Grant Privilege to Role instead of Direct grant doesn't work

Hi all
My scenario is sas follow:
create user a identified by a;
create user b identified by b;
grant connect,resource to a ;
grant connect,resource to b ;
conn a/a
create table tbl( c1 number(10));
conn system/sys
create role roll;
grant roll to b;
conn a/a
grant select on tbl to roll;
conn b/b
set role roll;
create or replace procedure b.pr
as
v number(10);
begin
select a into v
from a.tbl
where a=0;
end;
show error
Errors for PROCEDURE B.P:
LINE/COL ERROR
6/1 PL/SQL: SQL Statement ignored
7/6 PL/SQL: ORA-00942: table or view does not exist
This happen because i granted the SELECT privilege to user b through the role ROLL but if i granted the user b the SELECT privilege directly it work properly
Why???
And how could I grant the privilege from within a role, Because i don't want to grant it directly
Thank in advance
Bassil

There is no other way. The owner of stored code must have been directly granted all necessary (used in code) select, insert, update, or delete privileges. The code owner cannot just have the referenced privileges granted to them via a role. There is no workaround, nor should there be as this is a security feature. Just because you have been granted insert or delete to another user's tables does not mean you should be able to grant that access to some other user. This is exactly what you do when you grant execute to stored code that referenced another user's objects.
The referenced article is by Tom Kyte and there are few people who understand how to use Oracle to better effect than Tom. The same information can be found in the official documentation and is referenced by the article.
You can write packages that use the privileges of the executing person. Perhaps for the specific problem you are writing the code to handle this is the route you want to take. See the manuals for the details.
Note - If user A grants insert to user B on table_a then user B can write a procedure, proc_b, and grant execute to a role and anyone with the role can perform inserts into table_a via proc_b, without having any grants on table_a. You do not need to grant privileges on the objects referenced in stored code that runs as the code owner if this is what you are worried about. The users just need execute on the package, procedure, or function that performs the DML operations in this case and they can get that from a role.
If you still do not understand you need to state exactly what it is you either do not understand or want to know how to do.
HTH -- Mark D Powell --

Similar Messages

How to check granted privileges on role.

Hi,
Can any one explain how to check granted privileges on role.
I have created one role called ALL_SYSPRIVS
but I forgot what privileges granted to this role
Thank you...

Hi Vijay,
Last week i saw the following thread:
Finding the privileges assigned to a user
Re: Finding the privileges assigned to a user
From there, you'll be able to find a few scripts that will provide you with an overview of grants assigned to user, or role....
HTH,
Thierry

Granting privilege through role not working for PL/SQL

Version: 11.2.0.2
In our shop, we don't grant privileges directly to a user, we grant it to a role and grant that role to the intended grantee.
Granting privileges through a role seems to be fine with SQL Engine. But it doesn't work from PL/SQL engine.
In the below example GLS_DEV user is granted SELECT access on SCOTT.pets table through a role called tstrole. GLS_DEV can select this table from SQL. But PL/SQL Engine doesn't seem to know this.
Reproducing the issue:
SQL> show user
USER is "SCOTT"
SQL> select * from pets;
NAME
PLUTO
SQL> conn / as sysdba
Connected.
SQL> create user GLS_DEV identified by test1234 default tablespace TSTDATA;
User created.
SQL> alter user GLS_DEV quota 25m on TSTDATA;
User altered.
SQL> grant create session, resource to GLS_DEV;
Grant succeeded.
--- Granting SELECT privilege on scott.pets to tstrole and then grant this role to GLS_DEV.
SQL> conn / as sysdba
Connected.
SQL>
SQL> create role tstrole;
Role created.
SQL> grant select on scott.pets to tstrole;
Grant succeeded.
SQL> grant tstrole to GLS_DEV;
Grant succeeded.
SQL> conn GLS_DEV/test1234
Connected.
SQL>
SQL> select * From scott.pets;
NAME
PLUTO
---- All fine till here. From SQL engine , GLS_DEV user can SELECT scott.pets table.
--- Now , I am going to create a PL/SQL object in GLS_DEV which tries to refer scott.pets
SQL> show user
USER is "GLS_DEV"
create or replace procedure my_proc
is
myvariable varchar2(35);
begin
     select name into myvariable from scott.pets ;
     dbms_output.put_line(myvariable);
end my_proc;
Warning: Procedure created with compilation errors.
SQL> show errors
Errors for PROCEDURE MY_PROC:
LINE/COL ERROR
6/2      PL/SQL: SQL Statement ignored
6/41     PL/SQL: ORA-01031: insufficient privileges
SQL>
SQL> 6
6*    select name into myvariable from scott.pets ;
--- PL/SQL Engine doesn't seem to know that GLS_DEV has select privilege on scott.pets indirectly granted through a role
--- Fix
--- Instead of granting privilege through a role, I am granting the SELECT privilege on scott.pets to GLS_DEV directly.
--- The error goes away, I can compile and execute the procedure !!
SQL> conn / as sysdba
Connected.
SQL>
SQL> grant select on scott.pets to GLS_DEV;
Grant succeeded.
SQL> conn GLS_DEV/test1234
Connected.
SQL>
SQL> create or replace procedure my_proc
is
myvariable varchar2(35);
begin
        select name into myvariable from scott.pets ;
        dbms_output.put_line(myvariable);
end my_proc; 2    3    4    5    6    7    8    9   10
11 /
Procedure created.
SQL> set serveroutput on
SQL> exec my_proc;
PLUTO
PL/SQL procedure successfully completed.Has anyone encountered the same issue ?

