Call (800) 766-1884 for Oracle support & training
Free Oracle Tips


Oracle Consulting Support
Oracle Upgrades
Use New Oracle Features
Oracle Replication Support
Oracle Training
Remote Oracle DBA
System Documentation
Oracle Tips
Oracle Performance
 

Free Oracle Tips


 

HTML Text

BC Oracle tuning

Oracle training

Oracle support

Remote Oracle

 

 

   
 

CREATE_PENDING_AREA Syntax

Oracle Tips by Burleson
 

This procedure lets you make changes to resource manager objects.

DBMS_RESOURCE_MANAGER.CREATE_PENDING_AREA;

All changes to the plan schema must be done within a pending area. The pending area can be thought of as a “scratch” area for plan schema changes. The administrator creates this pending area, makes changes as necessary, and possibly validates these changes. Only when the submit is completed do these changes become active.

You may, at any time while the pending area is active, view the current plan schema with your changes by selecting from the appropriate user views.

At any time, you may clear the pending area if you want to stop the current changes. You may also call the VALIDATE procedure to confirm whether the changes you have made are valid. You do not have to do your changes in a given order to maintain a consistent group of entries. These checks are also implicitly done when the pending area is submitted.

Tip: Oracle allows “orphan” consumer groups (i.e., consumer groups that have no plan directives that refer to them). This anticipates that an administrator may want to create a consumer group for future use.

VALIDATE_PENDING_AREA Syntax

DBMS_RESOURCE_MANAGER.VALIDATE_PENDING_AREA;

The following rules must be adhered to validate a pending resource plan area;  they are checked whenever the VALIDATE or SUBMIT procedures are executed:

* No plan schema may contain any loops.

* All plans and consumer groups referred to by plan directives must exist.

* All plans must have directives that refer to either plans or consumer groups.

* All the percentages in any given level may not add up to greater than 100 for the emphasis resource allocation method.

* No plan that is currently being used as a top plan by an active instance may be deleted.

* Under Oracle8i, the plan directive parameter, parallel_degree_limit_p1, may appear only in plan directives that refer to consumer groups (i.e., not at subplans).

* There  may not be more than 32 plan directives coming from any given plan (i.e., no plan can have more than 32 children).

* There may not be more than 32 consumer groups in any active plan schema.

* Plans and consumer groups use the same namespace; therefore, no plan may have the same name as any consumer group.

* There must be a plan directive for OTHER_GROUPS somewhere in any active plan schema. This ensures that a session not covered by the currently active plan is allocated resources as specified by the OTHER_GROUPS directive.

If any of the above rules are broken when checked by the VALIDATE or SUBMIT procedures, an informative error message is returned. You may then make changes to fix the problem(s) and reissue the VALIDATE or SUBMIT procedures.

CLEAR_PENDING_AREA Syntax

This procedure has no arguments it is simply called using:

       DBMS_RESOURCE_MANAGER.CLEAR_PENDING_AREA;

SUBMIT_PENDING_AREA Syntax

This procedure has no arguments it is simply called using:

      DBMS_RESOURCE_MANAGER.SUBMIT_PENDING_AREA;

SET_INITIAL_CONSUMER_GROUP Syntax

DBMS_RESOURCE_MANAGER.SET_INITIAL_CONSUMER_GROUP (
   user           IN VARCHAR2,
   consumer_group IN VARCHAR2);

where:

IOT Overflow. Gives the name of the IOT tables overflow table.

LOG. Does this table use redo logging?

SWITCH_CONSUMER_GROUP_FOR_SESS Syntax

DBMS_RESOURCE_MANAGER.SWITCH_CONSUMER_GROUP_FOR_SESS(
  SESSION_ID      IN NUMBER,
  SESSION_SERIAL  IN NUMBER,
  CONSUMER_GROUP  IN VARCHAR2);

where:

session_id. SID column from the view V$SESSION.

serial. SERIAL# column from the view V$SESSION.

consumer_group. Name of the consumer group of which to switch.

