Scripts for the Employee Records Application

A.3.1 How to Run the Scripts

Run these scripts as SYS from a shell on the database host, in the following order.

03_application_demo.sql: Sets up the demo environment. The script reads these parameters in order from either command-line arguments or interactive prompts:
- syspasswd: SYS password for the target PDB.
- dbapasswd: Password for the DEEPSEC_DBA administrative user that the script creates.
- target_pdb: Service name of the target PDB.
- TENANT_ID: Directory (tenant) ID of your Microsoft Entra ID tenant.
- DB_APP_ID: Application (client) ID of the EmployeeRecordsDB application registration in Entra ID. See Register the Database Resource.
- DB_APP_ID_URI: Application ID URI of the EmployeeRecordsDB application registration in Entra ID.
- ENTRA_DOMAIN: Your Microsoft Entra ID domain (for example, supremo.onmicrosoft.com). Used to construct sample employee email addresses.
- EMP_RECORDS_APP_ID: Application (client) ID of the EmployeeRecordsAPI application registration in Entra ID. See Register the Spring Boot Application.
03_application_cleanup.sql: Removes all objects the demo script created. Run this to reset the environment. The script reads these parameters in order from either command-line arguments or interactive prompts:
- syspasswd: SYS password for the target PDB.
- target_pdb: Service name of the target PDB.

A.3.2 Scripts

Review the source for both scripts used in the scenario.

File	Purpose
`03_application_demo.sql`	Sets up the demo environment.
`03_application_cleanup.sql`	Removes all objects created by the demo script.

A.3.2.1 03_application_demo.sql

The source for the 03_application_demo.sql script.

SET ECHO ON
SET FEEDBACK 1
SET NUMWIDTH 10
SET LINESIZE 200
SET TRIMSPOOL ON
SET TAB OFF
SET PAGESIZE 100

define syspasswd=&1
define dbapasswd=&2
define target_pdb=&3
define TENANT_ID=&4
define DB_APP_ID=&5
define DB_APP_ID_URI=&6
define ENTRA_DOMAIN=&7
define EMP_RECORDS_APP_ID=&8

spool 03_application_demo.log

----------------------------------------------------------------------
--  HR Security Demo - Spring Boot application
----------------------------------------------------------------------
-- This script creates the demo environment:
-- * Configure the database to accept external identities from Microsoft 
--   Entra ID
-- * Create sample employee records data
-- * Set up the connection pool user account and application identity for the 
--   application
-- * Create data roles, which map to Entra ID application roles
-- * Define data grants that limit a user with employee role to his or her 
--   own employee record, and enable privilege elevation for the 
--   salary-summary endpoint

----------------------------------------------------------------------
-- 1. Connect as SYS to the target PDB
----------------------------------------------------------------------

connect sys/&syspasswd@&target_pdb as sysdba

----------------------------------------------------------------------
-- 2. Create the administration user
----------------------------------------------------------------------

-- This local user is used to manage the demo environment.
create user DEEPSEC_DBA identified by &dbapasswd;
grant DBA to DEEPSEC_DBA;

----------------------------------------------------------------------
-- 3. Connect as the administration user
----------------------------------------------------------------------

connect DEEPSEC_DBA/&dbapasswd@&target_pdb

----------------------------------------------------------------------
-- 4. Configure the identity provider
----------------------------------------------------------------------

-- Enable Microsoft Entra ID as the identity provider for this PDB.
-- SCOPE = BOTH applies the setting to both the CDB and the PDB.
-- The database will use these values to validate incoming Entra tokens.
ALTER SYSTEM SET IDENTITY_PROVIDER_TYPE = AZURE_AD SCOPE = BOTH;

-- Supply the Entra tenant details so the database can validate tokens.
--   application_id_uri: the Application ID URI of the EmployeeRecordsDB
--                       Entra app registration  [DB_APP_ID_URI]
--   tenant_id:          the Directory (tenant) ID of your Entra tenant [TENANT_ID]
--   app_id:             the Application (client) ID of EmployeeRecordsDB [DB_APP_ID]
ALTER SYSTEM SET IDENTITY_PROVIDER_CONFIG = '{
  "application_id_uri": "&DB_APP_ID_URI", 
  "tenant_id": "&TENANT_ID", 
  "app_id": "&DB_APP_ID"
}' SCOPE = BOTH;