You really should start your own new thread for this question instead of resurrecting an old one, but to answer your question.
There are two things going on here. First, there are a number of aler session commands that can be used by any user regardless of what privileges they are granted. Although I do not have the entire list at hand, things like nls_date_format and current_schema are available to all users, sort of like the grants to public in the data dictionary.
Second, when you use execute immediate, the PL/SQL engine never really sees the statement, as far as the compiler is concerned it is just a string. It is only when the string is passed to the sql engine that permissions are checked, and there roles are not enabled.
SQL> create role t_role;
Role created.
SQL> grant select on ops$oracle.t to t_role;
Grant succeeded.
SQL> create user a identified by a default tablespace users;
User created.
SQL> grant create session, create procedure to a;
Grant succeeded.
SQL> grant t_role to a;
Grant succeeded.
SQL> connect a/a
Connected.
SQL> select * from ops$oracle.t;
        ID DESCR
         1 One
         1 Un
SQL> create function f (p_descr in varchar2) return number as
2     l_num number;
3 begin
4     select id into l_num
5     from ops$oracle.t
6     where descr = p_descr;
7     return l_num;
8 end;
9 /
Warning: Function created with compilation errors.
SQL> show error
Errors for FUNCTION F:
LINE/COL ERROR
4/4      PL/SQL: SQL Statement ignored
5/20     PL/SQL: ORA-00942: table or view does not exist
SQL> create or replace function f (p_descr in varchar2) return number as
2     l_num number;
3 begin
4     execute immediate 'select id from ops$oracle.t where descr = :b1'
5                       into l_num using p_descr;
6     return l_num;
7 end;
8 /
Function created.
SQL> select f('One') from dual;
select f('One') from dual
ERROR at line 1:
ORA-00942: table or view does not exist
ORA-06512: at "A.F", line 4John

