Thanks for the question, Kyle.

Asked: April 19, 2016 - 2:47 pm UTC

Last updated: May 05, 2016 - 2:57 pm UTC

Version: 11.2.0.4

Viewed 1000+ times

You Asked

I want to prevent users from running the "ALTER SYSTEM SET" command, but other "ALTER SYSTEM" commands are okay to run (i.e. ALTER SYSTEM SWITCH LOGFILE, etc.). I tried creating a trigger to do this, but it does not capture "ALTER SYSTEM SET" commands. Is there a way to prevent users (SYS, SYSTEM, USERNAME etc.) from running "ALTER SYSTEM SET" commands with a trigger?

Below is the code that I used.

CREATE OR REPLACE TRIGGER TEST_TRIGGER BEFORE ALTER ON DATABASE WHEN (USER IN ('SYS','ORACLE','SYSTEM') )
DECLARE
PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
CASE ora_sysevent
WHEN 'ALTER SYSTEM SET' THEN
dbms_output.put_line('hello');
ELSE
NULL;
END CASE;
END TEST_TRIGGER;
/

and Chris said...

I believe you're out of luck. Alter triggers only fire when:

Causes the database to fire the trigger whenever an ALTER statement modifies a database object in the data dictionary. An ALTER DATABASE statement does not fire the trigger.

http://docs.oracle.com/cd/E11882_01/appdev.112/e25519/create_trigger.htm#CIHGCJHC

"Alter system" isn't a database object. So the trigger isn't activated.

Rating

(3 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Kyle Karus, April 19, 2016 - 4:20 pm UTC

A reader, April 19, 2016 - 4:35 pm UTC

Thank you for the quick response, appreciate it! Is there a way for us to prevent users from running "ALTER SYSTEM SET" without a trigger? Thanks!

April 19, 2016 - 4:57 pm UTC

Don't grant "ALTER SYSTEM"!

I'm not aware of a way to allow "alter system" but not "alter system set". In any case, SYS is a special user which doesn't follow all the rules of normal users. So I think you're out of luck here.

What about a Procedure

hugo, May 05, 2016 - 2:38 pm UTC

I'm not sure if this applies to your case or not, but you can always create a procedure(s) with the necessary command(s) and then grant execute to the users that should be able to use those commands.

Example using the parameter "job_queue_processes":
Initial state:

SQL> show parameter job

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
job_queue_processes                  integer     1000

AND as the "target" User:

SQL> alter system set job_queue_processes=20 scope=both;
alter system set job_queue_processes=20 scope=both
*
ERROR at line 1:
ORA-01031: insufficient privileges

Create procedure as sys:

SQL> CREATE OR REPLACE PROCEDURE setT
  2  IS
  3  BEGIN
  4    EXECUTE IMMEDIATE 'alter system set job_queue_processes=10 scope=both';
  5  END;
  6  /

Grant execute to user:

SQL> grant execute on setT to XXX;

Grant succeeded.

As user XXX, execute the procedure:

SQL> exec sys.setT;

PL/SQL procedure successfully completed.

Check the value;

SQL> show parameter job

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
job_queue_processes                  integer     10

Done:

Check direct execution as user XXX:

SQL> alter system set job_queue_processes=20 scope=both;
alter system set job_queue_processes=20 scope=both
*
ERROR at line 1:
ORA-01031: insufficient privileges

May 05, 2016 - 2:57 pm UTC

Yes, providing procedures with the allowed commands is one way to do this.

More to Explore

PL/SQL demos

Check out more PL/SQL tutorials on our LiveSQL tool.

PL/SQL docs

PL/SQL reference manual from the Oracle documentation library

Breadcrumb

Question and Answer

You Asked

and Chris said...

Rating

Comments

What about a Procedure

More to Explore

PL/SQL demos

PL/SQL docs

Trigger to Prevent Users From Running "ALTER SYSTEM SET" Commands

Breadcrumb

Question and Answer

You Asked

and Chris said...

Rating

Comments

What about a Procedure

More to Explore

PL/SQL demos

PL/SQL docs