Skip to Main Content
  • Questions

  • How to get the operating system user OSUSER from Oracle

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, Shane.

Asked: January 02, 2005 - 10:43 am UTC

Last updated: July 12, 2018 - 10:13 am UTC

Version: 8.1.7

Viewed 100K+ times! This question is

You Asked

I believe there is a way to get the LAN user ID of a user from within an Oracle query. I thought the variable was called OSUSER or OS_USER. I've tried select os_user from dual, but that doesn't work. Yet I think I'm close. Can you lead me in the right direction?

The reason is as follows: we use Weblogic and therfore our connections to Oracle are Pooled and all have the same login ID. To track the actual user I need to get the operating system use ID, OS USER. I just don't know how to get it from Oracle. I'll use it in triggers.

Thanks.

and Tom said...

If you are using 3 tiers, which you most like are given "weblogic" in the middle -- the CLIENT of the database, the OS USER will be the OS account associated with the middle tier application server!

tkyte@ORA8IW> select sys_context( 'userenv', 'os_user' ) from dual;

SYS_CONTEXT('USERENV','OS_USER')
---------------------------------------------------------------------
ORACLE-N15577HE\tkyte

is what you asked for -- but I seriously doubt it is what you want.


It would be up to your middle tier software to push the identify through to the database if you need it and are not using N-Tier Proxy authentication (search the docs on otn.oracle.com for proxy authentiation if you would like to read about that).

You can use dbms_session.set_client_identifier for example in 9i and above, but in 8i, you'll have to use an application context and have the middle tier set that application context value to the users identity.

Rating

  (15 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

HTMLDB?

A reader, January 03, 2005 - 5:11 pm UTC

How about when using HTMLDB? The browser "knows" the os_user, does HTMLDB make it available to me so I can take decisions based on it in the HTMLDB app?

Thanks

Tom Kyte
January 03, 2005 - 10:32 pm UTC

does the BROWSER tell the WEB SERVER "who" the OS user is, that -- that is the question....

Browser

A reader, January 03, 2005 - 10:56 pm UTC

Well, the browser just knows, doesnt it? In a Windows environment, every app just knows who the OS user is, I think. Doesnt NTLM, Active Directory and all that stuff kick in here? Not exactly sure, but all ASP/.NET pages against IIS I have seen simply call some builtin function to get the os user.

Can HTMLDB do something similar?

Tom Kyte
January 03, 2005 - 11:06 pm UTC

does it? does firefox know or CARE? how about things that are not "windows only".

while they might *know*, do they TELL. therein lies my real question to you.

IIS and IE are proprietary software -- run on exactly one OS (with 50 flavors, each slightly incompatible with the other... but that is besides the point), me -- I use firefox -- not on windows mostly. Now what? Who am I :) You think NTLM is running on Linux? Mac? or that most of the rest of the browsers care enough?

do you really want "web site X" to just "know" who you are? I'm pretty sure I don't.




Works perfectly

Shane, January 04, 2005 - 8:43 am UTC

I was unable to use3 the V$SESSION so this works perfectly. Exactly what I needed. The middleware sofware (WEBLOGIC) does not push the LAN user ID through, so it was up to Oracel to perform this task for me.

Thanks

To Shane

A reader, January 05, 2005 - 9:48 am UTC

What worked perfectly? What solution did you end up using? Thanks

Exactly what I was looking for

Steve, January 11, 2005 - 7:22 am UTC

I needed to store the OSUSER who changed certain columns on a table since everybody uses the same DB login. I used your code in a DB trigger. This was perfect.

Needed OS_user from Oracle

A reader, January 24, 2005 - 12:16 pm UTC

Gave me exactly the info I needed

User level

abdul, January 02, 2006 - 6:01 am UTC

Hello tom,
I am not a developer, i am just a dba but unfortunatkey i landed my self in to building application using html db. I created a application from spread sheet for recording tasks done by employees.Say i have 4 employees:1.smith
2.john
3.mary
4.scott
in hierarchial order. Their username in html db is also same. If smith logs in he should be able to see tasks of all the other three in the table.If john logs in he should be able to see mary and scott only and like wise.
Can you tell me how to accomplish this in html db ?
thanks in advance

Tom Kyte
January 02, 2006 - 10:05 am UTC

"I am just a DBA" :) Thanks for that laugh...


This sounds like VPD - Virtual Private Database - also known as FGAC - Fine Grained Access Control.

</code> http://asktom.oracle.com/~tkyte/article2/index.html <code>

Alternatively, you could just query for data using a query such as this:

select *
from emp
where empno in ( select empno
from emp
start with ENAME = :BIND_USER_NAME_HERE
connect by prior empno = mgr)



User level

Abdul, January 03, 2006 - 1:39 am UTC

Hello Tom,
Sorry Tom i didnt get the complete answer from your last update.The query you gave is excellent but it depends on fields in the table. The main issue here is working in HTML db. I don't know where and what code to write here . In forms with PL/SQL editors/triggers etc. where is it here?
Its not practical to have the user duly fill up his empno or his mgr no every time he creates a task. So how can i automate this update to few fields in HTML DB?
If mgr and emp no gets updated automatically based on user then it will make sence.
tahnk you tom.Its always good to see teacher laugh!

