Oracle find all users I created (excluding Oracle accounts) - oracle

Is there a way to find all user accounts in Oracle which have been created by me?
The SELECT * FROM ALL_USERS; returns all users in Oracle, but there seems to be no way of defining the 'owner' of the account (ORC_SYS would be nice) so I can add a clause like
'WHERE OWNER !+ 'ORC_SYS' or something.
Thanks in advance
KS

If its only the users created by oracle at install time you want to exclude you can properly do it filtering on user_id. Normally these users will have the lowest numbers:
Ajust the 35 to your installation.
Select * from dba_users where user_id > 35;
And if you are running 12c or above there is a column "Oracle_maintained" telling you if it is an oracle created user.
Select * from dba_users where oracle_maintained = 'N';

If you have access to dba_users and your Oracle's version is 12.1 and above, you can filter by oracle_maintained column.
Otherwise, there is no "official" way to distinguish between oracle internal users and your own.
There are some indirect ways, though:
Filter by all_users.created column. Mostly, internal users are created when the database is created, so your users will be after this date. You may find the database creation time in v$database.created .
Filter by all_users.user_id. As above, mostly, internal users are created when the database is created, so they get low user_id. There are some exceptions for several users like SYSBACKUP, SYSDG.
Both ways may produce incorrect results when internal users are created much later than the database creation - for example when an Oracle Option is reinstalled.

Should you try:
SELECT * FROM dba_users;

Related

Informix - select from a table of another user

I have to do CRUD operations on a table that is not owned by the user I am using to connect to my Informix database. I have been granted the necessary privileges to do the operations, but I do not know how to do the actual query.
I have little experience with Informix, but I remember in OracleDB I had to do reference the shema like so:
SELECT * FROM SCHEMA.TABLE;
In Informix should I reference the user that owns the table ? Like :
SELECT * FROM OWNER:TABLE
Or can I just do :
SELECT * FROM TABLE
Thanks for any help !
In Informix you can generally use the table name without or without the owner prefix unless the database was created with mode ANSI in which case the owner prefix is required. Note that the correct syntax when using the owner is to use a period "." as in:
SELECT * FROM owner.table;
The colon is used to separate the database name as shown in the Informix Guide to SQL: Syntax https://www.ibm.com/docs/en/informix-servers/14.10?topic=segments-database-object-name#ids_sqs_1649
FYI you can determine if the database is mode ANSI with this query:
SELECT is_ansi FROM sysmaster:sysdatabases WHERE name = "<database name>";

How to know user's "expiry_date" changed?

I'm faced with a very specific task with Oracle.
I need to prove that values in column expiry_date of table dba_users were not changed in a certain period (during last weekend).
I am not very experienced with Oracle. For me, it seems like a feature called "audit" is disabled, but I'm not strongly sure.
So, I need whatever option to check whether these values have been changed. I have already tried to analyze the user_sessions table (having the intent to check for connections during the period in question), but with that, I couldn't get an exact answer.
Instead of trying to directly detect changes to dba_users.expiry_date, it would be much easier to detect when a user changes their password, which would indirectly change the expiry date:
select password_date
from sys.user_history$
join dba_users
on sys.user_history$.user# = dba_users.user_id
where username = '&USER'
order by password_date desc;
However, that table will only contain values if the user has a profile where the PASSWORD_REUSE_TIME is not set to unlimited. You can find that setting with these queries:
--Find the user's profile:
select profile from dba_users where username = '&USER';
--Find the PASSWORD_REUSE_TIME of the profile.
--If the value is 'DEFAULT', you'll have to run this query again for the profile 'DEFAULT'.
select limit
from dba_profiles
where resource_name = 'PASSWORD_REUSE_TIME'
and profile = '&PROFILE';
(Oracle's audit functionality does not capture this information. You can run audit alter user and then query DBA_AUDIT_TRAIL to detect when a user was changed, but you can't tell the difference between a password reset and an account locking.)
Unfortunately, the above solution doesn't cover all possible reasons why the expiration date could change. If an administrator manually expires a user, or changes a profile or profile settings, the expiration date could change. To capture all possible reasons for a change, you would need to create triggers on the system tables used by DBA_USERS and store the expiration value whenever it changes. Or you could create a job that periodically checks the view and looks for changes.
But before you consider those options, you might want to explain exactly why you want this information. I'm guessing this question is for a security audit, but this feels like the wrong kind of information to look for. What is your true goal here?

