Granting Role [Urgent]
An employee left my company unexpected, he has created some critical tables using his user_id, how can I assign privileges to other users on his tables using the system/manager DBA logon privileges.
It depends on what version of Oracle you are using. Prior to (I think 9.2), no user, not even sys could grant privileges on another user's objects. In 9.2, there is a new privilege "GRANT ANY OBJECT PRIVILEGE" that allows a user with that privilege to grant privileges on another user's objects.
However, you will still probably want to change the password for the colleague that left to something you know if he owns objects that are used in your application.
John
Similar Messages
-
How can use Oracle Developer2000 Form6 to grant priveledge and role to user in database (oracle 8i) from Trigger of Form6. Is there any built-in about this statement?
PL/SQL doesn't allow you to issue DDL commands directly, but it does provide a utility package called DBMS_SQL. This allows you to create dynamic SQL statements at runtime and execute them. The code you would need are as follows:
In declaration section -
v_sql varchar2(200);
v_cursor number;
v_result number;
In the code body -
v_sql := 'GRANT <ROLES> TO <USER>';
v_cursor := dbms_sql.open_cursor;
dbms_sql.parse(v_cursor, v_sql, dbms_sql.native);
v_result := dbms_sql.execute(v_cursor);
You can ignore the value of v_result as it is not a DML statement. Also you could build your SQL string up dynamically using variables from your form ie:
v_sql := 'GRANT '||:FORM.ROLE||' TO '||:FORM.USER;
Hope that helps!
Ian -
Grant role and make it default
Hello all,
I'm facing an awkward situation whit the grant command.
Let's say we have a user some_owner that is granted the role some_role with admin option.
We have a procedure owned by some_owner as follows:
CREATE PROCEDURE "+some_owner"."GRANT_ROLE"
(P_USER IN VARCHAR2
BEGIN
EXECUTE IMMEDIATE 'GRANT some_role TO ' ||UPPER(P_USER);
END;
A user some_user who has execute privilege on the procedure is able to successfully execute the procedure using SQL+ and the role some_role is granted (default = Y) to the user.
However, when the procedure is called from a 10g form, the role is granted (default =N)
Have you ever faced a similar situation?
Thanks in advanse
JosephTest first post second.
SQL> CREATE USER john identified by john;
User created.
SQL> GRANT oem_monitor TO john;
Grant succeeded.
SQL> SELECT granted_role,default_role
2 FROM dba_role_privs
3 WHERE grantee = 'JOHN';
GRANTED_ROLE DEF
OEM_MONITOR YES
SQL> GRANT hs_admin_role TO john;
Grant succeeded.
SQL> SELECT granted_role,default_role
2 FROM dba_role_privs
3 WHERE grantee = 'JOHN';
GRANTED_ROLE DEF
HS_ADMIN_ROLE YES
OEM_MONITOR YES
SQL> GRANT finrep TO john;
Grant succeeded.
SQL> SELECT granted_role,default_role
2 FROM dba_role_privs
3 WHERE grantee = 'JOHN';
GRANTED_ROLE DEF
FINREP YES
HS_ADMIN_ROLE YES
OEM_MONITOR YES
SQL> ALTER USER john DEFAULT ROLE ALL EXCEPT finrep;
User altered.
SQL> SELECT granted_role,default_role
2 FROM dba_role_privs
3 WHERE grantee = 'JOHN';
GRANTED_ROLE DEF
FINREP NO
HS_ADMIN_ROLE YES
OEM_MONITOR YES
SQL> REVOKE hs_admin_role FROM john;
Revoke succeeded.
SQL> GRANT dba TO john;
Grant succeeded.
SQL> SELECT granted_role,default_role
2 FROM dba_role_privs
3 WHERE grantee = 'JOHN';
GRANTED_ROLE DEF
DBA YES
FINREP NO
OEM_MONITOR YESGranting or revoking roles has no effect on other existing roles. A granted role is always a default row unless you tell Oracle otherwise.
