BEGIN
FOR i IN (SELECT object_name FROM user_objects WHERE object_type in ('PROCEDURE','PACKAGE','FUNCTION') )
LOOP
EXECUTE IMMEDIATE 'GRANT EXECUTE ON '||i.object_name||' TO kshitij';
END LOOP;
END;
/
BEGIN
FOR i IN (SELECT object_name FROM user_objects WHERE object_type in ('TABLE') )
LOOP
EXECUTE IMMEDIATE 'GRANT SELECT,INSERT,UPDATE,DELETE ON '||i.object_name||' TO kshitij';
END LOOP;
END;
/
BEGIN
FOR i IN (SELECT object_name FROM user_objects WHERE object_type in ('SEQUENCE') )
LOOP
EXECUTE IMMEDIATE 'SELECT ON '||i.object_name ||' TO kshitij';
END LOOP;
END;
/
Showing posts with label user management. Show all posts
Showing posts with label user management. Show all posts
Saturday, July 27, 2013
Thursday, August 23, 2012
Restrict Users to access other application exe
create or replace procedure sp_ltmlogin AS
MODULE SYS.V_$SESSION.MODULE%TYPE ;
L_USER NUMBER ;
BEGIN
SELECT MODULE INTO MODULE FROM SYS.V_$SESSION WHERE AUDSID = USERENV('SESSIONID') AND AUDSID != 0 AND ROWNUM = 1;
SELECT COUNT(*) INTO L_USER FROM DBA_USERS DBA_USERS WHERE DBA_USERS.USERNAME=USER AND DBA_USERS.PROFILE='LTM';
IF L_USER=0 THEN
IF UPPER(MODULE) ='LDLIVETRADEMONITOR.EXE'
THEN
RAISE_APPLICATION_ERROR(-20000,'you are not authorized to access LTM software');
END IF;
END IF ;
IF L_USER > 0 THEN
IF UPPER(MODULE) ='LD.EXE'
THEN
RAISE_APPLICATION_ERROR(-20000,'you are not authorized to access LD software');
END IF;
END IF ;
EXCEPTION
WHEN NO_DATA_FOUND THEN
NULL ;
END;
/
create or replace
trigger tg_ltmlogin
after logon on Database
Begin
sp_ltmlogin() ;
End;
/
To restrict user to login only
LTM user, you have to create a LTM profile and move that users to LTM profile
Followings are the steps to
implement the same
1 Connect
to sysdba user
Create
profile for LTM users and move them to LTM profile
CREATE PROFILE LTM
LIMIT PASSWORD_REUSE_MAX DEFAULT
PASSWORD_REUSE_TIME DEFAULT;
ALTER USER LTM PROFILE LTM;
Wednesday, August 8, 2012
Two User Logon Not Allowed on same Machine
create or replace trigger TG_SINGLELOGIN
after logon on database
declare
cnt pls_integer;
begin
select count(*) into cnt from v$session
where username !=sys_context('userenv','session_user') and terminal =sys_context('userenv','terminal');
if cnt >= 1 then
raise_application_error (-20001, 'You are already connected on another user with this machine');
end if;
exception
when no_data_found then raise;
end;
/
Concurrent User Login Denied from Different Machine
create or replace trigger TG_MULTILOGIN
after logon on database
declare
cnt pls_integer;
begin
select count(*) into cnt from v$session
where username=sys_context('userenv','session_user') and terminal !=sys_context('userenv','terminal') and status like '%ACTIVE%';
if cnt >= 1 then
raise_application_error (-20001, 'You are already connected on another machine');
end if;
exception
when no_data_found then raise;
end;
/
RAISE_APPLICATION_ERROR (-20001, 'You are not allowed to logon');
wont work for a user who has ADMINISTER DATABASE TRIGGER privilege.
The ADMINISTER DATABASE TRIGGER privilege allows you to create database-level triggers (server error, login, and logout triggers). It also allows you to log in regardless of errors thrown by a login trigger as a failsafe. If you inadvertently coded your login trigger to throw an error no matter who was logging in, for example, you need to allow someone to log in to fix the trigger.
if someone is exit from oracle without logout then record is still present in v$session then error occur.
we can use status like '%ACTIVE%'; to avoid killed and sniped session
User Machine Specific Access
suppose you have five machines and five users ( one user per machine)
Note: these users are database users...
e.g
User name
|
Machine name
|
User1
|
WORKGROUP\PC-01
|
User2
|
WORKGROUP\PC-02
|
User3
|
WORKGROUP\PC-03
|
User4
|
WORKGROUP\PC-04
|
User5
|
WORKGROUP\PC-05
|
So according to above table ye create a table in our database as sys user
Create table user_record
(user_name varchar2(25),
Machine_name varhcar2(30));
now insert user info ….
