{"id":1330,"date":"2022-08-08T11:06:00","date_gmt":"2022-08-08T09:06:00","guid":{"rendered":"https:\/\/promatis.com\/ch\/creating-a-read-only-apps-user\/"},"modified":"2023-03-28T12:21:06","modified_gmt":"2023-03-28T10:21:06","slug":"creating-a-read-only-apps-user","status":"publish","type":"post","link":"https:\/\/promatis-test.de\/ch\/en\/creating-a-read-only-apps-user\/","title":{"rendered":"Creating a Read-Only APPS User"},"content":{"rendered":"<p>[et_pb_section fb_built=\"1\" admin_label=\"Sektion\" _builder_version=\"4.17.6\" _module_preset=\"default\" custom_padding=\"5vh||5vh||true|false\" global_module=\"23\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_row column_structure=\"1_4,3_4\" _builder_version=\"4.17.6\" _module_preset=\"default\" custom_margin=\"||0px||false|false\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_column type=\"1_4\" _builder_version=\"4.17.6\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_image src=\"\/.\/wp-content\/uploads\/2022\/06\/Michler-Johannes-2.png?_t=1658731838\" alt=\"Johannes Michler PROMATIS Horus Oracle\" _builder_version=\"4.17.6\" _module_preset=\"default\" width=\"90%\" custom_margin=\"0vh||0vh||true|false\" border_radii=\"on|516px|516px|516px|516px\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][\/et_pb_image][\/et_pb_column][et_pb_column type=\"3_4\" _builder_version=\"4.17.6\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_text _builder_version=\"4.17.6\" _module_preset=\"default\" link_font=\"Open Sans||||on|||RGBA(255,255,255,0)|\" link_text_color=\"gcid-0becd5ff-19fc-4653-a221-c8c75771a987\" link_font_size=\"22px\" custom_margin=\"2vh||0px||false|false\" global_colors_info=\"{%22gcid-32812186-bc94-4de4-814c-2bf202477fd5%22:%91%22header_text_color%22,%22header_2_text_color%22,%22header_3_text_color%22,%22header_4_text_color%22,%22header_5_text_color%22,%22header_6_text_color%22,%22header_text_color%22,%22header_2_text_color%22,%22header_3_text_color%22,%22header_4_text_color%22,%22header_5_text_color%22,%22header_6_text_color%22%93,%22gcid-0becd5ff-19fc-4653-a221-c8c75771a987%22:%91%22link_text_color%22%93}\" theme_builder_area=\"post_content\"]<\/p>\n<div><span itemprop=\"name\"><a href=\"\/.\/en\/author\/jmichler\/\" rel=\"author\" itemprop=\"url\">Johannes Michler<\/a><\/span><\/div>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.17.6\" _module_preset=\"default\" custom_margin=\"1vh||0px||false|false\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"]<\/p>\n<p><img decoding=\"async\" src=\"\/.\/wp-content\/uploads\/2023\/02\/ACE-Director-Logo_175x51.jpg\" \/><br \/><strong>Senior Vice President<\/strong> \u2013\u00a0Head of Platforms\u00a0&\u00a0Development<\/p>\n<p>[\/et_pb_text][et_pb_text _builder_version=\"4.17.6\" _module_preset=\"default\" text_text_color=\"gcid-0becd5ff-19fc-4653-a221-c8c75771a987\" text_font_size=\"22px\" custom_margin=\"5px||0px||false|false\" global_colors_info=\"{%22gcid-32812186-bc94-4de4-814c-2bf202477fd5%22:%91%22header_text_color%22,%22header_2_text_color%22,%22header_3_text_color%22,%22header_4_text_color%22,%22header_5_text_color%22,%22header_6_text_color%22,%22header_text_color%22,%22header_2_text_color%22,%22header_3_text_color%22,%22header_4_text_color%22,%22header_5_text_color%22,%22header_6_text_color%22%93,%22gcid-0becd5ff-19fc-4653-a221-c8c75771a987%22:%91%22text_text_color%22%93}\" theme_builder_area=\"post_content\"]<a target=\"_blank\" href=\"https:\/\/www.linkedin.com\/in\/johannes-michler-099892ab?originalSubdomain=de\" rel=\"noopener\"><i class=\"fab fa-linkedin\"><\/i><\/a><a target=\"_blank\" href=\"https:\/\/www.xing.com\/profile\/Johannes_Michler3\" rel=\"noopener\"><i class=\"fab fa-xing-square\"><\/i><\/a><a