Direct Rendering doesn't works with radeon

Hi everybody,
I have a Radeon 7000. Then, I want to use the open-source driver.
But it doesn't works...
[nicolas@SonyVaio ~]$ glxinfo
name of display: :0.0
display: :0 screen: 0
direct rendering: No
server glx vendor string: SGI
server glx version string: 1.2
server glx extensions:
GLX_ARB_multisample, GLX_EXT_visual_info, GLX_EXT_visual_rating,
GLX_EXT_import_context, GLX_EXT_texture_from_pixmap, GLX_OML_swap_method,
GLX_SGI_make_current_read, GLX_SGIS_multisample, GLX_SGIX_hyperpipe,
GLX_SGIX_swap_barrier, GLX_SGIX_fbconfig, GLX_MESA_copy_sub_buffer
client glx vendor string: SGI
client glx version string: 1.4
client glx extensions:
GLX_ARB_get_proc_address, GLX_ARB_multisample, GLX_EXT_import_context,
GLX_EXT_visual_info, GLX_EXT_visual_rating, GLX_MESA_allocate_memory,
GLX_MESA_copy_sub_buffer, GLX_MESA_swap_control,
GLX_MESA_swap_frame_usage, GLX_OML_swap_method, GLX_OML_sync_control,
GLX_SGI_make_current_read, GLX_SGI_swap_control, GLX_SGI_video_sync,
GLX_SGIS_multisample, GLX_SGIX_fbconfig, GLX_SGIX_pbuffer,
GLX_SGIX_visual_select_group, GLX_EXT_texture_from_pixmap
GLX version: 1.2
GLX extensions:
GLX_ARB_get_proc_address, GLX_ARB_multisample, GLX_EXT_import_context,
GLX_EXT_visual_info, GLX_EXT_visual_rating, GLX_MESA_copy_sub_buffer,
GLX_OML_swap_method, GLX_SGI_make_current_read, GLX_SGIS_multisample,
GLX_SGIX_fbconfig, GLX_EXT_texture_from_pixmap
OpenGL vendor string: Mesa project: www.mesa3d.org
OpenGL renderer string: Mesa GLX Indirect
OpenGL version string: 1.2 (1.5 Mesa 6.5.1)
OpenGL extensions:
GL_ARB_depth_texture, GL_ARB_imaging, GL_ARB_multitexture,
GL_ARB_point_parameters, GL_ARB_point_sprite, GL_ARB_shadow,
GL_ARB_shadow_ambient, GL_ARB_texture_border_clamp,
GL_ARB_texture_cube_map, GL_ARB_texture_env_add,
GL_ARB_texture_env_combine, GL_ARB_texture_env_crossbar,
GL_ARB_texture_env_dot3, GL_ARB_texture_mirrored_repeat,
GL_ARB_texture_non_power_of_two, GL_ARB_texture_rectangle,
GL_ARB_transpose_matrix, GL_ARB_window_pos, GL_EXT_abgr, GL_EXT_bgra,
GL_EXT_blend_color, GL_EXT_blend_func_separate, GL_EXT_blend_logic_op,
GL_EXT_blend_minmax, GL_EXT_blend_subtract, GL_EXT_clip_volume_hint,
GL_EXT_copy_texture, GL_EXT_draw_range_elements, GL_EXT_fog_coord,
GL_EXT_framebuffer_object, GL_EXT_multi_draw_arrays, GL_EXT_packed_pixels,
GL_EXT_point_parameters, GL_EXT_polygon_offset, GL_EXT_rescale_normal,
GL_EXT_secondary_color, GL_EXT_separate_specular_color,
GL_EXT_shadow_funcs, GL_EXT_stencil_wrap, GL_EXT_subtexture,
GL_EXT_texture, GL_EXT_texture3D, GL_EXT_texture_edge_clamp,
GL_EXT_texture_env_add, GL_EXT_texture_env_combine,
GL_EXT_texture_env_dot3, GL_EXT_texture_lod_bias, GL_EXT_texture_object,
GL_EXT_texture_rectangle, GL_EXT_vertex_array, GL_APPLE_packed_pixels,
GL_ATI_texture_env_combine3, GL_ATI_texture_mirror_once,
GL_ATIX_texture_env_combine3, GL_IBM_texture_mirrored_repeat,
GL_INGR_blend_func_separate, GL_MESA_pack_invert, GL_MESA_ycbcr_texture,
GL_NV_blend_square, GL_NV_point_sprite, GL_NV_texgen_reflection,
GL_NV_texture_rectangle, GL_SGIS_generate_mipmap,
GL_SGIS_texture_border_clamp, GL_SGIS_texture_edge_clamp,
GL_SGIS_texture_lod, GL_SGIX_depth_texture, GL_SGIX_shadow,
GL_SGIX_shadow_ambient, GL_SUN_multi_draw_arrays
glu version: 1.3
glu extensions:
GLU_EXT_nurbs_tessellator, GLU_EXT_object_space_tess
visual x bf lv rg d st colorbuffer ax dp st accumbuffer ms cav
id dep cl sp sz l ci b ro r g b a bf th cl r g b a ns b eat
0x23 24 tc 0 24 0 r y . 8 8 8 0 0 16 0 0 0 0 0 0 0 None
0x24 24 tc 0 24 0 r y . 8 8 8 0 0 16 8 16 16 16 0 0 0 None
0x25 24 tc 0 32 0 r y . 8 8 8 8 0 16 8 16 16 16 16 0 0 None
0x26 24 tc 0 32 0 r . . 8 8 8 8 0 16 8 16 16 16 16 0 0 None
0x27 24 dc 0 24 0 r y . 8 8 8 0 0 16 0 0 0 0 0 0 0 None
0x28 24 dc 0 24 0 r y . 8 8 8 0 0 16 8 16 16 16 0 0 0 None
0x29 24 dc 0 32 0 r y . 8 8 8 8 0 16 8 16 16 16 16 0 0 None
0x2a 24 dc 0 32 0 r . . 8 8 8 8 0 16 8 16 16 16 16 0 0 None
See my /etc/X11/xorg.conf :
# Copyright 2004 The X.Org Foundation
# Permission is hereby granted, free of charge, to any person obtaining a
# copy of this software and associated documentation files (the "Software"),
# to deal in the Software without restriction, including without limitation
# the rights to use, copy, modify, merge, publish, distribute, sublicense,
# and/or sell copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following conditions:
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
# The X.Org Foundation BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
# OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
# Except as contained in this notice, the name of The X.Org Foundation shall
# not be used in advertising or otherwise to promote the sale, use or other
# dealings in this Software without prior written authorization from
# The X.Org Foundation.
# Refer to the xorg.conf(5x) man page for details about the format of
# this file.
# Module section -- this section is used to specify
# which dynamically loadable modules to load.
Section "Module"
# This loads the DBE extension module.
Load "dbe" # Double buffer extension
# This loads the miscellaneous extensions module, and disables
# initialisation of the XFree86-DGA extension within that module.
SubSection "extmod"
Option "omit xfree86-dga" # don't initialise the DGA extension
EndSubSection
# This loads the font modules
# Load "type1"
# Load "speedo"
Load "freetype"
# Load "xtt"
# This loads the GLX module
Load "glx"
# This loads the DRI module
Load "dri"
EndSection
# Files section. This allows default font and rgb paths to be set
Section "Files"
# The location of the RGB database. Note, this is the name of the
# file minus the extension (like ".txt" or ".db"). There is normally
# no need to change the default.
# RgbPath "/usr/share/X11/rgb"
# Multiple FontPath entries are allowed (which are concatenated together),
# as well as specifying multiple comma-separated entries in one FontPath
# command (or a combination of both methods)
FontPath "/usr/share/fonts/misc"
FontPath "/usr/share/fonts/75dpi"
FontPath "/usr/share/fonts/100dpi"
FontPath "/usr/share/fonts/TTF"
FontPath "/usr/share/fonts/Type1"
# FontPath "/usr/lib/X11/fonts/local/"
# FontPath "/usr/lib/X11/fonts/misc/"
# FontPath "/usr/lib/X11/fonts/75dpi/:unscaled"
# FontPath "/usr/lib/X11/fonts/100dpi/:unscaled"
# FontPath "/usr/lib/X11/fonts/Speedo/"
# FontPath "/usr/lib/X11/fonts/Type1/"
# FontPath "/usr/lib/X11/fonts/TrueType/"
# FontPath "/usr/lib/X11/fonts/freefont/"
# FontPath "/usr/lib/X11/fonts/75dpi/"
# FontPath "/usr/lib/X11/fonts/100dpi/"
# The module search path. The default path is shown here.
# ModulePath "/usr/lib/modules"
EndSection
# Server flags section.
Section "ServerFlags"
# Uncomment this to cause a core dump at the spot where a signal is
# received. This may leave the console in an unusable state, but may
# provide a better stack trace in the core dump to aid in debugging
# Option "NoTrapSignals"
# Uncomment this to disable the <Ctrl><Alt><Fn> VT switch sequence
# (where n is 1 through 12). This allows clients to receive these key
# events.
# Option "DontVTSwitch"
# Uncomment this to disable the <Ctrl><Alt><BS> server abort sequence
# This allows clients to receive this key event.
# Option "DontZap"
# Uncomment this to disable the <Ctrl><Alt><KP_>/<KP_> mode switching
# sequences. This allows clients to receive these key events.
# Option "Dont Zoom"
# Uncomment this to disable tuning with the xvidtune client. With
# it the client can still run and fetch card and monitor attributes,
# but it will not be allowed to change them. If it tries it will
# receive a protocol error.
# Option "DisableVidModeExtension"
# Uncomment this to enable the use of a non-local xvidtune client.
# Option "AllowNonLocalXvidtune"
# Uncomment this to disable dynamically modifying the input device
# (mouse and keyboard) settings.
# Option "DisableModInDev"
# Uncomment this to enable the use of a non-local client to
# change the keyboard or mouse settings (currently only xset).
# Option "AllowNonLocalModInDev"
EndSection
