Execute any procedure for developers

Hello,
our developers want the privilege "execute any procedure" because the self-programmed application needs execute on unknown procedures. (Oracle 10.2) It's the application-administrator-user on which the development has full access.
On AskTom I read that "execute any procedure" is extremely powerful and should not be granted to normal users.
I would like to know, if this is only not recommended for O7_DICTIONARY_ACCESSIBILITY=true or under any circumstances.
Any ideas how we can find out, which procedures are used by this user? Or on the other hand, which are the risky elements from "execute any procedure"?
Any arguments against giving this privilege are welcome, I have to give a statement on this.
Thanks,
M.Hannibal

OK. I just browsed through AskTom for this issue and it is true that there are NO risks highlighted over there after granting "EXECUTE ANY PROCEDURE" to a user.
Though, I would like to put forth the following points.
1. Some of the procedures/functions in SYS are not supposed to be used by normal database users (results can be unpredictable).
2. Upon grant of this privilege, the user can execute procedures of any schema in the database. This can be problematic if a user of the PAYROLL schema starts executing procedures of the FINANCE schema and changes all accounts (kind of) related information.
In your situation, you can handle this by creating a DDL trigger in the schema where the procedure will be created. Via the trigger, grant execute on this procedure to the user under which the application is going to run.
Thus you will have control over the procedure execution and you can easily track down the problem if something goes wrong (as you will then know who can execute a particular procedure).
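
The audit the question asks for (which procedures the account really calls) and the move from the ANY privilege to explicit grants, as an added example that is not part of the original thread. APP_ADMIN is a hypothetical name for the application account, and step 4 assumes the AUDIT_TRAIL initialization parameter is set to DB.

```sql
-- Added example, run as a DBA. APP_ADMIN is a hypothetical account name.

-- 1. Is the data dictionary excluded from ANY privileges?
--    With FALSE, EXECUTE ANY PROCEDURE does not cover objects owned by SYS,
--    so SYS packages still need an explicit GRANT EXECUTE.
SELECT name, value
FROM   v$parameter
WHERE  UPPER(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- 2. Which database users hold EXECUTE ANY PROCEDURE, either directly
--    or through a chain of nested roles?
SELECT h.grantee
FROM  (SELECT DISTINCT grantee
       FROM  (SELECT grantee, privilege    AS granted FROM dba_sys_privs
              UNION ALL
              SELECT grantee, granted_role AS granted FROM dba_role_privs)
       START WITH granted = 'EXECUTE ANY PROCEDURE'
       CONNECT BY PRIOR grantee = granted) h
JOIN   dba_users u ON u.username = h.grantee
ORDER  BY h.grantee;

-- 3. What the privilege exposes: stored code in other non-SYS schemas
--    that the account could call without any object grant.
SELECT owner, object_type, COUNT(*) AS objects
FROM   dba_objects
WHERE  object_type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE')
AND    owner NOT IN ('SYS', 'APP_ADMIN')
GROUP  BY owner, object_type
ORDER  BY owner, object_type;

-- 4. Record every procedure call made by the application account.
--    Leave this on for a period that covers normal use of the application.
AUDIT EXECUTE PROCEDURE BY app_admin BY ACCESS;

--    Afterwards, list the foreign procedures and packages it really used.
SELECT owner, obj_name, COUNT(*) AS calls, MAX(timestamp) AS last_call
FROM   dba_audit_trail
WHERE  username    = 'APP_ADMIN'
AND    action_name = 'EXECUTE PROCEDURE'
AND    owner      <> 'APP_ADMIN'
GROUP  BY owner, obj_name
ORDER  BY owner, obj_name;

-- 5. Generate one explicit grant per object seen in the audit trail.
--    Review the generated statements before running them.
SELECT DISTINCT
       'GRANT EXECUTE ON "' || owner || '"."' || obj_name || '" TO app_admin;' AS stmt
FROM   dba_audit_trail
WHERE  username    = 'APP_ADMIN'
AND    action_name = 'EXECUTE PROCEDURE'
AND    owner      <> 'APP_ADMIN';

-- 6. Once the explicit grants are in place, drop the ANY privilege
--    and stop the extra auditing.
REVOKE EXECUTE ANY PROCEDURE FROM app_admin;
NOAUDIT EXECUTE PROCEDURE BY app_admin;
```

If the privilege reaches the account through a role, query 2 still lists the account; revoke it from the role or remove the role from the account instead of using the direct REVOKE in step 6.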

Similar Messages

  • Why doesn't the "grant execute any procedure" work?

    Hi to all.
    I want to grant the execute privilege for all SYS schema functions/procedures. To achieve it I do the following:
    SQL> connect sys/*****@orcl
    Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.4.0
    Connected as SYS
    SQL> create user test identified by test;
    User created
    SQL> grant create session to test;
    Grant succeeded
    SQL> grant execute any procedure to test;
    Grant succeeded
    According to the [http://download.oracle.com/docs/cd/B19306_01/server.102/b14200/statements_9013.htm] the "grant execute any procedure" - grants Execute procedures or functions, either standalone or packaged.
    So, the steps seem to be right. Then, I try to connect to the test user and execute any procedure from the SYS schema, for example, dbms_lock.sleep:
    SQL> connect test/test@dizzy/orcl
    Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.4.0
    Connected as test
    SQL> begin
    2 sys.dbms_lock.sleep(1);
    3 end;
    4 /
    begin
    sys.dbms_lock.sleep(1);
    end;
    ORA-06550: line 3, column 1:
    PLS-00201: identifier 'SYS.DBMS_LOCK' must be declared
    ORA-06550: line 3, column 1:
    PL/SQL: Statement ignored
    So, the execution fails due to insufficient rights. However, the direct grant on the sys.dbms_lock works!
    SQL> connect sys/*****@dizzy/orcl as sysdba
    Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.4.0
    Connected as SYS
    SQL> grant execute on dbms_lock; to test;
    grant execute on dbms_lock; to test
    ORA-00911: invalid character
    SQL> grant execute on dbms_lock to test;
    Grant succeeded
    SQL> connect test/test@dizzy/orcl
    Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.4.0
    Connected as test
    SQL> begin
    2 sys.dbms_lock.sleep(1);
    3 end;
    4 /
    PL/SQL procedure successfully completed
    So, to be sure that the grant on any procedure from the definite scheme is given, should I avoid giving the execute any procedure grant?
    P.S. Is there any special tag for code?
    Thanks in advance.

    Sybrand, thank you for the reply.
    You are right. I tried to connect by another user NOT SYS and created the function:
    SQL> create user testic identified by i;
    User created
    SQL> grant create session, execute any procedure to testic;
    Grant succeeded
    SQL> create or replace function get1 return number is
      2  begin
      3  return 1;
      4  end;
      5  /
    Function created
    SQL> connect testic/i@orcl
    Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.4.0
    Connected as testic
    SQL> select get1 from dual;
    select get1 from dual
    ORA-00904: "GET1": invalid identifier
    SQL> select kaisa_rgali.get1 from dual;
          GET1
             1
    Thank you for the tag. This is exactly what I asked about.
    Finally, I tried to open the hyperlink http://download.oracle.com/docgs/cd/B10501_01/server.920/a96521/privs.htm but it failed.

  • "GRANT EXECUTE ANY PROCEDURE TO " does not work in some cases

    Hello,
    In some of my PL/SQL packages I'm using DBMS packages.
    Because I don't want to grant access for every single package, I granted EXECUTE ANY PROCEDURE to the user/schema of my packages.
    This did work in several installations.
    But for whatever reason, in one installation DBMS_RANDOM cannot be used (DBMS_RANDOM must be declared). If I explicitly grant execute on this package, it works. When I revoke it and renew the ANY PROCEDURE, it doesn't again.
    What's wrong?
    Version 11.2.0.2 on Win2008R2
    Regards,
    Mynz

    Mynz wrote:
    Hello,
    In some of my PL/SQL packages I'm using DBMS packages.
    Because I don't want to grant access for every single package, I granted EXECUTE ANY PROCEDURE to the user/schema of my packages.
    This did work in several installations.
    But for whatever reason, in one installation DBMS_RANDOM cannot be used (DBMS_RANDOM must be declared). If I explicitly grant execute on this package, it works. When I revoke it and renew the ANY PROCEDURE, it doesn't again.
    What's wrong?
    Privileges acquired via a ROLE do NOT apply within named PL/SQL procedures/functions.

  • Execute any procedure???

    In order to execute the job at the allotted time, the user needs to be able to create a procedure and execute it.
    But is the execute any procedure privilege required to enable scheduling?
    What could be the reason?
    This allows the user to run procedures created by other users, right?

    Hi Visakh
    From my own notes here is what I have:
    Setting up Workbook Scheduling
    ==============================
    The workbook scheduling feature in Discoverer uses native features in the Oracle DBMS, and is therefore only available when running against the Oracle database. This feature uses the same highly scalable and reliable processing procedures within the kernel, since the summary management capability and the setup for both features is similar. These procedures use standard packages in the DBMS called DBMS_JOB.
    To enable the processing procedures for workbook scheduling in Discoverer, follow these steps:
    A. Grant Schedule Workbook Privilege to the user.
    B. Confirm that DBMS_JOBS has been installed.
    C. Specify result set storage.
    D. Set the time period at which the process kicks in.
    These procedures are described in the following sections:
    A.  Grant Schedule Workbook Privilege to the User
    The user must be granted the Schedule Workbooks privilege in the Privileges dialog. Connect to the Administration Edition, and grant the Schedule Workbooks privilege in Tools | Privileges dialog.
    B.   Confirming that DBMS_JOBS is Installed
    1. Log onto SQL*Plus as the Administrator, and execute the following SQL statement:
    SQL> select * from all_objects where object_name='DBMS_JOB' and object_type = 'PACKAGE';
    2. If you get no rows returned you need to install this package. Your DBA will know how to do it.
    C.  Specifying Result Set Storage
    When a scheduled workbook is run, the results are stored in database tables within the database. The resulting data created as part of the workbook scheduling process may be stored in one of two areas: the user's own schema or a centralized schema.
    User's Schema
    In order to enable workbook scheduling in the user's own database schema, the user requires the following database privileges:
    Create Procedure - needed to create the job
    Create Table - needed to create temporary holding table(s) for the results, each run of the same scheduled worksheet produces a new temporary table - see general notes at end for more help
    Create View - needed to pull the results from the database
    You will also need these three grants:
    SELECT ON SYS.V_$PARAMETER;
    EXECUTE ON SYS.DBMS_JOB; won't be able to execute the job without this
    UNLIMITED TABLESPACE; needed to stop user's schema running out of space while creating the table(s) of results. Discoverer does not leave it to the DBA to set artificial limits. The only way it knows for certain that it will have enough is to have this privilege.
    As you can see, execute any procedure is not needed.
    When the schedule is first created a view is created. This allows Discoverer to run that view at the scheduled time using whatever conditions and parameters you have set. The results are populated into the table when the query is run. If you subsequently have multiple sets of results you will see them named T1, T2 and so on.
    To grant these privileges, do the following:
    1. Log onto SQL*Plus or SQLDBA as the Database Administrator.
    2. Type the following:
    SQL> Grant CREATE PROCEDURE to <USER>;
    SQL> Grant CREATE TABLE to <USER>;
    SQL> Grant CREATE VIEW to <USER>;
    where <USER> is the userid of the person who is to be allowed to schedule workbooks.
    These privileges must be granted directly to the user and not to a database role.
    Advantages: A database limit can be specified on the maximum amount of data a user can store in the database. If the result set is stored under the user's schema, then you keep control over the maximum amount of space one individual user can fill with result sets. If the user creates a scheduled workbook that fills that space, it affects only his/her own scheduled workbook.
    Disadvantage: The user is required to have the above privileges in the database.
    Repository User's Schema
    In order to enable workbook scheduling using a centralized repository user's schema, the SQL script batchusr.sql must be run in SQL*Plus or SQLDBA as a database administrator (such as, SYSTEM). This script creates a new user that is granted the above privileges.
    In addition, the administrator of the EUL must change the user so that the Repository User property is pointing to the repository user's schema just created. The centralized repository user's schema may be customized by the database administrator for space management purposes and underlying data access.
    NOTE: SELECT ANY TABLE access is given by the script batchusr.sql, but this may be limited provided the repository user's schema is granted access to the underlying data that will be accessed for workbook scheduling.
    The repository user created will not be able to directly schedule a workbook through the User Edition.
    Advantages: Each user does not need DML procedures to run scheduled workbooks.
    Disadvantages: One user can potentially run a scheduled workbook that fills the available result set space, preventing other scheduled workbooks from running until it is cleared.
    D.  Setting the Start Time for Workbook Processing
    The workbook processes run within the database on the server, and are controlled by parameters in the initialization file of the Oracle DBMS - the INIT<SID>.ORA file.
    To limit the number of processing requests that can run simultaneously:
    The parameter job_queue_processes specifies the number of concurrent processes to use to process DBMS_JOB. It controls the number of processing requests that can be handled simultaneously. The default value is zero, which means processing requests will not be created. You should set it to a minimum of 2 or more if you have any other applications that use DBMS_JOB.
    You need more than one job queue process, because if one job fails for any reason, it may keep getting re-submitted, and thus, prevent everything else in the queue from being completed. If you want to have 10 simultaneous processing requests handled, then you will need to set this to 10.
    The INIT<SID>.ORA parameter job_queue_interval is the time in seconds that controls how often the job processes wake up to process pending jobs. The default is 60, which is quite frequent. What you set this to depends on how frequently you want the process to wake up and serve the requests that have been made. Oracle recommends that you update the 60 seconds default to at least 10 minutes (a value of 600).
    NOTE: This parameter also affects summary management.
    To enable these parameters:
    1. Locate the INIT<SID>.ORA file.
    For example, on Personal Oracle7 the INIT<SID>.ORA file is held in <ORACLE_HOME>\database. Its default name is INITORCL.ORA where ORCL is the <SID> name.
    2. Enter 2 lines into the file. For example:
    job_queue_processes = 2
    job_queue_interval = 600 (equivalent to 10 minutes)
    GENERAL NOTES:
    The summary management and workbook scheduling features both use this scheduling capability within the Oracle DBMS. The interval you specify and the number of concurrent requests affect both features.
    The results from the worksheet are held in a temporary table until you remove the results or you delete the scheduled workbook.
    Tables look like this: EUL5_B060914015847Q1R1
    Views look like this: EUL5_B060914015847Q1V1
    These temporary tables are stored within the schema of the user who owns the workbook - not within the standard EUL schema. The format of the table is as follows:
    EUL5_B060914015847Q1R1 which can be broken into six separate pieces.
    These pieces are as follows:
    EUL5_ B YYMMDD HHMISS Q9 R9, where
    EUL5_ is a fixed name
    B means Batch and is a constant
    YYMMDD is the date that the worksheet was run,
    HHMISS is the time when the worksheet was run, the time is in the 24 hour clock format,
    Q9 means this is the letter Q followed by a number - E.g. Q1, which signifies the query number. I believe Oracle have some plans to allow multiple queries but for now this is always Q1,
    R9 means this is the letter R followed by a number - E.g. R1, R2 and so on. This is the run number.
    Using the above logic therefore, this is a valid example:
    EUL5_B090914015847Q1R1
    This means this is result set number 1 for query 1, run at 1:58:46 AM on 14th September 2009.
    So if you can figure out which worksheet was scheduled and when it was run you can build a view that sits on top of the latest table to give you the latest results. Something else which adds interest here is that the column names within the table do not match the column names as in your original query. The scheduled results column names use generic names such as BRVC1, BRVC2, BRD1, BRD2, BRN1 and BRN2.
    These are codes and can be interpreted as follows:
    BRVC1 and BRVC2 mean Batch Result Var Char 1 and 2,
    BRD1 and BRD2 mean Batch Result Date 1 and 2,
    BRN1 and BRN2 mean Batch Result Number 1 and 2
    Best wishes
    Michael

  • FLOWS_030000 and the EXECUTE ANY PROCEDURE privilege

    Our database security is cracking down on schemas with the EXECUTE ANY PROCEDURE privilege. I was wondering if FLOWS_030000 needs to have the EXECUTE ANY PROCEDURE privilege? Could everything function correctly without it? Is there any other permission(s) that you could give it instead of the EXECUTE ANY PROCEDURE privilege?

    We (the developers) are inclined to say that this privilege can be revoked, after installation, with no adverse effects. But we have not yet proven that. If you revoke the privilege and have no problems, do let us know. We will strive to reduce the privileges of the FLOWS_xxxxxx schema in this way in post-3.1 versions.
    Keep in mind that after doing this should you need to contact Oracle Support with an Application Express problem that you should grant that privilege back and reproduce the problem before doing so, just to rule that out as a factor, and you should inform Oracle Support of this modified configuration.
    Scott

  • EXECUTE ANY PROCEDURE issue

    Hi,
    I have read somewhere that EXECUTE ANY PROCEDURE is one of the most dangerous privileges. Could you please help me understand it? I mean, how exactly is this privilege dangerous, and if it is at all, then what is the purpose of providing this privilege as a built-in privilege?
    Thanks in advance.
    Onkar

    onkar.nath wrote:
    I do agree that when we assign any privilege with ANY, it has security risk as it allows the user to perform activity in any of the existing schemas in the system but my concern here is:
    1. Why at all this gets created when it is a security threat?
    Because there is always a DBA, who needs to perform system wide things.
    2. I was also told that having this privilege, any user can execute one specific procedure attaining DBA privilege. Is that correct? If so then how?
    Check the second response of this thread.
    Thanks
    regards

  • About "EXECUTE ANY PROCEDURE" privilege

    I found in our EBS system that a new user is granted the "EXECUTE ANY PROCEDURE" privilege by default and it seems I cannot revoke it. Is this supposed to be?

    What is the application release?
    EBS: 12.1.1
    database: 11.1.07.0
    Is this new user a custom user or seeded one?
    It is a custom user. I used the admin account to create a new user. I only explicitly granted the create session privilege.
    Do you get any error when you try to revoke it?
    No error. It works fine.
    If this is a custom schema user, you need to verify why this privilege was granted to the user and what is the impact if you revoke it (try it on a test instance first).
    It seems to be granted by default. The impact is that the user has more privileges than it is supposed to have.

  • Does GRANT CREATE ANY PROCEDURE auto grants EXECUTE on created obj to user?

    I have a User ABC which has GRANT CREATE ANY PROCEDURE on schema XYZ. Now, I create a new Function in schema XYZ using my ID ABC named "func123". My question is, would my User ID ABC being creator of func123 be able to EXECUTE it by default ???
    Note: ID ABC has not been explicitly given GRANT EXECUTE on this func123 function, neither it has GRANT EXECUTE ANY PROCEDURE on schema XYZ.
    Thanks in advance.

    There is no such thing as 'create any procedure on schema xyz'. When a user has create any procedure, he can create a procedure in any schema, including SYS.
    You have an unprotected and unsecured database by granting this powerful privilege to multiple users.
    Also when you create a procedure in a different schema, that schema becomes the owner, not the user creating it.
    Kindly brush up your basics and (re)read documentation.
    Sybrand Bakker
    Senior Oracle DBA

  • Grant execute any function or package

    Hi,
    Does the below command give execute privileges on functions and packages too?
    grant execute any procedure to <user>;
    When I give the same for function it gives the following error,
    SQL> grant execute any function to user2;
    grant execute any function to user2
    ERROR at line 1:
    ORA-00990: missing or invalid privilege
    Thanks.

    EXECUTE ANY PROCEDURE grants permission to all procedures and all functions, whether stand alone or packaged.
    Hopefully, you're well aware of this, but the various ANY privileges, like EXECUTE ANY PROCEDURE, are exceptionally powerful. You want to be very cautious about granting those privileges because they can introduce a number of security holes.
    Justin

  • OWB10gR2 grant_upgrade_privileges.sql: EXECUTE ANY PROC & SELECT ANY TAB

    Hi,
    Has anyone an idea why the privileges EXECUTE ANY PROCEDURE and SELECT ANY TABLE need to be granted to target schemas (see script grant_upgrade_privileges.sql)?
    How do you convince your DBAs to run such a script on production DBs?
    Thanks for any input
    Maurice

    Seems to me that this should simply be filed as a bug.
    lucky for me, our DBA didn't notice :)

  • Execute the Procedure automatically

    Hello,
    is it possible to execute a procedure for example every 5 minutes automatically?

    VARIABLE jobno number;
    BEGIN
       -- Submit PROC to run now and then again every 5 minutes (5/1440 of a day)
       DBMS_JOB.SUBMIT(:jobno,
          'proc;',
          SYSDATE, 'SYSDATE + 5/1440');
       commit;
    END;
    /
    See here for more information:
    Re: trigger to copy old data
    http://download-west.oracle.com/docs/cd/B10501_01/appdev.920/a96612/d_job2.htm#1002030

  • DEBUG ANY PROCEDURE

    Oracle 9.2.0.6, soon to be 11.1.0.7...
    Please double-check my understanding of the documentation.
    We have at least one developer who likes to use the PL/SQL Debugger functionality, which requires DEBUG ANY PROCEDURE (http://docs.oracle.com/cd/B10501_01/appdev.920/a96590/adg10pck.htm#37819).
    Our system DBAs are wisely hesitant in granting an "ANY" privilege. My understanding is that even though this privilege has "ANY" in the name, it is not highly privileged like ALTER ANY TABLE, EXECUTE ANY PROCEDURE, etc.
    Should I (or the system DBAs) have any reservation with this privilege in development and test environments?
    The SQL reference notes that it is equivalent to granting DEBUG on every applicable object. (http://docs.oracle.com/cd/B10501_01/server.920/a96540/statements_912a.htm#2075179).
    If I read this right, and if a DBA will not grant DEBUG ANY PROCEDURE, I should be able to grant DEBUG on each PL/SQL object to the developer to get the same result?
    Thanks

    In my opinion, DEBUG is quite a safe privilege. It will not alter the procedure.
    However, I still chose not to grant it in the Prod environment since it may cause locking issues (library cache pin).

  • Checking for EXECUTE priviledges on any Procedure or Function

    Hi All,
    I know that the table DBA_SYS_PRIVS can be used to check the privileges for any object.
    But after querying the view, I could see the privileges on diff packages and other tables but could not find any Procedure or Function name (standalone or packaged) in the view.
    Where else could I find the same?
    Having execute privilege on a complete package means having the same on its contents (procs, functions etc.). Is this right?
    Rgds,
    Aashish S.

    Aashish,
    You have object privileges (CREATE TABLE, ALTER TABLE) and system privileges (ALTER SYSTEM, ALTER USER). They serve different purposes.
    DBA_SYS_PRIVS is for system privileges only.
    You can not have seen privileges on packages, at least not EXECUTE privileges.
    These are in DBA_TAB_PRIVS.
    Packages are granted at the package level.
    Sybrand Bakker
    Senior Oracle DBA

  • Error while executing procedure for excel upload

    Hi Friends
    Pl. find below error while executing procedure for loading excel data. pl. verify and suggest for any changes in the format of data.
    Rgds
    SriG

    If reading Excel as a database you would use "Access LSLINK"
    Access external means you are reading a file. I don't think it is possible to treat Excel as a file because the internal structure is complex.
    In the past I have saved the Excel as a CSV or as a tab-delimited file. Then I use something like
    ACCESS External
      USE &filename
      BEGIN
        DESCRIPTION free ,
        Variables text 20
        Organisation text 20
        'July 2008' numeric 20
        'August 2008' numeric 20
        'September 2008' numeric 20
        'October 2008' numeric 20
        'November 2008' numeric 20
        'December 2008' numeric 20
        'January 2009' numeric 20
        'February 2009' numeric 20
        'March 2009' numeric 20
        'April 2009' numeric 20
        'May 2009' numeric 20
        'June 2009' numeric 20
      END
      peek
      read
    ... quit the access sub system
    END

  • If there is any restriction for procedure input parameter

    Hello expert,
    I create an Oracle procedure, with an input parameter, but when I used this procedure in SAP BO, it showed the following error message:
    " a database error occured. the database error text is : cannot parse the stored procedure query: unable to parse stored procedure specification . (WIS 10901)"
    I found if I input a value for this parameter including '&', above error displayed.
    so , will you please tell me if there is any restriction for procedure input parameter?
    Many Thanks,

    843178 wrote:
    I create an Oracle procedure, with an input parameter, but when I used this procedure in SAP BO, it showed the following error message:
    " a database error occured. the database error text is : cannot parse the stored procedure query: unable to parse stored procedure specification . (WIS 10901)"
    This is not an Oracle error message. Such a message will have an ORA error code (or PLS code). Neither can stored procedures be executed as queries. They need to be executed via anonymous PL/SQL code blocks.
    So from the sounds of it, the problem in your case is that the PL/SQL procedure call is incorrectly made.
    Calling a PL/SQL procedure needs 2 basic things:
    - make the call code using an anonymous PL/SQL code block
    - use bind variables for passing input and output parameters