----------------------------------------------------------------------
-- 5. Create tablespace and HR schema
----------------------------------------------------------------------

-- Create the tablespace used by the HR demo schema.
-- Oracle Managed Files (OMF) controls the datafile location.
CREATE TABLESPACE users DATAFILE SIZE 100M AUTOEXTEND ON;

-- Create the HR schema that owns the employee table.
-- NO AUTHENTICATION means this schema cannot be logged into directly;
-- it is accessed only through object grants.
CREATE USER hr NO AUTHENTICATION
  DEFAULT TABLESPACE users
  QUOTA UNLIMITED ON users;

----------------------------------------------------------------------
-- 6. Create the employee table
----------------------------------------------------------------------

-- Create the data model used by all demo scenarios.
CREATE TABLE hr.employees (
    employee_id NUMBER PRIMARY KEY,
    first_name  VARCHAR2(50),
    last_name   VARCHAR2(50),
    email       VARCHAR2(128),
    manager     VARCHAR2(128),
    ssn         VARCHAR2(20),
    salary      NUMBER(10,2),
    phone       VARCHAR2(20)
);

----------------------------------------------------------------------
-- 7. Load sample data
----------------------------------------------------------------------

-- Email and manager values use UPN format (firstname@ENTRA_DOMAIN).
-- This matches the identity the Spring Boot application receives from
-- the Entra-issued JWT and passes as ORA_END_USER_CONTEXT.username.
INSERT INTO hr.employees VALUES (100,'Victoria','Williams','victoria@&ENTRA_DOMAIN',NULL,'219-09-9999',13000,'555-0100');
INSERT INTO hr.employees VALUES (200,'Marvin','Anderson','marvin@&ENTRA_DOMAIN','victoria@&ENTRA_DOMAIN','457-55-5462',12030,'555-0200');
INSERT INTO hr.employees VALUES (300,'Chris','Evans','chris@&ENTRA_DOMAIN','victoria@&ENTRA_DOMAIN','321-12-4567',6900,'555-0300');
INSERT INTO hr.employees VALUES (400,'Emma','Baker','emma@&ENTRA_DOMAIN','marvin@&ENTRA_DOMAIN','733-02-9821',8200,'555-0400');
INSERT INTO hr.employees VALUES (500,'Taylor','Mills','taylor@&ENTRA_DOMAIN','marvin@&ENTRA_DOMAIN','558-76-1243',9000,'555-0500');
COMMIT;

----------------------------------------------------------------------
-- 8. Create the connection pool user
----------------------------------------------------------------------

-- The Spring Boot application authenticates to the database using this
-- account and its own Entra database-access token (AZURE_CLIENT_ID).
-- The Oracle JDBC Spring Boot Provider obtains this token automatically
-- from Entra using the application's client credentials.
CREATE USER hr_app_user IDENTIFIED GLOBALLY AS
    'AZURE_CLIENT_ID=&EMP_RECORDS_APP_ID';

GRANT CREATE SESSION TO hr_app_user;

-- Allows the application to attach an end-user security context payload
-- (the end user's Entra JWT) to each session on behalf of an end user.
GRANT CREATE END USER SECURITY CONTEXT TO hr_app_user;

----------------------------------------------------------------------
-- 9. Create the application identity
----------------------------------------------------------------------

-- Maps the Spring Boot application's Entra client ID to a named
-- principal in the database. Data roles granted to this identity
-- can only be activated when the application includes them in the
-- end-user security context payload.
CREATE OR REPLACE APPLICATION IDENTITY hr_app
    MAPPED TO 'AZURE_CLIENT_ID=&EMP_RECORDS_APP_ID';

----------------------------------------------------------------------
-- 10. Create data roles
----------------------------------------------------------------------

-- Employees can see only their own row.
CREATE DATA ROLE employee_role MAPPED TO 'AZURE_ROLE=EMPLOYEE';