# Input devices
# Core keyboard's InputDevice section
Section "InputDevice"
Identifier "Keyboard1"
Driver "kbd"
# For most OSs the protocol can be omitted (it defaults to "Standard").
# When using XQUEUE (only for SVR3 and SVR4, but not Solaris),
# uncomment the following line.
# Option "Protocol" "Xqueue"
Option "AutoRepeat" "500 30"
# Specify which keyboard LEDs can be user-controlled (eg, with xset(1))
# Option "Xleds" "1 2 3"
# Option "LeftAlt" "Meta"
# Option "RightAlt" "ModeShift"
# To customise the XKB settings to suit your keyboard, modify the
# lines below (which are the defaults). For example, for a non-U.S.
# keyboard, you will probably want to use:
# Option "XkbModel" "pc105"
# If you have a US Microsoft Natural keyboard, you can use:
# Option "XkbModel" "microsoft"
# Then to change the language, change the Layout setting.
# For example, a german layout can be obtained with:
# Option "XkbLayout" "de"
# or:
# Option "XkbLayout" "de"
# Option "XkbVariant" "nodeadkeys"
# If you'd like to switch the positions of your capslock and
# control keys, use:
# Option "XkbOptions" "ctrl:swapcaps"
# These are the default XKB settings for Xorg
# Option "XkbRules" "xorg"
# Option "XkbModel" "pc105"
# Option "XkbLayout" "us"
# Option "XkbVariant" ""
# Option "XkbOptions" ""
# Option "XkbDisable"
Option "XkbRules" "xorg"
Option "XkbModel" "pc105"
Option "XkbLayout" "fr"
# Option "XkbVariant" "fr"
EndSection
# Core Pointer's InputDevice section
Section "InputDevice"
# Identifier and driver
Identifier "Mouse1"
Driver "mouse"
Option "Protocol" "Auto"
Option "Device" "/dev/input/mice"
# When using XQUEUE, comment out the above two lines, and uncomment
# the following line.
# Option "Protocol" "Xqueue"
# Mouse-speed setting for PS/2 mouse.
# Option "Resolution" "256"
# Baudrate and SampleRate are only for some Logitech mice. In
# almost every case these lines should be omitted.
# Option "BaudRate" "9600"
# Option "SampleRate" "150"
# Mouse wheel mapping. Default is to map vertical wheel to buttons 4 & 5,
# horizontal wheel to buttons 6 & 7. Change if your mouse has more than
# 3 buttons and you need to map the wheel to different button ids to avoid
# conflicts.
Option "ZAxisMapping" "4 5"
# Emulate3Buttons is an option for 2-button mice
# Emulate3Timeout is the timeout in milliseconds (default is 50ms)
# Option "Emulate3Buttons"
# Option "Emulate3Timeout" "50"
# ChordMiddle is an option for some 3-button Logitech mice
# Option "ChordMiddle"
EndSection
# Other input device sections
# this is optional and is required only if you
# are using extended input devices. This is for example only. Refer
# to the xorg.conf man page for a description of the options.
# Section "InputDevice"
# Identifier "Mouse2"
# Driver "mouse"
# Option "Protocol" "MouseMan"
# Option "Device" "/dev/mouse2"
# EndSection
# Section "InputDevice"
# Identifier "spaceball"
# Driver "magellan"
# Option "Device" "/dev/cua0"
# EndSection
# Section "InputDevice"
# Identifier "spaceball2"
# Driver "spaceorb"
# Option "Device" "/dev/cua0"
# EndSection
# Section "InputDevice"
# Identifier "touchscreen0"
# Driver "microtouch"
# Option "Device" "/dev/ttyS0"
# Option "MinX" "1412"
# Option "MaxX" "15184"
# Option "MinY" "15372"
# Option "MaxY" "1230"
# Option "ScreenNumber" "0"
# Option "ReportingMode" "Scaled"
# Option "ButtonNumber" "1"
# Option "SendCoreEvents"
# EndSection
# Section "InputDevice"
# Identifier "touchscreen1"
# Driver "elo2300"
# Option "Device" "/dev/ttyS0"
# Option "MinX" "231"
# Option "MaxX" "3868"
# Option "MinY" "3858"
# Option "MaxY" "272"
# Option "ScreenNumber" "0"
# Option "ReportingMode" "Scaled"
# Option "ButtonThreshold" "17"
# Option "ButtonNumber" "1"
# Option "SendCoreEvents"
# EndSection
# Monitor section
# Any number of monitor sections may be present
Section "Monitor"
Identifier "My Monitor"
# HorizSync is in kHz unless units are specified.
# HorizSync may be a comma separated list of discrete values, or a
# comma separated list of ranges of values.
# NOTE: THE VALUES HERE ARE EXAMPLES ONLY. REFER TO YOUR MONITOR'S
# USER MANUAL FOR THE CORRECT NUMBERS.
HorizSync 31.0 - 50.0
# HorizSync 30-64 # multisync
# HorizSync 31.5, 35.2 # multiple fixed sync frequencies
# HorizSync 15-25, 30-50 # multiple ranges of sync frequencies
# VertRefresh is in Hz unless units are specified.
# VertRefresh may be a comma separated list of discrete values, or a
# comma separated list of ranges of values.
# NOTE: THE VALUES HERE ARE EXAMPLES ONLY. REFER TO YOUR MONITOR'S
# USER MANUAL FOR THE CORRECT NUMBERS.
VertRefresh 43-75
EndSection
# Graphics device section
# Any number of graphics device sections may be present
# Standard VGA Device:
Section "Device"
Identifier "Standard VGA"
VendorName "Unknown"
BoardName "Unknown"
# The chipset line is optional in most cases. It can be used to override
# the driver's chipset detection, and should not normally be specified.
# Chipset "generic"
# The Driver line must be present. When using run-time loadable driver
# modules, this line instructs the server to load the specified driver
# module. Even when not using loadable driver modules, this line
# indicates which driver should interpret the information in this section.
Driver "vga"
# The BusID line is used to specify which of possibly multiple devices
# this section is intended for. When this line isn't present, a device
# section can only match up with the primary video device. For PCI
# devices a line like the following could be used. This line should not
# normally be included unless there is more than one video device
# intalled.
# BusID "PCI:0:10:0"
# VideoRam 256
# Clocks 25.2 28.3
EndSection
# Device configured by xorgconfig:
Section "Device"
Identifier "** ATI Radeon (generic) [radeon]"
Driver "radeon"
#VideoRam 8192
# Insert Clocks lines here if appropriate
EndSection
# Screen sections
# Any number of screen sections may be present. Each describes
# the configuration of a single screen. A single specific screen section
# may be specified from the X server command line with the "-screen"
# option.
Section "Screen"
Identifier "Screen 1"
Device "** ATI Radeon (generic) [radeon]"
Monitor "My Monitor"
DefaultDepth 24
Subsection "Display"
Depth 8
Modes "1280x1024" "1024x768" "800x600" "640x480"
ViewPort 0 0
EndSubsection
Subsection "Display"
Depth 16
Modes "1280x1024" "1024x768" "800x600" "640x480"
ViewPort 0 0
EndSubsection
Subsection "Display"
Depth 24
Modes "1280x1024" "1024x768" "800x600" "640x480"
ViewPort 0 0
EndSubsection
EndSection
# ServerLayout sections.
# Any number of ServerLayout sections may be present. Each describes
# the way multiple screens are organised. A specific ServerLayout
# section may be specified from the X server command line with the
# "-layout" option. In the absence of this, the first section is used.
# When now ServerLayout section is present, the first Screen section
# is used alone.
Section "ServerLayout"
# The Identifier line must be present
Identifier "Simple Layout"
# Each Screen line specifies a Screen section name, and optionally
# the relative position of other screens. The four names after
# primary screen name are the screens to the top, bottom, left and right
# of the primary screen. In this example, screen 2 is located to the
# right of screen 1.
Screen "Screen 1"
# Each InputDevice line specifies an InputDevice section name and
# optionally some options to specify the way the device is to be
# used. Those options include "CorePointer", "CoreKeyboard" and
# "SendCoreEvents".
InputDevice "Mouse1" "CorePointer"
InputDevice "Keyboard1" "CoreKeyboard"
EndSection
Section "DRI"
Group "video"
Mode 0666
EndSection
I precise I loaded my modules : dri, radeon, ati_agp and intel_agp.
Any ideas ?
Thanks

