ORA-65175: cannot grant SYSDBA privilege locally in the root - oracle

I have an Oracle 12c database.
I would like to grant sysdba to C##user1.
Here is the user table.
When I execute this command I get an error.
grant sysdba to c##user1 container=current
Error report -
SQL Error: ORA-65175: cannot grant SYSDBA privilege locally in the root
65175. 00000 - "cannot grant SYSDBA privilege locally in the root"
*Cause: An attempt was made to grant SYSDBA privilege locally in the root
of a multitenant container database (CDB).
*Action: While connected to the root, SYSDBA privilege can only be granted
commonly.
And when I execute this command, I get 2 users of C##user1.
grant sysdba to c##user1 container=all
How can I grant sysdba to C##user1?
Thank you for viewing.
Please help me.

Are you trying to grant sysdba to c##user1 at the Container or Root level? This is an important distinction within 12C, as the Container is logically separate from the rest of the CDB. The CON_ID column will tell you where each user resides - Con_ID=0 means that the row pertains to the entire CDB, whereas CON_ID=1 means that the row pertains to the root.
You currently have two "C##user1" users: one is a common user that is present in all containers (CON_ID=0), and the other is a local user that is specific to the root.
You already have one "C##user1" user that has the SYSDBA privilege on the entire CDB, so if that's what you want, you can connect to the root and drop the local "C##user1" user. If you just wanted a local user with the SYSDBA privilege on that root only, I would recommend dropping the "C##user1" common user, then connecting to the root and granting sysdba to the local user there.
The article I linked to is titled "Overview of the Multitenant Architecture", I would suggest giving it a review before you make a decision either way.

Under a CDB connection, try this:
grant sysdba to c##user1 container=all
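Before granting or dropping anything, it helps to compare the data dictionary with the password file and see where each C##USER1 row comes from. The following is an added example, not part of the original posts; it assumes a 12c CDB and a session connected to the root AS SYSDBA, and reuses the C##USER1 name from the question.

```sql
-- Added example: run in SQL*Plus, connected to the CDB root AS SYSDBA.

-- 1. Confirm that the current container is the root (CDB$ROOT).
SELECT SYS_CONTEXT('USERENV', 'CON_NAME') AS current_container FROM dual;

-- 2. Is C##USER1 a common user? COMMON = 'YES' with one row per open
--    container means the account exists in every container.
SELECT username, common, con_id
FROM   cdb_users
WHERE  username = 'C##USER1'
ORDER  BY con_id;

-- 3. Password-file entries: which accounts hold an administrative
--    privilege, and the CON_ID each entry is recorded against.
SELECT username, sysdba, sysoper, con_id
FROM   v$pwfile_users
ORDER  BY username, con_id;

-- 4. In the root, SYSDBA can only be granted commonly;
--    CONTAINER = CURRENT is what raises ORA-65175.
GRANT SYSDBA TO c##user1 CONTAINER = ALL;

-- 5. Re-run step 3 to confirm the grant. When the privilege is no
--    longer needed, revoke it the same way:
-- REVOKE SYSDBA FROM c##user1 CONTAINER = ALL;
```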

Related

Ora-01031: insufficient privileges when I create the first user

I tried to create a user after creating tablespaces but there is an error at line 1, ORA-01031: insufficient privileges.
This is what I wrote and the effect ...
Enter user-name: sys as sysdba
Enter password:
Connected to:
Oracle Database 12c Enterprise Release 12.1.0.1.0
SQL> create user c##ntoi identified by botho123
2 container=all
3 default tablespace perm_ntoi_tbs
4 temporary tablespace temp_ntoi_tbs;
create user c##ntoi identified by botho123
*
ERROR at line 1:
ORA-01031: insufficient privileges
According to the create user command for the version you're connected to:
To specify the CONTAINER clause, you must be connected to a multitenant container database (CDB). To specify CONTAINER = ALL, the current container must be the root. To specify CONTAINER = CURRENT, the current container must be a pluggable database (PDB).
Maybe your environment is set such that connecting to "sys as sysdba" is connecting to:
a pluggable instead of its container
a current container that is not the root
I have created the user by connecting with
SQL> conn c##sys
I got another problem when granting the user
SQL> grant sysdba, connect, create user, create session to c##ntoi;
ERROR at line 1:
ORA-47410: Realm violation for GRANT on CREATE SESSION

oracle 11g not able to connect with scott user, showing: invalid username/password; logon denied

Whenever I'm trying to connect with scott, it shows invalid username/password.
I tried this:
alter user scott account unlock;
SP2-0640: Not connected
alter user scott identified by tiger;
SP2-0640: Not connected
Go to the installation path of Oracle 11g. By default it is on the C: drive; then move to C:\oraclexe\app\oracle\product\11.2.0\server\rdbms\admin
Here you can find a file named scott.sql
Open the SQL Command Line and log in with conn system/ (password set during the installation of Oracle 11g)
Run the script below (note: the file name is appended at the end)
@ C:\oraclexe\app\oracle\product\11.2.0\server\rdbms\admin\scott.sql
Now you can run SELECT * FROM all_users; to see that the scott schema was created
Alternatively, you can do this in SQL Developer by creating a connection to SYSTEM and running the above script
After creation, the default username is SCOTT and the password is TIGER
In the comment part I especially asked for querying
select count(1) from dba_users where username = 'SCOTT';
I'd like to learn if the user exists.
For the message you get, ORA-01017,
the first possible reason is what the message tells us (invalid username/password).
Secondly, you may not have an account named SCOTT, i.e. the above query gives 0 (zero).
In this case:
you should create the mentioned user (when you're connected to system):
SQL> conn system/pwd
Connected.
SQL> create user scott identified by tiger;
and grant related privileges :
SQL> grant connect to scott;
SQL> grant resource to scott;
and then you can connect by issuing :
SQL> conn scott/tiger
Connected.
Connect with a DBA Account and Issue an Alter User Command
The error you are seeing indicates you are no longer connected to the database. You were logged in as system@db, but when you tried to connect as scott@db, you no longer have a database connection.
Here I replicate your experience:
SYSTEM@db>conn system@db as sysdba
Enter password:
Connected.
SYS@db>conn scott@db
Enter password:
ERROR:
ORA-01017: invalid username/password; logon denied
@>alter user account scott unlock;
SP2-0640: Not connected
@>alter user scott identified by tiger;
SP2-0640: Not connected
Here I reconnect and then issue an alter user command to unlock the user account and set a new password.
@>conn system@db as sysdba
Enter password:
Connected.
SYS@db>ALTER USER scott IDENTIFIED BY tiger ACCOUNT UNLOCK;
User altered.
SYS@db>conn scott/tiger@db
Connected.
Addendum
My steps provided assumed you had the scott schema installed. If the scott schema does not exist, it would be good to see if the default 11g database sample schemas exist.
The schema account scott is no longer a default schema in the 11g database. The 11g documentation states:
"Oracle used the schema SCOTT with its two prominent tables EMP and
DEPT for many years. With advances in Oracle Database technology,
these tables have become inadequate to show even the most basic
features of Oracle Database and other Oracle products. "
I would recommend reviewing to see if the other default sample schemas are installed. The hr account is most similar to the scott schema.
Here is a list of common sample schema usernames:
username IN (
'HR',
'OE',
'PM',
'SH',
'IX'
)
Check to see if the person who performed the installation used the database configuration assistant and opted to install the sample schemas.
If the schemas were not created at the time of installation, the document, "Oracle® Database Sample Schemas 11g Release 1 (11.1) B28328-03", describes the steps to do this in chapter 2, Installation.
Open Oracle sql developer.
In SQL Developer, paste the path of the scott.sql file (C:\oraclexe\app\oracle\product\11.2.0\server\rdbms\admin\scott.sql) with '@' in front of it.
@ C:\oraclexe\app\oracle\product\11.2.0\server\rdbms\admin\scott.sql
Run script
Script Output -> Connection created by CONNECT script command disconnected
Connect using SQL Command Line
conn scott/TIGER;

SQL Developer - Signed in as DBA but privileges are removed

These two privileges don't get granted to the DBA:
SYSDBA
SYSOPER
SQL and GUI attempts to grant these privileges return successful messages, but they remain revoked. While signed in as SYS:
Signing in as SYS
Bookshop_DBA privileges appear as such
Granting with GUI
Granting with SQL
Result for both
Messages are returned to say that granting is successful but no changes are made.
Please show us what you're actually doing.
If you're using the dialog as shown, and getting problems, you should be able to report any ORA- errors.
For example:
And you don't have to guess what SQL Developer is actually doing - click on the SQL page of the edit user dialog.
Before going further, please consider:
you should in general NEVER login as SYSDBA - unless you need to actually shut down or alter a database. Don't use it as an all powerful PRIV to get around security/grant issues
you should know what you're doing before you grant it to someone, or even use it yourself. Read the docs, then read them again. Otherwise, this is how you do very, very bad things to your database.
Running this code from a non-privileged user:
-- SYSTEM PRIVILEGES
GRANT SYSDBA TO "user" ;
GRANT SYSOPER TO "user" ;
Error starting at line : 6 in command -
GRANT SYSDBA TO "user"
Error report -
ORA-01031: insufficient privileges
01031. 00000 - "insufficient privileges"
*Cause: An attempt was made to perform a database operation without
the necessary privileges.
*Action: Ask your database administrator or designated security
administrator to grant you the necessary privileges
Error starting at line : 7 in command -
GRANT SYSOPER TO "user"
Error report -
ORA-01031: insufficient privileges
01031. 00000 - "insufficient privileges"
*Cause: An attempt was made to perform a database operation without
the necessary privileges.
*Action: Ask your database administrator or designated security
administrator to grant you the necessary privileges
So, how do we get around this?
You need to do this for the user who is performing the grants - and you better REALLY trust this user, if you're going to let them do this SYSDBA...
GRANT SYSDBA TO "*user*" WITH ADMIN OPTION;
But, that's NOT ENOUGH.
Per the DOCS:
Because SYSDBA and SYSOPER are the most powerful database privileges,
the WITH ADMIN OPTION is not used in the GRANT statement. That is, the
grantee cannot in turn grant the SYSDBA or SYSOPER privilege to
another user. Only a user currently connected as SYSDBA can grant or
revoke another user's SYSDBA or SYSOPER system privileges. These
privileges cannot be granted to roles, because roles are available
only after database startup. Do not confuse the SYSDBA and SYSOPER
database privileges with operating system roles.
So, in SQL Developer, disconnect.
Change your connection properties:
Now that you're connected as SYSDBA, you can do...perilous things...like grant that to someone else.
PS - Don't ever GRANT SYS anything to a demo schema like HR. And don't have these demo schemas in production environments, they're only there as learning resources.
It may be due to the user you are connected with. SYSDBA and SYSOPER privs can only be granted by a SYSDBA user.

How to create a user in Oracle 11g and grant permissions

Can someone advise me on how to create a user in Oracle 11g and only grant that user the ability only to execute one particular stored procedure and the tables in that procedure.
I am not really sure how to do this!
Connect as SYSTEM.
CREATE USER username IDENTIFIED BY apassword;
GRANT CONNECT TO username;
GRANT EXECUTE on schema.procedure TO username;
You may also need to:
GRANT SELECT [, INSERT] [, UPDATE] [, DELETE] on schema.table TO username;
to whichever tables the procedure uses.
Follow the below steps for creating a user in Oracle.
--Connect as System user
CONNECT <USER-NAME>/<PASSWORD>@<DATABASE NAME>;
--Create user query
CREATE USER <USER NAME> IDENTIFIED BY <PASSWORD>;
--Provide roles
GRANT CONNECT,RESOURCE,DBA TO <USER NAME>;
--Provide privileges
GRANT CREATE SESSION, GRANT ANY PRIVILEGE TO <USER NAME>;
GRANT UNLIMITED TABLESPACE TO <USER NAME>;
--Provide access to tables.
GRANT SELECT,UPDATE,INSERT ON <TABLE NAME> TO <USER NAME>;
The Oracle documentation is comprehensive, online and free. You should learn to use it. You can find the syntax for CREATE USER here and for GRANT here.
In order to connect to the database we need to grant a user the CREATE SESSION privilege.
To allow the new user rights on a stored procedure we need to grant the EXECUTE privilege. The grantor must be one of these:
the procedure owner
a user granted execute on that procedure with the WITH ADMIN option
a user with the GRANT ANY OBJECT privilege
a DBA or other super user account.
Note that we would not normally need to grant rights on objects used by a stored procedure in order to use the procedure. The default permission is that we execute the procedure with the same rights as the procedure owner and, as it were, inherit their rights when executing the procedure. This is covered by the AUTHID clause. The default is definer (i.e. procedure owner). Only if the AUTHID is set to CURRENT_USER (the invoker, that is our new user) do we need to grant rights on objects used by the procedure. Find out more.
Don't use this approach in critical environments like TEST and PROD. The steps below are suggested for a local environment only. For my localhost I create the user via these steps:
IMPORTANT NOTE: Create your user with SYSTEM user credentials. Otherwise you may face problems when you run multiple applications on the same database.
CONNECT SYSTEM/<<System_User_Password>>@<<DatabaseName>>; -- connect to the db with username and password; ignore if you are already connected to the database.
Then Run below script
CREATE USER <<username>> IDENTIFIED BY <<password>>; -- create user with password
GRANT CONNECT,RESOURCE,DBA TO <<username>>; -- grant DBA,Connect and Resource permission to this user(not sure this is necessary if you give admin option)
GRANT CREATE SESSION TO <<username>> WITH ADMIN OPTION; --Give admin option to user
GRANT UNLIMITED TABLESPACE TO <<username>>; -- give unlimited tablespace grant
EDIT: If you face the problem ORA-28001 (the password has expired), it can also be useful to run:
select * from dba_profiles;-- check PASSWORD_LIFE_TIME
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED; -- SET IT TO UNLIMITED
As previously mentioned multiple times in the comments, the use of the CONNECT, RESOURCE and DBA roles is discouraged by Oracle.
You have to connect as SYS to create your role and the user(s) which are given this role. You can use SQL Developer or SQL*Plus as you prefer. Do not forget to mention the SYSDBA role in the logon string. The connect_identifier uses different syntaxes.
sqlplus sys/<<password>>@<<connect_identifier>> as sysdba
Let's say you have a 12cR1 like the one provided as a VM with the "Oracle Technology Network Developer Day". The connect strings might be (to connect to the provided PDB) :
sqlplus sys/oracle@127.0.0.1/orcl as sysdba
sqlplus sys@"127.0.0.1/orcl" as sysdba -- to avoid putting the pw in clear
Note that under Unix, the quotes have to be escaped otherwise they will be consumed by the shell. Thus " becomes \".
Then you create the role MYROLE and grant it other roles or privileges. I added nearly the bare minimum to do something interesting:
create role myrole not identified;
grant create session to myrole;
grant alter session to myrole;
grant create table to myrole;
Next you create the user MYUSER. The string following identified by, which is the password, is case-sensitive. The rest is not. You could also use SQL delimited identifiers (surrounded by quotes ") instead of regular identifiers, which are converted to uppercase and subject to a few limitations. The quota could be unlimited instead of 20m.
create user myuser identified by myuser default tablespace users profile default account unlock;
alter user myuser quota 20m on users;
grant myrole to myuser;
Eventually, you connect as your new user.
Please note that you could also alter the default profile or provide another one to customize some settings as the expiration period of passwords, the number of permitted failed login attempts, etc.
CREATE USER USER_NAME IDENTIFIED BY PASSWORD;
GRANT CONNECT, RESOURCE TO USER_NAME;
CREATE USER books_admin IDENTIFIED BY MyPassword;
GRANT CONNECT TO books_admin;
GRANT CONNECT, RESOURCE, DBA TO books_admin;
GRANT CREATE SESSION, GRANT ANY PRIVILEGE TO books_admin;
GRANT UNLIMITED TABLESPACE TO books_admin;
GRANT SELECT, INSERT, UPDATE, DELETE ON schema.books TO books_admin;
https://docs.oracle.com/cd/B19306_01/network.102/b14266/admusers.htm#i1006107
https://chartio.com/resources/tutorials/how-to-create-a-user-and-grant-permissions-in-oracle/
First step:
Connect to a database using System/Password;
Second step:
create user username identified by password; (syntax)
Ex: create user manidb identified by mypass;
Third step:
grant connect,resource to username; (syntax)
Ex: grant connect,resource to manidb;
Step 1.
create user raju identified by deshmukh;
Step 2.
grant connect, resource to raju;
Step 3.
grant unlimited tablespace to raju;
Step 4.
grant select, update, insert, alter on <table name> to raju;
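A least-privilege version of what the question asks for, as an added example that is not taken from any of the answers above: the account receives CREATE SESSION and EXECUTE on one definer's-rights procedure, and the dictionary queries at the end list everything it holds. The names app_owner, report_user, orders and get_order_total are hypothetical; run it as a DBA account in a non-CDB database or inside a PDB.

```sql
-- Added example; all object and user names are hypothetical.
-- Assumes schema APP_OWNER already owns table ORDERS(order_id, amount).

-- Definer's rights (the default, spelled out here): the procedure runs
-- with APP_OWNER's privileges, so callers need no grant on ORDERS.
CREATE OR REPLACE PROCEDURE app_owner.get_order_total (
    p_order_id IN  NUMBER,
    p_total    OUT NUMBER
) AUTHID DEFINER AS
BEGIN
    SELECT SUM(amount) INTO p_total
    FROM   app_owner.orders
    WHERE  order_id = p_order_id;
END;
/

-- The restricted account: may log on and call that one procedure.
CREATE USER report_user IDENTIFIED BY "Replace_with_a_strong_password_1";
GRANT CREATE SESSION TO report_user;
GRANT EXECUTE ON app_owner.get_order_total TO report_user;

-- Verification 1: system privileges granted directly to the account.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'REPORT_USER';

-- Verification 2: roles granted to the account.
SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'REPORT_USER';

-- Verification 3: object privileges granted to the account.
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'REPORT_USER';
```

Any row beyond CREATE SESSION and the single EXECUTE grant is privilege the account does not need for this task.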

Granting "Create Directory" Privileges in Oracle

I want to run a CREATE DIRECTORY query in Oracle 10, but it's giving me an insufficient privileges error.
Can anybody tell me how to grant this privilege to my user through the system as a user?
From the Oracle 10gR2 documentation:
You must have CREATE ANY DIRECTORY system privilege to create directories.
You would use the following command to grant the privilege to the schema that will create the directory:
SQL> GRANT CREATE ANY DIRECTORY TO vnz;
Grant succeeded
As always with the privileges ANY, be careful who you will grant them to. It is indeed a powerful privilege best left to DBAs.
From Oracle docs:
"You must have CREATE ANY DIRECTORY system privilege to create directories."
So,
grant create any directory to userOfInterest;
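Both answers grant CREATE ANY DIRECTORY. Where the user only needs to read or write files in one location, a DBA can create the directory object and grant access to that object alone. This is an added example, not from the answers; the directory name, OS path and grantee app_user are hypothetical, and the first query lists who already holds the ANY privilege.

```sql
-- Added example; directory name, OS path and grantee are hypothetical.
-- Run as a DBA account.

-- 1. Audit: every user or role that holds CREATE ANY DIRECTORY,
--    and whether they can pass it on (ADMIN_OPTION = 'YES').
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE ANY DIRECTORY'
ORDER  BY grantee;

-- 2. Instead of granting the ANY privilege, the DBA creates the one
--    directory object the application needs ...
CREATE OR REPLACE DIRECTORY app_export_dir AS '/u01/app/exports';

-- 3. ... and grants access to that object only.
GRANT READ, WRITE ON DIRECTORY app_export_dir TO app_user;

-- 4. Review what each directory object points at and who can use it.
--    Directory grants are recorded in DBA_TAB_PRIVS under owner SYS.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
FROM   dba_directories d
LEFT   JOIN dba_tab_privs p
       ON  p.table_name = d.directory_name
       AND p.owner      = 'SYS'
ORDER  BY d.directory_name, p.grantee;

-- 5. If the ANY privilege was granted earlier and is no longer needed:
-- REVOKE CREATE ANY DIRECTORY FROM app_user;
```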