Insert into user_record (user_name,machine_name)
Values (‘USER1’,’ WORKGROUP\PC-01’);
Insert into user_record (user_name,machine_name)
Values (‘USER2’,’ WORKGROUP\PC-02’);
Insert into user_record (user_name,machine_name)
Values (‘USER3’,’ WORKGROUP\PC-03’);
Insert into user_record (user_name,machine_name)
Values (‘USER4’,’ WORKGROUP\PC-04’);
Insert into user_record (user_name,machine_name)
Values (‘USER4’,’ WORKGROUP\PC-04’);
Insert into user_record (user_name,machine_name)
Values (‘USER5’,’ WORKGROUP\PC-05’);
COMMIT;
NOW CREATE AFTER LOGON ON DATABASE TRIGGER AS SYS..
*******************************************************************************************************
CREATE OR REPLACE TRIGGER USER_CHECK
AFTER LOGON ON DATABASE
DECLARE
U_NAME VARCHAR2(20);
M_NAME VARCHAR2(20);
BEGIN
SELECT USER_NAME, MACHINE_NAME INTO U_NAME,M_NAME
FROM USER_RECORD
WHERE (USER_NAME, MACHINE_NAME) IN
(SELECT USERNAME, MACHINE FROM V$SESSION WHERE SID=(SELECT DISTINCT SID FROM
V$MYSTAT));
EXCEPTION
WHEN NO_DATA_FOUND THEN
RAISE_APPLICATION_ERROR(-20000,’YOU ARE NOT AUTHRIZE TO LOGIN FROM THIS MACHINE’);
END;
*******************************************************************************************************
this will connect
user1 from WORKGROUP\PC-01 only
user2 from WORKGROUP\PC-02 only
user3 from WORKGROUP\PC-03 only
user4 from WORKGROUP\PC-04 only
user5 from WORKGROUP\PC-05 only
Friday, May 4, 2012
Track User password change Audit Activity
if you want to track password change or other activity with sql then
ALTER SYSTEM SET AUDIT_TRAIL=DB_EXTENDED SCOPE=SPFILE;
THERE IS SQL_TEXT COLUMN IN DBA_AUDIT_TRAIL VIEW.
Monday, April 23, 2012
Connect as an Oracle User Without Knowing the Password
SQL> alter user ldbo grant connect through ksh;
User altered.
SQL> connect n/ksh$1#@apx1112srv;
Connected.
SQL> show user
USER is "LDBO"
2. If we can allow ourselves to change the password, but don’t want to change it permanently, there is a way to change the password back.
The DBA_USERS table contains the PASSWORD column. This column contains the encrypted password of the user.
Follow these steps to change the user’s password:
Get the encrypted password of the user from DBA_USERS table and save it.
Change the password by using the “alter user <user> identified by <pwd>” command.
Perform the following step to change the password back:
Use the “alter user <user> identified by values <encrypted_password>” command.
Use the encrypted password you have and pay attention to the “values” keyword in the command, it specifies that the password given in the command is already encrypted.
User altered.
SQL> connect n/ksh$1#@apx1112srv;
Connected.
SQL> show user
USER is "LDBO"
2. If we can allow ourselves to change the password, but don’t want to change it permanently, there is a way to change the password back.
The DBA_USERS table contains the PASSWORD column. This column contains the encrypted password of the user.
Follow these steps to change the user’s password:
Get the encrypted password of the user from DBA_USERS table and save it.
Change the password by using the “alter user <user> identified by <pwd>” command.
Perform the following step to change the password back:
Use the “alter user <user> identified by values <encrypted_password>” command.
Use the encrypted password you have and pay attention to the “values” keyword in the command, it specifies that the password given in the command is already encrypted.
