Grant access to sub-package via hdbsql

Hi All,
I am having trouble running an hdbsql command in a shell script and wondering if anyone could help. (I am running HANA DB SP6, Revision 60)
Basically, I would like to give a user REPO.READ access to the Competition sub-package as shown below.
I am attempting to use the following command:
su - <sid>adm -c "hdbsql -i <##> -u SYSTEM -p <password> \ "GRANT REPO.READ on "ERPSIM.Competition" to USER\""
but I am getting this error - "424: invalid name of package COMPETITION: line 1 col 7 (at pos 6) SQLSTATE: HY000"
The weird thing is that that SQL command will work as intended if I run it in HANA Studio, but not when I run it through hdbsql. Also, if I do a GRANT REPO.READ on ERPSIM.ERPSIM, it will successfully authorize the user for the ERPSIM package.
Does anyone know how to authorize a user for a sub-package via a hdbsql script?
Thanks in advance!
Jerad

SAP Support was able to resolve this issue for me. The following syntax allowed me to assign privileges for a sub-package via hdbsql:
su - <sid>adm -c "hdbsql -i <##> -u SYSTEM -p <password> \"GRANT REPO.READ on \\\"ERPSIM.Competition\\\" to USER\""
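
The quoting layers behind the error and the fix above, as an added example that is not part of the original thread. It assumes a constructed stand-in `fake_hdbsql` (prints the SQL argument it receives), `sh -c` in place of `su - <sid>adm -c`, and a made-up instance number; `dq_escape` is a hypothetical helper that generates the extra escaping. HANA folds unquoted identifiers to upper case, which matches the COMPETITION in error 424.

```shell
#!/bin/sh
# Added example. fake_hdbsql is a constructed stand-in for hdbsql: it prints
# its last argument, i.e. the SQL text the real client would send to HANA.
# `sh -c` plays the part of `su - <sid>adm -c`, which also hands the command
# string to a second shell for another round of quote processing.

PRELUDE='fake_hdbsql() { for a in "$@"; do last=$a; done; printf "%s\n" "$last"; }; '

# sql_seen_by_client CMD: run CMD in a second shell and return the SQL text
# that reaches the client after both rounds of parsing.
sql_seen_by_client() {
    sh -c "${PRELUDE}$1"
}

# dq_escape TEXT (hypothetical helper): escape \ " $ and ` so that TEXT
# survives inside a double-quoted word of the inner shell.
dq_escape() {
    printf '%s' "$1" | sed 's/[\\"$`]/\\&/g'
}

# One level of escaping (assumed shape of the failing command): the inner
# shell treats the quotes around ERPSIM.Competition as shell quoting and
# removes them, so the client receives an unquoted identifier.
demo_unescaped() {
    sql_seen_by_client "fake_hdbsql -i 00 -u SYSTEM \"GRANT REPO.READ on \"ERPSIM.Competition\" to USER\""
}

# The form from SAP Support: \\\" becomes \" after the outer shell and a
# literal " after the inner shell, so the identifier stays quoted.
demo_escaped() {
    sql_seen_by_client "fake_hdbsql -i 00 -u SYSTEM \"GRANT REPO.READ on \\\"ERPSIM.Competition\\\" to USER\""
}

# Same result without hand-counting backslashes: write the SQL once in
# single quotes and let dq_escape add the inner-shell escaping.
demo_generated() {
    sql='GRANT REPO.READ on "ERPSIM.Competition" to USER'
    sql_seen_by_client "fake_hdbsql -i 00 -u SYSTEM \"$(dq_escape "$sql")\""
}

printf 'one level of escaping : %s\n' "$(demo_unescaped)"
printf 'escaped as in the fix : %s\n' "$(demo_escaped)"
printf 'generated escaping    : %s\n' "$(demo_generated)"
```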

Similar Messages

  • Grant access to package in schema2 from schema1- how? Or...

    Hi
    I am trying to test utPLSQL. utPLSQl is installed in schema1@instance1 and the package that I need to test is located in schema2@instance1.
    How can I access package to be tested present in schema2 from schema1? The package has a number of procedures accessing many tables etc.
    GRANT EXECUTE ON SCHEMA.PACKAGE TO USER
    Will this be enough?

    If the schema2.package_name has been successfully compiled using defining user authorization (default) and not current user authorization then yes all any other username requires to use the package and perform any DML activity defined in the package is an "execute" grant on the package.
    In the case of current user authorization then the executing user would also need DML grants on the referenced objects.
    HTH -- Mark D Powell --

  • How can I grant Application access to a user via API (programmatically)

    how do I grant access to a portal user from API
    I want to grant access to a user from an API, ie I need a
    command to grant "SCOTT" access to "EXAMPLE_APP" APPLICATION as
    an end user?

    Hi,
    I am assuming that you have already updated the EUL in the Administrator Edition, correct? If not, open Discoverer Administrator and login to the database you want to connect to. You must use your EUL user name which I assume has already been created and assigned the correct privileges in the database. You will be asked to update your EUL. Follow the prompts.
    Once logged into the EUL, go to Tools \ Privileges and find the user that you want to give administrator access to.
    Hopefully, this answers your question.
    Regards,
    Nancy

  • Trouble with shares and access to sub folders

    We're attempting to replicate our Netware configuration to a new MacOS 10.4.6 server. On Netware we were able to create a share that was available to all users, however the folders they saw within the share were governed by their access rights within the tree. For example, take the following structure:
    Data --+-- Folder1
           |
           +-- Folder2
    Rights for Folder1 were assigned to Group1 and rights to Folder2 to Group2. All users in Group1 and Group2 could then mount the drive and see the folders that they were a member of.
    We have attempted to replicate this on MacOS as follows:
    Data --+-- Folder1 (ACL Group1 = Read/Write)
           |
           +-- Folder2 (ACL Group2 = Read/Write)
    However, when you mount Data on Mac or Windows it says you have no access rights and won't let you dig down to Folder1 or Folder2. Is there something I'm missing?

    If all users in Group 1 and Group2 have access to
    the root Data folder then that permission will
    propagate down the tree and they will have read
    access to each of the sub folders. If folders within
    suddenly gain everyone RW access then they will be
    able to open and see the folder.
    Thanks, I've solved the problem. I needed all users to have access to the root of the 'volume' but for that not to propagate down the tree. I've found the inheritance settings and that I think has solved the problems.
    You can control this by propagating permissions
    downward from the top level folder. Do this:
    Create a group for everyone who accesses Data called
    DataGroup.
    Add DataGroup to the group list for everyone. (You
    can mass select Users and add the group to everyone
    who needs it at once.)
    Change the Unix group owner of the Data folder to
    DataGroup and set these permissions:
    Owner: admin RW, Group: DataGroup R, Everyone: None
    Open Data and set Folder1 privileges to:
    Owner: admin RW, Group: Group1 RW, Everyone: None
    and propagate these settings to the subfolders. Be
    sure to propagate Group Ownership and Group
    Permissions and Everyone permissions.
    NOTE: This is the traditional *nix way - with ACLs
    you can do this and then fine-grain the control using
    the ACL granting Group 1 Full Control and propagating
    that.
    Now set Folder2 to Group2 etc.
    This allows you access to Data (versus using staff or
    some generic Unix group but those will work too) but
    allows you to control who has access to the
    subfolders. In this case membership in DataGroup only
    grants you access to see the folders - it doesn't
    even guarantee access to any of the subfolders.
    If you want nested folders within Folder1 or Folder2
    you can do the same thing - create a folder owned by
    a specific user and set Group Read access to none and
    propagate that through the subtree. Just be aware
    that propagations that happen above that folder can
    reverse the settings. Always set large and then get
    specific. New Users are granted access to Data by
    adding DataGroup and users access to folders are
    granted or revoked by adding or removing the Group1,
    Group2 etc settings.
    I think that once you get it set how you want and try
    it you'll find that the Data folder is redundant and
    is giving you unnecessary conceptual problems. If you
    make the Folder1, Folder2 etc shares then after a
    user authenticates they will see only the folders
    they have permission to access. If I am in Group1 and
    I authenticate my selection of folders will only be
    folders accessible by Group1 - I will never even see
    Folder2. By grouping them in Data you are adding a
    layer of permissions that is probably not needed. But
    everyone has their own organizational system and
    sometimes it's easier to leave users with what they're
    used to using. (I have users that still mount Users
    and navigate to their own folder even though their
    user folder shows up at the login level simply
    because that's the way they've always done it.)
    No there are good reasons to share the Data folder and not the children below. For example, if you are on Windows clients and you wish to map the share to a drive letter you will have no way of doing this if you don't have the containing folder.
    Yes, I understand with ACLs (or at least I think I
    do and have setup a system that works). The problem
    is that new folders get Everyone Read access. Which
    ruins the effective permissions for that folder. I
    need a way of making the default posix permissions
    O=RW,G=None,Everyone=None.
    We have a lot of folders to deal with Folder 1 and
    Folder 2 are only examples. We have about 15 or more
    folders with sub folders that have differing access
    rights. All this we have sorted out except the
    default POSIX permissions for new folders/files.
    You can change Umask default privilege settings but
    DON'T. Well, DON'T unless you're a *nix guru. It
    changes the default for all created files - including
    those created by the system and this can lead to
    serious problems down the road.
    I don't want a whole system default change to umask I want one that works only for people connected via AFP, you would think that would be possible. Similarly I want one for SMB access also.
    If you get this working you will see that despite the
    POSIX settings the ACLs are working. If you really
    need your Unix permissions to be set a certain way
    chuck ACLs and set "Inherit from Parent Folder" in
    AFP and SAMBA. With ACLs on the system will only do
    POSIX settings.
    In the Windows world you either use POSIX or ACLs; in the Mac world you use a combination of both. That can be an asset but it can also be a major problem. If only you could use the inherit setting for POSIX when ACLs were enabled it would solve all these worries.
    Thanks for your time on this.
    Ian

  • Grant access to all the views created in user schema to another schema

    How to grant access for all the views created in own HAGGIS schema to comqdhb schema on the HAGGIS database.
    Oracle Grant Privileges
    ===============
    Object privileges assign the right to perform a particular operation on a specific object
    I read that we can use select 'grant select on' ||view_name||'HAGGIS' user_views where owner='COMQDHB'
    Is this right
    Oracle System Privileges
    ===============
    System privileges should be used only in cases where security isn't important, because a single grant statement could remove all security from the table
    Role based security
    ============
    Role security allows you to gather related grants into a collection. Since the role is a predefined collection of privileges that are grouped together, privileges are easier to assign to users.
    [http://www.dba-oracle.com/art_builder_grant_sec.htm]
    Can we grant select and update on all the views at one time to the other schema?
    Are there any other ways to secure the data other than creating users and assigning roles.
    Thank you
    Edited by: Trooper on Dec 23, 2008 9:24 AM

    I think what was suggested was that you use SQL to generate the grants on each and every view, that is, you use SQL to generate SQL where the SQL being generated is "grant select on view_name to role".
    If you want users to connect to Oracle you have to create usernames for them, though if the users only connect via an application the application might run just as one user and access to the application is controlled via application security. The control on the application can be via Directory Services such as OID or MS Active Directory. User access to Oracle can also be controlled via OID.
    To connect to Oracle you can use OS authentication (not recommended), usernames with passwords, or the Advanced Security Option, which supports single sign-on products like Kerberos or Oracle Internet Directory etc.
    Example using SQL to generate SQL
    How do I find out which users have the rights, or privileges, to access a given object ?
    http://www.jlcomp.demon.co.uk/faq/privileges.html
    HTH -- Mark D Powell --

  • Grant permission to all packages in another schema

    Is there a way I can grant access to all the packages in another user's schema?
    Please guide me.
    Thanks!

    The one way is to use cursor :
    BEGIN
      -- Grant EXECUTE on every package owned by SOURCEUSER to TARGETUSER.
      FOR Rec IN (SELECT object_name, object_type FROM all_objects WHERE owner='SOURCEUSER' AND object_type IN ('PACKAGE')) LOOP
          EXECUTE IMMEDIATE 'GRANT EXECUTE ON SOURCEUSER.'||Rec.object_name||' TO TARGETUSER';
      END LOOP;
    END;
    Edited by: Radrigez on 13.07.2011 21:38

  • Accessing Windows CIFS Shares via Nautilus

    Hi,
    I've recently installed and configured Solaris 11, and am having problems accessing Windows CIFS shares via Nautilus.
    I've installed both samba (needed for CUPS to print to printers connect to a windows pc) and smb/client. The smb/client and samba services are running. The smb/server service is not installed.
    I can print to any printer on the windows PC I'm trying to access via Nautilus, so I know my username/password for accessing the pc are correct.
    I can also manually mount any share on the windows PC via the cli (eg mount -F smbfs -o user=elin //elink/users /mnt), and browse the files directly that way, except the file permissions don't seem to align with any unix user. Again this just shows that the username/password combination is ok.
    For Samba, I'm using the default smb.conf file as /etc/samba/samba.conf. Workgroup is set to WORKGROUP in smb.conf.
    On the Windows pc, in the security event viewer, I can see the auth request, however it is failing with bad password (event ID 4776, error code 0x006a). In the default group policy object for networking, I've set to accept "LM & NT, NTLMv2 when negotiated", as this allows legacy clients to connect. (Legacy meaning NT4, Win95, etc, and also has the benefit of allowing other OSes to connect as well).
    I'm also able to access the Windows PC CIFS shares from an Arch Linux based setup (running GNOME 3.2 w/ Nautilus 3.2), so I doubt it's the Windows side of things causing the problems. Additionally, when I was running Solaris 10u9 (just before upgrading to Sol11), I was able to access the shares via Nautilus as well.
    So my question is:
    1. Does Nautilus use Samba or the Oracle smb/client service to handle mount windows CIFS shares?
    2. What log files or configuration files do I need to look at to help with this error?
    As a side question,
    I've found that on a clean installation running the "Print Manager" accesses CUPS fine, but once you install a printer, it'll no longer connect to CUPS, unless run from the cli "sudo system-config-printers". So this is a permissions issue, where's the best place to fix/handle that one.

    Replying to my own thread, as I have a possible but very-hackish solution.
    To add some further details to my original post.
    There are 4 PCs on the LAN.
    1. Hellfire - OS = Solaris 11 11/11
    2. Brimstone - OS = Arch Linux
    3. Elink - OS = Win7 Pro x64 SP1
    4. IsaacPC - OS = WinXP Home SP3
    Attempting to connect to Elink from Hellfire, accessing CIFS shares via Nautilus fails. (Mounting shares via Nautilus fails, but works fine from CLI using 'mount' command which to my understanding uses the smb/client service to work). Elink also hosts all the printers on the LAN, a HP LJ1200 and an Epson Fax/Printer/Scanner.
    Hellfire does attempt to authenticate, as listed in the event logs on the Win7 PC (elink), but is returning bad password when using Nautilus. (but printing from hellfire to either printer on elink works fine, as does mounting CIFS shares using 'mount').
    Booting the live CD of Solaris 11, also exhibits the same non-working behaviour when attempting to mount CIFS shares in Nautilus.
    Attempting to access CIFS shares on elink from Brimstone (via Nautilus 3.2 within GNOME 3.2), or from IsaacPC works fine.
    Hellfire configuration.
    Samba is installed, but NOT running (samba is needed for accessing the printers on elink, as CUPS needs smbspool which is part of the samba package), and the native smb/client service is also running.
    smb.conf is a direct copy of the default *.conf file, except the WORKGROUP is set to 'WORKGROUP'. There is a symlink to smb.conf in /etc/sfw/smb.conf -> /etc/samba/smb.conf
    Onto the hackish-fix.
    I've noticed that there are 2 copies of libsmbclient.so installed on the system, one in /usr/sfw/lib (part of the "libsmbclient" package) and another in /usr/lib/samba (part of the "samba" package).
    "libsmbclient" appears to be based on samba 3.5.8 codebase, and is linked to the gvfsd-smb daemon (this is the software that Nautilus uses to talk SMB to access CIFS shares).
    "samba" is based on the samba 3.5.10 codebase, and its installation has nothing to do with GNOME or Nautilus in any manner.
    Using any of the samba included tools to test SMB/CIFS functions, work with 1 minor exception (which I'll list below). eg, using smbclient I can list all shares on any PC on the LAN, etc.
    So as a hunch, I renamed the libsmbclient.so.0 in /usr/sfw/lib, and symlinked /usr/sfw/lib/libsmbclient.so.0 -> /usr/lib/samba/libsmbclient.so.0 (so that gvfsd-smb is linked against the slightly newer version of the libsmbclient.so as included in the samba package located in /usr/lib/samba).
    I rebooted Hellfire, and now I'm able to access CIFS shares via Nautilus, provided that some form of authentication is needed (that is a username and password is needed - guest access and blank passwords don't work - but these IMO should be disabled immediately as part of a baseline security package in regards to Windows - so no harm there).
    Now to the minor exception I noted earlier. When using smbclient to actually connect and transfer files, I get:
    ld.so.1: smbclient: fatal: relocation error: file /usr/lib/libreadline.so.5: symbol tgetent: referenced symbol not found
    As far as I know, tgetent is part of libtermcap.so, so I guess when building smbclient or libreadline.so, the link reference to termcap was left out? (or something like that). Anyway, that's another issue...

  • Grant Access on View

    Hi,
    I would like to know the appropriate and easy way of granting access (SELECT,INSERT,UPDATE..Etc) on newly created object (VIEWS/SYNONYMS) to all users at one go.
    I have created a public synonym so that I can grant the access on synonym.
    Appreciate any suggestions.
    Thanks

    You will need a script or package to do this.
    e.g something like :-
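    -- Suppress column headings and row counts so the spool file holds only GRANT statements.
    set heading off feedback off pagesize 0
    spool grant_select_to_all.sql
    select 'grant select on '||object_name||' to select_role;'
    from user_objects where object_type in('VIEW','TABLE');
    spool off;
    @grant_select_to_all.sql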

  • Accessing a JSP file via context URL

    Hi experts,
    I have a requirement to access a jsp file via context url i.e. /irj/... abc.jsp, can anyone please suggest how to access this, I have a jsp dynpage component, in the pagelet folder I have a jsp page that I'm not able to access via the context url, and the images that are there in the image folder are accessible via context path i.e /irj/.. abc.gif etc.
    Can anyone please suggest a solution.
    Regards
    Govardan Raj

    Hi,
    1) what is your "weblogic.httpd.documentRoot=????"
    2) if it is "public_html" put your jsp there.
    Joe
    "Prasad" <[email protected]> wrote:
    >
    >hi all,
    >
    >i am working on weblogic5.1 under solaris platform.
    >
    >my folder hierarchy is as follows weblogic_home/classes/weblogic/sun1/sun2.
    >
    >i have an import statement as follows import sun1.sun2.* in my JSP file.
    >
    >when i access this jsp file from my browser i have an error.
    >
    >the error is import package sun1 not found.
    >
    >i have set my classpath correctly(i feel so)...
    >
    >can anybody help me with this problem.
    >
    >if there is some fault in my classpath please tell me where exactly i should set my classpath for jsp files.
    >
    >thanx in advance.
    >Prasad.

  • Manage Access to Named Credentials via EMCLI

    Hi Colleagues,
    Does anyone know how to manage access to Named Credentials via EMCLI, or does anyone know if this function exists in EMCLI?
    We want to configure the access via scripts, so that we can for example grant access for all database administrators to all named credentials.
    I would be very pleased if anyone has a solution.
    Thanks in advance!
    Best regards,
    Sönke

    Hi,
    Use the verb grant_privs to grant a user access to a named credential.
    For example:
    emcli grant_privs -name=MARY  -privilege="GET_CREDENTIAL;CRED_NAME=HOST-CREDS:CRED_OWNER=SCOTT"
    ..grants the user MARY view privileges on the credentials called HOST-CREDS owned by SCOTT.
    View privileges will allow Mary to use the credentials but will not allow her to see sensitive information such as the password.
    Check out the security doc for more information on named credentials
    http://docs.oracle.com/cd/E24628_01/doc.121/e36415/sec_features.htm#CJAHBADG
    Other privileges you can grant to credentials are FULL_CREDENTIAL and EDIT_CREDENTIAL.
    Check out the EMCLI reference guide for more details on grant_privs verb:
    http://docs.oracle.com/cd/E24628_01/em.121/e17786/cli_verb_ref.htm#autoId186
    Regards,
    Ana

  • Changing classpath of all sub-packages when moving package

    So I'm new to Flash Builder and trying to make a Starling project. I want the Starling package to reside inside of a package called "code" instead of just residing in the root of my project. I can move it to the code package via drag-and-drop, but the classpaths of all the packages inside starling still say "starling.xxx" - whereas I want them to now say "code.starling.xxx".
    How do I 'mass update' the paths of all the packages?

    Adding a new sourcepath is just that... Starting in root package, paths are read from your new classpath.
    So, you need to do a formal move to put starling files in the new sub package either before or after placing them in the new source directory.
    G

  • Installing packages via burned CD

    Hello everyone.
    I have an x86 machine that I've just installed Arch onto. For reasons I won't get into, it's not going to be networked at all (no internet or intranet, therefore no pacman mirrors). I'm wanting to install packages via the CD drive: Ruby, Python, X, BSD games, Tex, etc. The idea is I will download these packages and burn them to CD, then access them via the Arch machine.
    I guess my question is, what is generally the best way to go about this? I think I'd have to get pacman to point to my CD drive to search for new repositories, but I am unaware how this would be accomplished. Google searches do not yield helpful results. I suppose I could just compile them from source, but is there an easier way?
    Any help would be appreciated.
    Thanks
    Dan

    tomk wrote:perbh - his CD is just a bunch of packages, not a repo. The second link in my post above fills the gap.
    ooops *lol* - I checked your first link but not the 2nd - guess my fingers were faster (at a multitude) than my brain.
    I use a portable usb-drive for my repo - and it has 'core', 'extra' and 'community' as the top directories - in which case what I wrote above would work. If your repo is just a collection of packages, obviously it won't ... sorry for not reading properly :-(

  • ORA-20001: Unauthorized access (security group package variable not set).

    I'm creating an app that uses APEX authentication and features self-registration (working) and forgot password (not working) forms.
    My forgot password is public (requires no authentication). The user provides username and secret answer, which are validated, then provides the new password. I attempt to use htmldb_util.reset_pw to reset the user's password, but it's not working.
    I have a process on the new password page calling a PL/SQL anonymous block that looks like this (see below), where P16_ITEM1 = username and P18_ITEM1 = new password.
    BEGIN
    apex_040000.htmldb_util.reset_pw( V('P16_ITEM1'), V('P18_ITEM1') );
    END;
    I also don't know how to send accurate success/failure messages from such PL/SQL block back to APEX, but that's a separate issue I guess.
    Anyway, when testing via SQL Developer as the user with APEX_ADMINISTRATOR_ROLE, I get the following error:
    ORA-20001: Unauthorized access (security group package variable not set).
    ORA-06512: at "APEX_040000.WWV_FLOW_FND_USER_API", line 22
    ORA-06512: at "APEX_040000.WWV_FLOW_FND_USER_API", line 1220
    ORA-06512: at "APEX_040000.HTMLDB_UTIL", line 1253
    ORA-06512: at line 8
    I've searched previous threads and tried different suggestions with no luck.
    I'm on Oracle DB XE 11g and APEX 4.x.
    Any help will be appreciated. Thanks,
    Alex.

    Anyway, when testing via SQL Developer as the user with APEX_ADMINISTRATOR_ROLE, I get the following error:
    ORA-20001: Unauthorized access (security group package variable not set).
    When running code outside Apex that depends on the Apex security group being set, run the following before your own code:
    wwv_flow_api.set_security_group_id(apex_util.find_security_group_id('YOUR_SCHEMA_NAME'));
    Google "wwv_flow_api.set_security_group_id" for more details, such as this blog post:
    http://www.easyapex.com/index.php?p=502
    - Morten
    http://ora-00001.blogspot.com

  • Timecard Approval + Grant Access

    Hello all,
    We have an OTL implementation with supervisor approval setup. We have an issue with the following scenario:
    1. Employee (A) submits time card
    2. Supervisor (B) is unavailable to act on it (sick, unplanned absence etc..)
    3. Supervisor has given access to his/her supervisor (C) (worklist)
    4. C is unavailable too, again, unplanned
    5. C has setup worklist access to his/her supervisor (D)
    Our need is to allow D to act on A's time card without every supervisor providing a grant access to everyone above them in the chain of command. Is there any solution/workaround in OTL/Workflow to provide access in a hierarchical manner in such scenarios?
    Thanks in advance,
    Vijay


  • Sql server grants access to specific login to database.

    I have created a website for intranet and hosted it on a server. For that I needed to create login "IIS APPPOOL\hi" in SQL Server 2008 for my application to access my "reportdb" database. "IIS APPPOOL\hi" has sysadmin and public server roles in SQL Server 2008. And I have default login "sa" same as "IIS APPPOOL\hi". These are working correctly. Now I want these two logins to access "reportdb" for all operations in database and remaining all logins should be denied to access "reportdb". My SQL Server 2008 is having mixed mode (Windows authentication and SQL authentication). Please help me.

    I think what Tauseef is requesting is to keep access for the 2 sysadmins & deny access to everyone else, correct?
    As Uri mentioned, by being part of sysadmin role, “IIS APPPOOL\hi” & “sa” would have access to everything in the server, and nobody else should have access to the DB unless explicitly being granted access.
    If you would really deny anyone else access to the database, you can potentially deny connect to public, and only sysadmins (who override permissions) would be able to connect; although I would strongly recommend against such practice.
    Something else I would like to recommend against is the usage of sysadmin for what may not be a DBA role (IIS appPool). Following the least-privilege principle, I would recommend having a non-administrator user for applications that has enough capabilities to perform the tasks needed.
    The main risk is that a SQL injection (SQLi) bug in your application would lead to a complete compromise of your SQL server.
    If there are app tasks that would require elevated permissions, I would recommend encapsulating the logic in a stored procedure and either use impersonation or digital signatures to accomplish a controlled elevation of privileges instead. If you have any question on this topic I will be glad to assist.
    I hope this information helps,
    -Raul Garcia
     SQL Server Security
    This posting is provided "AS IS" with no warranties, and confers no rights.
