Definer rights vs. user rights

Similar Messages

• ORA-22285 Loadclobfromfile and definer rights

  I've create a directory D in schema A.
  Schema A has read permissions on the directory.
  Created a stored procedure X that reads a clob from a file in this directory.
  Running the procedure as user A works ok.
  Granted execute rights on procedure X to user B
  When user B tries to run procedure X I get error: ORA-22285: non-existent directory or file for FILEOPEN operation.
  It turns out I have to grant B read permission on the directory D.
  I don't understand why this is necessary. Procedure X runs with definer rights by default.
  Maybe someone can shed a bit of light on this ?

  // ACEs where r u ?!Oh don't Re: Needs another simple fix ! (Its been over 24hrs, nobody tried! Strange) Alex, I thought you were one of the good guys.
  Anyway, I expect a lot of the Aces are in the air right now, heading for 'Frisco.
  To your question:
  which one of the two above is the best one?It depends. Is John a developer or a user? If John is a developer then the DBA should grant him privileges explicitly. If John is a user then it is appropriate to use a role for his privileges and thus use the AUTHID CURRENT_USER approach.
  Note, I think this example is flawed because I would not expect a user to have a procedure which dynamically creates a table. Certainly I wouldn't expect John as a user to be creating procedures or to know about invoker rights. But the same model applies if the privilege is say SELECT access on another user's tables.
  the question that emerges is why do we have roles anyway if we can't truly rely on them (?)In my view ROLES are intended for managing users rather than developers. Generally I think this means granting table privileges to roles but not system privileges (although CREATE SESSION is an obvious exception). We should not use Roles for managing the privileges of developers, or for application owner accounts come to that. If the account has a schema it probably should have individually granted system privileges; as with most generalisations there is a grey area.
  Cheers, APC
  Message was edited by: inserting the crucial NOT that makes the sentence make sense
  APC

• Explain me Auth_id  and definer rights in detail with example.

  Explain me Auth_id and definer rights in detail with example.

  ibney wrote:
  Explain me Auth_id and definer rights in detail with example.How do I ask a question on the forums?
  SQL and PL/SQL FAQ
  unwilling or incapable to Read The Fine Manual yourself?
  http://docs.oracle.com/cd/E11882_01/server.112/e25789/toc.htm

• Package with invoker or definer rights

  Hi,
  would you give me the syntax for creating package with invoker or definer rights??
  Thanks in adavance.
  Regards
  Ravikumar.A

  i am looking for syntax.Document has it. From the doc.
  CREATE [OR REPLACE] PACKAGE package_name
     [AUTHID {CURRENT_USER | DEFINER}]
     {IS | AS}
     [PRAGMA SERIALLY_REUSABLE;]
     [collection_type_definition ...]
     [record_type_definition ...]
     [subtype_definition ...]
     [collection_declaration ...]
     [constant_declaration ...]
     [exception_declaration ...]
     [object_declaration ...]
     [record_declaration ...]
     [variable_declaration ...]
     [cursor_spec ...]
     [function_spec ...]
     [procedure_spec ...]
     [call_spec ...]
     [PRAGMA RESTRICT_REFERENCES(assertions) ...]
  END [package_name];
  [CREATE [OR REPLACE] PACKAGE BODY package_name {IS | AS}
     [PRAGMA SERIALLY_REUSABLE;]
     [collection_type_definition ...]
     [record_type_definition ...]
     [subtype_definition ...]
     [collection_declaration ...]
     [constant_declaration ...]
     [exception_declaration ...]
     [object_declaration ...]
     [record_declaration ...]
     [variable_declaration ...]
     [cursor_body ...]
     [function_spec ...]
     [procedure_spec ...]
     [call_spec ...]
  [BEGIN
     sequence_of_statements]
  END [package_name];]

• "Role not defined for individual users" on user import

  Hello,
  I am trying to import a certain user from one portal to another and I get this warning message:
  "Role <pcd_role_path> not defined for individual users."
  This role is assigned to this user at the 1st portal and exists at the 2nd portal at the same location.
  What does it mean and what do I need to do in this case?

  hi Roy,
  just check one thing ....
  please check wether the user have permissions to those roles.
  please go to the PCD location, where the roles have defined.
  right click on the role and check permissions.
  see if the user you are using is mentioned there. if no, add your user with read/write end user permission.
  i hope this will help you .
  Regards,
  Sujay

• Define and assign user authorization groups in FI

  Hi All,
  In order to allow some specific group of users to post in AUGR allowed periods, how do I define and assign user authorization groups in FI?
  Thanks,
  Teo

