Granting role to user error
Oracle 10.2.05
Linux environment
I just granted a role to a user, but the user does not have privileges based on the role.
Here is what I did:
First create a user (db_user) using system id
Second, create role schema_admin_role
Then run the script to grant privileges to the role
(SELECT 'grant select, insert, update, delete on ' || owner || '.' || table_name || ' to schema_admin_role;' FROM dba_tables WHERE owner = 'another_schema';)
Then run
grant schema_admin_role to db_user;
The problem:
When db_user tries to update table X owned by another_schema, he gets not sufficient privileges.
But when I run (select owner, table_name,privilege from dba_tab_privs where grantee = 'SCHEMA_ADMIN_ROLE'; ), I see all the privileges owned by this role.
Any solution from your end will be appreciated.
sb92075 wrote:
did db_user start a new session after GRANT was issued?
Yes he did - also when I try to list all privileges granted to db_user, I get no rows selected. On the other hand, when I query privileges granted to role schema_admin_role, I see all privileges granted earlier.
Example:
select owner, table_name, privilege from dba_tab_privs where grantee = 'SCHEMA_ADMIN_ROLE'; -- Here we get all privileges
select owner, table_name, privilege from dba_tab_privs where grantee = 'DB_USER'; -- No rows selected
Similar Messages
-
How can I use Oracle Developer2000 Form6 to grant privileges and roles to a user in the database (Oracle 8i) from a trigger of Form6? Is there any built-in about this statement?
PL/SQL doesn't allow you to issue DDL commands directly, but it does provide a utility package called DBMS_SQL. This allows you to create dynamic SQL statements at runtime and execute them. The code you would need is as follows:
In declaration section -
v_sql varchar2(200);
v_cursor number;
v_result number;
In the code body -
v_sql := 'GRANT <ROLES> TO <USER>';
v_cursor := dbms_sql.open_cursor;
dbms_sql.parse(v_cursor, v_sql, dbms_sql.native);
v_result := dbms_sql.execute(v_cursor);
dbms_sql.close_cursor(v_cursor); -- release the cursor when done
You can ignore the value of v_result as it is not a DML statement. Also you could build your SQL string up dynamically using variables from your form, i.e.:
v_sql := 'GRANT '||:FORM.ROLE||' TO '||:FORM.USER;
Hope that helps!
Ian -
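A GRANT string concatenated from form fields, as in the last line of the answer above, executes whatever text those fields contain. The following is an added example, not code from the original posts, that validates both names before building the statement. The procedure name grant_role_checked and the one-entry role allowlist are hypothetical, and it assumes a release that ships DBMS_ASSERT (10g Release 2 or later).

```sql
-- Added example: validate identifiers before running a dynamic GRANT.
-- grant_role_checked and the ETS_MANAGER allowlist entry are hypothetical.
-- The procedure owner must itself be able to grant the role from inside
-- definer's-rights PL/SQL (privileges held only through a role do not count).
CREATE OR REPLACE PROCEDURE grant_role_checked (
  p_role IN VARCHAR2,
  p_user IN VARCHAR2
) AUTHID DEFINER
IS
  v_role  VARCHAR2(128);
  v_user  VARCHAR2(128);
  v_found PLS_INTEGER;
BEGIN
  -- SIMPLE_SQL_NAME raises ORA-44003 unless the input is a single
  -- identifier, so values with spaces, commas or extra keywords are rejected.
  v_role := UPPER(DBMS_ASSERT.SIMPLE_SQL_NAME(p_role));
  v_user := UPPER(DBMS_ASSERT.SIMPLE_SQL_NAME(p_user));

  -- Only roles the form is meant to hand out; never a free-text role name.
  IF v_role NOT IN ('ETS_MANAGER') THEN
    RAISE_APPLICATION_ERROR(-20001, 'Role is not grantable from this form');
  END IF;

  -- The grantee must be an existing database user.
  SELECT COUNT(*) INTO v_found FROM all_users WHERE username = v_user;
  IF v_found = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'Unknown user');
  END IF;

  -- Quote both names so they can only ever be parsed as identifiers.
  EXECUTE IMMEDIATE 'GRANT ' || DBMS_ASSERT.ENQUOTE_NAME(v_role, FALSE)
                 || ' TO '   || DBMS_ASSERT.ENQUOTE_NAME(v_user, FALSE);
END grant_role_checked;
/
```

The form trigger then calls grant_role_checked(:FORM.ROLE, :FORM.USER) instead of assembling the statement itself.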
Dear all,
I have a role called ets_manager. How can I grant it to my user steve in Forms 6i? I mean, what is the script? I have a button; when the button is pressed I want the role to be granted to a user.
Thanks in advance.
regards
Try out FORMS_DDL Built-in
http://www.oracle.com/webapps/online-help/forms/10g?topic=formsddl_html -
Who granted role to user and when
In Oracle 11g, is it possible to find out who granted a particular role to a user and when? Like maybe from logs?
SELECT log_mode
FROM v$database
will tell you whether the database is running in ARCHIVELOG mode or not. You'd need for the database to be running in ARCHIVELOG mode and to have the archived logs back to the point in time that the role was granted in order to use LogMiner.
I don't suppose there is any chance that you had enabled auditing of GRANTs prior to the role being granted, is there? That would be the appropriate way to capture that information going forward.
Justin -
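Auditing of GRANTs, as suggested in the answer above, can be set up as follows. This is an added example, not part of the original post; it assumes Oracle 11g standard auditing with the AUDIT_TRAIL parameter set to DB or DB,EXTENDED, and a session that holds the AUDIT SYSTEM privilege.

```sql
-- Added example: capture who grants or revokes roles, from now on.

-- 1. Confirm audit records are written to the database audit trail.
SELECT value
FROM   v$parameter
WHERE  name = 'audit_trail';

-- 2. Audit GRANT and REVOKE of system privileges and roles,
--    one audit record per statement.
AUDIT SYSTEM GRANT BY ACCESS;

-- 3. Later: list role grants and revokes with grantor, grantee and time.
--    For these actions the role name is recorded in OBJ_NAME.
SELECT username     AS granted_by,
       grantee,
       obj_name     AS role_name,
       action_name,
       admin_option,
       timestamp,
       returncode   -- 0 means the statement succeeded
FROM   dba_audit_statement
WHERE  action_name IN ('GRANT ROLE', 'REVOKE ROLE')
ORDER  BY timestamp;
```

Grants made before the AUDIT statement was issued are not in the trail; for those, only the archived redo logs remain as a source.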
In 11i CRM add the role 'csi normal user' error
Hi,
I am trying to add the role 'csi normal user'; for that I have the procedure below.
To add this role to a user, you need CRM HTML Administration responsibility:
1. In the Navigator, click the CRM HTML Administration responsibility.
2. Under “Setup : Users : Registration”, click User Maintenance
3. Enter full or partial username and click Go.
4. Select the applicable username from the list
5. Click Roles
6. Select the CSI Normal User role from the left pane.
7. Click Move to put it in the right pane.
8. Click Update.
I have already added CRM HTML Administrator to myself, I have sysadmin privilege, and I have CRM HTML Administrator, under which I have User Maintenance.
If I click that, it shows an error that I don't have the privilege to view that page.
The error says I don't have the privilege.
Please let me know.
Hi,
Have a look at the following documents.
Note: 261174.1 - Insufficient Privileges to Access the User Maintenance Page
https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=261174.1
Note: 232373.1 - Insufficient Privileges when Accessing User Maintenance
https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=232373.1
Note: 299795.1 - Error In Granting Any Roles To A User - "Error granting role"
https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=299795.1
Note: 299186.1 - Administration Privilege Is Required To Access This Page
https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=299186.1
Regards,
Hussein -
I created a custom security extension following the steps listed in the Readme_Security Extension Sample. It works fine if I log in as the user that is specified in the AdminConfiguration section of the rsreportserver.config file, but if I log in as another user, I get this error: User '' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed. I've added the user to both System Administrator and System User roles to try to get it to work but still no luck.
Does anyone know how to fix this?
Thanks.
Hi MetronM,
The issue is that the user has no permission to access the report server. In Report Manager, Reporting Services includes predefined roles that we can assign to users and groups to provide immediate access to a report server. Each role defines a collection of related tasks.
You can refer to the following steps to assign corresponding role to the user.
Open report manager.
Click “Folder Setting” button.
Click “New Role Assignment” icon.
Type the user name and select the corresponding role.
There is an article about Granting Permissions on a Native Mode Report Server, you can refer to it.
http://technet.microsoft.com/en-us/library/ms156014.aspx
Regards,
Alisa Tang
TechNet Community Support -
Error Message = 3205: '~WF_ADHOC-1446' is not a valid role or user name
Hi,
I have an Item attribute of type 'Role' ('CREDIT_COMMITTEE_MEMBERS') and I am using that attribute as performer for two notification activities.
For first notification, I create an adhoc role and assign it to the attribute and the notification goes successfully.
I want to send reminder to the people who have not responded to the first notification.
So I used the following query:
SELECT recipient_role
FROM wf_notifications
WHERE (message_name = 'MSG_TO_CREDIT_COMM_NEED_APPR' or message_name = 'MSG_REMINDER_CREDIT_COMM')
AND item_key = itemkey
AND status = 'OPEN';
The following code was used to update the Item attribute of type "Role"
FOR rec_cc_role_names IN cur_cc_role_names
LOOP
  IF l_role_count = 0 THEN
    l_role_users := rec_cc_role_names.recipient_role;
  ELSE
    l_role_users := l_role_users || ' ' || rec_cc_role_names.recipient_role;
  END IF;
  l_role_count := l_role_count + 1;
END LOOP;
wf_directory.createadhocrole
  ( role_name               => l_role_name,
    role_display_name       => l_role_display_name,
    notification_preference => 'MAILTEXT',
    role_users              => l_role_users,
    expiration_date         => NULL);
wf_engine.setitemattrtext
  ( itemtype => 'XXCCVOTP',
    itemkey  => itemkey,
    aname    => 'CREDIT_COMMITTEE_MEMBERS',
    avalue   => l_role_name);
The second notification activity is throwing the below error
Error Name = WFNTF_ROLE
Error Message = 3205: '~WF_ADHOC-1446' is not a valid role or user name.
Error Stack =
Wf_Notification.SendGroup(~WF_ADHOC-1446, XXCCVOTP,
MSG_REMINDER_CREDIT_COMM, 07-APR-10, WF_ENGINE.CB)
Wf_Engine_Util.Notification_Send(XXCCVOTP, 154009, 186344,
XXCCVOTP:MSG_REMINDER_CREDIT_COMM)
Wf_Engine_Util.Notification(XXCCVOTP, 154009, 186344, RUN)
Kindly help.
Thanks,
Amit
The users list was null for the role, which was causing the error. The query populating the user list was not returning any row.
-
Sales Agreement workflow errored on 3205: is not a valid role or user name.
Hi experts,
We're currently on EBS R12.1.2. We're running into an issue that seems like a very general issue that other businesses would have encountered before. We have a business user who creates most of the sales agreements. When this business user left the company, we set an active end date on the particular userid. Now, when we go into the sales agreements originally created by this particular userid and put in the expiration date to expire these sales agreements, we see the sales agreement workflow erroring out in the pre-notification workflow email with error 3205: is not a valid role or user name.
It seems to be this is a very typical business scenario. If you have encountered this problem, please share how you resolved this issue within your oracle apps environment.
Thank you in advance for your help,
Jennifer
Hello,
We have the same problem in 11.5.10.2. If we want to use this blanket sales agreement, I have to skip this notification as sysadmin, and after this I can extend the end date and another user can use this BSA.
Look at Extend The Expiration Date For Closed Non-Active Expired BSA Blanket Sales Agreement [ID 1394888.1]
Regards,
Luko -
I want to revoke a number of roles from users. What I found is that if one or more roles were not granted to the user before, then the whole 'revoke' statement will fail, i.e. the granted roles will not be revoked from the user. Is there a way to let the statement revoke the granted roles even though some roles may not have been granted? For example:
REVOKE role1,role2,role3 from user;
I want to revoke role1 and role2 even though role3 was not granted to the user.
Why don't you test this yourself?
satyaki>
satyaki>select * from v$Version;
BANNER
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Prod
PL/SQL Release 10.2.0.3.0 - Production
CORE 10.2.0.3.0 Production
TNS for 32-bit Windows: Version 10.2.0.3.0 - Production
NLSRTL Version 10.2.0.3.0 - Production
Elapsed: 00:00:00.98
satyaki>
satyaki>
satyaki>
satyaki>
satyaki>create role r1;
Role created.
Elapsed: 00:00:01.80
satyaki>
satyaki>
satyaki>GRANT select ON emp TO r1;
Grant succeeded.
Elapsed: 00:00:00.51
satyaki>
satyaki>
satyaki>create role r2;
Role created.
Elapsed: 00:00:00.02
satyaki>
satyaki>grant update on emp to r2;
Grant succeeded.
Elapsed: 00:00:00.05
satyaki>
satyaki>
satyaki>grant r1 to hr;
Grant succeeded.
Elapsed: 00:00:00.17
satyaki>
satyaki>grant r2 to titan;
Grant succeeded.
Elapsed: 00:00:00.07
satyaki>
satyaki>
satyaki>revoke r2 from hr;
revoke r2 from hr
ERROR at line 1:
ORA-01951: ROLE 'R2' not granted to 'HR'
Elapsed: 00:00:00.12
satyaki>
satyaki>
Regards.
Satyaki De. -
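The ORA-01951 error shown in the session above can be handled one role at a time, so that a role the user never held does not stop the others from being revoked. This is an added example, not part of the original thread; APP_USER and ROLE1 to ROLE3 are placeholder names, and DBMS_ASSERT requires 10g Release 2 or later.

```sql
-- Added example: revoke each listed role separately and skip ORA-01951.
-- APP_USER, ROLE1, ROLE2 and ROLE3 are placeholder names.
SET SERVEROUTPUT ON

DECLARE
  TYPE name_list IS TABLE OF VARCHAR2(30);
  v_roles name_list := name_list('ROLE1', 'ROLE2', 'ROLE3');
  v_user  CONSTANT VARCHAR2(30) := 'APP_USER';

  -- Map ORA-01951 (ROLE not granted to user) to a named exception.
  role_not_granted EXCEPTION;
  PRAGMA EXCEPTION_INIT(role_not_granted, -1951);
BEGIN
  FOR i IN 1 .. v_roles.COUNT LOOP
    BEGIN
      EXECUTE IMMEDIATE
        'REVOKE ' || DBMS_ASSERT.ENQUOTE_NAME(v_roles(i), FALSE) ||
        ' FROM '  || DBMS_ASSERT.ENQUOTE_NAME(v_user, FALSE);
      DBMS_OUTPUT.PUT_LINE('revoked ' || v_roles(i));
    EXCEPTION
      WHEN role_not_granted THEN
        -- Only this error is tolerated; anything else still propagates.
        DBMS_OUTPUT.PUT_LINE('skipped ' || v_roles(i) || ' (not granted)');
    END;
  END LOOP;
END;
/

-- Verify: none of the listed roles should remain.
SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'APP_USER'
AND    granted_role IN ('ROLE1', 'ROLE2', 'ROLE3');
```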
Granting roles permission to run packages created by somone else
Hi there,
I'm using Oracle 9i and I've written a package that has several functions that need to be run by a role other than the owner. I have 2 roles I granted execute permission on the package itself but when I log in to our app as another user with one of those granted roles, I get the 'insufficient privilege' error.
My DBA mentioned something about doing a pl/sql wrapper. I did a search under wrap in the oracle index and came up with a wrap utility. If this is what he meant, I don't understand how that helps with permissions if the wrap util just encrypts my package. How do the roles get permission to run it then?
Thanks
Evita
If you call the stored procedure from a PL/SQL block, there will be a problem that PL/SQL does not, by default, recognize privileges granted through a role. You can either make a direct grant or you can change the PL/SQL block to specify authid current_user.
Justin
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC -
How can I see which roles or users have access to a table?
How can I see which roles or users have access to a table?
For a given table, how can I see the grants, who and what?
Many thanks
dba_tab_privs.
Grantee can be a role or a user, as roles are fake users.
Sybrand Bakker
Senior Oracle DBA -
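A privilege granted to a role is listed in dba_tab_privs under the role's name, and the link from the role to its users is held in dba_role_privs. That applies both to the answer above and to the first question on this page, where the query for grantee 'DB_USER' returned no rows. The following is an added example, not part of the original posts, that lists direct and role-inherited access to one table; ANOTHER_SCHEMA, X and DB_USER are placeholders following that first question's wording.

```sql
-- Added example: who can reach one table, directly or through roles.
-- ANOTHER_SCHEMA, X and DB_USER are placeholder names.

-- 1. Direct grants plus grants inherited through (nested) roles.
SELECT p.grantee   AS holder,
       p.privilege,
       'direct'    AS granted_via
FROM   dba_tab_privs p
WHERE  p.owner = 'ANOTHER_SCHEMA'
AND    p.table_name = 'X'
UNION ALL
SELECT m.grantee,
       p.privilege,
       'role ' || m.root_role
FROM   dba_tab_privs p
JOIN  (-- Every grantee that holds root_role, directly or via other roles.
       SELECT CONNECT_BY_ROOT granted_role AS root_role,
              grantee
       FROM   dba_role_privs
       CONNECT BY NOCYCLE PRIOR grantee = granted_role) m
  ON   m.root_role = p.grantee
WHERE  p.owner = 'ANOTHER_SCHEMA'
AND    p.table_name = 'X'
ORDER  BY 1, 2;

-- 2. Roles granted to one user, and whether each is enabled at login.
SELECT granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee = 'DB_USER';

-- 3. Run as the user in question: roles active in the current session.
SELECT role
FROM   session_roles;
```

A role with DEFAULT_ROLE = 'NO' in the second query is granted but not active until the session enables it, and roles are not active at all inside definer's-rights PL/SQL.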
Assigning roles to users programmatically
Hi,
I want to programmatically create roles, assign roles to users etc.
I saw at this thread
ADF Security Policy Store
the following scriptlet by Frank Nimphius
try {
    IdentityStore idstore = JpsCommonUtil.getValidIdStore("idstore.xml.provider").getIdmStore();
    try {
        UserManager userManager = idstore.getUserManager();
        RoleManager roleManager = idstore.getRoleManager();
        Role adminRole = idstore.searchRole(Role.SCOPE_APPLICATION, "admin");
        // create user
        // TODO check for empty username and password
        User newUser = userManager.createUser(this.username, this.password.toCharArray());
        roleManager.grantRole(adminRole, newUser.getPrincipal());
    } catch (IMException e) {
        // TODO
    }
} catch (JpsException e) {
    // TODO
}
return null;
This is a TP3 scriptlet; is it still working on the 11g production?
I tried it and I get a JpsException
oracle.security.jps.JpsException
at oracle.security.jps.internal.common.util.JpsCommonUtil.getValidIdStore(JpsCommonUtil.java:1004)
Do I have to replace "idstore.xml.provider" with something else depending on my configuration?
thanks
Tilemahos
Hi Frank, thanks for the answer,
I checked this functionality with the WLS embedded LDAP and I saw your "How-to configure OID for authentication in WebLogic Server" post.
I managed to add users and assign them roles that I created in my application.
But what if I want to have a super user that can create new roles and assign them member roles?
e.g.
Developer created roles (policy store):
accessPage1 ( granted all the necessary principals to access page1 )
accessPage2 ( granted all the necessary principals to access page2 )
Super user created roles
Role1 member roles: accessPage1, accessPage2
If I want my application to have that functionality I must create roles programmatically, won't I?
Is there another way?
By the way, I followed the advice at the following useful links
Chris Muir: http://one-size-doesnt-fit-all.blogspot.com/2008/12/configuring-wls-with-ms-active.html
Frank Nimphius's How-to configure OID for authentication in WebLogic Server
Edwin Biemond's Using OpenLDAP as security provider in WebLogic
Andrejus Baranovskis: Practical ADF Security Deployment on WebLogic Server
And I managed to add users of the Microsoft LDAP to the WLS
but I couldn't make them group members of my application groups (roles).
Is this possible?
Thanks -
SECATT for assigning roles to users
Hi All,
How do we make the ECATT to work for the below scenario:
Users already have roles assigned to them. We need to add new roles to the users, which can vary in number based on the user's job.
A simple ECATT script that was developed to add a single role to a new user does not work in the above case and gives an error of invalid batch input. How do I create an ECATT to assign a role to a user who already has a set of roles assigned (the number of roles assigned to users differs, so I cannot assume to train the ECATT to assign a role on line X)? Is there something I am missing in the ECATT script creation?
We are doing this from a CUA and it's very difficult to assume how many roles a user could have.
Thanks,
Jay
Thanks Alex for the insight. For some reason SU10 is slow in the CUA environment and I wanted to avoid it, but yes, I finally had to use SU10. Talking to one of our ABAPers I came to know that even in their BDC recordings they get the error which I received, but he changes his program to skip all the lines with data and then fill the empty line.
In a CUA environment, how do we create an ECATT to delete a role from many users?
Thanks,
Jay -
How to Create BP in a new role - Internet User
Hi Guru's,
I have a requirement where I need to create a BP in role Internet User (BP005) from WEBUI without using the BP Role Assignment block. The condition is: there is a marketing attribute (a checkbox) in the BP_HEAD Account Details View which, when checked, should automatically try to create the BP in role Internet User on Save.
I tried using the ON_SAVE method in BP_HEAD_ACCOUNTDETAILS_IMPL and called BAPI_BP_ROLE_ADD_2 and passed all the values but it gives me an error message saying the BP is locked by me, which makes sense because I am actually editing the same BP.
I am trying to trigger this using an existing relation, but not able to figure out what relation it is or how & where can I code that. Please help...
Surprisingly I could not find any posts similar to my requirement in this forum.
Thanks,
Kumar
Hi Frederick,
That was very helpful, I am able to trigger the creation of the role but it is not saving in backend for some reason. When I change the BP again and save it , this time it says the BP is already created in that role except I don't see that in backend. I can see it has been created somehow in tables but in Tx: BP in Gui the Contact is not in that role. I am guessing it is something to do with authorizations from the WEBUI for on save event. But I got an initial start. Can you tell me if you had to assign any specific roles to WEBUI user or any special authorizations?
Thanks,
Sunil -
Unable to grant sysdba to user
Hi,
On my PC I am using Redhat 5. When I grant sysdba privilege to user hr it gives an error.
SQL> grant sysdba to hr;
grant sysdba to hr
ERROR at line 1:
ORA-01994: GRANT failed: password file missing or disabled
I checked that the password file is in place in the folder HOME/dbs. What can be the problem?
Please help
Thanks
It works for me.
bcm@bcm-laptop:~$ sqlplus
SQL*Plus: Release 11.2.0.1.0 Production on Mon Nov 1 10:39:30 2010
Copyright (c) 1982, 2009, Oracle. All rights reserved.
Enter user-name: / as sysdba
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> grant sysdba to hr;
Grant succeeded.
Either you are mistaken or Oracle is.
Either you have an error of omission or error of commission, but without knowing what you have & what you do, no advice is possible.
Is COPY & PASTE broken for you?
Post results of
SELECT * from v$version;