OEM - read-only access?

Lafonsky

I am new to Oracle and Unix. I do, however, have a number of years of JDE, AS400, SQL, NT4 and W2k background. Being a CNC administrator and new to this site, there are problems with regard to system speed, i.e. slow response etc. The only way that I am able to find information is to ask questions, which proves to be quite tedious, especially seeing that the Oracle DBA is not in the same building.
I have a need to see the Oracle database, setups, initial values, tablespaces, defragmentation etc. I am unable to get access to the OEM tool due to the DBA saying that he cannot give read-only access to me when I use it. I don't think that this is the case. Surely if I use an ID with read-only access to the Oracle database then it is read-only in the tool? If not, then how will I personally get access to the information I need?

Thanking you in advance
Larry Meyer
 
Any account in Oracle is a member of "public" group and by default any member of this group has full access to all OneWorld tables, so your DBA is somewhat right - unless the access has been granted to another group (not PUBLIC), users should not have DB access at all...

On the other hand, CNC Administrator is not exactly a user and would normally have this access, in which case "select any table" system privilege should be enough to run OEM.

Regards,
Alex.
 
Larry

What is this OEM tool that you are talking about? Is it a OneWorld tool? If so, how do I access it?

Patty
 
Hi all,

Has anyone discovered a way to set up a read-only Oracle user for OneWorld? We have a requirement for this but so far haven't thought of an "easy" way of achieving this. Although we can set up one which looks as if it is, because of the *public access, that user can still update the database.

Thanks,

Maria
 
I rang response line about this sometime ago, and they huffed and puffed
about it, eventually giving me a convoluted way of removing the *public
access. Our requirement was read only through access, and I found it easier
to create an Oracle datasource, mark it as read only, and secure the registry
key. As for trying to accomplish the same thing with OEM, good luck!
Regards
Kieran Fitzgerald
 
Larry,

I think the questions regarding OEM and so-called *PUBLIC Oracle access are distinctly separate questions.

OEM access requires read access to a number of system database views. The more system level information you wish to see, the more views you need access to. If your DBA does the research it is definitely possible to issue you a read-only OEM user. He could allow you to see everything you want including tablespace information, session information, the SQL buffer and others. What he would prevent you from doing would be to modify data or data definitions.

On the *PUBLIC question, the JDE position that OneWorld tables must be available to public is nonsense. In fact I don't think that the folks in the JDE technology group would agree. I am sure that they have assisted clients in tightening up Oracle security. I have done it myself with a number of OneWorld systems. It is certainly possible to secure OneWorld tables, it just takes a fair amount of work using standard Oracle security commands. Now, that being said, there are some programs that will complain if certain tables are read only. So the final answer is that you could have an almost read-only profile with a couple of tables that might require update access.

Regards,
 
Coming in on the Second part of this discussion thread as Justin defined it.

Tightening up the database security from how JDE ships is really a must. Your data security is depending on ignorance and good-will . . . Setting an ODBC datasource to Read-Only doesn't cut it.

Attached is an Oracle PL/SQL script that makes this extremely easy for an Oracle DBA. All the DBA must do is:

1. Create a new role called jde_role.
2. Assign jde_role to all the jde DB accounts (JDE, PRODDTA, PRODCTL, ...)
3. Run the script. It generates another script (Set_OW_Table_grants.sql) with the REVOKE and GRANT statements for each JDE table.
4. Edit the connect statement(s) in the generated script.
5. Run the generated script.

That's it!
 

Attachments

  • 41418-set_ow_grants.sql
...and then create a new Oracle user and grant "connect" privilege and "select any table" system privilege to that account: now you can use it to run OEM in read-only mode (at least some tools, for the full OEM suite your DBA will need to do some OEM administration to enable it) AND have no access to OneWorld tables.
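
An added example of the five-step procedure listed in the earlier post; it is not the attached script, which is not reproduced on this page. It assumes the OneWorld owners are the three schemas named in that post (JDE, PRODDTA, PRODCTL) and that PUBLIC's table privileges were granted by the owning schema.

```sql
-- Added example, not the attached script. Save to a file and run it in
-- SQL*Plus as a DBA with @file so the spool contains only generated lines.
-- Assumption: the OneWorld owners are JDE, PRODDTA and PRODCTL.
SET ECHO OFF PAGESIZE 0 LINESIZE 300 FEEDBACK OFF TRIMSPOOL ON

-- Step 1: create the role that will replace PUBLIC as the grantee.
CREATE ROLE jde_role;

-- Step 2: give the role to every OneWorld database account.
GRANT jde_role TO JDE, PRODDTA, PRODCTL;

-- Step 3: generate Set_OW_Table_grants.sql. For each table privilege that
-- PUBLIC holds, emit a GRANT to jde_role and then a REVOKE from PUBLIC.
-- All GRANTs for an owner come before its REVOKEs, so the application
-- accounts never lose access while the generated script is running.
SPOOL Set_OW_Table_grants.sql
WITH pub AS (
  SELECT p.owner, p.table_name, p.privilege
  FROM   dba_tab_privs p
  JOIN   dba_tables t
         ON t.owner = p.owner AND t.table_name = p.table_name
  WHERE  p.grantee = 'PUBLIC'
  AND    p.grantor = p.owner
  AND    p.owner IN ('JDE', 'PRODDTA', 'PRODCTL')
)
SELECT stmt
FROM (
  SELECT DISTINCT owner, 0 AS seq, ' ' AS table_name,
         'CONNECT ' || owner AS stmt
  FROM   pub
  UNION ALL
  SELECT owner, 1, table_name,
         'GRANT ' || privilege || ' ON ' || owner || '.' || table_name
         || ' TO jde_role;'
  FROM   pub
  UNION ALL
  SELECT owner, 2, table_name,
         'REVOKE ' || privilege || ' ON ' || owner || '.' || table_name
         || ' FROM PUBLIC;'
  FROM   pub
)
ORDER BY owner, seq, table_name;
SPOOL OFF

-- Step 4: each generated "CONNECT <owner>" line prompts for that schema's
-- password; edit it if a connect identifier is needed.
-- Step 5: review the generated file, then run it:
--   @Set_OW_Table_grants.sql
```

Afterwards, `SELECT COUNT(*) FROM dba_tab_privs WHERE grantee = 'PUBLIC' AND owner IN ('JDE', 'PRODDTA', 'PRODCTL')` shows whether any PUBLIC grants on those schemas remain.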
 