Is Your Application SmartDB?

Question 1

Query to check SmartDB property 2

Answer

Check SmartDB property 2: query (>=12.1)

WITH
   -- roles as recursive structure
   role_base AS (
      -- roles without parent (=roots)
      SELECT r.role, NULL AS parent_role
        FROM dba_roles r
       WHERE r.role NOT IN (
                SELECT p.granted_role
                  FROM role_role_privs p
             )
      UNION ALL
      -- roles with parent (=children)
      SELECT granted_role AS role, role AS parent_role
        FROM role_role_privs
   ),
   -- roles tree, calculate role_path for every hierarchy level
   role_tree AS (
      SELECT role,
             parent_role,
             sys_connect_by_path(ROLE, '/') AS role_path
        FROM role_base
      CONNECT BY PRIOR role = parent_role
   ),
   -- roles graph, child added to all ancestors including self
   -- allows simple join to parent_role to find all descendants
   role_graph AS (
      SELECT DISTINCT
             role,
             regexp_substr(role_path, '(/)(\w+)', 1, 1, 'i', 2) AS parent_role
        FROM role_tree
   ),
   -- application users in scope of the analysis
   -- other users are treated as if they were not installed
   app_user AS (
      SELECT username
        FROM dba_users
       WHERE oracle_maintained = 'N' -- SYS, SYSTEM, SYSAUX, ...
         AND username NOT IN ('FTLDB', 'PLSCOPE', 'UT3')
   ),
   -- user system privileges
   sys_priv AS (
      -- system privileges granted directly to users
      SELECT u.username, p.privilege
        FROM dba_sys_privs p
        JOIN app_user u ON u.username = p.grantee
      UNION
      -- system privileges granted directly to PUBLIC
      SELECT u.username, p.privilege
        FROM dba_sys_privs p
       CROSS JOIN app_user u
       WHERE p.grantee = 'PUBLIC'
         AND p.privilege NOT IN (
                SELECT r.role
                  FROM dba_roles r
             )
      UNION
      -- system privileges granted to users via roles
      SELECT u.username, p.privilege
        FROM dba_role_privs r
        JOIN app_user u ON u.username = r.grantee
        JOIN role_graph g ON g.parent_role = r.granted_role
        JOIN dba_sys_privs p ON p.grantee = g.role
      UNION
      -- system privileges granted to PUBLIC via roles
      SELECT u.username, p.privilege
        FROM dba_role_privs r
        JOIN role_graph g ON g.parent_role = r.granted_role
        JOIN dba_sys_privs p ON p.grantee = g.role
        CROSS JOIN app_user u
       WHERE r.grantee = 'PUBLIC'
   ),
   -- user object privileges
   obj_priv AS (
      -- objects granted directly to users
      SELECT u.username, p.owner, p.type AS object_type, p.table_name AS object_name
        FROM dba_tab_privs p
        JOIN app_user u ON u.username = p.grantee
       WHERE p.owner IN (
                SELECT u2.username
                  FROM app_user u2
             )
      UNION
      -- objects granted to users via roles
      SELECT u.username, p.owner, p.type AS object_type, p.table_name AS object_name
        FROM dba_role_privs r
        JOIN app_user u ON u.username = r.grantee
        JOIN role_graph g ON g.parent_role = r.granted_role
        JOIN dba_tab_privs p ON p.grantee = g.role
       WHERE p.owner IN (
                SELECT u2.username
                  FROM app_user u2
             )
      -- objects granted to PUBLIC
      UNION
      SELECT u.username, p.owner, p.type AS object_type, p.table_name AS object_name
        FROM dba_tab_privs p
       CROSS JOIN app_user u
       WHERE p.owner IN (
                SELECT u2.username
                  FROM app_user u2
             )
         AND p.grantee = 'PUBLIC'
   ),
   -- issues if user is configured in the connection pool of a middle tier
   issues AS (
      -- privileges not part of CONNECT role
      SELECT username,
             'SYS' AS owner,
             'PRIVILEGE' AS object_type,
             privilege AS object_name,
             'Privilege is not part of the CONNECT role' AS issue
        FROM sys_priv
       WHERE privilege NOT IN ('CREATE SESSION', 'SET CONTAINER')
      -- access to non PL/SQL units
      UNION ALL
      SELECT username,
             owner,
             object_type,
             object_name,
             'Access to non-PL/SQL unit'
        FROM obj_priv
       WHERE object_type NOT IN ('PACKAGE', 'TYPE', 'FUNCTION', 'PROCEDURE')
      -- own objects
      UNION ALL
      SELECT u.username,
             o.owner,
             o.object_type,
             o.object_name,
             'Connect user must not own any object'
        FROM app_user u
        JOIN dba_objects o ON o.owner = u.username
      -- missing CREATE SESSION privilege
      UNION ALL
      SELECT u.username,
             'SYS',
             'PRIVILEGE',
             'CREATE SESSION',
             'Privilege is missing, but required'
        FROM app_user u
       WHERE u.username NOT IN (
                SELECT username
                  FROM sys_priv
                 WHERE privilege = 'CREATE SESSION' 
             )
   ),
   -- aggregate issues per user
   issue_aggr AS (
      SELECT u.username, COUNT(i.username) issue_count
        FROM app_user u
        LEFT JOIN issues i ON i.username = u.username
       GROUP BY u.username
   ),
   -- user summary (calculate is_smartdb_property_2_met)
   summary AS (
      SELECT username,
             CASE
                WHEN issue_count = 0 THEN
                   'YES'
                ELSE
                   'NO'
             END AS is_smartdb_property_2_met,
             issue_count
        FROM issue_aggr
       ORDER BY is_smartdb_property_2_met DESC, username
   )
-- main
SELECT * 
  FROM summary
 WHERE issue_count = 0;

