Granting Privileges on Objects and Workspace

Similar Messages

• SQL*Modeler - Granting Privileges on Directories and Types

  SQL*Modeler 2.0.0 Build 584
  I see no way against a Directory to specify grants to this directory. It would be nice to have the ability to add privileges by user in the same way as for tables/view/sequences etc or have a script option similar to that for tables which could be executed after the creation of a directory to grant the relevant users read/write privileges.
  Same thing applies to Types, Collections, External tables.
  At the moment I usethe first table to run an END OF SCRIPT which contains these thing butthese have no visibility or validation.
  On external tables I see no way to specify NOLOGGING. If I had this option I would not have to grant my users WRITE access to the directory since log files would not be produced each time an external table is queried.
  Well while I'm at it might as well shoot for the moon......
  I have a requirement to grant an ORACLE supplied Role but I do't want to import it into the model. It would be nice to have the Oracle standard roles available to the model. Alternatively what about an after script for the Use as per tables.
  One futher requirement is to grant execute to users to access ORACLE supplied packages (specifically DBMS_LOCK). Again an after script for a user would alleviate this but give it visibility against the user.
  I live in hope.....
  Regards
  Ian Bainbridge

  On external tables I see no way to specify NOLOGGING. If I had this option I would not have to grant my users WRITE access to the directory since log files would not be produced each time an external table is queried.This can be done by including NOLOGFILE in the Opaque Format Spec.
  For example, if the Access Driver is ORACLE_LOADER, the Opaque Format Spec
  could be set to:
  RECORDS DELIMITED BY NEWLINE NOLOGFILE
  If the Access Driver is ORACLE_DATAPUMP, the Opaque Format Spec could be set
  to
  NOLOGFILE

• Grant Privileges on schema objects

  Hello all,
  I need to grant all privs to one user on another user all objects.
  I am not findign exact command to do so.
  eg: x have y objects.
  user z should be able to select,update, delete all x.y objects.
  Any help/insight is highly appreciated. !

  You have to grant the privileges on an object by object basis.
  You can use a bit of dynamic SQL to automate the process (note that I'm only showing the process of granting privileges on tables-- you can write similar bits of code to grant privileges on views and other types of objects as well).
  BEGIN
    FOR i IN (SELECT * FROM dba_tables where owner = 'X')
    LOOP
      EXECUTE IMMEDIATE 'grant select, update, delete on x.' || i.table_name || ' to z';
    END LOOP;
  END;If Z does not need the privileges granted directly, you would probably be better off creating a role, granting the privileges to the role, and then granting the role to Z. That will make it easier in the future if you need to create another user that has the same privileges as Z.
  Justin
  Edited by: Justin Cave on Oct 15, 2012 11:50 AM

• Granting privileges BUG, Help!

  I am working with Discoverer 10.1.2.48.18.
  After granting any "Desktop and Plus Privileges" (select on tables also include) and workbooks and BA access, user CANNOT see any data in workbooks.
  When i do the same many times in Administrator, the user suddenly can get requisite abilities.
  Then i analysed the table "EUL5_ACCESS_PRIVS" and detected, that, when privilege whith GP_APP_ID = 1013 is appear, User CAN SEE the data in workbooks, granted to him. But i don't understand when this row is appear.
  Also i supposed, that Command Line for Java can help me, but privilege with GP_APP_ID = 1013 don't appear :(, even after granting "all_user_privs".
  Only after some games with checkboxes in Administrator i get required result.
  Help, please.

  Hi,
  The object and workspace privileges are separate. You would need to grant access to user B for both the workspace and the table. The object permissions can be granted prior to executing dbms_wm.enableversioning or during a DDL session.
  Regards,
  Ben

• Differences Between Object And System Privileges

  Hi,
  Whats the difference between object and system privileges in oracle?
  Cheers
  Paul

