  1. #1
    Join Date
    Mar 2002
    Posts
    23

    Unanswered: Lock unlock without change password

    I've been googling for some time now, so I made some assertions that I would kindly ask you to confirm/infirm.

    Can one user get only the right to lock/unlock another user without getting the right to change that other user's password or being able to change its default role?

    I believe this is not possible because all the above are done via the ALTER USER command, right? And once you grant to a user X the right to ALTER USER, then there is no fine graining afterwards to allow that user X to execute ALTER USER only for the locking/unlocking on user Y; it could as well change the password of user Y.

    I guess that one user can have multiple roles, so if the default role can be changed, then the next time the user logs in, the new default role will be enabled, right?

    It's quite an important security privilege to be able to do ALTER USER, right?

    Many thanks

  2. #2
    Join Date
    May 2014
    Location
    World Wide On The Web
    Posts
    16
    Quote Originally Posted by jimmyy View Post
    Can one user get only the right to lock/unlock another user without getting the right to change that other user's password
    First of all, I wouldn't let anybody without SYSDBA to even think about it.

    However, if your requirement is seriously to let any user to have the privilege to lock/unlock an account without letting the user to change the password, I would suggest to provide an interface(a GUI) which will just have the functionality to LOCK/UNLOCK a selected user. The underlying query will only execute ALTER USER username ACCOUNT LOCK/UNLOCK;

    Thus, from the interface, any user with login privilege can lock/unlock any user by selecting a username.

    Regards,
    Lalit

  3. #3
    Join Date
    Mar 2002
    Posts
    23
    Quote Originally Posted by Lalit Kumar B View Post
    First of all, I wouldn't let anybody without SYSDBA to even think about it.

    However, if your requirement is seriously to let any user to have the privilege to lock/unlock an account without letting the user to change the password, I would suggest to provide an interface(a GUI) which will just have the functionality to LOCK/UNLOCK a selected user. The underlying query will only execute ALTER USER username ACCOUNT LOCK/UNLOCK;

    Thus, from the interface, any user with login privilege can lock/unlock any user by selecting a username.

    Regards,
    Lalit
    Thank you Lalit,

    I want to allow only one specific user to be able to do that, not any user, but one specific user to be able to unlock another specific user.

    Otherwise how does it happen normally?
    It's the DBA that unlocks it right?

  4. #4
    Join Date
    May 2014
    Location
    World Wide On The Web
    Posts
    16
    Quote Originally Posted by jimmyy View Post
    It's the DBA that unlocks it right?
    In any production environment, it is to be done by someone specifically having dba role.

    Your requirement is to let the user ONLY lock/unlock the account and NOT let that user change the password, and I gave you a solution for that.

  5. #5
    Join Date
    Mar 2002
    Posts
    23
    Thank you for confirming!
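
One way to build the restricted lock/unlock interface discussed in this thread is a definer's-rights PL/SQL procedure, with EXECUTE granted to a single user. This is an added example, not code posted by anyone in the thread; the schema and account names `SEC_ADMIN`, `HELPDESK_OP` and `APP_USER` are hypothetical placeholders.

```sql
-- Assumed names: SEC_ADMIN owns the procedure and holds ALTER USER,
-- HELPDESK_OP is the one permitted caller, APP_USER is the one account
-- that may be locked or unlocked.

-- Run as a DBA. The privilege must be granted directly: roles are not
-- active inside definer's-rights named PL/SQL.
GRANT ALTER USER TO sec_admin;

CREATE OR REPLACE PROCEDURE sec_admin.set_account_lock (
    p_username IN VARCHAR2,
    p_action   IN VARCHAR2          -- 'LOCK' or 'UNLOCK'
)
AUTHID DEFINER                      -- runs with SEC_ADMIN's privileges, not the caller's
AS
    v_user   VARCHAR2(128) := UPPER(TRIM(p_username));
    v_action VARCHAR2(6)   := UPPER(TRIM(p_action));
BEGIN
    -- Allow-list of manageable accounts (only APP_USER here).
    -- NULL is checked explicitly because NOT IN evaluates to NULL for NULL input.
    IF v_user IS NULL OR v_user NOT IN ('APP_USER') THEN
        RAISE_APPLICATION_ERROR(-20001, 'Account may not be managed through this procedure');
    END IF;

    -- Only the two ACCOUNT clauses are reachable: no IDENTIFIED BY, no DEFAULT ROLE.
    IF v_action IS NULL OR v_action NOT IN ('LOCK', 'UNLOCK') THEN
        RAISE_APPLICATION_ERROR(-20002, 'Action must be LOCK or UNLOCK');
    END IF;

    -- DDL cannot take bind variables, so the statement is concatenated from
    -- the allow-listed name (quoted by DBMS_ASSERT) and the validated keyword.
    EXECUTE IMMEDIATE
        'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(v_user, FALSE)
        || ' ACCOUNT ' || v_action;
END set_account_lock;
/

-- The caller gets EXECUTE on the procedure only, never ALTER USER itself.
GRANT EXECUTE ON sec_admin.set_account_lock TO helpdesk_op;

-- As HELPDESK_OP:
BEGIN
    sec_admin.set_account_lock('APP_USER', 'UNLOCK');
END;
/
```

The owning schema still holds the full ALTER USER privilege, so it should be treated as a privileged account in its own right and not used for interactive logins.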