Question 2

Compile all application users with PL/Scope

Answer

Prepare check SmartDB property 3: compile with PL/Scope (>=12.2)

SET SERVEROUTPUT ON SIZE UNLIMITED
DECLARE
   PROCEDURE exec_sql (in_sql_stmt IN VARCHAR2) IS
   BEGIN
      dbms_output.put_line('executing: ' || in_sql_stmt);
      EXECUTE IMMEDIATE in_sql_stmt;
   END exec_sql;
   --
   PROCEDURE enable_plscope IS
   BEGIN
      exec_sql(q'[ALTER SESSION SET plscope_settings='IDENTIFIERS:ALL, STATEMENTS:ALL']');
   END enable_plscope;
   --
   PROCEDURE compile_private_synonyms(in_user IN VARCHAR2) IS
   BEGIN
      <<synonyms>>
      FOR r IN (
         SELECT synonym_name
           FROM dba_synonyms
          WHERE owner = in_user
      ) LOOP
         exec_sql('ALTER SYNONYM "' || in_user || '"."' || r.synonym_name || '" COMPILE');
      END LOOP synonyms;
   END compile_private_synonyms;
   --
   PROCEDURE compile_public_synonyms(in_user IN VARCHAR2) IS
   BEGIN
      FOR r IN (
         SELECT synonym_name
           FROM dba_synonyms
          WHERE owner = 'PUBLIC'
            AND table_owner = in_user
      ) LOOP
         exec_sql('ALTER PUBLIC SYNONYM "' || r.synonym_name || '" COMPILE');
      END LOOP public_synonyms;
   END compile_public_synonyms;
   --
   PROCEDURE compile_types(in_user IN VARCHAR2) IS
      e_has_table_deps EXCEPTION;
      e_is_not_udt     EXCEPTION;
      e_compile_error  EXCEPTION;
      PRAGMA exception_init(e_has_table_deps, -2311);
      PRAGMA exception_init(e_is_not_udt, -22307);
      PRAGMA exception_init(e_compile_error, -24344);
   BEGIN
      <<types>>
      FOR r IN (
         SELECT o.object_type, o.object_name, count(d.name) AS priority 
           FROM dba_objects o
           LEFT JOIN dba_dependencies d
             ON d.owner = o.owner
                AND d.type = o.object_type
                AND d.name = o.object_name
          WHERE o.owner = in_user
            AND o.object_type in ('TYPE', 'TYPE BODY')
          GROUP BY o.object_type, o.object_name
          ORDER BY priority
      ) LOOP
         <<compile_type>>
         BEGIN
             IF r.object_type = 'TYPE' THEN
                exec_sql('ALTER TYPE "' || in_user || '"."' || r.object_name || '" COMPILE');
             ELSE
                exec_sql('ALTER TYPE "' || in_user || '"."' || r.object_name || '" COMPILE BODY');
             END IF;
         EXCEPTION
            WHEN e_has_table_deps OR e_is_not_udt OR e_compile_error THEN
               NULL;
         END compile_type;
      END LOOP types;
   END compile_types;
   --
   PROCEDURE compile_schema(in_user IN VARCHAR2) IS
   BEGIN
      -- synonyms and types are not covered by dbms_utility.compile_schema
      compile_private_synonyms(in_user);
      compile_public_synonyms(in_user);
      compile_types(in_user);
      dbms_utility.compile_schema(
         schema         => in_user,
         compile_all    => TRUE,
         reuse_settings => FALSE
      );
   END compile_schema;
BEGIN
   enable_plscope;
   <<app_user>>
   FOR r IN (
      SELECT username
        FROM dba_users
       WHERE oracle_maintained = 'N' 
         AND username NOT IN ('FTLDB', 'PLSCOPE', 'UT3')      
   ) LOOP
      compile_schema(r.username);
   END LOOP app_user;
END;
/

