Trick #1 - Copying Users the Right Way

September 19th, 2006 by The Oracle Alchemist

Yesterday I announced that I would be doing a five day series entitled “The 5 Oracle Tricks You Never Knew.” Today’s trick is pretty simple, and it allows you to copy user accounts from one instance to another with the same password, grants, roles, etc., without using the exp/imp tools.

Everyone knows that you can use “create user username identified by password” to create a new user. What most people don’t know is that you can actually copy the password of a user from one database to another as well.

You won’t be able to see the password (sorry hackers), but you can copy it in its encoded form.

Instead of using:

create user test identified by password;

You will use:

create user test identified by values 'encoded password';

The encoded password is the encrypted password stored in the database, which is visible to a DBA. It is the 16-character value you will find in the PASSWORD column of the DBA_USERS view.

You can also use:

alter user test identified by values 'encoded password';

Use this form if you have already created the user and need to change the password to what it might have been on another system.

This is extremely useful for DBAs that are copying their production database to development, or migrating a database from one instance to another. Too often, DBAs are forced to remember the details they have, copy them from the DBA_USERS view, and try to create the new users as close as possible to the original.

But we’re more sophisticated! Instead, we will use the DBMS_METADATA package to pull the user information.

set head off
set pages 0
set long 9999999
select dbms_metadata.get_ddl('USER', username) || '/' usercreate
from dba_users;

USERCREATE
--------------------------------------------------------------

CREATE USER "SYS" IDENTIFIED BY VALUES 'F894844C34402B67'
DEFAULT TABLESPACE "SYSTEM" TEMPORARY TABLESPACE "TEMP"
/

...

Do you want to get all their roles and grants as well? Nothing easier! Look at the following:

SELECT DBMS_METADATA.GET_GRANTED_DDL('ROLE_GRANT','SYS') FROM DUAL;
SELECT DBMS_METADATA.GET_GRANTED_DDL('SYSTEM_GRANT','SYS') FROM DUAL;
SELECT DBMS_METADATA.GET_GRANTED_DDL('OBJECT_GRANT','SYS') FROM DUAL;

From this, we can form our Unified User Copy-o-matic with the following query:

set head off
set pages 0
set long 9999999
spool user_script.sql
SELECT DBMS_METADATA.GET_DDL('USER', USERNAME) || '/' DDL
FROM DBA_USERS
UNION ALL
SELECT DBMS_METADATA.GET_GRANTED_DDL('ROLE_GRANT', USERNAME) || '/' DDL
FROM DBA_USERS
UNION ALL
SELECT DBMS_METADATA.GET_GRANTED_DDL('SYSTEM_GRANT', USERNAME) || '/' DDL
FROM DBA_USERS
UNION ALL
SELECT DBMS_METADATA.GET_GRANTED_DDL('OBJECT_GRANT', USERNAME) || '/' DDL
FROM DBA_USERS;
spool off;

And voila! All of our users and grants all in one simple script.
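
A variant of the combined query above, as an added example (not the author's script): it asks DBMS_METADATA to terminate each generated statement itself, since one GET_GRANTED_DDL call can return several GRANT statements in a single CLOB, and it skips users that have no grants or quotas of a given kind so the call does not fail. Assumptions: SQL*Plus, a DBA session, SYS and SYSTEM left out, and a spool file name (user_script_terminated.sql) made up for this example.

```sql
-- Added example, not the post's script. Run in SQL*Plus as a DBA.
set head off
set pages 0
set long 9999999
set longchunksize 9999999
set linesize 32767
set trimspool on
set feedback off

-- Let DBMS_METADATA end every statement it generates, instead of appending
-- a single '/' to a CLOB that may contain several GRANT statements.
begin
  dbms_metadata.set_transform_param(
    dbms_metadata.session_transform, 'SQLTERMINATOR', true);
end;
/

-- The spool file holds every account's IDENTIFIED BY VALUES string: keep it
-- readable only by the DBA who loads it, and delete it after the copy.
-- The file name is hypothetical.
spool user_script_terminated.sql

-- Users first, so the grants that follow have a grantee on the target.
-- Assumption: the built-in SYS and SYSTEM accounts are not copied.
select dbms_metadata.get_ddl('USER', u.username)
from   dba_users u
where  u.username not in ('SYS', 'SYSTEM');

-- Each grant type is guarded by the dictionary view that lists it.
select dbms_metadata.get_granted_ddl('ROLE_GRANT', u.username)
from   dba_users u
where  u.username not in ('SYS', 'SYSTEM')
and    exists (select 1 from dba_role_privs p where p.grantee = u.username);

select dbms_metadata.get_granted_ddl('SYSTEM_GRANT', u.username)
from   dba_users u
where  u.username not in ('SYS', 'SYSTEM')
and    exists (select 1 from dba_sys_privs p where p.grantee = u.username);

select dbms_metadata.get_granted_ddl('OBJECT_GRANT', u.username)
from   dba_users u
where  u.username not in ('SYS', 'SYSTEM')
and    exists (select 1 from dba_tab_privs p where p.grantee = u.username);

select dbms_metadata.get_granted_ddl('TABLESPACE_QUOTA', u.username)
from   dba_users u
where  u.username not in ('SYS', 'SYSTEM')
and    exists (select 1 from dba_ts_quotas q where q.username = u.username);
spool off
```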

If you would like simple alter commands instead, we can always skip using DBMS_METADATA. Instead, use this query:

select 'alter user ' || username ||
' identified by values ''' || password || ''';'
from dba_users;

Note that in the case above, there are three single quotes to the left and right of password. Don’t use double quotes.

That’s it for today; a rather easy trick that you can use many times during your DBA career. If you already knew this trick, don’t worry! There’s more to come, the rest a bit more advanced and a bit more obscure. Join me tomorrow and we’ll talk about how to transform any query into any other on the back-end, sometimes with very amusing results!

8 Responses to “Trick #1 - Copying Users the Right Way”

  1. Ravinder Says:

    Hello ,

    It is helpful to others to add one more proc.
    GET_DEPENDENT_DDL to get the space quota in tablespaces.

    Hope this helps.
    Ravinder

  2. steve Says:

    You’re absolutely right, it helps very much. Quota information is vital to copy a user verbatim.

  3. Bob Wylie Says:

    I had to add some qualifiers on the statements so that if a user has not been issued a grant the procedure does not fail. Here are my additions. Note the ‘exists’ statements.

    SELECT DBMS_METADATA.GET_GRANTED_DDL('ROLE_GRANT', USERNAME) || '/' DDL
    FROM DBA_USERS where exists (select 'x' from dba_role_privs drp where
    drp.grantee = dba_users.username)
    UNION ALL
    SELECT DBMS_METADATA.GET_GRANTED_DDL('SYSTEM_GRANT', USERNAME) || '/' DDL
    FROM DBA_USERS where exists (select 'x' from dba_role_privs drp where
    drp.grantee = dba_users.username)
    UNION ALL
    SELECT DBMS_METADATA.GET_GRANTED_DDL('OBJECT_GRANT', USERNAME) || '/' DDL
    FROM DBA_USERS where exists (select 'x' from dba_tab_privs dtp where
    dtp.grantee = dba_users.username);

  4. The Oracle Alchemist Says:

    Good call Bob, without this it can make for a painful output script.

  5. Dave M Says:

    This will help Bob’s code out and stop the package from issuing errors, where users have no system privileges.

    SELECT DBMS_METADATA.GET_GRANTED_DDL('SYSTEM_GRANT', USERNAME) || '/' DDL
    FROM DBA_USERS
    where exists (select 'x' from dba_role_privs drp, dba_sys_privs dsp
    where drp.grantee = dba_users.username
    and drp.granted_role = dsp.privilege)

  6. John G Says:

    Still one hangup, setting default role(s) for the users. If there are multiple roles to be set as default for a user they must all be declared in the same ALTER USER statement. The statement can be generated with the function below:

    create or replace
    FUNCTION f_default_roles(p_usr varchar2) RETURN VARCHAR2 IS
      v_list VARCHAR2(2000);
      v_first boolean;
      CURSOR c_def_roles(v_userid varchar2) IS
        SELECT granted_role
        FROM dba_role_privs
        WHERE grantee = v_userid
        AND default_role = 'YES'
        ORDER BY granted_role;
    BEGIN
      v_first := true;
      FOR c_rec IN c_def_roles(p_usr)
      LOOP
        if v_first then
          v_list := c_rec.granted_role ;
          v_first := false ;
        else
          v_list := v_list || ', ' || c_rec.granted_role;
        end if;
      END LOOP;
      if v_first then
        v_list := '-- no default role for ' || p_usr ;
      else
        v_list := 'alter user ' || p_usr || ' default role ' || v_list || ' ;';
      end if;
      RETURN v_list;
    END f_default_roles;

  7. m Says:

    # Ravinder Says:
    #It is helpful to others to add one more proc.
    #GET_DEPENDENT_DDL to get the space quota in tablespaces.

    Thanks for this tidbit — I am currently trying to extract it through the GET_DEPENDENT_DDL proc but I couldn’t figure out the correct syntax. Do you specify the user or the tablespace? Either way, I couldn’t get it to run:

    SQL> select DBMS_METADATA.GET_DEPENDENT_DDL('TABLESPACE_QUOTA','SYSTEM') FROM DUAL;
    ERROR:
    ORA-31604: invalid NAME parameter "BASE_OBJECT_NAME" for object type TABLESPACE_QUOTA in function
    SET_FILTER
    ORA-06512: at "SYS.DBMS_SYS_ERROR", line 116
    ORA-06512: at "SYS.DBMS_METADATA_INT", line 4676
    ORA-06512: at "SYS.DBMS_METADATA_INT", line 8552
    ORA-06512: at "SYS.DBMS_METADATA", line 2881
    ORA-06512: at "SYS.DBMS_METADATA", line 2757
    ORA-06512: at "SYS.DBMS_METADATA", line 4394
    ORA-06512: at line 1

    Any thoughts?

  8. Charlie Says:

    You probably have this by now, but anyhow….

    SELECT DBMS_METADATA.GET_granted_DDL('TABLESPACE_QUOTA', 'SYSTEM') || '/' DDL
    FROM dual;

    As observed earlier, you’ll want to wrap this to avoid the instance where there is no quota for that user. If you find you can’t get this to work, try using a ‘real’ user rather than SYS or SYSTEM in the function call.