Wednesday, March 28, 2012
Role Creation Using Network Link
BEGIN
FOR cur_rec IN (SELECT role
FROM dba_roles@lnk_previousyearbalance) LOOP
BEGIN
EXECUTE IMMEDIATE 'CREATE ROLE ' || cur_rec.role ;
EXCEPTION
WHEN OTHERS THEN
NULL;
END;
END LOOP;
END;
/
BEGIN
FOR cur_rec IN (SELECT grantee,privilege
FROM DBA_SYS_PRIVS@lnk_previousyearbalance where grantee not in ('SYS','SYSTEM','SYSMAN','TSMSYS','WMSYS','RECOVERY_CATALOG_OWNER','RESOURCE','OUTLN','ORACLE_OCM','OEM_MONITOR','OEM_ADVISOR','MGMT_USER','IMP_FULL_DATABASE','EXP_FULL_DATABASE','DBA','CONNECT','AQ_ADMINISTRATOR_ROLE','DBSNMP','SCHEDULER_ADMIN')) LOOP
BEGIN
EXECUTE IMMEDIATE ('Grant ' || cur_rec.privilege || ' to ' || cur_rec.grantee );
EXCEPTION
WHEN OTHERS THEN
NULL;
END;
END LOOP;
END;
/
BEGIN
FOR cur_rec IN (SELECT grantee,privilege,table_name
FROM dba_tab_privs@lnk_previousyearbalance Where Grantor='LDBO') LOOP
BEGIN
EXECUTE IMMEDIATE 'Grant ' || cur_rec.privilege || ' on ' || cur_rec.table_name || ' to ' || cur_rec.grantee ;
EXCEPTION
WHEN OTHERS THEN
NULL;
END;
END LOOP;
END;
/
BEGIN
FOR cur_rec IN (SELECT grantee,privilege,table_name,column_name
FROM dba_col_privs@lnk_previousyearbalance Where Grantor='LDBO') LOOP
BEGIN
EXECUTE IMMEDIATE 'Grant '|| cur_rec.PRIVILEGE || '('|| cur_rec.COLUMN_NAME ||') on '|| cur_rec.TABLE_NAME || ' to ' || cur_rec.GRANTEE ;
EXCEPTION
WHEN OTHERS THEN
NULL;
END;
END LOOP;
END;
/
BEGIN
FOR cur_rec IN (SELECT grantee,granted_role
FROM dba_role_privs@lnk_previousyearbalance Where Grantee!='SYSTEM' and Grantee!='SYS' and Grantee!='DBSNML' and Grantee!='REPADMIN') LOOP
BEGIN
EXECUTE IMMEDIATE 'Grant '|| cur_rec.granted_role || ' to ' || cur_rec.GRANTEE ;
EXCEPTION
WHEN OTHERS THEN
NULL;
END;
END LOOP;
END;
/
User Creation using Network Link
------------Create profile
BEGIN
FOR cur_rec IN (SELECT distinct profile,Resource_name,limit
FROM dba_profiles@lnk_previousyearbalance where profile!='DEFAULT') LOOP
BEGIN
EXECUTE IMMEDIATE 'Create profile '|| cur_rec.profile ||' Limit '|| cur_rec.Resource_name ||' '|| cur_rec.Limit ;
EXCEPTION
WHEN OTHERS THEN
NULL;
END;
END LOOP;
END;
/
------------Alter profile
BEGIN
FOR cur_rec IN (SELECT distinct profile,Resource_name,limit
FROM dba_profiles@lnk_previousyearbalance where profile!='DEFAULT' and Limit!='DEFAULT') LOOP
BEGIN
EXECUTE IMMEDIATE 'Alter profile '|| cur_rec.profile ||' Limit '|| cur_rec.Resource_name ||' '|| cur_rec.Limit ;
EXCEPTION
WHEN OTHERS THEN
NULL;
END;
END LOOP;
END;
/
------------Create User
BEGIN
FOR cur_rec IN (SELECT username,password,default_tablespace,temporary_tablespace,profile
FROM dba_users@lnk_previousyearbalance where username!='SYSTEM' and Username!='SYS' and Username!='DBSNMP' and Username!='REPADMIN') LOOP
BEGIN
EXECUTE IMMEDIATE 'create user ' || cur_rec.username || ' identified by values ' || '''' || cur_rec.password || '''' || ' default tablespace ' || cur_rec.default_tablespace || ' temporary tablespace ' || cur_rec.temporary_tablespace || ' profile ' || cur_rec.profile;
EXCEPTION
WHEN OTHERS THEN
NULL;
END;
END LOOP;
END;
/
Thursday, March 15, 2012
Role Recreation
set heading off verify off feedback off echo off term off linesize 200 wrap on
spool c:\temp\roles_creation.sql
SELECT 'Create Role '|| ROLE ||' ;' from dba_roles;
SELECT 'Grant '|| PRIVILEGE || ' to ' || GRANTEE || ';' FROM DBA_SYS_PRIVS where grantee not in ('SYS','SYSTEM','SYSMAN','TSMSYS','WMSYS','RECOVERY_CATALOG_OWNER','RESOURCE','OUTLN','ORACLE_OCM','OEM_MONITOR','OEM_ADVISOR','MGMT_USER','IMP_FULL_DATABASE','EXP_FULL_DATABASE','DBA','CONNECT','AQ_ADMINISTRATOR_ROLE','DBSNMP','SCHEDULER_ADMIN');