-- compensation_analyst is created DISABLED
-- Granting it to hr_app means only the application can activate it.
-- End users cannot enable this role on their own.
--
-- At runtime, the @RunWithDataRoles({"COMPENSATION_ANALYST"}) annotation
-- on EmployeeService.getSalarySummary() instructs the Oracle JDBC Spring
-- Boot Provider to temporarily include this role in the end-user context
-- payload for that method call only. The role is deactivated as soon as
-- the method returns.
CREATE OR REPLACE DATA ROLE compensation_analyst DISABLED;
GRANT DATA ROLE compensation_analyst TO hr_app;

----------------------------------------------------------------------
-- 11. Create data grants
----------------------------------------------------------------------

-- Employee access rule:
-- A user can see only the row where the email matches their identity.
-- Used by the Spring Boot GET /api/employees endpoint.
CREATE OR REPLACE DATA GRANT hr.employees_own_record
  AS SELECT
  ON hr.employees
  WHERE email = ORA_END_USER_CONTEXT.username
  TO employee_role;

-- Analyst access rule:
-- Exposes the salary column across all rows when the role is active.
-- Used by the Spring Boot GET /api/employees/salary-summary endpoint
-- through the @RunWithDataRoles({"COMPENSATION_ANALYST"}) annotation.
CREATE OR REPLACE DATA GRANT hr.employees_salary_summary
  AS SELECT (salary)
  ON hr.employees
  WHERE 1 = 1
  TO compensation_analyst;

spool off

A.3.2.2 03_application_cleanup.sql

The source for the 03_application_cleanup.sql script.

SET ECHO ON
SET FEEDBACK 1
SET NUMWIDTH 10
SET LINESIZE 200
SET TRIMSPOOL ON
SET TAB OFF
SET PAGESIZE 100

define syspasswd=&1
define target_pdb=&2

spool 03_application_cleanup.log

-- This script removes all objects created by the demo so the
-- environment can be reused cleanly.

----------------------------------------------------------------------
-- 1. Connect as SYS
----------------------------------------------------------------------

connect sys/&syspasswd@&target_pdb as sysdba

----------------------------------------------------------------------
-- 2. Remove application objects
----------------------------------------------------------------------

DROP USER hr_app_user CASCADE;
DROP APPLICATION IDENTITY hr_app;

----------------------------------------------------------------------
-- 3. Remove the HR schema
----------------------------------------------------------------------

DROP USER hr CASCADE;

----------------------------------------------------------------------
-- 4. Remove data roles
----------------------------------------------------------------------

DROP DATA ROLE employee_role;
DROP DATA ROLE compensation_analyst;

----------------------------------------------------------------------
-- 5. Remove the administration user and tablespace
----------------------------------------------------------------------

DROP USER DEEPSEC_DBA CASCADE;
DROP TABLESPACE users INCLUDING CONTENTS AND DATAFILES;

spool off

A.3.3 Log Files

Review the output generated by running each script.

File	Purpose
`03_application_demo.log`	Output generated by running `03_application_demo.sql`.
`03_application_cleanup.log`	Output generated by running `03_application_cleanup.sql`.

A.3.3.1 03_application_demo.log

The output generated by running 03_application_demo.sql.

SQL> 
SQL> ----------------------------------------------------------------------
SQL> --  HR Security Demo - Spring Boot application
SQL> ----------------------------------------------------------------------
SQL> -- This script creates the demo environment:
SQL> -- * Configure the database to accept external identities from Microsoft
SQL> --   Entra ID
SQL> -- * Create sample employee records data
SQL> -- * Set up the connection pool user account and application identity for the
SQL> --   application
SQL> -- * Create data roles, which map to Entra ID application roles
SQL> -- * Define data grants that limit a user with employee role to his or her
SQL> --   own employee record, and enable privilege elevation for the
SQL> --   salary-summary endpoint
SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 1. Connect as SYS to the target PDB
SQL> ----------------------------------------------------------------------
SQL> 
SQL> connect sys/&syspasswd@&target_pdb as sysdba
Connected.
SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 2. Create the administration user
SQL> ----------------------------------------------------------------------
SQL> 
SQL> -- This local user is used to manage the demo environment.
SQL> create user DEEPSEC_DBA identified by &dbapasswd;
old   1: create user DEEPSEC_DBA identified by &dbapasswd
new   1: create user DEEPSEC_DBA identified by dba_pwd

User created.

