Integrating all individual privileges to a db role....

Hi,
Assume that some individual privileges on db objects have been declared... such as:
grant insert on dept to user_a;
grant insert on emp to user_a;
grant select on emp to user_a ;
grant select on emp to user_b;
grant select on dept to user_b;
Is it possible to 'insert' these privileges into some newly created db role, by using objects of the data dictionary? For example, I want to create two roles, user_a_role and user_b_role, where:
user_a_role will contain all individual db privileges on db objects granted to user_a, etc. What is the fastest way to do that?
After that, should I revoke the individual (atomic) privileges defined above?
NOTE: I use Oracle 10g v.2
many thanks,
Simon

SQL> create role role_A;
Role created.
select 'grant '||privilege|| ' on ' || table_name || ' to role_A;' from dba_tab_privs where grantee='USER_A';
See the output
grant INSERT on DEPT to role_A;
grant SELECT on EMP to role_A;
grant INSERT on EMP to role_A;
do the same for user_b also
run the below command to revoke everything from user a and b;
for e.g...
select 'revoke ' || privilege || ' on ' || table_name || ' from ' || grantee ||';' from dba_tab_privs where grantee in ('USER_A', 'USER_B');
Now, once you revoke everything, you can simply assign a role to your users.
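
A fuller version of the generate-then-run approach above, as an added example that is not part of the original reply. It uses the names from the question (`USER_A`, `user_a_role`); the output file name `move_user_a_privs.sql` is made up here, and it assumes the grants are on schema objects such as tables, views and procedures.

```sql
-- Added example, not from the original thread. Run in SQL*Plus as a DBA.
-- It only writes move_user_a_privs.sql; review that file before running it.

-- Review 1: grants USER_A holds WITH GRANT OPTION. A role cannot hold the
-- grant option (ORA-01926), so it is lost when the privilege moves.
select owner, table_name, privilege
from   dba_tab_privs
where  grantee = 'USER_A'
and    grantable = 'YES';

-- Review 2: column-level grants are kept in DBA_COL_PRIVS and are not
-- covered by the generated script.
select owner, table_name, column_name, privilege
from   dba_col_privs
where  grantee = 'USER_A';

set echo off heading off feedback off pagesize 0 linesize 400 trimspool on
spool move_user_a_privs.sql

select 'create role user_a_role;' from dual;

-- Owner-qualified and quoted, so the grants work from any schema and for
-- mixed-case object names. DISTINCT collapses the same privilege received
-- from several grantors.
select distinct 'grant ' || privilege || ' on "' || owner || '"."'
       || table_name || '" to user_a_role;'
from   dba_tab_privs
where  grantee = 'USER_A'
order  by 1;

select 'grant user_a_role to user_a;' from dual;

-- Revokes come last, so USER_A never loses access part-way through.
-- Privileges received through a role are not active inside USER_A's own
-- definer-rights stored procedures, so check for such code before
-- running this part of the generated file.
select distinct 'revoke ' || privilege || ' on "' || owner || '"."'
       || table_name || '" from user_a;'
from   dba_tab_privs
where  grantee = 'USER_A'
order  by 1;

spool off
set heading on feedback on pagesize 14
```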

Similar Messages

  • Isn't there DBA_ view to see the privileges granted to a role ?

    DB version :11.2
    I couldn't find a DBA_ view which would list all the privileges granted to a role. Finally I had to grant the role to a user and then connect as that granted user and then query ROLE_TAB_PRIVS view. As a DBA , I can't login into business schemas to check this.
    The scenario
    ==============
    SCOTT schema has two tables : HRTB_EMP_MASTER and HELLOWORLD
    I want to grant SELECT privileges on these two tables to another user called TESTUSER but not directly ; through roles
    SQL> conn / as sysdba
    Connected.
    SQL> grant create role to testuser;
    Grant succeeded.
    SQL> conn testuser/test123
    Connected.
    SQL>
    SQL> create role testuser_ro; 
    Role created.
    SQL> conn / as sysdba
    Connected.
    SQL> grant select on scott.hrtb_emp_master to testuser_ro;         --- > Granting the SELECT priv to the role first
    Grant succeeded.
    SQL> grant select on scott.helloworld to testuser_ro;               
    Grant succeeded.
    SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';  ----> This won't work because I am connected as SYS
                                                              ----> ROLE_TAB_PRIVS is user specific view
    no rows selected
    Since I couldn't find a DBA view which will list the privileges granted to a role, I granted the role to the user and had to log in as that user (against our security policy) and query ROLE_TAB_PRIVS.
    SQL> grant testuser_ro to testuser;
    Grant succeeded.
    SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';
    no rows selected
    SQL> conn testuser/test123
    Connected.
    SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';
    ROLE            OWNER           TABLE_NAME           PRIVILEGE
    TESTUSER_RO     SCOTT           HELLOWORLD           SELECT
    TESTUSER_RO     SCOTT           HRTB_EMP_MASTER      SELECT

    you should search for grantee, not owner
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> create role r1;
    Role created.
    SQL> grant select on sys.v$database to r1;
    grant select on sys.v$database to r1
    ERROR at line 1:
    ORA-02030: can only select from fixed tables/views
    SQL> grant select on sys.v_$database to r1;
    Grant succeeded.
    SQL> select grantee, privilege, owner, table_name from dba_tab_privs where grantee='R1';
    GRANTEE         PRIVILEGE                                OWNER           TABLE_NAME
    R1              SELECT                                   SYS             V_$DATABASE

  • How to check the privileges assigned to a role

    Hi All,
    Can you please let me know how to check the privileges assigned to a role in Oracle?
    When I query the dba_tab_privs it says no rows returned.
    Please help..
    Regards,
    Dan

    user9212851 wrote:
    Can you please let me know how to check the privileges assigned to a role in Oracle?
    When I query the dba_tab_privs it says no rows returned.
    When you've checked the manuals and identified the views suggested by other posters you will find that it's still not a trivial problem since a role may be granted to another role - which means you need to do some recursion to uncover all the privileges available to a role.
    Pete Finnigan - who specialises in Oracle security - published some appropriate scripts a few years ago; they are probably still relevant. Here's a starting link: http://www.petefinnigan.com/weblog/archives/00001243.htm
    Regards
    Jonathan Lewis

  • While doing fi integration with mm & sd what is the role as a fi consultant

    Dear Friends Good Morning,
    While doing FI Integration with MM & SD what is the role as a FI Consultant?
    Please let me know what configuration is needed. Please reply as early as possible;
    it is very helpful for me.
    Thanks in advance,
            babu

    Hi
    As a FI Consultant should know the FI-MM & FI-SD Integration process.   The following Q&A will be useful and FI Consultant has to configure both MM & SD related process based on the requirement.
    FI-MM-SD Integration
    FI MM account determination:
    FI MM settings are maintained in transaction code OBYC. Within these
    there are various transaction keys to be maintained like BSX, WRX,
    GBB, PRD etc. In each of these transaction keys you specify the GL
    accounts which gets automatically passed at the time of entry.
    Few examples could be: BSX- Stands for Inventory Posting Debit
    GBB- Stands for Goods Issue/Scrapping/delivery
    of goods etc
    PRD- Stands for Price Differences.
    Q: what level is the FI-MM, FI-SD account determination settings?
    A: They are at the chart of accounts level.
    Q: What are the additional settings required while maintaining or
    creating the GL codes for Inventory accounts?
    A:  In the Inventory GL accounts (Balance sheet) you should switch on the
    ‘Post automatically only’ tick. It is also advisable to maintain the
    aforesaid setting for all FI-MM accounts and FI-SD accounts. This helps
    in preserving the sanctity of those accounts and prevents from having
    any difference between FI and MM, FI and SD.
    Q: What is Valuation and Account assignment in SAP?
    A: This is actually the link between Materials Management and Finance.
    The valuation in SAP can be at the plant level or the company code level.
    If you define valuation at the plant level then you can have different
    prices for the same material in the various plants. If you keep it at the
    company code level you can have only price across all plants.
    Valuation also involves the Price Control .Each material is assigned to a
    material type in Materials Management and every material is valuated
    either in Moving Average Price or Standard Price in SAP. These are the
    two types of price control available.
    What is Valuation Class?
    The Valuation Class in the Accounting 1 View in Material Master is the
    main link between Material Master and Finance. This Valuation Class
    along with the combination of the transaction keys (BSX,WRX,GBB,PRD )
    defined above determine the GL account during posting.
    We can group together different materials with similar properties by
    valuation class. E.g. Raw material, Finished Goods, Semi Finished
    We can define the following assignments in customizing :
    All materials with same material type are assigned to just one valuation
    class.
    Different materials with the same material type can be assigned to
    different valuation classes.
    Materials with different material types
    Q:  What is the accounting entry in the Financial books of accounts
    when the goods are received in unrestricted use stock? Also
    mention the settings to be done in the ‘Automatic postings’ in SAP
    for the specific G/L accounts.
    A:  On receipt of the goods in unrestricted-use stock, the Inventory account
    is debited and the GR/IR account gets credited. In customization, in the
    automatic postings, the Inventory G/L account is assigned to the
    Transaction event key BSX and the GR/IR account is assigned to the
    Transaction event key WRX.
    Q:  How do you configure FI-SD account determination?
    The FI-SD account determination happens through an access sequence.
    The system goes about finding accounts from more specific criteria to
    less specific criteria.
    This is the sequence it would follow:
    1) It will first access and look for the combination of Customer
    accounts assignment grp/ Material account assignment grp/
    Account key.
    2) If it does not find the accounts for the first combination it will look
    for Customer account assignment grp and account key
    combination.
    3) Furthermore, if it does not find accounts for the first 2 criteria
    then it will look for Material account assignment grp/Account key.
    4) If it does not find accounts for all the earlier criteria then finally it
    will look for Account key and assign the GL code.
    Thus posting of Sales Invoices into FI are effected on the basis of a
    combination of Sales organization, Account type, or Customer and
    Material Account assignment groups and following are the options
    available.
    a. Customer AAG/Material AAG/Account type
    b. Material AAG/Account type
    c. Customer AAG/Account type
    For each of this option you can define a Gl account. Thus the system
    uses this gl account to automatically pass the entries.
    All the best.
    Regards
    GB

  • List of all objects authorized for standard abap role

    Hi all,
    Can any body help me to get " List of all objects authorized for standard abap role "
    And List of all objects authorized for "admin role".
    Thanks
    Basu

    See the database security guide http://docs.oracle.com/cd/B28359_01/network.111/b28531/authorization.htm#BABFHBFH
    Finding Information About User Privileges and Roles
    This section discusses the system views that have the grant information.
    The tricky part of this is that because roles can be granted to other roles the data is hierarchical.
    So start with the grants made to the FDIREADR role. So referring to the doc above;
    select * from role_role_privs where role = 'FDIREADR'
    will list the roles granted to your role.
    You will want to look at ROLE_ROLE_PRIVS, ROLE_TAB_PRIVS and ROLE_SYS_PRIVS.
    I suggest you walk thru the views manually to see how the information is related. Then write a test script that queries the views for you.
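
    The recursion this answer and Jonathan Lewis's reply further up describe (roles granted to other roles), as an added example that is not part of the original posts. It reads the DBA_ views, so a DBA can run it without logging in as the grantee; the role name `FDIREADR` is the one used in the answer above, and the `via` column alias is chosen here.

    ```sql
    -- Added example, not from the original thread. SQL*Plus, run as a DBA.
    define role_name = FDIREADR
    set verify off linesize 200

    -- role_tree: the start role plus every role it reaches through
    -- role-to-role grants. "via" records the chain of grants that leads
    -- there, so a role reachable by two chains appears twice.
    with role_tree as (
      select granted_role as role_name,
             '&role_name' || sys_connect_by_path(granted_role, ' > ') as via
      from   dba_role_privs
      start  with grantee = '&role_name'
      connect by prior granted_role = grantee
      union all
      select '&role_name', '&role_name' from dual
    )
    -- Object privileges held by any role in the tree ...
    select rt.via,
           'OBJECT' as kind,
           tp.privilege,
           tp.owner || '.' || tp.table_name as target
    from   role_tree rt
           join dba_tab_privs tp on tp.grantee = rt.role_name
    union all
    -- ... and system privileges held by any role in the tree.
    select rt.via,
           'SYSTEM',
           sp.privilege,
           null
    from   role_tree rt
           join dba_sys_privs sp on sp.grantee = rt.role_name
    order  by 1, 2, 4, 3;
    ```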

  • Root. how to give all the privileges to user?

    hi! im root and i want to give all the privileges to my user so he can open any program and any root folder. not in terminal (sudo gparted... for example) but i want to double click the program and open it. im using gnome. also i dont want to right click and open as admin. how can i do that?
    thanks

    jowilkin wrote:
    manolos wrote:
    eldragon wrote:
    no, no, no.....if you really want to do this...get a mac..
    there are really good reasons for these limitations in user access..
    if you want to stay away from the terminal, i think gksu should help you with that. (still need to type your password though)... if you dont like the terminal, maybe arch linux isnt the right distro for you, how about ubuntu?
    its not a solution for me but thanks! ubuntu is very simple. i want to learn from linux... not just install!
    Well, first lesson...what you want to do is a really bad idea.
    hahaha! ill stay in terminal thanks for the advice!

  • How grant all the privilege of a specific schema to a user?

    How grant all the privilege of a specific schema to a user?
    I already create a new schema and import the neccessary data for that schema.
    Now I want to assign all the privilege for that schema to user HR (let user HR become the owner of that schema). How to deal with it?
    Edited by: qkc on May 13, 2011 10:45 AM

    qkc wrote:
    How grant all the privilege of a specific schema to a user?
    I already create a new schema and import the neccessary data for that schema.
    Now I want to assign all the privilege for that schema to user HR (let user HR become the owner of that schema). How to deal with it?
    Edited by: qkc on May 13, 2011 10:45 AM
    There is no way - by definition - that one user can "become the owner" of another schema. A schema is, by definition, the collection of objects that belong to one owner.
    but perhaps that is just semantics in the context of what you really want.
    use sql to build sql:
    spool doit.sql
    select 'grant select on someuser.' || table_name || ' to someotheruser;'
    from dba_tables
    where owner = 'SOMEUSER';
    spool off

  • All objects are inactive in derived roles (copied from existing derived role)

    I need to create more than 1000 derived roles, from existing reference roles.
    Reference roles are also derived roles. So I executed LSMW for mass copy.
    Eg: Reference role XYZ with parent role XXX
    New role(ABC) copied from XYZ ,so ABC is having same values as XYZ and master role also.
    Now the issue is after executing the LSMW all roles are copied to new roles, but all objects are inactive in new roles .I am not able to activate the object also.

    Hi Colleen,
    Issue: I have derived roles for plant XX, now I want to derive same set of roles for YY plant. My reference plant is XX, So what am doing is copying the XX roles to New roles (YY) .No change in object or description, just copy role to new role. And I am using LSMW for the same.
    After copy the roles, I will change the description and profile using another script and manually change the org values. But after copy the roles to new roles using script all objects are inactive (In red color),if am selecting the org tab ,I will get message like ,no org levels maintained. Because all objects are inactive .And there are no options (edit) to activate the objects or maintain the fields.
    Thanks,
    Anusha

  • How do I go about deleting multiple song files all at one time as opposed to deleting them all individually off of the latest version of iTunes

    How do I go about deleting multiple song files all at one time as opposed to deleting them all individually off of the latest version of iTunes?
    Also I have tried authorizing my computer to play the songs I purchased off of iTunes when I had an iPhone 4 and it will not allow me to play them whatsoever. I now have an iPhone 5 and wish to load these past song purchases onto my new phone. How do I solve this issue?

    what you're missing to export multiple files is the batch export command available in the file menu or by control clicking on the items in the browser.  You can export multiple sequences/clips at full resolution with this.
    This has been available in fcp for a long long time.
    Wow, you are right.  Now that you mention it, I can't believe I never noticed that.  Thanks.
    Only if you have the 'Self-Contained' box checked.  Otherwise you'll end up with a reference movie.
    Correct.  That box is typically checked by default.  There are other default settings you could change that would not result in a full-quality version, but what I meant was hitting that option from the pull-down menu, then changing nothing and hitting ok.

  • HT3529 How do I send a group text, I have set up groups in my gmail account but can't figure out how to send a group text without adding them all individually

    How do I send a group text message, I have groups set up in my gmail account but can't figure out how to send a group text without adding them all individually ?

    You can use iCloud:
    Step 1. Log into www.icloud.com using your Apple ID.
    Step 2. Click on Contacts and then click the groups ribbon (the red icon with two people) which is on the left-hand page when viewing All Contacts.
    Step 3. The left page changes to a list of Groups (only those groups stored in iCloud are shown). Click the + button at the bottom to add a new group.
    Step 4. Type a name for the new group and press Enter to save it. To change it after this, double-click its entry in the groups list.
    Step 5. To add contacts to the new group, click on the All Contacts group and locate the first person to be added (you can use the search bar to find them quickly).
    Step 6. Drag their name on top of the new group and drop it to add it to that group.
    Step 7. To add more contacts, repeat steps 5 and 6, but you can add multiple contacts at once by pressing Ctrl (on a PC) or Command (on a Mac) and clicking on each contact in the list that you wish to select. Then, drag one of the highlighted names to the new group and they will all be added.
    It's possible to add names to more than one group, and you can create as many groups as you like.
    Step 8. Launch the Contacts app on your device (iPhone, iPod touch or iPad) and you should see the new group appear almost immediately - as long as you have an internet connection.
    Until Apple builds in a function to create groups directly within the Contacts app, this is the best way to do it.

  • Cisco Unity Connection - Miu SIP Integration, All lines are busy

    Hi,
    We have a CUCM/CUC Cluster since 2009 and we never had problems with accessing Voicemail. We configured a Secure Siptrunk between the CUCM Cluster and the CUC-Server.
    CUCM 8.5.1SU4/CUC8.5.1SU1
    2 weeks ago we upgraded CUC from 8.5.1SU1 to 8.5.1SU5
    Since this upgrade we had at 2 times no voicemail access from the IP-Phones registered on CUCM-Cluster (reorder tone) - in the log of CUC we saw that  all 144 ports become busy !!
    History:
    Update CUC from 8.5.1SU1 to 8.5.1SU5 on Saturday 10/26
    - first outage on wed. 10/31 ; 1:48 pm
    - second outage on tue 11/6  10:26 am
    After restart of the CUC-Server the system works normally - I think stopping and starting Connection Manager could also be a workaround, but I did not verify this:
    here the log from wed 10/31
    Oct 31 13:48:37 CUC1 local7 4 : 4298: CUC1.sprachdienst.fraunhofer.de: Oct 31 2012 12:48:37 PM.862 UTC :  %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
    Oct 31 13:48:44 CUC1 local7 4 : 4299: CUC1.sprachdienst.fraunhofer.de: Oct 31 2012 12:48:44 PM.931 UTC :  %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
    Oct 31 13:48:47 CUC1 local7 4 : 4300: CUC1.sprachdienst.fraunhofer.de: Oct 31 2012 12:48:47 PM.508 UTC :  %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered....
    the log from yesterday
    Nov  6 10:26:43 CUC1 local7 4 : 14264: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:26:43 AM.732 UTC :  %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
    Nov  6 10:26:56 CUC1 local7 4 : 14265: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:26:56 AM.942 UTC :  %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
    Nov  6 10:27:03 CUC1 local7 4 : 14266: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:27:03 AM.147 UTC :  %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
    Nov  6 10:27:11 CUC1 local7 4 : 14267: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:27:11 AM.359 UTC :  %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
    Nov  6 10:27:59 CUC1 local7 4 : 14268: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:27:59 AM.155 UTC :  %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
    Nov  6 10:27:59 CUC1 local7 4 : 14269: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:27:59 AM.177 UTC :  %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
    Nov  6 10:29:33 CUC1 local7 4 : 14270: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:29:33 AM.475 UTC :  %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
    Nov  6 10:29:48 CUC1 local7 4 : 14271: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:29:48 AM.770 UTC :  %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
    Question:
    do we have a  bug in the software CUC 8.5.1SU5 or is there another problem ?
    Any Ideas ?
    regards
    alex

    Hi,
    we opened a tac case and it seems we run into a bug which is known in Version 8.6. (We run 8.5.1SU5)
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc22800
    Cisco already have the fix available for version 8.6.2 ES52.
    Cause we can not upgrade to 8.6 (Server Hardware not supported) we will wait for the Version 8.5 Fix.
    Meanwhile I will change the SIP-Trunk between the Unity Connection Server and the Call Manager Server from TLS to non-TLS (described in CSCuc22800 as a workaround)
    regards
    Alex

  • Active Directory LDAP integration; can not see the XMLP_ groups/roles

    We have configured XMLP 10.1.3.3 to use "LDAP" as the Security model. The LDAP server is Active Directory running under Windows Server 2003.
    It is working to a certain extent:
    Users can log on to the XML Publisher using login/password as defined in AD.
    -When logged in as administrator, groups (roles) are visible in Admin/Roles and Permissions and can have assigned folders and data sources.
    Problems/questions:
    The required roles ("XMLP_ADMIN, etc) can not be seen in Admin/Roles and Permissions. Is this as expected or is it an error?
    -When logging in as a user who is member of the group/role XMLP_ADMIN, I do not get any administrator privileges (I have not tested the other XMLP_* roles defined in AD yet). So all administration has to be done as the local superuser.
    Is there any way to monitor the login process to try and see what goes wrong?
    -Roald

    The problem has been solved, it was self inflicted, typo in the config file:
    <property name="LDAP_PROVIDER_USER_DN" value="Cn=Users;dc=company,dc=com"/>
    (semicolon instead of comma after Users).
    It is a little surprising that this typo led to problems with group matching, though. It took some time before this part of the config got enough attention.
    -Roald

  • 1)some setting missing in BI Integration to EP 2)publish the BI role to EP?

    Hi All,
    1) We almost done BI EP integration, getting error in step: Maintain User Assignment in Portal.
    - what are settings in BI connection in EP? we are using SAP Logon Ticket method (not Uid Pass method), is there any user with user name and password required in this connection? if yes with which Authorization in EP & BI?
    we have defined system alias in EP, is that same alias any where need to maintain in BI?
    - when i run BI report from RSRT > Java web OR Query designer run to portal option, its giving me some error and required to check log at portal, what authorization required for My BI developer user id in BI and EP to run the report on EP from RSRT JAVA Web or query designer or WAD? in BI i have FULL authorization(SAP_ALL, SAP_NEW, ..) Is there any Authorization required to give in EP as well?
    2) How to Publish the BI role In EP:
    Question is our EP guy is looking new, and not sure what all authorization to give to me, and how adjuctely create iView on top of BI reports,
    so I have already developed one enduser role consists all required authorization to run the BI report/query/view,
    we can publish the our report in existing role, we can also publish direct developed role to EP but from where to download upload this BI role to EP need to know? what all are the Steps authorization required for that? if anybody have already gone through this.
    Regards,
    Dushyant.

    Hi Dushyant,
    I am supposing you are doing the BI Java x BI ABAP integration, right?
    Let's go per parts... I will try to respond directly some of your questions but first of all, I think you should have ran the Template Installer (CTC) and after that checked the configuration with the supportdesk tool as per SAP Note 937697.
    What are settings in BI connection in EP?
    You have to maintain in the portal system landscape a system with alias "SAP_BW" which would be your BI Master System for that portal. The template installer creates this automatically.
    we are using SAP Logon Ticket method (not Uid Pass method), is there any user with user name and password required in this connection?
    You could use assertion ticket instead. The user mapping is automatic once you configure the system on both sides with the integration process. If you have problems after, we can look deeper.
    we have defined system alias in EP, is that same alias any where need to maintain in BI?
    Kind of... You need to maintain the default portal destination for the relevant portal through SM30 -> table RSPOR_T_PORTAL and it should have a destination in transaction SM59, too.
    when i run BI report from RSRT > Java web OR Query designer run to portal option, its giving me some error and required to check log at portal, what authorization required for My BI developer user id in BI and EP to run the report on EP from RSRT JAVA Web or query designer or WAD? in BI i have FULL authorization(SAP_ALL, SAP_NEW, ..) Is there any Authorization required to give in EP as well?
    RSRT uses the default destination in RSPOR_T_PORTAL. Try to use J2EE_ADMIN user for the first tests, at least. At first, no special authorizations are needed to run reports in BEx Web (which RSRT calls).
    2) How to Publish the BI role In EP: Question is our EP guy is looking new, and not sure what all authorization to give to me, and how adjuctely create iView on top of BI reports, so I have already developed one enduser role consists all required authorization to run the BI report/query/view, we can publish the our report in existing role, we can also publish direct developed role to EP but from where to download upload this BI role to EP need to know?
    There is a tool called "Role Upload" in EP. You could search about. If you need some help, I can get from the EP guys here (I am from BW). Of course, the process must be done with an administrator id.
    I hope it helps.
    Kind Regards,
    Marcio

  • Grant privileges to subprogram via role: should not work?

    I bought Selftestsoftware for 1z0-147 for 9i and 10g. Selftestsoftware is endorsed by Oracle, should be high quality.
    But its below sample question and answer seem to be wrong: It says that privilege for subprogram can be granted via role. But from Urman 9i book, all roles are disabled inside stored procedures.
    Did Selftestsoftware make a mistake? Or the question did not mention or assume that the subprogram is based on invoker rights not definer right?
    Question:
    All users in the HR_EMP role have UPDATE privileges on the EMPLOYEE table. You create the UPDATE_EMPLOYEE procedure. HR_EMP users should only be able to update the EMPLOYEE table using this procedure.
    Which two statements should you execute? (Choose two.)
    GRANT UPDATE ON employee TO hr_emp;
    GRANT SELECT ON employee to hr_emp;
    REVOKE UPDATE ON employee FROM hr_emp;
    REVOKE UPDATE ON employee FROM public;
    GRANT EXECUTE ON update_employee TO hr_emp;
    Explanation:
    The two statements you should execute are:
    REVOKE UPDATE ON employee FROM hr_emp;
    GRANT EXECUTE ON update_employee TO hr_emp;
    Unless you are the owner of the PL/SQL construct, you must be granted the EXECUTE object privilege to run it or have the EXECUTE ANY PROCEDURE system privilege. By default, a PL/SQL procedure executes under the security domain of its owner. This means that a user can invoke the procedure without privileges on the procedure's underlying objects. To allow HR_EMP users to execute the procedure, you must issue the GRANT EXECUTE ON update_employee TO hr_emp; statement. To prevent HR_EMP users from updating the EMPLOYEE table unless they are using the UPDATE_EMPLOYEE procedure, you must issue the REVOKE UPDATE ON employee FROM hr_emp;
    All of the other options are incorrect because they will not meet the specified requirements.
    Edited by: user13270686 on Jun 7, 2010 9:22 PM

    The answer is correct, and the explanation complete.
    Inside stored procedures roles are disabled. This is because privileges are checked at compile time and roles can change between compile time and execute time.
    However, privilege to execute the procedure can be granted to a role. During execution of the procedure the privileges of the procedure's owner apply.
    This is because you want to have encapsulation: when tables and procedures are in the same schema, you won't have any privilege problem, as the owner of a set of tables will always have privilege (you can not revoke them).
    Sybrand Bakker
    Senior Oracle DBA

  • XPRESS code to find all users with a specific Admin Role

    I've been playing around for a while with a way to get a list of all users that have been assigned a particular Admin Role. I have a role for which I want a specific subset of users to be approvers on it, and I want to create a Rule that will check for people with a particular Admin Role and then return that list as people to be approvers on the role.
    I haven't been able to find an easy way to write this code. Anyone run across this before or have another suggestion???
    Thanks.

    Below is the code to find user based on condition.
    <set name='adminList'>
    <invoke name='getObjectNames' class='com.waveset.ui.FormUtil'>
    <ref>:display.session</ref>
    <s>User</s>
    <map>
    <s>conditions</s>
    <list>
    <new class='com.waveset.object.AttributeCondition'>
    <s>AdminRoles</s>
    <s>contains</s>
    <s>adminRoleName</s>
    </new>
    </list>
    </map>
    </invoke>
    </set>
    Edited by: Jay on Mar 7, 2012 4:03 AM
