iSQL*Plus User's Guide and Reference
Release 9.0.1
Part Number A88826-01
Go To Documentation Library
Home		Go To Product List
Book List		 Go To Table Of Contents
Contents		 Go To Index
Index
Master Index
Feedback

Go to previous page Go to beginning of chapter Go to next page

Security, 3 of 4

Disabling SQL*Plus, SQL, and PL/SQL Commands

To disable a SQL or SQL*Plus command for a given user, insert a row containing the user's username in the Userid column, the command name in the Attribute column, and DISABLED in the Char_Value column.

The Scope, Numeric_Value, and Date_Value columns should contain NULL. For example: 

PRODUCT    USERID  ATTRIBUTE  SCOPE   NUMBERIC     CHAR       DATE
                                      VALUE        VALUE      VALUE
-------    ------  ---------  -----   --------     ------     -----
SQL*Plus   HR      HOST                            DISABLED
SQL*Plus   %       INSERT                          DISABLED
SQL*Plus   %       UPDATE                          DISABLED
SQL*Plus   %       DELETE                          DISABLED

To re-enable commands, delete the row containing the restriction.

You can disable the following SQL*Plus commands:

EXECUTE

START

RUN

Note:

Disabling the SQL*Plus SET command will also disable the SQL SET ROLE and SET TRANSACTION commands. Disabling the SQL*Plus START command will also disable the SQL*Plus @ and @@ commands. 

You can also disable the following SQL commands:

ALTER

LOCK

ANALYZE

NOAUDIT

AUDIT

RENAME

CONNECT

REVOKE

CREATE

SELECT

DELETE

SET ROLE

DROP

SET TRANSACTION

GRANT

TRUNCATE

INSERT

UPDATE

You can also disable the following PL/SQL commands:

BEGIN

DECLARE

Note:

Disabling BEGIN and DECLARE does not prevent the use of the SQL*Plus EXECUTE command. EXECUTE must be disabled separately. 

Example A-1 Setting Restrictions in the PUP Table

This is an example of how to insert a row into the PUP table to restrict the user HR from using the SELECT statement:

  1. Log in with AS SYSDBA privileges.

  2. Insert a row into the PUP table with the command: 

    Keyboard icon
INSERT INTO PRODUCT_USER_PROFILE
VALUES ('SQL*PLUS', 'HR', 'SELECT', NULL, NULL, 'DISABLED', NULL, NULL);
  3. Connect as HR/HR and try to SELECT something: 

    Keyboard icon
CONNECT HR/HR; 
SELECT * FROM EMP_DETAILS_VIEW;

    This command causes the following error message: 

    Screen icon
SP2-0544: INVALID COMMAND: SELECT
  4. To delete this row and remove the restriction from the user HR, CONNECT again with AS SYSDBA privileges and enter: 

    Keyboard icon
DELETE FROM PRODUCT_USER_PROFILE WHERE USERID = 'HR';
Go to previous page Go to beginning of chapter Go to next page
Oracle
Copyright © 1996-2001, Oracle Corporation.
All Rights Reserved.
Go To Documentation Library
Home		Go To Product List
Book List		 Go To Table Of Contents
Contents		 Go To Index
Index
Master Index
Feedback