Definer and Invoker Rights

If a package is defined as AUTHID CURRENT_USER but inside one of the procedures in the package it calls another package that is defined with DEFINER rights (default) does that called package execute with the invoker rights or definer rights?
Im trying to grant a user alter user privs then revoke it and I keep getting insuffcient priv error.
I think the called packaged is invoked with invoker rights not definer.

The owner of the called package has to have alter user privs WITH admin option.
It works now.

Similar Messages

  • Definer and Invoker Rights Privileges

    Hi all,
    I am little confused with Definer and Invoker Rights Privileges. As per my understanding when you have the definer rights on a procedure then you don't explicitly required any privileges on the object under that procedure.
    Can anyone pls explain me about this or provide me the useful link.
    Thanks in advance.

    when you have the definer rights on a procedure then you don't explicitly required
    any privileges on the object under that procedure.Exactly. Definer rights means that you run the program as though you were the program owner.
    It's explained in more detail in the PL/SQL Developers' Guide.
    Cheers, APC

  • Definer rights VS. invoker rights (same old story...)

    /Disclaimer:/
    Look, I know that this one has been discussed like hundreds of times already...
    Anyway, as I was browsing the forum yesterday, I have noticed this thread:
    Re: Different data dictionaries inside stored procedures?
    and it actually reminded me of a question I once had but never got the anwser.
    So, here goes...
    Imagine a pretty common situation of a DBA creating a new user account 'JOHN' and granting John some privileges:
    create user john identified by xxxxx default tablespace .... ;
    grant connect to john;
    grant create procedure to john;Afterwards John opens a session, creates the following PL/SQL procedure and executes it:
    create or replace procedure table_creator (tab_name varchar2)
    is
    begin
      execute immediate 'create table '||tab_name||' (n number)';
    end;
    exec table_creator('test')And we all know what happens:
    BEGIN table_creator('test'); END;
    ERROR at line 1:
    ORA-01031: insufficient privileges
    ORA-06512: at "JOHN.TABLE_CREATOR", line 5
    ORA-06512: at line 1Now, the 2 well-known solutions to this problem are:
    1) grant create table to john; (and thus do not rely on roles);
    2) create or replace procedure table_creator (tab_name varchar2) authid current_user is...
    My question is: which one of the two above is the best one?
    I mean, the first solution seems pretty straightforward, but then the question that emerges is why do we have roles anyway if we can't truly rely on them (?)
    As for the second one, there're issues like performance downgrade due to runtime name/privilege resolution, etc.
    Or is there some other way to go?
    Message was edited by:
    iferous

    // ACEs where r u ?!Oh don't Re: Needs another simple fix ! (Its been over 24hrs, nobody tried! Strange) Alex, I thought you were one of the good guys.
    Anyway, I expect a lot of the Aces are in the air right now, heading for 'Frisco.
    To your question:
    which one of the two above is the best one?It depends. Is John a developer or a user? If John is a developer then the DBA should grant him privileges explicitly. If John is a user then it is appropriate to use a role for his privileges and thus use the AUTHID CURRENT_USER approach.
    Note, I think this example is flawed because I would not expect a user to have a procedure which dynamically creates a table. Certainly I wouldn't expect John as a user to be creating procedures or to know about invoker rights. But the same model applies if the privilege is say SELECT access on another user's tables.
    the question that emerges is why do we have roles anyway if we can't truly rely on them (?)In my view ROLES are intended for managing users rather than developers. Generally I think this means granting table privileges to roles but not system privileges (although CREATE SESSION is an obvious exception). We should not use Roles for managing the privileges of developers, or for application owner accounts come to that. If the account has a schema it probably should have individually granted system privileges; as with most generalisations there is a grey area.
    Cheers, APC
    Message was edited by: inserting the crucial NOT that makes the sentence make sense
    APC

  • Invoker Rights and Triggers

    Let's say that a procedure is created with invoker rights which updates a table named Table_1. If table_1 has a trigger on it which updates another table named Table_2: Will the trigger update Table_2 if the user does not have rights on Table_2? Will the initial procedure fail in its update of Table_1? Thanks
    -Jeff

    The trigger itself has "owner rights", so it will always execute without error
    when someone updates table_1.
    The procedure will only fail if your user doesn't have the rights to modify
    table_1.

