Database roles

Hello, please, I have a question:
Is there any way to find out roles that belong to the database only (e.g. EXECUTE_CATALOG_ROLE, GATHER_SYSTEM_STATISTICS, etc.)? If I query the dba_roles table, it selects all the roles, including application ones.
Thanks in advance.

Each database version may have its own predefined roles; these cannot be derived from DBA_ROLES, only from documentation. For 10g:
5.2.7 Predefined Roles
The following roles are defined automatically for Oracle Database:
CONNECT
RESOURCE
DBA
EXP_FULL_DATABASE
IMP_FULL_DATABASE
These roles are provided for backward compatibility to earlier versions of Oracle Database and can be modified in the same manner as any other role in an Oracle database.
Note:
Each installation should create its own roles and assign only those privileges that are needed, thus retaining detailed control of the privileges in use. This process also removes any need to adjust existing roles, privileges, or procedures whenever Oracle Database changes or removes roles that Oracle Database defines. For example, the CONNECT role now has only one privilege: CREATE SESSION. Both CONNECT and RESOURCE roles will be deprecated in future Oracle versions.
Werner

Similar Messages

  • BC4J temp tables & database role

    There are two essential BC4J temp tables (PCOLL_CONTROL, PS_TXN), along with others: http://www.oracle.com/technetwork/developer-tools/jdev/overview/bc4j-temp-tables-087270.html
    We have 'sysadmin' role associated in our Development DB, the passivation store table PS_TXN is populated as expected.
    However, in our production DB, we ONLY manually created the two above tables granted with Insert/Delete/Update/Select permissions (DBA will NOT agree to assign 'sysadmin' role), PS_TXN is not populated at all, which results in some session management issue in our application.
    So the question is: What is the proper database role to associate with for the temp tables to work properly (in our case, we use SQL server data source).
    Thank you,

    Mike, you need at least to add a sequence (PS_TXN_SEQ if I remember right) do you need to add a grant to create a sequence.
    Timo

  • How do I add a securable to a database role?

    I have a database where the stored procedures used by SSRS reports have to be added as securables to the db_execproc database role.
    Easy enough to do with SSMS but despite much searching, I can't see how to script that. With the Database Role Properties open, the securables page selected and one of the securable stored procedures selected including the Explicit Execute Grant, I tried clicking the Script button at the top of that dialogue. It tells me no action to script. What's the point of that button then, if it won't script that for me?
    Yeah, bad practice to do it that way but I don't have the authority to change things so best thing in the circumstances is to code it.
    Nick Ryan SQL Server Developer OnePath (NZ) Ltd

    The script button will produce a script only if you made any changes - i.e., if you were to click the OK button on the Properties dialog that would have applied some changes to the existing properties. 
    In any case, if you want to grant execute privilege to a stored proc, the script would be
    use [YourDBName]
    GO
    GRANT EXECUTE ON [dbo].[YourStoredProc] TO [YourRollName]
    GO

  • Discoverer 4i error msg "A database role exists which confilcts with this username"

    When I try to open workbooks -> from database, I get a Discoverer 4i error msg "A database role exists which confilcts with this username" with only an "OK" button in the window. The database works fine for Discoverer 3.1. After clicking on the OK button, I get an empty list of workbooks to open. If I create a new workbook & try to save it, I see the list of dozens of workbooks in the database.
    Which role is it complaining about? How can I fix this?

    What you will have to do is log into the database as a user with DBA privileges, query the DBA_ROLES table (SELECT * FROM DBA_ROLES) and see what role exists that has the same name as the user you are logging in as... that should give you a direction to either rename the role, or drop the user and recreate it with a unique name... Good Luck!

  • How to create database roles  ?

    Hi ,
    i am trying to create database roles,
    what is the best way to do that ?
    I want to be able to create the following database roles on my local machine:
    CSDExec
    CSDAdmin     
    TCFBurOps     
    TCFAreaLieutenants     
    TCFCourtSupervisors
    More to this problem, each role will be accessing an X number of tables , not all.
    Also, I will be creating the same roles on the Dev Box at the client site.
    What is the best way to do it in ?
    Should I use a procedure, package, etc.
    Please help me with examples:
    This is my first time creating database roles.
    I am using SQL Developer
    thanks,

    Hi,
    For things like that, I use SQL*Plus scripts, containing the CREATE ROLE and GRANT commands.
    Often, in the Development database, I build these scripts a little at a time, commenting out commands after I've done them. Then, when I'm ready to make the changes in the Test and Production databases, I remove the comments.
    For example, on Monday I may create a role and grant some privileges, so I write and run a script like this:
    CREATE ROLE     firbolig_user;
    GRANT SELECT      ON  table_x      TO firbolig_user;
    GRANT EXECUTE      ON  pkg_a       TO firbolig_user;
    On Tuesday, I create another table, and change the script to this:
    /*     *****  This section has already been done in Development  *****
    CREATE ROLE     firbolig_user;
    GRANT SELECT      ON  table_x      TO firbolig_user;
    GRANT EXECUTE      ON  pkg_a       TO firbolig_user;
    */
    GRANT SELECT      ON  table_y      TO firbolig_user;
    and run it.
    On Wednesday, I decide I need another role, so I change the script to this:
    /*     *****  This section has already been done in Development  *****
    CREATE ROLE     firbolig_user;
    GRANT SELECT      ON  table_x      TO firbolig_user;
    GRANT SELECT      ON  table_y      TO firbolig_user;
    GRANT EXECUTE      ON  pkg_a       TO firbolig_user;
    */
    CREATE ROLE     firbolig_admin;
    GRANT          firbolig_user     TO firbolig_admin;
    GRANT SELECT, INSERT, UPDATE, DELETE
              ON table_x     TO firbolig_admin;
    GRANT SELECT     ON table_z     TO firbolig_admin;
    GRANT SELECT     ON x_seq     TO firbolig_admin;
    and run it.
    I continue like that through the development process.
    Then, when I'm ready to move to the Test database, I remove the comment lines and run the entire script in Test.

  • Questions about Database roles

    Hi, 
    Need to setup a new (Windows) user which has varied access to tables, views and procedures in about 8 different schemas all in the same database. 
    I've created an instance level login and then gone to the database to set the more granular details. 
    First question.  Does this user need to own the schemas they will access? 
    Secondly, I'm assuming the best bet would be to create a database role and then apply the privs against that? 
    I need to give access to all stored procedures (and future procedures) in a couple of these schemas and none in the others.  Is it possible to grant execute on all procedures in a schema whilst prohibiting others? 
    Then I would assign the database role to the new instance login? 
    Thanks 

    In the database he has access to a number of schemas but I wish to explicitly exclude him from all views in those schemas and in addition to this all the sys catalogs, e.g
    Also have no idea how to restrict access to the user created views without doing them all manually, but then what happens in the future if new views are added? They are not going to be explicitly denied. 
    David nailed the problem.
    There is no way to differentiate SELECT permission between Tables and Views. If they are all in the same schema and tables are allowed and views not... out of luck, and you have to include the allowed objects one by one (as opposed to denying the not allowed ones with the risk of missing some in the future).
    This is why database design should have security in mind from the very beginning, and views, being a way to access (aka "access-schema") data in tables, should ideally be placed in separate schemas.
    Andreas Wolter (Blog | Twitter)
    MCM - Microsoft Certified Master SQL Server 2008
    MCSM - Microsoft Certified Solutions Master Data Platform, SQL Server 2012
    www.andreas-wolter.com | www.SarpedonQualityLab.com
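
    Added example (not part of the original thread): one way to lay out the approach discussed above on SQL Server 2005 or later, where a permission granted at schema scope also covers objects created in that schema later. The schemas Sales, SalesViews and HR, the view Sales.vCustomerSummary, the role app_sales_role and the account DOMAIN\appuser are hypothetical names chosen for illustration.

    ```sql
    -- Added example; every object, role and account name here is hypothetical.
    USE [YourDBName];
    GO

    -- 1. The role carries the permissions; the user only gets role membership.
    --    The user does not need to own any of the schemas.
    CREATE ROLE app_sales_role AUTHORIZATION dbo;
    GO

    -- 2. Views get their own schema so they can be secured separately from tables.
    --    CREATE SCHEMA must be the first statement in its batch.
    CREATE SCHEMA SalesViews AUTHORIZATION dbo;
    GO
    ALTER SCHEMA SalesViews TRANSFER Sales.vCustomerSummary;
    GO

    -- 3. Schema-scoped grants: these apply to every current AND future
    --    procedure/table in Sales, so nothing has to be re-granted later.
    GRANT EXECUTE ON SCHEMA::Sales TO app_sales_role;
    GRANT SELECT  ON SCHEMA::Sales TO app_sales_role;

    -- 4. No grant at all on HR: without a grant the role has no access there.
    --    For the view schema an explicit DENY is added so that membership in
    --    some other role cannot silently re-open it.
    DENY SELECT ON SCHEMA::SalesViews TO app_sales_role;
    GO

    -- 5. Map the instance-level login to a database user and add it to the role.
    --    (sp_addrolemember works on SQL Server 2005 and later.)
    CREATE USER [DOMAIN\appuser] FOR LOGIN [DOMAIN\appuser];
    EXEC sp_addrolemember N'app_sales_role', N'DOMAIN\appuser';
    GO

    -- 6. Review what the role actually holds at schema scope.
    SELECT pr.name            AS grantee,
           pe.state_desc      AS state,        -- GRANT or DENY
           pe.permission_name AS permission,
           s.name             AS schema_name
    FROM   sys.database_permissions AS pe
    JOIN   sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
    JOIN   sys.schemas              AS s  ON s.schema_id     = pe.major_id
    WHERE  pe.class = 3                         -- 3 = SCHEMA
      AND  pr.name  = N'app_sales_role'
    ORDER  BY s.name, pe.permission_name;
    ```

    Running the last query after any change gives a quick check that the role holds only the schema-level permissions that were intended.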

  • EA2 - request support for database roles

    Would like to see database roles supported in the Connection Navigator for a schema, just like tables, views, etc. Need to be able to create/drop/copy/view roles, see what users or roles have been granted to a particular role, view or update what roles/object privs/system privs this role has been granted.

    Feature requests should be made according to the instructions in the "Feature Requests" sticky on the forum (http://forums.oracle.com/forums/ann.jspa?annID=444). If you go there and search on Roles, you will find an Accepted feature request for Roles Node. How soon this will be built into SQL Developer is another matter - we will have to wait and see.
    theFurryOne

  • How i can associate my app user with database role

    In my application (Oracle Forms application developed in-house - we are using Oracle Forms 11gR2 with WebLogic 10.3.5), I want to use "application user" instead of database user.
    I have an application users table; actually, I have database users, and of course, the menu application works with database roles (it was developed with the Oracle Forms menu module). My question is: how can I associate my application user with a database role, for reusing Oracle Forms menu functionality? Is it possible?
    Thanks,
    Edward

    Hi Edward
    You can do this by assigning the role functionality to the application user. For example
    create the table to enter user name.
    create table to enter group name.
    create table to assign user to group.
    assign role to group.
    assign functionality for the user by coding.
    hope this helps

  • How can I detect database role BEFORE mounting database?

    Once a database is mounted, it is possible to query the V$database view to check the database_role IE: Primary, Physical Standby or Logical Standby.
    When starting a Physical standby, the correct sequence is to:
    SQL> startup nomount
    SQL> alter database mount standby database;
    SQL> recover managed standby database nodelay disconnect
    This will get it going without any errors in the alertlog (which we monitor and Email ORA- lines automatically). We can get "ORA-01153: an incompatible media recovery is active" if the Primary is already up, but usually it won't, so ignore this.
    How can I determine the DB's role so I can issue the correct commands for startup, when the Instance is DOWN or in unmounted 'STARTED' mode?
    (Unix, Solaris, 9i)
    Regards, Vin.

    Thank you for the reply.
    I have decided that before a shutdown is done (and these stops & starts are all done from a script, middle of the night when backups are done), it will check the 'open mode' of the database. If it isn't just STARTED, it has to be open or mounted & thus I can query the v$database view. This I will query and store in the form of a unix file named `uname -n`_SID_databaseRole IE:sunbox2_SALES_PHYSICAL.
    I will look for these files before a startup and if present and less than an hour old, issue (in the case that we are starting a Physical standby) startup nomount, mount standby database, recover managed .....etc . If the database role is PRIMARY, then just issue a 'startup', same if for some reason the unix file doesn't exist or the file is more than an hour old. A plain startup on a Physical Standby can generate some messages, but it still works, and will prompt people to question why the backup took so long.
    The only time this could all muck up is if we do a switchover at the same time as we shutdown for cold backups. I will make the policy that switchovers are not to be done at that time.
    The only gripe I have left is that I cannot find how to STOP the Instance (message free) after doing a database dismount. A ' shutdown immediate' generates an ora 1109 message and I want to avoid prompting as many messages possible. Some messages are unavoidable and my "alertwatch" program is configured to blanket ignore them, but I want to use the correct commands to generate the least amount of messages that will be skipped for Emailing.

  • How to view Database roles?

    Hello, is it possible to get a list of all database roles in SQL Developer and then look up all users assigned to a specific role? I can't find this option. Thank you, Lolita

    One of the long awaited features, should be available in the forthcoming 3.0.
    Until then, you can add User Defined Reports. There are a couple of them (for roles) on the SQL Developer Exchange (look for Donat's reports, now also as Shared Reports).
    Have fun,
    K.

  • Database roles and APEX

    Can database roles be used with APEX to control table and other object access between schemas?
    If so, please provide an example.
    If not, please explain why the product would be limited in this way. One of the major short comings we see is the need to directly grant privileges to each schema, rather than having the power of roles to do this.

    Kannan,
    With DATABASE ACCOUNT credentials set, we were able to authenticate users for each page, in accordance with their table privileges, as follows. Please join us in encouraging Oracle to build this logic into Application Express, as one of the authentication options. We consider this to be a major shortcoming of an otherwise great product.
    For each page, create a PL/SQL anonymous block process "before header", to determine if the user has the necessary privileges. In this example, the user must have UPDATE privilege for one table, and SELECT privilege for the other table used by the page.
    DECLARE
    CURSOR c_get_role IS
    SELECT DISTINCT drp.granted_role,dtp.privilege,dtp.table_name
    FROM dba_tab_privs dtp, dba_role_privs drp
    WHERE dtp.grantor = '<database name>'
    AND dtp.grantee = drp.granted_role
    AND drp.grantee = v('APP_USER')
    AND dtp.table_name IN ('<updateable table name>','<readable table name>')
    AND dtp.privilege IN ('UPDATE','SELECT');
    BEGIN
    :Pnn_USER_ROLE_MESSAGE := 'NO ROLE';
    :Pnn_USER_ROLE_PROTOCOL := 'NO ROLE';
    :Pnn_USER_HAS_PRIVS_FLAG := 0;
    FOR rec IN c_get_role
    LOOP
    IF rec.table_name = '<updateable table name>' AND
    (rec.privilege = 'UPDATE')
    THEN
    :Pnn_USER_ROLE_MESSAGE := rec.granted_role;
    ELSIF rec.table_name = '<readable table name>' AND
    (rec.privilege = 'SELECT' OR rec.privilege = 'UPDATE')
    THEN
    :Pnn_USER_ROLE_PROTOCOL := rec.granted_role;
    END IF;
    END LOOP;
    IF (:Pnn_USER_ROLE_MESSAGE != 'NO ROLE') AND (:Pnn_USER_ROLE_PROTOCOL != 'NO ROLE')
    THEN
    :Pnn_USER_HAS_PRIVS_FLAG := 1;
    END IF;
    END;
    Note that APEX_PUBLIC_USER must have read privilege for the dictionary tables.
    Now you can use the flag variable and create an HTML region to source the error message to display if the user has insufficient privileges.
    PL/SQL Function Body Returning a Boolean..
    IF :Pnn_USER_HAS_PRIVS_FLAG = 0 THEN
    RETURN TRUE;
    ELSE
    RETURN FALSE;
    END IF;
    Add a condition to the normal page regions to display themselves only if the user has privileges and appropriate role, based on the flag being TRUE (same as the IF block above, except FLAG = 1).

  • Find particular database role permission on all the databases of an instance

    Hi Team,
    I want to find particular database role permission on all the databases of a instance.
    Example: 50 databases are running on an instance. I want to find datareader permission of ABCDE account, on which of the databases it exist?
    Please provide me a customized script to find it.
    Thanks
    Kumar

    Hi K735,
    According to your description, you want to find databases where a specific database role of a specific user exists. To do this, you could execute the stored procedure below by providing a value for each of the two parameters (@databaseRole, @user) to specify the database role and the user, as in the following example: execute findDatabaseRole 'db_datareader', 'testUser'
    USE master
    GO
    CREATE PROCEDURE dbo.findDatabaseRole
        @databaseRole VARCHAR(200),
        @user VARCHAR(250)
    AS
    DECLARE @DBuser_sql VARCHAR(4000)
    -- Holds one row per (role, database, member) collected from every user database
    DECLARE @DBuser_table TABLE
    (
        AssociatedDatabaseRole VARCHAR(200),
        DBName VARCHAR(200),
        UserName VARCHAR(250),
        LoginType VARCHAR(500)
    )
    -- USE [?] switches into each database so USER_NAME() resolves the role id there;
    -- string literals inside the command are written with doubled single quotes
    INSERT @DBuser_table
    EXEC sp_MSforeachdb @command1='USE [?];
    SELECT USER_NAME(b.role_principal_id) AS AssociatedDatabaseRole, ''[?]'' AS DBName, a.name AS Name,
    a.type_desc AS LoginType FROM [?].sys.database_principals a
    , [?].sys.database_role_members b where a.principal_id=b.member_principal_id and
    a.sid NOT IN (0x01,0x00) AND a.sid IS NOT NULL AND a.type NOT IN (''C'')
    AND a.is_fixed_role <> 1 AND a.name NOT LIKE ''##%'' AND ''?'' NOT IN (''master'',''msdb'',''model'',''tempdb'')
    ORDER BY Name'
    -- Keep only the requested user / role combination
    SELECT AssociatedDatabaseRole, DBName,UserName,LoginType
    FROM @DBuser_table WHERE UserName=@user and AssociatedDatabaseRole=@databaseRole
    group by AssociatedDatabaseRole, DBName,UserName,LoginType
    GO
    Regards,
    Michelle Li

  • When will APEX be capable of observing Database Roles?

    Hi All,
    When will APEX be capable of observing Database Roles and RLS?
    Joel Kallman in his APEX blogspot article "Application Express and parsing SQL" (http://joelkallman.blogspot.com/) states that
    "the execution of SQL in an Application Express application still does not observe roles when parsing user SQL. This remains true for the recently released Application Express 4.0"
    Is there anyone with inside knowledge of APEX who can shed light on this?
    Amgine

    Hi All,
    Thank you for responding to this discussion.
    The initial point of my post was to indicate that applying fine grained data security with APEX, is problematic. In my organisation we have hundreds of databases, thousands of tables and a requirement to protect confidential data. The DBA's and Developers over the years have developed a system of controlled data access based on database roles, Row Level Security with policies, and even Cell Level Security.
    We are looking at APEX as a means of replacing Oracle Forms and Reports. The method by which CRUD applications are made with APEX methodology involves assigning schemas to a workspace. Doing this circumvents all of the above-mentioned security, because APEX developers then take on the effective role of schema owner.
    If an application is created using the schema assigned to a workspace, it requires the APEX application developer to develop a parallel authentication/authorization scheme, to match the levels of control normally achieved by the database data security methods.
    E.g. I can easily create a form with select, insert, update capability, based on a table normally having restricted record access and even select only access, controlled by roles or RLS methods. If I do not explicitly create a complex Authentication/Authorization system to protect the data, I could easily, and accidentally, expose restricted or confidential data, and the unintended ability to modify it, to the end user.
    I have found by experiment that there is a partial solution to this problem:
    If schemas are not directly assigned to the workspace but instead a single parsing schema with minimal system privileges is created, and no other schema is assigned to the workspace. The privileges on individual schema objects are then granted to the parsing schema. Applications can then be built which limit the CRUD operations which may be implemented.
    With my current APEX/Oracle DB there is still the problem that privileges (e.g. insert, update, select on table X) cannot be granted to the parsing schema via a role but need to be explicitly granted. This becomes a maintenance nightmare for the schema owner or DBA, normally avoided by use of roles and/or RLS.
    In answer to Andre: I currently use APEX ver. 3.1.2.00.0 and Oracle 10.2.0.
    According the APEX Builder notes:
    In Oracle Database Server versions before 10.2.0.3, these privileges must be granted directly to the schema. In Oracle Database Server versions 10.2.0.3 and later, these privileges may be granted to the schema directly or through a role in order for the SQL Workshop to be able to perform the operation using the selected schema.
    The reason you can't use roles is because you are always identified in session as APEX_PUBLIC_USER with privileges granted by proxy via the parsing schema, never as the logged on user.
    Using the following query logged on as sys:
    select
    username,
    osuser,
    program
    from v$session
    where type='USER'
    gives results:
    USERNAME    OS_USER    PROGRAM
    APEX_PUBLIC_USER SYSTEM Apache.exe
    Amgine

  • Sql 2000 database role

    Hi ,
    I want to grant execute permission to all SP's in SQL 2000  database, when I tried to create a db_execprocs role it is throwing an error near ROLE, and when I googled  I have found a script as 
    CREATE PROCEDURE dbo.spGrantExectoAllStoredProcs @user ABC\venkat
    AS
    -- Object Name: spGrantExectoAllStoredProcs
    -- Author: Edgewood Solutions
    -- Development Date: 03.19.2007
    -- Called By: TBD
    -- Description: Issue GRANT EXEC statement for all stored procedures 
    -- based on the user name that is passed in to this stored procedure
    -- Project: SQL Server Security
    -- Database: User defined databases 
    -- Business Process: SQL Server Security
    -- Num | CRF ID | Date Modified | Developer | Description
    -- 001  | N\A     | 03.15.2007    | Edgewood | Original code for the GRANT 
    -- EXEC process
    SET NOCOUNT ON
    -- 1 - Variable declarations
    DECLARE @CMD1 varchar(8000)
    DECLARE @MAXOID int
    DECLARE @OwnerName varchar(128)
    DECLARE @ObjectName varchar(128)
    -- 2 - Create temporary table
    CREATE TABLE #StoredProcedures
    (OID int IDENTITY (1,1),
    StoredProcOwner varchar(128) NOT NULL,
    StoredProcName varchar(128) NOT NULL)
    -- 3 - Populate temporary table
    INSERT INTO #StoredProcedures (StoredProcOwner, StoredProcName)
    SELECT u.[Name], o.[Name]
    FROM dbo.sysobjects o
    INNER JOIN dbo.sysusers u
    ON o.uid = u.uid
    WHERE o.Type = 'P'
    AND o.[Name] NOT LIKE 'dt_%'
    -- 4 - Capture the @MAXOID value
    SELECT @MAXOID = MAX(OID) FROM #StoredProcedures
    -- 5 - WHILE loop
    WHILE @MAXOID > 0
    BEGIN 
     -- 6 - Initialize the variables
     SELECT @OwnerName = StoredProcOwner,
     @ObjectName = StoredProcName
     FROM #StoredProcedures
     WHERE OID = @MAXOID
     -- 7 - Build the string
     SELECT @CMD1 = 'GRANT EXEC ON ' + '[' + @OwnerName + ']' + '.' 
     + '[' + @ObjectName + ']' + ' TO ' + '[' + ABC\venkat + ']'
     -- 8 - Execute the string
     -- SELECT @CMD1
     EXEC(@CMD1)
    -- 9 - Decrement @MAXOID
    SET @MAXOID = @MAXOID - 1
    END
    -- 10 - Drop the temporary table
    DROP TABLE #StoredProcedures
    SET NOCOUNT OFF
    GO
    This too is throwing an error:
    Msg 170, Level 15, State 1, Procedure spGrantExectoAllStoredProcs, Line 1
    Line 1: Incorrect syntax near '\'.
    Msg 170, Level 15, State 1, Procedure spGrantExectoAllStoredProcs, Line 52
    Line 52: Incorrect syntax near '\'.
    Can someone help me with this.
    I just need to grant execute permission on all SP's  to 1 database only.
    Thanks.

    First create the procedure and then call the procedure with parameter.
    Try this 
    CREATE PROCEDURE dbo.spGrantExectoAllStoredProcs @user varchar(20)
    AS
    -- Object Name: spGrantExectoAllStoredProcs
    -- Author: Edgewood Solutions
    -- Development Date: 03.19.2007
    -- Called By: TBD
    -- Description: Issue GRANT EXEC statement for all stored procedures
    -- based on the user name that is passed in to this stored procedure
    -- Project: SQL Server Security
    -- Database: User defined databases
    -- Business Process: SQL Server Security
    -- Num | CRF ID | Date Modified | Developer | Description
    -- 001 | N\A | 03.15.2007 | Edgewood | Original code for the GRANT
    -- EXEC process
    SET NOCOUNT ON
    -- 1 - Variable declarations
    DECLARE @CMD1 varchar(8000)
    DECLARE @MAXOID int
    DECLARE @OwnerName varchar(128)
    DECLARE @ObjectName varchar(128)
    -- 2 - Create temporary table
    CREATE TABLE #StoredProcedures
    (OID int IDENTITY (1,1),
    StoredProcOwner varchar(128) NOT NULL,
    StoredProcName varchar(128) NOT NULL)
    -- 3 - Populate temporary table
    INSERT INTO #StoredProcedures (StoredProcOwner, StoredProcName)
    SELECT u.[Name], o.[Name]
    FROM dbo.sysobjects o
    INNER JOIN dbo.sysusers u
    ON o.uid = u.uid
    WHERE o.Type = 'P'
    AND o.[Name] NOT LIKE 'dt_%'
    -- 4 - Capture the @MAXOID value
    SELECT @MAXOID = MAX(OID) FROM #StoredProcedures
    -- 5 - WHILE loop
    WHILE @MAXOID > 0
    BEGIN
    -- 6 - Initialize the variables
    SELECT @OwnerName = StoredProcOwner,
    @ObjectName = StoredProcName
    FROM #StoredProcedures
    WHERE OID = @MAXOID
    -- 7 - Build the string
    SELECT @CMD1 = 'GRANT EXEC ON ' + '[' + @OwnerName + ']' + '.'
    + '[' + @ObjectName + ']' + ' TO ' + '[' + @user + ']'
    -- 8 - Execute the string
    -- SELECT @CMD1
    EXEC(@CMD1)
    -- 9 - Decrement @MAXOID
    SET @MAXOID = @MAXOID - 1
    END
    -- 10 - Drop the temporary table
    DROP TABLE #StoredProcedures
    SET NOCOUNT OFF
    GO
    dbo.spGrantExectoAllStoredProcs 'abc\venkat'
    OR
    directly execute the below script
    Change the @user parameter with valid account
    DECLARE @User Varchar(20)
    DECLARE @CMD1 varchar(8000)
    DECLARE @MAXOID int
    DECLARE @OwnerName varchar(128)
    DECLARE @ObjectName varchar(128)
    SET @user='abc\venkat'
    -- 2 - Create temporary table
    CREATE TABLE #StoredProcedures
    (OID int IDENTITY (1,1),
    StoredProcOwner varchar(128) NOT NULL,
    StoredProcName varchar(128) NOT NULL)
    -- 3 - Populate temporary table
    INSERT INTO #StoredProcedures (StoredProcOwner, StoredProcName)
    SELECT u.[Name], o.[Name]
    FROM dbo.sysobjects o
    INNER JOIN dbo.sysusers u
    ON o.uid = u.uid
    WHERE o.Type = 'P'
    AND o.[Name] NOT LIKE 'dt_%'
    -- 4 - Capture the @MAXOID value
    SELECT @MAXOID = MAX(OID) FROM #StoredProcedures
    -- 5 - WHILE loop
    WHILE @MAXOID > 0
    BEGIN
    -- 6 - Initialize the variables
    SELECT @OwnerName = StoredProcOwner,
    @ObjectName = StoredProcName
    FROM #StoredProcedures
    WHERE OID = @MAXOID
    -- 7 - Build the string
    SELECT @CMD1 = 'GRANT EXEC ON ' + '[' + @OwnerName + ']' + '.'
    + '[' + @ObjectName + ']' + ' TO ' + '[' + @user + ']'
    -- 8 - Execute the string
    -- SELECT @CMD1
    EXEC(@CMD1)
    -- 9 - Decrement @MAXOID
    SET @MAXOID = @MAXOID - 1
    END
    -- 10 - Drop the temporary table
    DROP TABLE #StoredProcedures
    --Prashanth
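
    Added example (not part of the original thread, and not Edgewood's or Prashanth's code): a role-based variant of the same task for SQL Server 2000, which has no CREATE ROLE statement, so the role is created with sp_addrole. Names are quoted with QUOTENAME rather than by concatenating '[' and ']', so an owner or procedure name containing ']' cannot alter the generated GRANT. The role name db_execprocs and the account abc\venkat are the ones mentioned in the question; the account is assumed to already exist as a user in the database.

    ```sql
    -- Added example for SQL Server 2000; run it in the target database only.

    -- 1. Create the role if it is not there yet (CREATE ROLE arrived in SQL Server 2005).
    IF NOT EXISTS (SELECT 1 FROM dbo.sysusers WHERE name = 'db_execprocs' AND issqlrole = 1)
        EXEC sp_addrole 'db_execprocs'
    GO

    -- 2. Grant EXECUTE on every user stored procedure to the role.
    DECLARE @owner sysname, @proc sysname, @cmd nvarchar(1000)

    DECLARE proc_cur CURSOR LOCAL FAST_FORWARD FOR
        SELECT u.name, o.name
        FROM   dbo.sysobjects o
        INNER  JOIN dbo.sysusers u ON o.uid = u.uid
        WHERE  o.type = 'P'
          AND  OBJECTPROPERTY(o.id, 'IsMSShipped') = 0   -- skip system-supplied procedures
          AND  o.name NOT LIKE 'dt[_]%'                  -- [_] matches a literal underscore

    OPEN proc_cur
    FETCH NEXT FROM proc_cur INTO @owner, @proc

    WHILE @@FETCH_STATUS = 0
    BEGIN
        -- QUOTENAME brackets the name and doubles any ']' inside it
        SET @cmd = N'GRANT EXECUTE ON ' + QUOTENAME(@owner) + N'.' + QUOTENAME(@proc)
                 + N' TO ' + QUOTENAME('db_execprocs')
        PRINT @cmd          -- leaves a record of exactly what was granted
        EXEC (@cmd)
        FETCH NEXT FROM proc_cur INTO @owner, @proc
    END

    CLOSE proc_cur
    DEALLOCATE proc_cur
    GO

    -- 3. Give the account the permissions through role membership only.
    EXEC sp_addrolemember 'db_execprocs', 'abc\venkat'
    GO
    ```

    Procedures created after the script has run are not covered, so it has to be re-run when new procedures are deployed; removing the account from the role later revokes everything in one step.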

  • Assigning database roles on SQL Server db

    I am trying to set up a SQL Server adapter (not a database table adapter for SQL tables) to manage role assignment on a database 'test1' on my sql server ( 2000) 'sqlserver1' using IdM 7.1. I am trying to assign role1 to user tuser1 on test1. I am using 'sa' account so permissions should not be an issue.
    Per resource reference document, I mapped:
    userNametest1 <-> userNametest1
    rolestest1 <-> rolestest1
    My login for user 'tuser1' gets created on the SQL server. However the database and role assignment is not happening. I do not get any errors in the IdM admin pages from where I am testing this. Hence I am assuming I am not setting something right in the resource schema. I have tried different ways such as
    userNametest1 <->userName
    rolestest1 <-> roles
    and some more combination but none seem to work. How can i find out what my resource attribute mapping should be? If anyone has done this, can you please share how you got it work?
    Thanks in advance.

    Some more info.
    I have set up the out of the box MS SQL server adapter to connect to MSDE version of SQL server running on my local machine. I used the MSSQLServer Form provided in the samples folder and assigned it to an admin user and turned on the trace.
    I am able to create logins by assigning the resource to a user. Using the admin user I am able to see in the trace that the server Roles are also being retrieved fine. What I am not able to get is assigning a database to the user and then assigning db roles.
    Following the documentation (Resource Reference guide for IdM 7.1) I have created following attributes on the left hand side of schema.
    defaultDB,serverRoles,domain, userNameMyTestDb,rolesMyTestDb.
    No matter what I map the last two attribute I am not able to assign a db and dbroles to a user. I turned on sql profiler and then again used the admin user to view a test user using MSSqlServer form and it appears that the procedure sp_databases is not being called at all. I have decompiled the sql server class file and it appears there might be an issue with the way list of databases is being retrieved.
    Has any one seen this before? If you were able to get it to work, can you please give me information on the resource schema and any other settings you had to make to get it to work?
    Thanks in advance.

  • Database roles seems like its not working for me - your help is appreciated

    Hi,
    I am using database 10g express edition.
    I am using sql developer to connect to database.
    I have 2 database connections,
    one is called TCF and has a user called oracle.
    two is called TCF_TEST and has a user called smith.
    oracle user has privileges to do anything.
    smith user has privileges to only connect, and something called resources.
    I logged in to the database using oracle and gave the following command:
    CREATE ROLE TCF_R;
    GRANT SELECT ON EMP_IOD TO TCF_R;
    GRANT TCF_R TO SMITH;
    Then I logged in as smith and was able to create a table.
    first of all, the user does not have any privileges to create a table.
    Second, when creating a table, smith can insert, update, delete records which also smith does not have any privileges to do.
    so basically this whole thing is not working the way I want.
    what am I doing wrong and what do I do to fix it ??
    Thanks,
    if you need more info, please let me know so I can provide it.

    hey 009,
    thanks for your help,
    ok this is what I did step by step:
    first , I created a user and granted create session to that user as below
    CREATE USER SMITH IDENTIFIED BY SMITH;
    GRANT CREATE SESSION TO SMITH;
    Then I logged in and gave SMITH privilege to create tables. (the reason for this is only for testing, I create a table and then I want to check if SMITH can drop it later on).
    Then I created one table.
    then Revoked the create table privilege from SMITH, log out, log back in and tested to make sure SMITH cannot create tables.
    up to here everything is successful.
    Now since SMITH only has the following privileges which is only create session:
    Privilege     Admin Option     From Role
    CREATE SESSION          -
    it should not drop, insert, or update any table, or even select because I did not give it any grants.
    but it's doing all of the above.