SELECT 'Grant '|| PRIVILEGE ||' on '|| TABLE_NAME || ' to ' || GRANTEE || ';' from dba_tab_privs Where Grantor='LDBO';
SELECT 'Grant update('|| COLUMN_NAME ||') on '|| TABLE_NAME || ' to ' || GRANTEE || ';' from dba_col_privs Where Grantor='LDBO';
spool off
Wednesday, August 11, 2010
User Creation Script for prev YR
set heading off verify off feedback off echo off term off linesize 200 wrap on
spool c:\temp\Recreate_Users.sql
SELECT distinct 'create profile '|| profile ||' Limit Sessions_per_user Unlimited;' from dba_profiles where profile!='DEFAULT' ;
Select 'Alter profile '|| profile ||' Limit '|| Resource_name ||' '|| Limit||';' from dba_profiles where profile!='DEFAULT' and Limit!='DEFAULT' ;
SELECT 'create user ' || username ||
' identified ' ||
DECODE(password, NULL, 'EXTERNALLY', ' by values ' || '''' || password || '''') ||
' default tablespace ' || default_tablespace ||
' temporary tablespace ' || temporary_tablespace ||
' profile ' || profile || ';'
FROM dba_users
where username!='SYSTEM' and Username!='SYS' and Username!='DBSNMP' and Username!='REPADMIN' ORDER BY username ;
SELECT 'Grant '|| Granted_role ||' to '|| Grantee||';' from dba_role_privs Where Grantee!='SYSTEM' and
Grantee!='SYS' and Grantee!='DBSNML' and Grantee!='REPADMIN' ;
spool off
spool c:\temp\Recreate_Users.sql
SELECT distinct 'create profile '|| profile ||' Limit Sessions_per_user Unlimited;' from dba_profiles where profile!='DEFAULT' ;
Select 'Alter profile '|| profile ||' Limit '|| Resource_name ||' '|| Limit||';' from dba_profiles where profile!='DEFAULT' and Limit!='DEFAULT' ;
SELECT 'create user ' || username ||
' identified ' ||
DECODE(password, NULL, 'EXTERNALLY', ' by values ' || '''' || password || '''') ||
' default tablespace ' || default_tablespace ||
' temporary tablespace ' || temporary_tablespace ||
' profile ' || profile || ';'
FROM dba_users
where username!='SYSTEM' and Username!='SYS' and Username!='DBSNMP' and Username!='REPADMIN' ORDER BY username ;
SELECT 'Grant '|| Granted_role ||' to '|| Grantee||';' from dba_role_privs Where Grantee!='SYSTEM' and
Grantee!='SYS' and Grantee!='DBSNML' and Grantee!='REPADMIN' ;
spool off
Create Like User Script
spool c:\usercreation.sql
set pages 0 feed off veri off lines 500
accept oldname prompt "Enter user to model new user to: "
accept newname prompt "Enter new user name: "
-- accept psw prompt "Enter new user's password: "
-- Create user...
select 'create user &&newname identified by values '''||password||''''||
-- select 'create user &&newname identified by &psw'||
' default tablespace '||default_tablespace||
' temporary tablespace '||temporary_tablespace||' profile '||
profile||';'
from sys.dba_users
where username = upper('&&oldname');
-- Grant Roles...
select 'grant '||granted_role||' to &&newname'||
decode(ADMIN_OPTION, 'YES', ' WITH ADMIN OPTION')||';'
from sys.dba_role_privs
where grantee = upper('&&oldname');
-- Grant System Privs...
select 'grant '||privilege||' to &&newname'||
decode(ADMIN_OPTION, 'YES', ' WITH ADMIN OPTION')||';'
from sys.dba_sys_privs
where grantee = upper('&&oldname');
-- Grant Table Privs...
select 'grant '||privilege||' on '||owner||'.'||table_name||' to &&newname;'
from sys.dba_tab_privs
where grantee = upper('&&oldname');
-- Grant Column Privs...
select 'grant '||privilege||' on '||owner||'.'||table_name||
'('||column_name||') to &&newname;'
from sys.dba_col_privs
where grantee = upper('&&oldname');
-- Tablespace Quotas...