Does TOAD for oracle generate logs of executed SQL?

I cannot seem to find a view which I created in one of my schemas within TOAD. Lets assume I don't know the exact schema in which I've created it, is there any way where I can find all the create statements which have been executed within a period of time, lets say the last days.
Thank you in advance.
If you created the view, just query ALL the views, and order by the date in which it was created.
select * from dba_objects
where object_type = 'VIEW'
order by created desc, last_ddl_time desc
We're hitting DBA_ views to make sure we look at EVERYTHING, not just the things you have PRIVS for. Switch to ALL_ views in case you lack access, and hope you didn't create the view in a schema in which your current logon can't see.
The other way to go is query the views themselves and key in on the table you think you included in the SQL behind the view.
SELECT *
FROM dba_views
WHERE UPPER (text_vc) LIKE '%EMPLOYEES%';
You might be looking for a feature called "SQL Recall" in Toad. Press F8 or View/SQL Recall. It will show you the SQL you ran in the last month or so.

View restriction not working

I need to create views depending on users on a oracle database
For that, using System I use the following querys:
CREATE OR REPLACE VIEW PROT_VIEW AS SELECT USER_ID, ORDER_DATE, ORDER_DESC
FROM PROT
WHERE USER_ID=USER;
the tables and the values of them are as follows:
CREATE TABLE PROT(
USER_ID VARCHAR2(10),
ORDER_DATE DATE,
ORDER_DESC VARCHAR2(60));
INSERT INTO PROT VALUES ('ADM',SYSDATE+4,'FOUR DAYS LATER');
INSERT INTO PROT VALUES ('ADM',SYSDATE+5,'FIVE DAYS LATER');
INSERT INTO PROT VALUES ('STUD1',SYSDATE+6,'SIX DAYS LATER');
INSERT INTO PROT VALUES ('STUD2',SYSDATE+7,'SEVEN DAYS LATER') ;
After this I have 3 different users (adm,stud1 and stud2) and when I log them on I should be getting 3 different results (one for each user) from each select I do (depending on the user logged).
The problem is, no matter what which user I have logged in (system,adm,stud1,stud2) I get empty tables.
I would like to know what i'm doing wrong and what can I do to solve this problem
Thank you in advance for anyone who's willing to help
update: i've been messing around and the problem is that i cant connect to those users. i've granted create session with system to those users and tried to connect to them but I'm stuck on system
Nice way to accomplish this task is to use public synonym in my opinion.
After creating your view (prot_view) on system schema, create a public synonym with the same name as view :
create or replace public synonym prot_view for prot_view;
and issue :
grant select on prot_view to public;
to be able to get desired result from every schema without prefixing with system schema name :
select * from prot_view;
"the problem is that i cant connect to those users"
user is a pseduo-column which returns the name of the account you're currently connected as. You're logged in as SYSTEM so that's the value of user, and that's why your view returns no rows. So, contrary to your question title, the view restriction is working.
Which means the the real question is, why can't you connect as those other users? You have SYSTEM so you have the necessary privileges to straighten out the accounts by changing the passwords to something you know or granting create session, or whatever.

