Default roles and grants

I have role called role_test and this is granted to user user_test and made it as default role.
but role_test is protected by password i.e to set role need to give password.
set role role_test identified by test_role_pass;
My question is when the user user_test loggs in will automatically gets this role_test as it is grated as default role ?
or still he needs to call set role identified by password to enable this role.
I am using oracle 11g database.Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
Is there any change of this behaviour with oracle versions 10g to 11g ?
Thanks,
Phani

Phani_Orcl wrote:
Is there any change of this behaviour with oracle versions 10g to 11g ?Yes, there is. Password protected roles in 11g are not enabled at login time even if it is a default role:
SQL> create role r1;
Role created.
SQL> create role r2 identified by r2;
Role created.
SQL> create user u1 identified by u1
2 /
User created.
SQL> grant create session to u1
2 /
Grant succeeded.
SQL> grant r1,r2 to u1
2 /
Grant succeeded.
SQL> alter user u1 default role all
2 /
User altered.
SQL> connect u1/u1
Connected.
SQL> select * from session_roles;
ROLE
R1
SQL>
And it is documented
Authorizing a Role by Using the Database
You can protect a role authorized by the database by assigning the role a password. If a user is granted a role protected by a password, then you can enable or disable the role by supplying the proper password for the role in the SET ROLE statement. <font color=red>You cannot authenticate a password-authenticated role on logon, even if you add it to the list of default roles. You must explicitly enable it with the SET ROLE statement using the required password.</font>
SY.

Similar Messages

DEFAULT ROLE FOR USER

I swich to Oracle11g express and create user
CREATE USER LEO
IDENTIFIED BY xy
DEFAULT TABLESPACE USERS
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK;
-- 3 Roles for LEO
GRANT AUTHENTICATEDUSER TO LEO;
GRANT CONNECT TO LEO;
GRANT FER_ADMIN TO LEO WITH ADMIN OPTION;
ALTER USER LEO DEFAULT ROLE FER_ADMIN;
-- 1 System Privilege for LEO
GRANT CREATE SESSION TO LEO;
-- 1 Tablespace Quota for LEO
ALTER USER LEO QUOTA UNLIMITED ON USERS;
and after login i check
select * from SESSION_ROLES
and i have none role
if I set role all works fine.
Why I doesn't have DEFAULT ROLE after login.
Pleas for help .

here is the solution
default roles and grants
Edited by: Leo Lakota on 4.10.2012 5:52

Problem with Roles and Triggers

I'm having a strange problem with Roles and Triggers in Oracle. It's a little difficult to describe, so bear with me...
I'm trying to create a trigger that inserts records into a table belonging to a different user/owner. Of course, the owner of this trigger needs rights to insert records into this other table. I find that if I add these rights directly to the owner of the trigger, everything works okay and the trigger compiles successfully.
However, if I first create a Role and grant the "insert" rights to it, and then assign this role to the owner of the trigger, the trigger does not compile successfully.
To illustrate this, here's an example script. I'm using Oracle 10g Release 2...
-- Clean up...
DROP TABLE TestUser.TrigTable;
DROP TABLE TestUser2.TestTable;
DROP ROLE TestRole;
DROP TRIGGER TestUser.TestTrigger;
DROP USER TestUser CASCADE;
DROP USER TestUser2 CASCADE;
-- Create Users...
CREATE USER TestUser IDENTIFIED BY password DEFAULT TABLESPACE "USERS" TEMPORARY TABLESPACE "TEMP" QUOTA UNLIMITED ON "USERS";
CREATE USER TestUser2 IDENTIFIED BY password DEFAULT TABLESPACE "USERS" TEMPORARY TABLESPACE "TEMP" QUOTA UNLIMITED ON "USERS";
CREATE TABLE TestUser.TrigTable (TestColumn VARCHAR2(40));
CREATE TABLE TestUser2.TestTable (TestColumn VARCHAR2(40));
-- Grant Insert rights on TestTable to TestRole...
CREATE ROLE TestRole NOT IDENTIFIED;
GRANT INSERT ON TestUser2.TestTable TO TestRole;
-- Add TestRole to TestUser. TestUser should now have rights to INSERT on TestTable
GRANT TestRole TO TestUser;
ALTER USER TestUser DEFAULT ROLE ALL;
-- Now, create the trigger. This compiles unsuccessfully...
CREATE TRIGGER TestUser.TestTrigger AFTER INSERT ON TestUser.TrigTable
BEGIN
INSERT INTO TestUser2.TestTable (TestColumn) VALUES ('Test');
END;
When I do a "SHOW ERRORS;" after this, I get:
SQL> show errors;
Errors for TRIGGER TESTUSER.TESTTRIGGER:
LINE/COL ERROR
2/3 PL/SQL: SQL Statement ignored
2/25 PL/SQL: ORA-00942: table or view does not exist
SQL>
As I said above, if I just add the Insert rights directly to TestUser, the trigger compiles perfectly. Does anyone know why this is happening?
Thanks!
Adrian