  System Privileges
  A system privilege is the right to perform a particular action, or to perform an action on any schema objects of a particular type. For example, the privileges to create tablespaces and to delete the rows of any table in a database are system privileges.
  Schema Object Privileges
  A schema object privilege is a privilege or right to perform a particular action on a specific schema object:
  For example, the privilege to delete rows from the departments table is an object privilege.
  Some schema objects, such as clusters, indexes, triggers, and database links, do not have associated object privileges. Their use is controlled with system privileges. For example, to alter a cluster, a user must own the cluster or have the ALTER ANY CLUSTER system privilege.
  A schema object and its synonym are equivalent with respect to privileges. That is, the object privileges granted for a table, view, sequence, procedure, function, or package apply whether referencing the base object by name or using a synonym.
  Granting object privileges on a table, view, sequence, procedure, function, or package to a synonym for the object has the same effect as if no synonym were used. When a synonym is dropped, all grants for the underlying schema object remain in effect, even if the privileges were granted by specifying the dropped synonym.

• DFD diagram and ER crossmatrix for role definitions and role's privileges on objects

  Hello,
  Having the question on derivative use of combination of DFDs and ER diagrams ( let us be more fixes and focus on Relational model ).
  In DFD there are defined external entities and functions, data flows and data stores that are forming processes.
  Functions represents procedures, transactions, transformations.
  Dataflows presents procedures parameters, intermediate reports, temporary table data, data that is passed , retrieved/written, signals, triggers/events that controle or trigger function...
  Context of my question is focused on external entities.
  External entity suppose to denote the sourced or destinationed system ( for example Archiving system ) or operator, system that is out of scope of the DFD and it is mentioned just as target or destination or source of dataflow or control flow.
  In context of these understandings I am using external entitiy also for types of users of the system:  staff that is triggering functions or schedulers or job managers, or reporting systems ( or components of reporting systems like for example business intelligence extraction processes ).
  What is my problem that on basis of external entity definitions and E/R model also define roles and privilege classes for access to data objects.
  And from those generating ddls for database roles, privileges on entitities to those roles.
  But in privileges granting to role having two different kind of privileges on data objects:
  - privileges that are granted on various schema objects
     For example role1 has grant on tab1, view2, procedure1, package3,
  - the other type of privilega is based on the scope or range of semantically defined scope or semantic area.
  Semantic area is scattered through tables because of normalisation and using semantic area as entity of which primary key is
  partitioning the table data through many semantic areas.
  So this privilege should be granted on basis of the rows in table not column ( more semantically then structurally ...row oriented more than column ).
  Both privileges that are granted to roles are also basis for functional roles
  ( privilege that is granted that functional role has grant to trigger or execute some function or process ).
  My question is?
  How do you handle modeling technology for analysis and design for role privileges and consolidation between database and functional roles ?
  Grateful for any idea, experience and suggestions.

  Hello,
  Guess I was looking for the formal sequence of steps that would bring me to the
  ddls for "create role ..." and "grant privileges to role".
  You can do that.
  1) I assume you have logical model and it's engineered to relational model, also you have data flow diagram created
  2) You need to define information structures for flows connecting "Information store" to primitive process - attribute usage of particular entities should be defined for those "information structures" processed in flows
  3) You need to define create, update and delete operation for flow going from primitive process to store - read is assumed in opposite direction
  4) create a role in Process model and assign primitive processes to it - list of available processes to add depends on current data flow diagram
  5) You need an open physical model for your relational model
  6) Select "transfer process model roles to physical model roles" from context menu of top level DFD - select roles, relational and physical model there - roles with related permissions will be created in physical model
  Entity1 is divided in several subtypes for different business areas.
  And account manager for business_area1 is allowed to work on subtype1 ( view on prime table )...
  Different implementation of entity hierarchies are not processed correctly in that wizard - i.e to get permissions to table corresponding to child entity - that entity should be used in information structure and flow.
  Philip

• Grant privileges to all objects

  Oracle 11.0.1.7.0:
  When I create new user I do something like:
  create user abc identified by abc
  grant create session, create table, create views, create snapshot to abc - separate grant for each object
  grant unlimited tablespace to abc;So when I do that sometimes I forget privileges for sequences. Is there a way to give privilege in one sql to the user to let that user create table, views, session, tablespace etc.
  Edited by: user628400 on Jun 9, 2009 5:35 PM

