Oracle Role for liquibase user - oracle

I am working on adding liquibase in my spring boot app which connects to an oracle DB. I don't feel comfortable using the schema ID in my application. So I would like to create another user id that will be used to connect to the DB from my app. Since I am using liquibase this new user id will need to have create, drop, select, insert, update, delete on all table in that schema.
In Mysql I can ran the following command:
GRANT CREATE, DROP, SELECT, INSERT, UPDATE, DELETE ON SCHEMA_NAME.* TO 'liquidbase_local_usr'#'localhost';
is there a similar query in Oracle?

I did this with the Datical product that was built on Liquibase.
First I created a role called DATICAL_PACKAGER_ROLE and assigned it to the user $DaticalUser:
CREATE ROLE DATICAL_PACKAGER_ROLE NOT IDENTIFIED;
-- When using the tracefileLocation=REMOTE, you will need to setup the following permissions.
-- Note: These permissions are only required on schemas running the Convert SQL Scripts command. This is only needed on the packaging / reference database.
GRANT EXECUTE ANY PROCEDURE TO DATICAL_PACKAGER_ROLE;
GRANT ALTER SESSION TO DATICAL_PACKAGER_ROLE;
GRANT CREATE ANY DIRECTORY TO DATICAL_PACKAGER_ROLE;
GRANT DROP ANY DIRECTORY TO DATICAL_PACKAGER_ROLE;
-- The following permissions are needed for backing up and restoring the database. This is only needed on the packaging / reference database.
GRANT EXP_FULL_DATABASE TO DATICAL_PACKAGER_ROLE;
GRANT IMP_FULL_DATABASE TO DATICAL_PACKAGER_ROLE;
-- The following must be run as sysdba
-- SQL > conn / as sysdba
GRANT EXECUTE on SYS.UTL_FILE TO DATICAL_PACKAGER_ROLE;
-- Grant the new role to the Datical User
GRANT DATICAL_PACKAGER_ROLE to $DaticalUser;
Then I granted the role to the schema I wanted:
GRANT DATICAL_PACKAGER_ROLE to <yourschema>;

Related

How Grant all privileges on prefixed wildcard name in mysql 8

In my database, there are many database retaliated to a one project like below
flatmon
flatmon_user
flatmon_login
flatmon_transaction
.....
I just want the user to only have access to all databases beginning with "flatmon"
But, in mysql 8 it's doesn't work. (i tried in mysql 5.7 then it worked)
i set privileges like below.
CREATE USER 'flatmonuperadmin'#'%' IDENTIFIED BY '7c652ab5-5658-417a-9680-8a4265752233';
GRANT ALL PRIVILEGES ON `flatmon\_%`.* TO 'flatmonuperadmin'#'%' WITH GRANT OPTION;
FLUSH PRIVILEGES;
If you have db named "rf-facade"
You can use:
GRANT SELECT, INSERT, UPDATE, DELETE ON `rf-facade`.* TO 'rf_facade_developer';
Try This
Grant all privileges on `some_db_%`.* to 'user'#'IP' with grant option;

How to create schema in Oracle and table spaces?

I create user(schema) in oracle. like this
create user EMP_DB identified by netsolpk account unlock;
But when i tried login through schema name and password, login failed. Below is the error message.
user EMP_DB lacks create session privilage; login denied.
I've not created any tablespaces.
For this, do I need to create any tablespace? If needed, how to create a tablespace?
And what more things are required for creating a schema in oracle 11g.
Please help me and give me step by step procedure.
The error user EMP_DB lacks create session privilage; login denied indicates that you need privilege to create a session. So you need to grant the appropriate privilege like,
GRANT CREATE SESSION TO emp_db;
Or You can go with granting the roles(group of privileges), CONNECT and RESOURCE.
CONNECT role has only CREATE SESSION privilege.
RESOURCE has the following privilges,
CREATE TRIGGER
CREATE SEQUENCE
CREATE TYPE
CREATE PROCEDURE
CREATE CLUSTER
CREATE OPERATOR
CREATE INDEXTYPE
CREATE TABLE
To find these PRIVILEGES of a ROLE, You can query the DBA_SYS_PRIVS table with a query like this:
SELECT grantee, privilege, admin_option
FROM DBA_SYS_PRIVS
WHERE grantee='RESOURCE';
Also to use the existing tablespace USERS, You can create a user with QUOTA UNLIMITED statement like,
CREATE USER emp_db IDENTIFIED BY netsolpk QUOTA UNLIMITED on USERS;
the fastest, quickest way to create a new user with privileges is
grant connect, resource to NewUser_name identified by NewUser_password;
by this command you will be sure that errors like above will not displayed.