Hi Raghu,
If the insert rights exist only on TestRole, and TestRole is assigned to TestUser, I can do the INSERT statement you suggest with no problems if I just execute it from SQLPlus (logged in as TestUser).
The question is, why does the same INSERT fail when it's inside the trigger?

Role and security

i have problem with role in my database
i have 2 table
t1 and t2
owner = ERP
i create user HAMID with grant connect,resource
then
create role xx and grant all on t1 and t2 to xx
then grant xx to HAMID
when hamid connect to database and select from t2 get error table dosnt exist
whyyyyyyyyyyyyyyyyy?

plz help me
see this:
i have 2 table
t1 and t2
owner = ERP
conn sys
create role r1;
create role r2;
grant all on erp.t1 to r1
grant all on erp.t2 to r2
create user HAMID identified by hamid;
grant resource,connect to hamid;
alter user hamid default role connect;
grant r1 to hamid;
conn hamid
SELECT * FROM SESSION_ROLES;
see this
CONNECT
RESOURCE
R1
conn sys
grant r2 to hamid;
conn hamid
SELECT * FROM SESSION_ROLES;
see this
CONNECT
RESOURCE
R1
where is R2 ??????????????????????????????????????????

Default role with password - reality check

I support the database for an application. We upgraded from Oracle10 to Oracle11 9 months ago. Then recently we applied the OCT CPU.
The application admin says that they have a program that has recently stopped working that worked after the Oracle11 upgrade.
The application user has a default role which has a password. Is that possible? A default role with a password. Would this have ever worked in any version of Oracle?

