Whilst in the past I have known clients to implement this using synonyms. However the approach discussed below is designed without the need of having to create a single synonym in APPS_QUERYschema.
Step 1
Create the read-only schema, in this case lets call it APPS_QUERY.
Step 2.
Surely, the schema created in above Step 1 will be given read only grants to objects in apps. There will be cases where the grant command might fail. To monitor such failures create a table as below
conn xx_g4g/&2 ;
--For APPS_QUERY. This table will capture the exceptions during Grants
PROMPT create table XX_GRANTS_FAIL_APPS_QUERY
create table XX_GRANTS_FAIL_APPS_QUERY (
object_name VARCHAR2(100)
,sqlerrm varchar2(2000)
,creation_date DATE
);
grant all on XX_GRANTS_FAIL_APPS_QUERY to apps with grant option;
grant select on XX_GRANTS_FAIL_APPS_QUERY to apps_query ;
Step 3
In this step we grant select on all the existing views and synonyms in apps schema to apps_query.
conn apps/&1 ;
PROMPT This can take upto 15-30 minutes
PROMPT Granting SELECT on All synonyms and views to apps_query
DECLARE
--One off script to execute grants to apps_query
v_error VARCHAR2(2000);
BEGIN
FOR p_rec IN (SELECT *
FROM all_objects
WHERE owner = 'APPS'
AND object_type IN ('SYNONYM', 'VIEW')
AND object_name NOT LIKE '%_S')
LOOP
BEGIN
EXECUTE IMMEDIATE 'grant select on ' || p_rec.object_name ||
' to apps_query';
EXCEPTION
WHEN OTHERS THEN
v_error := substr(SQLERRM, 1, 2000);
INSERT INTO bes.XX_GRANTS_FAIL_apps_query
(object_name
,SQLERRM
,creation_date
)
VALUES
(p_rec.object_name
,v_error
,sysdate
);
END;
END LOOP;
COMMIT;
END;
/
Step 4
Write a after logon trigger on apps_query schema. The main purpose of this trigger is to alter the session to apps schema, such that the CurrentSchema will be set to apps for the session(whilst retaining apps_query restrictions).In doing so your logon will retain the permissions of apps_query schema(read_only). Howerver it will be able to reference the apps objects with exactly the same name as does a direct connection to apps schema.
conn apps/&1 ;
PROMPT CREATE OR REPLACE TRIGGER xx_apps_query_logon_trg
CREATE OR REPLACE TRIGGER xx_apps_query_logon_trg
--16Jun2006 By Anil Passi
--Trigger to toggle schema to apps, but yet retaining apps_query resitrictions
--Also sets the org_id
AFTER logon ON apps_query.SCHEMA
DECLARE
BEGIN
EXECUTE IMMEDIATE
'declare begin ' ||
'dbms_application_info.set_client_info ( 101 ); end;';
EXECUTE IMMEDIATE 'ALTER SESSION SET CURRENT_SCHEMA =APPS';
END;
/
Step 5
Create a Trigger on the apps schema to issue select only grants for all new views and synonyms. Please note that I am excluding grants for sequences. SELECT grants for views and synonyms will be provided to apps_query as and when such objects are created in APPS. Please note that, all the APPS objects (views and synonyms) that existed in APPS schema prior to the implementation of this design, would have been granted read-only access to apps_query in Step 2.
conn apps/&1 ;
PROMPT CREATE OR REPLACE TRIGGER xx_grant_apps_query
CREATE OR REPLACE TRIGGER xx_grant_apps_query
--16Jun2006 By Anil Passi
--
AFTER CREATE ON APPS.SCHEMA
DECLARE
l_str VARCHAR2(255);
l_job NUMBER;
BEGIN
IF (ora_dict_obj_type IN ('SYNONYM', 'VIEW'))
AND (ora_dict_obj_name NOT LIKE '%_S')
THEN
l_str := 'execute immediate "grant select on ' || ora_dict_obj_name ||
' to apps_query";';
dbms_job.submit(l_job, REPLACE(l_str, '"', ''''));
END IF;
END;
/
Some notes for this design
Note1
You need to ensure that the schema created in Step 1 has very limited permissions. Most importantly it must not be given grant for “EXECUTE/CREATE ANY PROCEDURE”. You will need to agree with your DBAs upfront for the permissions,
Note 2
Only views and synonyms will be granted access. Objects in your xx_g4g(bespoke) schema should have their synonyms in apps already in place.
Note 3
If your site has multi org enabled, you will then have to set the org I'd after loggiong on to apps query schema. In case you have only one single ORG_ID, then would have been set as in Step 4 above.
Note 4
ALTER SESSION SET CURRENT_SCHEMA =APPS
This facilitates users to run their queries as if they were connected to apps schema. However, their previliges will be restricted to those of apps_query
Note 5
It is assumed that ALTER SESSION privilege will exist for APPS_QUERY schema.