Question 3

Query to check SmartDB property 3

Answer

Check SmartDB property 3: query (>=12.2)

WITH 
   -- calculate object dependencies recursively
   -- using PL/SQL to handle cycles (expected on object level)
   -- SQL variant using NOCYCLE did not work (runs forever)
   FUNCTION get_dep (
      in_xml IN XMLTYPE
   ) RETURN XMLTYPE IS
      l_deps     sys.ora_mining_varchar2_nt;
      l_result   XMLTYPE := XMLTYPE('<xml/>');
      l_element  XMLTYPE;
      --
      PROCEDURE add_child(
         io_deps  IN OUT sys.ora_mining_varchar2_nt,
         in_owner           IN VARCHAR2,
         in_type            IN VARCHAR2,
         in_name            IN VARCHAR2,
         in_has_dml         IN INTEGER,
         in_has_transaction IN INTEGER
      ) IS
      BEGIN
         io_deps.extend;
         io_deps(io_deps.count) := in_owner || '.' || in_type || '.' || in_name 
            || '.' || in_has_dml || '.' || in_has_transaction;         
      END add_child;
      --
      FUNCTION exists_child(
         in_deps            IN sys.ora_mining_varchar2_nt,
         in_owner           IN VARCHAR2,
         in_type            IN VARCHAR2,
         in_name            IN VARCHAR2,
         in_has_dml         IN INTEGER,
         in_has_transaction IN INTEGER
      ) RETURN BOOLEAN is
         l_found INTEGER;
      BEGIN
         SELECT COUNT(*)
           INTO l_found
           FROM table(in_deps)
          WHERE column_value = in_owner || '.' || in_type || '.' || in_name 
                   || '.' || in_has_dml || '.' || in_has_transaction
            AND rownum = 1;
         RETURN l_found > 0;
      END exists_child;
      --
      PROCEDURE add_children(
         io_deps  IN OUT sys.ora_mining_varchar2_nt,
         in_xml   IN     XMLTYPE,
         in_owner IN     VARCHAR2,
         in_type  IN     VARCHAR2,
         in_name  IN     VARCHAR2
      ) IS
      BEGIN
         FOR r IN (
            SELECT owner, type, name, has_dml, has_transaction
              FROM XMLTABLE(
                      'xml/row/value/dependency[../../key/owner=$owner and ../../key/type=$type and ../../key/name=$name]'
                      PASSING in_xml, in_owner AS "owner", in_type AS "type", in_name AS "name"
                      COLUMNS owner           VARCHAR2(128) PATH 'referenced_owner',
                              type            VARCHAR2(128) PATH 'referenced_type',
                              name            VARCHAR2(128) PATH 'referenced_name',
                              has_dml         INTEGER       PATH 'referenced_has_dml',
                              has_transaction INTEGER       PATH 'referenced_has_transaction'
                   )
         ) LOOP
            IF NOT exists_child(io_deps, r.owner, r.type, r.name, r.has_dml, r.has_transaction) THEN
               add_child(io_deps, r.owner, r.type, r.name, r.has_dml, r.has_transaction);
               add_children(io_deps, in_xml, r.owner, r.type, r.name);
            END IF;
         END LOOP;
      END add_children;
      ---
      FUNCTION get_fragment(
         in_deps  IN sys.ora_mining_varchar2_nt,
         in_owner IN VARCHAR2,
         in_type  IN VARCHAR2,
         in_name  IN VARCHAR2
      ) RETURN XMLTYPE IS
         l_xml XMLTYPE;
      BEGIN
         SELECT XMLELEMENT("xml",
                   XMLAGG(
                      XMLELEMENT("row",
                         XMLELEMENT("owner", in_owner),
                         XMLELEMENT("type", in_type),
                         XMLELEMENT("name", in_name),
                         XMLELEMENT("referenced_owner", regexp_substr(column_value, '[^\.]+', 1, 1)),
                         XMLELEMENT("referenced_type", regexp_substr(column_value, '[^\.]+', 1, 2)),