Create user in oracle database

I have below requirement in oracle database
Create User and grant to all objects in schema "abc"
If i add any tables to schema "abc", then the user should have access by default without executing individual Grant
Current we are executing Grant statements for every objects created in schema, is there any onetime configuration available? Please help
Note: Here user is not a schema owner, for ex. some one who having access to read-only access.
In current versions of Oracle, you could create a DDL Trigger and have this automatically execute a grant on the newly created object to your other user.
See the excellent PSOUG site for an overview: http://psoug.org/reference/ddl_trigger.html

How to create a user in Oracle 11g and grant permissions

Can someone advise me on how to create a user in Oracle 11g and only grant that user the ability only to execute one particular stored procedure and the tables in that procedure.
I am not really sure how to do this!
Connect as SYSTEM.
CREATE USER username IDENTIFIED BY apassword;
GRANT CONNECT TO username;
GRANT EXECUTE on schema.procedure TO username;
You may also need to:
GRANT SELECT [, INSERT] [, UPDATE] [, DELETE] on schema.table TO username;
to whichever tables the procedure uses.
Follow the below steps for creating a user in Oracle.
--Connect as System user
CONNECT <USER-NAME>/<PASSWORD>#<DATABASE NAME>;
--Create user query
CREATE USER <USER NAME> IDENTIFIED BY <PASSWORD>;
--Provide roles
GRANT CONNECT,RESOURCE,DBA TO <USER NAME>;
--Provide privileges
GRANT CREATE SESSION, GRANT ANY PRIVILEGE TO <USER NAME>;
GRANT UNLIMITED TABLESPACE TO <USER NAME>;
--Provide access to tables.
GRANT SELECT,UPDATE,INSERT ON <TABLE NAME> TO <USER NAME>;
The Oracle documentation is comprehensive, online and free. You should learn to use it. You can find the syntax for CREATE USER here and for GRANT here,
In order to connect to the database we need to grant a user the CREATE SESSION privilege.
To allow the new user rights on a stored procedure we need to grant the EXECUTE privilege. The grantor must be one of these:
the procedure owner
a user granted execute on that procedure with the WITH ADMIN option
a user with the GRANT ANY OBJECT privilege
a DBA or other super user account.
Note that we would not normally need to grant rights on objects used by a stored procedure in order to use the procedure. The default permission is that we execute the procedure with the same rights as the procedure owner and, as it were, inherit their rights when executing the procedure. This is covered by the AUTHID clause. The default is definer (i.e. procedure owner). Only if the AUTHID is set to CURRENT_USER (the invoker, that is our new user) do we need to grant rights on objects used by the procedure. Find out more.
Don't use these approach in critical environment like TEST and PROD. Below steps are just suggested for local environment. For my localhost i create the user via these steps:
IMPORTANT NOTE : Create your user with SYSTEM user credentials.Otherwise you may face problem when you run multiple application on same database.
CONNECT SYSTEM/<<System_User_Password>>#<<DatabaseName>>; -- connect db with username and password, ignore if you already connected to database.
Then Run below script
CREATE USER <<username>> IDENTIFIED BY <<password>>; -- create user with password
GRANT CONNECT,RESOURCE,DBA TO <<username>>; -- grant DBA,Connect and Resource permission to this user(not sure this is necessary if you give admin option)
GRANT CREATE SESSION TO <<username>> WITH ADMIN OPTION; --Give admin option to user
GRANT UNLIMITED TABLESPACE TO <<username>>; -- give unlimited tablespace grant