SWITCH_CONSUMER_GROUP_FOR_USER Syntax

DBMS_RESOURCE_MANAGER.SWITCH_CONSUMER_GROUP_FOR_USER (
   user           IN VARCHAR2,
   consumer_group IN VARCHAR2);

where:

user. Name of the user.

consumer_group. Name of the consumer group to switch to.

DBMS_RESOURCE_MANAGER_PRIVS Package  

The DBMS_RESOURCE_MANAGER package has a companion package that grants privileges in the realm of the resource consumer option: DBMS_RESOURCE_MANAGER_ PRIVS. Its procedures are documented in Table 9.6.

Table 9.6 DBMS_RESOURCE_MANAGER_PRIVS Procedures

Procedure

Purpose

GRANT_SYSTEM_PRIVILEGE

Performs a grant of a system privilege. 

REVOKE_SYSTEM_PRIVILEGE

Performs a revoke of a system privilege. 

GRANT_SWITCH_CONSUMER_GROUP

Grants the privilege to switch to resource consumer groups.

REVOKE_SWITCH_CONSUMER_GROUP

Revokes the privilege to switch to resource consumer groups.

DBMS_RESOURCE_MANAGER_PRIVS Procedure Syntax 

The calling syntaxes for all DBMS_RESOURCE_MANAGER_PRIVS packages are presented in the following subsections.

GRANT_SYSTEM_PRIVILEGE Syntax

DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SYSTEM_PRIVILEGE (
   grantee_name   IN VARCHAR2,
   privilege_name IN VARCHAR2 DEFAULT 'ADMINISTER_RESOURCE_MANAGER',            
   admin_option   IN BOOLEAN);

where:

grantee_name. Name of the user or role to whom privilege is to be granted.

privilege_name. Name of the privilege to be granted.

admin_option. TRUE if the grant is with admin_option; FALSE otherwise.

REVOKE_SYSTEM_PRIVILEGE Syntax

DBMS_RESOURCE_MANAGER_PRIVS.REVOKE_SYSTEM_PRIVILEGE (
   revokee_name   IN VARCHAR2,
   privilege_name IN VARCHAR2 DEFAULT 'ADMINISTER_RESOURCE_MANAGER');

where:

revokee_name. Name of the user or role from whom privilege is to be revoked.

privilege_name. Name of the privilege to be revoked.

GRANT_SWITCH_CONSUMER_GROUP Syntax

DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP (
   grantee_name   IN VARCHAR2,
   consumer_group IN VARCHAR2,
   grant_option   IN BOOLEAN);

where:

grantee_name. Name of the user or role to whom privilege is to be granted.

consumer_group. Name of consumer group.

grant_option. TRUE if grantee should be allowed to grant access; FALSE otherwise.

When using the GRANT_SWITCH_CONSUMER_GROUP procedure, the following usage notes apply:

* If you grant permission to a user to switch to a particular consumer group, then that user can immediately switch his or her current consumer group to the new consumer group.

* If you grant permission to a role to switch to a particular consumer group, then any users who have been granted that role and have enabled that role can immediately switch their current consumer group to the new consumer group.

* If you grant permission to switch a particular consumer group to PUBLIC, then any user can switch to that consumer group.

* If the grant_option parameter is TRUE, then users granted switch privilege for the consumer group may also grant switch privileges for that consumer group to others.

* In order to set the initial consumer group of a user, you must grant to the user the switch privilege for that group.

REVOKE_SWITCH_CONSUMER_GROUP Syntax

DBMS_RESOURCE_MANAGER_PRIVS.REVOKE_SWITCH_CONSUMER_GROUP (
   revokee_name   IN VARCHAR2,
   consumer_group IN VARCHAR2);

where:

revokee_name. Name of user/role from which to revoke access.

consumer_group. Name of consumer group.