Default role with password is a feature even available with Oracle XE. Default roles are activated without requiring role password in Oracle 10.2:
SQL> drop user admin cascade;
User dropped.
SQL> drop user test cascade;
User dropped.
SQL> drop role rwp;
Role dropped.
SQL> select * from v$version;
BANNER
Oracle Database 10g Express Edition Release 10.2.0.1.0 - Product
PL/SQL Release 10.2.0.1.0 - Production
CORE 10.2.0.1.0 Production
TNS for 32-bit Windows: Version 10.2.0.1.0 - Production
NLSRTL Version 10.2.0.1.0 - Production
SQL>
SQL> create user admin identified by oraclexe;
User created.
SQL> grant create session, create table to admin;
Grant succeeded.
SQL> grant unlimited tablespace to admin;
Grant succeeded.
SQL> grant create user to admin;
Grant succeeded.
SQL> grant create role to admin;
Grant succeeded.
SQL>
SQL> create user test identified by oraclexe;
User created.
SQL> grant create session to test;
Grant succeeded.
SQL>
SQL> connect admin/oraclexe;
Connected.
SQL> create table t(x varchar2(10));
Table created.
SQL> insert into t values('admin OK');
1 row created.
SQL> commit;
Commit complete.
SQL> create role rwp identified by oraclexe;
Role created.
SQL> grant all on t to rwp;
Grant succeeded.
SQL> grant rwp to test;
Grant succeeded.
SQL>
SQL> connect test/oraclexe;
Connected.
SQL> select * from session_roles;
ROLE
RWP
SQL> select * from admin.t;
X
admin OK
SQL> insert into admin.t values('test OK');
1 row created.
SQL> commit;
Commit complete.
SQL> select * from admin.t;
X
admin OK
test OK
SQL>There have been changes between Oracle 10.2 and 11.2 because the same script fails in 11.2 unless the role is set with the password:
SQL> drop user admin cascade;
User dropped.
SQL> drop user test cascade;
User dropped.
SQL> drop role rwp;
Role dropped.
SQL> select * from v$version;
BANNER
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
PL/SQL Release 11.2.0.1.0 - Production
CORE 11.2.0.1.0 Production
TNS for Linux: Version 11.2.0.1.0 - Production
NLSRTL Version 11.2.0.1.0 - Production
SQL>
SQL> create user admin identified by oraclexe;
User created.
SQL> grant create session, create table to admin;
Grant succeeded.
SQL> grant unlimited tablespace to admin;
Grant succeeded.
SQL> grant create user to admin;
Grant succeeded.
SQL> grant create role to admin;
Grant succeeded.
SQL>
SQL> create user test identified by oraclexe;
User created.
SQL> grant create session to test;
Grant succeeded.
SQL>
SQL> connect admin/oraclexe;
Connected.
SQL> create table t(x varchar2(10));
Table created.
SQL> insert into t values('admin OK');
1 row created.
SQL> commit;
Commit complete.
SQL> create role rwp identified by oraclexe;
Role created.
SQL> grant all on t to rwp;
Grant succeeded.
SQL> grant rwp to test;
Grant succeeded.
SQL>
SQL> connect test/oraclexe;
Connected.
SQL> select * from session_roles;
no rows selected
SQL> select * from admin.t;
select * from admin.t
ERROR at line 1:
ORA-00942: table or view does not exist
SQL> insert into admin.t values('test OK');
insert into admin.t values('test OK')
ERROR at line 1:
ORA-00942: table or view does not exist
SQL> commit;
Commit complete.
SQL> select * from admin.t;
select * from admin.t
ERROR at line 1:
ORA-00942: table or view does not exist
SQL>
SQL> set role rwp identified by oraclexe;
Role set.
SQL> select * from session_roles;
ROLE
RWP
SQL> select * from admin.t;
X
admin OK
SQL> insert into admin.t values('test OK');
1 row created.
SQL> commit;
Commit complete.
SQL> select * from admin.t;
X
admin OK
test OK
SQL>10.2 Security Guide says:
If you are granted a role protected by a password, then you can enable or disable the role by supplying the proper password for the role in a SET ROLE statement. However, if the role is made a default role and enabled at connect time, then the user is not required to enter a password.
11.1 and 11.2 Secuirty Guide says:
If a user is granted a role protected by a password, then you can enable or disable the role by supplying the proper password for the role in the SET ROLE statement. You cannot authenticate a password-authenticated role on logon, even if you add it to the list of default roles. You must explicitly enable it with the SET ROLE statement using the required password.
Edited by: P. Forstmann on 20 févr. 2010 10:28

ARQ: Default Role Provisioning Problem in Access Request???

Hi,
This Business Scenario is very common to have default role(s) assigned to a User at the back end system. So I have the same requirement. In achieving this, I followed below thread here:
MSMP Issue - GRC 10
I have also followed the note#1616092 for configuring the Default Roles.
I have performed below activities:
1. Param#2009 = YES
2. Param#2010 = 001
3. Param#2011 = REQUEST
4. Param#2013 = SYSTEM
5. Param#2038 = YES
6. Imported a test role and NO ROLE OWNER is maintained.
7.In NWBC->-AM->RM, I maintained a test role as a default.
Now when I raise a request, application is successfully adding the default role to the request. However, the problem I am facing is that, one Manager approves the request, it is getting failed.
The Audit Log says that, the STAGE is "Completed" but I could also see "No Agent Found, Cancelling path XYZ (in stage no. 002- GRAC_ROLEOWNER)
May I know what I am missing here? Why I am getting error and how can I resolve it?
Please advise.
Regards,
Faisal

