Merged
Changes from 5 commits
22 changes: 21 additions & 1 deletion schema/src/buildCWMS_DB.sql
Expand Up @@ -199,7 +199,27 @@ begin
end;
/
@@cwms/User-Roles/web_user_role_grants.sql
alter session set current_schema = &builduser

-- Grant select on tables to normal users.

begin
for rec in (select object_name
from dba_objects
where owner = '&cwms_schema'
and object_type = 'TABLE'
and (instr(object_name, 'AT_') = 1 or instr(object_name, 'CWMS_') = 1)
and instr(object_name, 'AT_SEC_') = 0
and object_name != 'AT_API_KEYS'
order by 1
)
loop
execute immediate 'grant select on '||rec.object_name||' to cwms_user';
end loop;
end;
/


alter session set current_schema = &builduser;

-- create CWMS service user
begin execute immediate 'create user ' || cwms_sec.cac_service_user || ' PROFILE CWMS_PROF IDENTIFIED BY "FEDCBA9876543210" '; end;
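Review bot: The exclusion rule at lines 37–39 is a denylist, so any table added later that holds sensitive data but does not carry the `AT_SEC_` prefix is granted to every `cwms_user` automatically — `AT_API_KEYS` already needed a one-off exception, which is that failure mode in miniature. Consider adding a comment stating the rule so future table authors know to use the prefix or extend the list: `-- Tables holding credentials, sessions or key material (AT_SEC_*, AT_API_KEYS) must never be granted to cwms_user; add any new sensitive table here.` Separately, the object list is filtered on owner `'&cwms_schema'` but the grant itself is unqualified and resolves against the `current_schema = &builduser` set on the preceding line; if those two names can ever differ, qualify the grant, e.g. `execute immediate 'grant select on ' || dbms_assert.enquote_name('&cwms_schema') || '.' || dbms_assert.enquote_name(rec.object_name) || ' to cwms_user';`, which also guards the concatenated identifier. Whether the two substitution variables are always equal is not visible here.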
44 changes: 44 additions & 0 deletions schema/src/test/test_aaa_normaluserfails.sql
Expand Up @@ -8,6 +8,9 @@ AS
-- %test(Normal user cannot arbitrarily set user context)
-- %throws(-20998)
procedure cannot_set_context_users;

--%test(Normal user has no READ access to sensitive tables)
procedure no_read_access;
END;
/

Expand All @@ -32,5 +35,46 @@ AS
ut.expect(cwms_util.get_user_id()).not_to_equal(upper(l_other_user));
ut.fail('This should not have worked');
end;

procedure no_read_access is
c_owner constant varchar2(128) := '&&cwms_schema';
type t_table_list is table of varchar2(128);
c_tables constant t_table_list := t_table_list(
'AT_API_KEYS',
'AT_SEC_ALLOW',
'AT_SEC_CWMS_USERS',
'AT_SEC_LOCKED_USERS',
'AT_SEC_SERVICE_USER',
'AT_SEC_SESSION',
'AT_SEC_TS_GROUPS',
'AT_SEC_TS_GROUP_MASKS',
'AT_SEC_USERS',
'AT_SEC_USER_GROUPS',
'AT_SEC_USER_OFFICE'
);

l_cnt number;
begin
for i in 1 .. c_tables.count loop
select count(*)
into l_cnt
from all_tab_privs p
where p.table_schema = c_owner
and p.table_name = c_tables(i)
and p.privilege = 'SELECT'
and (
p.grantee = user
or p.grantee = 'PUBLIC'
or p.grantee in (select granted_role from user_role_privs)
);

if l_cnt <> 0 then
ut.fail(
'Expected no SELECT on ' || c_owner || '.' || c_tables(i) ||
' for user=' || user || '. Found count=' || l_cnt
);
end if;
end loop;
end;
END;
/
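Review bot: The role check at line 100 uses `user_role_privs`, which lists only roles granted directly to the user, so a SELECT granted to a role that reaches the user through another role would not be counted and the test would pass; `session_roles` covers nested enabled roles: `or p.grantee in (select role from session_roles)`. The test name says READ access but line 96 matches only `SELECT`; Oracle's `READ` object privilege also permits querying, so use `and p.privilege in ('SELECT', 'READ')`. A catalog check also cannot see system privileges such as SELECT ANY TABLE; a direct `select count(*) from <owner>.<table>` inside each iteration, expecting ORA-00942 or ORA-01031, would assert the actual access decision rather than the grant metadata. The table list is hard-coded while the build script derives its exclusions from a name pattern, so the two can drift — worth a comment noting it must be kept in step with the `AT_SEC_`/`AT_API_KEYS` rule in buildCWMS_DB.sql.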