When using the REVOKE_SWITCH_CONSUMER_GROUP procedure, the following usage notes apply.

* If you revoke a user’s switch privilege for a particular consumer group, then any subsequent attempts by that user to switch to that consumer group will fail.

* If you revoke the initial consumer group from a user, then that user, upon logging in, will automatically be part of the DEFAULT_CONSUMER_GROUP consumer group.

* If you revoke the switch privilege for a consumer group from a role, then any users who only had switch privilege for the consumer group via that role will be subsequently unable to switch to that consumer group.

* If you revoke the switch privilege for a consumer group from PUBLIC, then any users who could previously only use the consumer group via PUBLIC will not be subsequently able to switch to that consumer group.

Using OEM to Manage Resource Groups and Plans

As an alternative to using manual procedures to create and maintain resource plans and groups, Oracle has created a GUI interface in the OEM that allows the DBA to create and maintain simple resource plans. The OEM Resource Manager interface allows the DBA to create plans and groups, assign CPU and parallel process allocations, and assign users to resource plans. The DBA can also schedule when a resource plan is active via OEM.

Tip: In SuSE 7.2 Linux, I had to edit the oemapp script to remove the "native"  setting of the command-line argument since that isn't supported on SuSE. To get OEM working on Linux, search for "native" and comment out the section of the if command where it is set to "native.".

You can invoke OEM on Linux from a display window using this command:

oracle@tuscgalinux> oemapp console

The keyword console tells OEM that you are not using a service manager. Once OEM starts, you will have to select the Launch Standalone option to show the top-level display that is shown in Figure 9.3

Figure 9.3 Example top-level OEM display.

By clicking on the cross next to the Databases icon, you will see a list of databases. Click on the database icon that corresponds to the database in which you wish to create a resource plan. You will be prompted for the user name and password for the database. Connect as SYS since you will be using DBMS_RESOURCE_MANAGER, and remember to select the “SYSDBA connect as” option. Once all of the icons for the database you chose are displayed, select the Instance icon. From the Instance menu, select the Resource Plans icon; the display for maintaining resource plans will be displayed. The Resource Plans display is shown in Figure 9.4.

Figure 9.4 OEM resource plan display.

By selecting the Object menu item from the top menu bar on the OEM screen, you can choose Create Object, which will allow you to fill in the required dialog boxes to create a resource plan, assign it groups, and assign these groups to users and  roles. The top-level display for this resource plan creation wizard is shown in Figure 9.5.

Figure 9.5 Example of the Create Resource Plan wizard dialog box.

I won't go through an entire resource plan creation using OEM, as the steps are self-explanatory using the wizard, and you shouldn't have any problems with it.

Back in the Instance menu, there is an icon for Resource Consumer Groups. The top-level Resource Consumer Group display is shown in Figure 9.6. Notice that you can choose the group, the users, and roles that belong to it.

Figure 9.6 OEM Resource Manager group display.

If you choose the Object menu item, you can create new resource groups. An example of the Create Resource Consumer Group dialog box is shown in Figure 9.7.

Figure 9.7 OEM Create Resource Consumer Group dialog box.

Notice the option at the bottom of the screen in Figure 9.7 that allows the user to see the SQL that will be used to create the resource group. As you can see, I had already selected the user and role from the pick lists under their tabs when the screenshot was taken, as is evident in the resulting SQL commands. These commands should look familiar after stepping through the manual creation method at the start of this section.

When you have completed adding users and roles, you simply click the Create button to generate your new Resource Group. Once you have created a resource group, you will need to assign resources to it; you do this in the Resource Plans area when the group is assigned to a plan.

