CREATE ANY PROCEDURE privilege

Hello,
According to my exam prep source,
A user having the CREATE ANY PROCEDURE system privilege can also alter, drop, and execute the PL/SQL subprograms in his own schema as well as other schemas without any further privileges being required.
I have run a test and this appears to be *******. I (as SYSDBA) granted the privilege to SCOTT, created (as SCOTT) a procedure in HR, and tried (as SCOTT) to execute that procedure, and it didn't work. So it would appear my source is incorrect.
Similarly, SCOTT is unable to DROP or ALTER the procedure that he just created.
Is there any way at all to find out what other privileges, other than the obvious (create a procedure in any schema), are attached to this system privilege? This kind of information does not appear to be easy to find and it would be useful, rather than having to spend time creating and recreating scenarios to try to deduce what the "set" of privileges attached to a named privilege actually are.
Of course, what is really desired, is something that works not just for CREATE ANY PROCEDURE, but for any privilege. 
Thanks.

Your exam prep source is not correct, see the example below. I hope it wasn't a book I wrote or edited. If it was, send me the details and I'll make sure the publisher includes this in the errata. It is frighteningly easy for such things to slip through the technical edit process.
orcl> create user jw identified by jw;
User created.
orcl>
orcl> grant create session,create any procedure to jw;
Grant succeeded.
orcl> conn jw/jw
Connected.
orcl> create procedure scott.p1 as begin
  2  null;
  3  end;
  4  /
Procedure created.
orcl> exec scott.p1
BEGIN scott.p1; END;
ERROR at line 1:
ORA-06550: line 1, column 13:
PLS-00904: insufficient privilege to access object SCOTT.P1
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored
orcl> drop procedure scott.p1;
drop procedure scott.p1
ERROR at line 1:
ORA-01031: insufficient privileges
orcl>

Similar Messages

  • Does GRANT CREATE ANY PROCEDURE auto grants EXECUTE on created obj to user?

    I have a User ABC which has GRANT CREATE ANY PROCEDURE on schema XYZ. Now, I create a new Function in schema XYZ using my ID ABC named "func123". My question is, would my User ID ABC, being creator of func123, be able to EXECUTE it by default?
    Note: ID ABC has not been explicitly given GRANT EXECUTE on this func123 function, nor does it have GRANT EXECUTE ANY PROCEDURE on schema XYZ.
    Thanks in advance.

    There is no such thing as 'create any procedure on schema xyz'. When a user has create any procedure, he can create a procedure in any schema, including SYS.
    You have an unprotected and unsecured database by granting this powerful privilege to multiple users.
    Also when you create a procedure in a different schema, that schema becomes the owner, not the user creating it.
    Kindly brush up your basics and (re)read documentation.
    Sybrand Bakker
    Senior Oracle DBA

  • About "EXECUTE ANY PROCEDURE" privilege

    I found that in our EBS system a new user is granted the "EXECUTE ANY PROCEDURE" privilege by default, and it seems I cannot revoke it. Is this supposed to be?

    What is the application release?
    EBS: 12.1.1
    database: 11.1.07.0
    Is this new user a custom user or seeded one?
    It is a custom user. I used the admin account to create a new user. Only explicitly granted create session privilege.
    Do you get any error when you try to revoke it?
    No error. It works fine.
    If this is a custom schema user, you need to verify why this privilege was granted to the user and what is the impact if you revoke it (try it on a test instance first).
    It seems to be granted by default. The impact is that the user has more privileges than it is supposed to be granted.

  • Can i create any procedure or function inside a oracle reserve package?

    Hi!
    Can I create any procedure or function inside a oracle reserve package? Suppose I want to create a function called x in the dbms_output package. Can I do that? Or can I extend the features of this package and create/derive a function from it like we extend any class in Java? I'm not sure whether this is at all possible. I'll be waiting for your reply.
    Thanks in advance.
    Satyaki De.

    No, but you can write a wrapper package and use that instead of using the Built-In package directly. So, instead of calling DBMS_OUTPUT, you call your own Package.
    Steven Feuerstein wrote a wrapper for DBMS_OUTPUT, called P:
    Re: DBMS_OUTPUT.PUT_LINE

  • FLOWS_030000 and the EXECUTE ANY PROCEDURE privilege

    Our database security is cracking down on schemas with the EXECUTE ANY PROCEDURE privilege. I was wondering whether FLOWS_030000 needs to have the EXECUTE ANY PROCEDURE privilege. Could everything function correctly without it? Is there any other permission(s) that you could give it instead of the EXECUTE ANY PROCEDURE privilege?

    We (the developers) are inclined to say that this privilege can be revoked, after installation, with no adverse effects. But we have not yet proven that. If you revoke the privilege and have no problems, do let us know. We will strive to reduce the privileges of the FLOWS_xxxxxx schema in this way in post-3.1 versions.
    Keep in mind that after doing this should you need to contact Oracle Support with an Application Express problem that you should grant that privilege back and reproduce the problem before doing so, just to rule that out as a factor, and you should inform Oracle Support of this modified configuration.
    Scott

  • Dynamic SQL and GRANT CREATE ANY TABLE

    hi gurus,
    i have a dynamic SQL in a procedure where a table will be created from an existing table without data.
    strSQL:='create table ' || strTemp || ' as select * from ' || strArc || ' where 1=2';
    execute immediate strSQL;
    without GRANT CREATE ANY TABLE for the user, *"ORA-01031: insufficient privileges"* error during execution.
    Is there a way to tackle this issue without providing GRANT CREATE ANY TABLE privilege?
    many thanks,
    Charles

    ravikumar.sv wrote:
    The problem is not because of dynamic sql...

    It probably has something to do with dynamic SQL or, more accurately, dynamic SQL within a stored procedure.
    From a SQL*Plus command prompt, you can create a table if your account has the CREATE TABLE privilege either granted directly to it or granted to a role that has been granted to your account. Most people probably have the CREATE TABLE privilege through a role (hopefully a custom "developer role" that has whatever privileges you grant to users that will own objects but potentially through the default RESOURCE role). That is not sufficient to create tables dynamically via a definer's rights stored procedure. Only privileges that are granted directly to the user, not those granted via a role, are visible in that case.
    I expect that the DBAs are granting the CREATE ANY TABLE privilege directly to the account in question rather than through whatever role(s) are being used which is why that appears to solve the problem.
    Justin
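
The role-visibility check and a narrower grant for the dynamic CREATE TABLE discussed in this thread, as an added example that is not part of the original posts. APP_OWNER, CLONE_STRUCTURE and the parameter names are hypothetical; DBMS_ASSERT is an Oracle-supplied package the thread does not mention, used here to validate the two names before they are concatenated into the DDL string.

```sql
-- Added example; APP_OWNER and CLONE_STRUCTURE are hypothetical names.

-- 1. As the procedure owner in SQL*Plus: compare direct grants with grants
--    that arrive through a role.
SELECT privilege
FROM   user_sys_privs
WHERE  privilege LIKE 'CREATE%TABLE';      -- granted directly to the user

SELECT role, privilege
FROM   role_sys_privs
WHERE  privilege LIKE 'CREATE%TABLE';      -- granted to a role the user holds

-- 2. Disable roles to reproduce what a definer's rights procedure sees.
--    If CREATE TABLE disappears from this list, it was held via a role only
--    and the EXECUTE IMMEDIATE inside the procedure will raise ORA-01031.
SET ROLE NONE;
SELECT privilege
FROM   session_privs
WHERE  privilege LIKE 'CREATE%TABLE';
SET ROLE ALL;                              -- restore the default roles

-- 3. As a DBA: grant the narrow privilege directly to the owner instead of
--    CREATE ANY TABLE.
GRANT CREATE TABLE TO app_owner;

-- 4. As APP_OWNER: the same dynamic statement as in the question, with both
--    names validated before concatenation.
CREATE OR REPLACE PROCEDURE clone_structure (
  p_source IN VARCHAR2,
  p_target IN VARCHAR2
) AUTHID DEFINER
AS
  l_source VARCHAR2(300);
  l_target VARCHAR2(128);
BEGIN
  -- Raises ORA-44002 unless p_source names an existing object.
  l_source := DBMS_ASSERT.SQL_OBJECT_NAME(p_source);
  -- Raises ORA-44003 unless p_target is a simple, unqualified SQL name,
  -- so the new table can only be created in the owner's own schema.
  l_target := DBMS_ASSERT.SIMPLE_SQL_NAME(p_target);

  EXECUTE IMMEDIATE
    'create table ' || l_target ||
    ' as select * from ' || l_source || ' where 1=2';
END clone_structure;
/
```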

  • Execute any procedure???

    In order to execute the job at the allotted time, the user needs to be able to create a procedure and execute it.
    But is the execute any procedure privilege required to enable scheduling?
    What could be the reason?
    This allows the user to run procedures created by other users, right?

    Hi Visakh
    From my own notes here is what I have:
    Setting up Workbook Scheduling
    ==============================
    The workbook scheduling feature in Discoverer uses native features in the Oracle DBMS, and is therefore only available when running against the Oracle database. This feature uses the same highly scalable and reliable processing procedures within the kernel, since the summary management capability and the setup for both features is similar. These procedures use standard packages in the DBMS called DBMS_JOB.
    To enable the processing procedures for workbook scheduling in Discoverer, follow these steps:
    A. Grant Schedule Workbook Privilege to the user.
    B. Confirm that DBMS_JOBS has been installed.
    C. Specify result set storage.
    D. Set the time period at which the process kicks in.
    These procedures are described in the following sections:
    A.  Grant Schedule Workbook Privilege to the User
    The user must be granted the Schedule Workbooks privilege in the Privileges dialog. Connect to the Administration Edition, and grant the Schedule Workbooks privilege in Tools | Privileges dialog.
    B.   Confirming that DBMS_JOBS is Installed
    1. Log onto SQL*Plus as the Administrator, and execute the following SQL statement:
    SQL> select * from all_objects where object_name='DBMS_JOB' and object_type = 'PACKAGE';
    2. If you get no rows returned you need to install this package. Your DBA will know how to do it.
    C.  Specifying Result Set Storage
    When a scheduled workbook is run, the results are stored in database tables within the database. The resulting data created as part of the workbook scheduling process may be stored in one of two areas: the user's own schema or a centralized schema.
    User's Schema
    In order to enable workbook scheduling in the user's own database schema, the user requires the following database privileges:
    Create Procedure - needed to create the job
    Create Table - needed to create temporary holding table(s) for the results, each run of the same scheduled worksheet produces a new temporary table - see general notes at end for more help
    Create View - needed to pull the results from the database
    You will also need these three grants:
    SELECT ON SYS.V_$PARAMETER;
    EXECUTE ON SYS.DBMS_JOB; won't be able to execute the job without this
    UNLIMITED TABLESPACE; needed to stop user's schema running out of space while creating the table(s) of results. Discoverer does not leave it to the DBA to set artificial limits. The only way it knows for certain that it will have enough is to have this privilege.
    As you can see, execute any procedure is not needed.
    When the schedule is first created a view is created. This allows Discoverer to run that view at the scheduled time using whatever conditions and parameters you have set. The results are populated into the table when the query is run. If you subsequently have multiple sets of results you will see them named T1, T2 and so on.
    To grant these privileges, do the following:
    1. Log onto SQL*Plus or SQLDBA as the Database Administrator.
    2. Type the following:
    SQL> Grant CREATE PROCEDURE to <USER>;
    SQL> Grant CREATE TABLE to <USER>;
    SQL> Grant CREATE VIEW to <USER>;
    where <USER> is the userid of the person who is to be allowed to schedule workbooks.
    These privileges must be granted directly to the user and not to a database role.
    Advantages: A database limit can be specified on the maximum amount of data a user can store in the database. If the result set is stored under the user's schema, then you keep control over the maximum amount of space one individual user can fill with result sets. If the user creates a scheduled workbook that fills that space, it affects only his/her own scheduled workbook.
    Disadvantage: The user is required to have the above privileges in the database.
    Repository User's Schema
    In order to enable workbook scheduling using a centralized repository user's schema, the SQL script batchusr.sql must be run in SQL*Plus or SQLDBA as a database administrator (such as, SYSTEM). This script creates a new user that is granted the above privileges.
    In addition, the administrator of the EUL must change the user so that the Repository User property is pointing to the repository user's schema just created. The centralized repository user's schema may be customized by the database administrator for space management purposes and underlying data access.
    NOTE: SELECT ANY TABLE access is given by the script batchusr.sql, but this may be limited provided the repository user's schema is granted access to the underlying data that will be accessed for workbook scheduling.
    The repository user created will not be able to directly schedule a workbook through the User Edition.
    Advantages: Each user does not need DML procedures to run scheduled workbooks.
    Disadvantages: One user can potentially run a scheduled workbook that fills the available result set space, preventing other scheduled workbooks from running until it is cleared.
    D.  Setting the Start Time for Workbook Processing
    The workbook processes run within the database on the server, and are controlled by parameters in the initialization file of the Oracle DBMS - the INIT<SID>.ORA file.
    To limit the number of processing requests that can run simultaneously:
    The parameter job_queue_processes specifies the number of concurrent processes to use to process DBMS_JOB. It controls the number of processing requests that can be handled simultaneously. The default value is zero, which means processing requests will not be created. You should set it to a minimum of 2 or more if you have any other applications that use DBMS_JOB.
    You need more than one job queue process, because if one job fails for any reason, it may keep getting re-submitted, and thus, prevent everything else in the queue from being completed. If you want to have 10 simultaneous processing requests handled, then you will need to set this to 10.
    The INIT<SID>.ORA parameter job_queue_interval is the time in seconds that controls how often the job processes wake up to process pending jobs. The default is 60, which is quite frequent. What you set this to depends on how frequently you want the process to wake up and serve the requests that have been made. Oracle recommends that you update the 60 seconds default to at least 10 minutes (a value of 600).
    NOTE: This parameter also affects summary management.
    To enable these parameters:
    1. Locate the INIT<SID>.ORA file.
    For example, on Personal Oracle7 the INIT<SID>.ORA file is held in <ORACLE_HOME>\database. Its default name is INITORCL.ORA where ORCL is the <SID> name.
    2. Enter 2 lines into the file. For example:
    job_queue_processes = 2
    job_queue_interval = 600 (equivalent to 10 minutes)
    GENERAL NOTES:
    The summary management and workbook scheduling features both use this scheduling capability within the Oracle DBMS. The interval you specify and the number of concurrent requests affect both features.
    The results from the worksheet are held in a temporary table until you remove the results or you delete the scheduled workbook.
    Tables look like this: EUL5_B060914015847Q1R1
    Views look like this: EUL5_B060914015847Q1V1
    These temporary tables are stored within the schema of the user who owns the workbook - not within the standard EUL schema. The format of the table is as follows:
    EUL5_B060914015847Q1R1 which can be broken into six separate pieces.
    These pieces are as follows:
    EUL5_ B YYMMDD HHMISS Q9 R9, where
    EUL5_ is a fixed name
    B means Batch and is a constant
    YYMMDD is the date that the worksheet was run,
    HHMISS is the time when the worksheet was run, the time is in the 24 hour clock format,
    Q9 means this is the letter Q followed by a number - E.g. Q1, which signifies the query number. I believe Oracle have some plans to allow multiple queries but for now this is always Q1,
    R9 means this is the letter R followed by a number - E.g. R1, R2 and so on. This is the run number.
    Using the above logic therefore, this is a valid example:
    EUL5_B090914015847Q1R1
    This means this is result set number 1 for query 1, run at 1:58:46 AM on 14th September 2009.
    So if you can figure out which worksheet was scheduled and when it was run you can build a view that sits on top of the latest table to give you the latest results. Something else which adds interest here is that the column names within the table do not match the column names as in your original query. The scheduled results column names use generic names such as BRVC1, BRVC2, BRD1, BRD2, BRN1 and BRN2.
    These are codes and can be interpreted as follows:
    BRVC1 and BRVC2 mean Batch Result Var Char 1 and 2,
    BRD1 and BRD2 mean Batch Result Date 1 and 2,
    BRN1 and BRN2 mean Batch Result Number 1 and 2
    Best wishes
    Michael

  • Procedure privileges

    Hello,
    I have given the system privilege 'create any procedure' so that the users of the development team can see the package body and the contents of the procedures of other schemas.
    The issue that we have is that with this privilege the users of the development team can compile these types of objects, and that is something that we would like to remove from them.
    Does anyone know what options do we have?
    Regards,

    Where/ how are the developers trying to see the source?
    Many GUIs will only show the source for packages that a user has the ability to execute. That is not an Oracle restriction, that is a restriction of the particular tool.
    If you give the developers SELECT access on DBA_SOURCE, they can view the source code for any object in the database (you could grant the developers access to just that data dictionary view, but I would tend to think that giving them SELECT ANY DICTIONARY (or SELECT_CATALOG_ROLE) in development would be appropriate). That may or may not allow them to view the source in their favorite GUI, but that is a GUI issue not an Oracle privileges issue.
    Justin

  • Granting system privileges DEBUG ANY PROCEDURE and CONNECT SESSION in 10gXE

    I am using Oracle DB 10g Express Edition and trying out SQL Developer. Whenever I want to debug a procedure I got the error:
    This session requires DEBUG CONNECT SESSION and DEBUG ANY PROCEDURE user privileges.
    But I don't see these privileges to grant in the XE GUI for users.
    Does anybody know if this is supported in XE.
    Thanks.

    Hi
    Use SQL*Plus (or the apex interface), log on as dba and type these SQL statements:
    grant DEBUG CONNECT SESSION to <username>;
    grant DEBUG ANY PROCEDURE to <username>;

  • Why doesn't the "grant execute any procedure" work?

    Hi to all.
    I want to grant the execute privilege for all SYS schema functions/procedures. To achieve it I do the following:
    SQL> connect sys/*****@orcl
    Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.4.0
    Connected as SYS
    SQL> create user test identified by test;
    User created
    SQL> grant create session to test;
    Grant succeeded
    SQL> grant execute any procedure to test;
    Grant succeeded
    According to the [http://download.oracle.com/docs/cd/B19306_01/server.102/b14200/statements_9013.htm] the "grant execute any procedure" - grants Execute procedures or functions, either standalone or packaged.
    So, the steps seem to be right. Then, I try to connect to the test user and execute any procedure from the SYS schema, for example, dbms_lock.sleep:
    SQL> connect test/test@dizzy/orcl
    Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.4.0
    Connected as test
    SQL> begin
    2 sys.dbms_lock.sleep(1);
    3 end;
    4 /
    begin
    sys.dbms_lock.sleep(1);
    end;
    ORA-06550: line 3, column 1:
    PLS-00201: identifier 'SYS.DBMS_LOCK' must be declared
    ORA-06550: line 3, column 1:
    PL/SQL: Statement ignored
    So, the execution fails due to insufficient rights. However, the direct grant on the sys.dbms_lock works!
    SQL> connect sys/*****@dizzy/orcl as sysdba
    Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.4.0
    Connected as SYS
    SQL> grant execute on dbms_lock; to test;
    grant execute on dbms_lock; to test
    ORA-00911: invalid character
    SQL> grant execute on dbms_lock to test;
    Grant succeeded
    SQL> connect test/test@dizzy/orcl
    Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.4.0
    Connected as test
    SQL> begin
    2 sys.dbms_lock.sleep(1);
    3 end;
    4 /
    PL/SQL procedure successfully completed
    So, to be sure that the grant on any procedure from the definite scheme is given, should I avoid giving the execute any procedure grant?
    P.S. Is there any special tag for code?
    Thanks in advance.

    Sybrand, thank you for the reply.
    You are right. I tried to connect by another user NOT SYS and created the function:
    SQL> create user testic identified by i;
    User created
    SQL> grant create session, execute any procedure to testic;
    Grant succeeded
    SQL> create or replace function get1 return number is
      2  begin
      3  return 1;
      4  end;
      5  /
    Function created
    SQL> connect testic/i@orcl
    Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.4.0
    Connected as testic
    SQL> select get1 from dual;
    select get1 from dual
    ORA-00904: "GET1": invalid identifier
    SQL> select kaisa_rgali.get1 from dual;
          GET1
             1
    Thank you for the tag. This is exactly what I asked about.
    Finally, I tried to open the hyperlink http://download.oracle.com/docgs/cd/B10501_01/server.920/a96521/privs.htm but it failed.

  • How can we give a user, alter procedure privilege on only one procedure of another schema.

    Scenario:
    User A owns a procedure called 'TESTPROCEDURE'.
    User B has execute privilege on 'TESTPROCEDURE';
    Now I want to give user B alter procedure privilege for only one procedure, i.e. 'TESTPROCEDURE';
    I do not want to give ALTER ANY PROCEDURE to user B since the user just wants to alter only 1 procedure.
    How can we do that?
    Thanks & regards,
    Mohd Shahid Shaikh.

    Why do you want to do this?
    If I'm allowed to alter a procedure, I can alter it to do something completely different.  I can modify the procedure to do anything that B can do.  If that's what you want to allow, why not just log in as A?
    There is no way to grant B the ability to alter a single procedure.  You could, I suppose, create another procedure in A that accepts a DDL statement as a string, checks to see if it meets your criteria, and then executes it.  You could then grant B the ability to execute this new procedure.  A could then send an appropriate CREATE OR REPLACE PROCEDURE statement to the new procedure that replaces TestProcedure.  But that's a fair amount of effort and complexity to deal with (particularly when there are errors)-- if you can explain the underlying business problem, we may be able to help you come up with alternate technical solutions.
    Justin

  • EXECUTE ANY PROCEDURE issue

    Hi,
    I have read somewhere that EXECUTE ANY PROCEDURE is one of the most dangerous privileges. Could you please help me understand it? I mean, how exactly is this privilege dangerous, and if at all it is, then what is the purpose of providing this privilege as an in-built privilege?
    Thanks in advance.
    Onkar

    onkar.nath wrote:
    I do agree that when we assign any privilege with ANY, it has security risk as it allows the user to perform activity in any of the existing schemas in the system but my concern here is:
    1. Why at all this gets created when it is a security threat?

    Because there is always a DBA, who needs to perform system wide things.

    2. I was also told that having this privilege, any user can execute one specific procedure attaining DBA privilege. Is that correct? If so then how?

    check the second response of this thread.

    Thanks

    regards

  • Checking for EXECUTE privileges on any Procedure or Function

    Hi All,
    I know that the table DBA_SYS_PRIVS can be used to check the privileges for any object.
    But after querying the view, I could see the privileges on diff packages and other tables but could not find any Procedure or Function name (standalone or packaged) in the view.
    Where else could I find the same?
    Having execute privilege on a complete package means having the same on its contents (procs, functions etc.). Is this right?
    Rgds,
    Aashish S.

    Aashish,
    You have object privileges (CREATE TABLE, ALTER TABLE) and system privileges (ALTER SYSTEM, ALTER USER). They serve different purposes.
    DBA_SYS_PRIVS is for system privileges only.
    You can not have seen privileges on packages, at least not EXECUTE privileges.
    These are in DBA_TAB_PRIVS.
    Packages are granted at the package level.
    Sybrand Bakker
    Senior Oracle DBA
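
The distinction drawn in this answer, and the audit the opening thread and the EXECUTE ANY PROCEDURE threads circle around, written as dictionary queries. This is an added example, not code from any of the posters; it assumes an account that can read the DBA_ views, and it reuses SYS.DBMS_LOCK from the thread above as the sample object.

```sql
-- Added example; run as an account with access to the DBA_ dictionary views.

-- 1. System privileges: every user or role holding an ANY PROCEDURE
--    privilege directly (CREATE, ALTER, DROP, EXECUTE, DEBUG ...).
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '%ANY PROCEDURE'
ORDER  BY privilege, grantee;

-- 2. The same privileges reaching a user through a chain of roles.
--    With no START WITH clause every role grant is a root, so
--    CONNECT_BY_ROOT yields the original grantee for each reachable role.
SELECT DISTINCT
       rp.root_grantee AS username,
       sp.privilege,
       rp.granted_role AS via_role
FROM  (SELECT CONNECT_BY_ROOT grantee AS root_grantee,
              granted_role
       FROM   dba_role_privs
       CONNECT BY NOCYCLE PRIOR granted_role = grantee) rp
JOIN   dba_sys_privs sp ON sp.grantee  = rp.granted_role
JOIN   dba_users     u  ON u.username  = rp.root_grantee
WHERE  sp.privilege LIKE '%ANY PROCEDURE'
ORDER  BY username, sp.privilege, via_role;

-- 3. Object privileges: EXECUTE on one package lives in DBA_TAB_PRIVS,
--    where TABLE_NAME holds the object name whatever the object type.
--    The grant is at package level; there is no row per packaged
--    procedure or function.
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  privilege  = 'EXECUTE'
AND    owner      = 'SYS'
AND    table_name = 'DBMS_LOCK'
ORDER  BY grantee;
```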

  • Grant create any database link to user1 ?

    Hello. Thank you for helping.
    Is there a way to do something like this:
    grant create any database link to user1 ?
    I tried to create a database link from a procedure, but got an error: Insufficient Privileges.
    Any suggestions greatly appreciated.

    Thank you, again.
    I granted create dblinks to the users/schema with the SP, but the error still occurs: Insufficient Privileges.
    In order for the SP to succeed, the user who runs the SP should have permissions to create database links.

    The SP that is creating a public dblink is executed from another SP on another server across another dblink.
    My goal is to create dblinks on all my servers from one central server, as needed in a very dynamic environment in terms of dblinks where servers are added and replaced often.
    Do I need to grant create dblink on the external servers as well?
    DDL should be run once at application installation time & stored source code version system.
    It is bad code to create DB objects on the fly from stored procedures, IMO.

    I realize this is true under normal circumstances, but in this case there are zero security concerns -- all that matters is efficiency in terms of the amount of work required to create dblinks on all my servers (several dozen in a private research environment with only one user).
    Any more suggestions are greatly appreciated.

  • Please Help: create a procedure that needs a sys view

    Hi gurus,
    I am trying to create a stored procedure that opens a cursor for a select on a view owned by sys, but the errors says table or view does not exist. I can select * from the view (sys.mgw_gateway) from SQL*Plus or any other tool. Anyone have an idea why I get the ORA-00942: table or view does not exist error when I try to create a procedure? Here is the simple SQL statement for the procedure (I just want the users to see if the messaging gateway is running) and that's all in it.
    open p_MGWStatus for
         select AGENT_STATUS, AGENT_PING, to_char(LAST_ERROR_DATE, 'mm/dd/yyyy hh24:mi') as LastErrorDate,
         LAST_ERROR_MSG
         from sys.mgw_gateway;
    Thanks a lot.
    Ben

    Hi
    To allow the view owned by sys in a procedure, you have to grant select on that particular view to the owner of that procedure.
    Suggestion: may or may not be acceptable: create your own view in system schema (if it has the privilege to select that view else in sys schema) with the required column of the sys view and grant this newly created view to the owner of the procedure.
    Regards
    Oops! Very late reply
    Message was edited by:
    Anurag Tibrewal