                         XMLELEMENT("referenced_name", regexp_substr(column_value, '[^\.]+', 1, 3)),
                         XMLELEMENT("referenced_has_dml", regexp_substr(column_value, '[^\.]+', 1, 4)),
                         XMLELEMENT("referenced_has_transaction", regexp_substr(column_value, '[^\.]+', 1, 5))
                      )
                   )
                )   
           INTO l_xml
           FROM table(in_deps);
          RETURN l_xml;
      END get_fragment;
      ---
      PROCEDURE add_to_result(
         io_result    IN OUT XMLTYPE,
         in_fragment  IN     XMLTYPE
      ) IS
      BEGIN
         SELECT xmlquery('
                   copy $i := $p1 modify
                   (
                      for $j in $i/xml 
                      return insert node $p2 into $j
                   )
                   return $i'
                   PASSING io_result AS "p1", in_fragment.extract('/xml/row') AS "p2"
                   RETURNING CONTENT
                )
           INTO io_result
           FROM dual;  
      END add_to_result;
   BEGIN
      FOR r IN (
         SELECT owner, type, name
           FROM XMLTABLE (
                   '/xml/row/key'
                   PASSING in_xml
                   COLUMNS owner VARCHAR2(128) PATH 'owner',
                           type  VARCHAR2(128) PATH 'type',
                           name  VARCHAR2(128) PATH 'name'                           
                )
      ) 
      LOOP
         l_deps := sys.ora_mining_varchar2_nt();
         add_children(l_deps, in_xml, r.owner, r.type, r.name);
         add_to_result(l_result, get_fragment(l_deps, r.owner, r.type, r.name));
      END LOOP;
      RETURN l_result;
   END get_dep;
   -- application users in scope of the analysis
   -- other users are treated as if they were not installed
   app_user AS (
      SELECT username
        FROM dba_users
       WHERE oracle_maintained = 'N' -- SYS, SYSTEM, SYSAUX, ...
         AND username NOT IN ('FTLDB', 'PLSCOPE', 'UT3')
   ),
   -- materialize relevant PL/Scope identifiers to avoid very bad execution plans
   identifiers AS (
      SELECT --+ materialize
             owner,
             object_type, 
             object_name
        FROM dba_identifiers i
       WHERE usage_context_id = 0
         AND object_type IN ('PACKAGE BODY', 'TYPE BODY', 'FUNCTION', 'PROCEDURE', 'TRIGGER')
   ),
   -- PL/SQL objects without PL/Scope metadata
   missing_plscope_obj AS (
      SELECT o.owner, o.object_type, o.object_name
        FROM dba_objects o
        JOIN app_user u ON u.username = o.owner
        LEFT JOIN identifiers i
          ON i.owner = o.owner
             AND i.object_type = o.object_type
             AND i.object_name = o.object_name
       WHERE o.object_type IN ('PACKAGE BODY', 'TYPE BODY', 'FUNCTION', 'PROCEDURE', 'TRIGGER')
         AND i.object_name IS NULL
   ),   
   -- PL/SQL bodies extended by has_dml and has_transaction colums using PL/Scope 
   plscope_obj AS (
      SELECT s.owner, s.object_type, s.object_name,
             MAX (
                CASE
                   WHEN s.type IN ('INSERT', 'UPDATE', 'DELETE', 'MERGE') THEN
                      1
                   ELSE
                      0
                END
             ) AS has_dml,
             MAX (
                CASE
                   WHEN s.type IN ('COMMIT', 'ROLLBACK') THEN
                      1
                   ELSE
                      0
                END
             ) AS has_transaction
        FROM dba_statements s
        JOIN app_user u ON u.username = s.owner
       WHERE s.object_type IN ('PACKAGE BODY', 'TYPE BODY', 'FUNCTION', 'PROCEDURE', 'TRIGGER')
