Skip to Main Content
  • Questions

  • Get Authenticated_User with only SID

Breadcrumb

Question and Answer

Tom Kyte

Thanks for the question, Peter.

Asked: February 01, 2011 - 11:52 am UTC

Last updated: December 18, 2012 - 1:16 pm UTC

Version: 11.1.0.7.0

Viewed 1000+ times

You Asked

I need some assistance.

We are currently using proxy authentication with BI Publisher (Reporting tool) to display reports to end users.
When looking through Enterprise manager (with DBA privileges) we can identify the SID executing a SQL report, but are unable to specifically identify the end user executing a particular SQL report.

How does a dba obtain the authenticated identify with only a SID?

Using the v$session table we only see the proxy user name in the USERNAME column.
-> select SID, USERNAME from v$session where audsid=sys_context('userenv','SESSIONID');
--> Gives SID = 1234; USERNAME = "Proxy"

We need to see something like SYS_CONTEXT ('USERENV','AUTHENTICATED_IDENTITY').
-> select SYS_CONTEXT ('USERENV','AUTHENTICATED_IDENTITY') from dual;
--> Gives "Peter"

The Sys_context functionality contains all the information I need.
Is there a way to join from the v$session to the "Sys_Context" information and get all of the additional Sys_context information that is not available in v$session table?

And/or is there a configuration within enterprise manager to show the authenticated identity information?

Thanks for you help
Peter

and Tom said...

sys_context is private to a session, sys_context retrieves "session" things - not things across sessions.

If you "audit connect" - then you can join to dba_audit_trail and you'll see something like:

SQL> select p.username proxy,
  2         u.username uname,
  3             u.sessionid,
  4         u.proxy_sessionid
  5    from dba_audit_trail u, dba_audit_trail p
  6   where u.proxy_sessionid = p.sessionid
  7     and p.action_name = 'PROXY AUTHENTICATION ONLY'
  8  /

PROXY     UNAME  SESSIONID PROXY_SESSIONID
--------- ----- ---------- ---------------
A         SCOTT    1831304         1831303
A         SCOTT    1831304         1831303
OPS$TKYTE SCOTT    1831313         1831312

3 rows selected.


that shows that scott was proxy'ed into using A and OPS$TKYTE - like:


connect ops$tkyte[scott]/foobar;

Rating

  (2 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

An alternate option

A reader, February 15, 2011 - 8:34 am UTC

In Enterprine Manager, click on the SID. This will bring up the "Session Details" page. Select the "General" link. Under "Client" section, there are details on who the user is, which terminal the user is logged in from and lot of other useful information about what that SID is doing.

Tom Kyte
February 15, 2011 - 8:43 am UTC

I don't have EM in front of me right now - does it show the connect proxy user information?

Using TOAD no 'PROXY AUTHENTICATION ONLY'

Apps Dba, December 18, 2012 - 5:44 am UTC

Hi Tom,

First post but many reads ... of books, magazine and asktom, due to the excellent information and the quantifiable approach to everything.

I came open this post when investigating an idea we have to use proxy users to give audited access to the main database application user (APPS for EBS) to some people from the development teams: conn DEVGUY[APPS]. And also to prevent them from needing to know the password.

When testing with connections from TOAD I note that there are two connections set up but none of them has the ACTION_NAME "PROXY AUTHENTICATION ONLY" unlike the case for SQL*Plus. Any idea why this may be the case?

For extracting audit information I don't think this matters since I can always use just the join on PROXY_SESSIONID and SESSIONID to distinguish proxied actions for a given user (developer).

Thanks.

Tom Kyte
December 18, 2012 - 1:16 pm UTC

... Any idea why this may be the case? ...

ask quest maybe? we don't do toad....
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's channel and Chris's channel from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.