Hi Faisal,
sorry for late resposne I was away traveling.
default roles are being added by default to access request
Yes, these roles are added to the access request.
FN: OK
and this roles are following your normal paths which I guess assumes manager and role owner.
How such roles (not having role owner) will follow the normal path Manager->Role Owner if we are enabling routing (Rule ID: GRAC_MSMP_ROUTE_NO_ROLEOWNER) at manager stage level? Can you please help me understand this?
FN: OK If you enable routing it will go to routing path. I have understood your post as you put in question the behavior of default roles and my point was - they act exacly the same like regular roles.
- request is going to detour path
Does it answer my question?
FN: My point was default roles like all other will go to detur path (assuming you setup it globaly)
Deafault roles can have separate path (in my case) where only supervisor is approving it.
Instead of "GRAC_MSMP_ROUTE_NO_ROLEOWNER" I believe we can have our own rule to have a separate path for such default roles based upon business requirement. Correct me, if required.
FN; correct
It was design in way that initiator rule based on role crtivality is sending this rule to separate path without role owner.
Again, I believe you have enabled your custom rule here to achieve your business requirement instead standard rule id.
correct
If you do not have separate path - this role like any other will follow standard path you have.
Here, I had used a stage called "ZNO_STAGE_PATH" for routing the system line item, which does not have any owner. I used the same path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER"Rule ID and it is working fine as of now.
FN: good
My question is that, do you think if I don't use "ZNO_STAGE_PATH" as Path ID for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, should it follow the standard Manager->Role Owner path and these default roles get approved and assigned automatically?
FN: You should use the path ZNO_STAGE_PATH as path ID for routing rule.
If the role does not have role owner it will not allow you the even get to Role Onwer stage - request will be detured.
My point from the begining was - instead of using the routing rule - in our case we used separate path for default roles without role owner:) only consisted with manager stage. Again your approach is different but also will work.
Then which Path ID should I use for "GRAC_MSMP_ROUTE_NO_ROLEOWNER" Rule ID, as it is mandatory?
Should I use my current path for New/Change Account where at Manager level this was routed due to non availability of role owner?
Are you asking for default roles?
Please advise.
Regards,
Faisal

Error adding Default roles after transport

we are trying to transport our GP to another system.
the transport imported successfully.
but we are getting below error if we need to add the Default roles in the new portal system.
Administartion -> Assign default roles ->
Error/Message: The process template does not contain roles to which you can assign default values.
     Could not retrieve process template
Design time:
     Error/Message: 1.Cannot retrieve activity template: Development object does not exist in the database
                    2.      Cannot retrieve object:
Please suggest me if you have faced simiilar issue.

Already I have tried in both from Administartion -> Assign Default Roles -> Select the process, by selecting the process & when we click on Open, this error is populated.
Also in Design time -> select the process -> by clicking on the "Open" , I am getting this error.
Also, I have tried the option to do "Edit All" to change the version of all the objects and transport them to targeted system.
and , also implemented the SAP Note: 1321013.
But in all the above cases, I am getting the same error.
Then tried to remove the Default Roles and assigned all the roles to Initiator, then transported, still when I try to run the process and when I open the process getting the same error.
SAP Note: 1321013:
Terminate all process instances.
Unlock all objects.
Delete all process templates.
Empty trash.
Redeploy process templates.
Release objects after Import.
(http://wiki.sdn.sap.com/wiki/display/JSTSG/(GP)ICannotStartorOpenaProcess)

Menu Role and Security

How do you enable menu roles and enforce security in forms?
For example in an complex application if we want to have a control of access of menus based on user login
I know it can be done thru the front-end itself by using an if then condition.
but can it be integrated with the database user logins itself
kindly reply
Thanx in advance

Hi,
first RUN frm60sec.sql under system/manager
create different roles
GRANT roles to users
Grant select access to the view created by frm60sec as follows:
SQL > Grant select on frm50_enabled_roles to public;
Note it is NOT frm60_enabled_roles.
To verify that your roles and grants are correct, log on as a user and run the following:
SQL>Select * from frm50_enabled_roles;
You should be able to see the users roles.
then come to MMB file contibue assiging the roles in each menu Item. U ll see get the result.
regards

Mapping a user's role and privilege to another

Hi all,
Is there a command/way to map the role and privileges of a current user to a new user? I am new to oracle, I did read through the online docs but was not able to figure it out.
Thank you very much!

