Thursday, 12 May 2011

Create a Read Only apps/ebs schema


Step 1:-
create a new user let say APPSREAD.

Step 2:-
Surely, the schema created in above Step 1 will be given read only grants to objects in apps. There will be cases where the grant command might fail. To monitor such failures  create a table as below
conn apps/xx;
–For APPSREAD. This table will capture the exceptions during Grants
PROMPT create table XX_GRANTS_FAIL_APPSREAD
create table XX_GRANTS_FAIL_APPSREAD (
        object_name VARCHAR2(100)
       ,sqlerrm varchar2(2000)
       ,creation_date DATE
        );
grant all on XX_GRANTS_FAIL_APPSREAD to apps with grant option;
grant select on XX_GRANTS_FAIL_APPSREAD to APPSREAD ;

Step 3
In this step we grant select on all the existing views and synonyms in apps schema to APPSREAD.
conn apps/xx;
PROMPT This can take upto 15-30 minutes
PROMPT Granting SELECT on All synonyms and views to APPSREAD
DECLARE
–One off script to execute grants to APPSREAD
  v_error VARCHAR2(2000);
BEGIN
  FOR p_rec IN (SELECT *
                FROM   all_objects
                WHERE  owner = ‘APPS’
                AND    object_type IN (‘SYNONYM’, ‘VIEW’)
                AND    object_name NOT LIKE ‘%_S’)
  LOOP
    BEGIN
      EXECUTE IMMEDIATE ‘grant select on ‘ || p_rec.object_name ||
                        ‘ to APPSREAD’;
    EXCEPTION
      WHEN OTHERS THEN
        v_error := substr(SQLERRM, 1, 2000);
        INSERT INTO bes.XX_GRANTS_FAIL_APPSREAD
          (object_name
          ,SQLERRM
          ,creation_date
          )
        VALUES
          (p_rec.object_name
          ,v_error
          ,sysdate
          );
    END;
  END LOOP;
  COMMIT;
END;
/
Step 4
Write a after logon trigger on APPSREAD schema. The main purpose of this trigger is to alter the session to apps schema, such that the CurrentSchema will be set to apps for the session(whilst retaining APPSREAD restrictions).In doing so your logon will retain the permissions of APPSREAD schema(read_only). Howerver it will be able to reference the apps objects with exactly the same name as does a direct connection to apps schema.
conn apps/xx;
PROMPT CREATE OR REPLACE TRIGGER xx_APPSREAD_logon_trg
CREATE OR REPLACE TRIGGER xx_APPSREAD_logon_trg
–16Jun2006 By Anil Passi
–Trigger to toggle schema to apps, but yet retaining APPSREAD resitrictions
–Also sets the org_id
  AFTER logon ON APPSREAD.SCHEMA
DECLARE
BEGIN
  EXECUTE IMMEDIATE
          ‘declare begin ‘ ||
          ‘dbms_application_info.set_client_info ( 101 ); end;’;
  EXECUTE IMMEDIATE ‘ALTER SESSION SET CURRENT_SCHEMA =APPS’;
END;
/
Step 5
Create a Trigger on the apps schema to issue select only grants for all new views and synonyms. Please note that I am excluding grants for sequences. SELECT grants for views and synonyms will be provided to APPSREAD as and when such objects are created in APPS. Please note that, all the APPS objects (views and synonyms) that existed in APPS schema prior to the implementation of this design, would have been granted read-only access to APPSREAD in Step 2.
conn apps/xx ;
PROMPT CREATE OR REPLACE TRIGGER xx_grant_APPSREAD
CREATE OR REPLACE TRIGGER xx_grant_APPSREAD
–16Jun2006 By Anil Passi

  AFTER CREATE ON APPS.SCHEMA
DECLARE
  l_str VARCHAR2(255);
  l_job NUMBER;
BEGIN
  IF (ora_dict_obj_type IN (‘SYNONYM’, ‘VIEW’))
     AND (ora_dict_obj_name NOT LIKE ‘%_S’)
  THEN
    l_str := ‘execute immediate “grant select on ‘ || ora_dict_obj_name ||
             ‘ to APPSREAD”;’;
    dbms_job.submit(l_job, REPLACE(l_str, ‘”‘, ””));
  END IF;
END;
/

1 comment:

Number of Visitors