I'm faced with a very specific task with Oracle.
I need to prove that values in column expiry_date of table dba_users were not changed in a certain period (during last weekend).
I am not very experienced with Oracle. For me, it seems like a feature called "audit" is disabled, but I'm not strongly sure.
So, I need whatever option to check whether these values have been changed. I have already tried to analyze the user_sessions table (having the intent to check for connections during the period in question), but with that, I couldn't get an exact answer.
Instead of trying to directly detect changes to dba_users.expiry_date, it would be much easier to detect when a user changes their password, which would indirectly change the expiry date:
select password_date
from sys.user_history$
join dba_users
on sys.user_history$.user# = dba_users.user_id
where username = '&USER'
order by password_date desc;
However, that table will only contain values if the user has a profile where the PASSWORD_REUSE_TIME is not set to unlimited. You can find that setting with these queries:
--Find the user's profile:
select profile from dba_users where username = '&USER';
--Find the PASSWORD_REUSE_TIME of the profile.
--If the value is 'DEFAULT', you'll have to run this query again for the profile 'DEFAULT'.
select limit
from dba_profiles
where resource_name = 'PASSWORD_REUSE_TIME'
and profile = '&PROFILE';
(Oracle's audit functionality does not capture this information. You can run audit alter user and then query DBA_AUDIT_TRAIL to detect when a user was changed, but you can't tell the difference between a password reset and an account locking.)
Unfortunately, the above solution doesn't cover all possible reasons why the expiration date could change. If an administrator manually expires a user, or changes a profile or profile settings, the expiration date could change. To capture all possible reasons for a change, you would need to create triggers on the system tables used by DBA_USERS and store the expiration value whenever it changes. Or you could create a job that periodically checks the view and looks for changes.
But before you consider those options, you might want to explain exactly why you want this information. I'm guessing this question is for a security audit, but this feels like the wrong kind of information to look for. What is your true goal here?
Related
Is there a way to find all user accounts in Oracle which have been created by me?
The SELECT * FROM ALL_USERS; returns all users in Oracle, but there seems to be no way of defining the 'owner' of the account (ORC_SYS would be nice) so I can add a clause like
'WHERE OWNER !+ 'ORC_SYS' or something.
Thanks in advance
KS
If its only the users created by oracle at install time you want to exclude you can properly do it filtering on user_id. Normally these users will have the lowest numbers:
Ajust the 35 to your installation.
Select * from dba_users where user_id > 35;
And if you are running 12c or above there is a column "Oracle_maintained" telling you if it is an oracle created user.
Select * from dba_users where oracle_maintained = 'N';
If you have access to dba_users and your Oracle's version is 12.1 and above, you can filter by oracle_maintained column.
Otherwise, there is no "official" way to distinguish between oracle internal users and your own.
There are some indirect ways, though:
Filter by all_users.created column. Mostly, internal users are created when the database is created, so your users will be after this date. You may find the database creation time in v$database.created .
Filter by all_users.user_id. As above, mostly, internal users are created when the database is created, so they get low user_id. There are some exceptions for several users like SYSBACKUP, SYSDG.
Both ways may produce incorrect results when internal users are created much later than the database creation - for example when an Oracle Option is reinstalled.
Should you try:
SELECT * FROM dba_users;
I need to create views depending on users on a oracle database
For that, using System I use the following querys:
CREATE OR REPLACE VIEW PROT_VIEW AS SELECT USER_ID, ORDER_DATE, ORDER_DESC
FROM PROT
WHERE USER_ID=USER;
the tables and the values of them are as follows:
CREATE TABLE PROT(
USER_ID VARCHAR2(10),
ORDER_DATE DATE,
ORDER_DESC VARCHAR2(60));
INSERT INTO PROT VALUES ('ADM',SYSDATE+4,'FOUR DAYS LATER');
INSERT INTO PROT VALUES ('ADM',SYSDATE+5,'FIVE DAYS LATER');
INSERT INTO PROT VALUES ('STUD1',SYSDATE+6,'SIX DAYS LATER');
INSERT INTO PROT VALUES ('STUD2',SYSDATE+7,'SEVEN DAYS LATER') ;
After this I have 3 different users (adm,stud1 and stud2) and when I log them on I should be getting 3 different results (one for each user) from each select I do (depending on the user logged).
The problem is, no matter what which user I have logged in (system,adm,stud1,stud2) I get empty tables.
I would like to know what i'm doing wrong and what can I do to solve this problem
Thank you in advance for anyone who's willing to help
update: i've been messing around and the problem is that i cant connect to those users. i've granted create session with system to those users and tried to connect to them but I'm stuck on system
Nice way to accomplish this task is to use public synonym in my opinion.
After creating your view (prot_view) on system schema, create a public synonym with the same name as view :
create or replace public synonym prot_view for prot_view;
and issue :
grant select on prot_view to public;
to be able to get desired result from every schema without prefixing with system schema name :
select * from prot_view;
"the problem is that i cant connect to those users"
user is a pseduo-column which returns the name of the account you're currently connected as. You're logged in as SYSTEM so that's the value of user, and that's why your view returns no rows. So, contrary to your question title, the view restriction is working.
