I built something like this recently for an application where every
application user has a database account. I can’t say I miss all the “THE
DATABASE FORGOT MY PASSWORD” tickets.
The owner of the procedure needs ALTER USER. The ALTER SESSION is not
necessary. But there’s a lot more to this, such as control over what
username is passed (or people will be able to reset passwords of others,
which is bad).
Depending on whether you have a rule that says “ALL DB USERS HAVE THE SAME
USERID AS THEIR AD ACCOUNT,” you may need a lookup table to translate AD
user to DB user. Then your P_USERNAME is used to lookup the database
username, which is then substituted in your ALTER USER statement. Probably
wand double quotes surrounding the username and password just in case.
EXECUTE IMMEDIATE 'ALTER USER "'||p_username||'" IDENTIFIED BY "'
||p_password||'" ACCOUNT UNLOCK';
Write packages, not independent functions/procedures.
Your WHEN OTHERS is not great. It’s useful when you’re running it via
interactive SQL session, but the GUI most likely can’t pick up on
DBMS_OUTPUT(). It’ll be better to just let any exceptions that you don’t
anticipate raise naturally.
HTH,
T. J.
*Sent:* Wednesday, November 28, 2018 12:56 PM
*Subject:* Re: Errors executing password change procedure
Users already have the ability to change their passwords, assuming they
can actually login. The problem, according to the project owner, arises
when they don't know their current password, it has expired, or they locked
their account. They want a GUI that end_users can access to change their
password in any situation. I'm told it will have checks in place to ensure
they can change only their own password. Opening a ticket with the DBA
team is too difficult and time consuming. Project owner's words, not mine.
That's what I thought was wanted, so the user running it could change
their own password. Maybe I misread somewhere along the line.
Scott Canaan ‘88
Sr Database Administrator
Information & Technology Services
Finance & Administration
Rochester Institute of Technology
o: (585) 475-7886 | f: (585) 475-7520
CONFIDENTIALITY NOTE: The information transmitted, including attachments,
is intended only for the person(s) or entity to which it is addressed and
may contain confidential and/or privileged material. Any review,
retransmission, dissemination or other use of, or taking of any action in
reliance upon this information by persons or entities other than the
intended recipient is prohibited. If you received this in error, please
contact the sender and destroy any copies of this information.
-----Original Message-----
Sent: Wednesday, November 28, 2018 1:39 PM
To: Scott Canaan
Subject: Re: Errors executing password change procedure
That will run using the roles of the person who calls it, not the
roles of the user that owns it. :)
procedure line?
attachments, is intended only for the person(s) or entity to which it is
addressed and may contain confidential and/or privileged material. Any
review, retransmission, dissemination or other use of, or taking of any
action in reliance upon this information by persons or entities other than
the intended recipient is prohibited. If you received this in error, please
contact the sender and destroy any copies of this information.
user privileges" since I can do it from command line in the database.
create the procedure as owned by a privileged user and grant execute of the
procedure as required.
if expired and/or account is locked. Per the requirements, I have created
the new user (not allowed DBA privs) that will connect through a GUI and
execute a password change procedure in another schema that has the
necessary privileges. This new user has been granted execute privileges on
the procedure. However, I'm getting an "ORA-01031: insufficient privileges"
error when I try to execute the procedure as the new user.
tweak it to meet our requirements. Any help would be greatly appreciated. I
did grant "alter user" to the new user, but I'm not sure I really need that
and it didn't make a difference to the error.
||p_password||' ACCOUNT UNLOCK';
--
Sandy B.
<http://gfidisc.castiarx.com>
CONFIDENTIALITY NOTICE: This message may contain confidential information,
including Protected Health Information as defined under the Health
Insurance Portability and Accountability Act of 1996, intended only for the
use of the individual or entity identified above. If the receiver of this
message is not the intended recipient, you are hereby notified that any
dissemination, distribution, use or copying of this message is strictly
prohibited. If you have received this message in error, please immediately
notify the sender by replying to his/her e-mail address noted above and
delete the original message, including any attachments. Thank you.