       GROUP BY s.owner, s.object_type, s.object_name
   ),
   -- dba_dependencies reduced to a PL/SQL bodies
   dep_base AS (
      SELECT owner,
             type, 
             name, 
             referenced_owner,
             CASE referenced_type
                WHEN 'PACKAGE' THEN 'PACKAGE BODY'
                WHEN 'TYPE' THEN 'TYPE BODY'
                ELSE referenced_type
             END AS referenced_type,
             referenced_name
        FROM dba_dependencies d
       WHERE referenced_type IN ('PACKAGE', 'PACKAGE BODY', 'TYPE', 'TYPE BODY', 'FUNCTION', 'PROCEDURE', 'SYNONYM')
         and (owner = 'PUBLIC' OR owner IN (SELECT username FROM app_user))
         and (referenced_owner = 'PUBLIC' OR referenced_owner IN (SELECT username FROM app_user))
   ), 
   -- extend dependencies by columns has_dml and has_transaction
   dep AS (
      select d.owner,
             d.type,
             d.name, 
             d.referenced_owner, 
             d.referenced_type, 
             d.referenced_name, 
             nvl(p.has_dml, 0) AS referenced_has_dml,
             nvl(p.has_transaction, 0) AS referenced_has_transaction
        FROM dep_base d
        LEFT JOIN plscope_obj p
          ON p.owner = d.referenced_owner
             AND p.object_type = d.referenced_type
             AND p.object_name = d.referenced_name
   ),
   -- XML because JSON values are still restricted to 4000/32767 bytes
   -- see Bug 27199654 : ORA-40459 WHEN GENERATING JSON DATA
   xml_dep AS (
      SELECT XMLELEMENT("xml",
                XMLAGG(
                   XMLELEMENT("row",
                      XMLELEMENT("key",
                         XMLELEMENT("owner", d.owner),
                         XMLELEMENT("type", d.type),
                         XMLELEMENT("name", d.name)
                      ),
                      XMLELEMENT("value",
                         XMLAGG(
                            XMLELEMENT("dependency",
                               XMLELEMENT("referenced_owner", d.referenced_owner),
                               XMLELEMENT("referenced_type", d.referenced_type),
                               XMLELEMENT("referenced_name", d.referenced_name),
                               XMLELEMENT("referenced_has_dml", d.referenced_has_dml),
                               XMLELEMENT("referenced_has_transaction", d.referenced_has_transaction)
                            )
                         )
                      )
                   )
                )
             ) AS xmldoc
        FROM dep d
        JOIN dba_objects o
          ON d.owner = o.owner
         AND d.type = o.object_type
         AND d.name = o.object_name
       WHERE o.owner IN (SELECT username FROM app_user)
         AND o.object_type IN ('PACKAGE BODY', 'TYPE BODY', 'FUNCTION', 'PROCEDURE')
         AND (d.owner, replace(d.type, ' BODY'), d.name) IN (
                SELECT owner, type, table_name 
                 FROM dba_tab_privs
             )
       GROUP BY d.owner, d.type, d.name               
   ),
   -- get the object dependencies via PL/SQL function
   -- passing data as XML because the PL/SQL function dont't have access to named subqueries
   dep_hier AS (
      SELECT owner, type, name, referenced_owner, referenced_type, referenced_name, 
             referenced_has_dml, referenced_has_transaction
        FROM XMLTABLE(
               '/xml/row'
               PASSING get_dep((SELECT xmldoc from xml_dep))
                   COLUMNS owner                      VARCHAR2(128) PATH 'owner',
                           type                       VARCHAR2(128) PATH 'type',
                           name                       VARCHAR2(128) PATH 'name',
