Thursday, December 04, 2008

Limiting User Commands, Roles & Sessions!! One Session / User.

There are a number of options available for limiting user access to the database. You can grant/restrict access of a specific user based on IP address as discussed in the article Tricky Oracle Access by IP Address!! However sometimes we need to limit user access instead of restricting it completely. In this article we will discuss some great tips that will help you limit your user access to the database.

Oracle PRODUCT_PROFILE Table:

Oracle PRODUCT_PROFILE table can be used for restricting a user or group of users from running a specific command. You can use it to disable roles and report the current restrictions in the profile table. If PRODUCT_PROFILE does not exist, then you can create it by running the PUBBLD.SQL script.

Limiting User from running Specific Commands:

Consider a scenario where you own a large database of some hundred tables and you do not want Schema Owner to run the DELETE command on any of the tables. One solution is to use the GRANT / REVOKE commands. However the simple solution is to insert a row in the PRODUCT_PROFILE table. Below command will restrict user SCOTT from running DELETE command on any table.

INSERT INTO PRODUCT_PROFILE (product, userid, attribute, char_value) VALUES('SQL*Plus','SCOTT','DELETE','DISABLED');

You can re-enable the command by simply deleting that row from the PRODUCT_PROFILE table.

DELETE FROM PRODUCT_PROFILE WHERE (product='SQLPlus' AND userid='SCOTT' AND attribute=' DELETE ' AND char_value=' DISABLED')

Note that you must be logged on as SYSTEM in order to delete any row from the PRODUCT_PROFILE table.

Limiting User Roles:

Sometimes it happens that we want to assign some specific role to user for the purpose of running application but we don't want user to have that role while running ad-hoc commands from SQLPlus. However you can achieve this goal by inserting below row into the PRODUCT_PROFILE table.

INSERT INTO PRODUCT_PROFILE (product, userid, attribute, char_value) VALUES ('SQLPlus','SCOTT','ROLES','PAYROLL_ADMINISTRATOR');

You can re-enable the command by simply deleting that row from the PRODUCT_PROFILE table.

DELETE FROM PRODUCT_PROFILE WHERE (product='SQLPlus' AND userid='SCOTT' AND command='ROLES' AND char_value='PAYROLL_ADMINISTRATOR')

Assigning only one Oracle session to User:

Sometimes our requirement is to allow only one session to each user in the database. One cumbersome solution to this table is to run a batch job that analyzes V$SESSION table and kills sessions of those users who have more than 1 session. Another approach is to create a LOGIN table and insert a row into it whenever user logs in and remove the row with log out. However this approach has lots of problems especially when a row does not gets removed due to application crash. A simple solution to this problem is described below whereby any user with the ONE_SESSION profile can log on only once.

SQL> CREATE PROFILE ONE_SESSION LIMIT SESSIONS_PER_USER 1;
PROFILE CREATED.

SQL> ALTER USER SCOTT PROFILE ONE_SESSION;
USER ALTERED.

SQL> ALTER SYSTEM SET RESOURCE_LIMIT=TRUE;
SYSTEM ALTERED. Read Again!!

Best regards,

Abdoul Rahaman

IT Consultant

Globe Marine Services Co

Jeddah

Mobile:966-507654847

Tricky Oracle Access by IP Address!!

Sometimes it happens that we want to grant access to our Oracle database filtered by IP address. A typical scenario can be where you want to allow a number of IP addresses to connect to your database or ban a number of IP addresses from log in to your database. In this article we will discuss the secrets of restricting access to your database through a list of IP addresses.

Oracle enables you to restrict database access based on IP address by modifying the SQLNET.ORA file. The SQLNET.ORA file is Oracle configuration file that typically resides $ORACLE_HOME/NETWORK/ADMIN directory on UNIX systems and ORACLE_HOME\network\admin directory on Windows systems. If SQLNET.ORA file is not found there then you will have to see if you have a TNS_ADMIN environment variable pointing to a different directory because SQLNET.ORA file can also be stored in the directory specified by the TNS_ADMIN environment variable.

Below steps can be used to authorize users from accessing Oracle database based on their IP Address.

1. Turn On Hostname/IP Checking for Listeners:

Open SQLNET.ORA file in a text editor and add below line

tcp.validnode_checking = yes

2. Supply lists of nodes to be Allowed/Denied:

Now you will have to use tcp.invited_nodes and tcp.excluded_nodes to supply a list of nodes that you want to allow or deny for getting access to your database. Make sure that you always enter localhost as an invited node. Also you must ensure that all node addresses come in one line and no wildcards are used. Remember the list of included nodes have higher precedence over the list of excluded nodes.

tcp.invited_nodes = (localhost,hostname1,hostname2)
tcp.excluded_nodes = (hostname1,hostname2)

One thing that you should keep in mind is that if you are only using the tcp.invited_nodes then only those specific nodes will be allowed to access your database and all other IP addresses will be denied from accessing your database.

Similarly if you are only using tcp.excluded_nodes then only those specific nodes will be denied from getting access your database and all other IP addresses will be allowed to access your database.

3. Restart Listeners:

Finally you will need to restart your listeners by running below commands.

$LSNRCTL STOP
$LSNRCTL START

SQLNET.ORA for Allowed IP Addresses:

Suppose you want to allow users from IP addresses 70.127.349.101 and 70.127.349.160 only to access your database. In such scenario your SQLNET.ORA file will look like

tcp.validnode_checking = yes
tcp.invited_nodes = (localhost,70.127.349.101,70.127.349.160)

SQLNET.ORA for Banned IP Addresses:

Suppose you want to ban users from IP addresses 70.127.349.216, 192.176.420.301 and 70.127.349.191 from getting access to your database. In such scenario your SQLNET.ORA file will look like

tcp.validnode_checking = yes
tcp.excluded_nodes = (70.127.349.216, 192.176.420.301, 70.127.349.191)