For Radeon 7000, you need to:
pacman -S xf86-video-ati
You need to load those modules in /etc/rc.conf:
MODULES=(agpgart via-agp)
And in xorg.conf:
Driver "radeon"

8350i Nextel Direct Connect doesn't work with GM Onstar Bluetooth

Paired my 8350i to my 2009 Chevy Silverado with Onstar and Bluetooth. Can make and receive phonecalls with Bluetooth but Direct Connect cannot. I have to turn off Bluetooth on the 8350i in order to utilize Direct Connect.

I have an 8350i with Nextel, and had similar issues with the Bluetooth in my 2012 Hyundai Accent.     Also by accident, I was able to figure out how to work the Nextel. You do need to use the PTT button on the phone as you normally would.  (If you try listening in the handset it will not work, the connection to the bluetooth in the car needs to activate.)   If someone initiates a PTT conversation with you press the green "pick up call" button on the vehicle's bluetooth.   This will cause the bluetooth connection with the vehicle to activate.   Then you will be able to hear and speak through the vehicles bluetooth system while pressing and releasing the PTT button as you would if you were using Nextel through the handset.
It is even more awkward if you try placing a PTT call.   Hit the green "pick up call" button and even though the bluetooth system will be asking you for verbal commands to initiate a phone call, ignore them and "chirp" the person as you normally would. It will work, not pretty, but it will work. At the end of the call the system will still be asking for verbal commands, but simply hang up.
This worked whether the phone was in vibrate, speaker or not.

HT1203 Followed directions, still doesn't work.

I have two users on one computer. MOST of the music from itunes is on both accounts. I've used the public folder like it said. But one account is still missing a lot of music. How do I make them the exact same?

You don't need to set these properties from 1.4 onwards, but otherwise this has nothing to do with 'not recognizing https', it's just a question about how to start a Java application named 'myApp' which is in the default package. If your class isn't called 'myApp' or isn't in the default package you need to substiture.
Look up the 'java' command in the Javadoc.

Grant execute via role has odd limitations

Hi,
I have execute grants (with admin option) on a pl/sql package via a role. When I try to compile a pl/sql procedure that uses functions/procedures from that package, I get error
PLS-00201: identifier '<packagename>' must be declared
So the only workaround I see is to grant the execute rights (with grant option) straight to my userid, instead of via a role. That seems very odd.
Can someone tell me the subtle thoughts behind this??
Regards, Paul.

- Definer's rights stored procedures (the default) cannot see privileges granted to a role. Invoker's rights stored procedures, however, can access privileges granted to roles. I don't expect this to help you much in general-- using all invoker's rights stored procedures probably increases your grant management issues-- but it may be an option for some.
- Among the problems with allowing a definer's rights stored procedure to access privileges granted through a role is that roles can be enabled and disabled at runtime for a particular session and can be password protected. If your session enables a password protected role that has access to procedure A in one session, and you create a procedure B that calls A, Oracle would have no way of knowing whether some other session created with the same user account some time later still remembered the password. You'd have similar problems with non-default roles (or roles that were made non-default) for the owner of a procedure.
Since there are relatively few schemas in a system that will own procedures and relatively many user accounts that need to execute those procedures, it also makes sense to require DBAs to grant privileges to application user accounts directly since that has the side effect of preventing normal users that can execute a stored procedure from creating (and relying) on stored procedures or views inadvertently. If you've ever come across a system where some random user accidentally had a view promoted in their schema rather than in a shared schema that some critical report relies on (ideally if you see this the day after that random user resigns and the security folks drop his schema) you'd appreciate the rule that normal user grants should be via roles while application user grants should be direct.
Justin

How to restrict a schema owner from granting privileges to other users.

