Re: Errors executing password change procedure

From: Sandra Becker <sbecker6925_at_gmail.com>
Date: Thu, 3 Jan 2019 13:13:09 -0700
Message-ID: <CAJzM94AmKdcObvaBuCqpU_zHGxqANpFxKVWseBsUO-vVpvBJ=A_at_mail.gmail.com>



Got sidetracked with critical production issues. I suggested an Apex app at one time, but it was shot down as "not approved for this environment". Personally, I think Apex is a fantastic tool, having used it extensively at a previous employer.

On Thu, Nov 29, 2018 at 8:53 AM <correo_at_fjandrade.com> wrote:

> Why don't you create a nice APEX app that sends emails with the new password
> autogenerated?
> You validate the info with a table inside the app.
>
> FJA
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> On
> Behalf Of Mladen Gogala
> Sent: Thursday, November 29, 2018 10:41 AM
> To: oracle-l_at_freelists.org
> Subject: Re: Errors executing password change procedure
>
>
> On 11/28/18 11:56 AM, Sandra Becker wrote:
> > Oracle Enterprise version 12.1.0.2
> >
> > We have a new requirement to allow users to change their passwords,
> > even if expired and/or account is locked. Per the requirements, I
> > have created the new user (not allowed DBA privs) that will connect
> > through a GUI and execute a password change procedure in another
> > schema that has the necessary privileges. This new user has been
> > granted execute privileges on the procedure. However, I'm getting an
> > "ORA-01031: insufficient privileges" error when I try to execute the
> > procedure as the new user.
>
> Hi Sandra!
>
> You can create the procedure belonging to the user SYSTEM and grant
> execute rights to your users. The default is a so-called "definer's rights"
> procedure, and that is what your security concerns are about. The
> "definer's rights procedure" can access any object that its owner can
> access. Personally, I would create the procedure to unlock/change password
> for users not containing the string 'SYS'. An alternative would be to
> create a role LUSER and only allow the operations if the username to
> process is a member of the role LUSER. If you create another user, call it
> ORAPHB, you can grant the execute privilege on the
> SYSTEM.CHANGE_LUSER_PASSWORD procedure and that would be it. The procedure
> can access anything that the user SYSTEM can access.
>
> Regards
>
>
> --
> Mladen Gogala
> Database Consultant
> Tel: (347) 321-1217
>
> --
> http://www.freelists.org/webpage/oracle-l

-- 
Sandy B.

Received on Thu Jan 03 2019 - 21:13:09 CET
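
Added example (not part of the thread and not code from any poster): a sketch of the definer's rights procedure Mladen Gogala describes, combining the two guards he mentions (the 'SYS' exclusion and LUSER role membership). It assumes the ORAPHB user already exists, that the script is run as SYS, and that the direct grants to SYSTEM are needed, since privileges held only through a role are not active inside a definer's rights procedure.

```sql
-- Added example; names LUSER, ORAPHB and CHANGE_LUSER_PASSWORD come from the thread,
-- everything else (parameters, error codes, grants) is an assumption.
-- Direct grants: role-based privileges (e.g. via DBA) are disabled in the procedure.
GRANT ALTER USER TO system;
GRANT SELECT ON sys.dba_role_privs TO system;

CREATE ROLE luser;

CREATE OR REPLACE PROCEDURE system.change_luser_password (
    p_username     IN VARCHAR2,
    p_new_password IN VARCHAR2
) AUTHID DEFINER
AS
    l_user  VARCHAR2(128);
    l_count PLS_INTEGER;
BEGIN
    -- Reject anything that is not a valid identifier before it reaches dynamic SQL.
    l_user := DBMS_ASSERT.SIMPLE_SQL_NAME(UPPER(TRIM(p_username)));

    -- First guard from the thread: never touch accounts containing 'SYS'.
    IF INSTR(l_user, 'SYS') > 0 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Account not eligible');
    END IF;

    -- Second guard from the thread: the target must hold the LUSER role.
    SELECT COUNT(*) INTO l_count
      FROM sys.dba_role_privs
     WHERE grantee = l_user AND granted_role = 'LUSER';
    IF l_count = 0 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Account not eligible');
    END IF;

    -- A password cannot be a bind variable in DDL, so it is quoted here and
    -- embedded double quotes are refused to keep it inside the quoted value.
    IF p_new_password IS NULL OR INSTR(p_new_password, '"') > 0 THEN
        RAISE_APPLICATION_ERROR(-20002, 'Password contains a disallowed character');
    END IF;

    EXECUTE IMMEDIATE 'ALTER USER ' || l_user
        || ' IDENTIFIED BY "' || p_new_password || '" ACCOUNT UNLOCK';
END change_luser_password;
/

-- The low-privilege GUI account gets EXECUTE only, no ALTER USER of its own.
GRANT EXECUTE ON system.change_luser_password TO oraphb;
```

The procedure does not verify who is asking: any session connected as ORAPHB can reset any LUSER member, so the GUI in front of it has to authenticate the requester before calling it.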