Grant privileges for future object?
Hi all. Need help.
1) Bob grants object privileges on cars to Anna
2) Anna renames cars to cars_old
3) Anna creates cars.
4) Bob has no privileges to cars :(
How to grant privileges on 'created in future' tables?
Here Demo
test - as Anna
monitor - Bob
Session : As Sys User
SQL>
SQL>
SQL> create user test identified by test default tablespace users quota unlimited on
2 users;
User created.
SQL> create user monitor identified by monitor default tablespace users quota
2 unlimited on users;
User created.
SQL> grant create session, create table, create procedure to test;
Grant succeeded.
SQL> grant create session, create ANY table to monitor;
Grant succeeded.
SQL> create role test_access;
Role created.
SQL>
SQL>
Session : 2
Test User
SQL> create table job_parm_table( job number primary key, tname varchar2(30) )
2 organization index;
Table created.
SQL> create or replace procedure do_grant( p_job in number )
2 as
3 l_rec job_parm_table%rowtype;
4 begin
5 select * into l_rec from job_parm_table where job = p_job;
6 execute immediate 'grant select, insert, update, delete on ' || l_rec.tname || ' to
7 test_access';
8 delete from job_parm_table where job = p_job;
9 end;
10 /
Procedure created.
SQL> grant insert on job_parm_table to sys;
Grant succeeded.
SQL> grant execute on do_grant to sys;
Grant succeeded.
SQL>
Sys User -- Session 1
SQL> create table msg ( txt varchar2(255) );
Table created.
SQL> create or replace trigger test_schema_trig
2 before CREATE on database
3 declare
4 l_str varchar2(255);
5 l_job number;
6 begin
7 if ( ora_dict_obj_type = 'TABLE' and ora_dict_obj_owner = 'TEST' )
8 then
9 dbms_job.submit( l_job, 'test.do_grant(JOB);' );
10 insert into test.job_parm_table( job, tname ) values ( l_job,
11 ora_dict_obj_name );
12 end if;
13 end;
14 /
Trigger created.
SQL>
Test - User
SQL> create table t1( x int );
Table created.
monitor - User
SQL> create table test.t2(name varchar2(30));
Table created.
Sys User
SQL> select grantee, privilege from dba_tab_privs where owner = 'TEST';
GRANTEE PRIVILEGE
SYS EXECUTE
SYS INSERT
TEST_ACCESS DELETE
TEST_ACCESS INSERT
TEST_ACCESS SELECT
TEST_ACCESS UPDATE
TEST_ACCESS DELETE
TEST_ACCESS INSERT
TEST_ACCESS SELECT
TEST_ACCESS UPDATE
10 rows selected.
SQL> select * from test.job_parm_table;
no rows selected
- Failed at last.. Checking the code, give me some time...
I can access the tables created in "TEST" by monitor, got the privileges.... Success, but one thing is I could not
find the records in job_parm_table...
Is It Okay with you know...
Problem.. Solved... :-)
- Pavan Kumar N
Edited by: Pavan Kumar on Sep 20, 2008 12:58 AM
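A hardened variant of the do_grant procedure from the demo above, as an added example that is not part of the original post: the demo concatenates the captured table name straight into the GRANT text, so a table created with a quoted identifier (mixed case, spaces) is parsed as part of the statement instead of as one name. It assumes a release that ships DBMS_ASSERT and reuses the demo's TEST schema, job_parm_table and test_access role; the coverage query at the end is also an addition.

```sql
-- Added example, not the poster's code. Run as TEST; it replaces the demo's do_grant.
CREATE OR REPLACE PROCEDURE do_grant( p_job IN NUMBER )
AS
  l_tname  job_parm_table.tname%TYPE;
  l_target VARCHAR2(200);
BEGIN
  SELECT tname INTO l_tname FROM job_parm_table WHERE job = p_job;

  -- ENQUOTE_NAME wraps the value in double quotes and raises an error if the
  -- value itself contains a double quote, so it can only be parsed as a single
  -- identifier. capitalize => FALSE keeps the exact case the trigger captured
  -- from ora_dict_obj_name.
  l_target := DBMS_ASSERT.ENQUOTE_NAME( 'TEST', FALSE ) || '.'
           || DBMS_ASSERT.ENQUOTE_NAME( l_tname, FALSE );

  EXECUTE IMMEDIATE
    'grant select, insert, update, delete on ' || l_target || ' to test_access';

  -- Same clean-up as the demo: the parameter row is removed once the grant is
  -- done, which is why job_parm_table is empty after the job has run.
  DELETE FROM job_parm_table WHERE job = p_job;
END;
/

-- Coverage check, run as a DBA: tables owned by TEST that test_access cannot
-- SELECT yet. Tables created before the trigger existed (job_parm_table in the
-- demo) and tables whose grant job has not run or has failed show up here.
SELECT t.table_name
FROM   dba_tables t
WHERE  t.owner = 'TEST'
AND    NOT EXISTS ( SELECT 1
                    FROM   dba_tab_privs p
                    WHERE  p.owner      = t.owner
                    AND    p.table_name = t.table_name
                    AND    p.grantee    = 'TEST_ACCESS'
                    AND    p.privilege  = 'SELECT' )
ORDER  BY t.table_name;
```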
Similar Messages
-
How To Modify Privileges For APEX Objects Granted To PUBLIC?
I have searched this forum but couldn't find any threads relating to this...
We have APEX 3.0.1 installed in some 10g (10.2.0.2) databases that host GIS data. I was informed by a GIS administrator that when using ESRI tool to search for data, the objects that belongs to FLOWS_030000 schema and ones that were granted to PUBLIC are shown. He would like to know if there is a way to hide these objects so they don't show up on the list? There are about 176 objects granted to public from the flows_030000 schema.
Could we establish a different security scheme that could accomplish the same thing? Maybe we need to create a new account and a role. Grant all of the privileges for flows_030000 to public to the new role. Then grant the role to the new account and the flow_files schema?
Our goal here is to make the flows_030000 objects hidden from the ESRI tools and still have APEX working properly.
If you look at the grants, you'll see that there are over 170 objects from the FLOWS_030000 granted to PUBLIC:
SQL> select count(*) from dba_tab_privs where owner= 'FLOWS_030000' and grantee = 'PUBLIC';
173
If we were to grant these privileges to a role, called APEX_APP_RU, and grant this role to APEX_PUBLIC_USER and any schemas an application is linked to (Workspace to Schema), would that be a workable solution?
The only problem I see right off hand that this might not work is that PUBLIC has synonyms created for the FLOWS_030000 objects. If we revoke the underlying privileges, because of the synonyms, this might not work.
SQL> select COUNT(*) from dba_synonyms where table_owner = 'FLOWS_030000' and owner = 'PUBLIC';
176
Does anyone else have any ideas? -
Grant Privileges on schema objects
Hello all,
I need to grant all privs to one user on another user all objects.
I am not finding exact command to do so.
eg: x have y objects.
user z should be able to select,update, delete all x.y objects.
Any help/insight is highly appreciated!
You have to grant the privileges on an object by object basis.
You can use a bit of dynamic SQL to automate the process (note that I'm only showing the process of granting privileges on tables-- you can write similar bits of code to grant privileges on views and other types of objects as well).
BEGIN
  -- one GRANT per table owned by X
  FOR i IN (SELECT * FROM dba_tables where owner = 'X')
  LOOP
    EXECUTE IMMEDIATE 'grant select, update, delete on x.' || i.table_name || ' to z';
  END LOOP;
END;
/
If Z does not need the privileges granted directly, you would probably be better off creating a role, granting the privileges to the role, and then granting the role to Z. That will make it easier in the future if you need to create another user that has the same privileges as Z.
Justin
Edited by: Justin Cave on Oct 15, 2012 11:50 AM -
Grant privileges to all objects
Oracle 11.0.1.7.0:
When I create new user I do something like:
create user abc identified by abc
grant create session, create table, create views, create snapshot to abc - separate grant for each object
grant unlimited tablespace to abc;
So when I do that sometimes I forget privileges for sequences. Is there a way to give privilege in one sql to the user to let that user create table, views, session, tablespace etc.
Edited by: user628400 on Jun 9, 2009 5:35 PM
Is there a list of things like create table, session etc. that I can look at to determine what options I have?
select distinct privilege from role_sys_privs order by 1;
will give you a list of privileges which can be granted to role.
is there a way to grant privileges to all different types like create table, session etc in one statement without having to type each one of them separately like grant create session, grant table?
As other replied, this can be achieved by creating a role like:
SQL> create role newrole;
Role created.
SQL> grant create table,query rewrite to newrole; -- Or any privilege by above command.
Grant succeeded.
SQL> grant newrole to <YourUserName>; --
Grant succeeded.
HTH
Girish Sharma -
How to grant privilege for a specific function?
Hello all,
I wonder if exists a privilege, that i could grant to a user, just to run a specific function.
I searched in dba_sys_privs something about it but, returned nothing.
13:38:10 brunos@fastora1> select * from dba_sys_privs where privilege like '%FUNCTION%';
GRANTEE PRIVILEGE ADMIN_OPTION
Do you guys have any idea for my issue ?
Thanks in advance.
BSalesRashid wrote:
Hello all,
I wonder if exists a privilege, that i could grant to a user, just to run a specific function.
I searched in dba_sys_privs something about it but, returned nothing.
13:38:10 brunos@fastora1> select * from dba_sys_privs where privilege like '%FUNCTION%';
GRANTEE PRIVILEGE ADMIN_OPTION
Do you guys have any idea for my issue ?
Thanks in advance.
GRANT EXECUTE ON SPECIFIC_FUNCTION TO NEWBIE_USER; -
SAP HANA Privileges for Frontend Tools
Hello,
I am pretty new to HANA and having problems to access my created views from Frontend Tools like Design Studio or Lumira.
I have created several tables and on top created an Analytic View. Tables and views are in the same schema, but I assigned the view to a package. If I want to access the view via Design Studio there are no views or packages shown.
My User has the following privileges and roles:
Roles:
CONTENT_ADMIN
USER
MODELING
MONITORING
PUBLIC
Object Privileges:
_SYS_REPO
REPOSITORY_REST (SYS)
Analytical Privileges:
_SYS_BI_CP_ALL
Package Privileges:
package to which the View was assigned
If I want to Data Preview myView I get an error: insufficient privileges.
Has anybody an idea? Is there a tutorial for granting privileges for reporting purposes? The Admin Guide is very general and I thought the standard roles were sufficient for my scenario.
Help would be appreciated.
Thanks
Waldemar
So as the trace is saying did you give "Grant" option? And hence you are able to preview the data in HANA. It means:
1) You are able to see the package from "myUser"
2) You were able to do data preview from HANA on the analytic view
Right?
If it is "myUser" who created the tables, then i don't think you need to grant again.
I was mentioning you to grant SYS_BI (SELECT) ,_SYS (SELECT) to "myUser"
And after all this your issue currently is "myUser" cant see the views in Design studio? Could you confirm that you are logging into Design studio using "myUser"?
Regards,
Krishna Tangudu -
Grant Privilege to Role instead of Direct grant doesn't work
Hi all
My scenario is as follows:
create user a identified by a;
create user b identified by b;
grant connect,resource to a ;
grant connect,resource to b ;
conn a/a
create table tbl( c1 number(10));
conn system/sys
create role roll;
grant roll to b;
conn a/a
grant select on tbl to roll;
conn b/b
set role roll;
create or replace procedure b.pr
as
v number(10);
begin
select c1 into v
from a.tbl
where c1=0;
end;
/
show error
Errors for PROCEDURE B.P:
LINE/COL ERROR
6/1 PL/SQL: SQL Statement ignored
7/6 PL/SQL: ORA-00942: table or view does not exist
This happen because i granted the SELECT privilege to user b through the role ROLL but if i granted the user b the SELECT privilege directly it work properly
Why???
And how could I grant the privilege from within a role, Because i don't want to grant it directly
Thank in advance
Bassil
There is no other way. The owner of stored code must have been directly granted all necessary (used in code) select, insert, update, or delete privileges. The code owner cannot just have the referenced privileges granted to them via a role. There is no workaround, nor should there be as this is a security feature. Just because you have been granted insert or delete to another user's tables does not mean you should be able to grant that access to some other user. This is exactly what you do when you grant execute to stored code that referenced another user's objects.
The referenced article is by Tom Kyte and there are few people who understand how to use Oracle to better effect than Tom. The same information can be found in the official documentation and is referenced by the article.
You can write packages that use the privileges of the executing person. Perhaps for the specific problem you are writing the code to handle this is the route you want to take. See the manuals for the details.
Note - If user A grants insert to user B on table_a then user B can write a procedure, proc_b, and grant execute to a role and anyone with the role can perform inserts into table_a via proc_b, without having any grants on table_a. You do not need to grant privileges on the objects referenced in stored code that runs as the code owner if this is what you are worried about. The users just need execute on the package, procedure, or function that performs the DML operations in this case and they can get that from a role.
If you still do not understand you need to state exactly what it is you either do not understand or want to know how to do.
HTH -- Mark D Powell -- -
Can't retrieve folder privileges for a specific user
I am trying to get the granted privilege for a specified user for a certain folder. I am using the wwsec_api.get_granted_user_privilege function. When I run my code, nothing is ever returned. Here is my code:
l_priv_varchar := wwsec_api.get_granted_user_privilege(
p_user_id => 0,
p_object_type_name => 'FOLDER',
p_name => '2889');
p_user_id is from wwsec_person.id$
p_object_type_name is my object type
p_name is from wwv_corners.id
I have looked at the properties of this folder and this user, 0, is set up as the owner. So I am expecting to see 'OWN' returned. I have another user set up to only VIEW the folder and when I put that user's id into the p_user_id parameter I still do not get any return. I can run this same code (with different parameter values) and get the privileges for a 'PAGE', but never for a FOLDER.
Does anyone have this problem or can tell what I am missing?
Thanks.
p_name for a folder is "sitename/parentfolder/foldername". You can see that in the syspriv_name field on the WWV_CORNERS table.
-
ORACLE - How to GRANT privileges on ALL the tables belonging to a schema
Is there a way to grant to a user the same privileges on ALL the tables belonging to the same schema, so that, in case a new table is created afterwards, the grant is automatically given ?
Thanks in advance for any reply
Yes of course ! Just do the same as Oracle Applications: an end user has no Oracle account, the application code connects with the Oracle account that is the schema owner:
no more grant needed ... That's a joke but it's also true ! In this case, your application must implement its own security (password management, audit, privileges) and you will not be able to use Oracle privileges, auditing and advanced security features ... just like Oracle Applications.
The above answers are of course correct. You can also create an Oracle role that you can grant to the Oracle users and grant the privileges to this role everytime a new table is created to avoid granting privileges for each new object to each user. -
READ privileges for *all the databases*
Is it possible to grant READ privileges for all the databases objects (tables, schema, triggers, procedures, view and etc)
SHANOJ wrote:
Is it possible to grant privileges to all objects in one time?
It depends on what you mean by 'in one time'. In one single SQL statement? No. But there's nothing stopping you issuing a billion grants one after the other in your session.
Roles are probably better suited for this task. But are you sure you really want to grant SELECT privileges on all the tables in the database? It's more common to grant SELECT on all the 'MARKAPP' tables to the 'MARKAPP_READ_ONLY' role... -
How to restrict a schema owner from granting privileges to other users.
How can we restrict a schema owner from granting privileges to other users on his objects (e.g. tables). Let's say we have user called XYZ and he has tables in his schema TAB1, TAB2 and TAB3. How can we restrict user XYZ from granting privileges on TAB1, TAB2 and TAB3 to other users in the database. Is it possible in Oracle 10g R2? Any indirect or direct way to achieve this? Please help on this.
Thanks,
Manohar
Whenever someone is trying to prevent an object owner from doing something, that's generally a sign of a deeper problem. In a production database, the object owner shouldn't generally have CREATE SESSION privileges, so the user shouldn't be able to log in, which would prevent the user from issuing any grants.
As a general rule, you cannot stop an object owner from granting privileges on the objects it owns. You can work around this by creating a database-level DDL trigger that throws an exception if the user issuing the statement is XYZ and the DDL is a GRANT. But long term, you probably want to get to the root of the problem.
Justin
Edited by: Justin Cave on Nov 6, 2008 9:52 PM
Enrique beat me to it. -
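The database-level DDL trigger described in the answer above, as an added example that is not part of the original thread: it rejects GRANT statements issued by XYZ and records each attempt so the underlying need can be followed up. The names grant_attempts, log_grant_attempt and block_xyz_grants are hypothetical; the objects are assumed to be created by a DBA account that can create database-level triggers.

```sql
-- Added example. XYZ is the schema owner from the question; every other
-- object name in this block is hypothetical.
CREATE TABLE grant_attempts (
  attempted_at TIMESTAMP DEFAULT SYSTIMESTAMP,
  login_user   VARCHAR2(128),
  obj_owner    VARCHAR2(128),
  obj_name     VARCHAR2(128)
);

-- The trigger raises an exception to stop the GRANT, which would also undo
-- any insert made in the same transaction. An autonomous transaction keeps
-- the log row after the GRANT has been rejected.
CREATE OR REPLACE PROCEDURE log_grant_attempt(
  p_user  IN VARCHAR2,
  p_owner IN VARCHAR2,
  p_name  IN VARCHAR2 )
AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO grant_attempts( login_user, obj_owner, obj_name )
  VALUES ( p_user, p_owner, p_name );
  COMMIT;
END;
/

CREATE OR REPLACE TRIGGER block_xyz_grants
BEFORE GRANT ON DATABASE
BEGIN
  -- ora_login_user is the session user issuing the statement;
  -- ora_dict_obj_owner / ora_dict_obj_name identify the object in the GRANT.
  IF ora_login_user = 'XYZ' THEN
    log_grant_attempt( ora_login_user, ora_dict_obj_owner, ora_dict_obj_name );
    RAISE_APPLICATION_ERROR( -20001, 'GRANT statements issued by XYZ are blocked' );
  END IF;
END;
/

-- The trigger only stops new grants. Review what XYZ has already granted,
-- including grants that can be passed on (GRANTABLE = 'YES').
SELECT grantee, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantor = 'XYZ'
ORDER  BY grantee, table_name, privilege;
```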
ORA-04021 while granting sys privilege to an object
Hello,
While granting a system privilege to an object using the TOAD software, ORA-04021 error arised, ORA-00600 was written in the alert.log, and a new trace file appeared. Can you help understand the reason for the error
Here is the trace file:
mis64_ora_2210.trc
Oracle9i Enterprise Edition Release 9.2.0.1.0 - 64bit Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
ORACLE_HOME = /mis64/ora/oracle
System name: HP-UX
Node name: ncdb001
Release: B.11.11
Version: U
Machine: 9000/800
Instance name: MIS64
Redo thread mounted by this instance: 1
Oracle process number: 17
Unix process pid: 2210, image: oracle@ncdb001 (TNS V1-V3)
*** SESSION ID:(31.923) 2004-12-03 13:04:03.754
*** 2004-12-03 13:04:03.754
ksedmp: internal or fatal error
ORA-00600: internal error code, arguments: [qerfxFetch_01], [], [], [], [], [], [], []
Current SQL statement for this session:
SELECT
s.username,
s.osuser,
S.PROGRAM "Program",
s.serial# "Serial#",
s.sql_address "address", s.sql_hash_value "Sql hash",
lk.sid, DECODE(lk.TYPE,
'MR', 'Media Recovery',
'RT', 'Redo Thread',
'UN', 'User Name',
'TX', 'Transaction',
'TM', 'DML',
'UL', 'PL/SQL User Lock',
'DX', 'Distributed Xaction',
'CF', 'Control File',
'IS', 'Instance State',
'FS', 'File Set',
'IR', 'Instance Recovery',
'ST', 'Disk Space Transaction',
'TS', 'Temp Segment',
'IV', 'Library Cache Invalidation',
'LS', 'Log Start or Switch',
'RW', 'Row Wait',
'SQ', 'Sequence Number',
'TE', 'Extend Table',
'TT', 'Temp Table',
'BL','Buffer hash table instance',
'CI','Cross-instance function invocation instance',
'CU','Cursor bind',
'DF','Data file instance',
'DL','Direct loader parallel index create',
'DM','Mount/startup db primary/secondary instance',
'DR','Distributed recovery process',
'HW','Space management operations on a specific segment',
'IN','Instance number',
'JQ','Job queue',
'KK','Thread kick',
'LA','Library cache lock instance lock namespace A',
'LB','Library cache lock instance lock namespace B',
'LC','Library cache lock instance lock namespace C',
'LD','Library cache lock instance lock namespace D',
'LE','Library cache lock instance lock namespace E',
'LF','Library cache lock instance lock namespace F',
'LG','Library cache lock instance lock namespace G',
'LH','Library cache lock instance lock namespace H',
'LI','Library cache lock instance lock namespace I',
'LJ','Library cache lock instance lock namespace J',
'LK','Library cache lock instance lock namespace K',
'LL','Library cache lock instance lock namespace L',
'LM','Library cache lock instance lock namespace M',
'LN','Library cache lock instance lock namespace N',
'LO','Library cache lock instance lock namespace O',
'LP','Library cache lock instance lock namespace P',
'MM','Mount definition global enqueue',
'NA','Library cache pin instance A',
'NB','Library cache pin instance B',
'NC','Library cache pin instance C',
'ND','Library cache pin instance D',
'NE','Library cache pin instance E',
'NF','Library cache pin instance F',
'NG','Library cache pin instance G',
'NH','Library cache pin instance H',
'NI','Library cache pin instance I',
'NJ','Library cache pin instance J',
'NK','Library cache pin instance K',
'NL','Library cache pin instance L',
'NM','Library cache pin instance M',
'NN','Library cache pin instance N',
'NO','Library cache pin instance O',
'NP','Library cache pin instance P',
'NQ','Library cache pin instance Q',
'NR','Library cache pin instance R',
'NS','Library cache pin instance S',
'NT','Library cache pin instance T',
'NU','Library cache pin instance U',
'NV','Library cache pin instance V',
'NW','Library cache pin instance W',
'NX','Library cache pin instance X',
'NY','Library cache pin instance Y',
'NZ','Library cache pin instance Z',
'PF','Password File',
'PI',' PS Parallel operation',
'PR','Process startup',
'QA','Row cache instance A',
'QB','Row cache instance B',
'QC','Row cache instance C',
'QD','Row cache instance D',
'QE','Row cache instance E',
'QF','Row cache instance F',
'QG','Row cache instance G',
'QH','Row cache instance H',
'QI','Row cache instance I',
'QJ','Row cache instance J',
'QK','Row cache instance K',
'QL','Row cache instance L',
'QM','Row cache instance M',
'QN','Row cache instance N',
'QO','Row cache instance O',
'QP','Row cache instance P',
'QQ','Row cache instance Q',
'QR','Row cache instance R',
'QS','Row cache instance S',
'QT','Row cache instance T',
'QU','Row cache instance U',
'QV','Row cache instance V',
'QW','Row cache instance W',
'QX','Row cache instance X',
'QY','Row cache instance Y',
'QZ','Row cache instance Z',
'SC','System commit number instance',
'SM','SMON',
'SN','Sequence number instance',
'SS','Sort segment',
'SV','Sequence number value',
'TA','Generic enqueue',
'US','Undo segment DDL',
'WL','Being-written redo log instance',
lk.TYPE) lock_type,
DECODE(lk.lmode,
0, 'None',
1, 'Null',
2, 'Row-S (SS)',
3, 'Row-X (SX)',
4, 'Share',
5, 'S/Row-X (SSX)',
6, 'Exclusive',
TO_CHAR(lk.lmode)) mode_held,
DECODE(request,
0, 'None',
1, 'Null',
2, 'Row-S (SS)',
3, 'Row-X (SX)',
4, 'Share',
5, 'S/Row-X (SSX)',
6, 'Exclusive',
TO_CHAR(lk.request)) mode_requested,
TO_CHAR(lk.id1) lock_id1,
TO_CHAR(lk.id2) lock_id2,
s.USERNAME "DB User", s.sid,
OWNER||'.'||OBJECT_NAME "Object"
FROM v$lock lk, v$session s
, DBA_OBJECTS ao
WHERE
lk.lmode > 1
AND s.username is not null
AND lk.sid = s.sid
AND ao.OBJECT_ID(+) = lk.id1
ORDER BY 1, "Object"
Hi,
It's a possible bug id 2306106.8 (affects OEM) which is fixed in 9.2.0.2.
Nicolas. -
Granting privilege through role not working for PL/SQL
Version: 11.2.0.2
In our shop, we don't grant privileges directly to a user, we grant it to a role and grant that role to the intended grantee.
Granting privileges through a role seems to be fine with SQL Engine. But it doesn't work from PL/SQL engine.
In the below example GLS_DEV user is granted SELECT access on SCOTT.pets table through a role called tstrole. GLS_DEV can select this table from SQL. But PL/SQL Engine doesn't seem to know this.
Reproducing the issue:
SQL> show user
USER is "SCOTT"
SQL> select * from pets;
NAME
PLUTO
SQL> conn / as sysdba
Connected.
SQL> create user GLS_DEV identified by test1234 default tablespace TSTDATA;
User created.
SQL> alter user GLS_DEV quota 25m on TSTDATA;
User altered.
SQL> grant create session, resource to GLS_DEV;
Grant succeeded.
--- Granting SELECT privilege on scott.pets to tstrole and then grant this role to GLS_DEV.
SQL> conn / as sysdba
Connected.
SQL>
SQL> create role tstrole;
Role created.
SQL> grant select on scott.pets to tstrole;
Grant succeeded.
SQL> grant tstrole to GLS_DEV;
Grant succeeded.
SQL> conn GLS_DEV/test1234
Connected.
SQL>
SQL> select * From scott.pets;
NAME
PLUTO
---- All fine till here. From SQL engine , GLS_DEV user can SELECT scott.pets table.
--- Now , I am going to create a PL/SQL object in GLS_DEV which tries to refer scott.pets
SQL> show user
USER is "GLS_DEV"
create or replace procedure my_proc
is
myvariable varchar2(35);
begin
select name into myvariable from scott.pets ;
dbms_output.put_line(myvariable);
end my_proc;
Warning: Procedure created with compilation errors.
SQL> show errors
Errors for PROCEDURE MY_PROC:
LINE/COL ERROR
6/2 PL/SQL: SQL Statement ignored
6/41 PL/SQL: ORA-01031: insufficient privileges
SQL>
SQL> 6
6* select name into myvariable from scott.pets ;
--- PL/SQL Engine doesn't seem to know that GLS_DEV has select privilege on scott.pets indirectly granted through a role
--- Fix
--- Instead of granting privilege through a role, I am granting the SELECT privilege on scott.pets to GLS_DEV directly.
--- The error goes away, I can compile and execute the procedure !!
SQL> conn / as sysdba
Connected.
SQL>
SQL> grant select on scott.pets to GLS_DEV;
Grant succeeded.
SQL> conn GLS_DEV/test1234
Connected.
SQL>
SQL> create or replace procedure my_proc
is
myvariable varchar2(35);
begin
select name into myvariable from scott.pets ;
dbms_output.put_line(myvariable);
end my_proc;
/
Procedure created.
SQL> set serveroutput on
SQL> exec my_proc;
PLUTO
PL/SQL procedure successfully completed.
Has anyone encountered the same issue ?
You really should start your own new thread for this question instead of resurrecting an old one, but to answer your question.
There are two things going on here. First, there are a number of alter session commands that can be used by any user regardless of what privileges they are granted. Although I do not have the entire list at hand, things like nls_date_format and current_schema are available to all users, sort of like the grants to public in the data dictionary.
Second, when you use execute immediate, the PL/SQL engine never really sees the statement, as far as the compiler is concerned it is just a string. It is only when the string is passed to the sql engine that permissions are checked, and there roles are not enabled.
SQL> create role t_role;
Role created.
SQL> grant select on ops$oracle.t to t_role;
Grant succeeded.
SQL> create user a identified by a default tablespace users;
User created.
SQL> grant create session, create procedure to a;
Grant succeeded.
SQL> grant t_role to a;
Grant succeeded.
SQL> connect a/a
Connected.
SQL> select * from ops$oracle.t;
ID DESCR
1 One
1 Un
SQL> create function f (p_descr in varchar2) return number as
2 l_num number;
3 begin
4 select id into l_num
5 from ops$oracle.t
6 where descr = p_descr;
7 return l_num;
8 end;
9 /
Warning: Function created with compilation errors.
SQL> show error
Errors for FUNCTION F:
LINE/COL ERROR
4/4 PL/SQL: SQL Statement ignored
5/20 PL/SQL: ORA-00942: table or view does not exist
SQL> create or replace function f (p_descr in varchar2) return number as
2 l_num number;
3 begin
4 execute immediate 'select id from ops$oracle.t where descr = :b1'
5 into l_num using p_descr;
6 return l_num;
7 end;
8 /
Function created.
SQL> select f('One') from dual;
select f('One') from dual
ERROR at line 1:
ORA-00942: table or view does not exist
ORA-06512: at "A.F", line 4
John -
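A way to check and handle the role behaviour discussed in this thread and in the earlier "Grant Privilege to Role instead of Direct grant doesn't work" thread, as an added example that is not part of either thread. It reuses the names GLS_DEV, TSTROLE and SCOTT.PETS from the reproduction above; my_proc_ir is a hypothetical name, and the invoker's rights procedure is assumed to be called directly from the session, not from definer's rights code.

```sql
-- Added example, not code from the thread.

-- 1. As GLS_DEV: see the table the way definer's rights PL/SQL sees it.
--    With every role disabled, only direct grants remain, so this SELECT
--    fails while the privilege is held through TSTROLE alone.
SET ROLE NONE;
SELECT * FROM scott.pets;
SET ROLE ALL;

-- 2. As a DBA: show, for each privilege GLS_DEV holds on SCOTT objects,
--    whether it is direct or arrives through a role (nested roles included).
SELECT p.table_name,
       p.privilege,
       CASE WHEN p.grantee = 'GLS_DEV' THEN 'DIRECT'
            ELSE 'ROLE ' || p.grantee
       END AS held_via
FROM   dba_tab_privs p
WHERE  p.owner = 'SCOTT'
AND    (    p.grantee = 'GLS_DEV'
         OR p.grantee IN ( SELECT granted_role
                           FROM   dba_role_privs
                           START WITH grantee = 'GLS_DEV'
                           CONNECT BY PRIOR granted_role = grantee ) )
ORDER  BY p.table_name, p.privilege;

-- 3. As GLS_DEV: invoker's rights plus dynamic SQL. AUTHID CURRENT_USER makes
--    the procedure run with the caller's privileges, including the roles
--    enabled in the caller's session. The query is dynamic because static SQL
--    is still checked at compile time without roles.
CREATE OR REPLACE PROCEDURE my_proc_ir
  AUTHID CURRENT_USER
IS
  myvariable VARCHAR2(35);
BEGIN
  -- scott.pets holds a single row in the thread's reproduction
  EXECUTE IMMEDIATE 'select name from scott.pets' INTO myvariable;
  DBMS_OUTPUT.PUT_LINE( myvariable );
END my_proc_ir;
/
```

The trade-off is that every caller of my_proc_ir needs its own access to scott.pets, whereas the definer's rights version with a direct grant lets callers reach the table only through the procedure.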
Granting Privileges on Objects and Workspace
Hi folks,
I'm a newbie using Workspace Manager and here is a basic question about granting privileges. I think that it's a little bit confused to me the concept regarding objects privileges versus workspace privileges.
Here is the scenario.
User A enable versioning in table TAB1
User A creates a workspace WKS1
User A grants workspace privileges to User B (ACESS, MERGE,....)
User B connects into the database and goto workspace WKS1
User B tries to select, insert, update data using TAB1 but got error that
table does not exist.
So, Should user A, previously, grant select, insert, update permission on table TAB1 to User B?
I understood that it was not necessary once user B would, in fact, access a view created by workspace manager and the privileges would be set using the GrantWorkspacePrivs function.
Regards,
Luis
Hi,
The object and workspace privileges are separate. You would need to grant access to user B for both the workspace and the table. The object permissions can be granted prior to executing dbms_wm.enableversioning or during a DDL session.
Regards,
Ben -
Privileges to EUL5_X objects for non-developers using PLUS
I have granted only SELECT access to the EUL5_xxx objects (tables, views and Sequence) to users who will only be accessing shared reports and not creating their own.. But those users get an insufficient privileges error.. So I have to give them the same as the developers (INSERT, UPDATE, DELETE),,,
Does anyone know why that is ? Or better what are list of tables that require these DML privileges for users who will only be running reports - again - not creating them
thanks
OBX.....
Yes I know the capabilities and function of the Disco Administrator... But I am more concerned with people using their account, inadvertently, to perform DML functions on the EUL_X tables.. To me this seems like a major security hole, for all it takes is a savvy user to use MS Access, setup an ODBC connection and boom - they could easily delete data... Naturally there is no reason for them to do so - but that does not safeguard the disco metadata..
Seems like a big issue with Discoverer..
So if I am wrong - please let me know....