Restrict access to the database for the upgrade of the application

Hi all

We're performing an upgrade of the application that requires us to run a lot of scripts on our Oracle EE 11.2.0.4 server.

This specific database has a website-based front end and a client-based front end, but it is also accessible on the network through TNS: SQL*Plus/Toad, ODBC, JDBC, etc.

For obvious reasons, during the upgrade I want to make sure that no one other than the DBA can access the database. Usually we change the listener port from 1521 to, let's say, 1544. This prevents all access.

But now we run a physical Data Guard configuration with two standbys, so I don't really want to play with the listener ports. The upgrade must propagate changes from the primary to the standbys. I could interrupt them temporarily, but I would like to avoid that if possible.

Another way I thought would work was to stop the database and open it in restricted mode. But before that, I would need to grant the RESTRICTED SESSION privilege to all the users the upgrade scripts use (around 5 users).

Does this approach using restricted mode seem reasonable?

Other opinions would be much appreciated.

Thank you

This is exactly what restricted session is for. You can do it online and then kill any session that is currently connected. No need to shut down:

orclz > alter system enable restricted session;

System altered.

orclz > alter system disable restricted session;

System altered.

orclz >
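
The restricted-session procedure from this thread carried through end to end, as an added example that is not part of the original posts. It assumes five hypothetical upgrade accounts named UPG_USER1 to UPG_USER5 and is run by a DBA from SQL*Plus on the primary.

```sql
-- Added example. UPG_USER1..UPG_USER5 are hypothetical names for the five
-- upgrade accounts mentioned in the question.

-- 1. Let the upgrade accounts through the restriction. Accounts that hold the
--    DBA role already have RESTRICTED SESSION.
GRANT RESTRICTED SESSION
  TO upg_user1, upg_user2, upg_user3, upg_user4, upg_user5;

-- 2. Refuse new logins from every account without the privilege. Sessions
--    that are already connected keep running. A listener that learned the
--    service through dynamic registration can refuse remote logins with
--    ORA-12526 while the instance is restricted, so test how the upgrade
--    accounts connect before the maintenance window.
ALTER SYSTEM ENABLE RESTRICTED SESSION;

-- 3. Confirm the instance state: LOGINS should now read RESTRICTED.
SELECT instance_name, logins FROM v$instance;

-- 4. Review the sessions left over from before step 2. SYS is excluded so
--    that Data Guard redo transport, which authenticates as SYS by default,
--    is left alone; the current session is excluded by SID.
SELECT sid, serial#, username, machine, program
FROM   v$session
WHERE  type = 'USER'
AND    sid <> SYS_CONTEXT('USERENV', 'SID')
AND    username NOT IN ('SYS', 'SYSTEM', 'UPG_USER1', 'UPG_USER2',
                        'UPG_USER3', 'UPG_USER4', 'UPG_USER5');

-- 5. Kill exactly the sessions listed in step 4.
BEGIN
  FOR r IN (SELECT sid, serial#
            FROM   v$session
            WHERE  type = 'USER'
            AND    sid <> SYS_CONTEXT('USERENV', 'SID')
            AND    username NOT IN ('SYS', 'SYSTEM', 'UPG_USER1', 'UPG_USER2',
                                    'UPG_USER3', 'UPG_USER4', 'UPG_USER5'))
  LOOP
    BEGIN
      EXECUTE IMMEDIATE 'ALTER SYSTEM KILL SESSION '''
                        || r.sid || ',' || r.serial# || ''' IMMEDIATE';
    EXCEPTION
      WHEN OTHERS THEN
        -- ORA-00030: session already gone; ORA-00031: marked for kill.
        IF SQLCODE NOT IN (-30, -31) THEN
          RAISE;
        END IF;
    END;
  END LOOP;
END;
/

-- 6. Run the upgrade scripts, then reopen the instance and take the
--    privilege back from the upgrade accounts.
ALTER SYSTEM DISABLE RESTRICTED SESSION;

REVOKE RESTRICTED SESSION
  FROM upg_user1, upg_user2, upg_user3, upg_user4, upg_user5;

SELECT instance_name, logins FROM v$instance;  -- LOGINS should read ALLOWED
```

The setting applies to the instance on which it is issued and leaves the listener ports untouched.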

Tags: Database

Similar Questions

  • How to restrict access to a web service application deployed on WebLogic to a user group only

    I built the web service application in JDeveloper 11.1.1.7. The security policy applied to the web service is the default Oracle policy (policy: Wssp1.2-2007-Https-UsernameToken-Plain.xml).

    Now anyone who wants to access the web service application must provide the user name and password in the header section of the SOAP request to meet the requirement of the policy.

    With the following steps I'm trying to restrict access to the web service application to a specific group of users among the WebLogic users:

    Log in to the WebLogic administration console

    Create the user or group of users

    Click on the Deployments link

    Select your web service

    Click the Security tab

    Click the Policies sub-tab

    Choose your authorization provider in the drop-down menu (it looks like the default)

    Choose Add Conditions -> Group -> type in the name of the group

    Finish

    But access is still available to all WebLogic users (i.e. users not in the group specified in the above security configuration). How can I restrict access to only the authorized group? Is anything lacking in my approach?

    There is nothing wrong with the steps mentioned in the question. In addition, you must do the following:

    At application deployment time, in the security part, there is a list under the question heading (which security template do you want to use with this application?).

    You must select (Advanced: use a custom template that you have configured on the realm's configuration page); then the configuration mentioned in the question will work.

  • Restrict access to the Page of the user in the relational database

    I have a relational database with two tables on a common ID field. The user can access all their entries in the child table with simple SQL queries and then select from a list of matches which of their records in the child table they wish to change (i.e. ParentTable['ID'], ChildTable['ID']). The record is then displayed using $_GET passed through the URL as the parameter "recordID". However, when the user is logged in and accessing a record that matches the query, they can then enter another "RecordID" number in the URL and go to any record in the child table, whether they are the 'owner' of the record or not.

    I tried to put an equivalence statement in the user authorization code to restrict access to the child records, since ParentTable['ID'] == ChildTable['ID'] only when the logged-in user accesses the records they created previously. (In other words, when a user types a different "RecordID" in the URL, ParentTable['ID'] and ChildTable['ID'] are not equivalent.) The code that I entered in the user authentication generated by DW is as follows:

    if ((isset($HTTP_SESSION_VARS["MM_Username"]) && ($row_ParentTable['ID'] == $row_ChildTable['ID']))) {}
    ...

    It is still not accessible, even if tests show that ParentTable['ID'] and ChildTable['ID'] are not equivalent.

    Any ideas on how to restrict access to the child records "unknown"? I'm sure it's relatively simple, but I'm having trouble to get through this obstacle.

    Thank you

    Thank you, Philo. In fact I got it to work by initializing a session variable with the parent table's ID and comparing it to the child table's ID variable, then using a header redirect in case of inequality. Part of my problem was where I put the code in the page. Anyway, it works now. It seems that the answer always comes just after you have posted the question.

  • How to restrict access to a drive in Windows XP SP3?

    I have 3 user accounts on my computer; it has the administrator rights and the other is a standard user account.

    I want to restrict access to all drives for the standard user.
    I used gpedit.msc to enable the administrative template, but it also restricts the admin account and me from accessing the drive.
    OS: Windows XP SP3
    Please advise.

    Hi Utkarsh.Ranjan,

    If you want to restrict access to a drive by using the Group Policy Editor, you cannot apply it to a particular user account. This will change it for the user accounts.

    You can't restrict access to the complete drive. However, you can restrict access to folders and files inside a drive for a particular user.

    Refer to the section "set, view, change, or remove special permissions for files and folders" in the following article and follow the steps to remove the user's permission to access the file/folder.

  • Restrict access from the view of external endpoint

    Hello world

    I got an interesting question today: is it possible to restrict access to View by physical endpoint? This client does not support BYOD in any way and instead provided HP thin laptops for their users to access View from home, via a security gateway. I know that you can disable the View web interface completely, but they are looking to block connections from anything but these thin laptops. Thank you!

    Here's a more recent document - https://www.vmware.com/files/pdf/VMware-View-KioskMode-WP-EN.pdf

  • How to restrict access to the system.

    Hello

    I thought it is possible to restrict access to the system during the processing of payroll is. The GI company is currently working to, so is distributed departments in a different location across the country during the payroll run payroll users are still transaction, insert/update of the data in the entry of the item, monthly data on the pay to play.

    It is technically possible to restrict access to the system or component during the race entry window? no idea to proceed accordingly?

    Thank you

    Published by: user10893201 on March 3, 2010 07:27

    Hi user;

    Please check:

    Security profile is not limiting access to payroll employees [ID 344649.1]
    How install bank account maintenance and security of access to the account in Release 12 [ID 403975.1]
    Restrict access to security of payroll is not working correctly on the safety profile of set [ID 244652.1]

    Also, check search below:
    http://forums.Oracle.com/forums/search.jspa?threadID=&q=restrict+access+&objid=f475&DateRange=all&userid=&NumResults=15

    It may be useful.

    Regards,
    HELIOS

  • Restrict access to the Portlet producer

    I want to restrict access to the Portlet producer.
    I mean, suppose there are 5 portlets on the producer.
    I want user1 will have access to only 2 portlets and user2 will have access to another 3 portlets.

    Could you please suggest how to achieve this type of authorization.

    I know everything right and single sign on in WSRP. My hypothesis is to combine these two long I can achieve.

    Thank you

    Bénédicte

    Ah ok
    something like that then?
    http://eDOCS.BEA.com/WLP/docs102/Federation/chap-entitlements.html

  • Using filters Essbase to restrict access to OBIEE dashboards for multiple users

    Hello

    You can use Essbase filters to restrict access to the data in OBIEE dashboards so that users with no access to specific members are not able to see all data for multiple users.

    Any suggestions on how to go about it.

    Thank you!

    Hello

    Like any data source as an essbase.

    You can filter the data by the user, use a NQSESSION. to get the session the correct access.

    Kind regards

  • How to restrict access to the network for customers in the lobby.

    Hello

    How is - this preferable to limit the access of the data ports in the lobby of the company for Internet access only? Although the hosts are not on the field, is it safe to allow them to reach the port of data?

    I suggest setting up a separate VLAN for these ports and using dot1q to trunk this VLAN to a dedicated DMZ interface or subinterface on your firewall, with an ACL that only allows access to the internet. That should do the trick.

  • Restrict access to the page

    Hello

    Appreciate if some web developers who are more experienced can help a beginner like me:

    I already used the Dreamweaver Server behavior to restrict access to a page... for example, localhost/xxx/xxx.php

    However, when I have a link that has a PHP echo, such as localhost/xxx/xxx.php?id=<?php echo $row_rsListing['ListingID']; ?>"><button type="button" class="btn btn-sm btn-default" style="background-color: #add8e6">change list</button></a>, and I click on the link, it goes to a URL that says localhost/xxx/xxx.php?id=1. I can then go to the URL line and manually change it to localhost/xxx/xxx.php?id=5, which is under a different user, and the restrict access to page behavior doesn't stop me from accessing this page.

    What should I do to prevent this?

    Thanks in advance.

    Peter

    The best advice you can get as a beginner is to stop using Dreamweaver server behaviors. They were deprecated by Adobe many years ago and have been removed from Dreamweaver, because the PHP code they use is not reliable. All the database-driven server behaviors rely on what is called the original MySQL extension in PHP, which has been removed from PHP 7. Even if your site currently still supports the original MySQL extension, you will be forced to redo all your code when it is upgraded to PHP 7.

    Adobe has not created updated versions of the server behaviors. You must either learn how to code PHP manually yourself (not particularly difficult) or buy third-party extensions created by DMXZone or WebAssist.

  • Restricting access to the CPO?

    Hi team,

    Currently, we are facing two problems different w.r.t. limiting access to the CPO.

    Question 1: User should be added to the Admin group in order to access all the features of CPO.

    Description: We have added a new user to the groups TEO definition authors and TEO operators on one of our CPO servers. When the user tries to create a new target, under Advanced properties, no option is listed for the default profile type. When we added the user to the Administrators group of TEO, the user could create the target successfully. Is there any way that we can restrict the user to not have admin access and still be able to have access to all the developer functions?

    Question 2: In the CPO Windows user

    Description: One of our customers noticed that needed to add a windows user to the CPO, the user must be part of the management of the host group and this gives access to this same windows user to windows TEO host as an administrator.

    We believe that the above two questions are similar and what steps we can take to limit access to users. It is extremely important that users using our POC environment have access to all the useful features as developers not part of the Admin group.

    Appreciate your help.

    Thank you
    Greg

    To add users, they must be a part of the TEO Administrators group. Or you can create your own custom security with create/update for users of the run time.

    For Windows runtime users, the users must be able to log on interactively to the box and must have the log on as a service / log on as a batch job rights in local security policy / group policy.

  • ISE - restrict access to the BYOD Portal

    Hello

    Is there a way to limit access to a BYOD portal to a set of Active Directory organizational units? Currently, when I select the 'Identity Source' sequence to use the AD identity source, any user can log in to the portal and register devices.

    The SSID that uses the subset of endpoint created by this portal is only available in a limited number of buildings, user base is controlled by the access to the buildings, but that doesn't stop everyone on campus, registering a device.

    I use ISE 1.4.0.253.

    see you soon,

    SEB.

    Hi Seb,

    I don't have a specific guide for this. It would use no feature additional license as already consuming BYOD.

    To run, you can follow the following steps.

    We assume that you have already decided on an AD group and that you have selected it in the groups under your identity source.

    1. Click on Policy > Client Provisioning

    2. Edit the relevant rule you want to restrict

    3. Expand the "Other Conditions"

    4. Click on the gear

    5. Select 'add an attribute/value'

    6. In the "Select the attribute" field, click on the down arrow

    7. Click on the ">" next to your external identity source

    8. Select "ExternalGroups"

    9. Leave the "equal" and select the down arrow in the next field

    10. Select the appropriate AD group

    11. Click on 'Done' on the rule

    12. Click on 'Save' at the bottom of the page

    And you're done. Follow these steps for each rule that you want to restrict.

    Kind regards

    Jason

  • IPSEC RA - activate crossed but restrict access to the web

    ASA5520 8.2 (5) 30

    Greetings,

    I have an IPSEC RA policy that has been implemented to tunnel all traffic (no split tunnel) through the ASA (which terminates on the external interface).  I need to be able to allow VPN users to access a web page (crossed) on the same external interface.

    ++++++++++++++++++++++++++++++

    Here are the current settings:

    group-policy L_Admins internal
    group-policy L_Admins attributes
    wins-server value 172.16.0.33 172.16.0.9
    dns-server value 172.16.0.33 172.16.0.9
    vpn-idle-timeout 60
    vpn-session-timeout 480
    vpn-filter value filter-admin-l
    access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.0.33
    access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.255.252 host 172.16.0.9
    access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.252.252 host 172.16.1.4
    access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.252.252 host 172.16.1.2
    access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.252.252 10.24.0.0 255.252.0.0
    access-list l-admin-test-filter extended permit ip 172.30.4.0 255.255.252.252 host 172.16.0.233
    vpn-tunnel-protocol IPSec
    split-tunnel-policy tunnelall
    default-domain value IHI.local
    tunnel-group L_Admins type remote-access
    tunnel-group L_Admins general-attributes
    address-pool ili_global
    authentication-server-group PhoneFactor
    default-group-policy L_Admins
    tunnel-group L_Admins ipsec-attributes
    pre-shared-key *

    ++++++++++++++++++++++

    Crossed is not currently enabled, so I guess I have to add:

    same-security-traffic permit inter-interface

    and (I guess)

    ip local pool l_admins 172.30.4.1-172.30.4.2 mask 255.255.255.252
    global (outside) 1 interface   * PAT IP
    nat (outside) 1 172.30.4.1-172.30.4.2 mask 255.255.255.252

    But from there I don't know how to restrict access to a single external IP on the web on port 80.

    Hello

    The correct command to permit traffic to enter and leave the same interface is

    same-security-traffic permit intra-interface

    The command you posted allows traffic between 2 different interfaces that have the same 'security-level' value:

    same-security-traffic permit inter-interface

    As for the dynamic PAT for Internet traffic:

    If you already have

    global (outside) 1 interface

    then you will need the "nat" command for the VPN pool:

    nat (outside) 1 172.30.4.0 255.255.255.252

    As for controlling the Internet traffic, shouldn't you be able to simply add this destination IP address to the VPN filter ACL you already use? I mean the ACL named "l-admin-test-filter".

    For example

    access-list l-admin-test-filter remark allow the external server connection
    access-list l-admin-filter-test permit tcp 172.30.4.0 255.255.255.252 host eq 80
    access-list l-admin-filter-test permit tcp 172.30.4.0 255.255.255.252 host eq 443
    access-list l-admin-filter-test permit tcp 172.30.4.0 255.255.255.252 host eq 8080

    -Jouni

  • Restrict access to the IP address and the Application

    Hello

    I have a problem with the application of database access. I want to limit the users using Toad. I want users to use only their application, not of Toad. But as a s/n, I still need Toad. I do like this limitation?

    CMIIW.

    Thank you and best regards,

    Wiwin, ST, OCP.

    Wiwin,

    If you want to try to make decisions about access based on the application used to establish the connection, you can look into some of the sys_context attributes and see if there is something that could work.  However, there is no guarantee that a given attribute is populated and accurate.  And, as Andy said, it would be possible for a user to spoof his client application if he can change the name of the executable file, or even change the attributes with the DBMS_APPLICATION_INFO package or OCI.

    Here's a query that can help you research how a given tool or application populates these attributes.  First connect with the tool you want to analyze, for example, TOAD.  Then run this query.  It covers the two sys_context attributes that I would look at to implement an application 'fingerprint': MODULE and CLIENT_INFO.  If this does not work, you can try substituting one or several of the other attributes listed under the SYS_CONTEXT function description in the SQL reference manual.

    select
      'CLIENT_INFO: ' || sys_context('USERENV', 'CLIENT_INFO') ||
      ' MODULE: ' || sys_context('USERENV', 'MODULE') "SYS_CONTEXT Data"
    from dual;

    If you find a 'fingerprint' that you think you can use, you can try to integrate it into your logon trigger.  However, I would exercise extreme caution due to the aforementioned unreliability of these attributes.  Do a lot of testing!  Or better yet, try Andrew's recommendation; it can't take more time to use the application role he suggests than it would to adequately code and test a logon trigger change, and it does a better job of dealing with the risks.

  • Restrict access to the PROD, but not DR.

    I use version 11.2.0.3.0 Production. I have questions.

    1. The prod DB is frequently queried by developers and QA guys with resource-intensive queries, resulting in production going down. So we intend to restrict access to these users of prod and don't give access to functional users. And for the developer/QA guys, give them access to DR (standby). So, how do I restrict a user on prod but not on DR (a copy of prod)? How can this be achieved? Or is there any other way to do this?

    2. Our production DBAs complain that they are facing a problem (might be performance related) because of sessions from developer/QA people that stay connected for long hours in the inactive state. But my understanding was that such a session simply uses little memory (much lower) and will not put any load on the CPU, so I need expert advice: how could an idle session cause a problem?

    Use the SERVER_HOST environment variable.

    See SYS_CONTEXT in the doc of the SQL language.

    http://docs.Oracle.com/CD/E11882_01/server.112/e26088/functions184.htm

    The host name of the computer on which the instance is running.

    SELECT SYS_CONTEXT('USERENV', 'SERVER_HOST') FROM DUAL;
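
One way to apply the SERVER_HOST suggestion above is a logon trigger, shown here as an added example that is not from the original thread. The production host name PRODHOST01 and the DEV_/QA_ account prefixes are assumptions made for illustration.

```sql
-- Added example. PRODHOST01 and the DEV_% / QA_% account naming are
-- hypothetical; substitute the real production host and account list.
-- On a physical standby the trigger arrives through redo apply, so the same
-- code runs on both sites and only the value of SERVER_HOST differs.
CREATE OR REPLACE TRIGGER sys.trg_block_dev_on_prod
AFTER LOGON ON DATABASE
DECLARE
  -- SERVER_HOST can come back with or without a domain suffix; compare on
  -- the first label only, in upper case.
  v_host VARCHAR2(64) :=
    UPPER(REGEXP_SUBSTR(SYS_CONTEXT('USERENV', 'SERVER_HOST'), '^[^.]+'));
  v_user VARCHAR2(30) := SYS_CONTEXT('USERENV', 'SESSION_USER');
BEGIN
  IF v_host = 'PRODHOST01'
     AND (v_user LIKE 'DEV\_%' ESCAPE '\' OR v_user LIKE 'QA\_%' ESCAPE '\')
  THEN
    -- Raising an error in an AFTER LOGON trigger refuses the connection.
    RAISE_APPLICATION_ERROR(
      -20001,
      'Developer and QA accounts must connect to the standby, not production');
  END IF;
END;
/

-- Notes for whoever maintains this:
--  * Accounts with the ADMINISTER DATABASE TRIGGER privilege (the DBA role
--    includes it) are still let in when a logon trigger raises an error, so
--    a DBA cannot be locked out by it.
--  * After a switchover or failover the production role moves to another
--    host, so the host name in the trigger has to be updated. Testing
--    SYS_CONTEXT('USERENV', 'DATABASE_ROLE') = 'PRIMARY' instead of the host
--    name avoids that maintenance step.

-- Check what the trigger will see on each site:
SELECT SYS_CONTEXT('USERENV', 'SERVER_HOST')  AS server_host,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user
FROM   dual;
```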