  • How to implement invoker rights in oracle 9i

    implement invoker rights in oracle 9i

    Invoker rights is a new model for resolving references to database elements in a PL/SQL program unit. From Oracle 8i onwards, we can decide if a program unit should run with the authority of the definer or of the invoker. This means that multiple schemas, accessing only those elements belonging to the invoker, can share the same piece of code.
    To enable code to run with Invoker rights, an AUTHID clause needs to be used before the IS or AS keyword in the routine header. The AUTHID clause tells Oracle whether the routine is to be run with the invoker rights (CURRENT_USER), or with the Owner rights (DEFINER). If you do not specify this clause, Oracle by default assumes it to be AUTHID DEFINER.
    create or replace procedure update_par(pi_parcod  in     varchar2,
                                           pi_val     in     varchar2,
                                           pio_status in out varchar2)
    authid current_user is
    begin
      pio_status = 'OK';
      update appparmst
      set    parval = pi_val
      where  parcod = pi_parcod
      and    rownum = 1;
      if sql%notfound then
        pio_status = 'Error in resetting the parameter';
      end if;
    end; Restriction in using Invoker rights
    1. When compiling a new routine, direct privileges are only considered to resolve any external references. Grants through roles are ignored. The same applies when executing a routine created with invoker rights.
    2. AUTHID is specified in the header of a program unit. The same cannot be specified for individual programs or methods within a package or object type.
    3. Definer rights will always be used to resolve any external references when compiling a new routine.
    4. Maintain extra caution on privileges being assigned to a different user. If the wrong privileges are assigned, a routine with invoker rights may have a mind of its own! Such issues would be difficult to debug. So ensure that the grants are perfectly in place.
    5. For an invoker rights routine referred in a view or a database trigger, the owner of these objects is always considered as the invoker, and not the user triggering it.
    ~ Madrid.

  • COMMIT needed for invoker rights proc?

    The following proc EXEC_PROC in a package named PKG_DYNAMIC_SQL is called by the proc RUN_PROCS which is in a different package shown below:
    PROCEDURE exec_proc (pi_proc_name IN varchar2 ,pi_acctky IN varchar2 )
    AS
    PRAGMA AUTONOMOUS_TRANSACTION;
    BEGIN
    EXECUTE IMMEDIATE 'BEGIN ' || pi_proc_name || '(:acctky );' || ' END;' USING IN pi_acctky ;
    END exec_proc;
    PROCEDURE run_procs(pi_proc_names_tab IN pkg_types.t_tab_proc_names)
    IS
    BEGIN
    FOR indx IN pi_proc_names_tab.FIRST .. pi_proc_names_tab.LAST
    LOOP
    pkg_dynamic_sql.EXEC_PROC ( pi_proc_names_tab(indx) ,pi_acctky) ;
    END LOOP;
    END run_procs;
    The pi_proc_name is a set of stand alone procs that do an UPDATE statement. I find that unless I have a COMMIT statement inside each pi_proc_name I get a RUN TIME ERROR. Am I right in saying that cause I have a BEGIN END ( Anonymous block) pair round the invocation of pi_proc_name I am using INVOKER RIGHTS? Has that something to do with the error when the called proc does not commit before it exits?
    Please help me understand why?

    does the called proc inherit the AUTONOMOUS TRANSACTION from the caller as in my example?No.
    Actually, I'm not sure what you mean:
    RUN_PROCS is calling EXEC_PROC (the autonomous transaction).
    So: RUN_PROCS is the caller, not EXEC_PROC.
    And I would only use autonomous transactions for error logging purposes. Nothing else.
    If I understand correctly you're executing several procedures dynamically and each procedure gets committed as a separate transaction, (since they're all autonomous, they cannot 'see' each other anymore, all transactional logic is gone) all in one loop. That's a classic recipe for disaster when unexpected things happen, and they will happen sooner or later.
    Are you sure it is safe to execute procedure 'Y' when procedure 'X' went into an error/committed 'the wrong' data/?
    In other words: I hope this whole approach a well thought-out strategy, but usually dynamic (PL/)SQL + autonomous transactions = trouble/breaking code/corrupting data.