How can we restrict a schema owner from granting privileges to other users on his objects (e.g. tables). Lets say we have user called XYZ and he has tables in his schema TAB1, TAB2 an TAB3. How can we restrict user XYZ from granting privileges on TAB1, TAB2 and TAB3 to other users in the database. Is it possible in Oracle 10g R2? Any indirect or direct way to achieve this? Please help on this.
Thanks,
Manohar

Whenever someone is trying to prevent an object owner from doing something, that's generally a sign of a deeper problem. In a production database, the object owner shouldn't generally have CREATE SESSION privileges, so the user shouldn't be able to log in, which would prevent the user from issuing any grants.
As a general rule, you cannot stop an object owner from granting privileges on the objects it owns. You can work around this by creating a database-level DDL trigger that throws an exception if the user issuing the statement is XYZ and the DDL is a GRANT. But long term, you probably want to get to the root of the problem.
Justin
Edited by: Justin Cave on Nov 6, 2008 9:52 PM
Enrique beat me to it.

Granting Privileges question

This is not a duplicate post. User Wilhem posted it in the wrong forum.
In the below mentioned link, user CD has provided a quick way to grant privileges to another user. But it didn't work for me. Is there something wrong with with the DECODE expressions?
Re: Granting Privileges question

Instead of granting privileges to a user, i wanted to grant these privileges to a role. So i created a role
CREATE ROLE jenrole;
And then i tried the below mentioned script. But i am getting error
DECLARE
v_sql VARCHAR2(4000);
BEGIN
FOR obj IN (SELECT object_name
, object_type
, DECODE (OBJECT_TYPE,
'PROCEDURE','EXECUTE',
'FUNCTION' ,'EXECUTE',
'PACKAGE' ,'EXECUTE',
'SYNONYM' ,'SELECT' ,
'SELECT, INSERT, UPDATE, DELETE') rights
FROM user_objects)
LOOP
v_sql := 'GRANT '|| obj.rights ||' ON '|| obj.object_name ||' TO JENROLE' ;
dbms_output.put_line(v_sql);
EXECUTE IMMEDIATE v_sql; END LOOP;
END;
ERROR at line 1:
ORA-00911: invalid character
ORA-06512: at line 16
Why am i getting error? The error line is boldened

What is the difference between granting privilege directly and via role

When we want create a view in user1 schema , that user must be granted by select privilege on table user2.t2 , but not via a role , what is the difference?
Is there any other privileges that must be directly granted?

please look into the scenario ,
I have a schema with a table in it. I have granted select on that table to a role.
grant select on user1.example_table to example_role;
I then grant that role to a user:
grant example_role to user2;
Then user2 wants to create a view on top of that table:
create or replace view user2.example_view as
select *
from user1.example_table;
That throws an error however:
ORA-01031: insufficient privileges
Why though? If they have select permission via the role, why can they not then create a view on that object?
I found that I had to grant the object directly to the user before it would work.
grant select on user1.example_table to user2;
why this is so,
Thanks,
uday
Edited by: udayjampani on May 16, 2012 4:42 PM

Direct grants working, but not roles

Newbie question on roles.
I'm trying to give access to tables in one schema, zowner, to another (empty) schema, zuser, which represents an application user.
If I grant zuser a privilege directly, it works. For example:
SQL> grant insert on zowner.items to zuser; -- as DBA
Grant succeeded.
SQL> select count(*) from zowner.items; -- as zuser
COUNT(*)
3
But if I create a role instead, and grant it a privilege, and then grant zuser that role, then it doesn't work:
SQL> create role zowner_delete; -- as DBA
Role created.
SQL> grant delete on zowner.items to zowner_delete; -- as DBA
Grant succeeded.
SQL> grant zowner_delete to zuser; -- as DBA
Grant succeeded.
SQL> delete from zowner.items where num=3; -- as zuser
delete from zowner.items where num=3
ERROR at line 1:
ORA-01031: insufficient privileges
What am I missing??? Thanks, --DD

