I just downloaded Oracle Database 11g and I can't select, create, update or do anything. Every command that I enter and run only results in "ORA-01435: user does not exist".
What are the things that I need to do in order to enable creating and running some commands?
Here is a picture of ORA-01435: user does not exist
Please look at the upper right corner: SCHEMA:XS$NULL
From Securing Oracle Database User Accounts
XS$NULL
An internal account that represents the absence of a user in a session. Because XS$NULL is not a user, this account can only be accessed by the Oracle Database instance. XS$NULL has no privileges and no one can authenticate as XS$NULL, nor can authentication credentials ever be assigned to XS$NULL.
Expired and locked
You need to change it to some specific schema.
I'm not a DB expert, my boss has retired and it's up to me now. He created a production database, and a test database on another server with same username/password and schema name test_SameAsOtherDB. I'm trying to pull the live data from the production table, into the test DB table, but there are no privileges for me to do so.
I tried by logging into my production DB and "grant select on mytable_name to testDB.mytable_name;" but it gives me the error "ORA-00933: SQL command not properly ended".
I've tried all the combinations of user/password/schema that I could think of, but none work.
Everything I've researched says use "GRANT select on tablename to USER" but the user is the same on each DB.
Hope I made sense, any help would be appreciated.
Thanks,
John
You access a database on another server through a DATABASE LINK, not with the syntax to access an object in another schema on the same server.
You must create the DBLINK using the "CONNECT TO user IDENTIFIED BY password" syntax. (And the user used to execute "CREATE DATABASE LINK" must have the privilege to do...)
Then you will be able to "SELECT ... FROM mytable_name@DBLINK_TESTDB", assuming you named the DBLINK "DBLINK_TESTDB", with the same rights that the user used in the "CONNECT TO" statement has in the target DB.
(And change that policy of having the same passwords in all environments...)
I am using Oracle database 21c Express edition in Windows x64.
With system user, I run
alter user bichvan account lock;
With system user
But in Oracle SQL Developer, in the session of user bichvan, I can still query.
Why can I still query after the alter user lock?
Documentation says:
To temporarily deny access to the database for a particular user account, you can lock the user account. If the user then attempts to connect, then the database displays an error message and does not allow the connection.
It means that lock won't affect currently logged users. But, if you disconnect and then try to connect, you won't be allowed to do that.
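To cut off sessions that were opened before the lock, they have to be terminated separately. The following is an added example, not part of the original answer; it assumes a single-instance database, a DBA-privileged user such as SYSTEM, and the BICHVAN account from the question.

```sql
-- Added example: lock the account, then end the sessions that already exist.
-- Run as a user with ALTER USER and ALTER SYSTEM privileges (e.g. SYSTEM).

ALTER USER bichvan ACCOUNT LOCK;

-- The lock only blocks new logons; sessions opened earlier are still listed here.
SELECT sid, serial#, status, program, logon_time
FROM   v$session
WHERE  username = 'BICHVAN';

-- Terminate every remaining user session of the locked account.
BEGIN
  FOR s IN (SELECT sid, serial# AS serial_no
            FROM   v$session
            WHERE  username = 'BICHVAN'
            AND    type = 'USER')
  LOOP
    EXECUTE IMMEDIATE
      'ALTER SYSTEM KILL SESSION ''' || s.sid || ',' || s.serial_no || ''' IMMEDIATE';
  END LOOP;
END;
/

-- Confirm the account state and that no sessions are left.
SELECT username, account_status, lock_date
FROM   dba_users
WHERE  username = 'BICHVAN';

SELECT COUNT(*) AS remaining_sessions
FROM   v$session
WHERE  username = 'BICHVAN';
```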
My organisation has a number of schemas within an Oracle database that need to be accessed by a number of individual developers. In most cases, the developers can login with their own id and access these other schemas through role permissions, but for certain tasks the individual developers need to log into these schemas directly.
An example of this would be schema A which needs to be accessed by users X and Y. User X and user Y can log in with their own ids, but to fully leverage the potential of schema A, they would need the schema A password.
I am interested in tracking if and when user Y for example logs into schema A, using the schema A password. Can this be done?
My need for this is primarily in relation to password security and leaving procedures when staff depart our organisation. For example, if I have schema A and the password is known by at least some of users X, Y, Z and Q, and user Q leaves, is this a threat? If the checks show the password for schema A was not known by user Q, then I don't have a security risk, but if the checks show that user Q knew the password for schema A, then I need to change the password for schema A, potentially impacting users X, Y and Z.
Therefore, my question is, is there a method within Oracle that would enable me as DBA to identify which individuals logged into these schemas, whether it be by tracking their client identifiers or some other route?
Thanks
For this specific scenario, use proxy authentication: it kills several problems related to development environments in a single stroke.
[Proxy authentication] allows a user to connect to a database as one user and on connection
become a different user. This capability was originally deployed by
Oracle as a way for applications to authenticate end users to
individual database accounts through a common application account, but
it works just as effectively the other way around.
In this model ... each developer is given a separate,
personal account in the database. Most application development can now
be handled – and audited – through these personal accounts. Because
the login accounts are associated with individual users there is no
incentive for the developer to share their credentials with anyone
else. It would be relatively simple to tell if a personal account was
being shared, and doing so would be grounds for termination with most
companies.
To demonstrate this in action, I’ll create an application schema and
configure it so that it can only be accessed by means of proxy
authentication:
Connected to: Oracle Database 19c Enterprise Edition Release
19.0.0.0.0 - Production Version 19.3.0.0.0
SQL> create user app_schema no authentication proxy only connect;
User created.
SQL> grant connect, resource to app_schema;
Grant succeeded.
The “no authentication” option creates the shared
account without credentials. [This is not strictly required, but] it eliminates the need to maintain a
password or certificate for an account that will never be used
directly. The “proxy only connect” option allows only proxy
connections to the shared account. [This too is not required, but could be useful depending on your situation.] The “connect” and “resource” roles
grant basic privileges to use the account and create objects. Next, I
will create a sample development user:
SQL> create user dev_user identified by oracle;
User created.
Now the application schema can be altered to allow
connections from individual developer accounts, like this:
alter user app_owner grant connect through dev_user;
Note the syntax:
the APP_OWNER schema is altered to allow connection by or through the
DEV_USER account. This is not a privilege that is assigned directly to
the development user. Once this proxy privilege has been assigned, the
developer can connect to the application schema using their personal
credentials. All they need do is append the application account name
in brackets to the end of their development account name, like this:
SQL> connect dev_user[app_schema]/oracle
Connected.
SQL> show user;
USER is "APP_SCHEMA"
By connecting in this way, the developer can
still perform needed actions but need never be aware of the
application owner account’s real password (assuming one was even
assigned). The proxy account name (the developer’s personal account)
is available in the system session context, and can be automatically
made visible in the v$session view through a database trigger so that
the DBA can tell who is connected to shared accounts at all times.
CREATE OR REPLACE TRIGGER db_session_trig
AFTER LOGON ON DATABASE
DECLARE
  v_proxy_user varchar2(128);
BEGIN
  -- PROXY_USER is only set when the session was opened as proxy[client]
  v_proxy_user := sys_context('userenv','proxy_user');
  if v_proxy_user is not null then
    dbms_session.set_identifier(v_proxy_user);
  end if;
END;
/
select username, osuser, client_identifier
from v$session where username='APEX_040000';
USERNAME OSUSER CLIENT_IDENTIFIER
----------------- --------------- ----------------------
APEX_040000 oracle PETE
Using the PROXY_USERS view it is easy to
determine exactly which developers have access to each application
owner account as well.
PROXY CLIENT AUTHENTICATION FLAGS
------- -------------- -------------- -----------------------------------
PETE APEX_040000 NO PROXY MAY ACTIVATE ALL CLIENT ROLES
Because even basic auditing
captures the OS username of the developer, the audit trail will record
the actual developer behind DDL operations executed as the application
owner.
Sep 4 10:04:07 testdb Oracle Audit: SESSIONID: "12345" ENTRYID: "1"
STATEMENT: "6" USERID: "APP_SCHEMA" USERHOST: "myserver" TERMINAL:
"pts/2" ACTION: "7" RETURNCODE: "0" OBJ$CREATOR: "APP_SCHEMA"
OBJ$NAME: "TEST_TABLE" SES$TID "4567" OS$USERID: "PETE"
Using
individual developer user accounts with proxy account access to
application schemas, it is possible to allow developers to work in
shared accounts while still maintaining account credential security,
visibility of connected users, and an accurate audit history.
Full article here: https://pmdba.wordpress.com/2021/10/15/shared-application-accounts-revisited/
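For the leaver scenario in the question, the proxy setup can be combined with a logon audit policy and a revoke step. This is an added example, not taken from the quoted article; it assumes unified auditing (Oracle 12c or later), an auditor with AUDIT_ADMIN or DBA privileges, the APP_SCHEMA and DEV_USER accounts from the demonstration, and a hypothetical policy name app_schema_logon_pol.

```sql
-- Added example: record and review who connects as the shared schema.

-- 1. Audit every logon and logoff made as the shared schema.
CREATE AUDIT POLICY app_schema_logon_pol ACTIONS LOGON, LOGOFF;
AUDIT POLICY app_schema_logon_pol BY app_schema;

-- 2. Which personal account was behind each APP_SCHEMA session?
--    DBPROXY_USERNAME holds the developer's own login for proxy connections.
SELECT event_timestamp, dbusername, dbproxy_username,
       os_username, userhost, return_code
FROM   unified_audit_trail
WHERE  dbusername  = 'APP_SCHEMA'
AND    action_name = 'LOGON'
ORDER  BY event_timestamp DESC;

-- 3. Direct logons with the schema's own password have no proxy user.
--    Any rows here mean the shared password is still in use by someone.
SELECT event_timestamp, os_username, userhost, terminal
FROM   unified_audit_trail
WHERE  dbusername  = 'APP_SCHEMA'
AND    action_name = 'LOGON'
AND    dbproxy_username IS NULL
ORDER  BY event_timestamp DESC;

-- 4. Which developers are currently allowed to proxy into the schema?
SELECT proxy, client, authentication, flags
FROM   proxy_users
WHERE  client = 'APP_SCHEMA';

-- 5. When a developer leaves: remove the proxy right and lock the personal
--    account. No shared password changes, so other developers are unaffected.
ALTER USER app_schema REVOKE CONNECT THROUGH dev_user;
ALTER USER dev_user ACCOUNT LOCK;
```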
You could use proxy users for this. That way there is no need to share a password and regular auditing can do its job.
Another option could be to define packages in the other schemas that can be called by the developers. The packages need to be defined with definer's rights so when a dev calls the package, the execution is done using the privileges that are directly granted to the schema. Doing so avoids nasty ‘any’ privileges.
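A definer's-rights package of the kind described above, as an added example that is not part of the original answer. The tables, the package name order_api and the accounts APP_SCHEMA and DEV_USER are assumptions for illustration; APP_SCHEMA is assumed to have quota on its default tablespace.

```sql
-- Added example: developers get EXECUTE on one package instead of
-- UPDATE ANY TABLE or the schema password. Run as APP_SCHEMA or a DBA.

CREATE TABLE app_schema.orders (
  order_id NUMBER PRIMARY KEY,
  status   VARCHAR2(20) NOT NULL
);

CREATE TABLE app_schema.order_changes (
  order_id   NUMBER,
  new_status VARCHAR2(20),
  changed_by VARCHAR2(128),
  changed_at TIMESTAMP DEFAULT SYSTIMESTAMP
);

CREATE OR REPLACE PACKAGE app_schema.order_api AUTHID DEFINER AS
  PROCEDURE cancel_order(p_order_id IN NUMBER);
END order_api;
/

CREATE OR REPLACE PACKAGE BODY app_schema.order_api AS
  PROCEDURE cancel_order(p_order_id IN NUMBER) IS
  BEGIN
    -- Runs with APP_SCHEMA's own privileges on its own tables.
    UPDATE orders
    SET    status = 'CANCELLED'
    WHERE  order_id = p_order_id
    AND    status <> 'CANCELLED';

    IF SQL%ROWCOUNT = 0 THEN
      RAISE_APPLICATION_ERROR(-20001, 'Order not found or already cancelled');
    END IF;

    -- SESSION_USER is still the developer who logged in, so the change
    -- is attributable even though it executed as the schema owner.
    INSERT INTO order_changes (order_id, new_status, changed_by)
    VALUES (p_order_id, 'CANCELLED', SYS_CONTEXT('USERENV', 'SESSION_USER'));
  END cancel_order;
END order_api;
/

-- The only privilege the developer needs:
GRANT EXECUTE ON app_schema.order_api TO dev_user;
```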
I am creating an app to change the password of a selected DB user account. When a user selects a particular DB name and a user of that DB and then clicks the submit button, I should call procedures that change the password of the DB user. So guide me on how to connect to the selected DB from Oracle APEX and do it.
As far as I can tell, there are two ways to change someone's password:
connect as that user
connect as a privileged user (such as SYS)
and run such a command:
alter user scott identified by tiger;
As you'd want to do that for any database you have access to, as well as every user in those databases, I doubt that you know their passwords so I guess that you'll connect as a privileged user to all those databases. Of course, you have to know their passwords.
One option would be to
create the same stored procedure (which will modify someone's password) in every database
it'll accept username and its new password
as alter table is DDL, you'll have to use dynamic SQL (execute immediate)
create database links to those databases in a schema you use to connect to your Apex application
depending on database you choose, call appropriate procedure via database link and pass chosen username and its new password. This might also require some kind of dynamic SQL, if you want to use different DB link name
I don't know which database version you use, but - have a look at 11g's Accessing and Modifying Information in Multiple Databases, especially "Running a Stored Procedure in a Remote Oracle Database" chapter for more info.
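Because the procedure builds DDL from a username and password supplied by a web form, the dynamic SQL needs input validation. This is an added example, not part of the original answer; it assumes Oracle 12c or later (for the ORACLE_MAINTAINED column), a hypothetical owner schema PW_ADMIN with ALTER USER and SELECT on DBA_USERS granted directly, and hypothetical APEX items P1_DB_LINK, P1_USERNAME and P1_NEW_PASSWORD.

```sql
-- Added example. Part 1: create this in every target database.
CREATE OR REPLACE PROCEDURE pw_admin.change_password (
  p_username     IN VARCHAR2,
  p_new_password IN VARCHAR2
) AUTHID DEFINER AS
  v_user dba_users.username%TYPE;
BEGIN
  -- Accept only an existing account that is not Oracle-maintained
  -- (SYS, SYSTEM, XS$NULL ...); anything else raises NO_DATA_FOUND.
  SELECT username INTO v_user
  FROM   dba_users
  WHERE  username = UPPER(p_username)
  AND    oracle_maintained = 'N';

  -- DDL cannot take bind variables, so the password is quoted as an
  -- identifier; a double quote inside it would break out of the quoting.
  IF p_new_password IS NULL OR INSTR(p_new_password, '"') > 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password rejected');
  END IF;

  EXECUTE IMMEDIATE 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(v_user, FALSE)
                 || ' IDENTIFIED BY "' || p_new_password || '"';
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RAISE_APPLICATION_ERROR(-20001, 'Unknown or protected account');
END change_password;
/

-- Part 2: the APEX process in the schema that owns the database links.
DECLARE
  v_link user_db_links.db_link%TYPE;
BEGIN
  -- The link name is taken from the dictionary, never from the form value.
  SELECT db_link INTO v_link
  FROM   user_db_links
  WHERE  db_link = UPPER(:P1_DB_LINK);

  -- Username and password travel as bind variables to the remote call.
  EXECUTE IMMEDIATE
    'BEGIN pw_admin.change_password@' || v_link || '(:u, :p); END;'
    USING :P1_USERNAME, :P1_NEW_PASSWORD;
END;
/
```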
I am a newbie to Oracle SQL Developer 3.1.07.42, and have just installed it on my machine. I want to make a new connection, but it requires a user and a password which I do not know. I have been googling about it for many days, and have learned that there are some commands to create a user, but I do not know where I should run those commands, because I cannot run queries/commands until the connection is created.
Would anyone let me know what should I do?
Steps for creating a new user:
1) Open SQL Developer, make a new connection.
2) Log in with the System username and password (made during installation).
3) Once you connect, expand the System user (under Connections, in the left pane) and scroll down to Other users. Then right click users and add new user.
4) Give its username and password & select the appropriate system privilege.
5) You are done now, check by making a new connection.
Use the simple commands below to create a user
-- Create a user
CREATE USER youruser IDENTIFIED BY yourpassword;
-- Grant permissions
GRANT CONNECT, RESOURCE, DBA TO youruser;
You should install the database software on your local PC/laptop, then create a user in the database, and you can connect to the database via SQL Developer by keying in the username and password that you already created. If you want to connect to another database, the steps are the same as before, but first you need to point to the remote database.
I think you should use "Database Configuration Assistant" to create a new database, and you can set the user name and password and use them in Oracle SQL Developer!!!