Oracle - how to export security policies - oracle

Our Oracle DBA is planning to move a number of schemas to new instances. One thing we've noticed: security policies are not being carried over in the exports. Also, they don't seem to count as 'objects' when querying 'all_objects' or 'user_objects'. Different kind of animal, I guess.
Any ideas on how to migrate this stuff smoothly?

Personally I use a tool to extract/generate scripts for specific users or roles. Toad can script users, as can other tools. The one I now use is my own, but I cannot promote it here. If you don't have such a tool, there are other options.
Use export or data pump. When you do full system export (using exp or data pump) you will get all of the grants. You can then use the import / impdp utilities to dump all of the DDL for the grants for users of interest. Once you have the dmp file.
impdp system/ full=Y directory=dumpdir dumpfile=full.dmp logfile=dump.txt grants=y
Or for export
imp system/ full=y grants=y file=full.dmp log=dump.txt
This will dump everything to the dump.txt in text form and you can extract the SQL. Not super pretty, but works.
Use DBMS_METADATA to give you the grants for a user or role.
SQL> set long 50000
SQL> select dbms_metadata.get_ddl( 'USER', 'MSMITH' ) from dual;
SQL> select dbms_metadata.get_granted_ddl('SYSTEM_GRANT', 'MSMITH') from dual;
SQL> select dbms_metadata.get_granted_ddl('OBJECT_GRANT', 'MSMITH') from dual;
SQL> select dbms_metadata.get_granted_ddl('ROLE_GRANT', 'MSMITH') from dual;
Or for roles:
SQL> select dbms_metadata.get_ddl( 'ROLE', 'JUNIOR_DBA' ) from dual;
SQL> select dbms_metadata.get_granted_ddl('SYSTEM_GRANT', 'JUNIOR_DBA') from dual;
SQL> select dbms_metadata.get_granted_ddl('OBJECT_GRANT', 'JUNIOR_DBA') from dual;
SQL> select dbms_metadata.get_granted_ddl('ROLE_GRANT', 'JUNIOR_DBA') from dual;
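Added example, not part of the original answer: the commands above script users, roles and grants. If the "security policies" in the question are Virtual Private Database (row-level security) policies, they are listed in DBA_POLICIES, and the query below spools one DBMS_RLS.ADD_POLICY call per policy. It assumes a placeholder schema APP_OWNER and covers ungrouped policies (group SYS_DEFAULT) without column-level options.

```sql
-- Added example, not from the original answer. Assumes the policies are VPD /
-- row-level security policies registered with DBMS_RLS. APP_OWNER is a
-- placeholder schema name. Run as a user who can read DBA_POLICIES.
set long 50000 linesize 200 pagesize 0 trimspool on feedback off
spool recreate_policies.sql

select 'begin' || chr(10) ||
       '  dbms_rls.add_policy(' || chr(10) ||
       '    object_schema   => ''' || object_owner || ''',' || chr(10) ||
       '    object_name     => ''' || object_name  || ''',' || chr(10) ||
       '    policy_name     => ''' || policy_name  || ''',' || chr(10) ||
       '    function_schema => ''' || pf_owner     || ''',' || chr(10) ||
       '    policy_function => ''' ||
            nvl2(package, package || '.', null) || function || ''',' || chr(10) ||
       -- SEL/INS/UPD/DEL/IDX are YES/NO flags; rebuild the comma-separated list
       '    statement_types => ''' ||
            rtrim(decode(sel, 'YES', 'SELECT,') || decode(ins, 'YES', 'INSERT,') ||
                  decode(upd, 'YES', 'UPDATE,') || decode(del, 'YES', 'DELETE,') ||
                  decode(idx, 'YES', 'INDEX,'), ',') || ''',' || chr(10) ||
       '    update_check    => ' || decode(chk_option, 'YES', 'true', 'false') || ',' || chr(10) ||
       '    enable          => ' || decode(enable, 'YES', 'true', 'false') || ',' || chr(10) ||
       '    policy_type     => dbms_rls.' || policy_type || ',' || chr(10) ||
       '    long_predicate  => ' || decode(long_predicate, 'YES', 'true', 'false') || ');' || chr(10) ||
       'end;' || chr(10) || '/'
from   dba_policies
where  object_owner = 'APP_OWNER'
and    policy_group = 'SYS_DEFAULT'   -- grouped policies need ADD_GROUPED_POLICY
order  by object_name, policy_name;

spool off
```

The policy functions are ordinary PL/SQL objects and must already exist and compile in the target instance before the spooled script is run.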

Related

PL/SQL Hierarchical Profiler in Autonomous Database

How can I use the PL/SQL hierarchical profiler in an Oracle autonomous database? When I try to run the following code, I get the error "PLS-00201: identifier 'DBMS_HPROF' must be declared":
begin
sys.dbms_hprof.create_tables(force_it => true);
end;
/
The package DBMS_HPROF exists but is not granted to any user:
SQL> select owner,object_name,object_type from dba_objects where object_name='DBMS_HPROF' order by 1,2,3;
OWNER OBJECT_NAME OBJECT_TYPE
------- ------------ -------------
PUBLIC DBMS_HPROF SYNONYM
SYS DBMS_HPROF PACKAGE
SYS DBMS_HPROF PACKAGE BODY
SQL> select * from dba_tab_privs where table_name = 'DBMS_HPROF';
no rows selected
If this was a local database, I would logon as SYS and run grant execute on sys.dbms_hprof to my_username;. But as far as I know, there is no way to run a command as SYS on an Oracle autonomous database.
If this was Amazon RDS, I could probably run a command like RDSADMIN.RDSADMIN_UTIL.GRANT_SYS_OBJECT(.... But as far as I know, there is no such package on an Oracle autonomous database. None of the DBMS_CLOUD* packages seem to have what I'm looking for either.
I'm using Oracle 21c Autonomous Data Warehouse on the Always Free tier.
Is there a way to run the PL/SQL hierarchical profiler on the cloud? Or am I stuck using the older profiler as a workaround?
Try following MOS ER: 34369019. As for all MOS documents, this requires a login.

Oracle command to create a table from another schema, including triggers?

Using this command, I am able to create a table from another schema, but it does not include triggers. Is it possible to create a table from another schema, including triggers?
create table B.tablename unrecoverable as select * from A.tablename where 1 = 0;
First option is to run CREATE script for those objects, if you have a code repository. I suppose you don't.
If you use any GUI tool, things are getting simpler as they contain the SCRIPT tab that enables you to copy code from source and paste it into target user.
If you're on SQLPlus, it means that you should, actually, know what you're supposed to do. Here's a short demo.
SQL> connect hr/hr@xe
Connected.
SQL> create table detail (id number);
Table created.
SQL> create or replace trigger trg_det
2 before insert on detail
3 for each row
4 begin
5 :new.id := 1000;
6 end;
7 /
Trigger created.
SQL>
SQL> -- you'll have to grant privileges on table to another user
SQL> grant all on detail to scott;
Grant succeeded.
Connect as SCOTT and check what we've got:
SQL> connect scott/tiger@xe
Connected.
SQL> -- now, query ALL_SOURCE and you'll get trigger code
SQL> set pagesize 0
SQL> col text format a50
SQL> select text from all_source where name = 'TRG_DET' order by line;
trigger trg_det
before insert on detail
for each row
begin
:new.id := 1000;
end;
6 rows selected.
SQL>
Yet another option is to export & import the table, which will get the trigger as well (I've removed parts that aren't relevant, such as the Oracle database version):
C:\>exp hr/hr@xe tables=detail file=detail.dmp
About to export specified tables via Conventional Path ...
. . exporting table DETAIL 0 rows exported
Export terminated successfully without warnings.
C:\>imp scott/tiger@xe file=detail.dmp full=y
. importing HR's objects into SCOTT
. importing HR's objects into SCOTT
. . importing table "DETAIL" 0 rows imported
Import terminated successfully without warnings.
C:\>
Check what's imported (should be both table and trigger):
SQL> desc detail
Name Null? Type
----------------------------------------- -------- ---------------
ID NUMBER
SQL> select * From detail;
no rows selected
SQL> insert into detail (id) values (-1);
1 row created.
SQL> select * From detail;
ID
----------
1000
SQL>
Cool; even the trigger works.
There might be some other options, but these 4 should be enough to get you started.

how to record all oracle select statement executed on table oracle

I want to record every SELECT statement executed on a specific Oracle table,
along with the PC's IP address, Windows username and PC name.
In other words, I need to know who read a table and when.
I searched and found that this query will return the PC's IP address, Windows username and PC name:
SELECT SYS_CONTEXT ('USERENV', 'IP_ADDRESS'),
SYS_CONTEXT ('USERENV', 'HOST'),
SYS_CONTEXT ('userenv', 'OS_USER')
FROM DUAL;
But I am wondering: will this return correct information when there is no database on that PC?
Since a trigger cannot be fired on SELECT, how do I deal with that case?
I am using an Oracle Forms 6i application, in case there is a possible solution there too.
You can use database auditing for individual SQL DML/DDL statements.
Example:
SQL> conn sys as sysdba
SQL> alter system set audit_trail=DB,EXTENDED scope=spfile;
Reboot the database.
I have a table called T1 and I want to audit SELECT statements fired against it.
SQL> audit select on t1 by access;
Audit succeeded.
SQL> select * from t1;
no rows selected
The audit information can be obtained from USER_AUDIT_TRAIL view.
SQL> select OS_USERNAME,USERNAME, USERHOST, SQL_TEXT, ACTION_NAME from dba_audit_trail where obj_name='T1';
OS_USERNAME USERNAME USERHOST SQL_TEXT ACTION_NAME
------------ --------- ------------ ----------------- ------------
oracle JAY myserver.js select * from t1 SELECT
Individually Auditing SQL Statements

what's the reason of dbms_metadata.get_granted_ddl('SYSTEM_GRANT', 'AQ_ADMINISTRATOR_ROLE') ora-31608 error?

I'd like to get the DDL of all roles in the database using the dbms_metadata package. Unfortunately, dbms_metadata.get_granted_ddl fails with an error when there are no grants (object, system or role type) for the role. That's why I have to check for the presence of privileges in the dba_tab_privs, dba_sys_privs and dba_role_privs views.
Although the AQ_ADMINISTRATOR_ROLE role has system privileges, the following statement fails. Checked on two databases.
sqlplus system/pass@db1
select dbms_metadata.get_granted_ddl('SYSTEM_GRANT', 'AQ_ADMINISTRATOR_ROLE')
from dual
where exists (select 1 from dba_sys_privs where grantee = 'AQ_ADMINISTRATOR_ROLE')
/
ORA-31608: specified object of type SYSTEM_GRANT not found ORA-06512:
at "SYS.DBMS_METADATA", line 4018 ORA-06512: at "SYS.DBMS_METADATA",
line 5991 ORA-06512: at line 1
select * from v$version
/
Oracle Database 11g Release 11.2.0.2.0 - 64bit Production PL/SQL
Release 11.2.0.2.0 - Production CORE 11.2.0.2.0 Production
Oracle returns that exception if there are no rows that match your parameters. There must be no SYSTEM_GRANT objects for AQ_ADMINISTRATOR_ROLE.
This will return what you are looking for:
select dbms_metadata.GET_GRANTED_DDL('SYSTEM_GRANT') from dual;
This will return something like:
GRANT CREATE JOB TO "SCOTT"
GRANT SELECT ANY DICTIONARY TO "SCOTT"
GRANT EXECUTE ANY TYPE TO "SCOTT"
I assume you want to extract the DDL for all privileges (roles/permissions) given to the current schema user (when you say 'database').
If one wants to extract for a given user, use the following:
select dbms_metadata.GET_GRANTED_DDL('SYSTEM_GRANT', 'SCOTT') from dual;
If one wants to extract the privileges given on an OBJECT from the current user to another schema user, use the following:
select DBMS_METADATA.GET_DEPENDENT_DDL('OBJECT_GRANT','TEST_TABLE') from dual;

Oracle: copy a role from one database to another?

I would like to duplicate some roles from a production database to a test database.
How can I programmatically generate a text-based SQLPLUS script to do this? Since I'm only interested in the roles, I don't want to use EXP/IMP.
DBMS_METADATA might be helpful: http://www.orafaq.com/wiki/DBMS_METADATA
SELECT dbms_metadata.get_ddl('ROLE', role) FROM dba_roles;
SELECT dbms_metadata.get_granted_ddl('ROLE_GRANT', '&&your_role_name') FROM dual;
SELECT dbms_metadata.get_granted_ddl('SYSTEM_GRANT','&&your_role_name') FROM dual;
SELECT dbms_metadata.get_granted_ddl('OBJECT_GRANT','&&your_role_name') FROM dual;
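Added example, not from either answer: the per-role calls above, combined with the ORA-31608 behaviour reported in the previous question, as one SQL*Plus script. It prints CREATE ROLE plus all three grant types for every matching role and skips any grant type for which DBMS_METADATA raises ORA-31608. The substitution variable role_pattern and the helper emit are names chosen for this example.

```sql
-- Added example. Run in SQL*Plus as a user who can read DBA_ROLES and
-- call DBMS_METADATA for other grantees; spool the output to get a script.
set serveroutput on size unlimited
set verify off

declare
  no_such_grant exception;
  pragma exception_init(no_such_grant, -31608);   -- "object of type ... not found"

  type name_list is table of varchar2(30);
  grant_types constant name_list :=
    name_list('SYSTEM_GRANT', 'OBJECT_GRANT', 'ROLE_GRANT');

  -- Print a CLOB line by line so no statement is split mid-token.
  procedure emit(p_ddl in clob) is
    len pls_integer := dbms_lob.getlength(p_ddl);
    pos pls_integer := 1;
    nl  pls_integer;
  begin
    while pos <= len loop
      nl := dbms_lob.instr(p_ddl, chr(10), pos);
      if nl = 0 then
        nl := len + 1;                            -- last line has no line feed
      end if;
      dbms_output.put_line(dbms_lob.substr(p_ddl, nl - pos, pos));
      pos := nl + 1;
    end loop;
  end emit;
begin
  -- Terminate each generated statement with ';' so the output is runnable.
  dbms_metadata.set_transform_param(
    dbms_metadata.session_transform, 'SQLTERMINATOR', true);

  for r in (select role from dba_roles
            where  role like '&role_pattern'
            order  by role) loop
    emit(dbms_metadata.get_ddl('ROLE', r.role));
    for i in 1 .. grant_types.count loop
      begin
        emit(dbms_metadata.get_granted_ddl(grant_types(i), r.role));
      exception
        when no_such_grant then
          null;   -- nothing of this grant type to script for this role
      end;
    end loop;
  end loop;
end;
/
```

Catching the exception per call replaces the pre-check against dba_sys_privs, dba_tab_privs and dba_role_privs, so a role like the one in the ORA-31608 question no longer aborts the whole run.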