Tom Kyte
January 03, 2006 - 7:29 am UTC

You got a complete answer???

did you read the article on fine grained access control? it turns "select * from emp" into that query above (assuming you use that predicate in the security policy)

Or, just create a view and have htmldb go after that...

User level

Abdul, January 03, 2006 - 8:20 am UTC

Hi again Tom,
Create view like what? the probelm is when i am logged in htmldb i want to user :APP_USER to return me result according to the user? How should i refer APP_USER of html into database view?
Or just tell me this.. suppose i have to text fields on my html page text1 and text2. I enter SCOTT in text1.Now tell me where to write what code in the html attributes so that it populates the text2 with mgr no(hard coded logic).
If i know this much i will work around my requirement! Thanks for spending time on my problem tom.

Tom Kyte
January 03, 2006 - 8:41 am UTC

pop it into an application context - using the same technique as VPD would.

so your application calls a procedure that can set "my_ctx" and puts the app_user in there, a view:


select *
from emp
where empno in ( select empno
from emp
start with ENAME = sys_context( 'my_ctx', 'app_user' )
connect by prior empno = mgr)


will either return

o nothing when the context is not set
o data you are allowed to see when it is set



user level

abdul, January 04, 2006 - 12:35 am UTC

Hello Tom,
Ok getting required data issue solved, what about another question regarding html db? how to populate one text field automatically based on the value entered in another text field on the page? In forms i can put code in pl/sql editor as
If :text1:='SCOTT' then :text2:='1732' ...
So how to trigger a code on items in html db? where should i code such condition?
Thank you


Tom Kyte
January 04, 2006 - 8:49 am UTC

that sounds like "user written javascript" to me perhaps.

OS_USER; credential or envvar?

Mark Brady, March 01, 2012 - 10:10 am UTC

Tom,

Should the OS_USER be considered a credential or an environment variable? From what I've seen from security analysis, OS_USER is a value passed from the client and can be set to any value. To me, this sounds like the purpose is for some auditing or such but NOT for security.

This is my advice to some colleagues here. Their next question was, is this still a vulnerability in 11g. To which I replied, It's not a vulnerability, it's by design.

Do you find fault with my statements?
Tom Kyte
March 01, 2012 - 1:34 pm UTC

the OS_USER is pushed by the client. It is good for auditing.

Finding Original OSUser

Shimmy, September 18, 2015 - 1:45 pm UTC

I am log on to Linux using my userid and then su to another user. This user then runs
sqlplus /
When I execute
select sys_context( 'userenv', 'os_user' ) from dual;
It's giving me the su user.
In Linux, if I run logname, I do see my username.
Is there a way to find the original username/id from sqlplus?
Chris Saxon
September 18, 2015 - 11:47 pm UTC

I dont think this is possible, because once you make a database connection, its a new process, running as that of the database owner. It's not as if we are still in the shell you created.

Gotcha

A reader, March 02, 2018 - 12:52 pm UTC

This ist exactly what i was looking for.
Works like a charm.
Big thanks :)

SYS_CONTEXT ('USERENV', 'OS_USER');

sanket, June 29, 2018 - 2:27 pm UTC

I have a very simple javascript code in oracle procedure which us used for fetching the Username for Active Directory as my application don't have any user interface.

htp.p('function disp_alert()');
htp.p('{');
htp.p('var WinNetwork = new ActiveXObject("WScript.Network")');
htp.p(' WinNetwork = WinNetwork.UserName');
htp.p('alert(WinNetwork)');
htp.p('}');
It throws exception ActiveXObject creation error: Automation server can't create object

I tried changing browser setting script ActiveX controls marked safe for scripting to enable and it worked.

But in my case the application is accessed by users in client network and we can't tweak security settings as its security breach.

We have 3 tier architecture OHS- Weblogic- Application Server with SYS_CONTEXT ('USERENV', 'OS_USER') control got pass to Schema user..Could you please advise, how to achieve Client userid who hit the application url ??
Connor McDonald
June 30, 2018 - 7:36 am UTC

There's a good reason why most framework do not allow to grab information about the client...its a big security risk, hence the reason most of these things are blocked by browsers.

The better option (in my opinion) is single sign on, so people login to your application with their windows credentials, and hence you now have the username directly in your application

Fetching user name from AD.

sanket, July 12, 2018 - 6:58 am UTC

Ref. to above my application is Open application, Anyone in a domain Network can access it and don't have user interface. So their is no authentication as such. The motive is got the Lan User id from AD of user hit the application url. Application all page html coding is done at Oracle Package and procedure level.When user hit the url its invokes the Oracle Package and load html content from the package (and this time control passes to Su user).

Application Architecture

Browser - > OHS -> Application Servier (Sun Solaris) - >DB server

Could you please guide how SSO will help in this case or any Other alternative how to fetch the AD userid details and store in DB.?

Connor McDonald
July 12, 2018 - 10:13 am UTC

"So there is no authentication as such."

but you want to track who is using the application. That strikes me as being a contradiction.

Anyway, a friend Niels did a nice set of slides on SSO for Apex applications, which gives a good starting point on SSO via http and the like.

https://www.slideshare.net/nielsdb/single-signon-for-apex-apps


more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

PL/SQL demos

Check out more PL/SQL tutorials on our LiveSQL tool.

PL/SQL docs

PL/SQL reference manual from the Oracle documentation library