Managing Row-Level Access

Row-level access, also known as fine-grained security and virtual private databases, is managed using a combination of Oracle8i or Oracle contexts, stored procedures, database-level triggers, and the DBMS_RLS package. Row-level access is used to restrict SELECT, INSERT, UPDATE, and DELETE on table rows based on specific values contained in the rows or specific system-environment-related variables. Generally speaking, a policy will require:

* A context

* A procedure to implement the context

* A database- (Oracle8i or Oracle) level trigger that monitors login activity

* A security procedure to implement the policy

* A policy declaration

A row-level access control depends on certain environment variables known as contexts to be set. The DBMS_CONTEXT package is used to set the various context variables used by the RLS policy.

Figure 9.8 Steps to implement a security policy.

Figure 9.8 shows a flowchart of how to implement a simple security policy. As you can see, the process is not complex. Let’s examine each step and see what is really involved.

In the first step, a context package or procedure is developed that will then be used by a login trigger to set each user’s context variables. This step is vital in that if the context variables aren’t set, it is many times more difficult to implement row-level security using the DBMS_RLS package. The package or procedure used to set the context variables should resemble the one shown in Source 9.3.

SOURCE 9.3 Example of a context-setting procedure.

CREATE OR REPLACE PACKAGE graphics_app AUTHID DEFINER AS
PROCEDURE get_graphics_function(usern IN VARCHAR2, graphics_function OUT VARCHAR2);
PROCEDURE set_graphics_context(usern IN VARCHAR2);
END;
/
SET ARRAYSIZE 1
SHO ERR
CREATE OR REPLACE PACKAGE BODY graphics_app AS
graphics_user VARCHAR2(32);
graphics_function VARCHAR2(32);
PROCEDURE get_graphics_function(usern IN VARCHAR2, graphics_function OUT VARCHAR2)
IS
BEGIN
SELECT user_function INTO graphics_function FROM graphics_dba.graphics_users
WHERE username=usern;
END get_graphics_function;
PROCEDURE set_graphics_context(usern IN VARCHAR2) IS
BEGIN
graphics_app.get_graphics_function(usern,graphics_function);
DBMS_SESSION.SET_CONTEXT('GRAPHICS_SEC','GRAPHICS_FUNCTION',graphics_function);
DBMS_SESSION.SET_CONTEXT('GRAPHICS_SEC','GRAPHICS_USER',usern);
END set_graphics_context;
END graphics_app;
/
SHOW ERR

In the package in Source 9.3 are two procedures, one that retrieves a user’s graphics function from a pre-built and populated table, and the other that is used to set the user’s context variables based on using the DBMS_SESSION.SET_CONTEXT procedure provided by Oracle.

Of course, the procedures in Source 9.3 wouldn’t be much use without a trigger that could run it whenever a user logged on to the system. Until Oracle8i, this would have involved setting auditing on for login, moving the aud$ table from SYS ownership and setting the ownership to another user, resetting all of the synonyms pointing to aud$, and then building an insert trigger to perform the actual work. Since Oracle8i, all we have to do is build a trigger similar to the one shown in Source 9.4.

SOURCE 9.4 Example of a database login trigger.

CREATE OR REPLACE TRIGGER set_graphics_context AFTER LOGON ON DATABASE
DECLARE
username VARCHAR2(30);
BEGIN
username:=SYS_CONTEXT('USERENV','SESSION_USER');
graphics_app.set_graphics_context(username);
EXCEPTION
WHEN OTHERS THEN
NULL;
END;
/

Once we have an operating context set package and database login trigger, we can proceed to create the required context-checking package and the context it checks. Source 9.5 shows an example context-checking package.

SOURCE 9.5 Example of a context-checking package.