No, I don't think I was, yet I'm still seeing some weird stuff going on:
I did get further by granting 'create role' to zowner, and creating the roles using zowner, as it seems that a role created by system is less accessible that one creating by an ad-hoc (non-privileged) user.
But if you look at the SQL*Plus session below, you'll notice that despite granting the delete privileges (on table zowner.items) to zuser, the first delete attempts fails, while the second succeeds! The first one is made withing the test-roles script, while the second is later on, by hand in SQL*Plus, after listing the privileges of the roles.
So there's still something funny going on here, which I don't understand... And as you can also see, I'm alternating connections between zowner and zuser, so I am reconnecting everytime this time.
If anyone can shed more light on this, that be great. Thanks, --DD
Oracle Database 11g Enterprise Edition Release 11.1.0.4.0 - Beta
With the Partitioning, OLAP and Data Mining options
SQL>
SQL>
SQL>
SQL>
SQL>
SQL> @test-roles
SQL> SET SERVEROUTPUT ON
SQL> -- (zdb value changed)
SQL> DEFINE zdb = '@//host:port/sid'
SQL>
SQL> ---- As system ---------------------------------------------
SQL> DROP USER zowner CASCADE;
User dropped.
SQL> CREATE USER zowner IDENTIFIED BY zowner;
User created.
SQL> GRANT CONNECT, RESOURCE, CREATE ROLE, CREATE TABLE TO zowner;
Grant succeeded.
SQL>
SQL> -- Create empty user.
SQL> DROP USER zuser CASCADE;
User dropped.
SQL> CREATE USER zuser IDENTIFIED BY zuser;
User created.
SQL> GRANT CONNECT, RESOURCE TO zuser;
Grant succeeded.
SQL>
SQL> DROP ROLE zowner_insert;
Role dropped.
SQL> DROP ROLE zowner_delete;
Role dropped.
SQL> commit;
Commit complete.
SQL>
SQL> -- As zowner -----------------------------------------------
SQL> CONNECT zowner/zowner&zdb;
Connected.
SQL> create table items (num INTEGER, txt VARCHAR2(32));
Table created.
SQL> insert into items (num,txt) values (1, 'one');
1 row created.
SQL> insert into items (num,txt) values (2, 'two');
1 row created.
SQL> commit;
Commit complete.
SQL> PROMPT Listing items from zowner
Listing items from zowner
SQL> select * from items;
NUM TXT
1 one
2 two
SQL>
SQL> -- As zuser (no grant: select FAILS) -----------------------
SQL> CONNECT zuser/zuser&zdb;
Connected.
SQL> select * from zowner.items;
select * from zowner.items
ERROR at line 1:
ORA-00942: table or view does not exist
SQL>
SQL> -- As zowner -----------------------------------------------
SQL> CONNECT zowner/zowner&zdb;
Connected.
SQL> GRANT select on items to zuser;
Grant succeeded.
SQL>
SQL> -- As zuser (direct grant: select OK) ----------------------
SQL> CONNECT zuser/zuser&zdb;
Connected.
SQL> select * from zowner.items;
NUM TXT
1 one
2 two
SQL>
SQL> -- As zowner -----------------------------------------------
SQL> CONNECT zowner/zowner&zdb;
Connected.
SQL> CREATE ROLE zowner_insert;
Role created.
SQL> GRANT insert on items to zowner_insert;
Grant succeeded.
SQL> GRANT zowner_insert to zuser;
Grant succeeded.
SQL>
SQL> -- As zuser (indirect grant: insert OK) --------------------
SQL> CONNECT zuser/zuser&zdb;
Connected.
SQL> insert into zowner.items (num,txt) values (3, 'three');
1 row created.
SQL> commit;
Commit complete.
SQL> select * from zowner.items;
NUM TXT
3 three
1 one
2 two
SQL>
SQL> set linesize 90
SQL> column ROLE format a20
SQL> column OWNER format a10
SQL> column TABLE_NAME format a20
SQL> column COLUMN_NAME format a10
SQL> column PRIVILEGE format a20
SQL> select * from role_sys_privs;
ROLE PRIVILEGE ADM
RESOURCE CREATE SEQUENCE NO
RESOURCE CREATE TRIGGER NO
RESOURCE CREATE CLUSTER NO
RESOURCE CREATE PROCEDURE NO
RESOURCE CREATE TYPE NO
CONNECT CREATE SESSION NO
RESOURCE CREATE OPERATOR NO
RESOURCE CREATE TABLE NO
RESOURCE CREATE INDEXTYPE NO
9 rows selected.
SQL> select * from role_tab_privs;
ROLE OWNER TABLE_NAME COLUMN_NAM PRIVILEGE GRA
ZOWNER_INSERT ZOWNER ITEMS INSERT NO
SQL>
SQL> -- As zowner -----------------------------------------------
SQL> CONNECT zowner/zowner&zdb;
Connected.
SQL> CREATE ROLE zowner_delete;
Role created.
SQL> GRANT delete on items to zowner_delete;
Grant succeeded.
SQL> GRANT zowner_delete to zuser;
Grant succeeded.
SQL>
SQL> -- As zuser (indirect grant: delete ??) --------------------
SQL> CONNECT zuser/zuser&zdb;
Connected.
SQL> delete from owner.items where num=3;
delete from owner.items where num=3
ERROR at line 1:
ORA-00942: table or view does not exist
SQL> commit;
Commit complete.
SQL> select * from zowner.items;
NUM TXT
3 three
1 one
2 two
SQL> -- END OF THE test-roles SCRIPT
SQL> select * from role_sys_privs;
ROLE PRIVILEGE ADM
RESOURCE CREATE SEQUENCE NO
RESOURCE CREATE TRIGGER NO
RESOURCE CREATE CLUSTER NO
RESOURCE CREATE PROCEDURE NO
RESOURCE CREATE TYPE NO
CONNECT CREATE SESSION NO
RESOURCE CREATE OPERATOR NO
RESOURCE CREATE TABLE NO
RESOURCE CREATE INDEXTYPE NO
9 rows selected.
SQL> select * from role_tab_privs;
ROLE OWNER TABLE_NAME COLUMN_NAM PRIVILEGE GRA
ZOWNER_INSERT ZOWNER ITEMS INSERT NO
ZOWNER_DELETE ZOWNER ITEMS DELETE NO
SQL>
SQL>
SQL> desc zowner.items
Name Null? Type
NUM NUMBER(38)
TXT VARCHAR2(32)
SQL> insert into zowner.items (num,txt) values (4,'four');
1 row created.
SQL> commit;
Commit complete.
SQL> select * from zowner.items;
NUM TXT
3 three
4 four
1 one
2 two
SQL> delete from zowner.items where num=4;
1 row deleted.
SQL>

Can't grant privilege on column to user via role?

Hi:
From what I read in the docs I should be able to create a role that has UPDATE privs on a column of a table, and then grant that role to a user, who should be able to update the column of the table. I get "insufficient privileges" when I try that, although it works as advertised if I grant directly to the user. Am I mis-reading the docs?
Session GAFF:
CREATE TABLE "GAFF"."FOO2"
   (    "F1" NUMBER,
    "F2" NUMBER,
    "F3" VARCHAR2(50),
    "F4" NUMBER,
     CONSTRAINT "FOO2_PK" PRIMARY KEY ("F1")
create role foo2_u_f2;
grant update (f2) on foo2 to foo2_u_f2 ;
grant select on gaff.foo2 to play ;
grant foo2_u_f2 to play ;session PLAY:
update gaff.foo2 set f2 = 1 where f1 = 1ORA-01031: insufficient privileges

Most likely role foo2_u_f2 is not a default role for user play. Initially, when user is created default role is set to ALL. Later it can be changed to NONE or a set of roles. Login as play and issue:
select * from session_roles
/I bet you will not see foo2_u_f2. Then issue:
select granted_role,default_role from user_role_privs
/That will give you a list of user play default roles. You can either issue:
set role foo2_u_f2
/This will enable foo2_u_f2 role in current session. Or you can login as privileged user and issue ALTER USER DEFUALT ROLE ...,foo2_u_f2.
SY.

