Protect tables from getting dropped by mistake

With the help of event-specfic attributes, you can protect tables from getting dropped in a production environment.

Corrected September 30, 2003

Oracle provides a mechanism to track down database system events like LOGON and SHUTDOWN. Whenever a trigger is fired, event-specfic attributes or functions could be used within the trigger as a literal or variable; i.e., ora_dict_obj_name or ora_dict_obj_type. With the help of event-specfic attributes, you can protect tables from getting dropped in production environments. This script works in 8.1.6, 8.1.7 and 9i.

Prequisites: You need to create a table in sys schema that holds the name of all protected tables.

sqlplus '/as sysdba'
 
CREATE TABLE security AS SELECT object_name, owner FROM dba_objects WHERE object_type='TABLE' ;
 
CREATE OR REPLACE TRIGGER trg_security BEFORE DROP ON DATABASE
DECLARE
 v_object_name char(128); 
 v_owner varchar2(128);
BEGIN
 SELECT object_name INTO v_object_name FROM security WHERE UPPER(object_name) = ora_dict_obj_name and owner = login_user; 
 IF SQL%FOUND THEN 
  RAISE_APPLICATION_ERROR(-20001,'Cannot drop protected table'); 
 END IF;
EXCEPTION 
 WHEN NO_DATA_FOUND THEN
    NULL; -- Allows to drop that table
 WHEN TOO_MANY_ROWS THEN
    RAISE_APPLICATION_ERROR(-20002, 'Remove Duplicate entry from security table');
END;
/

To test this login as an another user:

$ sqlplus scott/tiger
SQL> drop table emp;
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20001: Cannot drop protected table
ORA-06512: at line 6

As long as you have an entry of that table in the security table, your table is protected. So in order to drop that table, delete an entry from the security table.

The following trigger will insert an entry into the securty table automatically when you create a table. Thus, NO manual task is required to add a record in the security table after the creation of a new table.

CREATE OR REPLACE TRIGGER trg_security_refresh AFTER CREATE ON DATABASE
DECLARE
 v_object_name char(128); 
 v_owner varchar2(128);
BEGIN
 IF ora_dict_obj_type = 'TABLE' then
  INSERT INTO security values (ora_dict_obj_name, login_user); 
 END IF;
END;
/

This can be futher modified for different object types such as VIEW, SYNONYMS, PROCDEURE, FUNCTION or INDEX.

Reader Feedback:

Christopher J. writes: I like the tip, but I think it should use ora_dict_obj_user instead of login_user (for the test: owner = login_user).

For More Information

  • Feedback: E-mail the editor with your thoughts about this tip.
  • More tips: Hundreds of free Oracle tips and scripts.
  • Tip contest: Have an Oracle tip to offer your fellow DBAs and developers? The best tips submitted will receive a cool prize -- submit your tip today!
  • Ask the Experts: Our applications, SQL, database administration, and data warehousing gurus are waiting to answer your toughest questions.
  • Forums: Ask your technical Oracle questions--or help out your peers by answering them--in our active forums.
  • Best Web Links: Oracle tips, tutorials, and scripts from around the Web.

This was first published in August 2003

Dig deeper on Oracle database backup and recovery

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchDataManagement

SearchBusinessAnalytics

SearchSAP

SearchSQLServer

TheServerSide

SearchDataCenter

SearchContentManagement

SearchFinancialApplications

Close