Grant privileges, roles within Forms
Hello,
I have a forms application where each year new users (e.g. employees) can appear, and when a new employee appears I want to grant him privileges, roles, etc. within Forms. So is it possible to have a form (accessible just for the dba user) from where he can assign roles to other users? (In the employee table I have a column 'username'.) Also, when I insert a new employee, in the post-insert query (I think) is it possible to have something like
create user .... identified by ....... but here is a problem.. where can I write the password?
Please clarify :)
Regards,
Roger22 wrote:
but when i run the script how can i specify the password?
What do you mean by specify the password? What's exactly your problem/requirement with specifying the pw?
You can do this in forms using forms_ddl, but I'd use a database procedure for this which creates the user, does the granting stuff etc.
e.g.:
create or replace procedure createUser(ivUsername in varchar2) is
  -- one grant statement and one synonym statement per object of the current schema
  cursor cGrants(cvUsername varchar2) is
    select 'grant '||decode(object_type, 'TABLE', 'select, insert, update, delete ', 'PROCEDURE', 'execute ', [...])||'on '||object_name||' to '||cvUserName as grant_stmt,
           -- the synonym is created in the new user's schema and points at the current user's object
           'create synonym '||cvUserName||'.'||object_name||' for '||user||'.'||object_name as syn
    from user_objects
    where object_name != 'CREATEUSER'
    and object_name not in (select synonym_name from all_synonyms where owner = upper(cvUserName));
begin
  -- the password is set to the username
  execute immediate 'create user '||ivUserName||' identified by '||ivUserName||' default tablespace my_tbs temporary tablespace my_temptbs quota unlimited on my_tbs';
  execute immediate 'grant connect, resource to '||ivUserName;
  for rGrants in cGrants(ivUsername) loop
    execute immediate rGrants.grant_stmt;
    execute immediate rGrants.syn;
  end loop;
end;
/
A user with pw = username gets created (maybe you should provide your users a pw change functionality to change their passwords afterwards), he gets granted all the privileges to objects from the current user, and also synonyms get created (if you want to use this the calling user should have the create any synonym privilege). Beware: If you want to do this you MUST NOT grant this procedure to the other users (so object_name != 'CREATEUSER') or use any other database procedures in it, as you'll get a lock when executing the grant statement and the procedure hangs.
If you want to manage more schemas, you could create this procedure with the system user, modify the cursor to do a query on all_objects and restrict it to the schema from where you want to grant the privileges to (grant execute on schema.object to user), and pass the schema and the user to create to it.
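A hardened variant of the procedure in the reply above, as an added example that is not part of the original post: the username is validated before it is concatenated into DDL, the initial password is passed in instead of being set to the username, and the account is created with an expired password so the user must change it at first login. The names create_app_user, p_username and p_initial_pw are hypothetical; my_tbs and my_temptbs are the tablespace names from the post.

```sql
-- Added example, not the original poster's code.
-- Hypothetical names: create_app_user, p_username, p_initial_pw.
-- Definer's-rights procedure: the owner needs CREATE USER granted directly
-- (roles are disabled inside it) and CREATE SESSION WITH ADMIN OPTION
-- (or GRANT ANY PRIVILEGE) to pass CREATE SESSION on.
create or replace procedure create_app_user(
  p_username   in varchar2,
  p_initial_pw in varchar2
) is
  l_user varchar2(128);
begin
  -- Raises ORA-44003 unless the value is a single valid SQL identifier,
  -- so text such as 'x identified by y' never reaches the DDL string.
  l_user := dbms_assert.simple_sql_name(upper(trim(p_username)));

  -- The password is wrapped in double quotes in the DDL text; a double
  -- quote inside it would end the quoted value early, so reject it.
  if p_initial_pw is null or instr(p_initial_pw, '"') > 0 then
    raise_application_error(-20001, 'invalid initial password');
  end if;

  -- PASSWORD EXPIRE forces a password change at the first login.
  execute immediate
    'create user ' || l_user ||
    ' identified by "' || p_initial_pw || '"' ||
    ' default tablespace my_tbs temporary tablespace my_temptbs' ||
    ' quota unlimited on my_tbs password expire';

  -- Only what an end user of the application needs to log in.
  execute immediate 'grant create session to ' || l_user;

  -- Object grants on the owner's own objects. ENQUOTE_NAME quotes each
  -- object name, so names with special characters cannot break the statement.
  for r in (select object_name,
                   decode(object_type,
                          'TABLE',     'select, insert, update, delete',
                          'VIEW',      'select',
                          'PROCEDURE', 'execute',
                          'FUNCTION',  'execute',
                          'PACKAGE',   'execute') as privs
              from user_objects
             where object_name <> 'CREATE_APP_USER'
               and object_type in ('TABLE', 'VIEW', 'PROCEDURE',
                                   'FUNCTION', 'PACKAGE'))
  loop
    execute immediate
      'grant ' || r.privs || ' on ' ||
      dbms_assert.enquote_name(r.object_name, false) ||
      ' to ' || l_user;
  end loop;
end;
/
```

Synonym creation is left out here; EXECUTE on the procedure should go only to the account that administers users, never to a role held by ordinary users.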
Similar Messages
-
Easy Question: How to identify user roles within form?
Hi folks,
I would like to display/hide button which calls static data maintenance form (from other form) based on current user roles.
If user has role "STATIC_DATA" granted then DISPLAY button (which calls static data form), else DO NOT DISPLAY it.
Any example, how to get user roles within form?
Thanks,
Tomas
I can do it with below code:
declare
  l_cnt number;
begin
  select count(*)
  into l_cnt
  from user_role_privs
  where granted_role = 'STATIC_DATA';
  if l_cnt > 0 then
    null; -- display it
  else
    null; -- do not display
  end if;
end;
I think, above should work.
Thanks,
Tomas -
Grant Privilege to Role instead of Direct grant doesn't work
Hi all
My scenario is as follows:
create user a identified by a;
create user b identified by b;
grant connect,resource to a ;
grant connect,resource to b ;
conn a/a
create table tbl( c1 number(10));
conn system/sys
create role roll;
grant roll to b;
conn a/a
grant select on tbl to roll;
conn b/b
set role roll;
create or replace procedure b.pr
as
v number(10);
begin
select a into v
from a.tbl
where a=0;
end;
show error
Errors for PROCEDURE B.P:
LINE/COL ERROR
6/1 PL/SQL: SQL Statement ignored
7/6 PL/SQL: ORA-00942: table or view does not exist
This happens because I granted the SELECT privilege to user b through the role ROLL, but if I grant user b the SELECT privilege directly it works properly.
Why???
And how could I grant the privilege from within a role? Because I don't want to grant it directly.
Thanks in advance
Bassil
There is no other way. The owner of stored code must have been directly granted all necessary (used in code) select, insert, update, or delete privileges. The code owner cannot just have the referenced privileges granted to them via a role. There is no workaround, nor should there be as this is a security feature. Just because you have been granted insert or delete to another user's tables does not mean you should be able to grant that access to some other user. This is exactly what you do when you grant execute to stored code that referenced another user's objects.
The referenced article is by Tom Kyte and there are few people who understand how to use Oracle to better effect than Tom. The same information can be found in the official documentation and is referenced by the article.
You can write packages that use the privileges of the executing person. Perhaps for the specific problem you are writing the code to handle this is the route you want to take. See the manuals for the details.
Note - If user A grants insert to user B on table_a then user B can write a procedure, proc_b, and grant execute to a role and anyone with the role can perform inserts into table_a via proc_b, without having any grants on table_a. You do not need to grant privileges on the objects referenced in stored code that runs as the code owner if this is what you are worried about. The users just need execute on the package, procedure, or function that performs the DML operations in this case and they can get that from a role.
If you still do not understand you need to state exactly what it is you either do not understand or want to know how to do.
HTH -- Mark D Powell -- -
Grant privileges to subprogram via role: should not work?
I bought Selftestsoftware for 1z0-147 for 9i and 10g. Selftestsoftware is endorsed by Oracle, should be high quality.
But its below sample question and answer seem to be wrong: It says that privilege for subprogram can be granted via role. But from Urman 9i book, all roles are disabled inside stored procedures.
Did Selftestsoftware make a mistake? Or did the question not mention or assume that the subprogram is based on invoker rights, not definer rights?
Question:
All users in the HR_EMP role have UPDATE privileges on the EMPLOYEE table. You create the UPDATE_EMPLOYEE procedure. HR_EMP users should only be able to update the EMPLOYEE table using this procedure.
Which two statements should you execute? (Choose two.)
GRANT UPDATE ON employee TO hr_emp;
GRANT SELECT ON employee to hr_emp;
REVOKE UPDATE ON employee FROM hr_emp;
REVOKE UPDATE ON employee FROM public;
GRANT EXECUTE ON update_employee TO hr_emp;
Explanation:
The two statements you should execute are:
REVOKE UPDATE ON employee FROM hr_emp;
GRANT EXECUTE ON update_employee TO hr_emp;
Unless you are the owner of the PL/SQL construct, you must be granted the EXECUTE object privilege to run it or have the EXECUTE ANY PROCEDURE system privilege. By default, a PL/SQL procedure executes under the security domain of its owner. This means that a user can invoke the procedure without privileges on the procedure's underlying objects. To allow HR_EMP users to execute the procedure, you must issue the GRANT EXECUTE ON update_employee TO hr_emp; statement. To prevent HR_EMP users from updating the EMPLOYEE table unless they are using the UPDATE_EMPLOYEE procedure, you must issue the REVOKE UPDATE ON employee FROM hr_emp; statement.
All of the other options are incorrect because they will not meet the specified requirements.
Edited by: user13270686 on Jun 7, 2010 9:22 PM
The answer is correct, and the explanation complete.
Inside stored procedures roles are disabled. This is because privileges are checked at compile time and roles can change between compile time and execute time.
However, privilege to execute the procedure can be granted to a role. During execution of the procedure the privileges of the procedure's owner apply.
This is because you want to have encapsulation: when tables and procedures are in the same schema, you won't have any privilege problem, as the owner of a set of tables will always have privilege (you can not revoke them).
Sybrand Bakker
Senior Oracle DBA -
Can't grant privilege on column to user via role?
Hi:
From what I read in the docs I should be able to create a role that has UPDATE privs on a column of a table, and then grant that role to a user, who should be able to update the column of the table. I get "insufficient privileges" when I try that, although it works as advertised if I grant directly to the user. Am I mis-reading the docs?
Session GAFF:
CREATE TABLE "GAFF"."FOO2"
( "F1" NUMBER,
"F2" NUMBER,
"F3" VARCHAR2(50),
"F4" NUMBER,
CONSTRAINT "FOO2_PK" PRIMARY KEY ("F1")
);
create role foo2_u_f2;
grant update (f2) on foo2 to foo2_u_f2 ;
grant select on gaff.foo2 to play ;
grant foo2_u_f2 to play ;
session PLAY:
update gaff.foo2 set f2 = 1 where f1 = 1
ORA-01031: insufficient privileges
Most likely role foo2_u_f2 is not a default role for user play. Initially, when user is created default role is set to ALL. Later it can be changed to NONE or a set of roles. Login as play and issue:
select * from session_roles
/
I bet you will not see foo2_u_f2. Then issue:
select granted_role,default_role from user_role_privs
/
That will give you a list of user play default roles. You can either issue:
set role foo2_u_f2
/
This will enable foo2_u_f2 role in current session. Or you can login as privileged user and issue ALTER USER DEFAULT ROLE ...,foo2_u_f2.
SY. -
Granting privilege through role not working for PL/SQL
Version: 11.2.0.2
In our shop, we don't grant privileges directly to a user, we grant it to a role and grant that role to the intended grantee.
Granting privileges through a role seems to be fine with SQL Engine. But it doesn't work from PL/SQL engine.
In the below example GLS_DEV user is granted SELECT access on SCOTT.pets table through a role called tstrole. GLS_DEV can select this table from SQL. But PL/SQL Engine doesn't seem to know this.
Reproducing the issue:
SQL> show user
USER is "SCOTT"
SQL> select * from pets;
NAME
PLUTO
SQL> conn / as sysdba
Connected.
SQL> create user GLS_DEV identified by test1234 default tablespace TSTDATA;
User created.
SQL> alter user GLS_DEV quota 25m on TSTDATA;
User altered.
SQL> grant create session, resource to GLS_DEV;
Grant succeeded.
--- Granting SELECT privilege on scott.pets to tstrole and then grant this role to GLS_DEV.
SQL> conn / as sysdba
Connected.
SQL>
SQL> create role tstrole;
Role created.
SQL> grant select on scott.pets to tstrole;
Grant succeeded.
SQL> grant tstrole to GLS_DEV;
Grant succeeded.
SQL> conn GLS_DEV/test1234
Connected.
SQL>
SQL> select * From scott.pets;
NAME
PLUTO
---- All fine till here. From SQL engine , GLS_DEV user can SELECT scott.pets table.
--- Now , I am going to create a PL/SQL object in GLS_DEV which tries to refer scott.pets
SQL> show user
USER is "GLS_DEV"
create or replace procedure my_proc
is
myvariable varchar2(35);
begin
select name into myvariable from scott.pets ;
dbms_output.put_line(myvariable);
end my_proc;
Warning: Procedure created with compilation errors.
SQL> show errors
Errors for PROCEDURE MY_PROC:
LINE/COL ERROR
6/2 PL/SQL: SQL Statement ignored
6/41 PL/SQL: ORA-01031: insufficient privileges
SQL>
SQL> 6
6* select name into myvariable from scott.pets ;
--- PL/SQL Engine doesn't seem to know that GLS_DEV has select privilege on scott.pets indirectly granted through a role
--- Fix
--- Instead of granting privilege through a role, I am granting the SELECT privilege on scott.pets to GLS_DEV directly.
--- The error goes away, I can compile and execute the procedure !!
SQL> conn / as sysdba
Connected.
SQL>
SQL> grant select on scott.pets to GLS_DEV;
Grant succeeded.
SQL> conn GLS_DEV/test1234
Connected.
SQL>
SQL> create or replace procedure my_proc
is
myvariable varchar2(35);
begin
select name into myvariable from scott.pets ;
dbms_output.put_line(myvariable);
end my_proc;
/
Procedure created.
SQL> set serveroutput on
SQL> exec my_proc;
PLUTO
PL/SQL procedure successfully completed.
Has anyone encountered the same issue ?
You really should start your own new thread for this question instead of resurrecting an old one, but to answer your question.
There are two things going on here. First, there are a number of alter session commands that can be used by any user regardless of what privileges they are granted. Although I do not have the entire list at hand, things like nls_date_format and current_schema are available to all users, sort of like the grants to public in the data dictionary.
Second, when you use execute immediate, the PL/SQL engine never really sees the statement, as far as the compiler is concerned it is just a string. It is only when the string is passed to the sql engine that permissions are checked, and there roles are not enabled.
SQL> create role t_role;
Role created.
SQL> grant select on ops$oracle.t to t_role;
Grant succeeded.
SQL> create user a identified by a default tablespace users;
User created.
SQL> grant create session, create procedure to a;
Grant succeeded.
SQL> grant t_role to a;
Grant succeeded.
SQL> connect a/a
Connected.
SQL> select * from ops$oracle.t;
ID DESCR
1 One
1 Un
SQL> create function f (p_descr in varchar2) return number as
2 l_num number;
3 begin
4 select id into l_num
5 from ops$oracle.t
6 where descr = p_descr;
7 return l_num;
8 end;
9 /
Warning: Function created with compilation errors.
SQL> show error
Errors for FUNCTION F:
LINE/COL ERROR
4/4 PL/SQL: SQL Statement ignored
5/20 PL/SQL: ORA-00942: table or view does not exist
SQL> create or replace function f (p_descr in varchar2) return number as
2 l_num number;
3 begin
4 execute immediate 'select id from ops$oracle.t where descr = :b1'
5 into l_num using p_descr;
6 return l_num;
7 end;
8 /
Function created.
SQL> select f('One') from dual;
select f('One') from dual
ERROR at line 1:
ORA-00942: table or view does not exist
ORA-06512: at "A.F", line 4
John
-
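The role behaviour shown in the threads above, as an added SQL*Plus example that is not part of the original posts: it lists whether a privilege is held directly or through a role, turns roles off in the session to see what definer's-rights PL/SQL sees, and then uses an invoker's-rights function with dynamic SQL so the caller's enabled roles apply at run time. It reuses user A, role T_ROLE and table OPS$ORACLE.T from John's session; the function name f_ir is hypothetical.

```sql
-- Added example, run in SQL*Plus as user A from the session above.
-- Reuses T_ROLE and OPS$ORACLE.T from that session; F_IR is a hypothetical name.

-- 1. Where does the privilege on the table come from?
--    Only the rows marked 'direct' are usable when definer's-rights
--    PL/SQL or a view owned by this user is compiled and run.
select 'direct' as granted_via, privilege
  from user_tab_privs_recd
 where owner = 'OPS$ORACLE' and table_name = 'T'
union all
select 'role ' || role, privilege
  from role_tab_privs
 where owner = 'OPS$ORACLE' and table_name = 'T';

-- 2. Reproduce the stored procedure's environment in plain SQL:
--    with all roles disabled the session is left with direct grants only,
--    which is the privilege set a definer's-rights unit runs with.
set role none;
select * from ops$oracle.t;
set role all;
select * from session_roles;

-- 3. Invoker's rights: AUTHID CURRENT_USER makes the function run with the
--    caller's privileges, including the roles enabled in the calling session.
--    Dynamic SQL is required, because static references are still resolved
--    at compile time with the owner's direct grants.
create or replace function f_ir (p_descr in varchar2) return number
  authid current_user
as
  l_num number;
begin
  execute immediate 'select id from ops$oracle.t where descr = :b1'
    into l_num using p_descr;
  return l_num;
end;
/

set serveroutput on
exec dbms_output.put_line(f_ir('One'));
```

An invoker's-rights unit runs with the privileges of whoever calls it, so grant EXECUTE on it deliberately and have privileged accounts call only code whose owner they trust.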
How to check granted privileges on role.
Hi,
Can any one explain how to check granted privileges on role.
I have created one role called ALL_SYSPRIVS
but I forgot what privileges were granted to this role
Thank you...
Hi Vijay,
Last week I saw the following thread:
Finding the privileges assigned to a user
Re: Finding the privileges assigned to a user
From there, you'll be able to find a few scripts that will provide you with an overview of grants assigned to user, or role....
HTH,
Thierry -
Privileges granted to roles sometimes are not effective(not functioning)?
Hello,
I have experienced cases where roles were granted and privileges granted to the roles. The roles are then granted to certain users. But when these users try to perform dml/ddl, they get insufficient privileges even though these users were granted the roles which do contain the correct privileges. Why are some privileges not functioning when they are granted to the roles? To resolve, direct grants were granted to the users. But why aren't they working through the roles? Thank you.
Hi watson2000 ,
can you send the scripts...what you have performed.
Since, I did not face any problem with granting privileges and roles.
If you provide some information on that (little more) what you have done so that we can help you out..
Thanks
Pavan Kumar N -
What is the difference between granting privilege directly and via role
When we want to create a view in user1 schema, that user must be granted the select privilege on table user2.t2, but not via a role. What is the difference?
Are there any other privileges that must be directly granted?
please look into the scenario ,
I have a schema with a table in it. I have granted select on that table to a role.
grant select on user1.example_table to example_role;
I then grant that role to a user:
grant example_role to user2;
Then user2 wants to create a view on top of that table:
create or replace view user2.example_view as
select *
from user1.example_table;
That throws an error however:
ORA-01031: insufficient privileges
Why though? If they have select permission via the role, why can they not then create a view on that object?
I found that I had to grant the object directly to the user before it would work.
grant select on user1.example_table to user2;
why this is so,
Thanks,
uday
Edited by: udayjampani on May 16, 2012 4:42 PM -
I have created roles in database successfully....when I try to
connect through same users by forms 5.0 after applying menu and
menu item security thing....I get an error
user is not entitled to run form builder...contact your DBA...
being developer how can I remove this error
and log on to the same application by different users having
granted different roles thus privileges
thanks in advance
FORMS_DDL('SET ROLE MY_ROLE [IDENTIFIED BY PWD]');
enables the given role and disables all others. -
I'm trying to assign global roles to enterprise users via the ESM but it doesn't seem to work. I'm able to connect to the database and I can see that I'm correctly authenticated using sys_context('userenv','external_name'),sys_context('userenv','session_user'), but I don't get any global roles associated with the enterprise role I'm assigned to.
Ideas? Anyone has an idea how can I debug this or set a trace to see if I'm even really associated with the Enterprise Role?
Edited by: [email protected] on Dec 9, 2008 10:53 PM
You can't unless you use a DDL event trigger
http://www.psoug.org/reference/ddl_trigger.html
or write a stored procedure that allows the user to grant privileges presented as input parameters and contains a hard coded list of those privs that can be granted.
Personally I find the idea of giving anyone, other than a DBA or trusted security officer, the ability to grant privs a violation of governance and security practices and would discourage you from doing so except within the context of a procedure as described above. -
Grant privileges to all objects
Oracle 11.0.1.7.0:
When I create new user I do something like:
create user abc identified by abc;
grant create session, create table, create view, create snapshot to abc; -- separate grant for each object
grant unlimited tablespace to abc;
So when I do that sometimes I forget privileges for sequences. Is there a way to give privilege in one sql to the user to let that user create table, views, session, tablespace etc.
Edited by: user628400 on Jun 9, 2009 5:35 PM
Is there a list of things like create table, session etc. that I can look at to determine what options I have?
select distinct privilege from role_sys_privs order by 1;
will give you a list of privileges which can be granted to role.
is there a way to grant privileges to all different types like create table, session etc in one statement without having to type each one of them separately like grant create session, grant table?
As other replied, this can be achieved by creating a role like:
SQL> create role newrole;
Role created.
SQL> grant create table,query rewrite to newrole; -- Or any privilege by above command.
Grant succeeded.
SQL> grant newrole to <YourUserName>; --
Grant succeeded.
HTH
Girish Sharma -
Grant Privileges to another user
Hi,
I am new to plsql. In course of my learning. I created two tables BOOKS and AUTHORS in orcl database(10g) through SYSDBA.
Again i logged in to SCOTT user account and am unable to see the BOOKS and AUTHORS tables.
Please let me know how do i grant administrative privileges(to edit,delete,insert,update) to SCOTT user for these tables.
Thanks & Regards,
Amrutha.
808099 wrote:
1. Got now that SYSDBA is a role and SYS is user.
2. I was able to login to sqlplus through giving "/ as SYSDBA" as the username. Hence I thought it as user.
"/ as sysdba" connects to the database as the SYS user using operating system authentication with the SYSDBA role enabled.
3. Secondly, I don't know which schema does my BOOKS table belong to. Because I just ran a create table script in scott/tiger@orcl. Please suggest how I can know which schema it belongs to.
If you connected to the database as the SCOTT user and ran the script to create the table, the table would almost certainly be owned by SCOTT. If you connected to the database as the SYS user and ran the script to create the table, the table would most likely be owned by SYS. If the script specified the schema owner, i.e.
CREATE TABLE library.book ...
the table would be created in the specified schema. But you need to have very powerful privileges in order to create objects in other user's schemas and SCOTT does not have those privileges unless you've specifically granted them.
4. Thirdly, I will delete the BOOKS and AUTHORS from SYS and create them in SCOTT user. But thought if GRANT privileges can be an alternative.
Not really. It's much better to have the tables owned by the correct schema in the first place. You use grants to allow other users to access (or modify) tables but other users are not going to have the same level of privileges (for example, they're not going to be able to run DDL against the table).
Justin -
ORACLE - How to GRANT privileges on ALL the tables belonging to a schema
Is there a way to grant to a user the same privileges on ALL the tables belonging to the same schema, so that, in case a new table is created afterwards, the grant is automatically given ?
Thanks in advance for any reply
Yes of course ! Just do the same as Oracle Applications: an end user has no Oracle account, the application code connects with the Oracle account that is the schema owner:
no more grant needed ... That's a joke but it's also true ! In this case, your application must implement its own security (password management, audit, privileges) and you will not be able to use Oracle privileges, auditing and advanced security features ... just like Oracle Applications.
The above answers are of course correct. You can also create an Oracle role that you can grant to the Oracle users and grant the privileges to this role every time a new table is created to avoid granting privileges for each new object to each user. -
This is not a duplicate post. User Wilhem posted it in the wrong forum.
In the below mentioned link, user CD has provided a quick way to grant privileges to another user. But it didn't work for me. Is there something wrong with the DECODE expressions?
Re: Granting Privileges question
Instead of granting privileges to a user, I wanted to grant these privileges to a role. So I created a role
CREATE ROLE jenrole;
And then I tried the below mentioned script. But I am getting an error
DECLARE
v_sql VARCHAR2(4000);
BEGIN
FOR obj IN (SELECT object_name
, object_type
, DECODE (OBJECT_TYPE,
'PROCEDURE','EXECUTE',
'FUNCTION' ,'EXECUTE',
'PACKAGE' ,'EXECUTE',
'SYNONYM' ,'SELECT' ,
'SELECT, INSERT, UPDATE, DELETE') rights
FROM user_objects)
LOOP
v_sql := 'GRANT '|| obj.rights ||' ON '|| obj.object_name ||' TO JENROLE' ;
dbms_output.put_line(v_sql);
EXECUTE IMMEDIATE v_sql;
END LOOP;
END;
ERROR at line 1:
ORA-00911: invalid character
ORA-06512: at line 16
Why am I getting the error? The error line is boldened