  Hi Teo,
  Here i am giving some authorisations in fi
  F_AVIK_BUK FI Payment Advice: Authorization for Company Codes
  F_BKPF_BED FI Accounting Document: Account Authorization for Customers
  F_BKPF_BEK FI Accounting Document: Account Authorization for Vendors
  F_BKPF_BES FI Accounting Document: Account Authorization for G/L Accounts
  F_BKPF_BLA FI Accounting Document: Authorization for Document Types
  F_BKPF_BUK FI Accounting Document: Authorization for Company Codes
  F_BKPF_BUP FI Accounting Document: Authorization for Posting Periods
  F_BKPF_GSB FI Accounting Document: Authorization for Business Areas
  F_BKPF_KOA FI Accounting Document: Authorization for Account Types
  F_BKPF_VW FI Acc. Document: Change/Display Default Vals for Doc.Type/PKey
  F_BL_BANK FI Authorization for House Banks and Payment Methods
  F_BNKA_BUK FI Banks: Authorization for Company Codes
  I hope it will help.
  BR,
  Satya

• ITS access with users not defined as dialog users

  Hello ,
  We have a requirement so that the users accessing HR Machine are restricted and only few of them are defined as dialog users . For the users defined as comunication users in the R3 core , we are now installing ESS - MSS services .
  The ITS is needed for reporting , and also is needed for PCR´s functionality . But the ITS is asking for dialog users .
  Does anyone know how can we use system or communicatio users ¿? . Or where can we fix the problem .
  Regards
      Álvaro

  Hi,
  I have been running my Own test on this.
  Any Screen Name on my G4 will show a Red Away Blob. In the Header ang where I have Some Accounts as Buddies in Other Buddy Lists.
  This is also true if I log in with yet more Screen Names on my second computer.
  I posted an Red Away message asking people to IM me if they could see it as Away.
  In two days I had one reply form someone who saw it as Green.
  If I set it to the Basic Away Setting the Message became Away but I showed as On Line and Available (Green).
  I am currently testing having deleted com.apple.ichat.AIM.plist
  You can try here
  http://www.apple.com/feedback/ichat.html
  There is no reply but enough people will produce a result over time (few days if there is a rush)
  I will also make the Hosts aware via another Channel
  8:31 PM Wednesday; July 1, 2009
  Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"

• Defining BI Power User Role and Authorizations

  We are looking for information/best practices/guidelines pertaining to defining BI Power Users and the appropriate authorizations to attach to this role.  Our Power Users are asking for approval to access several transactions within BI, specifically within RSA1. I am curious to know how you define your power user role(s) and to what extent they have access to BW itself (i.e. BEx, Web Designer, direct access to BW transactions such as listcube, RSA1, RRI, ability to update custom tables, ability to access the data model structure, etc )? Do your power users have access to develop production queries in DEV and test in your QA environment or are they restricted to ad hoc queries in Production? Have you seen any best practices or guidelines from SAP surrounding appropriate authorizations for Power Users? Any information you would be willing to share with us would be most appreciated.

  Hatem,
  You have an option to use the old method however it's recommend to use analysis authorizations going forward.
  Take a look at the sap wiki for analysis auth for more info or search the site for other good info.
  https://www.sdn.sap.com/irj/sdn/wiki?path=/display/bi/authorizationinSAPNWBI&
  Cheers,
  Ben

• How to define a new user in Enterprise manager with Specific access rights?

  Hi,
  I want to create a new user in OEMS 11g who should be able to access only the scheduler jobs section.
  How can this be acheived?

  You can create new administrators via the Setup --> Administrators page
  You can grant certain access rights to targets, you can not however grant priv to only access the job system
  Take a look at http://download.oracle.com/docs/cd/E11857_01/em.111/e14586/security3.htm#sthref235
  Regards
  Rob
  http://oemgc.wordpress.com

• Definer rights VS. invoker rights (same old story...)

