I am currently looking for a more fine-grained approach to the user management within an Oracle 11g Release 2 (soon to be 12.1.0.2) Database:
There is an idea to give some users the permission to manage some aspects of a user account such as:
- Change the password of a user
- Expire a password
- Lock or unlock an account
However, it is explicitly not wanted that the pre-selected profile is changed as it also contains a password validation procedure .
When granting 'ALTER USER' it is possible to make that change :
SYS@TEST > create user dummy identified by dummy account unlock;
User created.
SYS@TEST > grant connect, resource, alter user to dummy;
Grant succeeded.
SYS@TEST > connect dummy/dummy
Connected.
DUMMY@TEST > alter user scott profile default;
User altered.
That is excatly what is not intended to happen (but of course working as designed) .
The only idea so far is to create a function that is owned by a privileged account that allows just the
operations that are to be permitted and then grant execution rights to the users allowed to make the changes.
This would have the charm to allow to perform a filtering of the ID's the changes are to be permitted for
but still something out of the box would be better for maintenance and Migration reasons.
The same happened in the Enterprise Manager Cloud Control (all or nothing).
Is there any other way to achieve something like this?