Integrating all individual privileges to a db role....
Hi,
Assume that some individual privileges on db objects have been declared... such as:
grant insert on dept to user_a;
grant insert on emp to user_a;
grant select on emp to user_a ;
grant select on emp to user_b;
grant select on dept to user_b;
Is it possible to 'insert' these privileges into some newly created db role by using objects of the data dictionary? For example, I want to create two roles, user_a_role and user_b_role, where:
user_a_role will contain all individual db privileges on db objects granted to user_a, etc. What is the fastest way to do that?
After that, should I revoke these individual, atomic privileges defined as written above?
NOTE: I use Oracle 10g v.2
many thanks,
Simon
SQL> create role role_A;
Role created.
select 'grant '||privilege|| ' on ' || table_name || ' to role_A;' from dba_tab_privs where grantee='USER_A';
See the output
grant INSERT on DEPT to role_A;
grant SELECT on EMP to role_A;
grant INSERT on EMP to role_A;
do the same for user_b also
run the below command to revoke everything from user a and b;
for e.g...
select 'revoke ' || privilege || ' on ' || table_name || ' from ' || grantee ||';' from dba_tab_privs where grantee in ('USER_A', 'USER_B');
now once you revoke everything, you can just simply assign a role to your users.
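An owner-qualified version of the generator above, as an added example (not part of the original reply). It assumes the thread's names USER_A and ROLE_A, and adds two checks to run before any revoke: grants held WITH GRANT OPTION, which Oracle refuses to give to a role (ORA-01926), and USER_A's own views and stored code, which need the direct grants because privileges received through roles are not used there.

```sql
-- Added example, not from the original thread. Run in SQL*Plus as a user
-- that can read the DBA_ views. USER_A and ROLE_A are the thread's names.
SET PAGESIZE 0 LINESIZE 300 FEEDBACK OFF TRIMSPOOL ON

-- 1. Object grants that can move to the role. OWNER is included so the
--    generated statements do not depend on the current schema, and names
--    are quoted so mixed-case objects survive.
--    Directory grants also appear in DBA_TAB_PRIVS (owner SYS) and need
--    GRANT ... ON DIRECTORY syntax, so they are left out here.
SELECT 'GRANT ' || p.privilege || ' ON "' || p.owner || '"."' ||
       p.table_name || '" TO role_a;'
FROM   dba_tab_privs p
WHERE  p.grantee   = 'USER_A'
AND    p.grantable = 'NO'
AND    NOT EXISTS (SELECT 1
                   FROM   dba_directories d
                   WHERE  p.owner = 'SYS'
                   AND    d.directory_name = p.table_name)
ORDER  BY p.owner, p.table_name, p.privilege;

-- 2. Column-level grants live in a separate view.
SELECT 'GRANT ' || c.privilege || ' ("' || c.column_name || '") ON "' ||
       c.owner || '"."' || c.table_name || '" TO role_a;'
FROM   dba_col_privs c
WHERE  c.grantee   = 'USER_A'
AND    c.grantable = 'NO'
ORDER  BY c.owner, c.table_name, c.column_name, c.privilege;

-- 3. Review list: grants held WITH GRANT OPTION. A role cannot receive
--    these (ORA-01926), and revoking them from USER_A also revokes
--    whatever USER_A granted onward to other users.
SELECT p.owner, p.table_name, p.privilege
FROM   dba_tab_privs p
WHERE  p.grantee   = 'USER_A'
AND    p.grantable = 'YES'
ORDER  BY p.owner, p.table_name, p.privilege;

-- 4. Review list: objects owned by USER_A that reference another schema's
--    object on which USER_A holds a direct grant. Views and stored PL/SQL
--    are compiled with direct grants only, so revoking these grants
--    invalidates the objects listed here.
SELECT d.owner, d.name, d.type, d.referenced_owner, d.referenced_name
FROM   dba_dependencies d
WHERE  d.owner = 'USER_A'
AND    d.referenced_owner <> 'USER_A'
AND    d.type IN ('VIEW', 'PROCEDURE', 'FUNCTION',
                  'PACKAGE', 'PACKAGE BODY', 'TRIGGER')
AND    EXISTS (SELECT 1
               FROM   dba_tab_privs p
               WHERE  p.grantee    = 'USER_A'
               AND    p.owner      = d.referenced_owner
               AND    p.table_name = d.referenced_name)
ORDER  BY d.name, d.referenced_owner, d.referenced_name;
```

Spool the output of steps 1 and 2 to a script; keep as direct grants anything that steps 3 and 4 report.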
Similar Messages
-
Isn't there DBA_ view to see the privileges granted to a role ?
DB version :11.2
I couldn't find a DBA_ view which would list all the privileges granted to a role. Finally I had to grant the role to a user and then connect as that granted user and then query ROLE_TAB_PRIVS view. As a DBA , I can't login into business schemas to check this.
The scenario
==============
SCOTT schema has two tables : HRTB_EMP_MASTER and HELLOWORLD
I want to grant SELECT privileges on these two tables to another user called TESTUSER but not directly ; through roles
SQL> conn / as sysdba
Connected.
SQL> grant create role to testuser;
Grant succeeded.
SQL> conn testuser/test123
Connected.
SQL>
SQL> create role testuser_ro;
Role created.
SQL> conn / as sysdba
Connected.
SQL> grant select on scott.hrtb_emp_master to testuser_ro; --- > Granting the SELECT priv to the role first
Grant succeeded.
SQL> grant select on scott.helloworld to testuser_ro;
Grant succeeded.
SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT'; ----> This won't work because I am connected as SYS
----> ROLE_TAB_PRIVS is user specific view
no rows selected
Since I couldn't find a DBA view which will list the privileges granted to a role, I granted the role to the user and had to log in as that user (against our security policy) and query
ROLE_TAB_PRIVS.
SQL> grant testuser_ro to testuser;
Grant succeeded.
SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';
no rows selected
SQL> conn testuser/test123
Connected.
SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';
ROLE OWNER TABLE_NAME PRIVILEGE
TESTUSER_RO SCOTT HELLOWORLD SELECT
TESTUSER_RO SCOTT HRTB_EMP_MASTER SELECT
you should search for grantee, not owner
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> create role r1;
Role created.
SQL> grant select on sys.v$database to r1;
grant select on sys.v$database to r1
ERROR at line 1:
ORA-02030: can only select from fixed tables/views
SQL> grant select on sys.v_$database to r1;
Grant succeeded.
SQL> select grantee, privilege, owner, table_name from dba_tab_privs where grantee='R1';
GRANTEE PRIVILEGE OWNER TABLE_NAME
R1 SELECT SYS V_$DATABASE -
How to check the privileges assigned to a role
Hi All,
Can you please let me know how to check the privileges assigned to a role in Oracle?
When I query the dba_tab_privs it says no rows returned.
Please help..
Regards,
Dan
user9212851 wrote:
Can you please let me know how to check the privileges assigned to a role in Oracle?
When I query the dba_tab_privs it says no rows returned.
When you've checked the manuals and identified the views suggested by other posters you will find that it's still not a trivial problem since a role may be granted to another role - which means you need to do some recursion to uncover all the privileges available to a role.
Pete Finnigan - who specialises in Oracle security - published some appropriate scripts a few years ago; they are probably still relevant. Here's a starting link: http://www.petefinnigan.com/weblog/archives/00001243.htm
Regards
Jonathan Lewis -
While doing fi integration with mm & sd what is the role as a fi consultant
Dear Friends Good Morning,
While doing FI Integration with MM & SD what is the role as a FI Consultant?
Please let me know what configuration is needed. Please reply as early as possible;
it's very helpful for me.
Thanks in advance,
babu
Hi
As a FI Consultant should know the FI-MM & FI-SD Integration process. The following Q&A will be useful and FI Consultant has to configure both MM & SD related process based on the requirement.
FI-MM-SD Integration
FI MM account determination:
FI MM settings are maintained in transaction code OBYC. Within these
there are various transaction keys to be maintained like BSX, WRX,
GBB, PRD etc. In each of these transaction keys you specify the GL
accounts which gets automatically passed at the time of entry.
A few examples could be:
BSX - Stands for Inventory Posting Debit
GBB - Stands for Goods Issue/Scrapping/delivery of goods etc.
PRD - Stands for Price Differences.
Q: what level is the FI-MM, FI-SD account determination settings?
A: They are at the chart of accounts level.
Q: What are the additional settings required while maintaining or
creating the GL codes for Inventory accounts?
A: In the Inventory GL accounts (Balance sheet) you should switch on the
'Post automatically only' tick. It is also advisable to maintain the
aforesaid setting for all FI-MM accounts and FI-SD accounts. This helps
in preserving the sanctity of those accounts and prevents from having
any difference between FI and MM, FI and SD.
Q: What is Valuation and Account assignment in SAP?
A: This is actually the link between Materials Management and Finance.
The valuation in SAP can be at the plant level or the company code level.
If you define valuation at the plant level then you can have different
prices for the same material in the various plants. If you keep it at the
company code level you can have only price across all plants.
Valuation also involves the Price Control .Each material is assigned to a
material type in Materials Management and every material is valuated
either in Moving Average Price or Standard Price in SAP. These are the
two types of price control available.
What is Valuation Class?
The Valuation Class in the Accounting 1 View in Material Master is the
main link between Material Master and Finance. This Valuation Class
along with the combination of the transaction keys (BSX,WRX,GBB,PRD )
defined above determine the GL account during posting.
We can group together different materials with similar properties by
valuation class. E.g. Raw material, Finished Goods, Semi Finished
We can define the following assignments in customizing :
All materials with same material type are assigned to just one valuation
class.
Different materials with the same material type can be assigned to
different valuation classes.
Materials with different material types
Q: What is the accounting entry in the Financial books of accounts
when the goods are received in unrestricted use stock? Also
mention the settings to be done in the 'Automatic postings' in SAP
for the specific G/L accounts.
A: On receipt of the goods in unrestricted-use stock, the Inventory account
is debited and the GR/IR account gets credited. In customization, in the
automatic postings, the Inventory G/L account is assigned to the
Transaction event key BSX and the GR/IR account is assigned to the
Transaction event key WRX.
Q: How do you configure FI-SD account determination?
The FI-SD account determination happens through an access sequence.
The system goes about finding accounts from more specific criteria to
less specific criteria.
This is the sequence it would follow:
1) It will first access and look for the combination of Customer
accounts assignment grp/ Material account assignment grp/
Account key.
2) If it does not find the accounts for the first combination it will look
for Customer account assignment grp and account key
combination.
3) Furthermore, if it does not find accounts for the first 2 criteria
then it will look for Material account assignment grp/Account key.
4) If it does not find accounts for all the earlier criteria then finally it
will look for Account key and assign the GL code.
Thus posting of Sales Invoices into FI are effected on the basis of a
combination of Sales organization, Account type, or Customer and
Material Account assignment groups and following are the options
available.
a. Customer AAG/Material AAG/Account type
b. Material AAG/Account type
c. Customer AAG/Account type
For each of this option you can define a Gl account. Thus the system
uses this gl account to automatically pass the entries.
All the best.
Regards
GB -
List of all objects authorized for standard abap role
Hi all,
Can any body help me to get " List of all objects authorized for standard abap role "
And List of all objects authorized for "admin role".
Thanks
Basu
See the database security guide http://docs.oracle.com/cd/B28359_01/network.111/b28531/authorization.htm#BABFHBFH
Finding Information About User Privileges and Roles
This section discusses the system views that have the grant information.
The tricky part of this is that because roles can be granted to other roles the data is hierarchical.
So start with the grants made to the FDIREADR role. So referring to the doc above;
select * from role_role_privs where role = 'FDIREADR'
will list the roles granted to your role.
You will want to look at ROLE_ROLE_PRIVS, ROLE_TAB_PRIVS and ROLE_SYS_PRIVS.
I suggest you walk thru the views manually to see how the information is related. Then write a test script that queries the views for you. -
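One way to do the recursion described in the replies above (roles granted to other roles, and the ROLE_ROLE_PRIVS walk suggested for FDIREADR), as an added example that is not from any of the posters or from Pete Finnigan's scripts. It reads the DBA_ views, so no login as the grantee is needed; the bind variable role_name is an assumption, set here to the R1 role from the earlier thread.

```sql
-- Added example, not from the original threads. Run in SQL*Plus as a user
-- that can read the DBA_ views. role_name is a hypothetical bind variable.
VARIABLE role_name VARCHAR2(30)
EXEC :role_name := 'R1'

WITH role_tree AS (
    -- the starting role itself
    SELECT :role_name AS role_name,
           :role_name AS grant_path
    FROM   dual
    UNION ALL
    -- every role granted to it, directly or through other roles;
    -- grant_path records the chain that makes the role reachable
    SELECT granted_role,
           :role_name || SYS_CONNECT_BY_PATH(granted_role, ' > ')
    FROM   dba_role_privs
    START  WITH grantee = :role_name
    CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
-- object privileges held by any role in the tree
SELECT t.grant_path                     AS via,
       'OBJECT'                         AS kind,
       p.privilege,
       p.owner || '.' || p.table_name   AS target,
       p.grantable                      AS can_pass_on
FROM   role_tree t
JOIN   dba_tab_privs p ON p.grantee = t.role_name
UNION ALL
-- system privileges held by any role in the tree
SELECT t.grant_path,
       'SYSTEM',
       s.privilege,
       NULL,
       s.admin_option
FROM   role_tree t
JOIN   dba_sys_privs s ON s.grantee = t.role_name
ORDER  BY 1, 2, 3, 4;
```

A role reachable by two different chains is listed once per chain, which shows every grant that would have to be revoked to remove the privilege. Setting role_name to a user name instead lists that user's direct grants together with everything inherited through roles.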
Root. how to give all the privileges to user?
hi! im root and i want to give all the privileges to my user so he can open any program and any root folder. not in terminal (sudo gparted... for example) but i want to double click the program and open it. im using gnome. also i dont want to right click and open as admin. how can i do that?
thanks
jowilkin wrote:
manolos wrote:
eldragon wrote:
no, no, no.....if you really want to do this...get a mac..
there are really good reasons for these limitations in user access..
if you want to stay away from the terminal, i think gksu should help you with that. (still need to type your password though)... if you dont like the terminal, maybe arch linux isnt the right distro for you, how about ubuntu?
its not a solution for me but thanks! ubuntu is very simple. i want to learn from linux... not just install!
Well, first lesson...what you want to do is a really bad idea.
hahaha! ill stay in terminal thanks for the advice! -
How grant all the privilege of a specific schema to a user?
How grant all the privilege of a specific schema to a user?
I already create a new schema and import the neccessary data for that schema.
Now I want to assign all the privilege for that schema to user HR (let user HR become the owner of that schema). How to deal with it?
Edited by: qkc on May 13, 2011 10:45 AM
qkc wrote:
How grant all the privilege of a specific schema to a user?
I already create a new schema and import the neccessary data for that schema.
Now I want to assign all the privilege for that schema to user HR (let user HR become the owner of that schema). How to deal with it?
Edited by: qkc on May 13, 2011 10:45 AM
There is no way - by definition - that one user can "become the owner" of another schema. A schema is, by definition, the collection of objects that belong to one owner.
but perhaps that is just semantics in the context of what you really want.
use sql to build sql:
spool doit.sql
select 'grant select on someuser.' || table_name || ' to someotheruser;'
from dba_tables
where owner = 'SOMEUSER';
spool off -
All objects are inactive in derived roles (copied from existing derived role)
I need to create more than 1000 derived roles, from existing reference roles.
Reference roles are also derived roles. So I executed LSMW for mass copy.
Eg: Reference role XYZ with parent role XXX
New role(ABC) copied from XYZ ,so ABC is having same values as XYZ and master role also.
Now the issue is after executing the LSMW all roles are copied to new roles, but all objects are inactive in new roles. I am not able to activate the object also.
Hi Colleen,
Issue: I have derived roles for plant XX, now I want to derive same set of roles for YY plant. My reference plant is XX, So what am doing is copying the XX roles to New roles (YY) .No change in object or description, just copy role to new role. And I am using LSMW for the same.
After copy the roles, I will change the description and profile using another script and manually change the org values. But after copy the roles to new roles using script all objects are inactive (In red color),if am selecting the org tab ,I will get message like ,no org levels maintained. Because all objects are inactive .And there are no options (edit) to activate the objects or maintain the fields.
Thanks,
Anusha -
How do I go about deleting mulitple song files all at one time as opposed to deleting them all individually off of the latest version of iTunes?
Also I have tried authorizing my computer to play the songs I purchased off of iTunes when I had an iPhone 4 and it will not allow me to play them whatsoever. I now have an iPhone 5 and wish to load these past song purchases onto my new phone. How do I solve this issue?
what you're missing to export multiple files is the batch export command available in the file menu or by control clicking on the items in the browser. You can export multiple sequences/clips at full resolution with this.
This has been available in fcp for a long long time.
Wow, you are right. Now that you mention it, I can't believe I never noticed that. Thanks.
Only if you have the 'Self-Contained' box checked. Otherwise you'll end up with a reference movie.
Correct. That box is typically checked by default. There are other default settings you could change that would not result in a full-quality version, but what I meant was hitting that option from the pull-down menu, then changing nothing and hitting ok. -
How do I send a group text message, I have groups set up in my gmail account but can't figure out how to send a group text without adding them all individually ?
You can use iCloud:
Step 1. Log into www.icloud.com using your Apple ID.
Step 2. Click on Contacts and then click the groups ribbon (the red icon with two people) which is on the left-hand page when viewing All Contacts.
Step 3. The left page changes to a list of Groups (only those groups stored in iCloud are shown). Click the + button at the bottom to add a new group.
Step 4. Type a name for the new group and press Enter to save it. To change it after this, double-click its entry in the groups list.
Step 5. To add contacts to the new group, click on the All Contacts group and locate the first person to be added (you can use the search bar to find them quickly).
Step 6. Drag their name on top of the new group and drop it to add it to that group.
Step 7. To add more contacts, repeat steps 5 and 6, but you can add multiple contacts at once by pressing Ctrl (on a PC) or Command (on a Mac) and clicking on each contact in the list that you wish to select. Then, drag one of the highlighted names to the new group and they will all be added.
It's possible to add names to more than one group, and you can create as many groups as you like.
Step 8. Launch the Contacts app on your device (iPhone, iPod touch or iPad) and you should see the new group appear almost immediately - as long as you have an internet connection.
Until Apple builds in a function to create groups directly within the Contacts app, this is the best way to do it. -
Cisco Unity Connection - Miu SIP Integration, All lines are busy
Hi,
We have a CUCM/CUC Cluster since 2009 and we never had problems with accessing Voicemail. We configured a Secure Siptrunk between the CUCM Cluster and the CUC-Server.
CUCM 8.5.1SU4/CUC8.5.1SU1
2 weeks ago we upgraded CUC from 8.5.1SU1 to 8.5.1SU5
Since this upgrade we had at 2 times no voicemail access from the IP-Phones registered on CUCM-Cluster (reorder tone) - in the log of CUC we saw that all 144 ports become busy !!
History:
Update CUC from 8.5.1SU1 to 8.5.1SU5 on Saturday 10/26
- first outage on wed. 10/31 ; 1:48 pm
- second outage on tue 11/6 10:26 am
After restart of the CUC-Server the system works normally - I think stopping and starting Connection Manager could also be a workaround, but I did not verify this:
here the log from wed 10/31
Oct 31 13:48:37 CUC1 local7 4 : 4298: CUC1.sprachdienst.fraunhofer.de: Oct 31 2012 12:48:37 PM.862 UTC : %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
Oct 31 13:48:44 CUC1 local7 4 : 4299: CUC1.sprachdienst.fraunhofer.de: Oct 31 2012 12:48:44 PM.931 UTC : %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
Oct 31 13:48:47 CUC1 local7 4 : 4300: CUC1.sprachdienst.fraunhofer.de: Oct 31 2012 12:48:47 PM.508 UTC : %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered....
the log from yesterday
Nov 6 10:26:43 CUC1 local7 4 : 14264: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:26:43 AM.732 UTC : %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
Nov 6 10:26:56 CUC1 local7 4 : 14265: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:26:56 AM.942 UTC : %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
Nov 6 10:27:03 CUC1 local7 4 : 14266: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:27:03 AM.147 UTC : %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
Nov 6 10:27:11 CUC1 local7 4 : 14267: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:27:11 AM.359 UTC : %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
Nov 6 10:27:59 CUC1 local7 4 : 14268: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:27:59 AM.155 UTC : %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
Nov 6 10:27:59 CUC1 local7 4 : 14269: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:27:59 AM.177 UTC : %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
Nov 6 10:29:33 CUC1 local7 4 : 14270: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:29:33 AM.475 UTC : %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
Nov 6 10:29:48 CUC1 local7 4 : 14271: CUC1.sprachdienst.fraunhofer.de: Nov 06 2012 09:29:48 AM.770 UTC : %UC_UCEVNT-4-EvtMiuBusyHere: %[AppID=CuCsMgr][ClusterID=][NodeID=CUC1]: Miu SIP Integration, All lines are busy on redirector 10.37.239.21:5061. An incoming call will not be answered.
Question:
do we have a bug in the software CUC 8.5.1SU5 or is there another problem ?
Any Ideas ?
regards
alex
Hi,
we opened a tac case and it seems we run into a bug which is known in Version 8.6. (We run 8.5.1SU5)
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCuc22800
Cisco already have the fix available for version 8.6.2 ES52.
Cause we can not upgrade to 8.6 (Server Hardware not supported) we will wait for the Version 8.5 Fix.
Meanwhile I will change the SIP-Trunk between the Unity Connection Server and the Call Manager Server from TLS to non-TLS (described in CSCuc22800 as a workaround)
regards
Alex -
Active Directory LDAP integration; can not see the XMLP_ groups/roles
We have configured XMLP 10.1.3.3 to use "LDAP" as the Security model. The LDAP server is Active Directory running under Windows Server 2003.
It is working to a certain extent:
Users can log on to the XML Publisher using login/password as defined in AD.
-When logged in as administrator, groups (roles) are visible in Admin/Roles and Permissions and can have assigned folders and data sources.
Problems/questions:
The required roles ("XMLP_ADMIN, etc) can not be seen in Admin/Roles and Permissions. Is this as expected or is it an error?
-When logging in as a user who is member of the group/role XMLP_ADMIN, I do not get any administrator privileges (I have not tested the other XMLP_* roles defined in AD yet). So all administration has to be done as the local superuser.
Is there any way to monitor the login process to try and see what goes wrong?
-Roald
The problem has been solved, it was self inflicted, typo in the config file:
<property name="LDAP_PROVIDER_USER_DN" value="Cn=Users;dc=company,dc=com"/>
(semicolon instead of comma after Users).
It is a little surprising that this typo led to problems with group matching, though. It took some time before this part of the config got enough attention.
-Roald -
1)some setting missing in BI Integration to EP 2)publish the BI role to EP?
Hi All,
1) We are almost done with BI EP integration, getting error in step: Maintain User Assignment in Portal.
- what are the settings in BI connection in EP? we are using SAP Logon Ticket method (not Uid Pass method), is there any user with user name and password required in this connection? if yes, with which Authorization in EP & BI?
we have defined system alias in EP, does that same alias need to be maintained anywhere in BI?
- when I run BI report from RSRT > Java web OR Query designer run to portal option, it's giving me some error and requires checking the log at portal, what authorization is required for my BI developer user id in BI and EP to run the report on EP from RSRT Java Web or query designer or WAD? in BI I have FULL authorization (SAP_ALL, SAP_NEW, ..) Is there any Authorization required to give in EP as well?
2) How to Publish the BI role In EP:
Question is our EP guy is looking new, and not sure what all authorization to give to me, and how adequately create iView on top of BI reports,
so I have already developed one enduser role consisting of all required authorization to run the BI report/query/view,
we can publish our report in existing role, we can also publish direct developed role to EP but from where to download upload this BI role to EP need to know? what all are the steps and authorization required for that? if anybody has already gone through this.
Regards,
Dushyant.
Hi Dushyant,
I am supposing you are doing the BI Java x BI ABAP integration, right?
Let's go per parts... I will try to respond directly to some of your questions but first of all, I think you should have run the Template Installer (CTC) and after that checked the configuration with the supportdesk tool as per SAP Note 937697.
What are settings in BI connection in EP?
You have to maintain in the portal system landscape a system with alias "SAP_BW" which would be your BI Master System for that portal. The template installer creates this automatically.
we are using SAP Logon Ticket method (not Uid Pass method), is there any user with user name and password required in this connection?
You could use assertion ticket instead. The user mapping is automatic once you configure the system on both sides with the integration process. If you have problems after, we can look deeper.
we have defined system alias in EP, does that same alias need to be maintained anywhere in BI?
Kind of... You need to maintain the default portal destination for the relevant portal through SM30 -> table RSPOR_T_PORTAL and it should have a destination in transaction SM59, too.
when I run BI report from RSRT > Java web OR Query designer run to portal option, it's giving me some error and requires checking the log at portal, what authorization is required for my BI developer user id in BI and EP to run the report on EP from RSRT Java Web or query designer or WAD? in BI I have FULL authorization (SAP_ALL, SAP_NEW, ..) Is there any Authorization required to give in EP as well?
RSRT uses the default destination in RSPOR_T_PORTAL. Try to use J2EE_ADMIN user for the first tests, at least. At first, no special authorizations are needed to run reports in BEx Web (which RSRT calls).
2) How to Publish the BI role In EP: Question is our EP guy is looking new, and not sure what all authorization to give to me, and how adequately create iView on top of BI reports, so I have already developed one enduser role consisting of all required authorization to run the BI report/query/view, we can publish our report in existing role, we can also publish direct developed role to EP but from where to download upload this BI role to EP need to know?
There is a tool called "Role Upload" in EP. You could search about. If you need some help, I can get from the EP guys here (I am from BW). Of course, the process must be done with an administrator id.
I hope it helps.
Kind Regards,
Marcio -
Grant privileges to subprogram via role: should not work?
I bought Selftestsoftware for 1z0-147 for 9i and 10g. Selftestsoftware is endorsed by Oracle, should be high quality.
But its below sample question and answer seem to be wrong: It says that privilege for subprogram can be granted via role. But from Urman 9i book, all roles are disabled inside stored procedures.
Did Selftestsoftware make a mistake? Or did the question not mention or assume that the subprogram is based on invoker rights, not definer rights?
Question:
All users in the HR_EMP role have UPDATE privileges on the EMPLOYEE table. You create the UPDATE_EMPLOYEE procedure. HR_EMP users should only be able to update the EMPLOYEE table using this procedure.
Which two statements should you execute? (Choose two.)
GRANT UPDATE ON employee TO hr_emp;
GRANT SELECT ON employee to hr_emp;
REVOKE UPDATE ON employee FROM hr_emp;
REVOKE UPDATE ON employee FROM public;
GRANT EXECUTE ON update_employee TO hr_emp;
Explanation:
The two statements you should execute are:
REVOKE UPDATE ON employee FROM hr_emp;
GRANT EXECUTE ON update_employee TO hr_emp;
Unless you are the owner of the PL/SQL construct, you must be granted the EXECUTE object privilege to run it or have the EXECUTE ANY PROCEDURE system privilege. By default, a PL/SQL procedure executes under the security domain of its owner. This means that a user can invoke the procedure without privileges on the procedures underlying objects. To allow HR_EMP users to execute the procedure, you must issue the GRANT EXECUTE ON update_employee TO hr_emp; statement. To prevent HR_EMP users from updating the EMPLOYEE table unless they are using the UPDATE_EMPLOYEE procedure, you must issue the REVOKE UPDATE ON employee FROM hr_emp;
All of the other options are incorrect because they will not meet the specified requirements.
Edited by: user13270686 on Jun 7, 2010 9:22 PM
The answer is correct, and the explanation complete.
Inside stored procedures roles are disabled. This is because privileges are checked at compile time and roles can change between compile time and execute time.
However, privilege to execute the procedure can be granted to a role. During execution of the procedure the privileges of the procedure's owner apply.
This is because you want to have encapsulation: when tables and procedures are in the same schema, you won't have any privilege problem, as the owner of a set of tables will always have privilege (you can not revoke them).
Sybrand Bakker
Senior Oracle DBA -
XPRESS code to find all users with a specific Admin Role
I've been playing around for a while with a way to get a list of all users that have been assigned a particular Admin Role. I have a role for which I want a specific subset of users to be approvers on it, and I want to greate a Rule that will check for people with a particular Admin Role and then return that list as people to be approvers on the role.
I haven't been able to find an easy way to write this code. Anyone run across this before or have another suggestion???
Thanks.
Below is the code to find user based on condition.
<set name='adminList'>
  <invoke name='getObjectNames' class='com.waveset.ui.FormUtil'>
    <ref>:display.session</ref>
    <s>User</s>
    <map>
      <s>conditions</s>
      <list>
        <new class='com.waveset.object.AttributeCondition'>
          <s>AdminRoles</s>
          <s>contains</s>
          <s>adminRoleName</s>
        </new>
      </list>
    </map>
  </invoke>
</set>
Edited by: Jay on Mar 7, 2012 4:03 AM