I granted the CREATE SESSION privilege to a recently created database user, and I granted him the SELECT privilege on some objects for different database schemas.
I find an apps schema (SCHEMA#) in v$session that is different from the database USERNAME recently created, and I would like to understand the phenomenon.
I think that he executes alter session set current schema and I would like to know if is it possible to revoke alter session privilege in Oracle 11g.
The documentation for the alter session statement says:
To enable and disable the SQL trace facility, you must have ALTER SESSION system privilege.
To enable or disable resumable space allocation, you must have the RESUMABLE system privilege.
You do not need any privileges to perform the other operations of this statement unless otherwise indicated.
As you don't need any privileges to perform alter session set current_schema, there is nothing you can revoke to prevent that being done. If you had actually granted alter session - which you haven't, from what you said - then you could of course still revoke that, but it would make no difference to the ability to change the current schema.
But this isn't really a problem, and is mentioned in the security guide as a good thing:
For example, a given schema might own the schema objects for a specific application. If application users have the privileges to do so, then they can connect to the database using typical database user names and use the application and the corresponding objects. However, no user can connect to the database using the schema set up for the application. This configuration prevents access to the associated objects through the schema, and provides another layer of protection for schema objects. In this case, the application could issue an ALTER SESSION SET CURRENT_SCHEMA statement to connect the user to the correct application schema.
Your recently-created user does not have any additional privileges or abilities simply by changing their current schema. They have not 'become' that schema; they can still only do the things you specified by granting select privileges on objects. They can't see anything else, and can't do any more to the objects they can see. They haven't inherited any of the privileges that schema has - so they can't create or drop objects under that schema, for instance. (You would have to explicitly grant them additional any privileges, which presumably you have no intention of doing.)
What they can do is reference those objects without having to prefix them with the schema name, and without having to create synonyms. But they can still only select from them (if that is the only privilege you granted).
Related
I have a user in Oracle 19C at container level, I want to grant him the privileges to switch among multiple pluggable database through alter session set container command without granting him the sysdba/dba privilege.
Please let me know, if this is possible.
You don't need any administrative role. The SYSDBA, SYSOPER, etc are only necessary if the PDB you're trying to switch to is currently CLOSED.
Otherwise -
-- drop user C##_JEFF;
-- USER SQL
CREATE USER C##_JEFF IDENTIFIED BY "oracle" container=all
DEFAULT TABLESPACE "USERS"
TEMPORARY TABLESPACE "TEMP";
-- QUOTAS
-- ROLES
-- SYSTEM PRIVILEGES
GRANT CREATE SESSION TO C##_JEFF container=all;
GRANT SET CONTAINER to C##_JEFF container=all;
And then, since you tagged SQLDev -
In addition to the Docs of course, Oracle-Base has a nice article on this concept. I will say, it's pretty rare that you would actually want COMMON users that could switch into any PDB that were not administrator accounts. Be sure you understand what the CDB is actually for before you jump in. Most applications will have everything they need defined in the pluggable database (PDB).
I want to import schema to my new host. First I had created new user account:
CREATE USER test IDENTIFIED BY test;
What kind of privileges I need to grant to have super role?
(create schema, tables, packages, triggers...etc)
It's one privilege to grant me access to all of them?
You should grant only those privileges that are required for a newly created user to work. One by one.
CREATE SESSION is the first one; without it, user can't even connect to the database.
CREATE TABLE is most probably also required, if user TEST is going to create his own tables.
That's enough to get it started. Once it appears that user needs to create a procedure, you'll grant CREATE PROCEDURE. And so forth.
There are/were roles named CONNECT and RESOURCE which contained the "most frequent" privileges one needed, but their use is - as far as I can tell & in my opinion - discouraged.
Basicly i have an java application that uses oracle as a data source. Now my application connects with a user and uses connected user's schema for table creation and etc...
Now i have a requirment that my application also should work under another schema.
So i have to alternatives.
1 - Change my table names with a prefix like
select * from other_schema.table
2 - Altering the session before running any query like
alter session set current_schema=other_schema
I am curios about is there any possibilty that alter session privilege can be revoked by dba's.
Oracle documentation says that
You do not need any privileges to perform the other operations of this statement unless otherwise indicated.
https://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_2012.htm
Please note that my app user will have all privileges for other_schema.
My application will be running many envoriments.
So going with first appoach, it looks like more safe but it can take long time.
Second one is faster but seems like tricky.
Yes they do. There is a role called CONNECT. This role usually (depending on version) gives you two system privileges:
create session
alter session
when your user has only create session privilege granted directly then you can not use any alter session ... statement.
Se Oracle docs:
Addressing The CONNECT Role Change
Note that the ALTER SESSION privilege is required for setting events.
Very few database users should require the alter session privilege.
SQL> ALTER SESSION SET EVENTS ........
The alter session privilege is not required for other alter session
commands.
SQL> ALTER SESSION SET NLS_TERRITORY = FRANCE;
So it really depends on Oracle version.
The CONNECT role was changed in 10gR2. It used to have most of the permissions of RESOURCE, but these were revoked in 10gR2.
I just tried ALTER SESSION with a user that only had CREATE SESSION and much to my surprise it worked, at least in 11.2.0.4.
I'm using Oracle's 10g version.
In the database, I would like to create a configuration table and fill it with data.
Then the other users can not change anything in it, and even better that it was not at all visible to other users. Is it possible to somehow hide the table?
Regards
Create a separate schema for that table. Create a package that provides an API to your configuration data (e.g. to get a value that is needed by another program).
Revoke CREATE SESSION privilege from that schema (i.e. just don't grant any privileges to the schema at all). Don't grant any privileges on the table. The only users who will be able to see the table are those with DBA privileges.
The only thing that database sessions will be able to do is execute the package, IF they have been granted EXECUTE privilege on it.
If you do not grant enough privileges to other users, they could not see your objects.
As security tightening exercise, I'm removing all system privileges from an oracle database user. Now this user ONLY has the following system privileges:
CREATE SESSION
UNLIMITED TABLESPACE
I was hoping that the user wont be able to do any DDL commands. But to my surprise, user can DROP TABLE in its own schema even though it can't create one.
Oracle documentation says prerequisite for DROP TABLE is "The table must be in your own schema or you must have the DROP ANY TABLE system privilege". Just that!!! I don't understand the security logic of Oracle but is there any way I can prevent Users from dropping their own tables?
The alternative would be creating another user to run the application and grant object access, which I'd rather like to avoid as there are potential issues.
A user will always have permissions to drop objects that they own. You can't prevent that by revoking privileges.
Since you're looking at tightening security, creating a new user and granting that user whatever privileges they need to manipulate the data is the right answer. The only people that ought to be logging in to a production database as a user that owns application objects are DBAs and then only when they are in the process of deploying changes to the schema. Everyone else should be logging in to the database as users other than the schema owner.
That being said, if the right solution is more work than you're prepared to undertake right now, a potential stopgap would be to create a DDL trigger on the database that throws an exception if a DROP is issued against an object in the specified schema. This is less secure than the proper solution. You may miss something when implementing the trigger, you or someone else may drop or disable the trigger and forget to re-enable it, etc. And it makes security reporting much more difficult because you've got a custom solution that isn't going to be obvious in the various security related data dictionary views which may create problems for auditors.