  Is there a list of things like create table, session etc. that I can look at to determine what options I have?select distinct privilege from role_sys_privs order by 1;
  will give you a list of privileges which can be granted to role.
  is there a way to grant privileges to all different types like create table, session etc in one statement without having to type each one of them separately like grant create session, grant table?As other replied, this can be achieved by creating a role like:
  SQL> create role newrole;
  Role created.
  SQL> grant create table,query rewrite to newrole;  -- Or any privilege by above command.
  Grant succeeded.
  SQL> grant newrole to <YourUserName>;  --
  Grant succeeded.HTH
  Girish Sharma

• To grant  privileges to user or/and group

  Hi,
  I need information about to grant privileges on content area and folders.
  For example, if I grant privilege to view content on Content area and I grant privilege of Manage Items on folder. Can the users or group add items to folder? Or can they view the content?
  Thank you for information,
  Noel

  I changed the file (sudo vi $ORACLE_HOME/rdbms/admin/externaljob.ora) to read run_user = oracle and run_group = dba. The error remains the same - also after restart of dbconsole. Anyway, the file has note: The user and group specified here should be a lowly privileged user and group for your platform. For Linux this is nobody and nobody. Which it was, and I changed it back to that.
  Btw:
  SQL> SELECT owner, credential_name, username FROM dba_scheduler_credentials;
  no rows selected
  SQL> execute DBMS_SCHEDULER.CREATE_CREDENTIAL('oracle','oracle','password');
  After the above I was able to select "sys.oracle" as the credential name pull-down menu of the scheduler job edit mode.
  And the job succeeded: EXTERNAL_LOG_ID="job_73826_863", USERNAME="oracle"
  How does one set credentials if not in the "preferred credential setup" in dbconsole EM?
  Edited by: Dude on Jan 14, 2011 2:11 PM

• Error while granting privileges to new user

  hi all,
  I created new user and i tried to grant privileges to that new user by using ( SQL> CONNECT / AS sysdba;
  Connected.
  SQL> CREATE USER cdcproj IDENTIFIED BY cdcproj
  2 QUOTA UNLIMITED ON SYSTEM
  3 QUOTA UNLIMITED ON SYSAUX;
  User created.
  SQL> GRANT CREATE SESSION TO cdcproj;
  Grant succeeded.
  SQL> GRANT CREATE TABLE TO cdcproj;
  Grant succeeded.
  SQL> GRANT SELECT_CATALOG_ROLE TO cdcproj;
  Grant succeeded.
  SQL> GRANT EXECUTE_CATALOG_ROLE TO cdcproj;
  Grant succeeded.
  SQL> EXECUTE DBMS_STREAMS_AUTH.GRANT_ADMIN_PRIVILEGE(grantee => 'cdcproj'); PL/SQL procedure successfully completed.
  SQL> GRANT ALL ON PL.PROJ_HISTORY TO cdcproj;
  Grant succeeded. ). All the commands worked except last command. It is giving error i.e (GRANT ALL ON PL.PROJ_HISTORY TO cdcproj; ) error is ( table / view not exists ).
  What i can do. Any help.
  Otherwise is there any other method to grant privileges.
  Thanks in advance.

  What is your Oracle version ?
  Are you sure the object PL.PROJ_HISTORY exists ?
  What is the output of (using the Oracle account that executes the GRANT):
  select * from session_roles;
  select * from session_privs;

• Grant Privilege to Role instead of Direct grant doesn't work

  Hi all
  My scenario is sas follow:
  create user a identified by a;
  create user b identified by b;
  grant connect,resource to a ;
  grant connect,resource to b ;
  conn a/a
  create table tbl( c1 number(10));
  conn system/sys
  create role roll;
  grant roll to b;
  conn a/a
  grant select on tbl to roll;
  conn b/b
  set role roll;
  create or replace procedure b.pr
  as
  v number(10);
  begin
  select a into v
  from a.tbl
  where a=0;
  end;
  show error
  Errors for PROCEDURE B.P:
  LINE/COL ERROR
  6/1 PL/SQL: SQL Statement ignored
  7/6 PL/SQL: ORA-00942: table or view does not exist
  This happen because i granted the SELECT privilege to user b through the role ROLL but if i granted the user b the SELECT privilege directly it work properly
  Why???
  And how could I grant the privilege from within a role, Because i don't want to grant it directly
  Thank in advance
  Bassil

