I have two users on windows server
Administrator
devUser
Both can use SQL Developer to connect to Oracle 11g Server (Oracle e-Business suite) but in the same query (from synonym) they got the difference result: devUser got the correct result and Administrator got null in first three columns.
SELECT * from XXAUTO.XXFND_OU_COMPANY_V
where ou_name like 'ASL%'
Query Result from Administrator(Windows User)
Seems like the view has some form of VPD in place. Oracle supports Fine-Grained Access Control through its DBMS_RLS package, which despite the name allows us to implement security policies on columns as well as rows (since 10g). Find out more.
The common model is, when users connect to the database a LOGON trigger populates an application context with details about them. These details are used to generate as additional filters on tables and views which have security policies in place. You can confirm this by using the pertinent views: start with ALL_POLICIES and drill down depending on what you find.
It's possible the view implements a hand-rolled version of this (FGAC is an Enterprise Edition feature) but if you're using EBS that seems unlikely.
Another option is that your database is protected by Oracle Database Vault. This product is a chargeable extra to the EE license. It is a very powerful tool, and one of its uses is to prevent super users like sysadmins or DBAs abusing their privileges to look at sensitive data. It seems unlikely that an organisation would put Database Vault in place on a server that developers have access to but I offer this suggestion for completeness. Find out more.
Thank you for all.
Now I found the problem that is both user set the different Windows locale.
Related
My requirement is just to monitor and know how many a user log in per month.I need to count number of logins for a user with the time they login
Can anyone please help me in how to do this?
Is there any log file such as obis1-query log file for queries processing monitoring in OBIEE to get these info?
Thanks
Not familiar with obiee and if users log in via a connection pool, but if they log in as an Oracle defined user ID, you want a System Trigger in PL/SQL:
create trigger user_logged_in
after logon database
begin
insert into some_audit_table
(user_id, login_time)
values (sys_context('USERENV', 'CURRENT_USER'), sysdate);
end;
/
Not tested, but that should give you a start. Above example derived from Oracle PL/SQL Language Reference Example 9-21.
User tracking is your friend. You can set up to log information in the OBIEE RCU database (that database you create/configure as part of OBIEE installation), and it includes the login information. Look how to set up it in Oracle documentation, as well as blog posts (look for OBIEE User tracking in Google). Keep in mind your OBIEE version, as the details to set it up have changed in different versions, basically it involves two steps:
Set up the RPD to query to the RCU database and table (mainly, in
your XXX_BIPLATFORM DB user, the S_NQ_ACCT table for general
information, and the S_NQ_DB_ACCT table for the physical
queries)
Modify the OBIEE config file or in the EM Beans (depending on
your OBIEE version) referencing the RPD Physical layer you have set
up.
Regards
I am going to share with you my finding about my question which has asked. As you may know, OBIEE repository tables, which can be used to show to end users as subject area that this is usgae tracking utility, just track information around sent queries to BI server and not more about users specifically. In this occasion, you can use a method which called enhanced usage tracking for OBIEE that is presented completely here: https://www.rittmanmead.com/blog/2016/12/enhanced-usage-tracking-for-obiee-now-available-as-open-source/
This is exactly what you want. All detail information about users activities in OBIEE and even some redundant ones. You can create a physical table, then add it to repository file and display as subject area to end user with any permission. Of course, according to your software environment or implementation structure, you are supposed to make some changes in this manner.
I hope this goes well.
I've been trying for days but cannot find the answer to this. I am using Oracle Application Express (APEX), someone else setup the initial connection to a "Apex" database in oracle, but I am trying to connect to our production database in oracle. I am making web forms and the web forms are connected to the "Apex" database that was setup already, but I need to connect to our production database so we can create reports from the data entered through the web forms. I need the tables to show up in the create page option from the production database, currently its coming from the apex database, please help.
Create Page View with Tables (from apex)
Thank You so much in Advance!
What is the "production database"? Is it really a different database (than the one you're currently connected to), or is it a user in the same database?
if former:
you could create a database link between those two databases and create synonyms for production users' tables in one of schemas your workspace is assigned to.
another option is to install Apex onto the production database, so that you could use current installation as "development" and then deploy the application into the "production-based" Apex
if latter, you might do the same (i.e. create synonyms, just without the database link), or simply assign the production schema to your workspace
You may be interested to read Mike's response to a question with a similar misunderstanding regarding architecture.
https://community.oracle.com/thread/4135843
Once you have your head wrapped around this, you can consider the parsing schema to your application. This schema defines the table access your application has, in the normal way Oracle handles table privileges.
Then it's up to you to define who has access to what pages, using APEX Authorisation Schemes.
The database I am using is Oracle 11g Express Edition release 2.
