I am trying to identify incoming users into Oracle in order to give them access rights according to their identity (FGAC). Users are located in different domains, which means that they might have identical system usernames (Windows usernames).
I have been trying to use the environment context variable sys_context('userenv', 'var') where I get the domain name (e.g. SYS_CONTEXT('USERENV','HOST') and SYS_CONTEXT('USERENV','OS_USER')), but I seem to get different results depending on the connection method.
Are there any other means of getting the users' true identity I can explore?
I'm not sure which variable you should use but you may want to look at select * from v$session to help you pick one.
If you're basing FGAC on OS_USER environment variable, you're truly not securing the data. OS_USER isn't a credential passed to Oracle, it's just a string that can be manipulated by an attacker.
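An added example (not from either answer above) that separates the USERENV attributes the client merely reports from those the server establishes at logon, wrapped in a PL/SQL function a VPD policy could call instead of reading OS_USER; the function name is assumed, and the USERENV parameters used exist in Oracle 10g and later.

```sql
-- Added example, not from the answers above. Function name is assumed.
-- OS_USER, HOST and TERMINAL are filled in by the client library and can be set
-- to anything by the caller; SESSION_USER, AUTHENTICATION_METHOD and
-- AUTHENTICATED_IDENTITY are established by the server during logon.
CREATE OR REPLACE FUNCTION verified_identity RETURN VARCHAR2 IS
  v_method VARCHAR2(30) := SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD');
  v_idtype VARCHAR2(30) := SYS_CONTEXT('USERENV', 'IDENTIFICATION_TYPE');
BEGIN
  -- No server-side authentication took place: refuse to name anyone,
  -- so a policy built on this value yields no rows.
  IF v_method IS NULL OR v_method = 'NONE' THEN
    RETURN NULL;
  END IF;
  -- Externally or globally identified users (Kerberos, SSL, directory):
  -- use the principal the server accepted. A Kerberos principal carries its
  -- realm, so "jsmith" from two domains stays distinct. For plain OS
  -- authentication this is only as strong as the OS login, and it is
  -- meaningless if REMOTE_OS_AUTHENT is enabled (keep it FALSE).
  IF v_idtype IN ('EXTERNAL', 'GLOBAL') THEN
    RETURN SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY');
  END IF;
  -- Password-authenticated database user (also the end user of a proxy
  -- connection): the database account name is the verified identity.
  RETURN SYS_CONTEXT('USERENV', 'SESSION_USER');
END verified_identity;
/

-- Side-by-side view of client-claimed versus server-verified attributes
-- for the current session; compare these across your connection methods.
SELECT SYS_CONTEXT('USERENV', 'OS_USER')                AS client_claimed_os_user,
       SYS_CONTEXT('USERENV', 'HOST')                   AS client_claimed_host,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')  AS server_auth_method,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS server_verified_identity,
       verified_identity                                AS identity_for_fgac
FROM dual;
```

The same distinction is visible in V$SESSION_CONNECT_INFO, whose AUTHENTICATION_TYPE column shows how each session was authenticated.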
I would like to hear your opinion or how you deal with such cases in practice.
It is about an external person being selected by a user who is already registered in the system.
The information is stored in a staging table for the time being. The internal user expects an answer from the external person, who is unknown to the system.
The external person has two options
Accept
Reject
First case: If the external person accepts, he/she must first make some entries; these should also be stored in the staging table for the time being. However, in order to make these entries, the person must logically register in the system?
Second case: If the external person rejects, it would be superfluous for this person to register in the system. But how can I save and retrieve this answer in order to show it to the internal person?
Does the external person have to register first in order to be able to give an answer (of any kind) so that this answer can be saved and retrieved?
If the person registers in the system, where should personal data be stored, also in a staging table?
I know this answer is very superficial, I am new to development and wonder how temporary user accounts in the system are generally handled in practice.
The way I see it, you'd create a public page (i.e. the one that doesn't require any authentication) and let those "external" people visit it and either accept or reject what's being offered.
Their answer can be stored in a database; I'd suggest you not create a region which has an actual table behind it, but call a stored procedure which will accept certain parameters (the external person's answer and possibly some other data) and perform an INSERT operation into the database table.
Can you let me know the script in Oracle to change the COMMON column in the USER_ROLES_PRIVS table? Currently it is set to No but I need to change it to Yes. Any help will be appreciated.
Why do you think that you need to change it to "yes"?
If you planned to mess with the Oracle data dictionary, don't do that.
Documentation (12c; that value doesn't exist in lower versions) says that COMMON:
Indicates how the grant was made. Possible values:
YES if the role was granted commonly (CONTAINER=ALL was used)
NO if the role was granted locally (CONTAINER=ALL was not used)
Now that you know it, use container=all while granting the role.
I am using Oracle APEX 5, Oracle Database 12c.
I have successfully configured Oracle APEX 5 with Oracle DB 12c.
My requirement is to access the username and password from the URL and use them as login credentials.
But I am not able to get the username and password from the URL in APEX processes.
I tried the below:
URL : f?p=136:1:::::PX_USER,PX_PWD:shree,itdev
I access them like :PX_USER and :PX_PWD
but that's not working for me. If there is any other method for accessing parameters in processing then please suggest it.
Let's hope this is just for educational purposes only. Showing username and password in a URL is not very safe...
If you call an Apex page like this:
URL : f?p=136:1:::::PX_USER,PX_PWD:shree,itdev
This means that the value "shree" is assigned to page item PX_USER and the value "itdev" is assigned to PX_PWD.
The standard way to name items in Apex is to use the page number. So, create hidden page items P136_USER and P136_PWD and call the page like this:
URL : f?p=136:1:::::P136_USER,P136_PWD:shree,itdev
The values should be accessible now.
Are you using them in SQL/PL/SQL? If you are trying to just set values with them on the page (such as giving another item it as the default value or outputting them in an HTML region), then you have to reference the values such as &PX_USER.
The ending dot is sometimes very important.
And as Rene wrote, make sure they are declared page items. If they are, your naming convention is unorthodox. Do adopt the P_name style.
The scenario : an Oracle 11g database containing some sensitive user data that could result in legal liabilities if disclosed to the wrong party.
The desired effect : only a certain user, connecting from a certain IP, can see the column that contains this sensitive user data
I am not sure that hidden columns or virtual columns are the right ways to do this. It seems that Fine-Grained Access Control could help. I am not sure of what is the best solution. The restriction by IP is probably done at the listener level?
The question :
How can we restrict the visibility of a column so it is only available to a specific user? All the other users would never see the column, not even when doing a "DESC TABLE_WITH_SENSITIVE_DATA"
Thanks for any tips.
Simplest way to do this is to create a view on the table that does not contain all of the columns. Don't grant select on the table, but only on the view.
The "proper" way to do this is with Fine-Grained Access Control (Virtual Private Database), which can replace the contents of columns with a NULL if certain conditions are not met.
See the example here: http://docs.oracle.com/cd/B28359_01/network.111/b28531/vpd.htm#autoId17
You can probably build this sort of functionality yourself if you're feeling both impoverished and skilled.
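Both approaches from this answer, as an added example that is not from the answer or the linked documentation. Assumed names: schema HR, table HR.CUSTOMERS with sensitive column SSN, trusted account AUDIT_USER connecting from 10.0.0.25, and role APP_ROLE for everyone else; the policy owner needs EXECUTE on DBMS_RLS.

```sql
-- Added example; all object names are assumed.
-- Option 1: a view that omits the column. Grant only the view, never the
-- table, so other users cannot even DESC the table and learn the column exists.
CREATE OR REPLACE VIEW hr.customers_public AS
  SELECT customer_id, name, email FROM hr.customers;
GRANT SELECT ON hr.customers_public TO app_role;

-- Option 2: VPD column masking. The policy function returns a predicate.
-- With sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS every row is still
-- returned, but SSN reads as NULL whenever the predicate is false.
CREATE OR REPLACE FUNCTION hr.ssn_policy (p_schema IN VARCHAR2,
                                          p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  -- SESSION_USER is verified by the server; IP_ADDRESS is the client
  -- address seen by the listener (NULL for local bequeath connections,
  -- so those sessions are masked too, which is the safe default).
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'AUDIT_USER'
     AND SYS_CONTEXT('USERENV', 'IP_ADDRESS') = '10.0.0.25' THEN
    RETURN '1=1';   -- column visible
  END IF;
  RETURN '1=0';     -- column masked, other columns unaffected
END ssn_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'HR',
    object_name           => 'CUSTOMERS',
    policy_name           => 'MASK_SSN',
    function_schema       => 'HR',
    policy_function       => 'SSN_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SSN',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
```

Note that VPD masks the column's values but does not hide the column from DESC; only the view approach keeps the column's existence out of sight.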
Do you have the ability to modify roles and create views? Perhaps you could create two separate views and grant access to two different roles for that table. All users that are restricted from seeing the sensitive data would belong to a "restricted" role and the others would have access to the "unrestricted" role. You would need to grant privileges on each view to the appropriate role.
It is important to note that there are restrictions on updating the underlying data associated with a view. As explained here, views that contain set operators, aggregates, GROUP BY, DISTINCT, or joins are not modifiable.
I was wondering if there is a way to check if the "Current User" (User!UserID) running the report is in a network group, from the dataset query of a report? Currently we are restricting access to data based on the "CurrentUser" by checking in the WHERE clause of a SQL query, for example, if the CurrentUser is the "Creator" of a domain object. Based on this, if the CurrentUser is not the creator, then no data will be returned in the result set to the report. Now I want to add another condition in the WHERE clause, which is, to check if the User!UserId is in a network group. Is this possible? If not, can anyone give any suggestions on whether I should be trying to accomplish this another way?
Maybe this will help. You can add an Active Directory server as a linked server and then use openquery() to execute requests.
https://web.archive.org/web/1/http://articles.techrepublic%2ecom%2ecom/5100-22_11-5259887.html
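The linked-server approach from this answer worked through as an added example (not from the answer or the linked article). It assumes SQL Server, a linked server named ADSI whose login mapping (sp_addlinkedsrvlogin) can read the directory, the domain example.com, a group ReportReaders, a table dbo.domain_objects with a creator column, and a report parameter @UserId bound to User!UserID.

```sql
-- Added example; names are assumed. One-time setup of the ADSI linked server.
EXEC sp_addlinkedserver @server = 'ADSI',
     @srvproduct = 'Active Directory Service Interfaces',
     @provider = 'ADSDSOObject', @datasrc = 'adsdatasource';

-- Dataset query. In the report @UserId comes from User!UserID; the constructed
-- value below only makes the script run stand-alone.
DECLARE @UserId NVARCHAR(256) = N'EXAMPLE\jsmith';
-- User!UserID is DOMAIN\user; AD's sAMAccountName has no domain prefix.
DECLARE @sam NVARCHAR(256) =
    RIGHT(@UserId, LEN(@UserId) - CHARINDEX('\', @UserId));

-- OPENQUERY takes only a literal, so the LDAP query is fixed and the user is
-- matched afterwards in T-SQL. memberOf matches direct members only (no
-- nested groups) and the provider returns at most its page size (1000).
SELECT CAST(sAMAccountName AS NVARCHAR(256)) AS sAMAccountName
INTO #members
FROM OPENQUERY(ADSI,
  'SELECT sAMAccountName FROM ''LDAP://DC=example,DC=com''
   WHERE objectCategory=''person''
     AND memberOf=''CN=ReportReaders,OU=Groups,DC=example,DC=com''');

-- Creator check from the existing query, plus the new group condition.
SELECT d.*
FROM dbo.domain_objects AS d
WHERE d.creator = @UserId
   OR EXISTS (SELECT 1 FROM #members AS m WHERE m.sAMAccountName = @sam);

DROP TABLE #members;
```

Because the membership list comes from the directory rather than from anything the report user supplies, the group condition cannot be influenced by the caller the way a self-reported identity could.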