SQL> grant DBA to DEEPSEC_DBA;

Grant succeeded.

SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 3. Connect as the administration user
SQL> ----------------------------------------------------------------------
SQL> 
SQL> connect DEEPSEC_DBA/&dbapasswd@&target_pdb
Connected.
SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 4. Configure the identity provider
SQL> ----------------------------------------------------------------------
SQL> 
SQL> -- Enable Microsoft Entra ID as the identity provider for this PDB.
SQL> -- SCOPE = BOTH applies the setting to both the CDB and the PDB.
SQL> -- The database will use these values to validate incoming Entra tokens.
SQL> ALTER SYSTEM SET IDENTITY_PROVIDER_TYPE = AZURE_AD SCOPE = BOTH;

System altered.

SQL> 
SQL> -- Supply the Entra tenant details so the database can validate tokens.
SQL> --   application_id_uri: the Application ID URI of the EmployeeRecordsDB
SQL> --                       Entra app registration  [DB_APP_ID_URI]
SQL> --   tenant_id:          the Directory (tenant) ID of your Entra tenant [TENANT_ID]
SQL> --   app_id:             the Application (client) ID of EmployeeRecordsDB [DB_APP_ID]
SQL> ALTER SYSTEM SET IDENTITY_PROVIDER_CONFIG = '{
  2    "application_id_uri": "&DB_APP_ID_URI",
  3    "tenant_id": "&TENANT_ID",
  4    "app_id": "&DB_APP_ID"
  5  }' SCOPE = BOTH;
old   2:   "application_id_uri": "&DB_APP_ID_URI",
new   2:   "application_id_uri": "<DB_APP_ID_URI>",
old   3:   "tenant_id": "&TENANT_ID",
new   3:   "tenant_id": "<TENANT_ID>",
old   4:   "app_id": "&DB_APP_ID"
new   4:   "app_id": "<DB_APP_ID>"

System altered.

SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 5. Create tablespace and HR schema
SQL> ----------------------------------------------------------------------
SQL> 
SQL> -- Create the tablespace used by the HR demo schema.
SQL> -- Oracle Managed Files (OMF) controls the datafile location.
SQL> CREATE TABLESPACE users DATAFILE SIZE 100M AUTOEXTEND ON;

Tablespace created.

SQL> 
SQL> -- Create the HR schema that owns the employee table.
SQL> -- NO AUTHENTICATION means this schema cannot be logged into directly;
SQL> -- it is accessed only through object grants.
SQL> CREATE USER hr NO AUTHENTICATION
  2    DEFAULT TABLESPACE users
  3    QUOTA UNLIMITED ON users;

User created.

SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 6. Create the employee table
SQL> ----------------------------------------------------------------------
SQL> 
SQL> -- Create the data model used by all demo scenarios.
SQL> CREATE TABLE hr.employees (
  2      employee_id NUMBER PRIMARY KEY,
  3      first_name  VARCHAR2(50),
  4      last_name   VARCHAR2(50),
  5      email       VARCHAR2(128),
  6      manager     VARCHAR2(128),
  7      ssn         VARCHAR2(20),
  8      salary      NUMBER(10,2),
  9      phone       VARCHAR2(20)
 10  );

Table created.

SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 7. Load sample data
SQL> ----------------------------------------------------------------------
SQL> 
SQL> -- Email and manager values use UPN format (firstname@ENTRA_DOMAIN).
SQL> -- This matches the identity the Spring Boot application receives from
SQL> -- the Entra-issued JWT and passes as ORA_END_USER_CONTEXT.username.
SQL> INSERT INTO hr.employees VALUES (100,'Victoria','Williams','victoria@&ENTRA_DOMAIN',NULL,'219-09-9999',13000,'555-0100');
old   1: INSERT INTO hr.employees VALUES (100,'Victoria','Williams','victoria@&ENTRA_DOMAIN',NULL,'219-09-9999',13000,'555-0100')
new   1: INSERT INTO hr.employees VALUES (100,'Victoria','Williams','victoria@<ENTRA_DOMAIN>',NULL,'219-09-9999',13000,'555-0100')

1 row created.