EDIT: If you face a problem about oracle ora-28001 the password has expired also this can be useful run
select * from dba_profiles;-- check PASSWORD_LIFE_TIME
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED; -- SET IT TO UNLIMITED
As previously mentioned multiple times in the comments, the use of the CONNECT, RESOURCE and DBA roles is discouraged by Oracle.
You have to connect as SYS to create your role and the user(s) which are given this role. You can use SQL Developer or SQL*Plus as you prefer. Do not forget to mention the SYSDBA role in the logon string. The connect_identifier uses different syntaxes.
sqlplus sys/<<password>>#<<connect_identifier>> as sysdba
Let's say you have a 12cR1 like the one provided as a VM with the "Oracle Technology Network Developer Day". The connect strings might be (to connect to the provided PDB) :
sqlplus sys/oracle#127.0.0.1/orcl as sysdba
sqlplus sys#"127.0.0.1/orcl" as sysdba -- to avoid putting the pw in clear
Note that under Unix, the quotes have to be escaped otherwise they will be consumed by the shell. Thus " becomes \".
Then you create the role MYROLEand grant it other roles or privileges. I added nearly the bare minimum to do something interesting :
create role myrole not identified;
grant create session to myrole;
grant alter session to myrole;
grant create table to myrole;
Next your create the user MYUSER. The string following identified by which is the password is case-sensitive. The rest is not. You could also use SQL delimited identifiers (surrounded by quotes ") instead of regular identifiers which are converted tu uppercase and subject to a few limitations. The quota could be unlimited instead of 20m.
create user myuser identified by myuser default tablespace users profile default account unlock;
alter user myuser quota 20m on users;
grant myrole to myuser;
Eventually, you connect as your new user.
Please note that you could also alter the default profile or provide another one to customize some settings as the expiration period of passwords, the number of permitted failed login attempts, etc.
CREATE USER USER_NAME IDENTIFIED BY PASSWORD;
GRANT CONNECT, RESOURCE TO USER_NAME;
CREATE USER books_admin IDENTIFIED BY MyPassword;
GRANT CONNECT TO books_admin;
GRANT CONNECT, RESOURCE, DBA TO books_admin;
GRANT CREATE SESSION GRANT ANY PRIVILEGE TO books_admin;
GRANT UNLIMITED TABLESPACE TO books_admin;
GRANT SELECT, INSERT, UPDATE, DELETE ON schema.books TO books_admin;
https://docs.oracle.com/cd/B19306_01/network.102/b14266/admusers.htm#i1006107
https://chartio.com/resources/tutorials/how-to-create-a-user-and-grant-permissions-in-oracle/
First step:
Connect to a database using System/Password;
second Step:
create user username identified by password; (syntax)
Ex: create user manidb idntified by mypass;
third Step:
grant connect,resource to username; (Syntax)
Ex: grant connect,resource to manidb;
step 1 .
create user raju identified by deshmukh;
step 2.
grant connect , resource to raju;
step 3.
grant unlimitted tablespace to raju;
step4.
grant select , update , insert , alter to raju;

Hide tables in Oracle XE database

I'm using Oracle XE but I would like to log in as a user than can create tables, contraints etc., but who cannot view all of the other system tables and stuff that you see when you log in with the system account.
How can I achieve this?
You need to create a new user with:
CREATE USER xxx IDENTIFIED BY yyyy;
From there, issue GRANT for the privileges you want to give the user:
GRANT CREATE SESSION TO xxx;
GRANT CREATE TABLE TO xxx;
GRANT CREATE VIEW TO xxx;
etc.
See the SQL Reference documentation for all the privileges you can grant. User xxx will only be able to see their own objects and objects they have been granted privileges on.

Resources