CREATE OR REPLACE PACKAGE graphics_sec AUTHID DEFINER AS
FUNCTION graphics_check(obj_schema VARCHAR2, obj_name VARCHAR2)
 RETURN VARCHAR2;
PRAGMA RESTRICT_REFERENCES(GRAPHICS_CHECK,WNDS);
END;
/
SET ARRAYSIZE 1
SHOW ERR
CREATE OR REPLACE PACKAGE BODY graphics_sec AS
FUNCTION graphics_check(obj_schema VARCHAR2, obj_name VARCHAR2)
 RETURN VARCHAR2 AS
d_predicate VARCHAR2(2000);
user_context VARCHAR2(32);
BEGIN
   user_context:=SYS_CONTEXT('graphics_sec','graphics_function');
   IF user_context = 'ADMIN' THEN
     d_predicate:=' 1=1';
dbms_output.put_line(d_predicate);
   ELSIF user_context = 'GENERAL USER' THEN
     d_predicate:=' graphics_usage='||chr(39)||'UNRESTRICTED'||chr(39);
dbms_output.put_line(d_predicate);
   ELSIF user_context='DEVELOPER' THEN
     d_predicate:=' 1=1';
dbms_output.put_line(d_predicate);
   ELSIF user_context IS NULL THEN
     d_predicate:='1=2';
   END IF;
   RETURN d_predicate;
END graphics_check;
END;
/
SHOW ERR

The entire purpose of the package in Source 9.5 is to return a d_predicate value based on a user’s graphics_function context value. The d_predicate value is appended to whichever WHERE clause is included with the user’s command or is appended as a WHERE clause whenever there is no preexisting clause. It is also possible to use a role granted to the user to determine row-level access restrictions, but it can result in unpredictable results and should be used with care.

The creation of our graphics security context is rather simple once we have finished the preliminary work. It boils down to one command:

CREATE OR REPLACE CONTEXT graphics_sec USING sys.graphics_app;

The final step is to set the policy into the database. This is done with the DBMS_RLS package, using the procedure ADD_POLICY:

BEGIN
 dbms_rls.add_policy('GRAPHICS_DBA','INTERNAL_GRAPHICS','GRAPHICS_POLICY', 'GRAPHICS_DBA','GRAPHICS_SEC.GRAPHICS_CHECK','SELECT,INSERT,UPDATE,DELETE',TRUE);
END;

This policy simply ties the components we previously defined to a coherent entity called GRAPHICS_POLICY and implements this policy against the table INTERNAL_GRAPHICS, which is in the schema GRAPHICS_DBA. The policy GRAPHICS_POLICY is owned by GRAPHICS_DBA and uses the procedure GRAPHICS_SEC. GRAPHICS_CHECK to verify that users can perform SELECT, INSERT, UPDATE, and DELETE operations.

Note that the final parameter in the add_policy call is TRUE: It corresponds to the update_check parameter and defaults to FALSE if not set to TRUE. If update_check is set to FALSE, the validity of the INSERT and UPDATE statements will not be verified and no errors or warnings will be generated. The status of the update_check setting for existing policies can be verified by looking in the SYS.EXU81RLS table (named the same in 8i  and 9i) and checking the CHKOPT column: a value of 0 means update_check is set to FALSE; a value of 1 indicates it is set to TRUE. You can also use the DBA_POLICIES view column CHK_OPTION, which will be either read YES or NO.

The table graphics_users is required in the above example. It contains the user name and the user’s graphics function.

Note: In version 9.0.1.0, if you create a fine-grained access application and do full restriction, as shown in the preceding example (restrict INSERT, UPDATE, DELETE, and SELECT), any attempt to EXPORT the table(s) involved will fail due to bug 1802004, and you will have to patch the database to use EXPORT.

 

See Code Depot for Full Scripts


This is an excerpt from Mike Ault, bestselling author of "Oracle 10g Grid and Real Application Clusters".

You can buy it direct from the publisher for 30%-off and get instant access to the code depot of Oracle tuning scripts.
  
 

Oracle performance tuning software 
 
 
 
 

Oracle performance tuning book

 

 
 
 
Oracle performance Tuning 10g reference poster
 
 
 
Oracle training in Linux commands
 
Oracle training Excel
 
Oracle training & performance tuning books
 

 

   

Copyright © 1996 -  2014 by Burleson. All rights reserved.

Oracle® is the registered trademark of Oracle Corporation. 

Hit Counter