target=\"_blank\" href=\"mailto:johannes.michler@promatis.de\" rel=\"noopener\"><i class=\"fas fa-envelope\"><\/i><\/a>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section][et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" custom_padding=\"0vh||10vh||false|false\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_row use_custom_gutter=\"on\" _builder_version=\"4.17.3\" _module_preset=\"default\" custom_padding=\"0px||0px||true|false\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\" theme_builder_area=\"post_content\"][et_pb_text _builder_version=\"4.19.4\" _module_preset=\"default\" background_enable_color=\"off\" custom_padding=\"0px||0px||true|false\" hover_enabled=\"0\" inline_fonts=\"Times New Roman\" global_colors_info=\"{%22gcid-32812186-bc94-4de4-814c-2bf202477fd5%22:%91%22header_text_color%22,%22header_2_text_color%22,%22header_3_text_color%22%93,%22gcid-0becd5ff-19fc-4653-a221-c8c75771a987%22:%91%22background_color%22%93}\" theme_builder_area=\"post_content\" sticky_enabled=\"0\"]<\/p>\n<p>In Oracle E-Business Suite environments it is often necessary to query data. Typically, all data can be accessed through the APPS user. However, that user is highly privileged and, when in use, can easily \u201cbreak things\u201d. This is obviously a big compliance issue. Having a dedicated read-only user is thus a much better approach. Let\u2019s see how such a \u201cXXREAD\u201d-user can be created.<\/p>\n<h3>Preparation<\/h3>\n<p>In order for the APPS user to be able to grant access to objects the user doesn\u2019t actually own (e.g. tables in XX schemes), the APPS user needs to have privileges on those objects \u201cincluding grant option\u201d. This can be achieved with a script such as the following one, which should be run whenever new custom objects are created (as the XX scheme user):<\/p>\n<div style=\"font-family: courier;\">set echo off;<br \/>set verify off;<br \/>BEGIN<br \/>FOR r IN (<br \/>SELECT<br \/>\u2018grant all on \u2018<br \/>|| object_name<br \/>|| \u2018 to apps with grant option\u2019 statement_to_run<br \/>FROM<br \/>user_objects dbos<br \/>WHERE<br \/>(object_type IN ( \u2018SEQUENCE\u2019, \u2018TABLE\u2019 )<br \/>or object_type=\u2019VIEW\u2019 and object_name like \u2018%#\u2019)<br \/>AND NOT EXISTS (<br \/>SELECT<br \/>1<br \/>FROM<br \/>user_tab_privs privs<br \/>WHERE<br \/>privs.table_name = dbos.object_name<br \/>AND privs.type = dbos.object_type<br \/>AND privs.grantable = \u2018YES\u2019<br \/>AND privs.owner = user<br \/>)<br \/>order by object_type asc<br \/>) LOOP<br \/>EXECUTE IMMEDIATE r.statement_to_run;<br \/>END LOOP;<br \/>END;<br \/>\/<\/div>\n<p>&nbsp;<\/p>\n<h3>Creating a user and granting privileges<\/h3>\n<p>First, create a XXREAD user and produce a script to grant privs:<\/p>\n<div style=\"font-family: courier;\">\n<p>. setenv_run.sh<br \/>sqlplus -s system\/<system-pwd><br \/>create user XXREAD identified by MyAppsReadPwd;<br \/>grant create session to XXREAD;<br \/>grant alter session to XXREAD;<br \/>SET echo off<br \/>SET feedback off<br \/>SET term off<br \/>SET pagesize 0<br \/>SET linesize 200<br \/>SET newpage 0<br \/>SET space 0<\/system-pwd><\/p>\n<p>spool grant_privs.sql<br \/>select \u2018exec AD_ZD.GRANT_PRIVS(\u201dREAD\u201d,\u201d\u2019||VIEW_NAME || \u201d\u2019, \u201dXXREAD\u201d);\u2019 from all_views where OWNER =\u2019APPS\u2019 and view_NAME not like \u2018%\/%\u2019;<br \/>select \u2018exec AD_ZD.GRANT_PRIVS(\u201dREAD\u201d,\u201d\u2019||table_NAME || \u201d\u2019, \u201dXXREAD\u201d);\u2019 from all_tables where OWNER =\u2019APPS\u2019 and table_NAME not like \u2018%\/%\u2019;<br \/>select \u2018exec AD_ZD.GRANT_PRIVS(\u201dREAD\u201d,\u201d\u2019||SYNONYM_NAME || \u201d\u2019, \u201dXXREAD\u201d);\u2019 from all_synonyms syns, all_objects