  • GRC: defining and maintaining profile with GRC.

    Hi to all. 
    Some questions from operational staff: 
    1- With GRC, could I define and maintain and delete users, roles, profiles for all Sap systems I'm managing  ? 
    2- How GRC can help me to define and maintain and delete users, roles, profiles ? 
    3- Could GRC become  the only system I've to logon for define and maintain and delete users, roles, profiles ?
    Thanks a lot.

    Hi Alpesh,
    I was thinking that ERM (GRC RE module) and CUP ( GRC AE module) could be an help to create/maintain user/role/profile.
    Now you are writing me that ERM and CUP will substitute TA SU01/PFCG we are using now in development systems; We will maintain prod system via change request transports.
    So I'm realizing we will work only on GRC and we will transport what done in GRC via change request into all our Sap systems...
    It's right ?
    Thanks a lot for your answer.
    Regards

  • Where are my photos on the PC after sync with an iphone?  I know nobody out there is stupid enough to suggest to me that they are encrypted and inaccessible, right?  Seriously?  How stupid would Apple corporation have to be to do something like this?

    Where are my photos on the PC after synching with an iphone?  I know nobody out there is stupid enough to suggest to me that they are encrypted and inaccessible, right?  Seriously?  How stupid would Apple corporation have to be to do something like this? That would be just as foolish as making my music unusable on the PC...
    Okay, Let's assume that Apple is indeed THAT foolish.......How does one get the photos from the phone to the PC and still use them?

    The photos are still on your phone, and if enabled in your Photo Stream. They are not automatically transferred to your computer when syncing.
    See iOS: Import personal photos and videos from iOS devices to your computer and iCloud: My Photo Stream FAQ
    tt2

  • Bought iphone 5C on December. No additional warranty purchased. The phone keeps not working and the top and bottom right corners look melted. Can I send it in amd get a new one on manufacturer warranty? Or what are my options? Thanks

    I Purchased iphone 5C on December 2014. However now it's very difficult to have it working. The screen is constantly not working and the right side bottom&top does looks like its melted? the cover I mean , which maked the phone slide out of its cover. I did not purchase anny additional warranty or insurance so I don't know what to do with it? Can i send it in and they can send me a new one under the manufacturer warranty or what do i do with it?
    I Have alwa had an iphone but this 5c is making me never have one again. Thanks in advance

    Each iPhone comes with a one-year warranty. You said it looks melted? That's going to be difficult to prove that you did not damage it, and it happened on its own. That is the only way it would be covered.

  • Error Message on the printer - Remove and check right cartridge

    How to fix error message:  "remove and check right cartridge" which you have done numerous times, plus cleaned cartridge nozzle.  Also, I have turned off power to printer, but nothing changed.  Help for HP Officejet 7210 All-in-One needed.
    This question was solved.
    View Solution.

    Funny that multiple people have this problem appear just after 9/1 on multiple printers/all-in-ones. I wonder how many people have this problem and don't report it here. Mine is on a 2710a all-in-one in excellent condition except for this cartridge problem.
    My contacts are not suddenly damaged and it is a relatively new well within the expiration date genuine HP cartridge that we have had for more than a few months. It has not been out of the printer nor has the printer been moved. It sits in a clean room with very little temperature variation from 72 degrees. All printers should be so lucky.
    This is not the first time nor the first printer I've had cartridge problems with HP printers. This is my third one and I'm done with HP printers. I love all other aspects of the printer but this one is infuriating enough to sour me for good.