                           referenced_owner           VARCHAR2(128) PATH 'referenced_owner',
                           referenced_type            VARCHAR2(128) PATH 'referenced_type',
                           referenced_name            VARCHAR2(128) PATH 'referenced_name',
                           referenced_has_dml         INTEGER       PATH 'referenced_has_dml',
                           referenced_has_transaction INTEGER       PATH 'referenced_has_transaction'
             )
   ),
   -- aggregate columns has_dml and has_transaction per root PL/SQL body
   app_plsql AS (
      SELECT owner, type AS object_type, name AS object_name,
             MAX(referenced_has_dml) AS has_dml,
             MAX(referenced_has_transaction) AS has_transaction
        FROM dep_hier
       GROUP by owner, type, name
   ),
   -- roles as recursive structure
   role_base AS (
      -- roles without parent (=roots)
      SELECT r.role, NULL AS parent_role
        FROM dba_roles r
       WHERE r.role NOT IN (
                SELECT p.granted_role
                  FROM role_role_privs p
             )
      UNION ALL
      -- roles with parent (=children)
      SELECT granted_role AS role, role AS parent_role
        FROM role_role_privs
   ),
   -- roles tree, calculate role_path for every hierarchy level
   role_tree AS (
      SELECT role,
             parent_role,
             sys_connect_by_path(ROLE, '/') AS role_path
        FROM role_base
      CONNECT BY PRIOR role = parent_role
   ),
   -- roles graph, child added to all ancestors including self
   -- allows simple join to parent_role to find all descendants
   role_graph AS (
      SELECT DISTINCT
             role,
             regexp_substr(role_path, '(/)(\w+)', 1, 1, 'i', 2) AS parent_role
        FROM role_tree
   ),
   -- user system privileges
   sys_priv AS (
      -- system privileges granted directly to users
      SELECT u.username, p.privilege
        FROM dba_sys_privs p
        JOIN app_user u ON u.username = p.grantee
      UNION
      -- system privileges granted directly to PUBLIC
      SELECT u.username, p.privilege
        FROM dba_sys_privs p
       CROSS JOIN app_user u
       WHERE p.grantee = 'PUBLIC'
         AND p.privilege NOT IN (
                SELECT r.role
                  FROM dba_roles r
             )
      UNION
      -- system privileges granted to users via roles
      SELECT u.username, p.privilege
        FROM dba_role_privs r
        JOIN app_user u ON u.username = r.grantee
        JOIN role_graph g ON g.parent_role = r.granted_role
        JOIN dba_sys_privs p ON p.grantee = g.role
      UNION
      -- system privileges granted to PUBLIC via roles
      SELECT u.username, p.privilege
        FROM dba_role_privs r
        JOIN role_graph g ON g.parent_role = r.granted_role
        JOIN dba_sys_privs p ON p.grantee = g.role
        CROSS JOIN app_user u
       WHERE r.grantee = 'PUBLIC'
   ),
   -- user object privileges
   obj_priv AS (
      -- objects granted directly to users
      SELECT u.username, p.owner, p.type AS object_type, p.table_name AS object_name
        FROM dba_tab_privs p
        JOIN app_user u ON u.username = p.grantee
       WHERE p.owner IN (
                SELECT u2.username
                  FROM app_user u2
             )
      UNION
      -- objects granted to users via roles
      SELECT u.username, p.owner, p.type AS object_type, p.table_name AS object_name
        FROM dba_role_privs r
        JOIN app_user u ON u.username = r.grantee
        JOIN role_graph g ON g.parent_role = r.granted_role
        JOIN dba_tab_privs p ON p.grantee = g.role
       WHERE p.owner IN (
                SELECT u2.username
                  FROM app_user u2
             )
