Skip to Main Content
  • Questions

  • Restricting Production access while granting Read-only Access to Replica DB (Data guard)

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, raj.

Asked: August 22, 2017 - 4:23 am UTC

Last updated: September 07, 2017 - 2:45 am UTC

Version: 11g

Viewed 1000+ times

You Asked

Hello Experts,

We replicate our critical Production Databases using Data guard, which implies that all the security user roles are as well replicated in both the environments. As such what techniques one can follow to GRANT READ ONLY Access to Replica Database, while restricting access to Production Database, if the same user (who has access to replica) tries to login to production?


Thx


and Connor said...

I've done this in the past using login triggers and probing V$DATABASE.DATABASE_ROLE (or whatever attributes that make sense for you).

So a given user might have two roles: "PRODUCTION_ACCESS" (with limited privs) and "STANDBY_ACCESS" (with greater privs), but only the PRODUCTION_ACCESS role is set to be on by default, and STANDBY_ACCESS is protected with a password.

Then the login trigger decides whether it should activate the STANDBY_ACCESS security role based on the current mode of the database.

Others welcome to add their experiences.

Rating

  (5 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

sunny aleti, August 23, 2017 - 5:21 am UTC

Thank you. Can you please elaborate more on this? With data gurd whatever trigger we create in production Db also get replicated into replica (standby DB), so how do we differentiate different login types? We do not want any access to production for a user, while granting read only access to standby DB

Thx
Connor McDonald
August 23, 2017 - 6:53 am UTC

Yes, the SAME trigger exists in BOTH databases. For example

SQL> create or replace
  2  trigger LOGIN_CHECK
  3  after logon on database
  4  declare
  5    v_mode varchar2(30);
  6  begin
  7    select database_role
  8    into   v_mode
  9    from   v$database;
 10
 11    if v_mode = 'PRIMARY' then
 12        raise_application_error(-20000,'NO YOU CANNOT USE THIS ACCOUNT ON PRODUCTION');
 13    elsif v_mode = 'PHYSICAL STANDBY' then
 14        --
 15        -- any particular code I want to run when in standby mode
 16        --
 17        null;
 18    end if;
 19  end;
 20  /

Trigger created.

SQL> conn scott/tiger
ERROR:
ORA-04088: error during execution of trigger 'MCDONAC.LOGIN_CHECK'
ORA-00604: error occurred at recursive SQL level 1
ORA-20000: NO YOU CANNOT USE THIS ACCOUNT ON PRODUCTION
ORA-06512: at line 9


Warning: You are no longer connected to ORACLE.


sunny aleti, August 23, 2017 - 5:40 pm UTC

Thank you.

sunny aleti, August 23, 2017 - 5:43 pm UTC

Lastly, would this trigger create any performance issues (login latency) for other application logins? Do you foresee any drawbacks to this solution. I just want to make sure I'm prepared for any push packs from application support management
Connor McDonald
August 24, 2017 - 1:01 am UTC

Obviously depends how much logic you add to this trigger, but if you have an application that logs in so frequently that a login trigger causes problems, then you have a bigger root cause to investigate...ie, the volume of logins

how do we differentiating users in both DB's

sunny aleti, September 06, 2017 - 9:54 pm UTC

Sorry to comeback to this again. Can you please help me understand how are differentiating users in both DB's (Primary and standby)?

With the above logic I see that the trigger would restrict all users not just those on the standby database, since in the replication environment we have to grant access to objects on the primary database
Connor McDonald
September 07, 2017 - 2:25 am UTC

You have two database security roles:

ROLE1 - basic connect privileges only

create role role1;
grant connect to role1;

ROLE2 - read only on all appropriate tables

create role role2 identified by my_secret_password;
grant select on [tables] to role2;

Each user gets:

grant role1, role2 to U;
alter user U default role role1;

So by default, they have basic connect privs. If they want more, they need to know the password for role2 (which they dont).

You login trigger does:

if [i am the standby] then
execute immediate 'set role role2 identified by my_secret_password';
end if;

sunny aleti, September 07, 2017 - 2:31 am UTC

Thank you.

So how do we deal with power/admin users and process accounts that are OK to have full access to Primary DB?
Connor McDonald
September 07, 2017 - 2:45 am UTC

You just adjust what is in role1 for them, or have multiple roles.

*You* have total flexibility here.
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

Administration

Need more information on Administration? Check out the Administrators guide for the Oracle Database