Which means the the real question is, why can't you connect as those other users? You have SYSTEM so you have the necessary privileges to straighten out the accounts by changing the passwords to something you know or granting create session, or whatever.
I am using sequences to create IDs, so while executing insert stored procedure it will create unique value for ID. But after some time it is losing the definition for the sequence.
Not sure why this is happening again and again and how to solve the problem?
I am using Oracle SQL Developer and in the edit table property there is 'Identity Column' setting. See below:
Next step is setting up trigger and sequence:
It was working fine for some time until this property defaulted. Now it is not there anymore:
Still have this trigger and sequence object in the schema and able to setup again but it will break later.
How to avoid this problem in future?
I think it is just a bug/limitation in your client software, Oracle SQL Developer. The "Identity Column" tab is a handy way to create the corresponding sequence and trigger but it doesn't seem to recognise existing elements. I've just verified my own system and that's exactly what happens.
It makes sense, because adding a new sequence and trigger is a pretty straightforward task (all you need is a template) but displaying current sequence is hard given that a trigger can implement any conceivable logic. Surely it could be done but the cost-benefit ratio probably left things this way.
In short, your app is not broken so nothing needs to be fixed on your side.
This is what I received from IT support regarding the issue:
A few possibilities that might cause this:
1 - Another user with limited privileges might be editing the table using SQL Developer. In this case, if this user's privilege is not enough to obtain the sequence and/or trigger information from the database, the tool might leave the fields blank and disable it when table changes are saved.
2 - The objects are being changed or removed outside of SQL Developer, causing it to lose the information. In my tests I noticed that dropping the trigger and recreating it with the same name caused the identity property information to be lost on SQL Developer.
Even being the trigger enabled, and working for inserts it could not retrieve the information.
Then, if I run an alter trigger to enable it (even tough dba_trigger is reporting it as already enabled), SQL Developer will list the information again:
ALTER TRIGGER "AWS"."TABLE1_TRG" ENABLE;
So it looks like there are some issues with the SQL Developer, that is causing this behavior.
Next time it happen, please check if the trigger still exist on the database and is enabled with the query below:
select owner, trigger_name, TRIGGER_TYPE, TRIGGERING_EVENT, TABLE_OWNER, TABLE_NAME, STATUS
from dba_triggers
where trigger_name = 'ENTER_YOUR_TRG_NAME'; --Just change the trigger name in WHERE
I need to retrieve the list of available sequences of a certain database schema in an Oracle 10g database (10.2.0.3).
With the schema owner, I can simply do something like the following to achieve this:
SELECT sequence_name FROM all_sequences WHERE sequence_owner = 'ABCDEF';
However, If I use a user which has a custom "read-only" role assigned, that user does not get any rows when executing that query.
I've played around a bit and found out that granting the SELECT option on the sequences to the read-only role makes those sequences appear in the all_sequences view when connected with the read-only user.
However this means that the read-only user is able to do
SELECT my_sequence.NEXTVAL FROM DUAL;
which is a no-go for our situation (after all, the read-only user shall not be able to modify anything, not even sequences).
Is there another way for retrieving the sequences which does not allow selecting NEXTVAL?
[Edit:]
If I do
SELECT DISTINCT sequence_owner FROM all_sequences;
I get the following list:
SEQUENCE_OWNER
------------------------------
MDSYS
DMSYS
OLAPSYS
XDB
SYS
5 rows selected
After using the system user to do
GRANT SELECT ANY DICTIONARY TO MY_USER;
the result stays the same (revoke does not change anything either).
Granting the SELECT_CATALOG_ROLE instead does not work either.
Granting SELECT on at least one of the sequences however changes the result to include my own schema owner.
You can try to grant SELECT ANY DICTIONARY privilege, but it's very bad for the security reasons, so, I guess, your DBA will deny it.
Good decision is to create table function publishes required data. By default this function will work with AUTHID DEFINER rights, so you should just grant it to read-only user and it would receive sequences info without any chance to change them.
The best solution I can come up with is to grant the user SELECT ANY DICTIONARY. This will give them access to DBA_SEQUENCES (as well as all of the other DBA_ views) without needing permissions on the objects.
How do I see what pending changes have been made to an SPFILE before I bounce the database? I know I can see changes in alert log, but it may have been a few months when the change had been made.
For example:
alter system set sga_max_size=1024M scope=spfile;
This doesn't become active until the next bounce.
You'll get some noise in the results from this for various reasons, but you can get close by:
select name, value from v$spparameter where isspecified = 'TRUE'
minus
select name, value from v$parameter;
I don't know of an official view that does this, but it ought to be feasible to read the spfile as an external table and join it to v$parameter.
In 11g you can do:
CREATE PFILE='dir/init_current.ora' FROM MEMORY;
and
CREATE PFILE='dir/init_spfile.ora' FROM SPFILE;
and then just compare these text files (sort lines in both files first if necessary).