Execute CreateUser() Procedure without "create user" rights
Is it possible to create and execute a procedure that would use Dynamic SQL (or some other method) to create a user even though the user executing the procedure does not have "create user" privileges?
Thank You for any assistance
Yes, with a default definer's rights procedure, only the owner of the procedure would need the CREATE USER privilege. The invoker of the procedure would only need EXECUTE on the procedure.
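The arrangement described in this answer, as an added example rather than code from the thread: SEC_ADMIN (procedure owner), APP_USER (caller) and CREATE_APP_USER are hypothetical names, and the sample user name and password are constructed. Because the procedure builds DDL with dynamic SQL, the user name is validated with DBMS_ASSERT and the password is checked before it is concatenated.

```sql
-- Added example, not from the thread. SEC_ADMIN, APP_USER and
-- CREATE_APP_USER are hypothetical names.

-- As a DBA: grant the privilege directly to the owner. A grant that reaches
-- SEC_ADMIN only through a role is not in effect inside a definer's rights
-- procedure.
GRANT CREATE USER TO sec_admin;

-- As SEC_ADMIN:
CREATE OR REPLACE PROCEDURE sec_admin.create_app_user (
    p_username IN VARCHAR2,
    p_password IN VARCHAR2
)
AUTHID DEFINER   -- the default, spelled out: runs with SEC_ADMIN's privileges
IS
    l_user VARCHAR2(130);
BEGIN
    -- Raises ORA-44003 unless the value is a single valid SQL identifier
    -- (plain or properly double-quoted), so it cannot carry extra DDL text.
    l_user := DBMS_ASSERT.SIMPLE_SQL_NAME(p_username);

    -- DDL does not accept bind variables, so the password has to be
    -- concatenated. It is wrapped in double quotes below; reject any value
    -- that could close that quoting early.
    IF p_password IS NULL OR INSTR(p_password, '"') > 0 THEN
        RAISE_APPLICATION_ERROR(
            -20001,
            'Password must be non-empty and must not contain a double quote');
    END IF;

    -- PASSWORD EXPIRE forces the new account to choose its own password at
    -- first login, so the caller-supplied value is only a one-time secret.
    EXECUTE IMMEDIATE
        'CREATE USER ' || l_user ||
        ' IDENTIFIED BY "' || p_password || '"' ||
        ' PASSWORD EXPIRE';
END create_app_user;
/

-- As SEC_ADMIN: the caller gets EXECUTE on this one procedure and nothing else.
GRANT EXECUTE ON sec_admin.create_app_user TO app_user;

-- As APP_USER, who holds no CREATE USER privilege (constructed values):
BEGIN
    sec_admin.create_app_user('REPORT_READER', 'Chang3-me-now');
END;
/
```

Anyone granted EXECUTE on such a procedure can create accounts, so the grant itself should be treated as a delegation of CREATE USER.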
Similar Messages
Modify Script to Create User Role on Single Database.
Hi All,
Below is the script to create a user role on a database. The problem is that when I execute this script, it creates the user role for all databases within an instance, and I want it to create the user role only on 2 databases, say TEST1 and TEST2.
Can anyone help me to modify the script?
--===================================================================================
-- Description
-- Database Type: MSSQL
-- This script creates a role called 'gdmmonitor' for ALL databases.
-- It grants some system catalogs to this role to allow Classification and Assessment on the database.
-- It then adds a user called "sqlguard" to all databases and grants this user gdmmonitor role.
-- Before running this script
-- you MUST CREATE A SQL LOGIN CALLED 'sqlguard'
-- This sqlguard login doesn't need to be added to any database or given
-- any privilege. The script will take care of that.
-- Note:
-- If you wish to use a different login name (instead of 'sqlguard') you need to change
-- the value of the variable '@Guardium_user' in the script below;
-- (Look for the string: "set @Guardium_user = 'sqlguard'" and replace the 'sqlguard')
-- After running this script
-- Nothing to do, the script already creates the db user
-- User/Password to use
-- User: sqlguard (or any other name, if changed)
-- Pass: user defined
-- Role: gdmmonitor
--===================================================================================
PRINT '>>>==================================================================>>>'
PRINT '>>> Creating role: "gdmmonitor" at the server level.'
PRINT '>>>==================================================================>>>'
-- Change to the master database
USE master
-- *** If a different login name is desired, define it here. ***
DECLARE @Guardium_user AS varchar(50)
set @Guardium_user = 'sqlguard'
DECLARE @dbName AS varchar(256)
DECLARE @memberName AS varchar(256)
DECLARE @dbVer AS nvarchar(128)
SET @dbVer = CAST(serverproperty('ProductVersion') AS nvarchar)
SET @dbVer = SUBSTRING(@dbVer, 1, CHARINDEX('.', @dbVer) - 1)
IF (@dbVer = '8') SET @dbVer = '2000'
ELSE IF (@dbVer = '9') SET @dbVer = '2005'
ELSE IF (@dbVer = '10') SET @dbVer = '2008'
ELSE IF (@dbVer = '11') SET @dbVer = '2012'
ELSE SET @dbVer = '''Unsupported Version'''
IF (@dbVer != '2000')
BEGIN
-- This privilege is required to perform a specific MSSQL test.
-- Test name: SQL OLEDB disabled (DisallowAdhocAccess registry key)
-- Procedure execute: EXEC master.dbo.sp_MSset_oledb_prop
-- Purpose: To display provider property, not changing anything.
PRINT '==> Granting MSSSQL 2005 and above setupadmin server role'
EXEC master..sp_addsrvrolemember @loginame = @Guardium_user, @rolename = N'setupadmin'
END
SELECT @dbName = DB_NAME()
PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
-- find any members of the role if they exist
CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL)
INSERT INTO #rolemember
SELECT DISTINCT usr.name FROM dbo.sysusers usr, .dbo.sysmembers mbr
WHERE usr.uid = mbr.memberuid
AND mbr.groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
-- Drop the Role Members If they exist
IF EXISTS (SELECT count(*) FROM #rolemember)
BEGIN
PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Dropping member: ''' + @memberName + ''''
-- Pass the member name as a parameter instead of concatenating it into dynamic SQL
EXEC sp_droprolemember 'gdmmonitor', @memberName
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the role if it exists
IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
BEGIN
PRINT '==> Dropping the role gdmmonitor on: ' + @dbName
exec sp_droprole 'gdmmonitor'
END
-- Create the role
PRINT '==> Creating the role gdmmonitor on: ' + @dbName
exec sp_addrole 'gdmmonitor'
-- Grant select privileges to the role for MSSql Common
PRINT '==> Granting common SELECT privileges on: ' + @dbName
GRANT SELECT ON dbo.spt_values TO gdmmonitor
GRANT SELECT ON dbo.sysmembers TO gdmmonitor
GRANT SELECT ON dbo.sysobjects TO gdmmonitor
GRANT SELECT ON dbo.sysprotects TO gdmmonitor
GRANT SELECT ON dbo.sysusers TO gdmmonitor
GRANT SELECT ON dbo.sysconfigures TO gdmmonitor
GRANT SELECT ON dbo.sysdatabases TO gdmmonitor
GRANT SELECT ON dbo.sysfiles TO gdmmonitor
GRANT SELECT ON dbo.syslogins TO gdmmonitor
GRANT SELECT ON dbo.syspermissions TO gdmmonitor
-- Grant execute privileges to the role for MSSql Common
PRINT '==> Granting common EXECUTE privileges on: ' + @dbName
GRANT EXECUTE ON sp_helpdbfixedrole TO gdmmonitor
GRANT EXECUTE ON sp_helprotect TO gdmmonitor
GRANT EXECUTE ON sp_helprolemember TO gdmmonitor
GRANT EXECUTE ON sp_helpsrvrolemember TO gdmmonitor
GRANT EXECUTE ON sp_tables TO gdmmonitor
GRANT EXECUTE ON sp_validatelogins TO gdmmonitor
GRANT EXECUTE ON sp_server_info TO gdmmonitor
-- Check if the version is 2005 or greater
IF (@dbVer != '2000')
BEGIN
-- Grant select privileges to the role for MSSql 2005 and above
PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
GRANT SELECT ON sys.all_objects TO gdmmonitor
GRANT SELECT ON sys.database_permissions TO gdmmonitor
GRANT SELECT ON sys.database_principals TO gdmmonitor
GRANT SELECT ON sys.sql_logins TO gdmmonitor
GRANT SELECT ON sys.sysfiles TO gdmmonitor
GRANT SELECT ON sys.database_role_members TO gdmmonitor
GRANT SELECT ON sys.server_role_members TO gdmmonitor
GRANT SELECT ON sys.configurations TO gdmmonitor
GRANT SELECT ON sys.master_key_passwords TO gdmmonitor
GRANT SELECT ON sys.server_principals TO gdmmonitor
GRANT SELECT ON sys.server_permissions TO gdmmonitor
GRANT SELECT ON sys.credentials TO gdmmonitor
--This is called by master.dbo.sp_MSset_oledb_prop.
--By default it should have already been granted to public.
GRANT EXECUTE ON sys.xp_instance_regread TO GDMMONITOR
GRANT EXECUTE ON sys.sp_MSset_oledb_prop TO GDMMONITOR
END
-- Re-add the dropped members
IF EXISTS (SELECT 1 FROM #rolemember)
BEGIN
PRINT '==> Re-adding the role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Re-adding member: ''' + @memberName + ''''
-- Pass the member name as a parameter instead of concatenating it into dynamic SQL
EXEC sp_addrolemember 'gdmmonitor', @memberName
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- END of role creation on database
PRINT '==> END of role creation on: ' + @dbName
PRINT ''
-- Change to the msdb database
USE msdb
set @memberName = ''
SELECT @dbName = DB_NAME()
PRINT '==> Starting MSSql ' + @dbVer + ' role creation on database: ' + @dbName
-- find any members of the role if it exists
TRUNCATE TABLE #rolemember
INSERT INTO #rolemember
SELECT DISTINCT usr.name FROM .dbo.sysusers usr, .dbo.sysmembers mbr
WHERE usr.uid = mbr.memberuid
AND groupuid = (SELECT uid FROM .dbo.sysusers WHERE name = 'gdmmonitor')
-- Drop the Role Members If they exist
IF EXISTS (SELECT count(*) FROM #rolemember)
BEGIN
PRINT '==> Dropping the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Dropping member: ''' + @memberName + ''''
-- Pass the member name as a parameter instead of concatenating it into dynamic SQL
EXEC sp_droprolemember 'gdmmonitor', @memberName
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the role if it exists
IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = 'gdmmonitor')
BEGIN
PRINT '==> Dropping the gdmmonitor role on: ' + @dbName
exec sp_droprole 'gdmmonitor'
END
-- Create the role
PRINT '==> Creating the gdmmonitor role on: ' + @dbName
exec sp_addrole 'gdmmonitor'
-- Grant select privileges to the role for MSSql Common
PRINT '==> Granting common SELECT privileges on: ' + @dbName
GRANT SELECT ON dbo.sysobjects TO gdmmonitor
GRANT SELECT ON dbo.sysusers TO gdmmonitor
GRANT SELECT ON dbo.sysprotects TO gdmmonitor
GRANT SELECT ON dbo.sysmembers TO gdmmonitor
GRANT SELECT ON dbo.sysfiles TO gdmmonitor
GRANT SELECT ON dbo.syspermissions TO gdmmonitor
GRANT SELECT ON dbo.backupset TO gdmmonitor
-- Check if the version is 2005 or greater
IF (@dbVer != '2000')
BEGIN
-- Grant select privileges to the role for MSSql 2005 and above
PRINT '==> Granting MSSql 2005 and above SELECT privileges on: ' + @dbName
GRANT SELECT ON sys.all_objects TO gdmmonitor
GRANT SELECT ON sys.database_permissions TO gdmmonitor
GRANT SELECT ON sys.database_principals TO gdmmonitor
GRANT SELECT ON sys.sysfiles TO gdmmonitor
-- Grant execute privileges to the role for MSSql 2005 or above
PRINT '==> Granting MSSql 2005 and above EXECUTE privileges on: ' + @dbName
GRANT EXECUTE ON msdb.dbo.sp_enum_login_for_proxy TO gdmmonitor
GRANT SELECT ON sys.database_role_members TO gdmmonitor
END
IF (@dbVer > '2000' and @dbVer < '2012')
--This sp is not available in SQL 2012
BEGIN
GRANT EXECUTE ON sp_get_dtspackage TO gdmmonitor
END
-- Re-add the dropped members
IF EXISTS (SELECT count(*) FROM #rolemember)
BEGIN
PRINT '==> Re-adding the gdmmonitor role members on: ' + @dbName
DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember
OPEN DropCursor
FETCH DropCursor INTO @memberName
WHILE @@Fetch_Status = 0
BEGIN
PRINT '==> Re-adding member: ''' + @memberName + ''''
-- Pass the member name as a parameter instead of concatenating it into dynamic SQL
EXEC sp_addrolemember 'gdmmonitor', @memberName
FETCH DropCursor INTO @memberName
END
CLOSE DropCursor
DEALLOCATE DropCursor
END
-- drop the temporary table
DROP TABLE #rolemember
-- END of role creation on database
PRINT '==> END of gdmmonitor role creation on: ' + @dbName
-- Role creation complete
PRINT '<<<==================================================================<<<'
PRINT '<<< END of creating role: "gdmmonitor" at the server level.'
PRINT '<<<==================================================================<<<'
PRINT ''
PRINT '>>>==================================================================>>>'
PRINT '>>> Starting application database role creation'
PRINT '>>>==================================================================>>>'
use master
DECLARE @databaseName AS varchar(80)
DECLARE @executeString AS varchar(7950)
DECLARE @dbcounter as int
set @dbcounter = 0
DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases where name not in ('master', 'msdb')
and not (status & 1024 > 1)
--read only
and not (status & 4096 > 1)
--single user
and not (status & 512 > 1)
--offline
and not (status & 32 > 1)
--loading
and not (status & 64 > 1)
--pre recovery
and not (status & 128 > 1)
--recovering
and not (status & 256 > 1)
--not recovered
and not (status & 32768 > 1)
--emergency mode
OPEN DatabaseCursor
FETCH DatabaseCursor INTO @databaseName
WHILE @@Fetch_Status = 0
BEGIN
set @dbcounter = @dbcounter + 1
set @databaseName = '"' + @databaseName + '"'
set @executeString = ''
set @executeString = 'use ' + @databaseName + ' ' +
'PRINT ''>>>==================================================================>>>'' ' +
'PRINT ''>>> Starting MSSql ' + @dbVer + ' role creation on database: ' + @databaseName + ''' ' +
'PRINT ''>>>==================================================================>>>'' ' +
'/* Variable @memberNameDBname must be declare within the string or else it will fail */ ' +
'DECLARE @memberName' + cast(@dbcounter as varchar(5)) + ' as varchar(50) ' +
'/*find any members of the role if it exists*/ ' +
'CREATE TABLE #rolemember (membername VARCHAR(256) NOT NULL) ' +
'INSERT INTO #rolemember ' +
'SELECT DISTINCT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr ' +
'WHERE usr.uid = mbr.memberuid ' +
'AND groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'/*Drop the Role Members If they exist*/ ' +
'IF EXISTS (SELECT * FROM #rolemember) ' +
'BEGIN ' +
'PRINT ''==> Dropping the role members on: ' + @databaseName + ''' ' +
'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
'OPEN DropCursor ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'WHILE @@Fetch_Status = 0 ' +
'BEGIN ' +
'PRINT ''==> Dropping member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'EXEC sp_droprolemember ''gdmmonitor'', @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'END ' +
'CLOSE DropCursor ' +
'DEALLOCATE DropCursor ' +
'END ' +
'/*drop the role if it exists*/ ' +
'IF EXISTS (SELECT 1 FROM .dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'BEGIN ' +
'PRINT ''==> Dropping the gdmmonitor role on: ' + @databaseName + ''' ' +
'exec sp_droprole ''gdmmonitor'' ' +
'END ' +
'/* Create the role */ ' +
'PRINT ''==> Creating the gdmmonitor role on: ' + @databaseName + ''' ' +
'exec sp_addrole ''gdmmonitor'' ' +
'/* Grant select privileges to the role for MSSql Common */ ' +
'PRINT ''==> Granting common SELECT privileges on: ' + @databaseName + ''' ' +
'GRANT SELECT ON dbo.sysmembers TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysobjects TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysprotects TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysusers TO gdmmonitor ' +
'GRANT SELECT ON dbo.sysfiles TO gdmmonitor ' +
'GRANT SELECT ON dbo.syspermissions TO gdmmonitor ' +
'/* Check if the version is 2005 or greater */ ' +
'IF (' + @dbVer + ' != ''2000'') ' +
'BEGIN ' +
'/* Grant select privileges to the role for MSSql 2005 and above */ ' +
'PRINT ''==> Granting MSSql 2005 and above SELECT privileges on: ' + @databaseName + ''' ' +
'GRANT SELECT ON sys.database_permissions TO gdmmonitor ' +
'GRANT SELECT ON sys.all_objects TO gdmmonitor ' +
'GRANT SELECT ON sys.database_principals TO gdmmonitor ' +
'GRANT SELECT ON sys.sysfiles TO gdmmonitor ' +
'GRANT SELECT ON sys.database_role_members TO gdmmonitor ' +
'END ' +
'/* Re-add the dropped members */ ' +
'IF EXISTS (SELECT 1 FROM #rolemember) ' +
'BEGIN ' +
'PRINT ''==> Re-adding the gdmmonitor role members on: ' + @databaseName + ''' ' +
'DECLARE DropCursor CURSOR FOR SELECT membername from #rolemember ' +
'OPEN DropCursor ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'WHILE @@Fetch_Status = 0 ' +
'BEGIN ' +
'PRINT ''==> Re-adding member: '' + @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'EXEC sp_addrolemember ''gdmmonitor'', @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'FETCH DropCursor INTO @memberName' + cast(@dbcounter as varchar(5)) + ' ' +
'END ' +
'CLOSE DropCursor ' +
'DEALLOCATE DropCursor ' +
'END ' +
'/* drop the temporary table */ ' +
'DROP TABLE #rolemember ' +
'PRINT ''<<<==================================================================<<<'' ' +
'PRINT ''<<< END of role creation on: ' + @databaseName + ''' ' +
'PRINT ''<<<==================================================================<<<'' ' +
'PRINT '' ''' +
'PRINT '' '''
execute (@executeString)
FETCH DatabaseCursor INTO @databaseName
END
CLOSE DatabaseCursor
DEALLOCATE DatabaseCursor
-- Adding user to all the databases
-- and grant gdmmonitor role, only if login exists.
PRINT '>>>==================================================================>>>'
PRINT '>>> Add and Grant gdmmonitor role to: ''' + @Guardium_user + ''''
PRINT '>>> on all databases.'
PRINT '>>>==================================================================>>>'
USE master
/* Check whether the login @Guardium_user exists; if not, do nothing. */
IF NOT EXISTS (select * from syslogins where name = @Guardium_user)
BEGIN
PRINT ''
PRINT '************************************************************************'
PRINT '*** ERROR: Could not find the login: ''' + @Guardium_user + ''''
PRINT '*** Please add the login and re-run this script.'
PRINT '************************************************************************'
PRINT ''
END
ELSE
BEGIN
DECLARE @counter AS smallint
set @counter = 0
-- This loop runs 4 times just to make sure that the @Guardium_user gets added to all dbs.
-- 99% of the time, this is totally unnecessary. But in some rare cases on SQL 2005
-- the loop skips some databases when it tries to add the @Guardium_user.
-- After two to three executions, the user is added in all the dbs.
-- Might be a SQL Server bug.
WHILE @counter <= 3
BEGIN
set @counter = @counter + 1
set @databaseName = ''
set @executeString = ''
DECLARE DatabaseCursor CURSOR FOR SELECT name from sysdatabases
where not (status & 1024 > 1)
--read only
and not (status & 4096 > 1)
--single user
and not (status & 512 > 1)
--offline
and not (status & 32 > 1)
--loading
and not (status & 64 > 1)
--pre recovery
and not (status & 128 > 1)
--recovering
and not (status & 256 > 1)
--not recovered
and not (status & 32768 > 1)
--emergency mode
OPEN DatabaseCursor
FETCH DatabaseCursor INTO @databaseName
WHILE @@Fetch_Status = 0
BEGIN
set @databaseName = '"' + @databaseName + '"'
set @executeString = ''
set @executeString = 'use ' + @databaseName + ' ' +
'/*Check if the login already has access to this database */ ' +
'IF EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
'BEGIN ' +
'/*Check if login already have gdmmonitor role*/ ' +
'IF NOT EXISTS (SELECT usr.name FROM dbo.sysusers usr, dbo.sysmembers mbr WHERE usr.uid = mbr.memberuid ' +
'AND mbr.groupuid = (SELECT uid FROM dbo.sysusers WHERE name = ''gdmmonitor'') ' +
'AND usr.name = ''' + @Guardium_user + ''') ' +
'BEGIN ' +
'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
'PRINT '' ''' +
'END ' +
'END ' +
'IF NOT EXISTS (select * from sysusers where name = ''' + @Guardium_user + ''' and islogin = 1) ' +
'BEGIN ' +
'PRINT ''==> Adding user [' + @Guardium_user + '] to database: ' + @databaseName + ''' ' +
'execute sp_adduser [' + @Guardium_user + '] ' +
'PRINT ''==> Granting gdmmonitor role to ' + @Guardium_user + ' on database ' + @databaseName + ''' ' +
'execute sp_addrolemember ''gdmmonitor''' + ', [' + @Guardium_user + '] ' +
'PRINT '' ''' +
'END '
execute (@executeString)
FETCH DatabaseCursor INTO @databaseName
END
CLOSE DatabaseCursor
DEALLOCATE DatabaseCursor
END -- end while
-- Required for Version 2005 or greater.
IF (@dbVer != '2000')
BEGIN
-- Grant system privileges to the @guardium_user. This is a requirement for >= SQL 2005
-- or else some system catalogs will filter our result from assessment test.
-- This will show up in sys.server_permissions view.
PRINT '==> Granting catalog privileges to: ''' + @Guardium_user + ''''
execute ('grant VIEW ANY DATABASE to [' + @Guardium_user + ']' )
execute ('grant VIEW ANY DEFINITION to [' + @Guardium_user + ']' )
END
PRINT '<<<==================================================================<<<'
PRINT '<<< Finished Adding and Granting gdmmonitor role to: ''' + @Guardium_user + ''''
PRINT '<<< on all databases.'
PRINT '<<<==================================================================<<<'
PRINT ''
END
GO

Thanks a lot Sir... it worked.
Can you also help me in troubleshooting the issue below?
This script is working fine on all databases except one MS SQL 2005 database. The build of this database is 9.00.3042.00.
The SA account with the highest privileges is being used for script execution. The errors received are as follows:
>>>==================================================================>>>
>>> Creating role: "gdmmonitor" at the server level.
>>>==================================================================>>>
==> Granting MSSSQL 2005 and above setupadmin server role
==> Starting MSSql 2005 role creation on database: master
(0 row(s) affected)
==> Dropping the gdmmonitor role members on: master
==> Creating the role gdmmonitor on: master
Msg 15002, Level 16, State 1, Procedure sp_addrole, Line 16
The procedure 'sys.sp_addrole' cannot be executed within a transaction.
==> Granting common SELECT privileges on: master
Msg 15151, Level 16, State 1, Line 117
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 118
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 119
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 120
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 121
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 122
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 123
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 124
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 125
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 126
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
==> Granting common EXECUTE privileges on: master
Msg 15151, Level 16, State 1, Line 130
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 131
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 132
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 133
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 134
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 135
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 136
Cannot find the user 'gdmmonitor', because it does not exist or you do not have permission.

Problem in executing a procedure ?
Hello ,
I have this procedure :
CREATE OR REPLACE procedure FUNDINFO.clonestockpos2
is
v_tab number;
begin
select count(*)
into v_tab
from tab
where TNAME = 'STOCKPOS2_TEMP';
if v_tab > 0 then
EXECUTE IMMEDIATE ' drop table STOCKPOS2_TEMP ';
EXECUTE IMMEDIATE ' create table STOCKPOS2_TEMP as select * from STOCKPOS2 ';
else
EXECUTE IMMEDIATE ' create table STOCKPOS2_TEMP as select * from STOCKPOS2 ';
end if;
end;
/
I'm trying to execute it, but it gives me this error:
exec FUNDINFO.clonestockpos2
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "FUNDINFO.CLONESTOCKPOS2", line 13
ORA-06512: at line 1
What privilege is missing, I don't know?

Privileges granted through roles are not valid in PL/SQL.
Connect with a DBA user and give an explicit grant to the user that is trying to execute the procedure:
GRANT CREATE TABLE TO FUNDINFO;
-- DROP TABLE is not a grantable system privilege in Oracle (only DROP ANY TABLE is);
-- FUNDINFO can already drop tables in its own schema, so no second grant is needed.
Max
http://oracleitalia.wordpress.com

Execute any procedure for developers
Hello,
our developers want the privilege "execute any procedure" because the self-programmed application needs execute on unknown procedures. (Oracle 10.2) It's the application-administrator-user on which the development has full access.
On AskTom I read that "execute any procedure" is extremely powerful and should not be granted to normal users.
I would like to know, if this is only not recommended for O7_DICTIONARY_ACCESSIBILITY=true or under any circumstances.
Any ideas how we can find out, which procedures are used by this user? Or on the other hand, which are the risky elements from "execute any procedure"?
Any arguments against giving this privilege are welcome, I have to give a statement on this.
Thanks,
M.Hannibal

Ok. I just browsed through Asktom for this issue and it is true that there are NO risks highlighted over there after granting "EXECUTE ANY PROCEDURE" to a user.
Though, I would like to put forth the following points.
1. Some of the procedures/functions in SYS are not supposed to be used by normal database users (results can be unpredictable).
2. Upon grant of this privilege, the user can execute procedures of any schema in the database. This can be problematic if a user of the PAYROLL schema starts executing procedures of the FINANCE schema and changes all accounts (kind of) related information.
In your situation, you can handle this by creating a DDL trigger in the schema where the procedure will be created. Via the trigger, grant execute on this procedure to the user under which the application is going to run.
Thus you will have control over the procedure execution and you can easily track down the problem if something goes wrong (as you will then know who can execute a particular procedure).

Schedule a job(execute a procedure periodically)
As I explained in the subject, I want to schedule a job which executes a procedure without parameters on the Oracle management system. Then I schedule the job as "on interval" and "1 minutes". But when I monitor the job status, there is no change. It says submitted. What is wrong? Could you explain how it is done, with an example?
thanks.
Message was edited by: user554973

You need to be a bit clearer on what you're monitoring. What "status" stays unchanged?
Some basics. When a job is submitted an entry is made into the Job Queue (a data dictionary table). The views DBA_JOBS, USER_JOBS and ALL_JOBS are views on this table.
When the job is to be executed, it is executed by a job queue process. There is a pool of these Job Processes that checks the job queue and execute jobs in the queue. Such a Job Process will have an entry in the V$SESSION virtual view.
To monitor the status of the actual executing job, requires you to look at the active sessions on the database and not at the job queue. Looking at the Job Queue is not looking at the actual process running and executing the job.
So what status is being looked at here? What status do you want, or do you expect to see?

How can I dynamically create users ?
Hi,
My application needs to programmatically create users and roles. Is there any special
API for doing that or do I have to use JMX? Can I use JNDI in order to create LDAP
users ?
Kind regards,
Nicolas DUMINIL

"Nicolas DUMINIL" <[email protected]> wrote in message news:3f8d785d$[email protected]..
> Hi,
> My application needs to programmatically create users and roles. Is there any special
> API for doing that or do I have to use JMX? Can I use JNDI in order to create LDAP
> users?
You can use the UserEditor mbean createUser api to create users in the default authenticator embedded ldap server. You can also use jndi and ldap to create users. Or you can use a LDAP SDK product.
Search the newsgroup via google for some examples of the usereditor calls.
There is no easy way to create roles programmatically.

"GRANT EXECUTE ANY PROCEDURE TO " does not work in some cases
Hello,
In some of my PL/SQL packages I'm using DBMS packages.
Because I don't want to grant access for every single package, I granted EXECUTE ANY PROCEDURE to the user/schema of my packages.
This did work in several installations.
But for whatever reason, in one installation DBMS_RANDOM cannot be used (DBMS_RANDOM must be declared). If I explicitly grant execute on this package, it works. When I revoke it and renew the ANY PROCEDURE, it doesn't again.
What's wrong?
Version 11.2.0.2 on Win2008R2
Regards,
Mynz

Mynz wrote:
> Hello,
> In some of my PL/SQL packages I'm using DBMS packages.
> Because I don't want to grant access for every single package, I granted EXECUTE ANY PROCEDURE to the user/schema of my packages.
> This did work in several installations.
> But for whatever reason, in one installation DBMS_RANDOM cannot be used (DBMS_RANDOM must be declared). If I explicitly grant execute on this package, it works. When I revoke it and renew the ANY PROCEDURE, it doesn't again.
> What's wrong?

Privileges acquired via ROLE do NOT apply within named PL/SQL procedures/functions.

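This reply and the earlier ORA-01031 answer both rest on the rule that role-granted privileges are not in effect inside named definer's rights PL/SQL. The queries below are an added example, not taken from either post, showing how a schema owner can tell a direct grant from a role grant; the privilege and package names are the ones from the two threads, and only roles granted directly to the user are followed.

```sql
-- Added example. Run in SQL*Plus while connected as the schema that owns the
-- PL/SQL (FUNDINFO in the ORA-01031 thread).

-- 1. System privileges granted directly to this user (or to PUBLIC).
--    These are the ones in effect inside a definer's rights procedure.
SELECT username, privilege
FROM   user_sys_privs
WHERE  privilege IN ('CREATE TABLE', 'EXECUTE ANY PROCEDURE')
ORDER  BY privilege;

-- 2. The same privileges when they arrive through a role granted to this
--    user. Roles granted to other roles are not followed here.
SELECT rp.granted_role, sp.privilege
FROM   user_role_privs rp
       JOIN role_sys_privs sp ON sp.role = rp.granted_role
WHERE  sp.privilege IN ('CREATE TABLE', 'EXECUTE ANY PROCEDURE')
ORDER  BY rp.granted_role, sp.privilege;

-- 3. Object grants visible to this user on the package from the DBMS_RANDOM
--    thread: shows whether EXECUTE was granted to the user, a role or PUBLIC.
SELECT grantee, privilege
FROM   all_tab_privs
WHERE  table_schema = 'SYS'
AND    table_name   = 'DBMS_RANDOM'
ORDER  BY grantee;

-- 4. Reproduce the procedure's view of the world in the current session:
--    with all roles disabled, SESSION_PRIVS lists only what a definer's
--    rights procedure owned by this user could rely on.
SET ROLE NONE;

SELECT privilege
FROM   session_privs
WHERE  privilege IN ('CREATE TABLE', 'EXECUTE ANY PROCEDURE')
ORDER  BY privilege;

-- A privilege that appears in query 2 but not in query 1, and is missing from
-- SESSION_PRIVS after SET ROLE NONE, is held only through a role.
-- Reconnect afterwards to get the default roles back.
```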
Can anyone let me know the step by step procedure for creating userexits?
Hi all,
Can anyone let me know the step by step procedure for creating user exits, for any transaction code like mm01 or vd01? If you have any docs, send them across to my email id: [email protected]
Thanks in advance
hari

Hi,
*& Report ZEXITFINDER
report zexitfinder.
*& Enter the transaction code that you want to search through in order
*& to find which Standard SAP User Exits exists.
*& Tables
tables : tstc, "SAP Transaction Codes
tadir, "Directory of Repository Objects
modsapt, "SAP Enhancements - Short Texts
modact, "Modifications
trdir, "System table TRDIR
tfdir, "Function Module
enlfdir, "Additional Attributes for Function Modules
tstct. "Transaction Code Texts
*& Variables
data : jtab like tadir occurs 0 with header line.
data : field1(30).
data : v_devclass like tadir-devclass.
*& Selection Screen Parameters
selection-screen begin of block a01 with frame title text-001.
selection-screen skip.
parameters : p_tcode like tstc-tcode obligatory.
selection-screen skip.
selection-screen end of block a01.
*& Start of main program
start-of-selection.
* Validate Transaction Code
select single * from tstc
where tcode eq p_tcode.
* Find Repository Objects for transaction code
if sy-subrc eq 0.
select single * from tadir
where pgmid = 'R3TR'
and object = 'PROG'
and obj_name = tstc-pgmna.
move : tadir-devclass to v_devclass.
if sy-subrc ne 0.
select single * from trdir
where name = tstc-pgmna.
if trdir-subc eq 'F'.
select single * from tfdir
where pname = tstc-pgmna.
select single * from enlfdir
where funcname = tfdir-funcname.
select single * from tadir
where pgmid = 'R3TR'
and object = 'FUGR'
and obj_name = enlfdir-area.
move : tadir-devclass to v_devclass.
endif.
endif.
* Find SAP Modifications
select * from tadir
into table jtab
where pgmid = 'R3TR'
and object = 'SMOD'
and devclass = v_devclass.
select single * from tstct
where sprsl eq sy-langu
and tcode eq p_tcode.
format color col_positive intensified off.
write:/(19) 'Transaction Code - ',
20(20) p_tcode,
45(50) tstct-ttext.
skip.
if not jtab[] is initial.
write:/(95) sy-uline.
format color col_heading intensified on.
write:/1 sy-vline,
2 'Exit Name',
21 sy-vline ,
22 'Description',
95 sy-vline.
write:/(95) sy-uline.
loop at jtab.
select single * from modsapt
where sprsl = sy-langu and
name = jtab-obj_name.
format color col_normal intensified off.
write:/1 sy-vline,
2 jtab-obj_name hotspot on,
21 sy-vline ,
22 modsapt-modtext,
95 sy-vline.
endloop.
write:/(95) sy-uline.
describe table jtab.
skip.
format color col_total intensified on.
write:/ 'No of Exits:' , sy-tfill.
else.
format color col_negative intensified on.
write:/(95) 'No User Exit exists'.
endif.
else.
format color col_negative intensified on.
write:/(95) 'Transaction Code Does Not Exist'.
endif.
* Take the user to SMOD for the Exit that was selected.
at line-selection.
get cursor field field1.
check field1(4) eq 'JTAB'.
set parameter id 'MON' field sy-lisel+1(10).
call transaction 'SMOD' and skip first screen.
look in txn CMOD or SMOD, check enhancement 0VRF0001. It uses function module EXIT_SAPL0VRF_001. It is used to manipulate route determination for SD.
Here is the code
DATA: ls_xvbpa LIKE xvbpa,
lf_aland LIKE tvst-aland,
lf_azone LIKE tvst-azone,
lf_lland LIKE trolz-lland,
lf_lzone LIKE trolz-lzone,
ls_vbadr LIKE vbadr,
ls_xvbap LIKE xvbap,
ls_tvst LIKE tvst,
lv_route LIKE trolz-route.
LOOP AT xvbap INTO ls_xvbap.
IF NOT ls_xvbap-vstel IS INITIAL.
SELECT SINGLE * FROM tvst
INTO ls_tvst
WHERE vstel EQ ls_xvbap-vstel.
IF sy-subrc = 0.
lf_aland = ls_tvst-aland.
lf_azone = ls_tvst-azone.
ENDIF.
ENDIF.
READ TABLE xvbpa INTO ls_xvbpa WITH KEY vbeln = ls_xvbap-vbeln
posnr = ls_xvbap-posnr
parvw = 'Q1'.
IF sy-subrc = 0.
CALL FUNCTION 'SD_ADDRESS_GET'
EXPORTING
fif_address_number = ls_xvbpa-adrnr
IMPORTING
fes_address = ls_vbadr
EXCEPTIONS
address_not_found = 1
address_type_not_exists = 2
no_person_number = 3
OTHERS = 4.
IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
ELSE.
lf_lland = ls_vbadr-land1.
lf_lzone = ls_vbadr-lzone.
ENDIF.
ENDIF.
CALL FUNCTION 'SD_ROUTE_DETERMINATION'
EXPORTING
i_aland = lf_aland
i_azone = lf_azone
i_lland = lf_lland
i_lzone = lf_lzone
IMPORTING
e_route = lv_route
EXCEPTIONS
no_route_found = 1
departure_error = 2
destination_error = 3
invalid_generic_key = 4
customer_exit_error = 5
OTHERS = 6.
IF sy-subrc <> 0.
MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
ELSE.
ls_xvbap-route = lv_route.
MODIFY xvbap FROM ls_xvbap TRANSPORTING route.
ENDIF.
ENDLOOP.
For information on Exits, check these links
http://www.sap-img.com/abap/a-short-tutorial-on-user-exits.htm
http://www.sapgenie.com/abap/code/abap26.htm
http://www.sap-img.com/abap/what-is-user-exits.htm
http://wiki.ittoolbox.com/index.php/HOWTO:Implement_a_screen_exit_to_a_standard_SAP_transaction
http://www.easymarketplace.de/userexit.php
http://www.sap-img.com/abap/a-short-tutorial-on-user-exits.htm
http://www.sappoint.com/abap/userexit.pdf
User-Exit
http://www.planetsap.com/userexit_main_page.htm
User-Exits
http://www.sap-img.com/abap/a-short-tutorial-on-user-exits.htm
http://www.sap-img.com/ab038.htm
http://www.planetsap.com/userexit_main_page.htm
http://www.sap-basis-abap.com/sapab013.htm
http://sap.ittoolbox.com/documents/popular-q-and-a/user-exits-for-the-transaction-code-migo-3283
Reward points
Regards
-
Steps to create user exit Macro
Hello,
Can anyone share the step-by-step procedure to create a user exit macro for the APO DP planning book?
Regards,
Manish
Hi Manish,
Please see OSS note 418801.
Regards,
Alexander
-
Procedure for creating a user and assigning him a role
Hi folks,
has anyone of you a procedure for creating a user and then assigning him a special role?
The procedure has 2 arguments, username and password. I think that it's an easy one but I
have not found the right packages.
Thanks
create or replace procedure new_user(username_in IN VARCHAR2, password_in IN VARCHAR2) is
  C_TEMP_TSP CONSTANT VARCHAR2(30) := 'TEMP';
  C_DEFAULT_TSP CONSTANT VARCHAR2(30) := 'USERS';
  C_DEFAULT_ROLE CONSTANT VARCHAR2(30) := 'SPECIALROLE';
begin
  execute immediate 'create user ' || username_in ||
                    ' identified by ' || password_in ||
                    ' default tablespace ' || C_DEFAULT_TSP ||
                    ' temporary tablespace ' || C_TEMP_TSP;
  execute immediate 'grant '|| C_DEFAULT_ROLE ||' to '||username_in;
end new_user;
-
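The new_user procedure in the answer above concatenates both arguments straight into DDL, so anyone allowed to execute it controls statement text that runs with the owner's CREATE USER privilege. A hardened variant follows as an added example (not the original poster's code); the names new_user_checked and provisioning_app are hypothetical, and it assumes the owning schema holds CREATE USER directly and is able to grant SPECIALROLE.

```sql
-- Added example, not part of the original thread.
-- Assumption: the owner holds CREATE USER through a direct grant; privileges
-- held only through a role are not available in a definer's rights procedure.
CREATE OR REPLACE PROCEDURE new_user_checked (
  username_in IN VARCHAR2,
  password_in IN VARCHAR2
) AUTHID DEFINER IS
  c_temp_tsp     CONSTANT VARCHAR2(30) := 'TEMP';
  c_default_tsp  CONSTANT VARCHAR2(30) := 'USERS';
  c_default_role CONSTANT VARCHAR2(30) := 'SPECIALROLE';
  l_user         VARCHAR2(130);
BEGIN
  -- Raises ORA-44003 unless the input is a single simple SQL identifier,
  -- so input carrying extra clauses or statements never reaches the DDL.
  l_user := DBMS_ASSERT.SIMPLE_SQL_NAME(username_in);

  -- The password is not an identifier. It is placed between double quotes,
  -- so a double quote inside it would end the quoted string early.
  IF password_in IS NULL OR INSTR(password_in, '"') > 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'password is empty or contains a double quote');
  END IF;

  EXECUTE IMMEDIATE 'create user ' || l_user ||
                    ' identified by "' || password_in || '"' ||
                    ' default tablespace ' || c_default_tsp ||
                    ' temporary tablespace ' || c_temp_tsp;

  -- Role and tablespaces are constants, never caller input.
  EXECUTE IMMEDIATE 'grant ' || c_default_role || ' to ' || l_user;
END new_user_checked;
/

-- Callers need only EXECUTE on the procedure, not CREATE USER.
-- provisioning_app is a hypothetical account name.
GRANT EXECUTE ON new_user_checked TO provisioning_app;
```

Because the procedure runs with its owner's rights, the EXECUTE grant is the access control: give it to the one account that provisions users rather than to PUBLIC.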
Creating Support Messages from Satellite System without SolMan user account
Hi
We are having some problems with users "creating support message" from our ECC system to SolMan, if the user does not have a user account in Solution Manager.
It is not correct, that users from Satellite systems can create support messages from these systems, without the user having an account in Solution Manager? And that the user is identified by the business partner for the user, that must exist in the Solution Manager system ?
We have set up the RFC for the supportmessages between SolMan and the ECC system as trusted RFC, with the "Current user" as the user, but how should this be set up, if the user does not have an account in the Solution Manager system. If we enter a user with the right authorizations in the RFC, will the messages that come through not just appear as created by that user, instead of the ECC user and corresponding business partner ?
Regards
Lars
Hi,
you can use the user for the RFC connection in that case. I have customized a similar scenario. In my scenario the system from which the message was created is the business partner (SOLD-TO-PARTY). For that you have to create a communication user (i.e. SOLMAN<SYSID>). In TA SM59 in the satellite system you assign this user for the connection. (Don't forget to assign the user to the role "SAP_SV_FDB_NOTIF_BC_ADMIN".) Now it should be possible to create messages from the satellite system to the Solution Manager. Additionally you should create a business partner for each user of the satellite system, by using TA DSWP>EDIT>CREATE BUSINESS PARTNER.
With this TA, it is easy to create BP for each satellite system.
Best regards
Marc
-
How do I install SN without creating a user?
I am selling one of my Mac Pro's.
I'll reformat the disk and install a fresh system, but how do I do that without creating a user account?
Right after installing OS X the computer has to be rebooted, and that's when one creates a user account.
Should I just turn the machine off after the install instead of rebooting?
In fact, I'd like the buyer to enjoy the multi-language 'Welcome' intro, just like when one buys a new Mac and turns it on for the first time.
Thanks for any tips on that.
YaY! Cool! You guys rock!
I'll give it a try next week. I'm currently archiving/cleaning everything.
Thank you
-
How to create tables and views and procedures in other users as one
HI to all,
I am having a user named vijay and i am trying to create the tables in user srini as user vijay
in user vijay i'm having tables
1. company
2. department
i wrote one procedure
create or replace procedure sp_createobjects{short_name in varchar2}
{my openbracket key is not working so that i put open braces here}
as
cursor table_name is select object_name from dba_tables where object_type = 'TABLE';
var_table_name varchar2{1000};
begin
open table_name;
loop
fetch table_name into var_table_name;
execute immediate 'create table ' || short_name || '.' || var_table_name || ' as select * from '||var_table_name;
end loop;
end;
The procedure is created successfully, but when I am trying to execute the procedure it is throwing the error as insufficient privileges.
My 2nd question is how to create the procedures into the other user?
Thanks in advance
First of all, your query "from dba_tables where object_type = 'TABLE'" returns all tables, not just the tables of the user vijay.
So there are two possibilities, you may be getting the error because you cannot select from another user's table or you may be getting the error because you cannot create a table under the user srini. To create tables in another schema you need the "create any table" privilege.
-
How to create Users/Roles for ldap in weblogic without using admin console
Is it possible to create Users/Roles for ldap in weblogic without using admin console? if possible what are the files i need to modify in DefaultDomain?
or is there any ant script for creating USers/Roles?
Regards,
Raghu.
Hi..
You can use wlst or jmx to perform all security config etc.. same as if it were performed from the admin console..
.e.g. wlst create user
..after connecting to admin server
serverConfig()
cd("/SecurityConfiguration/your_domain_name/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator")
cmo.createUser("userName","Password","UserDesc")
..for adding/configuring a role
cd("/SecurityConfiguration/your_domain_name/Realms/myrealm/RoleMappers/XACMLRoleMapper")
cmo.createRole('','roleName', 'userName')
...see the mbean docs for all the different attributes, operations etc..
..Mark.
-
Grant execute to newly created user upon user creation
Hi
I have a procedure test in schema of user1.
I have to grant exec on this procedure to the new user upon creation of the new user.
like upon
create user USER1 identified by ....
then USER1 should be able to execute user1.test after that
in short every user created should have grant to execute this procedure.
Please suggest.
Thanks in Advance
Hello, if you have a procedure in the schema of user1 then the user is user1, i.e., you cannot be creating a new user if user1 owns the test procedure.
To grant execute for a user on a procedure, just run:
GRANT EXECUTE ON user1.TEST TO <new_user>;
If you want to allow every user to execute this procedure then run something like:
BEGIN
  FOR cur_rec IN (SELECT username FROM ALL_USERS WHERE username NOT IN ('SYS','SYSTEM'))
  LOOP
    -- Quote the name so mixed-case or special-character usernames still resolve
    EXECUTE IMMEDIATE 'GRANT EXECUTE ON user1.test TO "' || cur_rec.username || '"';
  END LOOP;
END;
/
And that will grant execute on the procedure for all users.