Invoker rights

Schema A owns table B. It has a definer rights package PKG containing the statement
apex_collection.create_collection_from_query('FOO','select col1 from B');
Schema C has execute privilege on A.PKG and is the parsing schema used for an Apex application.
When a page process in the app executes A.PKG, it gets an ORA-942 table doesn't exist error for create_collection_from_query. Changing the query to A.B or creating a public synonym for B=A.B works.
I am confused. I thought the grant execute on the package was sufficient for C to be able to run it, why is the additional schema qualifier or public synonym needed for name resolution? I don't see that APEX_COLLECTION is defined with AUTHID CURRENT_USER.
What am I missing?

Vikas
I think it's due to how the <tt>select col1 from B</tt> query is handled by <tt>apex_collection.create_collection_from_query()</tt>. My assumption is that as part of APEX this method will execute the query via <tt>dbms_sys_sql</tt> using the application's parsing schema.

Similar Messages

  • How to implement invoker rights in oracle 9i

    Invoker rights is a new model for resolving references to database elements in a PL/SQL program unit. From Oracle 8i onwards, we can decide if a program unit should run with the authority of the definer or of the invoker. This means that multiple schemas, accessing only those elements belonging to the invoker, can share the same piece of code.
    To enable code to run with Invoker rights, an AUTHID clause needs to be used before the IS or AS keyword in the routine header. The AUTHID clause tells Oracle whether the routine is to be run with the invoker rights (CURRENT_USER), or with the Owner rights (DEFINER). If you do not specify this clause, Oracle by default assumes it to be AUTHID DEFINER.
    create or replace procedure update_par(pi_parcod  in     varchar2,
                                           pi_val     in     varchar2,
                                           pio_status in out varchar2)
    authid current_user is  -- run with the invoker's privileges and name resolution
    begin
      pio_status := 'OK';
      -- appparmst is resolved in the invoker's schema at run time
      update appparmst
      set    parval = pi_val
      where  parcod = pi_parcod
      and    rownum = 1;
      if sql%notfound then
        pio_status := 'Error in resetting the parameter';
      end if;
    end;
    /
    Restriction in using Invoker rights
    1. When compiling a new routine, direct privileges are only considered to resolve any external references. Grants through roles are ignored. The same applies when executing a routine created with invoker rights.
    2. AUTHID is specified in the header of a program unit. The same cannot be specified for individual programs or methods within a package or object type.
    3. Definer rights will always be used to resolve any external references when compiling a new routine.
    4. Maintain extra caution on privileges being assigned to a different user. If the wrong privileges are assigned, a routine with invoker rights may have a mind of its own! Such issues would be difficult to debug. So ensure that the grants are perfectly in place.
    5. For an invoker rights routine referred in a view or a database trigger, the owner of these objects is always considered as the invoker, and not the user triggering it.
    ~ Madrid.

  • Definer and Invoker Rights Privileges

    Hi all,
    I am a little confused with Definer and Invoker Rights Privileges. As per my understanding when you have the definer rights on a procedure then you don't explicitly require any privileges on the object under that procedure.
    Can anyone pls explain this to me or provide me a useful link.
    Thanks in advance.

    "when you have the definer rights on a procedure then you don't explicitly require any privileges on the object under that procedure."
    Exactly. Definer rights means that you run the program as though you were the program owner.
    It's explained in more detail in the PL/SQL Developers' Guide.
    Cheers, APC

  • Definer rights VS. invoker rights (same old story...)

    /Disclaimer:/
    Look, I know that this one has been discussed like hundreds of times already...
    Anyway, as I was browsing the forum yesterday, I have noticed this thread:
    Re: Different data dictionaries inside stored procedures?
    and it actually reminded me of a question I once had but never got the answer.
    So, here goes...
    Imagine a pretty common situation of a DBA creating a new user account 'JOHN' and granting John some privileges:
    create user john identified by xxxxx default tablespace .... ;
    grant connect to john;
    grant create procedure to john;
    Afterwards John opens a session, creates the following PL/SQL procedure and executes it:
    create or replace procedure table_creator (tab_name varchar2)
    is
    begin
      execute immediate 'create table '||tab_name||' (n number)';
    end;
    /
    exec table_creator('test')
    And we all know what happens:
    BEGIN table_creator('test'); END;
    ERROR at line 1:
    ORA-01031: insufficient privileges
    ORA-06512: at "JOHN.TABLE_CREATOR", line 5
    ORA-06512: at line 1
    Now, the 2 well-known solutions to this problem are:
    1) grant create table to john; (and thus do not rely on roles);
    2) create or replace procedure table_creator (tab_name varchar2) authid current_user is...
    My question is: which one of the two above is the best one?
    I mean, the first solution seems pretty straightforward, but then the question that emerges is why do we have roles anyway if we can't truly rely on them (?)
    As for the second one, there're issues like performance downgrade due to runtime name/privilege resolution, etc.
    Or is there some other way to go?
    Message was edited by:
    iferous

    "// ACEs where r u ?!"
    Oh don't Re: Needs another simple fix ! (Its been over 24hrs, nobody tried! Strange) Alex, I thought you were one of the good guys.
    Anyway, I expect a lot of the Aces are in the air right now, heading for 'Frisco.
    To your question:
    "which one of the two above is the best one?"
    It depends. Is John a developer or a user? If John is a developer then the DBA should grant him privileges explicitly. If John is a user then it is appropriate to use a role for his privileges and thus use the AUTHID CURRENT_USER approach.
    Note, I think this example is flawed because I would not expect a user to have a procedure which dynamically creates a table. Certainly I wouldn't expect John as a user to be creating procedures or to know about invoker rights. But the same model applies if the privilege is say SELECT access on another user's tables.
    "the question that emerges is why do we have roles anyway if we can't truly rely on them (?)"
    In my view ROLES are intended for managing users rather than developers. Generally I think this means granting table privileges to roles but not system privileges (although CREATE SESSION is an obvious exception). We should not use Roles for managing the privileges of developers, or for application owner accounts come to that. If the account has a schema it probably should have individually granted system privileges; as with most generalisations there is a grey area.
    Cheers, APC
    Message was edited by: inserting the crucial NOT that makes the sentence make sense
    APC

  • COMMIT needed for invoker rights proc?

    The following proc EXEC_PROC in a package named PKG_DYNAMIC_SQL is called by the proc RUN_PROCS which is in a different package shown below:
    PROCEDURE exec_proc (pi_proc_name IN varchar2 ,pi_acctky IN varchar2 )
    AS
      PRAGMA AUTONOMOUS_TRANSACTION;
    BEGIN
      EXECUTE IMMEDIATE 'BEGIN ' || pi_proc_name || '(:acctky );' || ' END;' USING IN pi_acctky ;
    END exec_proc;

    PROCEDURE run_procs(pi_proc_names_tab IN pkg_types.t_tab_proc_names)
    IS
    BEGIN
      FOR indx IN pi_proc_names_tab.FIRST .. pi_proc_names_tab.LAST
      LOOP
        pkg_dynamic_sql.EXEC_PROC ( pi_proc_names_tab(indx) ,pi_acctky) ;
      END LOOP;
    END run_procs;
    The pi_proc_name is a set of stand alone procs that do an UPDATE statement. I find that unless I have a COMMIT statement inside each pi_proc_name I get a RUN TIME ERROR. Am I right in saying that cause I have a BEGIN END ( Anonymous block) pair round the invocation of pi_proc_name I am using INVOKER RIGHTS? Has that something to do with the error when the called proc does not commit before it exits?
    Please help me understand why?

    "does the called proc inherit the AUTONOMOUS TRANSACTION from the caller as in my example?"
    No.
    Actually, I'm not sure what you mean:
    RUN_PROCS is calling EXEC_PROC (the autonomous transaction).
    So: RUN_PROCS is the caller, not EXEC_PROC.
    And I would only use autonomous transactions for error logging purposes. Nothing else.
    If I understand correctly you're executing several procedures dynamically and each procedure gets committed as a separate transaction, (since they're all autonomous, they cannot 'see' each other anymore, all transactional logic is gone) all in one loop. That's a classic recipe for disaster when unexpected things happen, and they will happen sooner or later.
    Are you sure it is safe to execute procedure 'Y' when procedure 'X' went into an error/committed 'the wrong' data/?
    In other words: I hope this whole approach is a well thought-out strategy, but usually dynamic (PL/)SQL + autonomous transactions = trouble/breaking code/corrupting data.

  • Definer and Invoker Rights

    If a package is defined as AUTHID CURRENT_USER but inside one of the procedures in the package it calls another package that is defined with DEFINER rights (default) does that called package execute with the invoker rights or definer rights?
    I'm trying to grant a user alter user privs then revoke it and I keep getting insufficient priv error.
    I think the called package is invoked with invoker rights not definer.

    The owner of the called package has to have alter user privs WITH admin option.
    It works now.

  • Invoker Rights and Triggers

    Let's say that a procedure is created with invoker rights which updates a table named Table_1. If table_1 has a trigger on it which updates another table named Table_2: Will the trigger update Table_2 if the user does not have rights on Table_2? Will the initial procedure fail in its update of Table_1? Thanks
    -Jeff

    The trigger itself has "owner rights", so it will always execute without error
    when someone updates table_1.
    The procedure will only fail if your user doesn't have the rights to modify
    table_1.

  • How to invoke right keyboard (Finnish) for DOS-progs

    Now my DOS-programs (in my new Win7 34bit ThinkPad) get AMERICAN keyboard (like "/" and no "äö"), whereas in the preinstalled Cmd-Prompt the keyboard is correctly FINNISH. How can I change (keyboard driver of DOS) into a (DOS-Cmd-Prompt and Windows similar) FINNISH keyboard (driver). Does this require some setting into a "Config.nt" and/or "Autoexec.nt"? And how is that "Config.nt" entered into my DOS-program's short-cut?
    Thanks for help   
    Moderator edit: Removed email so SPAMbots don't get it.

    The robot class looks promising.
    The command line might be useful if I can find out a way to choose the printer using the printDialog.
    I wouldn't have to do any of this if I can get the JEditorPane to give me back the correct size. I know it IS the correct size because I can make it visible and look at it. But then when I print it the height is way off.
    Thanks for all your help. I've been pounding on this for a week now.

  • Invoker rights problem

    I loaded a java class X as user A.
    I publish a spec for class X and grant
    execute on the spec to user B.
    Executing X as user A poses no problem
    But when I execute X (as user B)...Oracle
    spits out this dummy:
    oracle.jdbc.driver.OracleSQLException: ORA-00942: table or view does not exist
    I already granted SELECT on all possible tables that the java class would have accessed in its code
    Any ideas...pls help !

    Create Your plsql wrapper with
    AUTHID DEFINER
    and granting EXECUTE on the wrapper package will be sufficient!

  • Generating PL/SQL with invoker's rights?

    When will this functionality be available in Designer? We are currently running Designer 10g (9.0.4.3.14) and this functionality is not supported yet.
    We would very much like to be able to generate packages with "AUTHID CURRENT_USER" from the server model.
    There is a forum in which the following is stated: " The BUG 884671 - PROCEDURE/FUNCTION NEEDS INVOKER RIGHTS (AUTHID)
    is not yet fixed. Please follow the bug from Metalink."
    Bug 884671 does not exist or is not viewable by ordinary MetaLink users like me.
    Regards Thomas Kirchhoff

    Thomas,
    We have no plans to add this functionality to Designer. Please read the latest Tools Statement of Direction on the Designer pages on OTN (http://otn.oracle.com/products/designer/index.html) There is also a Designer maintenance release cycle document which details our plans for Designer and a related FAQ.
    Regards
    Sue Harper
    Designer Product Management

  • ValueChangeListener not invoked inside h:dataTable h:inpuText

    Hi,
    I'm creating a simple dataTable with an inputText in each row. Each inputText has a valueChangeListener that is never invoked.
    Does anyone know why this is happening ?
    Thanks in advance,
    - Juan

    Thanks for your answer.
    First option is excluded.
    Third option also, because we are using RichFaces dataTable components.
    You are saying that getter method for dataTable value attribute needs to return exactly the same object list which was returned in the request before when the list was populated for the first time, in order for commandButton in dataTable action method to be invoked, right?
    In my case loading managed bean fields in constructor is excluded, because we are using EJB dependency injection, so our EJB's from which we are getting data aren't available in managed bean constructors. They are available in other methods. That leaves me to the field initialization in dataTable value getter method, when the list is populated for the first time. Which is the most elegant way to preserve this list between requests, and retrieve this list in later requests? Is saving object list in FacesContext session possible solution?

  • ORA-22285 Loadclobfromfile and definer rights

    I've create a directory D in schema A.
    Schema A has read permissions on the directory.
    Created a stored procedure X that reads a clob from a file in this directory.
    Running the procedure as user A works ok.
    Granted execute rights on procedure X to user B
    When user B tries to run procedure X I get error: ORA-22285: non-existent directory or file for FILEOPEN operation.
    It turns out I have to grant B read permission on the directory D.
    I don't understand why this is necessary. Procedure X runs with definer rights by default.
    Maybe someone can shed a bit of light on this ?


  • Definer rights vs. user rights

    I must be having a senior moment .... ;-)
    Trying to demo definer rights vs. user rights on execution of a procedure.. With apologies to Daniel, I created this test, and then in trying to find the answer to my question I found his nearly identical example at psoug.
    SQL> --
    SQL> conn system/halftrack@vmora01
    Connected.
    SQL> drop user bert cascade;
    User dropped.
    SQL> drop user ernie cascade;
    User dropped.
    SQL> drop role ernies_role;
    Role dropped.
    SQL> --
    SQL> create user bert identified by bert
      2  default tablespace users
      3  temporary tablespace temp
      4  quota 10m on users;
    User created.
    SQL> --
    SQL> grant create session, create table, create procedure to bert;
    Grant succeeded.
    SQL> --
    SQL> create table bert.berts_table (empid varchar2(15));
    Table created.
    SQL> --
    SQL> CREATE OR REPLACE PROCEDURE bert.user_test  AUTHID current_user IS
      2  v_empcnt number;
      3  BEGIN
      4   select count(*)
      5   into v_empcnt
      6   from bert.berts_table;
      7  END user_test;
      8  /
    Procedure created.
    SQL> --
    SQL> CREATE OR REPLACE PROCEDURE bert.definer_test  AUTHID DEFINER IS
      2  v_empcnt number;
      3  BEGIN
      4   select count(*)
      5   into v_empcnt
      6   from bert.berts_table;
      7  END definer_test;
      8  /
    Procedure created.
    SQL> --
    SQL> create user ernie identified by ernie
      2  default tablespace users
      3  temporary tablespace temp
      4  quota 10m on users;
    User created.
    SQL> --
    SQL> create role ernies_role;
    Role created.
    SQL> --
    SQL> grant create session to ernies_role;
    Grant succeeded.
    SQL> grant select on bert.berts_table to ernies_role;
    Grant succeeded.
    SQL> grant execute on bert.definer_test to ernies_role;
    Grant succeeded.
    SQL> grant execute on bert.user_test to ernies_role;
    Grant succeeded.
    SQL> grant ernies_role to ernie;
    Grant succeeded.
    SQL> --
    SQL> conn ernie/ernie@vmora01
    Connected.
    SQL> --
    SQL> -- this should succeed
    SQL> --
    SQL> execute bert.user_test;
    PL/SQL procedure successfully completed.
    SQL> --
    SQL> -- this should fail --
    SQL> --
    SQL> execute bert.definer_test;
    PL/SQL procedure successfully completed.
    SQL> spo off
    Ok, the only rights ernie has are via ernies_role. So I would expect his execution of bert.definer_test to fail, but it didn't.

    mbobak wrote:
    Hi Ed,
    In the definer rights case, as long as ernie can execute the procedure owned by bert, he'll be able to successfully execute it, cause definer rights mean that the object (owned/defined by bert) executes w/ bert's rights, and the only object access in the procedure is on bert's objects. So, no problem there.
    In the invoker rights case, it works cause even though the proc is owned by bert, ernie is executing and so, rights have to be granted to ernie, and they are.
    I don't see a problem in either case. Am I missing something?
    My guess is, what you're overlooking is the fact that, in the case of invokers rights, it's ok for necessary privileges to be granted via a role. The restriction against roles, is only on a definers rights procedure.
    -Mark
    PS See here for more info:
    http://download.oracle.com/docs/cd/E11882_01/network.112/e10574/authorization.htm#DBSEG50010
    Ok, as I read the explanation in the linked reference, that makes sense. So now I'm having a hard time imagining the situation where inheriting privs via a role comes into play as a problem in dealing with pl/sql blocks.
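
The situation the last reply asks about, where a privilege held only through a role becomes a problem, arises when the owner of the unit (not the caller) holds the grant via a role. The SQL*Plus script below is an added example, not part of the thread; the users demo_owner and demo_dev, the role demo_reader, the placeholder passwords and the users tablespace are assumptions, and it is meant for a scratch database.

```sql
-- Constructed demo; every user, role and object name here is hypothetical.
-- Part 1: run as a DBA.
create user demo_owner identified by "Replace_Me_1" quota 1m on users;
create user demo_dev   identified by "Replace_Me_2";
create role demo_reader;
grant create session, create procedure to demo_dev;
create table demo_owner.t (n number);
-- demo_dev can read demo_owner.t only through the role, never directly.
grant select on demo_owner.t to demo_reader;
grant demo_reader to demo_dev;

-- Part 2: new session as demo_dev, so the default role is enabled.
connect demo_dev/"Replace_Me_2"
set serveroutput on

-- Top-level SQL runs with the session's enabled roles.
select count(*) from demo_owner.t;

-- Definer rights: static SQL is checked at compile time against the owner's
-- direct grants only. The role grant is ignored, so this unit is created
-- with compilation errors (ORA-00942 reported by "show errors").
create or replace procedure count_t_definer authid definer is
  v_cnt number;
begin
  select count(*) into v_cnt from demo_owner.t;
end count_t_definer;
/
show errors

-- Invoker rights with dynamic SQL: the statement is parsed at run time,
-- when the caller's enabled roles apply.
create or replace procedure count_t_invoker authid current_user is
  v_cnt number;
begin
  execute immediate 'select count(*) from demo_owner.t' into v_cnt;
  dbms_output.put_line('rows visible to invoker: ' || v_cnt);
end count_t_invoker;
/
exec count_t_invoker

-- Probe: how many roles are enabled while each kind of unit is running.
create or replace function roles_definer return number authid definer is
  v_cnt number;
begin
  select count(*) into v_cnt from session_roles;  -- roles are disabled here
  return v_cnt;
end roles_definer;
/
create or replace function roles_invoker return number authid current_user is
  v_cnt number;
begin
  select count(*) into v_cnt from session_roles;  -- caller's roles stay enabled
  return v_cnt;
end roles_invoker;
/
select roles_definer, roles_invoker from dual;

-- How each unit was declared, from the data dictionary.
select object_name, authid
from   user_procedures
where  object_name like 'COUNT\_T%' escape '\'
or     object_name like 'ROLES\_%'  escape '\';

-- Part 3: clean up as a DBA.
-- drop user demo_dev cascade;
-- drop user demo_owner cascade;
-- drop role demo_reader;
```

A direct `grant select on demo_owner.t to demo_dev` lets count_t_definer compile; the AUTHID column of ALL_PROCEDURES or DBA_PROCEDURES gives the same declaration check for units in other schemas.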

  • Is there a way to turn on right clicking on my trackpad?

    This is my first Mac and it's driving me crazy that I can't right click. I know there's a way to turn right clicking on, but I can't remember how. Anybody know?

    Go into System Preferences, Trackpad. It's all there. Under Secondary Click you can invoke right-click with three different gestures of your choice.
    In total, OS X gives you many ways to right-click:
    Turn on and configure secondary click in Trackpad preferences (two-finger click, bottom left corner click, bottom right corner click).
    Control-click.
    Use a right-button mouse, or the secondary button on a stylus/trackball/external trackpad

  • Refreshing listview when we invoke an operation in server-initiated workflo

    Hi,
    we are developing a server-initiated workflow where we have scenario like user will get a notification from server and we are showing a listview of tasks ready  for approve/reject. After approval/rejection operation, listview should be reflected by ignoring approved/rejected tasks.
    can you please help me regarding this...
    Thanks,
    ram

    There's a couple of different ways you can do this.
    You can configure your application so that the approve/reject operations are sent as a batch.  In this scenario, you would take the individual approve/reject operation menuitem and make it of type Delete Listview Row/Delete Key Collection (what its named depends on what release you are using). This marks the row as having been deleted, and thus it will be removed from the listview when you go back to it.  Then, put a Submit Workflow menuitem on the listview screen and have it do a Parent Update.  This will then, asynchronously, send to the server a request to go through the listview and, for each row, visible or not, invoke the corresponding operation on each row, depending on what the state of that row is ("add", "update", or "delete").  In this case, you'll have mapped the "delete" state to your approve/reject operation.
    In the other scenario, you want the approve/reject operations to be invoked right away, as online request (necessitating an active connection to the server).  To support this, you'll want to write custom code to mark the current message value collection's state as "delete", which will be a cue to the listview not to display it.
