Database Schema Privileges for ATG - oracle

I am setting up a new instance of ATG (version 10.0.3). I am using an Oracle database (Oracle SE ONE). I need to create the four basic database users - atg_pub, atg_prod, atg_cata, and atg_catb.
Which privileges should I assign to these users in the Oracle database?
I assume each user needs, at the minimum:
CONNECT
CREATE/ALTER/DROP TABLE
CREATE/ALTER/DROP INDEX
Is there a definitive list?
P.S. I am using a shared Oracle instance and do not have the privileges to GRANT ALL to these users

As far as I remember, granting the CONNECT and RESOURCE roles plus some quota on the tablespace was sufficient.
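The grants described in the answer above, written out for the DBA of the shared instance to run, followed by queries that show what each account ends up with. This is an added example, not part of the original thread; the tablespace name ATG_DATA, the 500M quota and the password are placeholder assumptions.

```sql
-- Added example (not from the original thread). Run as a DBA on the shared instance.
-- Assumptions: tablespace ATG_DATA, the 500M quota and the password are placeholders.
DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(30);
  l_users name_list := name_list('ATG_PUB', 'ATG_PROD', 'ATG_CATA', 'ATG_CATB');
  l_cnt   PLS_INTEGER;
BEGIN
  FOR i IN 1 .. l_users.COUNT LOOP
    EXECUTE IMMEDIATE 'CREATE USER ' || l_users(i)
      || ' IDENTIFIED BY "Placeholder_ChangeMe_1"'
      || ' DEFAULT TABLESPACE atg_data QUOTA 500M ON atg_data';
    EXECUTE IMMEDIATE 'GRANT CONNECT, RESOURCE TO ' || l_users(i);

    -- Before 12c, granting RESOURCE also grants UNLIMITED TABLESPACE directly
    -- to the user, which would override the quota above. Remove it if present.
    SELECT COUNT(*) INTO l_cnt
      FROM dba_sys_privs
     WHERE grantee = l_users(i) AND privilege = 'UNLIMITED TABLESPACE';
    IF l_cnt > 0 THEN
      EXECUTE IMMEDIATE 'REVOKE UNLIMITED TABLESPACE FROM ' || l_users(i);
    END IF;
  END LOOP;
END;
/

-- What each account can actually do: roles expanded into their system
-- privileges, plus anything granted directly.
SELECT rp.grantee, rp.granted_role AS via, sp.privilege
  FROM dba_role_privs rp
  JOIN dba_sys_privs sp ON sp.grantee = rp.granted_role
 WHERE rp.grantee IN ('ATG_PUB', 'ATG_PROD', 'ATG_CATA', 'ATG_CATB')
UNION ALL
SELECT grantee, 'DIRECT', privilege
  FROM dba_sys_privs
 WHERE grantee IN ('ATG_PUB', 'ATG_PROD', 'ATG_CATA', 'ATG_CATB')
 ORDER BY 1, 2, 3;

-- Quota check: MAX_BYTES = -1 means unlimited.
SELECT username, tablespace_name, bytes, max_bytes
  FROM dba_ts_quotas
 WHERE username IN ('ATG_PUB', 'ATG_PROD', 'ATG_CATA', 'ATG_CATB');
```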

Related

How to grant rights on select from SYS objects to ADMIN user (autonomous cloud database free-tier)

I can't grant select on some tables (say SYS.AQ$SCHEDULER_EVENT_QTAB).
However, I can see these tables in dba_objects.
I've an absolutely free autonomous database on Oracle cloud.
What should I do?
The ADMIN user does not have privileges to grant access to SYS objects in an Autonomous Database. Because of the shared nature of autonomous database services, full access to the SYS schema is not possible. If access to the tables or views in question cannot be obtained from an existing pre-defined role, then you will not be able to access them directly. From the documentation:
Because Oracle Autonomous Database imposes security controls and
performs administrative database tasks for you, the ADMIN user does
not have as many privileges as the SYS user. Here is a list of the
privileges that the ADMIN user does not have but that the SYS user in
an Oracle Database does have:
ALTER LOCKDOWN PROFILE
BACKUP ANY TABLE
BECOME USER
CREATE ANY JOB
CREATE ANY LIBRARY
CREATE LIBRARY
CREATE LOCKDOWN PROFILE
CREATE PLUGGABLE DATABASE
DEQUEUE ANY QUEUE
DROP LOCKDOWN PROFILE
EM EXPRESS CONNECT
ENQUEUE ANY QUEUE
EXPORT FULL DATABASE
FLASHBACK ANY TABLE
FLASHBACK ARCHIVE ADMINISTER
GRANT ANY PRIVILEGE
GRANT ANY ROLE
IMPORT FULL DATABASE
INHERIT ANY PRIVILEGES
LOGMINING
MANAGE ANY FILE GROUP
MANAGE ANY QUEUE
MANAGE FILE GROUP
USE ANY JOB RESOURCE
USE ANY SQL TRANSLATION PROFILE

Provide read only access only to specific View in Oracle

I have 5 views in my Oracle database schema, and I need to provide read-only access to only one view for a user.
I am thinking of the approach below, but I am not sure if it's possible, as I am not good at the DBA part.
a) Create a new user or the corresponding business role APP_ROLE and assign "CREATE SESSION" rights.
b) GRANT SELECT ON <view> TO {APP | APP_ROLE}
In current Oracle versions (>= 12.1.0.2) it's better to use the READ privilege:
New features 12.1.0.2
READ Object Privilege in Oracle Database 12c Release 1 (12.1.0.2)
On previous versions - yes, grant select is fine.
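The approach from the question combined with the READ privilege from the answer, as an added example that is not part of the original posts. APP_OWNER, ORDERS_V, APP_READ_ROLE, REPORT_USER and the password are hypothetical names; the last query checks that nothing else in the schema is reachable.

```sql
-- Added example (not from the original posts). All object names are hypothetical.
-- Run as a DBA, or as APP_OWNER for the object grant.
CREATE ROLE app_read_role;
GRANT READ ON app_owner.orders_v TO app_read_role;  -- 12.1.0.2+; use SELECT on older releases

CREATE USER report_user IDENTIFIED BY "Placeholder_ChangeMe_1";
GRANT CREATE SESSION TO report_user;
GRANT app_read_role TO report_user;

-- Connected as REPORT_USER:
SELECT COUNT(*) FROM app_owner.orders_v;
-- succeeds with either READ or SELECT

SELECT * FROM app_owner.orders_v FOR UPDATE;
-- READ:   ORA-01031: insufficient privileges
-- SELECT: allowed on an updatable view, and it locks rows in the base table

LOCK TABLE app_owner.orders_v IN EXCLUSIVE MODE;
-- READ:   ORA-01031: insufficient privileges
-- SELECT: allowed, so a "read-only" account could block writers

-- Back as a DBA: confirm the account reaches only the one view.
-- Expect a single row (READ on ORDERS_V to APP_READ_ROLE) plus any PUBLIC grants.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'APP_OWNER'
   AND grantee IN ('REPORT_USER', 'APP_READ_ROLE', 'PUBLIC');

-- An ANY privilege would bypass object grants entirely. Expect no rows.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('REPORT_USER', 'APP_READ_ROLE')
   AND privilege IN ('SELECT ANY TABLE', 'READ ANY TABLE');
```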

Difference Between DBA and All privileges

I want to know what is the difference between the following two statements in oracle:
GRANT DBA TO Jack
GRANT ALL PRIVILEGES TO Jack
I advise you not to try providing DBA and NEVER provide ALL PRIVILEGES to any user, because such a thing should be done only by experienced developers.
Usually there is only ONE user who is provided DBA role.
As per oracle documentation:
When oracle database is installed, there are two admin roles created:
1. SYS 2. SYSTEM
A SYS role can access the internal data dictionary tables of the Oracle database.
All of the base tables and views for the database data dictionary are stored in the schema SYS. These base tables and views are critical for the operation of Oracle Database. To maintain the integrity of the data dictionary, tables in the SYS schema are manipulated only by the database.
If you flirted with any internal SYS tables, you may face license cancellation.
The SYSTEM username is used to create additional tables and views that display administrative information, and internal tables and views used by various Oracle Database options and tools. Never use the SYSTEM schema to store tables of interest to non-administrative users.
The DBA role does not include the SYSDBA or SYSOPER system privileges. These are special administrative privileges that allow an administrator to perform basic database administration tasks, such as creating the database and instance startup and shutdown.
Here GRANT ALL PRIVILEGES is provided to a user on a particular object, even a system object, and this does not include SYS and SYSTEM privileges; you can do any action on such an object, which is why you should avoid using ALL PRIVILEGES.

What is the significance of connect role in oracle

What is the purpose of the CONNECT role in Oracle?
select * from role_sys_privs where role='CONNECT';
ROLE     PRIVILEGE       ADMIN_OPTION
CONNECT  CREATE SESSION  NO
So based on the above information it is used to create session.
But I can find users who don't have the CONNECT role but can still access the database.
So what is this CREATE SESSION about, and what can it do? Is it necessary for all users?
According to the Database Security Guide, the CONNECT ROLE was changed in Oracle Database 10.2:
The CONNECT role was originally established a special set of privileges.
These privileges were as follows:
ALTER SESSION
CREATE SESSION
CREATE CLUSTER
CREATE SYNONYM
CREATE DATABASE LINK
CREATE TABLE
CREATE SEQUENCE
CREATE VIEW
Beginning in Oracle Database 10g Release 2, the CONNECT role has only the CREATE SESSION privilege, all other privileges are removed.
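Since the login right is the CREATE SESSION privilege rather than the CONNECT role itself, an account can hold it directly or through any other role. The following query, an added example that is not part of the original answer, lists each database user with the path by which it received CREATE SESSION; it assumes access to the DBA_* dictionary views.

```sql
-- Added example (not from the original answer). Needs access to the DBA_* views.
-- Path 1: CREATE SESSION granted directly to the user.
SELECT sp.grantee AS username, 'direct grant' AS how
  FROM dba_sys_privs sp
  JOIN dba_users u ON u.username = sp.grantee
 WHERE sp.privilege = 'CREATE SESSION'
UNION
-- Path 2: CREATE SESSION held by a role the user has, including roles
-- granted to other roles (walked with a hierarchical query).
SELECT r.username, 'role ' || r.granted_role
  FROM (SELECT CONNECT_BY_ROOT grantee AS username, granted_role
          FROM dba_role_privs
         START WITH grantee IN (SELECT username FROM dba_users)
       CONNECT BY PRIOR granted_role = grantee) r
  JOIN dba_sys_privs sp ON sp.grantee = r.granted_role
 WHERE sp.privilege = 'CREATE SESSION'
 ORDER BY 1, 2;

-- Path 3: a grant to PUBLIC applies to every account. Expect no rows.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'CREATE SESSION';
```

Users that appear only with a "direct grant" row, or with a role other than CONNECT, are the ones the question describes.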

Oracle XE Suit - Where's the ON switch?

I'm not a DBA, but I have some basic understanding about how SQL Server is supposed to work. I'm having trouble translating this knowledge into getting a working Oracle XE database, so my girlfriend can play around with her bookstore coursework.
So, I installed Oracle XE database, and downloaded Oracle SQL Developer. I supplied a password, during installation, and using this password in conjunction with sys login in sysdba-mode, I'm able to connect and browse the database, which I can only assume is the master database, since there are numerous tables that have nothing to do with future bookstores.
I want to create a new - empty database, and I don't much care about how it's configured. It's a playpen for coursework. So I happily stab with:
create database bookstore
and receive an error to the effect of:
ORA-01100: database already mounted
I just want to create a new database, so that if something goes wrong I can do a drop database bookstore instead of manually deleting tables and such. In SQL Server Management Studio you execute these statements on the master database, and then connect to the specific database you want to play with.
A SQL Server database is roughly equivalent to a schema in Oracle. And a schema in Oracle is a collection of objects owned by a particular user.
Given that, it appears that you want to do something like
Create a user
CREATE USER bookstore IDENTIFIED BY bookstore;
Grant privileges to the user
GRANT CREATE SESSION TO bookstore;
GRANT UNLIMITED TABLESPACE TO bookstore;
GRANT CREATE TABLE TO bookstore;
GRANT CREATE VIEW TO bookstore;
GRANT CREATE TYPE TO bookstore;
GRANT CREATE SYNONYM TO bookstore;
GRANT CREATE PROCEDURE TO bookstore;
GRANT CREATE SEQUENCE TO bookstore;
GRANT CREATE MATERIALIZED VIEW TO bookstore;
Now, you should be able to connect to the bookstore schema in the XE database and create whatever tables, views, triggers, etc. you want.
You just need to create a schema in the database you already have. A schema in Oracle is sort of roughly equivalent to database in SQL Server, in some ways. Your girlfriend would use that schema as her playpen and you could drop it and recreate it easily. You should also create a user for her, which I think automatically creates a schema with same name as the user. But I would still create a dedicated coursework schema.
Oracle has extensive online documentation. Here's the master index for 10g. It's a bit daunting but you'll get to know your way around it.