      -- objects granted to PUBLIC
      UNION
      SELECT u.username, p.owner, p.type AS object_type, p.table_name AS object_name
        FROM dba_tab_privs p
       CROSS JOIN app_user u
       WHERE p.owner IN (
                SELECT u2.username
                  FROM app_user u2
             )
         AND p.grantee = 'PUBLIC'
   ),
   -- issues if user is configured in the connection pool of a middle tier
   issues AS (
     -- privileges not part of CONNECT role
      SELECT username,
             'SYS' AS owner,
             'PRIVILEGE' AS object_type,
             privilege AS object_name,
             'Privilege is not part of the CONNECT role' AS issue
        FROM sys_priv
       WHERE privilege NOT IN ('CREATE SESSION', 'SET CONTAINER')
      -- access to non PL/SQL units
      UNION ALL
      SELECT username,
             owner,
             object_type,
             object_name,
             'Access to non-PL/SQL unit'
        FROM obj_priv
       WHERE object_type NOT IN ('PACKAGE', 'TYPE', 'FUNCTION', 'PROCEDURE')
       -- own objects
      UNION ALL
      SELECT u.username,
             o.owner,
             o.object_type,
             o.object_name,
             'Connect user must not own any object'
        FROM app_user u
        JOIN dba_objects o ON o.owner = u.username
      -- missing CREATE SESSION privilege
      UNION ALL
      SELECT u.username,
             'SYS',
             'PRIVILEGE',
             'CREATE SESSION',
             'Privilege is missing, but required'
        FROM app_user u
       WHERE u.username NOT IN (
                SELECT username
                  FROM sys_priv
                 WHERE privilege = 'CREATE SESSION' 
             )
      -- missing PL/Scope metadata leads to wrong results
      UNION ALL 
      SELECT p.username,
             p.owner, 
             p.object_type, 
             p.object_name, 
             'PL/Scope metadata is missing, required for analysis'
        FROM obj_priv p
        JOIN missing_plscope_obj s
          ON s.owner = p.owner
             AND replace(s.object_type, ' BODY') = p.object_type
             AND s.object_name = p.object_name
      -- access to PL/SQL units updating database state without COMMIT/ROLLBACK
      UNION ALL 
      SELECT p.username,
             p.owner,
             p.object_type,
             p.object_name,
             'INSERT/UPDATE/DELETE/MERGE without COMMIT/ROLLBACK'
        FROM obj_priv p
        JOIN app_plsql a
          ON a.owner = p.owner
             AND replace(a.object_type, ' BODY') = p.object_type
             AND a.object_name = p.object_name
       WHERE p.object_type IN ('PACKAGE', 'TYPE', 'FUNCTION', 'PROCEDURE') 
         AND a.has_dml = 1 AND a.has_transaction = 0
   ),
   -- aggregate issues per user
   issue_aggr AS (
      SELECT u.username, COUNT(i.username) issue_count
        FROM app_user u
        LEFT JOIN issues i ON i.username = u.username
       GROUP BY u.username
   ),
   -- user summary (calculate is_smartdb_property_3_met)
   summary AS (
      SELECT username,
             CASE
                WHEN issue_count = 0 THEN
                   'YES'
                ELSE
                   'NO'
             END AS is_smartdb_property_3_met,
             issue_count
        FROM issue_aggr
       ORDER BY is_smartdb_property_3_met DESC, username
   )
-- main
SELECT * 
  FROM summary
 WHERE issue_count = 0;
/

1. The connect user does not own database objects

2. The connect user can execute PL/SQL API units only

3. PL/SQL API units handle transactions

4. SQL statements are written by human hand

5. SQL statements exploit the full power of set-based SQL

Conclusion

6 Comments

Leave a Reply Cancel reply