Oracle Proxy User Configurations

Oracle proxy user authentication allows a schema to be accessed through a different username/password combination. It is configured with ALTER USER ... GRANT CONNECT THROUGH on the destination (client) user.

A proxy user is a user who can open a session as another user without that user's password. In this example, user "TESTUSER" needs to connect as user "APPDBA" without knowing APPDBA's password. Because TESTUSER's credentials then carry APPDBA's privileges, the proxy account has to be protected as carefully as the target account, and the proxied session should be restricted to the roles it actually needs (see the WITH ROLE step below).

  • Create the destination user with the appropriate role(s).
SQL> create user appdba identified by Password;
User created.

SQL> grant connect,resource,dba to appdba;
Grant succeeded.
  • Create the proxy user account.
SQL> create user testuser identified by PasswordProxy;
User created.
  • Alter the destination user (APPDBA) to allow connections through the proxy user (TESTUSER).
SQL> alter user appdba grant connect through testuser;
User altered.
  • Test the connection for the proxy user. The session runs as APPDBA, and DBA_USERS is readable because APPDBA's DBA role is active in the proxied session.
SQL> connect testuser[appdba]/PasswordProxy
Connected.
SQL> show user
USER is "APPDBA"

SQL> select count(*) from dba_users;

 COUNT(*)
----------
 31


SQL> select * from proxy_users;

PROXY      CLIENT       AUT FLAGS
---------- ------------ --- -----------------------------------
TESTUSER   APPDBA       NO  PROXY MAY ACTIVATE ALL CLIENT ROLES


SQL> select sys_context('userenv','session_user') session_user,
            sys_context('userenv','session_schema') session_schema,
            sys_context('userenv','current_schema') current_schema,
            sys_context('userenv','proxy_user') proxy_user
    from dual;

SESSION_USER    SESSION_SCHEMA   CURRENT_SCHEMA PROXY_USER
--------------- --------------- --------------- ---------------
APPDBA          APPDBA          APPDBA          TESTUSER


SQL> select USERNAME,ACTION_NAME,COMMENT_TEXT,PROXY_SESSIONID 
       from dba_audit_trail 
       where PROXY_SESSIONID is not null;

USERNAME ACTION_NAM COMMENT_TEXT               PROXY_SESSIONID
-------- ---------- -------------------------- ---------------
APPDBA   LOGON      Authenticated by: PROXY;    222208723
                    EXTERNAL NAME: oracle      


SQL> select USERNAME,ACTION_NAME,COMMENT_TEXT ,PROXY_SESSIONID 
     from dba_audit_trail 
     where SESSIONID=222208723;

USERNAME  ACTION_NAME               COMMENT_TEXT     PROXY_SESSIONID
--------  ------------------------  ---------------- ---------------
TESTUSER  PROXY AUTHENTICATION ONLY Authenticated by: 
                                    DATABASE

  • If you do not want the proxy user (TESTUSER) to get all of APPDBA's privileges, restrict the proxied session to specific roles with the WITH ROLE clause (here CONNECT and RESOURCE). Note that this is still an ALTER USER on the destination user APPDBA, not on TESTUSER. With the DBA role no longer activated, DBA_USERS is not accessible through TESTUSER.
SQL> alter user appdba grant connect through testuser with role connect, resource;

User altered.

SQL> connect testuser[appdba]/PasswordProxy
Connected.

SQL> select count(*) from dba_users;
select count(*) from dba_users
 *
ERROR at line 1:
ORA-00942: table or view does not exist
  • The proxy authentication can be revoked with the following command.
SQL> ALTER USER appdba REVOKE CONNECT THROUGH testuser;
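The whole procedure with the role restriction applied from the start, followed by two queries a reviewer would run afterwards: an inventory of every proxy path together with the roles the client account holds, and a detection query over the audit trail for proxy logons into DBA-holding accounts. This is an added example, not code from the original page. The user names and passwords are the page's illustrative ones, and the detection query assumes AUDIT SESSION is enabled so that LOGON and PROXY AUTHENTICATION ONLY records exist in DBA_AUDIT_TRAIL, as they do in the output above.

```sql
-- Added example, not part of the original page. APPDBA/TESTUSER and the
-- passwords are the page's illustrative values; AUDIT SESSION is assumed
-- to be enabled for the last query.

-- Destination user: owns the schema and holds the powerful role.
create user appdba identified by "Password";
grant connect, resource, dba to appdba;

-- Proxy user: no privileges of its own and no CREATE SESSION, so the
-- account cannot log in directly; it is usable only through the proxy path.
create user testuser identified by "PasswordProxy";

-- Restrict the proxied session to CONNECT and RESOURCE. The DBA role stays
-- dormant even though APPDBA holds it, which is why DBA_USERS is not visible
-- from testuser[appdba].
alter user appdba grant connect through testuser with role connect, resource;

-- Inventory: every proxy path and the roles the client account holds, so a
-- path into a DBA-holding account without a WITH ROLE restriction stands out.
select p.proxy, p.client, p.authentication, p.flags,
       listagg(r.granted_role, ',') within group (order by r.granted_role) as client_roles
  from proxy_users p
  left join dba_role_privs r on r.grantee = p.client
 group by p.proxy, p.client, p.authentication, p.flags
 order by p.client, p.proxy;

-- Detection: proxy logons into accounts holding DBA, joined to the
-- PROXY AUTHENTICATION ONLY record of the proxy session that opened them
-- (the PROXY_SESSIONID of the LOGON row is the SESSIONID of that record).
select a.timestamp, a.username as client, p.username as proxy_user,
       a.os_username, a.userhost, a.comment_text
  from dba_audit_trail a
  join dba_audit_trail p
    on p.sessionid = a.proxy_sessionid
   and p.action_name = 'PROXY AUTHENTICATION ONLY'
 where a.action_name = 'LOGON'
   and a.proxy_sessionid is not null
   and a.username in (select grantee from dba_role_privs where granted_role = 'DBA')
 order by a.timestamp desc;

-- Cleanup when the proxy path is no longer needed.
-- alter user appdba revoke connect through testuser;
```

Leaving CREATE SESSION off the proxy account is deliberate: it turns TESTUSER into a credential that is only good for the proxy path, so a leaked password cannot be used to open an ordinary session as TESTUSER, and every use of it shows up in the audit trail as a proxied logon to APPDBA.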

Change ASM Instance SYS ASMSNMP User Password

Change the ASM instance SYS and ASMSNMP user passwords with the ASMCMD command "passwd". If the ASM password file is stored in an ASM disk group (and therefore shared across the cluster), SQL "ALTER USER" can still be used to change an ASM user's password, provided the session holds the SYSASM privilege.

Here is how to change the ASM instance SYS and ASMSNMP user passwords in 12c.

$ asmcmd
ASMCMD> pwget --asm
+OCR_VOTE/orapwASM

ASMCMD> cd +OCR_VOTE
ASMCMD> ls -l orapwASM
Type     Redund Striped Time           Sys Name
PASSWORD UNPROT COARSE  AUG 08 17:00:00 N  orapwASM => +OCR_VOTE/ASM/PASSWORD/pwdasm.256.919359249

ASMCMD> cd +OCR_VOTE/ASM/PASSWORD
ASMCMD> ls -l
Type     Redund Striped Time            Sys Name
PASSWORD UNPROT COARSE  AUG 08 17:00:00 Y   pwdasm.256.919359249
ASMCMD>

To see users in password file:

ASMCMD> lspwusr
Username sysdba sysoper sysasm
 SYS     TRUE   TRUE    TRUE
 ASMSNMP TRUE   FALSE   FALSE

ASMCMD> lspwusr --suppressheader
 SYS     TRUE TRUE  TRUE
 ASMSNMP TRUE FALSE FALSE
ASMCMD>

Change user password:

ASMCMD> passwd
usage: passwd <user>
help: help passwd
ASMCMD> help passwd
passwd
 Changes the password of a user.

Synopsis
 passwd <user>

Description
 The option for the passwd command is described below.

user - Name of the user.

An error is raised if the user does not exist in the Oracle ASM
 password file. The user is first prompted for the current password,
 then the new password. The command requires the SYSASM privilege to run

Examples
 This example changes the password of the oracle2 user.

ASMCMD [+] > passwd oracle2
 Enter old password (optional):
 Enter new password: ******


ASMCMD> passwd sys
Enter old password (optional):
Enter new password: *********
ASMCMD>

We can still use "alter user" to change the SYS and ASMSNMP passwords. The first attempt below fails with ORA-01031 because the session does not hold the SYSASM privilege; after reconnecting AS SYSASM it succeeds:

SQL> alter user sys identified by "XXXXXXXX";
alter user sys identified by "XXXXXXXX"
 *
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> connect / as sysasm
Connected.
SQL> alter user sys identified by "XXXXXXXX";

User altered.

ORA-00959 tablespace does not exist by revoking user quota on a dropped tablespace

Is it a bug? The tablespace has been dropped, but its quota information still exists in the data dictionary.

A user has quotas on two tablespaces and one of them needs to be dropped. After the tablespace is dropped, the quota on it can no longer be revoked from the user: ALTER USER ... QUOTA 0 fails with ORA-00959 because the tablespace no longer exists.

To fix this, create a dummy tablespace with the same name, revoke the user's quota on it, and finally drop the dummy tablespace again.

Here are the steps that show the issue and, most importantly, how to fix it.

1) User has quotas on two tablespaces.

SQL> select tablespace_name,username,max_bytes,dropped 
from dba_ts_quotas
where username='TESTUSER';

TABLESPACE_NAME  USERNAME   MAX_BYTES  DRO
---------------- ---------- ---------- ---
USERS_OLD        TESTUSER   -1         NO
USERS            TESTUSER   -1         NO

2) Drop tablespace “USERS_OLD”.

SQL> drop tablespace USERS_OLD including contents and datafiles;
Tablespace dropped.

3) Quota on tablespace still exists.

SQL> select tablespace_name,username,max_bytes,dropped 
from dba_ts_quotas
where username='TESTUSER';

TABLESPACE_NAME  USERNAME   MAX_BYTES  DRO
---------------- ---------- ---------- ---
USERS_OLD        TESTUSER   -1         YES
USERS            TESTUSER   -1         NO

4) Revoke the quota on tablespace "USERS_OLD".

SQL> alter user TESTUSER quota 0 on USERS_OLD;
alter user TESTUSER quota 0 on USERS_OLD
*
ERROR at line 1:
ORA-00959: tablespace 'USERS_OLD' does not exist

5) Create a dummy tablespace with the same name.

SQL> create tablespace USERS_OLD datafile '+dg1' size 10m;
Tablespace created.

6) Revoke quota on tablespace USERS_OLD.

SQL> alter user TESTUSER quota 0 on USERS_OLD;
User altered.

7) Confirm that the quota on tablespace "USERS_OLD" has been revoked.

SQL> select tablespace_name,username,max_bytes,dropped 
from dba_ts_quotas
where username='TESTUSER';

TABLESPACE_NAME  USERNAME   MAX_BYTES  DROPPED
---------------- ---------- ---------- -------
USERS            TESTUSER   -1         NO

8) Drop the dummy tablespace. 

SQL> drop tablespace USERS_OLD including contents and datafiles;
Tablespace dropped.
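The same workaround generalized to every user and every dropped tablespace that still has quota rows, as an added example that is not from the original page. It snapshots the affected usernames before re-creating the tablespace, because once a tablespace of that name exists again the DROPPED flag in DBA_TS_QUOTAS can no longer be relied on to find them. The disk group '+dg1' is the one the page uses; adjust the DATAFILE clause for your storage.

```sql
-- Added example (not from the original page): apply the re-create / revoke /
-- drop workaround to every orphaned quota in the database.
-- '+dg1' is the disk group from the page; change it to match your storage.
set serveroutput on
declare
  type t_names is table of varchar2(128);
  l_tablespaces t_names;
  l_users       t_names;
begin
  -- Snapshot the dropped tablespaces that still carry quota rows.
  select distinct tablespace_name
    bulk collect into l_tablespaces
    from dba_ts_quotas
   where dropped = 'YES';

  for i in 1 .. l_tablespaces.count loop
    -- Snapshot the affected users first: after the dummy tablespace exists,
    -- DROPPED may no longer be 'YES' for these rows.
    select username
      bulk collect into l_users
      from dba_ts_quotas
     where tablespace_name = l_tablespaces(i)
       and dropped = 'YES';

    -- Re-create a throwaway tablespace with the original name so that
    -- ALTER USER ... QUOTA 0 resolves it instead of raising ORA-00959.
    execute immediate 'create tablespace "' || l_tablespaces(i) ||
                      '" datafile ''+dg1'' size 10m';

    for j in 1 .. l_users.count loop
      execute immediate 'alter user "' || l_users(j) ||
                        '" quota 0 on "' || l_tablespaces(i) || '"';
      dbms_output.put_line('revoked quota of ' || l_users(j) ||
                           ' on ' || l_tablespaces(i));
    end loop;

    -- Remove the throwaway tablespace again.
    execute immediate 'drop tablespace "' || l_tablespaces(i) ||
                      '" including contents and datafiles';
  end loop;
end;
/

-- Verify: no quota row should reference a dropped tablespace any more.
select tablespace_name, username, max_bytes, dropped
  from dba_ts_quotas
 where dropped = 'YES';
```

Run this as a user with DBA privileges; an empty result from the final query confirms that every stale quota row is gone. A quota that lingers on a dropped tablespace is harmless for storage, but it silently re-attaches if a tablespace of the same name is ever created again, which is exactly what the cleanup above prevents.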