Users are created with the flag "ORACLE_MAINTAINED" = "Y" - oracle

I am trying to create a new user in Oracle with the following script, executed as the 'SYSTEM' user:
alter session set "_ORACLE_SCRIPT"=true;
create user my_user identified by my_password;
I am aware that this user does not have any grants yet, but I am wondering why Oracle creates this user as a system user. If I run the following query:
select USERNAME, ORACLE_MAINTAINED from SYS.ALL_USERS where username = 'MY_USER';
then I am receiving the result
USERNAME                  ORACLE_MAINTAINED
------------------------- -
MY_USER                   Y
I am using flyway to handle the schema which belongs to the user, and it refuses to clean up my schema because it assumes that the schema is system maintained, due to the 'ORACLE_MAINTAINED' flag. What am I doing wrong?

Related

ora-01017 invalid username/password logon denied can't logon with the new connection

Hey, please, I am using Oracle 11g XE and I have created a new user under the username "amine" and set the password to "amine" in SQL Developer.
I have also granted all permissions and system privileges, but when I try to create a new connection using the "amine" user it gives an ORA-01017 even if the username and the password are correct.
Steps that I tried:
-- setting the case sensitivity to FALSE
-- make sure that the user is created and the status is open (using sqlplus)
-- tried the command: alter user amine identified by "amine"; result ---> ORA-01918: user 'AMINE' does not exist
I have created a new user under the username "amine"
It sounds like you have used the query:
CREATE USER "amine" IDENTIFIED BY "amine";
This will create a case-sensitive username and a case-sensitive password as you have surrounded the identifiers with double quotes.
If you try in SQL*Plus (or via equivalents in other UIs such as SQL Developer's connection dialog) to use any one of these:
CONN amine/amine
CONN "amine"/amine
CONN amine/"amine"
Then it will fail as the unquoted values will be implicitly converted to upper-case as Oracle stores non-case-sensitive identifiers in upper-case.
You would always need to quote both the username and the password, i.e. in SQL*Plus:
CONN "amine"/"amine"
Or using quotes in the username field in SQL Developer.
You can check if you did this by running:
SELECT username
FROM all_users
WHERE UPPER(username) = 'AMINE';
If the value comes back as lower-case (or, even, if there are now two users amine and AMINE) then you created the first one with a case-sensitive username and you will need to surround the username with double quotes whenever you want to use it.
Such as:
GRANT CREATE SESSION TO "amine";

ORA-20002: YOU ARE NOT ALLOWED TO CHANGE THE PASSWORD FOR CRITICAL SCHEMAS

I'm trying to change the password for an Oracle DB user but I'm getting the below error:
ORA-28003: password verification for the specified password
ORA-20002: YOU ARE NOT ALLOWED TO CHANGE THE PASSWORD FOR CRITICAL SCHEMAS
I've tried to change the password using the sys user and got the same error.
DB version: 12.2.0.1.0
Client: SQLPlus
Please help
The exception is being raised by a password verification function, assigned to the user via a profile.
You can see the profile name and the function being applied by querying:
select du.profile, dp.limit
from dba_users du
join dba_profiles dp on dp.profile = du.profile
where du.username = '<YOUR_USER>'
and dp.resource_name = 'PASSWORD_VERIFY_FUNCTION';
You can then see what the function is actually doing by looking at its source, using the name identified in the previous query:
select text
from dba_source
where owner = 'SYS'
and name = '<FUNCTION_NAME>'
order by line;
From there you can see when and why it's happening, by looking for a line like:
raise_application_error(-20002, 'YOU ARE NOT ALLOWED TO CHANGE THE PASSWORD FOR CRITICAL SCHEMAS');
and seeing what logic leads to it being raised.
You'll need to decide whether that rule is (still) appropriate for that user - clearly it's there for a reason so don't remove it or change the user's profile without really understanding it, and discussing with the DBA and/or application owner etc. - basically anyone with an interest in that user account.
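As an added illustration (not part of the original answer, and not the function installed on the asker's database): the lookup above extended to resolve a profile that inherits its setting from DEFAULT, followed by a constructed verification function of the kind that produces this error pair. The names demo_verify_function and critical_profile and the list of protected schemas are hypothetical.

```sql
-- Added example. Run as a DBA. All object names below are hypothetical.

-- 1) Which verification function actually applies to a user?
--    A profile whose limit reads 'DEFAULT' inherits the DEFAULT profile's setting.
select du.username,
       du.profile,
       case dp.limit when 'DEFAULT' then dd.limit else dp.limit end as verify_function
from dba_users du
join dba_profiles dp on dp.profile = du.profile
                    and dp.resource_name = 'PASSWORD_VERIFY_FUNCTION'
join dba_profiles dd on dd.profile = 'DEFAULT'
                    and dd.resource_name = 'PASSWORD_VERIFY_FUNCTION'
where du.username = '<YOUR_USER>';

-- 2) Constructed function showing the shape of such a rule.
--    Verification functions are owned by SYS and take these three arguments.
create or replace function sys.demo_verify_function (
  username     varchar2,
  password     varchar2,
  old_password varchar2
) return boolean
is
begin
  -- Hypothetical list of protected accounts
  if upper(username) in ('APP_OWNER', 'BATCH_USER') then
    raise_application_error(-20002,
      'YOU ARE NOT ALLOWED TO CHANGE THE PASSWORD FOR CRITICAL SCHEMAS');
  end if;
  if length(password) < 12 then
    raise_application_error(-20001, 'Password must be at least 12 characters');
  end if;
  return true;
end;
/

-- 3) Attach it to a profile. The function then runs whenever a password
--    is set for any user assigned to that profile.
alter profile critical_profile limit password_verify_function demo_verify_function;
```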

Oracle 12c Grant Privileges Failing

I'm currently trying to grant a couple of simple privileges to an Oracle database user.
I have tried the following queries:
grant all privileges to <username>
grant alter session to <username>
The second privilege is the one I actually need, but I decided simply to try and give the user all privileges to see if that would work. When I check the user's permissions using
select * from user_sys_privs;
everything seems to say NO.
I've even tried to grant the user dba privileges and that still fails. My end goal is to run scripts that require these permissions to be turned on.
Any help is greatly appreciated.
everything seems to say NO
You're looking at the wrong thing. If the user_sys_privs view lists ALTER SESSION:
select * from user_sys_privs where privilege = 'ALTER SESSION';
USERNAME             PRIVILEGE     ADM COM
-------------------- ------------- --- ---
MY_USER              ALTER SESSION NO  NO
then the user does have that privilege.
The NO entries don't mean the privilege is not granted. The columns that view is showing you are:
desc user_sys_privs
 Name          Null?    Type
 ------------- -------- -------------
 USERNAME               VARCHAR2(128)
 PRIVILEGE              VARCHAR2(40)
 ADMIN_OPTION           VARCHAR2(3)
 COMMON                 VARCHAR2(3)
and they are described in the documentation:
ADMIN_OPTION - Indicates whether the grant was with the ADMIN option (YES) or not (NO)
COMMON - Indicates how the grant was made. Possible values:
YES if the privilege was granted commonly (CONTAINER=ALL was used)
NO if the privilege was granted locally (CONTAINER=ALL was not used)
As you didn't specify the admin option or any other modifiers, it's correct that both of those flags are set to NO.
What's probably confusing you is that all privileges are listed when you query for your user, because you did grant all privileges to <username>. You probably want to revoke all of those privileges, and only grant the specific ones the user actually needs. You'll then see a much shorter list when you query user_sys_privs - possibly only that single entry, depending on what else you need to retain for the user.
You might also want to consider using roles, though you sometimes need to have privileges granted directly anyway - if a stored procedure relies on them.

ORACLE USER role to limit user to view and execute function without modifying it

I am sorry for a newbie question. I am creating a read-only user in Oracle. I want to limit him just to view and execute a function or procedure. I don't want him to modify those func or proc. Please help me on how to achieve this.
Thanks a lot
-- As sysdba:
-- 1) create a user account
create user <username> identified by <password>;
-- 2) allow user to log in
grant create session to <username>;
-- 3) allow user to execute a single procedure in other schema
grant execute on <other_schema.procedure_name> to <username>;
From the SYSDBA user login (from where you created the user), give the following grants:
GRANT EXECUTE ANY PROCEDURE TO user;
GRANT SELECT ANY TABLE TO user;
where user = the username you just created.
Then, to ensure the user has only read privileges, check from session_privs that he does not have any other privilege, specifically any "CREATE" privilege. To do this, run:
select * from session_privs;
from the user you just created.
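A narrower alternative to the ANY grants, which apply to objects in every schema; it follows the advice elsewhere on this page to grant only the specific privileges the user needs. This is an added example, not part of either answer, and the names ro_user, ro_role, app_owner, get_report and orders_v are hypothetical.

```sql
-- Added example. Run as a DBA. All names are hypothetical.

-- A role carrying only the object privileges the read-only account needs.
create role ro_role;
grant execute on app_owner.get_report to ro_role;  -- run it, not replace it
grant select  on app_owner.orders_v   to ro_role;

create user ro_user identified by "<password>";
grant create session to ro_user;
grant ro_role to ro_user;

-- Audit 1: system privileges reaching the account, directly or through a
-- directly granted role. For a read-only account expect CREATE SESSION only;
-- any CREATE/ALTER/DROP or ... ANY ... entry needs a justification.
select sp.privilege, sp.grantee as granted_via, sp.admin_option
from dba_sys_privs sp
where sp.grantee = 'RO_USER'
   or sp.grantee in (select rp.granted_role
                     from dba_role_privs rp
                     where rp.grantee = 'RO_USER')
order by sp.privilege;

-- Audit 2: object privileges, same scope.
select tp.owner, tp.table_name, tp.privilege, tp.grantee as granted_via
from dba_tab_privs tp
where tp.grantee = 'RO_USER'
   or tp.grantee in (select rp.granted_role
                     from dba_role_privs rp
                     where rp.grantee = 'RO_USER')
order by tp.owner, tp.table_name;

-- Clean-up if broad grants were made earlier:
-- revoke execute any procedure, select any table from ro_user;
```

The audit queries follow only roles granted directly to the account; roles nested inside other roles need a hierarchical walk of dba_role_privs.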

Oracle: idle_time appears to be ignored

In my understanding, creating a profile with the idle_time set to a certain value (in minutes) and creating a user with this profile should force the SNIPED status for that user's session in case he is idle for longer than idle_time. When the user tries to execute a query after this has happened, he receives a message that he must connect again.
First question: Is that right? If so, read on:
I'm running a test script as follows in sqlplus (without the placeholders obviously):
connect system/<password>@<tns>
CREATE PROFILE test_profile LIMIT idle_time 1;
CREATE USER test_user PROFILE test_profile IDENTIFIED BY test_user;
GRANT CREATE SESSION TO test_user;
GRANT ALTER SESSION TO test_user;
GRANT SELECT ON <schema>.<table> TO test_user;
disconnect;
connect test_user/test_user@<tns>
SELECT * FROM <schema>.<table>;
Everything works up to this point; the sqlplus window is still open. Now I open an additional sqlplus window and connect using the system account, running the following query after doing other stuff for a while:
SELECT username, status, seconds_in_wait FROM v$session WHERE username = 'TEST_USER';
I get something like:
USERNAME  STATUS   SECONDS_IN_WAIT
--------- -------- ---------------
TEST_USER INACTIVE            1166
Why has the status not been set to SNIPED?
Obviously, if I run another query from the test_user's sqlplus window, I do not get a message asking me to reconnect.
You need to set the database's RESOURCE_LIMIT parameter to TRUE in order for resource limits in profiles to take effect. Assuming you use a spfile (otherwise omit the scope = BOTH part):
ALTER SYSTEM SET resource_limit = TRUE scope = BOTH;
Once you do that, PMON should start sniping the sessions that have exceeded your IDLE_TIME when it wakes up every few minutes.
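To confirm the setting and see which sessions are past their profile's limit, a check along these lines can be run as a DBA; it is an added example, not part of the original answer. It assumes LAST_CALL_ET in v$session is an acceptable measure of idle time for this purpose.

```sql
-- Added example. Run as a DBA.

-- 1) Are profile resource limits enforced at all?
select name, value from v$parameter where name = 'resource_limit';

-- 2) Sessions idle longer than the IDLE_TIME of their user's profile.
--    LAST_CALL_ET is the number of seconds since an INACTIVE session went idle.
--    A profile limit of 'DEFAULT' is resolved against the DEFAULT profile;
--    'UNLIMITED' yields no numeric limit and is filtered out.
select s.sid, s.serial#, s.username, s.status,
       round(s.last_call_et / 60) as idle_minutes,
       l.idle_limit as idle_time_minutes
from v$session s
join dba_users u on u.username = s.username
join (select p.profile,
             case p.limit when 'DEFAULT' then d.limit else p.limit end as idle_limit
      from dba_profiles p
      join dba_profiles d on d.profile = 'DEFAULT'
                         and d.resource_name = 'IDLE_TIME'
      where p.resource_name = 'IDLE_TIME') l on l.profile = u.profile
where s.status in ('INACTIVE', 'SNIPED')
  and s.last_call_et >
      case when regexp_like(l.idle_limit, '^[0-9]+$')
           then to_number(l.idle_limit) * 60
      end
order by s.last_call_et desc;
```

Rows that remain INACTIVE here while step 1 reports FALSE match the behaviour described in the question.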