  There is no other way. The owner of stored code must have been directly granted all necessary (used in code) select, insert, update, or delete privileges. The code owner cannot just have the referenced privileges granted to them via a role. There is no workaround, nor should there be as this is a security feature. Just because you have been granted insert or delete to another user's tables does not mean you should be able to grant that access to some other user. This is exactly what you do when you grant execute to stored code that referenced another user's objects.
  The referenced article is by Tom Kyte and there are few people who understand how to use Oracle to better effect than Tom. The same information can be found in the official documentation and is referenced by the article.
  You can write packages that use the privileges of the executing person. Perhaps for the specific problem you are writing the code to handle this is the route you want to take. See the manuals for the details.
  Note - If user A grants insert to user B on table_a then user B can write a procedure, proc_b, and grant execute to a role and anyone with the role can perform inserts into table_a via proc_b, without having any grants on table_a. You do not need to grant privileges on the objects referenced in stored code that runs as the code owner if this is what you are worried about. The users just need execute on the package, procedure, or function that performs the DML operations in this case and they can get that from a role.
  If you still do not understand you need to state exactly what it is you either do not understand or want to know how to do.
  HTH -- Mark D Powell --

• Publish to Apex - User has no privileges on the selected workspace

  Apologies for this novice question,... (re: Apex 4.1.0)
  I am trying to publish output from SQL Developer into Apex via the "Publish to Apex" option, but get the error:
  ORA-20001: User <XXX> has no privileges on the selected workspace.
  ORA-06512: at "APEX_040100.WWV_FLOW_CREATE_APP_FROM_QUERY", line 535
  ORA-06512: at "APEX_040100.WWV_FLOW_API", line 14966
  ORA-06512: at line 1
  Is there an apex privilege I need to grant manually, or somewhere in the front end of APEX to make this work?

  I can't say I've ever used that option, but based on the error, I would suggest your particular schema is not associated with the workspace you selected.
  This means you need to log into the INTERNAL admin workspace and associate your schema with the desired workspace.
  In the same way you can't use the Apex front end to create an application using a schema not associated with the given workspace.
  Make sense?

• Grant privileges to subprogram via role: should not work?

  I bought Selftestsoftware for 1z0-147 for 9i and 10g. Selftestsoftware is endorsed by Oracle, should be high quality.
  But its below sample question and answer seem to be wrong: It says that privilege for subprogram can be granted via role. But from Urman 9i book, all roles are disabled inside stored procedures.
  Did Selftestsoftware made a mistake? Or the question did not mention or assume that the subprogram is based on invoker rights not definer right?
  Question:
  All users in the HR_EMP role have UPDATE privileges on the EMPLOYEE table. You create the UPDATE_EMPLOYEE procedure. HR_EMP users should only be able to update the EMPLOYEE table using this procedure.
  Which two statements should you execute? (Choose two.)
  GRANT UPDATE ON employee TO hr_emp;
  GRANT SELECT ON employee to hr_emp;
  REVOKE UPDATE ON employee FROM hr_emp;
  REVOKE UPDATE ON employee FROM public;
  GRANT EXECUTE ON update_employee TO hr_emp;
  Explanation:
  The two statements you should execute are:
  REVOKE UPDATE ON employee FROM hr_emp;
  GRANT EXECUTE ON update_employee TO hr_emp;
  Unless you are the owner of the PL/SQL construct, you must be granted the EXECUTE object privilege to run it or have the EXECUTE ANY PROCEDURE system privilege. By default, a PL/SQL procedure executes under the security domain of its owner. This means that a user can invoke the procedure without privileges on the procedures underlying objects. To allow HR_EMP users to execute the procedure, you must issue the GRANT EXECUTE ON update_employee TO hr_emp; statement. To prevent HR_EMP users from updating the EMPLOYEE table unless they are using the UPDATE_EMPLOYEE procedure, you must issue the REVOKE UPDATE ON employee FROM hr_emp;
  All of the other options are incorrect because they will not meet the specified requirements.
  Edited by: user13270686 on Jun 7, 2010 9:22 PM

