| Privileges [message #438777] |
Tue, 12 January 2010 03:32  |
madhavamanohar
Messages: 58
Registered: February 2009
|
Member |
|
|
Hi All,
With out DBA privilege is it possible to change the password for the user?
If yes please let me know the procedure.
One application user(owner) need to change the password fro all other users,but I don't want to give DBA privilege fro that user.
Thanks
Manohar.
|
|
|
|
| Re: Privileges [message #438778 is a reply to message #438777] |
Tue, 12 January 2010 03:41  |
 |
ramoradba
Messages: 2457
Registered: January 2009
Location: AndhraPradesh,Hyderabad,I...
|
Senior Member |
|
|
The user should have "ALTER USER" SYSTEM PRIVILEGE directly.
SQL> conn raghav/raghav
Connected.
SQL> alter user scott identified by tejajun20;
alter user scott identified by tejajun20
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> conn system/tejajun20
Connected.
SQL> grant alter user to raghav;
Grant succeeded.
SQL> conn raghav/raghav
Connected.
SQL> alter user scott identified by tejajun20;
alter user scott identified by tejajun20
*
ERROR at line 1:
ORA-28007: the password cannot be reused
SQL> alter user scott identified by teja;
User altered.
SQL> sho user
USER is "RAGHAV"
SQL>
sriram 
[Updated on: Tue, 12 January 2010 03:42] Report message to a moderator |
|
|
|
|
|
| Re: Privileges [message #438788 is a reply to message #438777] |
Tue, 12 January 2010 04:25 |
 |
Michel Cadot
Messages: 68712
Registered: March 2007
Location: Saint-Maur, France, https...
|
Senior Member
Account Moderator |
|
|
Quote:One application user(owner) need to change the password fro all other users,but I don't want to give DBA privilege fro that user.
Do not give ALTER USER privilege to your user as he can change ALL passwords including SYS, SYSTEM and all DBAs one, and so allow to connect as a DBA afterwards.
Create a procedure in a DBA schema that executes the ALTER USER statement but previously checks the account it tries to change.
The grant the EXECUTE privilege on this procedure to your user.
Regards
Michel
[Updated on: Tue, 12 January 2010 04:27] Report message to a moderator |
|
|
|
| Re: Privileges [message #438793 is a reply to message #438788] |
Tue, 12 January 2010 05:06 |
madhavamanohar
Messages: 58
Registered: February 2009
|
Member |
|
|
Hi Michel,
Thanks for you reply..
How to create a procedure to for routine password change for every 60 days and can you please help me to resolve the following issue. please expalin the procedure to resolve the issue.
"Is it possible to create a routine (stored procedure) that change a users password in the Oracle database?
The routine shall be possible to call from the application TSIC IM where a page can be designed that posts the user id, old password and the new password to the routine. The routine must send back a reply if the change was successful or not."
Thanks
|
|
|
|
| Re: Privileges [message #438797 is a reply to message #438793] |
Tue, 12 January 2010 05:29 |
|
Michel Cadot
Messages: 68712
Registered: March 2007
Location: Saint-Maur, France, https...
|
Senior Member
Account Moderator |
|
|
Quote:"Is it possible to create a routine (stored procedure) that change a users password in the Oracle database?
Yes, it is possible and quite simple.
It could be something like:
create or replace procedure change_password (
p_username in varchar2,
p_password in varchar2
)
is
begin
-- Check parameters
if p_username is null or p_password is null
or length(p_username) > 30 or length(p_password) < 8 -- minimum password length
or upper(p_username) in ('SYS','SYSTEM') -- and so on, or check if username is in a list
then
raise_application_error (-20000, 'Wrong parameter');
end if;
execute immediate
'alter user '||dbms_assert.schema_name(p_username)||
' identified by "'||p_password||'"';
end;
/
Must be created as a DBA user that has ALTER USER privilege directly granted to him, and then grant the EXECUTE privilege on this procedure to your user.
Add all controls you need depending on your environnement and policy.
Regards
Michel
[Updated on: Tue, 12 January 2010 05:30] Report message to a moderator |
|
|
|
| Re: Privileges [message #438801 is a reply to message #438797] |
Tue, 12 January 2010 05:48 |
|
ramoradba
Messages: 2457
Registered: January 2009
Location: AndhraPradesh,Hyderabad,I...
|
Senior Member |
|
|
SQL> conn raghav/raghav
Connected.
SQL> create or replace procedure change_password (
2 p_username in varchar2,
3 p_password in varchar2
4 )
5 is
6 begin
7 -- Check parameters
8 if p_username is null or p_password is null
9 or length(p_username) > 30 or length(p_password) < 8 -- minimum password length
10 or upper(p_username) in ('SYS','SYSTEM') -- and so on, or check if username is in a list
11 then
12 raise_application_error (-20000, 'Wrong parameter');
13 end if;
14 execute immediate
15 'alter user '||dbms_assert.schema_name(p_username)||
16 ' identified by "'||p_password||'"';
17 end;
18 /
Procedure created.
SQL> conn system/bhanu
Connected.
SQL> create user ashish identified by bhanu account unlock;
User created.
SQL> grant create session to ashish;
Grant succeeded.
SQL> grant execute on change_password to ashish;
grant execute on change_password to ashish
*
ERROR at line 1:
ORA-04042: procedure, function, package, or package body does not exist
SQL> grant execute on raghav.change_password to ashish;
Grant succeeded.
SQL> sho user
USER is "SYSTEM"
SQL> conn ashish/bhnau
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
SQL> conn ashish/bhanu
Connected.
SQL> set serveroutput on
SQL> exec change_password('SCOTT','ASHISH');
BEGIN change_password('SCOTT','ASHISH'); END;
*
ERROR at line 1:
ORA-06550: line 1, column 7:
PLS-00201: identifier 'CHANGE_PASSWORD' must be declared
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored
SQL> exec raghav.change_password('SCOTT','ASHISH');
BEGIN raghav.change_password('SCOTT','ASHISH'); END;
*
ERROR at line 1:
ORA-20000: Wrong parameter
ORA-06512: at "RAGHAV.CHANGE_PASSWORD", line 12
ORA-06512: at line 1
SQL> exec raghav.change_password('SCOTT','oracleoca');
PL/SQL procedure successfully completed.
SQL> conn scott/oracleoca
Connected.
SQL> alter user system identified by oracleoca;
User altered.
SQL> conn system/oracleoca
Connected.
SQL>
So here My newly created user ahish has only limited no of privileges...As i granted him execute that procedure...so that he can change the password of another user which is having DBA privilege...so that again he can do the dba things which is also some security problem isn`t it?
Let me know If I am wrong..
sriram
|
|
|
|
| Re: Privileges [message #438803 is a reply to message #438801] |
Tue, 12 January 2010 05:54 |
|
Michel Cadot
Messages: 68712
Registered: March 2007
Location: Saint-Maur, France, https...
|
Senior Member
Account Moderator |
|
|
Quote:so that he can change the password of another user which is having DBA privilege...so that again he can do the dba things which is also some security problem isn`t it?
What about my remark:
Quote:-- and so on, or check if username is in a list
In the test you can exclude all users having DBA role, or anything you want to enforce the security. My procedure was just a prototype that anyone can enhance to fit his needs.
Please when you post something remove all that is NOT in your demonstration; the first error for instance should NOT be posted as it has nothing with your post, just show that you make errors and we don't care about that. Will you also post all your typos?
Regards
Michel
[Updated on: Tue, 12 January 2010 05:56] Report message to a moderator |
|
|
|
|
|
|
|
] 
Blog
Search
Help
Members
Register
Login
Home