  /Disclaimer:/
  Look, I know that this one has been discussed like hundreds of times already...
  Anyway, as I was browsing the forum yesterday, I have noticed this thread:
  Re: Different data dictionaries inside stored procedures?
  and it actually reminded me of a question I once had but never got the anwser.
  So, here goes...
  Imagine a pretty common situation of a DBA creating a new user account 'JOHN' and granting John some privileges:
  create user john identified by xxxxx default tablespace .... ;
  grant connect to john;
  grant create procedure to john;Afterwards John opens a session, creates the following PL/SQL procedure and executes it:
  create or replace procedure table_creator (tab_name varchar2)
  is
  begin
    execute immediate 'create table '||tab_name||' (n number)';
  end;
  exec table_creator('test')And we all know what happens:
  BEGIN table_creator('test'); END;
  ERROR at line 1:
  ORA-01031: insufficient privileges
  ORA-06512: at "JOHN.TABLE_CREATOR", line 5
  ORA-06512: at line 1Now, the 2 well-known solutions to this problem are:
  1) grant create table to john; (and thus do not rely on roles);
  2) create or replace procedure table_creator (tab_name varchar2) authid current_user is...
  My question is: which one of the two above is the best one?
  I mean, the first solution seems pretty straightforward, but then the question that emerges is why do we have roles anyway if we can't truly rely on them (?)
  As for the second one, there're issues like performance downgrade due to runtime name/privilege resolution, etc.
  Or is there some other way to go?
  Message was edited by:
  iferous

  // ACEs where r u ?!Oh don't Re: Needs another simple fix ! (Its been over 24hrs, nobody tried! Strange) Alex, I thought you were one of the good guys.
  Anyway, I expect a lot of the Aces are in the air right now, heading for 'Frisco.
  To your question:
  which one of the two above is the best one?It depends. Is John a developer or a user? If John is a developer then the DBA should grant him privileges explicitly. If John is a user then it is appropriate to use a role for his privileges and thus use the AUTHID CURRENT_USER approach.
  Note, I think this example is flawed because I would not expect a user to have a procedure which dynamically creates a table. Certainly I wouldn't expect John as a user to be creating procedures or to know about invoker rights. But the same model applies if the privilege is say SELECT access on another user's tables.
  the question that emerges is why do we have roles anyway if we can't truly rely on them (?)In my view ROLES are intended for managing users rather than developers. Generally I think this means granting table privileges to roles but not system privileges (although CREATE SESSION is an obvious exception). We should not use Roles for managing the privileges of developers, or for application owner accounts come to that. If the account has a schema it probably should have individually granted system privileges; as with most generalisations there is a grey area.
  Cheers, APC
  Message was edited by: inserting the crucial NOT that makes the sentence make sense
  APC

• Best practices for defining Environment Variables/User Accounts in Linux

  Hello,
  After reading throught the Quick Install guide for 10gR2 on x86_64 Linux, I see that it is not recommended to define ANY variables in .bash_profile.
  I'm hoping to get a Best practices approach for defining environment variables - right now we use the oracle linux account for administration including sql*plus. So, where should the myriad variables be defined? Is it important enough to create a user account in linux to support best practices?
  What variables, exactly, should be defined? It seems that LD_LIBRARY_PATH is no longer being used?
  Thanks in advance
  Doug

  Something that I've done for years on unix/linux boxes is to create a seperate environment variable setup file for each instance on the box. This would include things like ORACLE_HOME, ORACLE_SID, etc. Then I would create an alias in my .bash_profile that would execute this script. As an example, I would create a orcl.env file that would hold all of the environment variables for this instance. Then in my .bash_profile I would create a line like the following:
  alias orcl=". $HOME/orcl.env"
  Then from anywhere you could type orcl and you would set your environment to connect to that database.
  Also, if you are using 10g, something else that is really nice if you are using sqlplus, and you connect to different databases without starting a new sqlplus session is to set a parameter in your $ORACLE_HOME/sqlplus/admin/glogin.sql file:
  set sqlprompt "_user 'at' _connect_identifier >"
  This will automatically change your command prompt to look like this:
  RALPH at ORCL >
  if you connect as GEORGE, your prompt will immediately change to :
  GEORGE at ORCL >
  This way you can always know who and where you are connected to.
  Good luck!

• Error while linking user defined table to user defined field using vb6.0

  Hi,
  I am creating a userdefined field on a SAPB1 table(PDN1) using vb 6.0
  I am trying to link this field to a user defined table.
  When i do that i get the following error:
  "The field 'Related table' should consist of 8 alphanumeric chracters with no valid or default values"
  When i try to do the same thing from SAPB1(not using code) there is no such problem.
  My vb code is as follows:
  Set oUserFieldsMD = oCmp.GetBusinessObject(oUserFields)
  oUserFieldsMD.TableName = "PDN1"
  oUserFieldsMD.Name = "OB_Locn"
  oUserFieldsMD.Description = "WH Location"
  oUserFieldsMD.Type = db_Alpha
  oUserFieldsMD.EditSize = 30
  lRetCode = oUserFieldsMD.Add
  If lRetCode <> 0 Then
      oCmp.GetLastError lErrCode, sErrMsg
      MsgBox sErrMsg
      GoTo Err_
  End If
  If Not oUserFieldsMD.GetByKey("PDN1", 0) Then
      MsgBox "Error"
      GoTo Err_
  End If
  oUserFieldsMD.LinkedTable = "OB_TEST"
  lRetCode = oUserFieldsMD.Update
  Your help will be much appreciated.
  Thanks.