TTFN
John -
Granting roles permission to run packages created by somone else
Hi there,
I'm using Oracle 9i and I've written a package that has several functions that need to be run by a role other than the owner. I have 2 roles I granted execute permission on the package itself but when I log in to our app as another user with one of those granted roles, I get the 'insufficient privilege' error.
My DBA mentioned something about doing a pl/sql wrapper. I did a search under wrap in the oracle index and came up with a wrap utility. If this is what he meant, I don't understand how that helps with permissions if the wrap util just encrypts my package. How do the roles get permission to run it then?
Thanks
EvitaIf you call the stored procedure from a PL/SQL block, there will be a problem that PL/SQL does not, by default, recognize privileges granted through a role. You can either make a direct grant or you can change the PL/SQL block to specify authid current_user.
Justin
Distributed Database Consulting, Inc.
http://www.ddbcinc.com/askDDBC -
Oracle 10.2.05
Linux environment
I just granted a role to a user, but the user does not have privileges base on the role.
Here is what I did:
First create a user (db_user) using system id
Second, create role schema_admin_role
Then run the script to grant privileges to the role
(SELECT 'grant select, insert, update, delete on ' ||owner|| '.'||table_name || ' to schema_admin_role;' from dba_tables WHERE OWNER = 'another_schema';
Then run
grant schema_admin_role to db_user;
The problem:
When db_user tries to update table X own by another_schema, he gets not sufficent privileges
But when I run (select owner, table_name,privilege from dba_tab_privs where grantee = 'SCHEMA_ADMIN_ROLE'; ), I see all the privileges owned by this role.
Any solution from your end will be appreciated.sb92075 wrote:
did db_user start a new session after GRANT was issued?Yes he did - also when I try to list all privileges granted to db_user, I get no row seleted. On the other hand, when I query privileges granted to role schema_admin_role, I see all privileges granted earlier
example
select owner, table_name,privilege from dba_tab_privs where grantee = 'SCHEMA_ADMIN_ROLE'; ---Here we get all privileges
select owner, table_name,privilege from dba_tab_privs where grantee = 'DB_USER'; --No row seleted -
LDAP groups and WebLogic Roles - Urgent ( weblogic 6.1 sp1, iPLanet 5.1)
I have 2 questions and these are very urgent :-
1. Where the mapping can be defined between LDAP groups and WebLogic Roles. I have
2 groups in iPLanet :- Contarctors and employees and I have 2 security roles in weblogic:-
contractactors and employess. How do I map LDAP group contractors to weblogic security
Role contractors? Similarly for employees ?
2. I have not defined contarctors and employeees under People container in IPlanet.
e.g. The RDN for contractor is
uid=1234,ou=dir,dc=orams,dc=com
Can I still use the defualt security realm of weblogic (the WebLogic Security Realm
under People ) OR I have to write my own custom code ?
3. I am planning to use Roles insetad of groups to manage the logical grouping in
iPLant. Can I still use the groups in WebLogic security realm ( in the configuratin
parameters ?)
This is very urgent ....so if any of you can throw any hints that will be greatly
appreciated.
--SunitaHi Ariel,
The driver is bundled with the product in WLS 6.1sp1. you don't have to
download any additional driver. Use it as you normally would only thing to
remember is if you are trying to write standalone java code then you have to
have weblogic.jar in your classpath. For the rest of the info follow the wls
docs for 6.1
HTH
sree
"Ariel" <[email protected]> wrote in message
news:3bb4a643$[email protected]..
We want to connect our Weblogic 6.1 sp1 server to a SQLServer 2000 db. We
downloaded the JDriver from bea.com, but all the istructions that camewith
it are for WLserver 5.1.
What has to be done to do this with 6.1 sp1?
Thanks,
Ariel -
Script to Grant Role for All User Objects.