select 'alter user '||username||' quota '||
decode(max_bytes, -1, 'UNLIMITED', max_bytes)||
' on '||tablespace_name||';'
from sys.dba_ts_quotas
where username = upper('&&oldname');
-- Set Default Role...
set serveroutput on
declare
defroles varchar2(4000);
begin
for c1 in (select * from sys.dba_role_privs
where grantee = upper('&&oldname')
and default_role = 'YES'
) loop
if length(defroles) > 0 then
defroles := defroles||','||c1.granted_role;
else
defroles := defroles||c1.granted_role;
end if;
end loop;
dbms_output.put_line('alter user &&newname default role '||defroles||';');
end;
/
spool off
@c:\usercreation.sql
set pages 0 feed off veri off lines 500
accept oldname prompt "Enter user to model new user to: "
accept newname prompt "Enter new user name: "
-- accept psw prompt "Enter new user's password: "
-- Create user...
select 'create user &&newname identified by values '''||password||''''||
-- select 'create user &&newname identified by &psw'||
' default tablespace '||default_tablespace||
' temporary tablespace '||temporary_tablespace||' profile '||
profile||';'
from sys.dba_users
where username = upper('&&oldname');
-- Grant Roles...
select 'grant '||granted_role||' to &&newname'||
decode(ADMIN_OPTION, 'YES', ' WITH ADMIN OPTION')||';'
from sys.dba_role_privs
where grantee = upper('&&oldname');
-- Grant System Privs...
select 'grant '||privilege||' to &&newname'||
decode(ADMIN_OPTION, 'YES', ' WITH ADMIN OPTION')||';'
from sys.dba_sys_privs
where grantee = upper('&&oldname');
-- Grant Table Privs...
select 'grant '||privilege||' on '||owner||'.'||table_name||' to &&newname;'
from sys.dba_tab_privs
where grantee = upper('&&oldname');
-- Grant Column Privs...
select 'grant '||privilege||' on '||owner||'.'||table_name||
'('||column_name||') to &&newname;'
from sys.dba_col_privs
where grantee = upper('&&oldname');
-- Tablespace Quotas...
select 'alter user '||username||' quota '||
decode(max_bytes, -1, 'UNLIMITED', max_bytes)||
' on '||tablespace_name||';'
from sys.dba_ts_quotas
where username = upper('&&oldname');
-- Set Default Role...
set serveroutput on
declare
defroles varchar2(4000);
begin
for c1 in (select * from sys.dba_role_privs
where grantee = upper('&&oldname')
and default_role = 'YES'
) loop
if length(defroles) > 0 then
defroles := defroles||','||c1.granted_role;
else
defroles := defroles||c1.granted_role;
end if;
end loop;
dbms_output.put_line('alter user &&newname default role '||defroles||';');
end;
/
spool off
@c:\usercreation.sql
Password reset same as before fro all users
set heading off verify off feedback off echo off term off linesize 200 wrap on
spool c:\password_users.sql
SELECT 'alter user ' || username ||
' identified ' ||
DECODE(password, NULL, 'EXTERNALLY', ' by values ' || '''' || password || '''') ||' account unlock;'
FROM dba_users
where username!='SYSTEM' and Username!='SYS' and Username!='DBSNMP' and Username!='REPADMIN' and
username!='WMSYS' and
username!='TSMSYS' and
username!='ACCOUNTOP' and
username!='OUTLN' and
username!='ORACLE_OCM' and
username!='BRANCH' and
username!='TRADE' and
username!='LEGAL' and
username!='ACCOUNTS' and
username!='QUALITYC' and
username!='FINANCE' and
username!='FUNDS' and
username!='STOCKS' and
username!='CRDESK' and
username!='IT'
ORDER BY username ;
spool off
@c:\password_users.sql
spool c:\password_users.sql
SELECT 'alter user ' || username ||
' identified ' ||
DECODE(password, NULL, 'EXTERNALLY', ' by values ' || '''' || password || '''') ||' account unlock;'
FROM dba_users
where username!='SYSTEM' and Username!='SYS' and Username!='DBSNMP' and Username!='REPADMIN' and
username!='WMSYS' and
username!='TSMSYS' and
username!='ACCOUNTOP' and
username!='OUTLN' and
username!='ORACLE_OCM' and
username!='BRANCH' and
username!='TRADE' and
username!='LEGAL' and
username!='ACCOUNTS' and
username!='QUALITYC' and
username!='FINANCE' and
username!='FUNDS' and
username!='STOCKS' and
username!='CRDESK' and
username!='IT'
ORDER BY username ;
spool off
@c:\password_users.sql
Subscribe to:
Posts (Atom)