Check this link would help: Check the part where they are copying roles and grants for the users using dbms_metadata. You can limit this to one user you want by adding additional where clause like "where username = <username>
Copying Oracle Users

Grant role and make it default

Hello all,
I'm facing an awkward situation whit the grant command.
Let's say we have a user some_owner that is granted the role some_role with admin option.
We have a procedure owned by some_owner as follows:
CREATE PROCEDURE "+some_owner"."GRANT_ROLE"
(P_USER IN VARCHAR2
BEGIN
EXECUTE IMMEDIATE 'GRANT some_role TO ' ||UPPER(P_USER);
END;
A user some_user who has execute privilege on the procedure is able to successfully execute the procedure using SQL+ and the role some_role is granted (default = Y) to the user.
However, when the procedure is called from a 10g form, the role is granted (default =N)
Have you ever faced a similar situation?
Thanks in advanse
Joseph

Test first post second.
SQL> CREATE USER john identified by john;
User created.
SQL> GRANT oem_monitor TO john;
Grant succeeded.
SQL> SELECT granted_role,default_role
2 FROM dba_role_privs
3 WHERE grantee = 'JOHN';
GRANTED_ROLE                   DEF
OEM_MONITOR                    YES
SQL> GRANT hs_admin_role TO john;
Grant succeeded.
SQL> SELECT granted_role,default_role
2 FROM dba_role_privs
3 WHERE grantee = 'JOHN';
GRANTED_ROLE                   DEF
HS_ADMIN_ROLE                  YES
OEM_MONITOR                    YES
SQL> GRANT finrep TO john;
Grant succeeded.
SQL> SELECT granted_role,default_role
2 FROM dba_role_privs
3 WHERE grantee = 'JOHN';
GRANTED_ROLE                   DEF
FINREP                         YES
HS_ADMIN_ROLE                  YES
OEM_MONITOR                    YES
SQL> ALTER USER john DEFAULT ROLE ALL EXCEPT finrep;
User altered.
SQL> SELECT granted_role,default_role
2 FROM dba_role_privs
3 WHERE grantee = 'JOHN';
GRANTED_ROLE                   DEF
FINREP                         NO
HS_ADMIN_ROLE                  YES
OEM_MONITOR                    YES
SQL> REVOKE hs_admin_role FROM john;
Revoke succeeded.
SQL> GRANT dba TO john;
Grant succeeded.
SQL> SELECT granted_role,default_role
2 FROM dba_role_privs
3 WHERE grantee = 'JOHN';
GRANTED_ROLE                   DEF
DBA                            YES
FINREP                         NO
OEM_MONITOR                    YESGranting or revoking roles has no effect on other existing roles. A granted role is always a default row unless you tell Oracle otherwise.
TTFN
John

Account Creation - Badi for Default values for BP Role and Sales Area

Hi all,
my requirement regards the possibility to create a new prospect (a link should be available in the navigation bar or create section).
Logically, a bp role as "Prospect" and particoular sales area should be created automatically.
I created an implementation for the BADI definition "BADI_CRM_BP_UIU_DEFAULTS". But don't know how to create the default values for BP role and Sales area:
In my code
assign cr_me->('VIEW') to <lv_view_name>.
if sy-subrc ne 0.
exit.
endif.
lv_viewname = <lv_view_name>.
case lv_viewname.
when 'AccountDetails.htm'.
I obtain the viewname "AccountDetails" , the related context "Header". After I don't know how to proceed to obtain the related entities through the relationship BuilRolesRel and BuilSalesArrangementRel.
Am I following the right way? Is there another solution to prepare the output for default values?
Any kind of suggestion will be appreciated.
Regards, Roberto

go to spro>cross-application components>sap busines partner>business partner> basic settings>field groupings>Configure Field Attributes per BP Role
Double click the business role which you want to customaze (e.g. 'A') and change the proper settings.
Regards.

How to create and grant role

hello all
I have created a new database called TEST
I need to create a role for following purposes
create table
read access to all the tables, write access to all the tables that the users created.
and then i need to connect this role to a user (grant)
how can i do this
sample script is much of a help?
Thanks in advance
PRash

As DBA :
SQL> create role my_role;
Role created.
SQL> grant CREATE SESSION to my_role;
Grant succeeded.
SQL> grant ALTER SESSION to my_role;
Grant succeeded.
SQL> grant CREATE TABLE to my_role;
Grant succeeded.
SQL> grant my_role to <your user>;
Grant succeeded.
SQL>Same way you can grant other privileges to the role, and the user will automatically be granted.