Hi DBAs,
I have created a select_only role. I need a script to populate that role with all user_objects belonging to one person and eventually grant that role to another person. Perhaps a dynamic sql.
Please help.
Thanks
-Samar-Samar,
Please see if the following documents help.
Note: 18080.1 - Script to Create Roles
Note: 174138.1 - How to Tranfer all Roles and Grants to Another Database
Note: 729428.1 - Script to create roles & apply grants from database A to B
Regards,
Hussein -
Grant role DBA with Database Vault
Hi all,
I need help granting the role DBA to a user with Database Vault option installed. I created a user account and I need that this user be able to do all the things that a regular DBA role can do. I can't find a way to do this in Database Vault... any help will be appreciated.
Thanks!Sysdba can issue powerful statements such as create user, drop user, alter user, create profile .. and so on... can be done only if it is allowed so by modifying the Can maintain accounts/profiles rule set.
You can also login with dvsys account but that account is locked after installation. So unlock it with
alter user username account unlock; command. And be aware that ANY system privileges are blocked in protected schemas. You can try to grant the following roles in DB Vault := DV_OWNER, DV_REALM_OWNER, DV_REALM_RESOURCE, DV_ADMIN, DV_PUBLIC, DV_ACCTMGR, DV_SECANALYST
Following can help you
SELECT TABLE_NAME, OWNER, PRIVILEGE FROM DBA_TAB_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
SELECT PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE = 'DV_ACCTMGR';
Regards
Karan -
hello all
I have created a new database called TEST
I need to create a role for following purposes
create table
read access to all the tables, write access to all the tables that the users created.
and then i need to connect this role to a user (grant)
how can i do this
sample script is much of a help?
Thanks in advance
PRashAs DBA :
SQL> create role my_role;
Role created.
SQL> grant CREATE SESSION to my_role;
Grant succeeded.
SQL> grant ALTER SESSION to my_role;
Grant succeeded.
SQL> grant CREATE TABLE to my_role;
Grant succeeded.
SQL> grant my_role to <your user>;
Grant succeeded.
SQL>Same way you can grant other privileges to the role, and the user will automatically be granted. -
Who granted role to user and when
In Oracle 11g, is it possible to find out who granted a particular role to a user and when? Like maybe from logs?
SELECT log_mode
FROM v$databasewill tell you whether the database is running in ARCHIVELOG mode or not. You'd need for the database to be running in ARCHIVELOG mode and to have the archived logs back to the point in time that the role was granted in order to use LogMiner.
I don't suppose there is any chance that you had enabled auditing of GRANTs prior to the role being granted, is there? That would be the appropriate way to capture that information going forward.
Justin -
Dear all,
I have a role called ets_manager. How can i grant it to my user steve in forms 6i? I mean what is the script? I have a button when button pressed i want the role be granted to a user
Thanks in advance.
regardsTry out FORMS_DDL Built-in
http://www.oracle.com/webapps/online-help/forms/10g?topic=formsddl_html -
Can i make a role which can grant roles?
i want to make a role which can grants other users except ownself.
How can i do that?i want to make a role which can grants other users except ownself.
How can i do that? You can't. ROLE is not the same as USER. Role can't grant something to someone,
only user can. Read the reference above.
Rgds. -
Granted roles as a non-dba user
One of the goals we are trying to do here is to let departments manage more of their roles by themselves. For instance, the sales department can manage the sales role, the customer service the customer service role, etc.
However, as these are non-dba users, they do not have access to DBA_ROLE_PRIVS. Is there any way for an administrator of a role to see who has this role?
