Account repeatedly GRANTs itself privileges to a hidden type
We have noticed a situation where an account is repeatedly GRANTing itself privileges to a hidden type - a SQL type that mirrors a type hidden in a PL/SQL package.
The background:
Schema USER has execute privilege on package OWNER.PKG.
OWNER.PKG is like below:
PACKAGE owner.pkg AS
TYPE rec IS RECORD(...);
TYPE tab IS TABLE OF rec;
FUNCTION func RETURN tab PIPELINED;
END;
The result:
Type OWNER.PKG.TAB is mirrored in the database as type SYS_PLSQL_999999_100_1.
Whenever USER connects and queries SELECT * from TABLE(OWNER.PKG.FUNC), it then GRANTs itself execute on SYS_PLSQL_999999_100_1.
The question:
Is this just how PL/SQL -> SQL type mirroring works, or is something misconfigured? Will USER keep granting itself privileges on the type?
Jeff Klein wrote:
We have noticed a situation where an account is repeatedly GRANTing itself privileges to a hidden type - a SQL type that mirrors a type hidden in a PL/SQL package.
The background:
Schema USER has execute privilege on package OWNER.PKG.
OWNER.PKG is like below:
PACKAGE owner.pkg AS
TYPE rec IS RECORD(...);
TYPE tab IS TABLE OF rec;
FUNCTION func RETURN tab PIPELINED;
END;
The result:
Type OWNER.PKG.TAB is mirrored in the database as type SYS_PLSQL_999999_100_1.
Whenever USER connects and queries SELECT * from TABLE(OWNER.PKG.FUNC), it then GRANTs itself execute on SYS_PLSQL_999999_100_1.
The question:
Is this just how PL/SQL -> SQL type mirroring works, or is something misconfigured? Will USER keep granting itself privileges on the type?
How do I ask a question on the forums?
SQL and PL/SQL FAQ
How can we reproduce what you report?
Similar Messages
-
I am running version 3.0.6.6.5 on Solaris 2.6 and using Netscape Navigator 4.51.
On the Grant Object Privileges Page for a database object, the "Add to List" button is in an odd spot (crosses over a border) and does not work unless you click it on the left 1/3 of the button. This is not a problem when using IE 5.
Is this a known bug?
Fran Bailey
EDS - Meredith Account
I logged in as User1 and wrote:
desc dbms_lock
and nothing happened, then I disconnected and connected to db1 as User1 and retried and it was all the same (didn't assign the privilege). Then I shut down SQL Plus and started it again as sys, and when I ran EXECUTE ON DBMS_LOCK the message is shown:
SP2-0103: Nothing in SQL buffer to run
Then I logged in as User1 and repeated the EXECUTE ON DBMS_LOCK command; the same error message is thrown. The same happened when I tried with desc dbms_lock.
Am I doing something wrong or what?
-
Which view I can query to get the granted objects privilege to a user?
Hi all,
which view I can query to get the granted objects privilege to a user?
for example:
grant execute on accounting.get_name to scott;
Which view has above object granted information?
Thanks
SQL> select * FROM all_tab_privs where grantor = upper('accounting');
no rows selected
-
Grant Administrator privileges to users
Post Author: mwong
CA Forum: crystalreports.com
Problem Description:
I need to grant Administrator privileges to one of my users. How do I do that? He needs to upload the reports and invite the users to view them.
Post Author: mwong
CA Forum: crystalreports.com
Hi
As of Dec 16, 2007, administrator can now grant administrator privileges to other users. We have added a new Administrators group in the users tab. There are 3 scenarios for adding users to the Administrators group:
Scenario 1: New user - If the user does not currently exist within your crystalreports.com account, you can add the new Administrator by clicking the Administrator user group on the Users tab and then clicking Add User.
Scenario 2: Existing user added before December 15, 2007 - If the user is already in your crystalreports.com account and was added before December 15, 2007, send an email to crystalreports.com Support at [email protected] with the user's email address. Support will notify you when the user is ready to be upgraded to Administrator status. Once you receive approval, you can then add the user to the Administrator user group on the Users tab.
Scenario 3: Existing user added after December 15, 2007 - If the user is already in your crystalreports.com account and was added after December 15, 2007, as a Member, you can add the new Administrator by clicking on the Administrator user group on the Users tab and then clicking Add User. If the user was added after Dec. 15, 2007 as a Guest, you must follow the instruction in Scenario 2.
After completing any of the three scenarios above, the new Administrator user will now have full rights to add users, upload or publish reports, and manage your crystalreports.com account.
thanks!
Michelle
Certain criteria must be met for an account to become an Administrator.
See ALSO: http://technicalsupport.businessobjects.com/cs/forums/thread/14541.aspx
-
Grant select privilege to specific columns on a table to user in Oracle 9i
Can anyone tell me how to grant select privilege to a user for specific columns in a table?
I have tried the following statement
GRANT SELECT (EMP_ID) ON EMP TO USER1
But it's not working and I am getting this error "Missing ON Keyword".
Please anyone tell me how to grant select privilege for specific columns.
Edited by: 899045 on Nov 24, 2011 7:03 AM
899045 wrote:
Can anyone tell me how to grant select privilege to a user for specific columns in a table?
I have tried the following statement
GRANT SELECT (EMP_ID) ON EMP TO USER1
But it's not working and I am getting this error "Missing ON Keyword".
Please anyone tell me how to grant select privilege for specific columns.
Edited by: 899045 on Nov 24, 2011 7:03 AM
From the 9.2 SQL Reference manual, found at tahiti.oracle.com (http://docs.oracle.com/cd/B10501_01/server.920/a96540/statements_912a.htm#2062456)
"You can specify columns only when granting the INSERT, REFERENCES, or UPDATE privilege."
-
Granting table privileges on another users tables
Can anyone tell me what privilege needs to be granted to a user to be able to grant insert/update/select/delete/execute on another users tables/packages?
I had thought that 'grant any privilege' was the one to have... and - the user I am trying to use to grant the privileges on the other users schema has this however - I'm still getting : ORA-01031: insufficient privileges when trying to run the grants.
Any ideas what I'm doing wrong here?
Ok... well...
The 'with grant' option doesn't appear to be the issue.
The user attempting to perform the grants:
i.e. GRANT SELECT ON user_2.table_1 TO view_role
has the 'grant any object privilege' and - that seems to be enough. When I run the statement above as simply as typed - it works fine.
However - what I'm actually doing is concatenating that together in a string and running (from a package created by/as user_1) and doing an execute immediate...
i.e.
l_sql := 'GRANT ' || l_rec.privilege || ' ON ' || l_rec.owner || '.' || l_rec.table_name || ' TO ' || p_role;
EXECUTE IMMEDIATE l_sql;
And - it's this that's giving me the insufficient privileges...
I do not have invokers rights set on the package - so that shouldn't be an issue. And - I can't find any documented restriction on doing this (and - in fact - it works fine if I create the package as user_2 and run it as user_2 - the owner of the objects).
I'm at a loss. -
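Added example, not part of the original post: the concatenated GRANT from the "Granting table privileges on another users tables" post above, with every piece validated before EXECUTE IMMEDIATE so the string cannot be steered into a different statement. The procedure and parameter names are hypothetical; DBMS_ASSERT is Oracle's supplied package.

```sql
-- Added example; grant_checked and its parameter names are hypothetical.
CREATE OR REPLACE PROCEDURE grant_checked (
  p_privilege IN VARCHAR2,
  p_owner     IN VARCHAR2,
  p_object    IN VARCHAR2,
  p_role      IN VARCHAR2
) AS
  l_priv  VARCHAR2(30) := UPPER(TRIM(p_privilege));
  l_owner VARCHAR2(130);
  l_obj   VARCHAR2(130);
  l_role  VARCHAR2(130);
  l_sql   VARCHAR2(500);
BEGIN
  -- A privilege keyword can be neither bound nor quoted, so it is
  -- compared against a fixed allow-list instead.
  IF l_priv IS NULL
     OR l_priv NOT IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'EXECUTE') THEN
    RAISE_APPLICATION_ERROR(-20001, 'Privilege not allowed');
  END IF;

  -- SCHEMA_NAME is case-sensitive and raises ORA-44001 unless the value
  -- names an existing schema.
  l_owner := DBMS_ASSERT.ENQUOTE_NAME(
               DBMS_ASSERT.SCHEMA_NAME(UPPER(TRIM(p_owner))));

  -- SIMPLE_SQL_NAME raises ORA-44003 for anything that is not a single
  -- identifier (spaces, dots, semicolons, comment markers, ...).
  l_obj  := DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(p_object));
  l_role := DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SIMPLE_SQL_NAME(p_role));

  -- Only validated, double-quoted identifiers reach the statement text.
  l_sql := 'GRANT ' || l_priv || ' ON ' || l_owner || '.' || l_obj
           || ' TO ' || l_role;
  EXECUTE IMMEDIATE l_sql;
END grant_checked;
/

-- Constructed calls:
--   grant_checked('select', 'user_2', 'table_1', 'view_role')
--     builds: GRANT SELECT ON "USER_2"."TABLE_1" TO "VIEW_ROLE"
--   grant_checked('select', 'user_2', 'table_1 TO PUBLIC --', 'view_role')
--     stops at SIMPLE_SQL_NAME with ORA-44003; nothing is executed
```

Separately from input validation: inside a definer's-rights unit, privileges held only through a role are not in effect, so the package owner needs its grant privilege given directly. The post does not say how user_1 holds it.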
Granting object privileges to remote users.
Hello,
Here's the situation:
I have 2 databases located on 2 different servers both running Win2k3. In the first database the main schema is M1 and it has to read objects on another schema M2, located on the second database.
I created a database link on the first database, to point to the second database
create database link connect2M2db connect to M2 identified by M2 using 'connect2M2db'
Now I would like to grant object privileges (insert, update, delete) to M1 on M2's objects. Can anyone tell me how to do that?
Thanks in advance.
I didn't put the whole thing, (my bad) but your reply was helpful. As I said before, I have 2 dbs, on 2 different servers. I created the dblink on the first server. I also created synonyms on the first server using the following syntax:
"create or replace synonym syn_name for user2.table" which from the link you provided me, is wrong as I didn't append the dblink name.
After that, I would like to grant object privileges to user1, by executing the command from server2. For doing that, is the following syntax correct: "grant select on table_name to user1". My issue is that user1 does not exist on server2. Should I rather use the following: "grant select on table_name@dblink to user1"? -
JMS grant queue privileges problem
I have two test users set up in different schemas. They each have their own identical queue tables and queues in their own schemas.
One of the users cannot seem to grant queue privileges to the main schema owner. The error is as follows:
Eception: oracle.jms.AQjmsException: JMS-122: Internal error payload object type must be specified
at oracle.jms.AQjmsDestinatio.grantQueuePrivilege(AQjmsDestination.java:406)
at src.AQSetup.jmsInitializeQueue(AQSetup.java:246)
the offending code is as follows:
cq_conn = AQjmsQueueConnectionFactory.createQueueConnection(p_conn);
// create queue session
commQSession = cq_conn.createQueueSession(true, Session.AUTO_ACKNOWLEDGE);
// AUTO_ACKNOWLEDGE
try {
    cQTable = ((AQjmsSession)commQSession).getQueueTable(userID, QueueTableName);
} catch (AQjmsException e) {
    // lookup failed, so create the queue table
    cQTable = createJMSQueueTable(commQSession, userID, QueueTableName);
}
try {
    cQueue = ((AQjmsSession)commQSession).getQueue(userID, QueueName);
} catch (AQjmsException e) {
    // lookup failed, so create the queue
    cQueue = createJMSQueue(commQSession, cQTable, QueueName);
}
((AQjmsDestination)cQueue).grantQueuePrivilege(commQSession, "ENQUEUE", "icowner", false);
with the error coming from the last line and the referenced table and queue definition code as follows:
private AQQueueTable createJMSQueueTable(QueueSession q_sess, String userID, String q_tableName) {
    try {
        AQQueueTableProperty qtable_prop = null;
        AQQueueTable cq_table = null;
        // Create an AQQueueTableProperty object (payload type - BYTES):
        qtable_prop = new AQQueueTableProperty("SYS.AQ$_JMS_TEXT_MESSAGE");
        // Create a queue table called command_table in user schema:
        cq_table = ((AQjmsSession)q_sess).createQueueTable(userID, q_tableName, qtable_prop);
        return cq_table;
    } catch (Exception ex) {
        return null;
    }
}
private Queue createJMSQueue(QueueSession q_sess, AQQueueTable q_table, String q_name) {
    try {
        AQjmsDestinationProperty dest_prop = null;
        Queue lq_queue = null;
        dest_prop = new AQjmsDestinationProperty();
        // create a queue
        lq_queue = ((AQjmsSession)q_sess).createQueue(q_table, q_name, dest_prop);
        return lq_queue;
    } catch (Exception ex) {
        return null;
    }
}
both users seem to have the same privileges.
Can you tell me if it is an error in my code and what that is?
- Ken
Might be a bug.
Do you get the error when
createQueue is followed by grantQueuePrivilege OR
getQueue is followed by grantQueuePrivilege.
-
Grant sequence privilege issue
Hi,
OS is windows server 2008
Database oracle 11g r2
I have created a schema with name SME having DBA privilege. From SME I have created another user SME_USER using the same tablespace of SME with limited privileges. The sequence was created in SME user. I am accessing the tables from SME schema. I have given insert privilege to one of the table in SME to SME_USER, but while inserting we are using the sequence with name IPSRNO from SME schema. Now when I tried to insert value into the table from SME_USER it's giving me the output "Sequence does not exist". I have given the grant select privilege for sequence IPSRNO.
Please guide me on this issue.
Regards,
Bobby
See Using Synonyms in DML Statements in the DBA guide
http://docs.oracle.com/cd/B28359_01/server.111/b28310/views003.htm
>
You can successfully use any private synonym contained in your schema or any public synonym, assuming that you have the necessary privileges to access the underlying object, either explicitly, from an enabled role, or from PUBLIC. You can also reference any private synonym contained in another schema if you have been granted the necessary object privileges for the underlying object.
You can reference another user's synonym using only the object privileges that you have been granted. For example, if you have only the SELECT privilege on the jward.emp table, and the synonym jward.employee is created for jward.emp, you can query the jward.employee synonym, but you cannot insert rows using the jward.employee synonym.
A synonym can be referenced in a DML statement the same way that the underlying object of the synonym can be referenced. For example, if a synonym named employee refers to a table or view, then the following statement is valid:
INSERT INTO employee (empno, ename, job)
VALUES (emp_sequence.NEXTVAL, 'SMITH', 'CLERK');
If the synonym named fire_emp refers to a standalone procedure or package procedure, then you could execute it with the command
EXECUTE Fire_emp(7344); -
Bug: Grant/Revoke Privileges (11.1.0.5.10 Beta)
Started getting this when attempting to change Privileges on a proc:
"Could not launch the Grant/Revoke Privileges dialog:
Value was either too large or too small for an Int32."
This is happening consistently on one database but not on another.
John
I am also seeing this bug. When I right click on anything in the Server Explorer under my ODP based connection, I get this same message. It happens when I right click on any table icon and select "Privileges..."
-Valkyrie-MT -
How to grant view privilege for Instant Portal to public users?
How to grant view privilege for Instant Portal to public users?
Oracle Instant Portal was designed to offer secure access to company and departmental information, and it isn't currently possible to make instant portal pages public.
-
DP93 SD document item is not account assigned to itself
HII,
While running TA DP93 getting error "Sales and distribution document item is not account assigned to itself".
I have implemented the note 1343813... after technical analysis in the vbap (item table) it's not storing object number.
Could you please share your views..
Thanks & Regards,
Siva
HI,
EK01 condition has no value updated with actual price and I have linked the object number of sales order item to DIP Profile.. still no clue why the object number in VBAP has no value.... in order to process DP93 TA it's checking Sales order item object number.
Thanks & Regards,
Siva
-
I want to grant select privileges on all tables and views belonging to database xyz to the user abc.
What's the best way to do that?
Message was edited by: Diarmuid - 11/07/07
user580522
I beg to differ. Of course OP can try to 'GRANT SELECT ANY TABLE'. It's just a matter of his own privileges if he succeeds or not.
To OP: Reading about GRANT might help:
http://download.oracle.com/docs/cd/B19306_01/server.102/b14200/statements_9013.htm#i2077938
Note this part from the docs:
To grant a system privilege, you must either have been granted the system privilege with the ADMIN OPTION or have been granted the GRANT ANY PRIVILEGE system privilege. -
Install Photoshop Elements with an account that has administrative privileges
I will be upgrading to photoshop elements 12 and read that it was necessary to install photoshop elements with an account that has administrative privileges. I'm not sure how to do this.
Waltard wrote:
I guess I’m wondering if I upgrade to photoshop elements 12 whether the problem will continue with 12
There is no problem with any of the PSE versions. I have used version 10, version 11 and version 12 in trial mode and I didn't see any problems with any of them.
Your case is unique in that you have only one user account on the machine and so by default that account has all the privileges of an Administrator.
also, you don't need to uninstall anything; Version 10 and version 12 can work from your one machine. they are installed on separate folders so don't worry about having old version on your machine.
Just go ahead and install version 12. You can download a trial version of PSE12 and it has all the features and functions of the boxed version that you can buy from Amazon or some big name stores. After installing the trial version, you can use it for 30 days and by that time you will have made up your mind whether 12 is better for your need. If you like it, all you need to do is to buy the boxed version and use the serial number to activate what is already on your machine. You don't need to re-install it using the DVDs in the box.
Hope this helps. -
Grant any privilege, privilege
About 4 weeks ago I got some much appreciated assistance in setting up my environment so that a user could grant object privileges on objects in another user's schema. This solution required a function to be built in the schema which owned objects.
I just found the 'GRANT ANY PRIVILEGE' privilege. Anyone know when this came about (we're using 10g) and if there's any problem to granting this?
We have the init param O7_DICTIONARY_ACCESSIBILITY set to False. Will we be able to keep people of the SYS schema?
-cf
Let me specify, I was referring to the GRANT ANY OBJECT PRIVILEGE above, although I do see the GRANT ANY PRIVILEGE out there as well.
-cf