Modifying Service Security Data

Different companies and organizations have different strategies for maintaining service users and permissions. Some have a single service administrator perform this maintenance using the Oracle Transportation Management default user roles, which carry high privileges; others treat user maintenance as a help desk task and create a custom user role that grants only this access. Whichever strategy is used, be aware that Oracle database triggers are implemented on the security-related tables, and these triggers constrain which User Roles can insert, update, and delete records in specific tables. Because the checks run in the database rather than in the user interface, they apply to every client that reaches these tables. If the User Role constraints are not met, the triggers raise different database exceptions depending on the violation. Some of the rules below are quite involved.

Only users with the "DBA.ADMIN" user role can modify records in the following tables. If a user with any other user role attempts to do so, an "ORA-20201: User does not have privileges to modify this data" exception is raised.

  • ACR_ROLE
  • ACR_ROLE_ENTRY_POINT
  • ACR_ROLE_ROLE
  • GL_USER_ACR_ROLE
  • GL_USER_BI_APP
  • GL_USER_BI_ROLE
  • PROP_INSTRUCTION
  • USER_ROLE_ACR_ROLE
  • VPD_CONTEXT
  • VPD_CONTEXT_VARIABLE
  • VPD_PROFILE

Only users with the "DBA.ADMIN", "ADMIN", or "SERVPROV.ADMIN" user role can modify records in the following tables. If a user with any other user role attempts to do so, an "ORA-20007: Transaction not permitted" exception is raised.

  • DOMAIN
  • DOMAIN_GRANTS_MADE
  • EXTERNAL_PREDICATE
  • USER_ROLE
  • USER_ROLE_GRANT
  • VPD_CONTEXT
  • VPD_CONTEXT_VARIABLE
  • VPD_PROFILE
  • ROLE_ROLE_GRANT

Only a user with the "DBA.ADMIN" user role can grant another user role the "DBA.ADMIN" user role. If a user with any other user role attempts this, an "ORA-20008: Transaction not permitted" exception is raised.

Only a user with the "DBA.ADMIN" or "OTM-SYSTEM" user role can create or update another user so that it has the "DBA.ADMIN" user role. If a user with any other user role attempts this, an "ORA-20013: {User} not allowed to update gl_user" exception is raised.

Only a user whose logged-in user role is "DBA.ADMIN" can create or update another user so that it has the "DBA.ADMIN" user role. If a user with any other user role attempts this, an "ORA-20020: Transaction not allowed, DBA.ADMIN role cannot be assigned by {User}" or an "ORA-20021: Transaction not allowed, DBA.ADMIN role cannot be assigned by {User}" exception is raised.

Only a user with the "ADMIN", "DBA.ADMIN", "SERVPROV.ADMIN", or "OTM-SYSTEM" user role can create or update another user so that it has the "ADMIN" user role. If a user with any other user role attempts this, an "ORA-20014: {User} not allowed to update gl_user" exception is raised.

Only a user with the "ADMIN", "DBA.ADMIN", "SERVPROV.ADMIN", "USER-ADMINISTRATION", or "OTM-SYSTEM" user role can update or delete another user. If a user with any other user role attempts this, an "ORA-20015: {User} not allowed to update gl_user" exception is raised.

Every user can, and must be able to, change their own Oracle Transportation Management password; the restrictions above on updating other users do not apply to a user's own password.

A Domain Admin user must have the "ADMIN" user role. If any other user role is assigned instead, an "ORA-20016: Transaction not allowed, Domain Admin user {User} must be assigned ADMIN user role." or an "ORA-20018: Transaction not allowed, Domain Admin user {User} must be assigned ADMIN user role." exception is raised.

The SERVPROV.ADMIN user must have the "SERVPROV.ADMIN" user role. If any other user role is assigned instead, an "ORA-20017: Transaction not allowed, SERVPROV.ADMIN must be assign SERVPROV.ADMIN user role" or an "ORA-20019: Transaction not allowed, SERVPROV.ADMIN must be assign SERVPROV.ADMIN user role" exception is raised.
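All of the rules above are enforced by the same mechanism: a BEFORE row trigger reads the logged-in user's role from the session and calls RAISE_APPLICATION_ERROR with a code in the -20000 to -20999 range, which is what surfaces as the "ORA-20xxx" messages quoted on this page. The PL/SQL below is an added illustration of that pattern written for this page; it is not Oracle Transportation Management's own trigger code. It assumes a hypothetical application context (sec_demo_ctx, written only by sec_demo_pkg) that carries the user and user role into the session, since the page does not say how OTM does this, and it uses hypothetical demo tables (demo_acr_role, demo_user_role_grant) with invented columns in place of the real OTM tables. Creating the context requires the CREATE ANY CONTEXT privilege.

```sql
-- Hypothetical application context used to carry the logged-in OTM user and
-- user role into the database session. (Assumption: how OTM really does this
-- is not documented on this page.)
CREATE OR REPLACE PACKAGE sec_demo_pkg AS
  PROCEDURE set_session(p_user IN VARCHAR2, p_user_role IN VARCHAR2);
END sec_demo_pkg;
/
CREATE OR REPLACE CONTEXT sec_demo_ctx USING sec_demo_pkg;

CREATE OR REPLACE PACKAGE BODY sec_demo_pkg AS
  PROCEDURE set_session(p_user IN VARCHAR2, p_user_role IN VARCHAR2) IS
  BEGIN
    -- Only this package may write the namespace, so a caller cannot forge a
    -- role with a direct DBMS_SESSION.SET_CONTEXT call.
    DBMS_SESSION.SET_CONTEXT('sec_demo_ctx', 'gl_user',   p_user);
    DBMS_SESSION.SET_CONTEXT('sec_demo_ctx', 'user_role', p_user_role);
  END set_session;
END sec_demo_pkg;
/

-- Hypothetical stand-in for a DBA.ADMIN-only table such as ACR_ROLE.
CREATE TABLE demo_acr_role (
  acr_role_gid VARCHAR2(101) PRIMARY KEY,
  description  VARCHAR2(120)
);

-- Pattern 1: table-level gate. Any DML by a session whose role is not
-- DBA.ADMIN fails with the ORA-20201 quoted above. A NULL role (context
-- never set) is treated as unprivileged, never as a pass.
CREATE OR REPLACE TRIGGER demo_acr_role_sec
BEFORE INSERT OR UPDATE OR DELETE ON demo_acr_role
FOR EACH ROW
DECLARE
  v_role VARCHAR2(128) := SYS_CONTEXT('sec_demo_ctx', 'user_role');
BEGIN
  IF v_role IS NULL OR v_role <> 'DBA.ADMIN' THEN
    RAISE_APPLICATION_ERROR(-20201,
      'User does not have privileges to modify this data');
  END IF;
END;
/

-- Hypothetical stand-in for a grant table such as USER_ROLE_GRANT.
CREATE TABLE demo_user_role_grant (
  user_role_gid    VARCHAR2(101) NOT NULL,
  granted_role_gid VARCHAR2(101) NOT NULL,
  PRIMARY KEY (user_role_gid, granted_role_gid)
);

-- Pattern 2: role-set gate plus value-dependent gate. Touching the table at
-- all requires one of three roles (ORA-20007); granting DBA.ADMIN further
-- requires DBA.ADMIN itself (ORA-20008). :NEW is empty on DELETE, so the
-- granted role is taken from :OLD in that case.
CREATE OR REPLACE TRIGGER demo_user_role_grant_sec
BEFORE INSERT OR UPDATE OR DELETE ON demo_user_role_grant
FOR EACH ROW
DECLARE
  v_role    VARCHAR2(128) := SYS_CONTEXT('sec_demo_ctx', 'user_role');
  v_granted VARCHAR2(101) := COALESCE(:NEW.granted_role_gid, :OLD.granted_role_gid);
BEGIN
  IF v_role IS NULL
     OR v_role NOT IN ('DBA.ADMIN', 'ADMIN', 'SERVPROV.ADMIN') THEN
    RAISE_APPLICATION_ERROR(-20007, 'Transaction not permitted');
  END IF;
  IF v_granted = 'DBA.ADMIN' AND v_role <> 'DBA.ADMIN' THEN
    RAISE_APPLICATION_ERROR(-20008, 'Transaction not permitted');
  END IF;
END;
/

-- Walk-through with constructed session values.
BEGIN sec_demo_pkg.set_session('HELPDESK.USER1', 'ADMIN'); END;
/
INSERT INTO demo_user_role_grant VALUES ('HELPDESK.ROLE', 'USER-ADMINISTRATION'); -- allowed
INSERT INTO demo_user_role_grant VALUES ('HELPDESK.ROLE', 'DBA.ADMIN');           -- ORA-20008
INSERT INTO demo_acr_role VALUES ('HELPDESK.ACR', 'help desk ACR');                -- ORA-20201

BEGIN sec_demo_pkg.set_session('DBA.USER1', 'DBA.ADMIN'); END;
/
INSERT INTO demo_acr_role VALUES ('HELPDESK.ACR', 'help desk ACR');                -- allowed
```

Two points carry over to the real tables. First, because the gate is a database trigger, it is enforced for every path to the table (the application, SQL*Plus, integration jobs), not only the user-maintenance screens, which is why a custom help desk role cannot be worked around by going straight to the database. Second, that guarantee is only as strong as the code that sets the session role: if anything other than trusted application code can populate it, the trigger checks are moot, so treat the role-setting path with the same care as the tables themselves.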