I want to export dump file DDL my database (Oralce database version 11.2.0.4). I created user and granted permission (sysdba). I connected to database using user above, I choose View --> DBA --> Data Pump --> Data Pump Export Wizard --> choose connection above --> and it alert error "Cant use Data Pump as sys.".
Here's an interesting thing about SYS, it cannot use SERIALIZABLE transactions. This also applies to users connected as SYSDBA. Find out more.
The SERIALIZABLE isolation level means that all statements in a transaction are read consistent. The default for Oracle is READ COMMITTED, which applies at the statement level. The difference is this: if we run select * from T1 followed by select * from T2 under READ COMMITTED isolation level then we will any changes committed to T2 while we were querying T1. That is, the result sets for T1 and T2 are both consistent set of records, but we might have seen different results if we had run the queries the other way round. Whereas, under SERIALIZABLE the result sets are consistent with the start of the transaction. It doesn't matter what order we query the tables, the results are stable.
You can see why this is important for exporting. The entire set of exported tables must be consistent in order to guarantee the relational integrity of a subsequent import. We don't want to export a child table with records which depend on records added to the parent table after we exported it. (The old Export utility allowed us to set consistency=N - indeed that was the default! - but Data Pump protects us from ourselves).
So this is why we can't run exports as SYS, or SYSDBA users. Fortunately there is a simple solution: revoke SYSDBA from your user and grant it DATAPUMP_EXP_FULL_DATABASE and DATAPUMP_IMP_FULL_DATABASE roles instead. [Find out more][2].
I found answer to my question:
- when login we choose Role default
We need grant dba permission to user
Ex:
Grant dba to vinhhc_vsc;
Related
I have just created a new read only user (TEMPDBREAD) for our developers # our oracle Database 11.2.0.4
Now they like read access to all tables from just one schema (TEMPDBUSER)
is there an alternative to grant select any table.
They should not be able to read the other schemes. But since the table structure often changes, it is difficult to justify everything manually.
That's why select any table is awarded very quickly and easier to place
Can i deny the access to the other schemes anyway?
Any Idea how i can solve this very simple?
BR Julian
Grant Table Access manually
Grant Select ANY Table
Nope. You either give them select any table and let them read any table in the database or you give them access to each table in TempDBUser individually. In the vast, vast majority of cases, you'd want to give them access to each table in TempDBUser (presumably via a role because there will be many developer accounts that need to run queries).
It isn't clear to me why giving object-level access is problematic for you. "Table structure changes" do not require new grants since they're just changes to existing objects. If you really mean that new tables are created frequently, you'd just want to incorporate the grants into your change control and deployment process.
If you have a packaged application that creates new tables periodically (a terrible practice), you could create a DDL trigger that issued the grant every time a new table was created in TempDBUser. You'd need a DDL trigger that submitted a job via the dbms_job package that did the actual grant which is a rather convoluted architecture but it works.
spool /tmp/grant_issue.sql
select 'grant select on TEMPDBUSER.' || table_name || ' TO TEMPDBREAD;' from dba_tables where owner='TEMPDBUSER' ;
spool off;
run the spool file.
sqlplus #/tmp/grant_issue.sql
I would like to submit a question about creating an audit trail for specific tables on Oracle 11g database. We would like to track user's changes, on some specific tables, that records has been changed from the application (front end) side. Of course the first idea we came up with was to create manually audit tables and set triggers to track:
who is changing the data
what type of operation is it (I, U, D)
time of the operation
But I read that Oracle has in-build mechanism that can handle audit trails, but at this moment I don't know any details how is it working. So the main question is: "What is the best / most elegant, with easy and clear access to the data, way to perform audit tracking?"
First of all your auditing should be on by setting your audit_trail
parameter to a valid value like DB, DB_EXTENDED, XML,
XML_EXTENDED or OS with scope=spfile and restart database.
Next, you need to use audit commands for what you want to track, such
as :
audit drop user by access;
audit drop any procedure by access;
audit drop any table by access;
audit audit system by access;
audit grant any privilege by access;
audit insert, update, delete on myschema.mytable by access;
To track sessions by audit-trail it's advisible to use
Dbms_Session.Set_Identifier( :i_client );
to set client info, during connection phase of your program unit.
Dbms_Session.Set_Identifier sets the session's client id to the
given value. This value can be used to identify sessions in
v$session by means of v$session.client_identifier. It can also be
used to identify sessions by means of
sys_context('USERENV','CLIENT_IDENTIFIER').
This procedure is executable by PUBLIC.
In addition ;
Dbms_Application_Info.Set_Client_Info( :i_client );
Dbms_Application_Info.Set_Module( :i_modul,null );
-- :i_modul is the name of your module or program unit from which
-- you are connecting to db .
methods are also useful to monitor from gv$session view's client_info and module columns.
I am using Oracle 11g. I am successfully extracting DDL of database using userA account who created database tables, SP, Functions etc using getddl() method.