  The answer is correct, and the explanation complete.
  Inside stored procedures roles are disabled. This is because privileges are checked at compile time and roles can change between compile time and execute time.
  However, privilege to execute the procedure can be granted to a role. During execution of the procedure the privileges of the procedure's owner apply.
  This is because you want to have encapsulation: when tables and procedures are in the same schema, you won't have any privilege problem, as the owner of a set of tables will always have privilege (you can not revoke them).
  Sybrand Bakker
  Senior Oracle DBA

• Grant Privileges to another user

  Hi,
  I am new to plsql. In course of my learning. I created two tables BOOKS and AUTHORS in orcl database(10g) through SYSDBA.
  Again i logged in to SCOTT user account and am unable to see the BOOKS and AUTHORS tables.
  Please let me know how do i grant administrative privileges(to edit,delete,insert,update) to SCOTT user for these tables.
  Thanks & Regards,
  Amrutha.

  808099 wrote:
  1. Got now that SYSDBA is a role and SYS is user.
  2. I was able to login to sqlplus through giving "/ as SYSDBA" as the username. Hence i thought it as user."/ as sysdba" connects to the database as the SYS user using operating system authentication with the SYSDBA role enabled.
  3. Secondly, I dont know which schema does my BOOKS table belong to. Because i just ran a create table script in scott/tiger@orcl. PLease suggest how i can know which schema it belongs to.If you connected to the database as the SCOTT user and ran the script to create the table, the table would almost certainly be owned by SCOTT. If you connected to the database as the SYS user and ran the script to create the table, the table would most likely be owned by SYS. If the script specified the schema owner, i.e.
  CREATE TABLE library.book ...the table would be created in the specified schema. But you need to have very powerful privileges in order to create objects in other user's schemas and SCOTT does not have those privileges unless you've specifically granted them.
  4. Thirdly, I will delete the BOOKS and AUTHORS from SYS and create them in SCOTT user. But thought if GRANT privileges can be an alternative.Not really. It's much better to have the tables owned by the correct schema in the first place. You use grants to allow other users to access (or modify) tables but other users are not going to have the same level of privileges (for example, they're not going to be able to run DDL against the table).
  Justin

• ORACLE - How to GRANT privilegies on ALL the tables belonging to a schema

  Is there a way to grant to a user the same privilegies on ALL the tables belonging to the same schema, so that, in case a new table is created afterwards, the grant is automatically given ?
  Thanks in adance for any reply

  Yes of course ! Just do the same as Oracle Applications: an end user has no Oracle account, the application code connects with the Oracle account that is the schema owner:
  no more grant needed ... That's a joke but it's also true ! In this case, your application must implement its own security (password management, audit, privileges) and you will not be able to use Oracle privileges, auditing and advanced security features ... just like Oracle Applications.
  The above answers are of course correct. You can also create an Oracle role that you can grant to the Oracle users and grant the privileges to this role everytime a new table is created to avoid granting privileges for each new object to each user.

• How to restrict a schema owner from granting privileges to other users.

  How can we restrict a schema owner from granting privileges to other users on his objects (e.g. tables). Lets say we have user called XYZ and he has tables in his schema TAB1, TAB2 an TAB3. How can we restrict user XYZ from granting privileges on TAB1, TAB2 and TAB3 to other users in the database. Is it possible in Oracle 10g R2? Any indirect or direct way to achieve this? Please help on this.
  Thanks,
  Manohar

  Whenever someone is trying to prevent an object owner from doing something, that's generally a sign of a deeper problem. In a production database, the object owner shouldn't generally have CREATE SESSION privileges, so the user shouldn't be able to log in, which would prevent the user from issuing any grants.
  As a general rule, you cannot stop an object owner from granting privileges on the objects it owns. You can work around this by creating a database-level DDL trigger that throws an exception if the user issuing the statement is XYZ and the DDL is a GRANT. But long term, you probably want to get to the root of the problem.
  Justin
  Edited by: Justin Cave on Nov 6, 2008 9:52 PM
  Enrique beat me to it.