For instance, as a quick example:
create user sales_admin identified by *****;
create role sales;
grant connect to sales_admin;
grant sales to sales_admin with admin option;
connect sales_admin/*****
grant sales to scott;
Is there any way for sales_admin to see who has the sales role? Or will they need to go to the DBA and ask for a list?Granting "select any dictionary" privilege to sales_admin user is something that cannot be proposed ? Like this :
SYS@db102 SQL> get sales
1 create user sales_admin identified by sales_admin;
2 create role sales;
3 grant connect to sales_admin;
4 grant select any dictionary to sales_admin;
5 grant sales to sales_admin with admin option;
6 connect sales_admin/sales_admin
7 grant sales to scott;
8* select * from dba_role_privs where granted_role='SALES';
SYS@db102 SQL> @sales
User created.
Role created.
Grant succeeded.
Grant succeeded.
Grant succeeded.
Connected.
Grant succeeded.
GRANTEE GRANTED_ROLE ADM DEF
SYS SALES YES YES
SALES_ADMIN SALES YES YES
SCOTT SALES NO YES
SALES_ADMIN@db102 SQL> -
Hi,
What is the Syntax for Granting a role just for the current
session? If the user abnormally terminate the session will the
role still be revoked?
Thanks in advance,
VijiVamsee,
If you dwell down to the bottom of the access/authorizations/profile/roles etc what ever you call....you have something called authorizations.
If you are talking about a particular transaction a custom one or a standard one, there is an auth. group assigned to it. Basis is the team which creates auth. objects and they create a profile which are infact added to the roles.
These are the roles which are added to the user ids of the people using the system.
Different roles which give us different authorizations to work with in the system.
Hope I made my point clear.
One more important thing is, you cant just ask basis to assign a particular profile or role which you might have found by some means like SU53. Because a tcode can be there in many roles or profiles. It is up to basis to decide what role they have to assign based on what authorizations you need. The profile or role which you might have found out may contain other auth's for other tcodes which basis may not want to offer.
Thanks,
Message was edited by: Naren Somen -
How to add Reports to existing Role (Urgent).
Hi Experts,
I am working in BI7.0 and there are no workbooks in our project.
There is a Role with two reports. The Role has some users assigned to it.
One of the Users wants to access two additional reports.
How should I add those extra two reports to this Role on BW side? Do I have to do something like Publish to Role on the Query side in BEx Analyzer (Query Design Mode)...???
Thanks in Advance.
Best Regards,
Chandu.One of the Users wants to access two additional reports?
if this two reports are new workbooks, then run the query and save the workbooks directly in the role. if you dont have access to this role then save it in developer role and ask security team to add them in the user role.
if this report /workbooks exist in the system and you dont have access to this roles, then you need to ask secuirty team directly to add them in the user role. ( give them the role in which this workbooks exist and the target role where he need to add , and give them the transport number ) they will add the role and workbooks in the transpot and give it to you.
Thanks
Maybe you are looking for
-
Multiple Users One Computer sharing photo's
Hi, I have two user's on my computer, both with different log on's etc. How can another user look at my photo's that are currently in iPhoto with out having to move folders around. Can this also be done with iTunes so that we can share music without
-
How do you rename a disk without breaking Lightroom?
Hi There, I'm using Lightroom 5.3 and need to rename a volume. Obviously doing this in the finder ruins the catalogue and I can't find an automated way to update the root directory name in Lightroom. I've temporarily changed the name back but still n
-
BlackBerry OS 10.2.1 - Picture Password / Contraseña con imagen
Hello, I updated to BlackBerry OS 10.2.1 a day or two ago and I have my system language set to Spanish. Upon activating the picture password feature, I noticed that the instructional text extends past the limits of the screen. I hope that this is fix
-
Can any1 tell me whats wrong.. trying to read from file..
import java.io.FileReader; import java.io.FileWriter; import java.io.PrintWriter; import java.util.StringTokenizer; import java.util.Scanner; public class AccountClient { public static void main(String[] args) { Scanner in = new Scanner(S
-
%1 is not a valid Win32 application (C309A printer install)
I have three computers on 10/100 home network. I have Photosmart C309A available on two of them. It use to be three of them. No matter what I do I get the same messages when I do an install from the downloads on the HP website and now I get this mess