  • My Macbook Pro (OSX 10.6.7 2.26 GHz Intel Core 2 Duo) has started misbehaving on me. When I'm working, the cursor will start spontaneously moving to the left in a straight line, and randomly right clicking on things.  If I close the computer and open it b

    my Macbook Pro (OSX 10.6.7 2.26 GHz Intel Core 2 Duo) has started misbehaving on me. When I'm working, the cursor will start spontaneously moving to the in a straight line, and randomly right clicking on things.
    If I close the computer and open it back up, it sometimes stops for a little while, then will spontaneously start again. Any help would be truly appreciated. Thanks!

    See this knowledge base article. Also, you might want to update to 10.6.8 (don't know that that will fix your problem, but it's the latest version of Snow Leopard).
    Clinton

  • Proper user and group rights

    Dear readers and admins
    My question is about the "correct" setting of the user and group rights, so the following is possible. It relates to Server 10.3 and to 10.4.
    Requirements:
    Group 1 = "Regular user"
    Group 2 = "Administration, Accounting"
    User 1 and 2 belong to Group 1, users 3 and 4 belong to Group 2.
    User 1 & 2 must have read/write access to files and folders in Group 1, but may not have access to files and folders of Group 2.
    User 1 & 2 must be in a position of creation and deletion of file and directory of Group 1, as if they were their own files and directories. I.e. User 2 must be in a position to delete or change files and directories that an other user of Group 1 has created.
    User 3 & 4 must have read and write access to files and directories of Group 1 & 2. They must be able to creating and changing such files and directories, as if they were their own files and directories. I.e. User 3 & 4 must be able to create and change files and directories which belong to user 1 & 2.
    As I understand it, this can be achieved with ACL's under Server 10.6.
    Am I right?
    What would such a structure look like with ACL's?
    I unfortunately don't have a server 10.6 running, as, down due to technical problems, my server is down.
    Thank you in advance for your help.
    All a happy new year.
    Regards
    Thomas Thaler

    Yes - and it's pretty easy.
    1. You would create whatever share points you would like (very easy to do)
    2. You would make sure in Workgroup Manager you have the users assigned to the correct groups that you discussed.
    3. On the folders for Group 1 you would add ACL permissions of Full Control for Group 1 and Full Control for Group 2.
    4. On the folders for Group 2 you would add an ACL permission of Full Control for Group 2.

  • I just brought 15-inch macbook pro with retina display for about 3 weeks, will there be any refund or upgrade to my macbook due to the discount and upgraded right now

    I just brought 15-inch macbook pro with retina display for about 3 weeks, will there be any refund or upgrade to my macbook due to the discount and upgraded right now

    https://discussions.apple.com/thread/4806203?tstart=0

  • My macbook keeps freezing with the left side of the screen on the right and the right side of the screen on the left. Help

    My 17-inch early 2011 macbook pro keeps freezing on me.  The freeze usually occurs when I'm importing or exporting pictures, when I stream anything, or If I am watching a dvd.  The left side of the screen shifts to the right and the right side of the screen shifts to the left.  lines also appear on my screen and I can not force quit any open application.  I have not dropped my laptop at all. 
    Mac OSX Lion version 10.7.5
    2.2 Ghz Intel Core i7
    I would like to avoid going to the an apple store to fix this problem if possible.  The closest one to me is 40 miles away. 
    Help : )

    If you don't have the Applecare extended warranty then you will need to pay for the fix. The fix is a New Logic Board. It seems as your Graphics card is failing in some way. No there is no software fix for this.
    The Graphic chip is soldered to the logic board and the only way to change/fix it is to replace the complete logic board.
    Good Luck and Best Wishes

  • What can I do simply  to keep all my previous contents, (own pics, videos, etc.) on my previously authorized iPad on PC, but get a new authorisation and a right syncronization, without data loss with a new  iTunes on my new Mac?