Oracle : check for read/write privileges, automated testing

I have a question about Oracle and checking privileges.
Some background Info
I wrote some php scripts that will 'test' various things in our environment. One of those tasks is checking that a user has execute privileges on a procedure and that the procedure is valid/compiled.
Here is the query
select ao.object_name, utp.grantee, ao.status, utp.privilege
from all_objects ao, user_tab_privs utp
where utp.owner = ao.owner and
ao.object_name = utp.table_name and
upper( ao.object_name ) = :object_name and
ao.object_type = 'PACKAGE' and
utp.privilege = 'EXECUTE' and
ao.status = 'VALID'
This has worked well and has saved us time on procedure privileges; I do realize now that I can also double check the all_tab_privs to check execute access as well.
The problem
Now my question is, how do I do something similar with tables? We ran into an issue where a certain user had SELECT privs on a table but not UPDATE/INSERT privs. How can I check for each of these privileges individually. I've looked into all_tab_privs but haven't found it shows me what I want. It has procedures I can execute but when I check to see if a known table is there it isn't. For example, I'll run the following
select * from all_tab_privs
where table_name = 'KNOWN_TABLE' and
grantee = 'CURRENT_USER'
and privilege in ( 'SELECT', 'UPDATE', 'INSERT' );
but instead of getting back 3 rows for a table I know 100% that I can already select/insert/update it returns nothing.
Any ideas? Thank you.
Disclaimer
I am aware that I could just try inserting/updating data and then deleting it but I'd rather not do this. I'd rather not leave any trace since these scripts will run periodically, should be repeatable, and shouldn't alter the state of any piece of data, even if it's just a sequence on the table.
Also, if you could provide a 'list' of possible queries that I can use to determine privileges that would be fine. For example, to determine if i have select access run query 1, 2 and 3. If either returns data then you have select privs and so on for insert/update.
This looks rather optimistic to me, as the role issue could get really complex, particularly if roles ever get password protected, and I'd never really trust the method 100% without actually trying the DML.
It might be more simple to try queries such as:
select count(*)
from schema_name.table_name
where 1=0;
insert into schema_name.table_name
select *
from schema_name.table_name
where 1=0;
delete from schema_name.table_name
where 1=0;
update schema_name.table_name
set column_name = column_name
where 1=0;
I believe that such queries would fail if no privileges were granted (no database handy to check it), and they would never modify any data.
By the way, the ANY privileges are generally regarded as a security problem, so you might like to fail the system if any user is granted them.
If you have privileges granted via roles, you need a more complicated check. The link in comments gives some queries to use to look at the wider picture, but if you want to check what the current user can see - as one of your queries suggests - then you can query the session_roles view to see what object privileges are currently available to your session via roles, in addition to directly-granted object privileges:
select atp.table_schema, atp.table_name, atp.privilege, atp.grantee,
'Direct' as grant_type
from all_tab_privs atp
where atp.grantee = user
union all
select atp.table_schema, atp.table_name, atp.privilege, atp.grantee,
'Via role' as grant_type
from session_roles sr
join all_tab_privs atp on atp.grantee = sr.role;
You can obviously add filters if you want to look at a specific object or privilege, and the grant_type pseudo-column is just for info - not really that useful since you can compare grantee with user to get the same info I suppose.
You might want to look at session_privs as well, to check your user has any system privileges you expect.
But if you want a single query to check the privileges for another user or several users at once, you'll need something more like the linked queries, and the privileges necessary to run them.
I ended up solving this problem using a multi-step approach based around different queries and the results they brought back. I'm executing all the queries with some PHP code so it wasn't 100% necessary that I only have big query to solve it all.
Additionally, our databases are split up physically and they are linked together through database links so I had to do some additional work to make sure that this privilege checking worked across database links.
Currently I'm only checking for SELECT, DELETE, UPDATE, and INSERT privileges; that is all I need really for now.
The procedure
Here is the general procedure in a nut-list.
Get a list of all the database links available to the user.