objs where<br \/>syns.OWNER =\u2019APPS\u2019 and syns.SYNONYM_NAME not like \u2018%\/%\u2019<br \/>and syns.table_owner=objs.owner and syns.table_name=objs.object_name<br \/>and objs.object_type in (\u2018TABLE\u2019,\u2019VIEW\u2019);<br \/>spool off<br \/>exit<\/p>\n<\/div>\n<p>Then, run the spooled script and register the XXREAD user:<\/p>\n<div style=\"font-family: courier;\">sqlplus apps\/<appspwd> @grant_privs.sql<\/appspwd><br \/>sqlplus apps\/<appspwd> @$AD_TOP\/patch\/115\/sql\/ADZDREG.sql apps <appspwd> XXREAD<\/appspwd><\/appspwd>sqlplus apps\/<appspwd> @\/u01\/install\/APPS\/fs1\/EBSapps\/appl\/ad\/12.0.0\/sql\/adutlrcmp.sql<\/appspwd><\/div>\n<p>&nbsp;<\/p>\n<h3>First tests and logon trigger<\/h3>\n<p>After having initially created the user, sign in as XXREAD and do some initial testing by accessing apps.* tables.<br \/>Unfortunately, so far, it is still necessary to do all selects with an \u201capps.\u201d prefix. This can be solved with two approaches:<\/p>\n<ul>\n<li>Create a synonym in XXREAD for each APPS object.<\/li>\n<li>Create a logon trigger that changes the CURRENT_SCHEMA.<\/li>\n<\/ul>\n<p>Such a trigger can look as follows:<\/p>\n<div style=\"font-family: courier;\">create or replace TRIGGER xxread.xxread_query_logon_trg<br \/>AFTER logon ON XXREAD.SCHEMA<br \/>DECLARE<br \/>BEGIN<br \/>EXECUTE IMMEDIATE \u2018ALTER SESSION SET CURRENT_SCHEMA =APPS\u2019;<br \/>END;<br \/>\/<\/div>\n<p>&nbsp;<\/p>\n<h3>Summary<\/h3>\n<p>With the above procedure, it is possible to create a XXREAD user that can access (in a reading fashion) everything from the APPS user. This is a lot more secure than really using the APPS user\/password since in that way, no one can accidentally run a \u201ctruncate\u201d on some table. Also keep in mind, though, that such a XXREAD user is not the perfect solution and allows a lot of (reading) access, which still might be a GDPR issue; obviously, you also want to limit access to this XXREAD user as restrictive as possible.<\/p>\n<p>[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In Oracle E-Business Suite environments it is often necessary to query data. Typically, all data can be accessed through the APPS user. However, that user is highly privileged and, when in use, can easily \u201cbreak things\u201d. This is obviously a big compliance issue. Having a dedicated read-only user is thus a much better approach.<\/p>\n","protected":false},"author":2,"featured_media":1244,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[440],"tags":[115,110,133,145],"dipi_cpt_category":[],"class_list":["post-1330","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-techblog-en","tag-e-business-suite-2","tag-oracle-2","tag-oracle-e-business-suite-2","tag-read-only-apps-user-en"],"_links":{"self":[{"href":"https:\/\/promatis-test.de\/ch\/en\/wp-json\/wp\/v2\/posts\/1330"}],"collection":[{"href":"https:\/\/promatis-test.de\/ch\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/promatis-test.de\/ch\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/en\/wp-json\/wp\/v2\/comments?post=1330"}],"version-history":[{"count":0,"href":"https:\/\/promatis-test.de\/ch\/en\/wp-json\/wp\/v2\/posts\/1330\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/en\/wp-json\/wp\/v2\/media\/1244"}],"wp:attachment":[{"href":"https:\/\/promatis-test.de\/ch\/en\/wp-json\/wp\/v2\/media?parent=1330"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/en\/wp-json\/wp\/v2\/categories?post=1330"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/en\/wp-json\/wp\/v2\/tags?post=1330"},{"taxonomy":"dipi_cpt_category","embeddable":true,"href":"https:\/\/promatis-test.de\/ch\/en\/wp-json\/wp\/v2\/dipi_cpt_category?post=1330"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}