Isn't there DBA_ view to see the privileges granted to a role ?

DB version :11.2
I couldn't find a DBA_ view which would list all the privileges granted to a role. Finally I had to grant the role to a user and then connect as that granted user and then query ROLE_TAB_PRIVS view. As a DBA , I can't login into business schemas to check this.
The scenario
==============
SCOTT schema has two tables : HRTB_EMP_MASTER and HELLOWORLD
I want to grant SELECT privileges on these two tables to another user called TESTUSER but not directly ; through roles
SQL> conn / as sysdba
Connected.
SQL> grant create role to testuser;
Grant succeeded.
SQL> conn testuser/test123
Connected.
SQL>
SQL> create role testuser_ro;
Role created.
SQL> conn / as sysdba
Connected.
SQL> grant select on scott.hrtb_emp_master to testuser_ro;         --- > Granting the SELECT priv to the role first
Grant succeeded.
SQL> grant select on scott.helloworld to testuser_ro;
Grant succeeded.
SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT'; ----> This won't work because I am connected as SYS
                                                          ----> ROLE_TAB_PRIVS is user specific view
no rows selectedSince I couldn't find a DBA view which will the privileges granted to a role , I granted the role to the user I had to login to the user (against our security policy) and query
ROLE_TAB_PRIVS.
SQL> grant testuser_ro to testuser;
Grant succeeded.
SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';
no rows selected
SQL> conn testuser/test123
Connected.
SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';
ROLE            OWNER           TABLE_NAME           PRIVILEGE
TESTUSER_RO     SCOTT           HELLOWORLD           SELECT
TESTUSER_RO     SCOTT           HRTB_EMP_MASTER      SELECT

you should search for grantee, not owner
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> create role r1;
Role created.
SQL> grant select on sys.v$database to r1;
grant select on sys.v$database to r1
ERROR at line 1:
ORA-02030: can only select from fixed tables/views
SQL> grant select on sys.v_$database to r1;
Grant succeeded.
SQL> select grantee, privilege, owner, table_name from dba_tab_privs where grantee='R1';
GRANTEE         PRIVILEGE                                OWNER           TABLE_NAME
R1              SELECT                                   SYS             V_$DATABASE

Grant privileges to subprogram via role: should not work?

I bought Selftestsoftware for 1z0-147 for 9i and 10g. Selftestsoftware is endorsed by Oracle, should be high quality.
But its below sample question and answer seem to be wrong: It says that privilege for subprogram can be granted via role. But from Urman 9i book, all roles are disabled inside stored procedures.
Did Selftestsoftware made a mistake? Or the question did not mention or assume that the subprogram is based on invoker rights not definer right?
Question:
All users in the HR_EMP role have UPDATE privileges on the EMPLOYEE table. You create the UPDATE_EMPLOYEE procedure. HR_EMP users should only be able to update the EMPLOYEE table using this procedure.
Which two statements should you execute? (Choose two.)
GRANT UPDATE ON employee TO hr_emp;
GRANT SELECT ON employee to hr_emp;
REVOKE UPDATE ON employee FROM hr_emp;
REVOKE UPDATE ON employee FROM public;
GRANT EXECUTE ON update_employee TO hr_emp;
Explanation:
The two statements you should execute are:
REVOKE UPDATE ON employee FROM hr_emp;
GRANT EXECUTE ON update_employee TO hr_emp;
Unless you are the owner of the PL/SQL construct, you must be granted the EXECUTE object privilege to run it or have the EXECUTE ANY PROCEDURE system privilege. By default, a PL/SQL procedure executes under the security domain of its owner. This means that a user can invoke the procedure without privileges on the procedures underlying objects. To allow HR_EMP users to execute the procedure, you must issue the GRANT EXECUTE ON update_employee TO hr_emp; statement. To prevent HR_EMP users from updating the EMPLOYEE table unless they are using the UPDATE_EMPLOYEE procedure, you must issue the REVOKE UPDATE ON employee FROM hr_emp;
All of the other options are incorrect because they will not meet the specified requirements.
Edited by: user13270686 on Jun 7, 2010 9:22 PM

The answer is correct, and the explanation complete.
Inside stored procedures roles are disabled. This is because privileges are checked at compile time and roles can change between compile time and execute time.
However, privilege to execute the procedure can be granted to a role. During execution of the procedure the privileges of the procedure's owner apply.
This is because you want to have encapsulation: when tables and procedures are in the same schema, you won't have any privilege problem, as the owner of a set of tables will always have privilege (you can not revoke them).
Sybrand Bakker
Senior Oracle DBA

Grant Privileges on schema objects

Hello all,
I need to grant all privs to one user on another user all objects.
I am not findign exact command to do so.
eg: x have y objects.
user z should be able to select,update, delete all x.y objects.
Any help/insight is highly appreciated. !

You have to grant the privileges on an object by object basis.
You can use a bit of dynamic SQL to automate the process (note that I'm only showing the process of granting privileges on tables-- you can write similar bits of code to grant privileges on views and other types of objects as well).
BEGIN
FOR i IN (SELECT * FROM dba_tables where owner = 'X')
LOOP
EXECUTE IMMEDIATE 'grant select, update, delete on x.' || i.table_name || ' to z';
END LOOP;
END;If Z does not need the privileges granted directly, you would probably be better off creating a role, granting the privileges to the role, and then granting the role to Z. That will make it easier in the future if you need to create another user that has the same privileges as Z.
Justin
Edited by: Justin Cave on Oct 15, 2012 11:50 AM

Grant Privilege to Role instead of Direct grant doesn't work

Similar Messages

Maybe you are looking for