I created 2 schemas in the same instance xe. They all have the same tables names and sequences names and stored procedures and stored functions and views names. But the tables structures and views texts are different ( there is some modifications between them ).
The reason for the creation of these two schemas is because our project has two versions. So the first schema is used for the first version , and the second schema was created for the second version. The mechanism of our web application Spring project is that whenever a connection is made through the web application login page then a corresponding Oracle user is making a connection according to the login entered ; so there is no fixed credential connection , there are Oracle users corresponding to each web application login.
So in order for each user to work with each database objects then I created public synonyms for every objects , and granted permissions to them for each user. But the database objects are owned by the schema I mentioned at the beginning. Now my problem is this : our customer wants the two project versions to be run on a same instance ( same computer server ). So one of the project version cannot run because the public synonyms can only refer to a particular schema owner. So how to make the public synonyms work for each schema ?
In short, you can't. However, you can always use a distinct synonym name to identify the object.
Something similar to below:
create public synonym structures_v1 for schema1.structures;
create public synonym structures_v2 for schema2.structures;
Oracle provides 2 totally different technologies for this situation (which comes to my mind):
Editions (and Edition Based Redefinition)
PDBs
With Editions you can create the same Object once in each Edition - but there are limitations like tables are not editionable.
It's not a feature you just enable, you need to understand the concept and implement it properly.
PDBs enable consolidation of Databases with colliding namespace (such as your described synonyms) within the same CDB and therefore save SGA/memory. Basically they are totally separated - limited interference can be implemented when it's concept of object & data inheritance is understand.
What about creating a 3rd Schema and having Synonym and permission to query 1st and 2nd schema. Anyone tested this concept?
Oracle SQL Developer 4.0.1.14
I currently have an Oracle database with a user who contains a set of tables, views, etc. However, I would like this schema to be shared among multiple people with different logins.
My company has a domain and each employee logs into their computers through this domain, for example
COMPANY_NAME/username
I am hoping to be able to use windows authentication to log each user into the database. This way everyone at the company will automatically have a login with a password they are used to.
In Oracle SQL Developer, I have tried ticking "OS Authentication", and received "Invalid username/password" upon testing the connection. Do I need to create an Oracle user for each domain?
I have also tried checking "Use OCI/Thick driver", but it cannot be checked unless "Use Oracle Client" is configured, which I'm also unsure about.
This question appears to be a duplicate:
Windows Authentication to Oracle for domain group, however the tutorial link is dead. I have not been able to find another tutorial for how to set this up anywhere.
There is a server-side parameter called os_authent_prefix that is typically set to OPS$, and the network user id needs to be prefixed with this in addition to having the IDENTIFIED EXTERNALLY option added to the create user statement.
So if your Windows account id is hambone, then your OS-authentication login would be OPS$hambone, and you don't need a password. I used it for years, and it never required the domain to be specified for a Windows account, which was nice because it meant the same credentials worked for my Unix account.
SQL*Plus, for example would look like:
sqlplus OPS$hambone/#myserver
Likewise, connection strings for applications just have nothing for the password.
For Toad, you would put OPS$hambone as userid and leave the password blank. SQL Developer, I'm honestly not sure -- I can't stand it; I use PL/SQL Developer, but with the various options they have I'd imagine you select OS authentication and/or put the OPS$hambone.
Read the caveats/security warnings on OS authentication. I think in a private network the risks are outweighed by the advantages, but that's for you to decide.
We have application where all logic is implemented in oracle database using pl/sql.
We have different oracle databases for development and production.
When developer make changes in development database after testing we move changes from development database to production database using schema compare tool of toad. Problem here is that developer must have password of production database. We want only admin to know this password.
Can somebody advice me better way of moving changes between databases without need of having production database password, what is best practice for this ?
I posted this question on oracle OTN forums and got some advices there. Maybe it will be interesting for somebody.
Her is a link
I do not recommend to use comparison tools for generating of database migration scripts.
Development and production databases (and also test databases) must be identical except for current changes made by developers in development databases. Generally speaking this assertion is not correct, because there are many kinds of differencies between development and production databases, e.g. partitioned objects, additional objects for audit (triggers, tables), replication-based objects (snapshots), different tablespaces etc.
Every developer must know, what changes were made by him and applied to development database.
If developer was able to change schema and data in developer database, then he/she must be able to create programs for these DDL and DML changes.
To delegate the same developer an ability to run these migration programs on production database is a bad idea. But if you don't have a better way of database migration, then you can use one of following:
1. Configure Oracle authentication by OS. OS authentication allows Oracle to pass
control of user authentication to the operating system.
2. TOAD can save passwords without disclose them. DBA will insert required password
to local TOAD installation at developer PC (if developers use PC).