Re: Errors executing password change procedure

From: Tim Hall <tim_at_oracle-base.com>
Date: Thu, 29 Nov 2018 19:50:46 +0000
Message-ID: <CAP=5zEjtRge89BZr+XbyuR5V7Xk=92--Jhr4e5p1_XPK=Ynm8w_at_mail.gmail.com>


That sounds strangely familiar. Can you see my screen? :)

On Thu, Nov 29, 2018 at 3:52 PM <correo_at_fjandrade.com> wrote:
>
> Why don't you create a nice APEX app that sends emails with the new password autogenerated?
> You validate the info with a table inside the app.
>
> FJA
>
> -----Original Message-----
> From: oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> On Behalf Of Mladen Gogala
> Sent: Thursday, November 29, 2018 10:41 AM
> To: oracle-l_at_freelists.org
> Subject: Re: Errors executing password change procedure
>
>
> On 11/28/18 11:56 AM, Sandra Becker wrote:
> > Oracle Enterprise version 12.1.0.2
> >
> > We have a new requirement to allow users to change their passwords,
> > even if expired and/or account is locked. Per the requirements, I
> > have created the new user (not allowed DBA privs) that will connect
> > through a GUI and execute a password change procedure in another
> > schema that has the necessary privileges. This new user has been
> > granted execute privileges on the procedure. However, I'm getting an
> > "ORA-01031: insufficient privileges" error when I try to execute the
> > procedure as the new user.
>
> Hi Sandra!
>
> You can create the procedure belonging to the user SYSTEM and grant execute rights to your users. The default is a so-called "definer's rights" procedure, and that is what your security concerns are about. The "definer's rights procedure" can access any object that its owner can access. Personally, I would create the procedure to unlock/change password for users not containing the string 'SYS'. An alternative would be to create a role LUSER and only allow the operations if the username to process is a member of the role LUSER. If you create another user, call it ORAPHB, you can grant the execute privilege on the SYSTEM.CHANGE_LUSER_PASSWORD procedure and that would be it. The procedure can access anything that the user SYSTEM can access.
>
> Regards
>
>
> --
> Mladen Gogala
> Database Consultant
> Tel: (347) 321-1217
>
> --
> http://www.freelists.org/webpage/oracle-l

Received on Thu Nov 29 2018 - 20:50:46 CET
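
The definer's-rights procedure described in Mladen Gogala's quoted message, as an added example that is not code from the thread or from any of its posters. It applies both of the restrictions he suggests, takes the names SYSTEM.CHANGE_LUSER_PASSWORD, LUSER and ORAPHB from the message, and assumes the owner holds ALTER USER and SELECT on DBA_ROLE_PRIVS by direct grant, because privileges received only through a role are not active inside a definer's-rights procedure.

```sql
-- Added example. Assumed one-time setup, run by a DBA:
--   CREATE ROLE luser;
--   GRANT ALTER USER TO system;                    -- direct grant, not via a role
--   GRANT SELECT ON sys.dba_role_privs TO system;  -- direct grant, not via a role
CREATE OR REPLACE PROCEDURE system.change_luser_password (
  p_username     IN VARCHAR2,
  p_new_password IN VARCHAR2
) AUTHID DEFINER
AS
  l_user  VARCHAR2(128) := UPPER(TRIM(p_username));  -- assumes unquoted, upper-case usernames
  l_count PLS_INTEGER;
BEGIN
  -- Restriction 1 from the message: never touch an account whose name contains 'SYS'.
  IF l_user IS NULL OR INSTR(l_user, 'SYS') > 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password change not permitted');
  END IF;

  -- Restriction 2 from the message: the target must hold the LUSER role.
  -- The name is passed as a bind variable, so it cannot alter this query.
  SELECT COUNT(*) INTO l_count
    FROM sys.dba_role_privs
   WHERE grantee = l_user
     AND granted_role = 'LUSER';

  IF l_count = 0 THEN
    -- Same message as above so callers cannot probe which accounts exist.
    RAISE_APPLICATION_ERROR(-20001, 'Password change not permitted');
  END IF;

  -- DDL cannot take bind variables, so the password is concatenated inside
  -- double quotes. A double quote in the value would end the quoted string
  -- early and let the caller append SQL, so it is rejected outright.
  IF p_new_password IS NULL OR INSTR(p_new_password, '"') > 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password contains a character that is not allowed');
  END IF;

  EXECUTE IMMEDIATE
       'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(l_user, FALSE)
    || ' IDENTIFIED BY "' || p_new_password || '" ACCOUNT UNLOCK';
END change_luser_password;
/

-- The low-privileged account used by the GUI only needs EXECUTE.
GRANT EXECUTE ON system.change_luser_password TO oraphb;
```

The procedure as written does not verify who is asking for the change; any session connected as ORAPHB can reset any LUSER member, so the calling application has to authenticate the requester first.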