Now here is a case userA has shared / grant some action (ie. select) to userB account. and When I tried to get DDL details using same getDDL method, it is not including that shared tables.
To resolve it I used following.
SELECT * FROM USER_TAB_PRIVS;
Statement. Using this I can get list of all shared table with some unknow system tables details.
Now I am looking for the solution which either gives only shared tables or a way using that I can ignore (filter) that tables
FYI: When I am executing the above query it gives this output.
As expected it returns data related to all tables including system tables and all users created in the database including system generated users.
So can please anyone help me to create a query which will give me data related to privileges granted to all the users created manually and not by system?
To get the list of all privileges given to USER_2 from USER_1, you can use the following query.
SELECT * FROM SYS.USER_TAB_PRIVS T WHERE T.GRANTOR = 'USER_2';
While trying to create a trigger named ghazal_current_bef_upd_row :
create trigger ghazal_current_bef_upd_row
before update on ghazal_current
for each row
when (new.Rating < old.Rating)
begin
insert into ghazal_current_audit
(GhazalName,Old_Rating,New_Rating)
values
(:old.GhazalName,:old.Rating,:new.Rating);
end;
I get the following error :
Error report:
ORA-04089: cannot create triggers on objects owned by SYS
04089. 00000 - "cannot create triggers on objects owned by SYS"
*Cause: An attempt was made to create a trigger on an object owned by SYS.
*Action: Do not create triggers on objects owned by SYS.
Both the tables named ghazals_current and ghazal_current_audit were created by SYS. Why cannot I create a trigger on the table created by SYS .
You should not be creating any objects in the SYS schema. That user is part of the Oracle database management system, and changing its schema is likely to break your database. Certainly it could invalidate your Oracle Support contract (if you have one). From the documentation:
"The administrative account SYS is automatically created when a
database is created. This account can perform all database
administrative functions. The SYS schema stores the base tables and
views for the data dictionary. These base tables and views are
critical for the operation of Oracle Database. Tables in the SYS
schema are manipulated only by the database and must never be modified
by any user."
Oh, in case you're wondering, the same applies to SYSTEM too.
Triggers are particularly prone to abuse and are a major source of scaling problems. That's why Oracle forbids us to build triggers in SYS, because doing so might corrupt or at least impact the performance of the data dictionary.
Of course that's not what's happening here. You have built your own tables in SYS. Well drop them. Now. Use SYS to create your own user, GHAZAL or whatever name suits, and grant it the required privileges: CREATE SESSION, CREATE TABLE, CREATE TRIGGER, and so forth. Then connect as that new user to create your tables and other schema objects.
here's a tricky case on which 5 peoples including a DBA have been struggling on for days... I offer lifetime consideration to the one which will identify the root cause of the issue.
here it is:
Oracle Client: 10g
Oracle Server: 11g
We have 2 schemas and 1 user:
SCHEMA1
SCHEMA2
USER
We have 1 table 'TOTO' which is defined in SCHEMA1 (SCHEMA1.TOTO)
We have a private synonym of table 'TOTO', called 'TOTO' defined in SCHEMA2, created like this:
CREATE SYNONYM SCHEMA2.TOTO FOR SCHEMA1.TABLE1;
We have granted SELECT,UPDATE,DELETE,INSERT priviledges on "SCHEMA2.TOTO " (so on the synonym) to SCHEMA2 (so that any session ran from SCHEMA2 has access to the synonym table)
GRANT SELECT, UPDATE, DELETE, INSERT ON SCHEMA2.TOTO TO SCHEMA2;
Our application connects to the DB with USER, then directly switches to SCHEMA2:
ALTER SESSION SET CURRENT_SCHEMA=SCHEMA2;
Then after that, it tries to perform a select query on the synonym table WITHOUT prefixing the synonym name by SCHEMA1 (this is a constrain of the framework we use):
SELECT COL FROM TOTO;
Most of the times this query works successfully, which is what we expect since we have altered our session to SCHEMA2, by default that where the objects are looked.
But sometimes it fails, with an ORA-00942: table or view does not exist error.
I insist on the fact that between the time when it works and when it fails, nothing has changed, we've just restarted the application (which is of course re-connecting to the DB the same way at each startup).
We've been investigated with a DBA monitoring all the events on USER,SCHEMA1,SCHEMA2 hoping to find an external process modifying the GRANTS on one of thoses, between a success and a failure, but nothing changes. Yet, at some point, randomnly we get the ORA-00942 error, then we restart the application several times and it's back again...
Would someone have an idea or any suggestion/hint that could lead us to identify what we're missing here?
Many thanks for your help!
The grant should go to USER, not to SCHEMA2:
GRANT SELECT, UPDATE, DELETE, INSERT ON schema1.toto TO userxy;
This should solve the problem. If it doesn't, can you please post the result of
SELECT * FROM all_objects WHERE object_name='TOTO';