For the following steps, start with the current database we are logged into and then check each database link retrieved from step 1.
2a. Check to see if the table is visible using a database query.
2b. If the table is visible, check to see if any of the permission queries return that this user has access to the table.
The queries
Here are the queries for each of the steps above.
1 Database links
select db_link from all_db_links
2a Table Visibility
select * from all_tables%DB_LINK% where table_name = :table_name and owner = :owner
The %DB_LINK% above is replaced by #db_link where applicable. If we are checking the current connection then I remove it entirely. Remember, the queries are being executed by a PHP script so I can do some string manipulation on the string to either remove the %DB_LINK% for the current database or replace it with one of the database links we got from step 1.
2b. Users, Roles, Tables
There are 4 queries all together here.
/*****/
/* 1 */
/*****/
select *
from user_tab_privs%DB_LINK%
where
owner = :owner
and
table_name = :table_name
and
privilege = :privilege
/*****/
/* 2 */
/*****/
select * from user_sys_privs%DB_LINK% where privilege = :privilege
/*****/
/* 3 */
/*****/
select * from
(
select distinct granted_role from
(
select null linker, granted_role
from user_role_privs%DB_LINK%
union all
select role linker, granted_role
from role_role_privs%DB_LINK%
)
start with linker is null
connect by prior granted_role = linker
) user_roles join role_tab_privs%DB_LINK% rtab on user_roles.granted_role = rtab.role
where
owner = :owner
and
table_name = :table_name
and
rtab.privilege = :privilege
/*****/
/* 4 */
/*****/
select * from
(
select distinct granted_role from
(
select null linker, granted_role
from user_role_privs%DB_LINK%
union all
select role linker, granted_role
from role_role_privs%DB_LINK%
)
start with linker is null
connect by prior granted_role = linker
) user_roles join role_sys_privs%DB_LINK% rtab on user_roles.granted_role = rtab.role
where rtab.privilege = :privilege
Explanations
Database links
In the phpunit tests I pass in two things : table name and schema name ( owner ). However, because of the database links we have to explicitly check the other databases by using the #db_link in the queries. Otherwise I might report a table as being inaccessible when in reality it is accessible via the database link.
Table visibility
If the user can't see the table then there is no point in checking for privileges. Checking for privileges also prevents the case where a user has been given 'SELECT ANY TABLE' privileges but the table itself doesn't actually exist from causing an unwanted failure.
The band of 4 queries
As shown by other posters, a user can be given access to a table in many ways. Specifically, they can be given roles, and those roles can be given roles, and then those roles can be assigned access. Or the user can be given explicit access or generic access through system privileges.
Query 1
The first of the four queries checks to see if the user has been given explicit SELECT, DELETE, etc, privileges on the table. It's easy to understand and would ideally be all that's necessary
Query 2
The second checks to see if the user has been granted any system privileges like DELETE ANY TABLE, SELECT ANY TABLE, INSERT ANY TABLE, etc. These are not granted explicitly on a table but the user can perform any of the referenced actions on any table they have visibility.
Query 3
The third query will see if any of the roles that user has, either directly or indirectly, has been given explicit SELECT, DELETE, etc, privileges on the table. This is similar to query 1 except it's based on the roles given to the user, not the user.
Query 4
The fourth checks to see if any of the roles that user has, either directly or indirectly, has been given any system privileges like DELETE ANY TABLE, SELECT ANY TABLE, INSERT ANY TABLE, etc. This one is similar to query 2.
That's it! I chain these together and use the results returned from each to determine whether a user has the desired privileges or not.
Details worth mentioning
If a user has any privileges across db_link_1 it does NOT mean that they have the same privileges on tables they access across db_link_2. Most should know this but I wanted to make sure I stated it explicitly. For example, select privs on table 1 across db_link_1 does not imply select privs on table 2 across db_link_2.
I check each db_link one at a time. So first I start of with the database I'm connected to directly, no database link required for this. Then, if I can't find the table or don't have the privs on the table I move on to the next database link.
In queries 2 and 4, I use 'SELECT ANY TABLE', 'DELETE ANY TABLE', etc in place of the :privilege variable.
In queries 1 and 3, I use 'SELECT', 'DELETE', 'UPDATE', 'INSERT' in place of the :privilege variable.

Resources