  Great Sébastien!
  Looks like we could not survive here one day without your contribution
  Best regards,
  Frank
  PS: For readers of this thread who don't understand why
  EditSize
  must be "8":
  This is the size of the
  Code
  field in the user-defined table to which the new field OB_Locn (in the DB it will be U_OB_Locn) is linked to...
  So, it should be preferrably of the same size.

• Remove or Delete monitor display preferences as defined by the User -

  The clarity and resolution of my display seems to have disappeared. It is currently set at 1440 x 900 which is usually fine except when I start-up, my screen loads what must initially be the default settings - which are perfect - then after a couple of seconds changes to a dark/grainy image.
  When I log in to another user account, the image is fine which indicates that it is must be display preferences for the user which has changed (although I don't recall ever doing this). Does anyone know how to reset defaults or remove delete user defined profile?
  Thank you.

  DearJane
  As Limnos points out my suggestion takes a rather blanket approach which may not suit you? However it's also fair to say that problems potentially caused due to damaged and/or corrupted .plists are not exclusive to a single .plist. Occasionally its a combination of 2, 3 or 4 or possibly more that causes the problem.
  Hence my suggestion to create a folder on the desktop first. That way if the problem goes away you can introduce desired .plist files later on once you test everything else. It's also my experience that most mac users can benefit from having a major clearout. Couple this with clearing out the contents of /Users/Home/Library/Caches and overall performance can seem quite marked.
  A lot does depend on how many 3rd-Party applications/utilities you've added. I have lots of added extras and it does not cause me any problems whenever I clear them all out.
  The choice is yours.
  HTH?
  Tony

• About user defined function in user defined rule

  Hi,
  I am wondering if I can use a user defined function in a user defined rule in oracle sem.. I've seen examples of user defined function used in sparql query filter clause in that dev. guide. However, I don't know if I can define a function in oracle sem. database and use it in the rule body or head. For example, I want to define a duration function that calculate the date difference between two dates.  Then, I want to define a rule like this: event1 :has_start_date d1 and event1: has_end_date d2 and duration (24, d1,d2) then event1:date_satisfiable "yes". Does oracle support this kind of rule? Thank you very much.
  Hong

  Hi Hong,
  The user defined rules are quite similar to a CONSTRUCT SPARQL query, where the FILTER clause is implemented in SQL.
  I think we have already written rules like you want :
  You have to write a PL/SQL FUNCTION that returns a NUMBER (not a BOOLEAN, think you are in SQL) :
  FUNCTION DURATION(HOURS INTEGER, D1 VARCHAR2, D2 VARCHAR2) RETURN INTEGER
  IS
  BEGIN
       IF(.................)
          THEN RETURN 1;
          ELSE RETURN 0;
       END IF;
  END;
  Maybe you will have to GRANT EXECUTE ON DURATION TO MDSYS.
  Then include the following in the FILTER clause of the Rulebase "[owner].duration (24, TO_CHAR(d1),TO_CHAR(d2)) = 1"
  Hope this helps.

• Using define for the user variable/

  Hii,
  I am trying to define a user variable and then using this variable trying to output the result. plz help
  1 define ename = 'TURNER'
  2 declare
  3 result number(7,2);
  4 begin
  5 select sal into result from emp
  6 where ename = '&ename';
  7 dbms_output.put_line(result);
  8* end;
  SQL> /
  Enter value for ename: turner
  define ename = 'TURNER'
  ERROR at line 1:
  ORA-00900: invalid SQL statement
  thanks
  sharath

  SQL> set serveroutput on
  SQL> define ename = 'TURNER'
  SQL> declare
    2    result number(7,2);
    3  begin
    4    select sal
    5    into result
    6    from emp
    7    where ename = '&&ename';
    8    dbms_output.put_line(result);
    9  end;
  10  /
  old   7:   where ename = '&&ename';
  new   7:   where ename = 'TURNER';
  1500
  PL/SQL procedure successfully completed.
  Message was edited by:
          jeneesh
  One '&' is enough!My mistake.Thanks Kamal Kishore..