User Profiles  «Prev  Next»

Lesson 2 The product profile explained
Objective Explain how the product profile works

Product Profile Explained

Explain how the product profile works in SQL*Plus?
In SQLPlus, the product profile is a powerful feature that enables administrators to control user access to specific SQLPlus, SQL, and PL/SQL commands and options. This granular control allows organizations to maintain a higher level of security and compliance by restricting users' capabilities according to their roles and responsibilities. The product profile is particularly useful in multi-user environments, where it is essential to prevent unauthorized actions or access to sensitive data. The product profile functionality is implemented using the PRODUCT_USER_PROFILE table, which is part of the Oracle Database. This table stores the information about the restrictions on various commands and options for different users. The table contains the following columns:
  1. PRODUCT: The name of the Oracle product (e.g., 'SQL*Plus').
  2. USERID: The username of the user for whom the restriction is set.
  3. ATTRIBUTE: The command, option, or PL/SQL package that is being restricted.
  4. SCOPE: A qualifier to further define the restriction, which is usually NULL for SQL*Plus.
  5. NUMERIC_VALUE: Numeric value associated with the restriction.
  6. CHAR_VALUE: Character value associated with the restriction.

To set up restrictions for a specific user, the administrator must insert appropriate records into the PRODUCT_USER_PROFILE table. For example, to restrict a user named 'JOHN_DOE' from executing the DROP TABLE command, the administrator would insert the following record: 
INSERT INTO PRODUCT_USER_PROFILE
  (PRODUCT, USERID, ATTRIBUTE, SCOPE, NUMERIC_VALUE, CHAR_VALUE)
VALUES
  ('SQL*Plus', 'JOHN_DOE', 'DROP', NULL, NULL, 'DISABLED');

Once this record is added, the user 'JOHN_DOE' will not be able to execute the DROP TABLE command in SQL*Plus. To remove the restriction, the corresponding record must be deleted from the PRODUCT_USER_PROFILE table.
It is essential to note that the product profile in SQLPlus only affects the SQLPlus environment. Users can still access restricted commands or options through other interfaces, such as SQL Developer or other third-party tools, unless similar restrictions are implemented in those interfaces as well. As a result, it is crucial to apply comprehensive security measures across all database access points in addition to using the SQL*Plus product profile.
SQL*Plus is the utility that gives Oracle users the ability to interact directly with the Oracle database. There will be times when you want to give all kinds of users the ability to use SQL*Plus for ad hoc access to the database. However, many users may typically be accessing your Oracle database through an application system, which imposes its own constraints on their actions and unrestrained or uninhibited access can create problems.
For instance, you may allow a user to delete data in a table only when a certain set of application-specific conditions is met. If the same user has access to SQL*Plus, he or she can simply execute a DELETE command outside of the boundaries of the application. The product profile gives you the ability to limit access specifically to some of the capabilities available through SQL*Plus.

Product profiles Implementation

Product profiles are implemented through a table in the Oracle database called PRODUCT_PROFILE in the SYSTEM schema. Note: This table used to be called PRODUCT_USER_PROFILE, and a synonym by that name is created when the table is created for compatibility.
PRODUCT_PROFILE contains a number of columns, but the only ones of real relevance to you are the following:
  1. PRODUCT-This column contains the value SQL*Plus.
  2. USER_ID-This column contains the user ID that will be affected by the limitation.
  3. ATTRIBUTE-This column can contain either the name of a particular command that will be disabled or the keyword ROLES, which indicates that a role is to be disabled.
  4. CHAR_VALUE-This column contains either the keyword DISABLED for a command or the name of a role.

You control access for SQL*Plus by using simple INSERT statements that insert data into these columns. Because the table is owned by SYSTEM, you should be logged on as SYSTEM when you execute these statements.
If the PRODUCT_PROFILE table does not exist, you will have to create it, as explained in this sidebar.
In the next lesson, you will learn how to impose restrictions on the use of a command.