Thanks,
Anil Passi
Subscribe to this comment's feedwritten by Hi Anil, , July 16, 2007
written by Pranay , August 19, 2007
The statement has to be like,
SELECT *
FROM all_objects
WHERE owner = 'APPS'
AND object_type IN ('SYNONYM', 'VIEW')
AND object_name NOT LIKE '%_S' ESCAPE '';
This would aviod getting objects ending with '_S' (which I guess would be sequences, and they are not selected in the object_type above).
- Pranay
written by SRINIVAS. M , August 23, 2007
I am looking for creating read only responsibility. Will you pls prepare note for this.
Thanks,
Srinivas
written by Akil , August 24, 2007
written by ashish dubeby , October 20, 2007
im new to orr-apps .can u elaborate me on.....Create custom Application.....it would be gr8 help for me.....thanx in advance...
regards
Ashish
written by Neeladri , October 22, 2007
Hi Anil,
Just adding one thought to the point no. 2, in case of non-hrms responsibility, there would be many form functions, is there a single way to make all the forms query-only access to all users in apps? please give a suggestion on this.
Thanks,
Neeladri
written by Carlos , November 20, 2007
your doc is very useful!!! thanks in advance.
But I would like to comment another issue regarding this matter, read_only apps schema...
I working to implementing policies and procedures for SOX audit, and I need to define a specific procedure to established a emergency changes to live environment.. that is, create a mirror apps schema (apps-emer) for implement a emergency changes for a developer user if the person in charge to apply this cannot to do...
do you have any experiences about this issue, mirror apps schema?
thanks for your comments
Regards,
Carlos
written by Carlos , November 21, 2007
I'm trying to apply your process, but when I would like to create trigger xx_apps_query_logon_trg, failed with oracle error ora-600 [17057]. This lookup error is not identified!! do you have any experience about this trouble?
Thanks!
Carlos
written by George , November 26, 2007
written by George , December 01, 2007
written by NeoHyd , January 18, 2008
Apps Read only schema is a serious security violation.
When implementing this make sure you are not violating any Audit procedures. Access from back-end should always be discouraged unless there is a dire need and it is always better to have individual users created in DB and have access to data which they are authorized to see.
written by NeoHyd , January 18, 2008
written by Khaleel , January 31, 2008
Just adding one thought to the point no. 2, in case of non-hrms responsibility, there would be many form functions, is there a single way to make all the forms query-only access to all users in apps? please give a suggestion on this.
Thanks,
Khaleel S
written by VenkatJ , March 11, 2008
Can you please explain in detail about READ-ONLY APPS Schema.
I am not able to find schema "XX_G4G"
Thanks
Venkat.
written by Damir Vadas , March 12, 2008
THX
written by Subbu , May 04, 2008
We have one requirement to create Readonly Database user for GL, AP, AR and PO Modules, How can we do that, we dont want him to touch another Module Tables or views or synonyms.
Do you have any idea to do that???
written by Subbu , May 04, 2008
SELECT *
FROM dba_objects
WHERE owner in ('GL','AP','AR','PO')
AND object_type IN ('SYNONYM', 'VIEW')
AND object_name NOT LIKE '%/_S' ESCAPE '/';
will the above query serve our purpose? Here I am granting select privileges of the objects returned by the above query.
I want to do the following steps.
(a) create a readonly user in the database
(b) grant select privileges on the objects returned from the above query
Please correct me if i am wrong. did i miss anything?
written by Subbu , May 04, 2008
the procedure, which i have given in the above comment will it serve our purpose?
Please correct me If I am wrong.
written by Alex2008 , May 20, 2008
Can you please guide me exactly what to do if multi org is enabled. You are explaining that "ORGID" to be set, which I don't know how to do while creating the trigger.
Thanks in advance.
Regards,
Alex
written by Jerry , August 25, 2009
Great article. Unfortunately there is an issue with the after logon trigger when using 11gR1 on a non-Windows server. You run in to Bug Bug 6747927 ALTER SESSION set CURRENT_SCHEMA does not work in AFTER LOGON TRIGGER From the descriptions:
Description
This problem is introduced in 11g.
Issuing an "alter session set current_schema=xxxxx" within an
AFTER LOGON trigger only has an effect during the duration of that
trigger. At the end of the trigger the schema is reset back
to the original schema.
eg:
connect / as sysdba
CREATE OR REPLACE TRIGGER TEST.change_schema
AFTER logon ON SCHEMA
begin
execute immediate 'alter session set current_schema=XXX';
end;
/
Connecting as users does not set current_schema to XXX.
eg: Check with
SELECT SYS_CONTEXT ('USERENV', 'CURRENT_SCHEMA') as current_schema FROM DUAL;
Bug is fixed on Windows Servers only and in future 11gR2 for other systems:
* 11.1.0.6 Patch 5 on Windows Platforms
* 11.1.0.7 Patch 6 on Windows Platforms
* 11.2 (Future Release)
Take care,
Jerry
written by Koyel Das , December 18, 2009
Can you please tell me why this is so and how to resolve this issue?
| < Prev | Next > |
|---|
This is a excellent note on creating read only schema for Apps.
Well, I am looking for creating read only responsibility. Will you pls prepare note for this.
Thanks,
Dnyanesh