<http://gfidisc.castiarx.com>

I built something like this recently for an application where every
application user has a database account. I can’t say I miss all the “THE
DATABASE FORGOT MY PASSWORD” tickets.
The owner of the procedure needs ALTER USER. The ALTER SESSION is not
necessary. But there’s a lot more to this, such as control over what
username is passed (or people will be able to reset passwords of others,
which is bad).
Depending on whether you have a rule that says “ALL DB USERS HAVE THE SAME
USERID AS THEIR AD ACCOUNT,” you may need a lookup table to translate AD
user to DB user. Then your P_USERNAME is used to lookup the database
username, which is then substituted in your ALTER USER statement. Probably
wand double quotes surrounding the username and password just in case.
EXECUTE IMMEDIATE 'ALTER USER "'||p_username||'" IDENTIFIED BY "'
||p_password||'" ACCOUNT UNLOCK';
Write packages, not independent functions/procedures.
Your WHEN OTHERS is not great. It’s useful when you’re running it via
interactive SQL session, but the GUI most likely can’t pick up on
DBMS_OUTPUT(). It’ll be better to just let any exceptions that you don’t
anticipate raise naturally.
HTH,
T. J.
*Sent:* Wednesday, November 28, 2018 12:56 PM
*Subject:* Re: Errors executing password change procedure
Users already have the ability to change their passwords, assuming they
can actually login. The problem, according to the project owner, arises
when they don't know their current password, it has expired, or they locked
their account. They want a GUI that end_users can access to change their
password in any situation. I'm told it will have checks in place to ensure
they can change only their own password. Opening a ticket with the DBA
team is too difficult and time consuming. Project owner's words, not mine.
That's what I thought was wanted, so the user running it could change
their own password. Maybe I misread somewhere along the line.
Scott Canaan ‘88
Sr Database Administrator
Information & Technology Services
Finance & Administration
Rochester Institute of Technology
o: (585) 475-7886 | f: (585) 475-7520
CONFIDENTIALITY NOTE: The information transmitted, including attachments,
is intended only for the person(s) or entity to which it is addressed and
may contain confidential and/or privileged material. Any review,
retransmission, dissemination or other use of, or taking of any action in
reliance upon this information by persons or entities other than the
intended recipient is prohibited. If you received this in error, please
contact the sender and destroy any copies of this information.
-----Original Message-----
Sent: Wednesday, November 28, 2018 1:39 PM
To: Scott Canaan
Subject: Re: Errors executing password change procedure
That will run using the roles of the person who calls it, not the
roles of the user that owns it. :)
procedure line?
attachments, is intended only for the person(s) or entity to which it is
addressed and may contain confidential and/or privileged material. Any
review, retransmission, dissemination or other use of, or taking of any
action in reliance upon this information by persons or entities other than
the intended recipient is prohibited. If you received this in error, please
contact the sender and destroy any copies of this information.
user privileges" since I can do it from command line in the database.
create the procedure as owned by a privileged user and grant execute of the
procedure as required.
if expired and/or account is locked. Per the requirements, I have created
the new user (not allowed DBA privs) that will connect through a GUI and
execute a password change procedure in another schema that has the
necessary privileges. This new user has been granted execute privileges on
the procedure. However, I'm getting an "ORA-01031: insufficient privileges"
error when I try to execute the procedure as the new user.
tweak it to meet our requirements. Any help would be greatly appreciated. I
did grant "alter user" to the new user, but I'm not sure I really need that
and it didn't make a difference to the error.
||p_password||' ACCOUNT UNLOCK';
--
Sandy B.
<http://gfidisc.castiarx.com>
CONFIDENTIALITY NOTICE: This message may contain confidential information,
including Protected Health Information as defined under the Health
Insurance Portability and Accountability Act of 1996, intended only for the
use of the individual or entity identified above. If the receiver of this
message is not the intended recipient, you are hereby notified that any
dissemination, distribution, use or copying of this message is strictly
prohibited. If you have received this message in error, please immediately
notify the sender by replying to his/her e-mail address noted above and
delete the original message, including any attachments. Thank you.
<http://gfidisc.castiarx.com>