    Friends,
    I already had an iPad(1) and its full contents (not only the purchased items, applications from Apple, but my all own pics, videos, songs etc.) is normally syncronized with an authorized PC (Windows) computer.
    Now,  I've bought a new MacBook Air computer, and want to sell my PC. But I don't know how to transfer (or syncronize) all of the contents from my previous iTunes on PC to the new one on the Mac.
    When I connected my iPad to my new MacBook Air, I promted, if I want to change authorization of my iPad to the MacBook.
    But also got a warning, that the new iTunes will delete from my iPad all my previously syncronized items, pics, videos and music, with the previously authorized  iTunes on the previous computer, expect the saved pics from the net.
    What can I do just like that, simply  to keep all my previous contents on my iPad, but have a new authorisation and a right syncronization, without data loss with the new  iTunes on my new Mac?
    Thanks a lot for your answer.
    ([email protected])

    Here are some instructions that I have posted several times that may be helpful to you as they have been to others. You can simply ignore anything that does not apply or that you have already done.
    As Alan stated above - transferring the iTunes library is the best first step. If you can transfer the iTunes library to the Mac, most of this will be unecessary for you to do.
    Very Important ....
    1. Authorize the computer.
    2. Turn off auto sync in iTunes
    3. Transfer purchases
    The text in italics is from the other thread - non italics are my words.
    The following was copied from this thread. This is essentially what you want to accomplish.
    https://discussions.apple.com/message/11527071#11527071
    1) Without connecting your iPad to your new computer, start iTunes. Click on iTunes. Click on Preferences. Click on Devices. Check the box next to "Prevent your iPod etc. from automatically syncing." Click OK.
    2) Now connect your iPad to your computer and start iTunes.
    3) When iTunes starts, right click on your iPad under Devices in the left column. Select Transfer purchases etc.
    4) After it finishes transferring all your apps to your computer, right click on your iPad and select Backup your iPad.
    5) After it finishes backing up your iPad, right click on your iPad and select Restore etc.
    6) After it finishes restoring, left click on your iPad , then click on the Apps tab on top, and check the box next to Sync Apps, then click on Apply below.
    If everything on your iPad looks good after the sync, go back and click on iTunes / Preferences / Devices and UN-check the box next to Prevent your iPod etc. The only other thing you may want to check is if your contacts, bookmarks, etc. are syncing correctly now. If not, go to the Info tab after connecting and make sure you indicate which features you want to sync with what sources.
    Read this thread and the support links as well. There are apps that you can purchase that will allow you to transfer photos from the iPad to your computer. Look at Photo Transfer App in the App store and you can search for others as well.
    https://discussions.apple.com/message/13016026#13016026
    This support site will help you with transferring iTunes music to your new computer.
    http://support.apple.com/kb/HT4527
    One final note - you may want to leave auto sync turned off - but that is totally up to you. I never did use auto sync.

Maybe you are looking for

  • Mail crashes

    Hello. Every time I want to open Mail it crashes with the following message: Can someone help me? I Crashed Thread:        31  -[MailApp _setSourceOnGmailLabels]  Dispatch queue: NSOperationQueue 0x60000005de20 :: NSOperation 0x60000084bf10 (QOS: LEG

  • Command to be executed in solaris machine to know the existing heap size

    Hi, I want to know the command to get the existing heap size of JVM. Java version is 1.5 and runs in solaris machine. Thanks Regards, Nanda

  • Mouse-over pic A to make pop up pic B ...

    Hi there! Could need a quick solution for this, cause my (too) limited HTML knowledge doesn't help a bit ... I have a permanent picture A which, while mouse-over, should make picture B pop up. A mouse-over at picture B area (which is again invisible

  • GB3 issues w/M-Audio & other Softsynth plug-ins?

    Gang: Anyone else exausted their install count trying to get Key Rig or Drum & Bass Rig (both M-Audio softsynths) to run as a "generator" sound source on the CoreDuo machines? Spent most of an evening trying to install these apps with the "Plug-In no

  • Sql Server Installing Issues

    Hello,            I am Manikumar, I am using Windows 8 Pro edition and i want install SQL Server 2012 RTM Version in my pc so my system configuration ,i have mentioned below Processor: AMD Althon(tm) 64 X2 Dual Core Processor  RAM: 1 gb System Type :