Due to security issues the user or Informatica has grants to create neither tables nor synonyms.
So I have come up with this:
The PMERR_DATA, PMERR_MSG, etc. tables are created under another user
The user of Informatica is granted to select, inset, update and delete from these tables
Name of the owner of the tables was set in the error table log prefix field:
But when the task starts, the integration service tries to create these PMERR% tables and it fails (due to lack of permissions to create tables)
How can these restrictions be overcome?
Related
I'm trying to copy data from Oracle database table to MS SQL database using Azure Data Factory pipeline.
I have installed oracle locally and using the SYSTEM user, I have created couple of tables in oracle as seen in the screenshot below:
After connecting this local oracle instance with Azure Data Factory via Self Hosted Runtime, I am unable to see the names of these tables in the dropdown of Table names list while creating a dataset for one of these tables. Below are the screenshots of what I am trying to achieve:
But when I search for these tables SPENDREPORT and SPENDREPORTDETAILS, they are not found in this dropdown, as shown in the screenshot below. Any clues as to how I can solve this?
As commented by Justin Cave and also as per Oracle official documentation You must not create any tables in the SYS schema.
•SYS
This account can perform all administrative functions. All base (underlying) tables and views for the database data dictionary are stored in the SYS schema. These base tables and views are critical for the operation of Oracle Database. To maintain the integrity of the data dictionary, tables in the SYS schema are manipulated only by the database. They should never be modified by any user or database administrator. You must not create any tables in the SYS schema.
The SYS user is granted the SYSDBA privilege, which enables a user to perform high-level administrative tasks such as backup and recovery.
• SYSTEM
This account can perform all administrative functions except the following:
• Backup and recovery
• Database upgrade
You should also try to clear Data factory cache and then refresh Table name field.
Our application has its data structured across two schemas, let's call them Main and Archive. This is needed as some tables from the Main schema are archived into corresponding tables in the Archive schema.
The Main schema updates are run using a Liquibase servlet which is run by the Main user when the application first starts.
At the moment all archive updates are run as a separate DBA task. This is a bit inconvenient as we must engage a DBA for simple things like creating a new table in the archive schema and granting the right permissions to the Main user which is the absolute owner of all application data.
We are considering making Main user able to create/alter objects in the archive schema and embed this in our Liquibase scripts.
The Main user has been granted an APP_ADMIN_ROLE that make it entitled to CREATE, ALTER, COMMENT ON etc ANY TABLE so it is able to create and drop tables in the Archive schema.
However, we hit the problem that despite tha fact the Main user can create an Archive table it is not able to grant CRUD operations on that table to itself.
Is there any way to achieve this.
GRANT DBA TO MAIN is not an option.
Thanks in advance
For future references (and extracted from the comment of kfinity), the following solution answered the OPs question best:
A lazy fix: you can also grant CRUD operations for ANY TABLE. In your
case, you could either grant it to the Main user or the role. e.g.
grant select any table, update any table, delete any table, insert any table to APP_ADMIN_ROLE;
I want to create the user and the database within that user. But when I tried to create database its giving the warning message as
ERROR at line 1:
ORA-01501: CREATE DATABASE failed
ORA-01100: database already mounted
Then I tried
STARTUP NOMOUNT;
Its giving the warning message for insufficient privileges even I have given all the permission to that particular user.
Can any one please help in finding the solution for this?
You don't create a database under a user in Oracle; I believe you're using terminology from another database poduct. The equivalent is a schema, which is a logical container for a group of objects. User and schema are essenentially synonymous in Oracle - when you create a user is automatically has its own schema.
You create the database once (which you already seem to have done, or had done for you), then create as many schemas/users as your application needs. You don't ever rerun the create database under normal circumstances - you certainly wouldn't as a normal user.
If you connect as that user you will be able to create tables, views, packages etc., assuming it has really been granted all the necessary privileges.
I have below requirement in oracle database
Create User and grant to all objects in schema "abc"
If i add any tables to schema "abc", then the user should have access by default without executing individual Grant
Current we are executing Grant statements for every objects created in schema, is there any onetime configuration available? Please help
Note: Here user is not a schema owner, for ex. some one who having access to read-only access.
In current versions of Oracle, you could create a DDL Trigger and have this automatically execute a grant on the newly created object to your other user.
See the excellent PSOUG site for an overview: http://psoug.org/reference/ddl_trigger.html
As security tightening exercise, I'm removing all system privileges from an oracle database user. Now this user ONLY has the following system privileges:
CREATE SESSION
UNLIMITED TABLESPACE
I was hoping that the user wont be able to do any DDL commands. But to my surprise, user can DROP TABLE in its own schema even though it can't create one.
Oracle documentation says prerequisite for DROP TABLE is "The table must be in your own schema or you must have the DROP ANY TABLE system privilege". Just that!!! I don't understand the security logic of Oracle but is there any way I can prevent Users from dropping their own tables?
The alternative would be creating another user to run the application and grant object access, which I'd rather like to avoid as there are potential issues.
A user will always have permissions to drop objects that they own. You can't prevent that by revoking privileges.
Since you're looking at tightening security, creating a new user and granting that user whatever privileges they need to manipulate the data is the right answer. The only people that ought to be logging in to a production database as a user that owns application objects are DBAs and then only when they are in the process of deploying changes to the schema. Everyone else should be logging in to the database as users other than the schema owner.
That being said, if the right solution is more work than you're prepared to undertake right now, a potential stopgap would be to create a DDL trigger on the database that throws an exception if a DROP is issued against an object in the specified schema. This is less secure than the proper solution. You may miss something when implementing the trigger, you or someone else may drop or disable the trigger and forget to re-enable it, etc. And it makes security reporting much more difficult because you've got a custom solution that isn't going to be obvious in the various security related data dictionary views which may create problems for auditors.