Explanation of Process Default Roles: Administrator and Owner

HI experts,
I am having some trouble understanding the reason of the existence of the process default roles:
Administrator and Owner.
In the CAF-GP Security guide, it says that the Standard Process Role Administrator can "Maintain process instances using the GP administration tools"; what this means ?
My user has de GP Administration role and it DOESN`T have the Standard Process Role Administrator from ANY process, and I can maintain ALL the process instances from the Administration workset, I don´t need to have the Standard Process Role Administrator assigned to me.
The same happens with the Standard Process Role Owner ; the Security Guide says the person who is assigned that role can "Maintain process instances"; my question is: If i assign the "Owner" role to a user that doesn´t have the GP Administrator role and this user wants to "Maintain Process instances" where he has to go? because he won´t have the administration workset !.
Best regards,
Marco.

Hi Marco,
First, check this link: http://help.sap.com/saphelp_nw2004s/helpdata/en/d9/273a4209a6ae04e10000000a1550b0/content.htm
That will explain better the role of each role.
Itu2019s important to you understand that each process may have a responsible person (admin or overseer) that will monitor the progress of the process.
And you will have a u201CBASISu201D person that will have the GP Administrator role. This role allow to maintain process (with other kind of operations like terminate, complete step, etc.), maintain background queues, archiving, transport of objects, configurations, schedule and other admin tasks for all GP infrastructure.
Regards,
Reward points if itu2019s helpful.

Problem with role and user; user can't see the table

Hello forum,
I've created a role:
CREATE ROLE enr_service;
GRANT CONNECT TO enr_service;
GRANT ALL ON Locataires TO enr_service;
GRANT ALL ON Batiments TO enr_service;
GRANT ALL ON Sportifs TO enr_service;
GRANT SELECT ON Epreuves TO enr_service;
and also a user:
CREATE USER ENR1 IDENTIFIED BY password QUOTA UNLIMITED ON USERS;
GRANT enr_service TO ENR1;
ALTER USER ENR1 DEFAULT ROLE enr_service;
ALTER USER ENR1 DEFAULT TABLESPACE USERS;
I can connect to the database with this user but when I try to query a table he's been granted access to I get an error message:
SELECT * FROM Sportifs;
ORA-00942: table or view does not exists
I can't see what I've done wrong. Any help is appreciated.
Sebastian

user2019788 wrote:
Hello forum,
I've created a role:
CREATE ROLE enr_service;
GRANT CONNECT TO enr_service;
GRANT ALL ON Locataires TO enr_service;
GRANT ALL ON Batiments TO enr_service;
GRANT ALL ON Sportifs TO enr_service;
GRANT SELECT ON Epreuves TO enr_service;
and also a user:
CREATE USER ENR1 IDENTIFIED BY password QUOTA UNLIMITED ON USERS;
GRANT enr_service TO ENR1;
ALTER USER ENR1 DEFAULT ROLE enr_service;
ALTER USER ENR1 DEFAULT TABLESPACE USERS;
I can connect to the database with this user but when I try to query a table he's been granted access to I get an error message:
SELECT * FROM Sportifs;
ORA-00942: table or view does not exists
I can't see what I've done wrong. Any help is appreciated.
SebastianThat's probably because ENR1 doesn't have any table named SPORTIFS and he didn't qualify the table name with the schema name ...

SQL VS PLSQL privileges and grants

Hi all
Is there a difference in the way privileges are processed in SQL an PLSQL? I have a user that can select a table with sql, but in plsql the same query reports "table or view does not exist". Later, same thing happend with another user wich was DBA. User can query the v$session view, but can not do it from PLSQL procedure.
Why is that?
DB is 10.2.0.2

When you create named PLSQL (procedures, functions, packages, triggers, methods) the default is to use the definers rights model.
You can optionally use the invokers rights model.
With definers rights, you must have privileges on the referenced objects granted directly to you (not via a role).
Privileges granted via a role can be disabled in one session and enabled in another session - thus they are not reliably enabled.
The privileges are only checked at compile time and directly granted privileges will reliably be available - those based on a role are not reliably available.
If you create your named PLSQL with invokers rights, then the privileges are checked at parse time and can rely on session privileges which include role based privs.
So, either use direct grants and definers rights or user roles and invokers rights.

Default roles and grants

Similar Messages

Maybe you are looking for