SQL> INSERT INTO hr.employees VALUES (200,'Marvin','Anderson','marvin@&ENTRA_DOMAIN','victoria@&ENTRA_DOMAIN','457-55-5462',12030,'555-0200');
old   1: INSERT INTO hr.employees VALUES (200,'Marvin','Anderson','marvin@&ENTRA_DOMAIN','victoria@&ENTRA_DOMAIN','457-55-5462',12030,'555-0200')
new   1: INSERT INTO hr.employees VALUES (200,'Marvin','Anderson','marvin@<ENTRA_DOMAIN>','victoria@<ENTRA_DOMAIN>','457-55-5462',12030,'555-0200')

1 row created.

SQL> INSERT INTO hr.employees VALUES (300,'Chris','Evans','chris@&ENTRA_DOMAIN','victoria@&ENTRA_DOMAIN','321-12-4567',6900,'555-0300');
old   1: INSERT INTO hr.employees VALUES (300,'Chris','Evans','chris@&ENTRA_DOMAIN','victoria@&ENTRA_DOMAIN','321-12-4567',6900,'555-0300')
new   1: INSERT INTO hr.employees VALUES (300,'Chris','Evans','chris@<ENTRA_DOMAIN>','victoria@<ENTRA_DOMAIN>','321-12-4567',6900,'555-0300')

1 row created.

SQL> INSERT INTO hr.employees VALUES (400,'Emma','Baker','emma@&ENTRA_DOMAIN','marvin@&ENTRA_DOMAIN','733-02-9821',8200,'555-0400');
old   1: INSERT INTO hr.employees VALUES (400,'Emma','Baker','emma@&ENTRA_DOMAIN','marvin@&ENTRA_DOMAIN','733-02-9821',8200,'555-0400')
new   1: INSERT INTO hr.employees VALUES (400,'Emma','Baker','emma@<ENTRA_DOMAIN>','marvin@<ENTRA_DOMAIN>','733-02-9821',8200,'555-0400')

1 row created.

SQL> INSERT INTO hr.employees VALUES (500,'Taylor','Mills','taylor@&ENTRA_DOMAIN','marvin@&ENTRA_DOMAIN','558-76-1243',9000,'555-0500');
old   1: INSERT INTO hr.employees VALUES (500,'Taylor','Mills','taylor@&ENTRA_DOMAIN','marvin@&ENTRA_DOMAIN','558-76-1243',9000,'555-0500')
new   1: INSERT INTO hr.employees VALUES (500,'Taylor','Mills','taylor@<ENTRA_DOMAIN>','marvin@<ENTRA_DOMAIN>','558-76-1243',9000,'555-0500')

1 row created.

SQL> COMMIT;

Commit complete.

SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 8. Create the connection pool user
SQL> ----------------------------------------------------------------------
SQL> 
SQL> -- The Spring Boot application authenticates to the database using this
SQL> -- account and its own Entra database-access token (AZURE_CLIENT_ID).
SQL> -- The Oracle JDBC Spring Boot Provider obtains this token automatically
SQL> -- from Entra using the application's client credentials.
SQL> CREATE USER hr_app_user IDENTIFIED GLOBALLY AS
  2      'AZURE_CLIENT_ID=&EMP_RECORDS_APP_ID';
old   2:     'AZURE_CLIENT_ID=&EMP_RECORDS_APP_ID'
new   2:     'AZURE_CLIENT_ID=<EMP_RECORDS_APP_ID>'

User created.

SQL> 
SQL> GRANT CREATE SESSION TO hr_app_user;

Grant succeeded.

SQL> 
SQL> -- Allows the application to attach an end-user security context payload
SQL> -- (the end user's Entra JWT) to each session on behalf of an end user.
SQL> GRANT CREATE END USER SECURITY CONTEXT TO hr_app_user;

Grant succeeded.

SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 9. Create the application identity
SQL> ----------------------------------------------------------------------
SQL> 
SQL> -- Maps the Spring Boot application's Entra client ID to a named
SQL> -- principal in the database. Data roles granted to this identity
SQL> -- can only be activated when the application includes them in the
SQL> -- end-user security context payload.
SQL> CREATE OR REPLACE APPLICATION IDENTITY hr_app
  2      MAPPED TO 'AZURE_CLIENT_ID=&EMP_RECORDS_APP_ID';
old   2:     MAPPED TO 'AZURE_CLIENT_ID=&EMP_RECORDS_APP_ID'
new   2:     MAPPED TO 'AZURE_CLIENT_ID=<EMP_RECORDS_APP_ID>'

Application identity created.

SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 10. Create data roles
SQL> ----------------------------------------------------------------------
SQL> 
SQL> -- Employees can see only their own row.
SQL> CREATE DATA ROLE employee_role MAPPED TO 'AZURE_ROLE=EMPLOYEE';

Data role created.

SQL> 
SQL> -- compensation_analyst is created DISABLED
SQL> -- Granting it to hr_app means only the application can activate it.
SQL> -- End users cannot enable this role on their own.
SQL> --
SQL> -- At runtime, the @RunWithDataRoles({"COMPENSATION_ANALYST"}) annotation
SQL> -- on EmployeeService.getSalarySummary() instructs the Oracle JDBC Spring
SQL> -- Boot Provider to temporarily include this role in the end-user context
SQL> -- payload for that method call only. The role is deactivated as soon as
SQL> -- the method returns.
SQL> CREATE OR REPLACE DATA ROLE compensation_analyst DISABLED;

Data role created.

SQL> GRANT DATA ROLE compensation_analyst TO hr_app;

Grant succeeded.

SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 11. Create data grants
SQL> ----------------------------------------------------------------------
SQL> 
SQL> -- Employee access rule:
SQL> -- A user can see only the row where the email matches their identity.
SQL> -- Used by the Spring Boot GET /api/employees endpoint.
SQL> CREATE OR REPLACE DATA GRANT hr.employees_own_record
  2    AS SELECT
  3    ON hr.employees
  4    WHERE email = ORA_END_USER_CONTEXT.username
  5    TO employee_role;

Data grant created.

SQL> 
SQL> -- Analyst access rule:
SQL> -- Exposes the salary column across all rows when the role is active.
SQL> -- Used by the Spring Boot GET /api/employees/salary-summary endpoint
SQL> -- through the @RunWithDataRoles({"COMPENSATION_ANALYST"}) annotation.
SQL> CREATE OR REPLACE DATA GRANT hr.employees_salary_summary
  2    AS SELECT (salary)
  3    ON hr.employees
  4    WHERE 1 = 1
  5    TO compensation_analyst;

Data grant created.

SQL> 
SQL> spool off

A.3.3.2 03_application_cleanup.log

The output generated by running 03_application_cleanup.sql.

SQL> 
SQL> -- This script removes all objects created by the demo so the
SQL> -- environment can be reused cleanly.
SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 1. Connect as SYS
SQL> ----------------------------------------------------------------------
SQL> 
SQL> connect sys/&syspasswd@&target_pdb as sysdba
Connected.
SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 2. Remove application objects
SQL> ----------------------------------------------------------------------
SQL> 
SQL> DROP USER hr_app_user CASCADE;

User dropped.

SQL> DROP APPLICATION IDENTITY hr_app;

Application identity dropped.

SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 3. Remove the HR schema
SQL> ----------------------------------------------------------------------
SQL> 
SQL> DROP USER hr CASCADE;

User dropped.

SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 4. Remove data roles
SQL> ----------------------------------------------------------------------
SQL> 
SQL> DROP DATA ROLE employee_role;

Data role dropped.

SQL> DROP DATA ROLE compensation_analyst;

Data role dropped.

SQL> 
SQL> ----------------------------------------------------------------------
SQL> -- 5. Remove the administration user and tablespace
SQL> ----------------------------------------------------------------------
SQL> 
SQL> DROP USER DEEPSEC_DBA CASCADE;

User dropped.

SQL> DROP TABLESPACE users INCLUDING CONTENTS AND DATAFILES;

Tablespace dropped.

SQL> 
SQL> spool off

A.3 Scripts for the Employee Records Application