Privileges in a role

Hi,
Could anyone please give me the view/query to get the privileges included in a ROLE...
Thanks,
kr

@Florian W.
SQL> desc dba_role_role_privs
ERROR:
ORA-04043: obiekt dba_role_role_privs nie istnieje
SQL> desc dba_role_sys_privs
ERROR:
ORA-04043: obiekt dba_role_sys_privs nie istnieje
SQL> desc dba_role_tab_privs
ERROR:
ORA-04043: obiekt dba_role_tab_privs nie istnieje
SQL>
Names of these views are without DBA_ prefix
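
The three views named in the reply (ROLE_ROLE_PRIVS, ROLE_SYS_PRIVS, ROLE_TAB_PRIVS) can be combined into one listing that also follows roles granted to the role. This is an added example, not part of the original thread; the substitution variable ROLE_NAME and the output column aliases are chosen for the illustration.

```sql
-- Added example: list every system and object privilege a role carries,
-- including privileges inherited from roles that were granted to it.
SET VERIFY OFF
SET LINESIZE 160
ACCEPT ROLE_NAME CHAR PROMPT 'Enter role name: '
COLUMN priv_type   FORMAT a6  HEADING 'Type'
COLUMN privilege   FORMAT a30 HEADING 'Privilege'
COLUMN object_name FORMAT a45 HEADING 'Object'
COLUMN grant_opt   FORMAT a5  HEADING 'Opt'
COLUMN via_path    FORMAT a60 HEADING 'Inherited via'

WITH role_tree AS (
    -- the role itself
    SELECT UPPER('&ROLE_NAME') AS role_name,
           UPPER('&ROLE_NAME') AS via_path
      FROM dual
    UNION ALL
    -- every role reachable from it through role-to-role grants
    SELECT granted_role,
           UPPER('&ROLE_NAME') || SYS_CONNECT_BY_PATH(granted_role, ' > ')
      FROM role_role_privs
     START WITH role = UPPER('&ROLE_NAME')
   CONNECT BY NOCYCLE PRIOR granted_role = role
)
SELECT 'SYSTEM'                     AS priv_type,
       s.privilege                  AS privilege,
       CAST(NULL AS VARCHAR2(100))  AS object_name,
       s.admin_option               AS grant_opt,
       t.via_path                   AS via_path
  FROM role_tree t
  JOIN role_sys_privs s ON s.role = t.role_name
UNION ALL
SELECT 'OBJECT',
       p.privilege,
       p.owner || '.' || p.table_name
               || NVL2(p.column_name, '.' || p.column_name, ''),
       p.grantable,
       t.via_path
  FROM role_tree t
  JOIN role_tab_privs p ON p.role = t.role_name
 ORDER BY 1, 3, 2;
```

The ROLE_ views only cover roles the current user has access to; for a database-wide review a DBA would run the same shape against DBA_ROLE_PRIVS, DBA_SYS_PRIVS and DBA_TAB_PRIVS, filtering on GRANTEE.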

Similar Messages

  • Trying to assign User to ADS-Group

    Hi,
    I'm trying to assign a User to an ADS group using the script "sap_getGroupDN".
    Unfortunately the mskey given to that method is the mskey from the user and not from the group.
    Any suggestions or ideas?
    How did you manage that case?
    Kind regards,
    Achim Heinekamp
    CONET Solutions GmbH

    Hi folks,
    it seems I'm having a very similar problem to Achim, although the symptom is a little different. When I run the task to assign a role (1 AS ABAP, 1 AS Java and 1 AD OU) on the task AssignUserToADSGroup I get an error message that reads:
    PrivDN: !ERROR:No such attribute
    I've assigned the privilege to the role, and it seems to recognize that and create the user, however...the groups don't get assigned.
    The full output is below:

  • Which privileges having role.

    Hi,
    How can we know which privileges a role has?
    Thanks,
    Srini...

    Srini wrote:
    Hi,
    How can we know which privileges a role has?
    Thanks,
    Srini...
    Use the following to know the privileges on an object:
    SQL> desc role_tab_privs;
    Name               Null?    Type
    ROLE               NOT NULL VARCHAR2(30)  --User to whom the privilege was granted.                                         
    OWNER              NOT NULL VARCHAR2(30)  --User who owns the object.                                                       
    TABLE_NAME         NOT NULL VARCHAR2(30)  --Name of the object on which privilege was granted.                         
    COLUMN_NAME                 VARCHAR2(30)  --Name of the column (if applicable).                                       
    PRIVILEGE          NOT NULL VARCHAR2(40)  --Privilege on the object.                                                    
    GRANTABLE                   VARCHAR2(3)   --Whether the privilege was granted with the GRANT option. Equal to YES or NO.
    Also check
    SQL> desc DBA_TAB_PRIVS
    Name                                      Null?    Type
    GRANTEE                                   NOT NULL VARCHAR2(30)
    OWNER                                     NOT NULL VARCHAR2(30)
    TABLE_NAME                                NOT NULL VARCHAR2(30)
    GRANTOR                                   NOT NULL VARCHAR2(30)
    PRIVILEGE                                 NOT NULL VARCHAR2(40)
    GRANTABLE                                          VARCHAR2(3)
    HIERARCHY                                          VARCHAR2(3)
    and for sys you can use
    SQL> desc ROLE_SYS_PRIVS
    Name                                      Null?    Type
    ROLE                                      NOT NULL VARCHAR2(30)
    PRIVILEGE                                 NOT NULL VARCHAR2(40)
    ADMIN_OPTION                                       VARCHAR2(3)

  • Backend BW roles for users needed when running reports in infoview?

    Hello all,
    We are using SAP BI Queries as the sources of our universes, the user is going to logon to infoview to run report in webi. We have created some access levels in CMC to restrict users, the question is - the user will still need some kind of backend BW roles to have access to the BI query that is developed in BW system right? That way the user can fetch data?
    Let me know
    Thanks in advance.

    Hi,
    If you are using SAP Authentication and Single sign on option in universe connection, the users must have sufficient roles to access SAP BW database.
    If not, the only user login which you create during connection creation having roles to access the BW database is enough. In this case, the user can log in to Infoview using any user and can access the report if he has privileges to the report.
    Hope this helps!

  • Issue while changing validity date for assigned roles: SAP IDM 7.2 SP8

    Hello Experts
    I assigned the Task on repository for validity modification for Roles as in below screenshot:
    When I modify the role validity, the Task defined for Validity modification doesn't get triggered and IDM executes the tasks defined as Modify Task and fails with the errors below:
    1. Could not obtain repository name from Pending object.
    2. Error ! Audit id , Variable doesnt exist in MXPT_GET_ENTRYTYPE.
    I tried checking provisioning audit logs but couldn't find any Audit ID created for validity modification and I guess due to this the tasks are getting cancelled.
    Why doesn't the task defined in Modify Validity tasks get triggered when I modify the Role assignment validity?
    Am I doing anything wrong with the SAP Standard way of working ?
    Regards
    Deepak Gupta

    Hi Deepak/Chris,
    We are also facing a similar issue in our project where modifying the validity of the role does not trigger any task. We then changed the Modify attribute (in the task tab) on the privileges to "inhereted".
    The modify task is now triggered and completes successfully. However, no changes occur in the backend.
    We need to understand where we maintain the setting to define which attributes (if changed) will trigger an event task in the provisioning framework. The "check attributes modification" task within the provisioning framework executes the below query:
    select COUNT(VarName) from mxpv_audit_variables where AuditID=%AUDITID% and VarValue='%MSKEY%' and VarName='MARK_EXEC_MODIFY_ATTR%MSKEY%'
    The query gives the result as "False" in case we only modify the validity of the role assigned to user. Thus no event tasks are executed for the same.
    Can anyone please share where do we define the attributes for this query to give "True" as result for role validity modification.
    regards,
    Nits

  • How to give amadmin the role:Top-level Admin Role?

    hi,
    For the user amAdmin, I cancelled the role Top-level Admin Role; as a result, amadmin becomes a common user without privileges such as creating users! How do I restore the role for amAdmin? Thanks in advance.

    HI,
      Check if this can help you.
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/dae78be4-0601-0010-c9ab-c0b8d86fac07
    Regards,
    Harini S

  • Discoverer 4i error msg "A database role exists which conflicts with this username"

    When I try to open workbooks -> from database, I get a Discoverer 4i error msg "A database role exists which conflicts with this username" with only an "OK" button in the window. The database works fine for Discoverer 3.1. After clicking on the OK button, I get an empty list of workbooks to open. If I create a new workbook & try to save it, I see the list of dozens of workbooks in the database.
    Which role is it complaining about? How can I fix this?

    What you will have to do is log into the database as a user with DBA privileges, query the DBA_ROLES table (SELECT * FROM DBA_ROLES) and see what role exists that has the same name as the user you are logging in as... that should give you a direction to either rename the role, or drop the user and recreate with a unique name... Good Luck!
    Originally posted by William Sheridan ([email protected]):
    When I try to open workbooks -> from database, I get a Discoverer 4i error msg "A database role exists which conflicts with this username" with only an "OK" button in the window. The database works fine for Discoverer 3.1. After clicking on the OK button, I get an empty list of workbooks to open. If I create a new workbook & try to save it, I see the list of dozens of workbooks in the database.
    Which role is it complaining about? How can I fix this?

  • Privileges to create procedures/functions in schemas

    Greetings,
    I have a default schema associated with my user account. Can permissions be given for my user account to create functions and procedures in another schema without giving that user privileges to create in ANY schema?
    Our default schema for HTMLDB is not the schema associated with my user account. I want to be able to create my functions inside that schema, but our DBAs haven't been able to find out how to give the privilege without opening up all schemas to that account.
    hope this made sense,
    Cliff Moon

    Okay Cliff, no problem.
    Now, Michael, I don't know of any prepared docs specifically about this but fwiw, I'll try to recap how it works.
    1. HTML DB uses a public account to create (or reclaim) a distinct database session to service each page request. The connection is configured with the modplsql DAD and the database user (schema) that owns the session is HTMLDB_PUBLIC_USER. (The exception to this is when you configure a DAD for basic authentication.)
    2. The public packages (like wwv_flow) and procedures (like f) invoked through each HTTP request are owned by schema FLOWS_xxxxxx. Packages like wwv_flow use definers rights. This means, among other things, that they can execute any other packages owned by the FLOWS_xxxxxx schema, including the highly privileged, non-public packages that execute user code.
    3. The more privileged non-public packages do all the real work of rendering pages and processing POSTed pages. During these phases, your application code is executed (your report region queries, your DML operations, your page processes, validations, condition evaluation, your API calls, everything). All of this code is "parsed as" the database user (schema) assigned to your application. (Only one schema is assigned to a given application, although the assigned schema can be changed using the builder whenever you like.) The HTML DB engine can execute all of your application code as the "parse as" schema because it has SYS privileges to do so.
    4. Any of your code that HTML DB executes dynamically runs with the security privileges of your application schema. These privileges must have been granted explicitly and not through roles. So if your report query does 'select * from emp' it's necessary for emp (or a synonym for it) to exist in your application schema and for that schema to have select privilege on emp.
    5. The SQL Workshop works the same way, except things happen there at a workspace level, not at an application level. A workspace has one or more database schemas mapped to it. This means only that a conscious decision has been made (by an admin) to allow each workspace to access specific schemas. The list of schemas mapped to a given workspace appears in LOVs in various places, such as the SQL Command Processor. Selecting a schema from this LOV allows you to perform operations in that schema. You can perform operations in any of the other mapped schemas by selecting them from the LOV in turn.
    Note: so far we've said nothing about who the authenticated user is using your application (or the SQL Workshop application), because it has absolutely no bearing on anything so far.
    6. HTML DB allows developers to specify a plan to be used by the engine at the start of every page request to perform the chores of authentication, initial session registration and session management. This plan is called an authentication scheme. HTML DB provides standard schemes that are used by most developers, but developers can also design and build custom authentication schemes over which developers have complete control.
    7. During the execution of the authentication scheme for a page view (show) or page processing (accept) request, it is common for the scheme to cause a branch/redirect to a login page if it determines that no valid session yet exists. The operation of the login page results in the user being challenged for credentials and for those credentials to be verified. If they check out, related housekeeping tasks are performed such as recording the session ID in a table and session cookie creation. And a token is established to be used to identify the authenticated user for the duration of the HTML DB session. This value is stored in APP_USER and can be queried by developer-owned code and HTML DB-owned code as required.
    8. The credentials verification step is where user accounts come into play. It doesn't matter to HTML DB whether your application uses custom tables, an LDAP directory, an SSO infrastructure, or database accounts to verify credentials -- the verification takes place, usually once per HTML DB session, and that's that. The authentication scheme determines the exact method used.
    9. One example of an application that uses its own custom tables to hold account information (usernames/passwords) is HTML DB itself. You get the first account created for you during product installation and then you create administrator and developer accounts as you create multiple workspaces for developers at the site. These accounts are just rows in tables, a username, a password, an email address, the ID of the workspace, basic stuff like that. They are not database user accounts (schemas). And with these accounts, you can authenticate to HTML DB and use the Builder, the SQL Workshop, and the administration functions. Just remember, the database knows nothing of these accounts (they are like Oracle Applications user accounts).
    10. These HTML DB user accounts exist primarily to allow developers to use HTML DB. But they can also be used to allow end users to authenticate to applications created using HTML DB. That relieves each developer of having to "reinvent the wheel" and set up account repository tables and to have to write APIs to store/manage passwords, the work we did for HTML DB itself. Your application can simply use the built-in HTML DB authentication scheme which uses the account repository for credentials verification. It's not the only way for your application to verify credentials. In fact it's best suited for experimental applications, small workgroup applications, prototypes, apps on that scale. Applications that are slated for actual production deployment should be fitted with enterprise-level identity management solutions.
    11. Finally, HTML DB provides a very, very basic group-membership model that allows developer accounts (not database schemas) to be assigned to arbitrarily organized named groups. There is a supporting API for queries against these groups and an admin UI to create/maintain these groups. The same caveats given for using developer accounts for production applications apply to this facility.
    Recap:
    Database accounts: HTML DB does not use these accounts, their roles, or their privileges except to dynamically execute application code using these schemas as the "parsing schema".
    HTML DB user accounts: No relation to database schemas (*). They exist in custom tables owned by the HTML DB product. Accounts can be created and used by application developers as an out-of-the-box credentials verification method for authentication.
    *Exception: The "default schema" associated with an HTML DB user account is the name of a schema used to prime an LOV when the user sees a list-of-schemas LOV in places like the SQL Workshop.
    Scott

  • Authorization in Basis Roles

    The scenario is; there is a single client but two different companies.
    We are planning to develop a separate Basis Administration roles for each company.
    To restrict Organizational levels (Company code, controlling area...) I use the "S_USER_VAL" Authorization object. It works fine with org. levels but I have to define all possible Field Names along with their Authorization values and it seems very difficult.
    Is it possible that "S_USER_VAL" works according to the values I maintained, but for the rest of the values it goes to *? In other words, it should not bypass the maintained values.

    Jurjen Heeck wrote:
    > ... something else to make a part of SAP_ALL not work?
    2 ideas:
    - If the regeneration of SAP_ALL could check that the user running it does not have any SAP_ALL authorizations? Meaning, they would need to know exactly which non-SAP role authorizations (their technical names) have that authority in it. Many folks who only work with SAP_ALL don't know how to do that.
    - If there were some way to isolate the program parts which are required to change SCC4 such that they can only be run with root privileges, then you do not need to give your SAP system (with SAP_ALL) root access...?
    Disclaimer: Just ideas! Complete overkill!!
    => Does restricting the user's access sound like a much easier idea now?
    Cheers,
    Julius

  • Roles and Functions

    We currently use roles to set our database permissions. What is the best way to grant SELECT priv's for functions without having to set them for each table within the function?

    < We tried this but still gave us the error. >
    Strange. The owner should have privileges, and EXECUTE on the program should grant access to the owner's privileges while the program is running.
    Besides AUTHID CURRENT_USER I have seen privilege weirdness by use of the alter schema command.
    More information is needed. What error is being generated? Is the program using AUTHID CURRENT_USER, which will cause it to use the user's privileges and not the owner's?
    Message was edited by:
    riedelme

  • How to view the privileges inside the role

    Hi,
    How can I view the definition of a role on the sqlplus screen?
    Thanks
    Bcj

    Want to try something neat -- at least I think so. Put this in a sql script and run it against a user who has table privileges granted to him and through a role, and through roles two levels deep.
    -- SQL*Plus report: object privileges a user holds directly and through
    -- roles (followed to any depth via DBA_ROLE_PRIVS).
    set termout  on
    set feedback off
    set verify   off
    set linesize 128
    set pagesize 35
    Accept USER_ID CHAR Prompt 'Enter User ID: ';
    COLUMN table_name FORMAT a41 HEADING 'Resource'
    COLUMN privilege  FORMAT a11 HEADING 'Privilege'
    COLUMN grantable  FORMAT a9  HEADING ' '
    COLUMN via_role   FORMAT a60 HEADING 'Via Role?'
    BREAK ON table_name  SKIP 1 NODUPLICATES
    TTITLE Center 'Tables and Proc. Priveleges Granted to &USER_ID..'  skip 2
    -- First branch: privileges reached through roles; the inline view x walks
    -- the role hierarchy starting at the user.
    SELECT LOWER(y.owner || '.' || y.table_name) table_name,
           y.privilege,
           DECODE(y.grantable,'NO','No Grant','Grantable') grantable,
           x.role_granted as via_role
      FROM (SELECT CASE SIGN(LEVEL - 1)
                   WHEN 0
                        THEN granted_role
                        ELSE granted_role||' ['||grantee||']'
                   END as role_granted,
                   granted_role
              FROM dba_role_privs
            CONNECT
                 BY PRIOR granted_role=grantee
                    START WITH grantee = UPPER('&USER_ID')) x,
           dba_tab_privs y
    WHERE y.grantee = x.granted_role
    UNION ALL
    -- Second branch: privileges granted directly to the user, so there is no
    -- role to report; NULL keeps the column count equal across the UNION.
    SELECT LOWER(owner || '.' || table_name) table_name,
           privilege,
           DECODE(grantable,'NO','No Grant','Grantable') grantable,
           NULL as via_role
      FROM dba_tab_privs
    WHERE grantee = UPPER('&USER_ID')
    ORDER
        BY 1, 2;
    -- Restore the session's report settings.
    TTITLE OFF
    BTITLE OFF
    REPFOOTER OFF
    SET FEEDBACK ON
    SET PAGESIZE   40
    SET LINESIZE   96
    SET VERIFY     ON
    SET UNDERLINE  '-'
    SET HEADING    ON
    SET TERMOUT    ON

  • What is the query to check the privileges of a certain view ?

    Is there a query to check the privileges that have been assigned to a specific view or table? Please let me know. Thank You.

    DBA_TAB_PRIVS will contain information about what privileges individual database users have been granted on a particular view. ROLE_TAB_PRIVS will contain information about what privileges various roles have been granted on a particular view.
    If you have roles granted to other roles, default and non-default roles granted to users, etc., it can be somewhat hairy to trace back what end users are able to query a particular view based on grants made to one or more views. In that case, you'll need to shop around for more sophisticated scripts. I remember that Pete Finnigan had such a script on his site (http://www.petefinnigan.com) but I'll be darned if I can find it now.
    Justin
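
    The trace-back described in this answer can be written as one hierarchical query: start from the grants on the object in DBA_TAB_PRIVS and walk DBA_ROLE_PRIVS upward until a user (or PUBLIC) is reached. This is an added example, not from the thread or from Pete Finnigan's site; the substitution variables OBJ_OWNER and OBJ_NAME and the column aliases are chosen for the illustration.

    ```sql
    -- Added example: which accounts can reach one table or view, and by which
    -- chain of role grants. Requires access to the DBA_ views.
    SET VERIFY OFF
    SET LINESIZE 160
    ACCEPT OBJ_OWNER CHAR PROMPT 'Object owner: '
    ACCEPT OBJ_NAME  CHAR PROMPT 'Object name:  '
    COLUMN account      FORMAT a25 HEADING 'Account'
    COLUMN privilege    FORMAT a12 HEADING 'Privilege'
    COLUMN default_role FORMAT a7  HEADING 'Default'
    COLUMN grant_path   FORMAT a70 HEADING 'Reached via'

    WITH direct_grants AS (
        -- everyone (users and roles) holding a grant on the object itself
        SELECT grantee, privilege
          FROM dba_tab_privs
         WHERE owner      = UPPER('&OBJ_OWNER')
           AND table_name = UPPER('&OBJ_NAME')
    ),
    role_chain AS (
        -- walk upward from each role that holds a grant to whoever holds that role
        SELECT CONNECT_BY_ROOT granted_role         AS source_role,
               grantee,
               default_role,
               SYS_CONNECT_BY_PATH(grantee, ' -> ') AS hops
          FROM dba_role_privs
         START WITH granted_role IN (SELECT grantee FROM direct_grants)
       CONNECT BY NOCYCLE PRIOR grantee = granted_role
    )
    SELECT d.grantee                  AS account,
           d.privilege                AS privilege,
           CAST(NULL AS VARCHAR2(3))  AS default_role,
           'direct grant'             AS grant_path
      FROM direct_grants d
     WHERE d.grantee = 'PUBLIC'
        OR d.grantee IN (SELECT username FROM dba_users)
    UNION ALL
    -- default_role is the flag on the last hop: NO means the account has to
    -- enable the role with SET ROLE before the privilege applies
    SELECT c.grantee,
           d.privilege,
           c.default_role,
           c.source_role || c.hops
      FROM role_chain c
      JOIN direct_grants d ON d.grantee = c.source_role
     WHERE c.grantee = 'PUBLIC'
        OR c.grantee IN (SELECT username FROM dba_users)
     ORDER BY 1, 2, 4;
    ```

    The query covers object grants only: column-level grants live in DBA_COL_PRIVS, and accounts holding system privileges such as SELECT ANY TABLE (DBA_SYS_PRIVS) can read the object without appearing here.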

  • Granting privileges

    Hi
    How can I grant a view-only privilege to a user on packages, procedures, functions?
    I don't want the user to execute the packages....I need view only...
    I've granted the user select privs on a particular schema, but she is not able to view packages....
    Message was edited by:
    vik121583

    Definitely ....
    I have user who runs conversion processes every night.
    So we had that process running well on QA while in production that process takes long time to finish.
    The volume of data in QA and PROD are same.
    So the user is requesting me to grant permissions on that particular packages and procedures on production as view only .
    i.e she could only see the package(no execution or editing) and troubleshoot the issue on QA.
    I cannot allow her to either execute, edit or create a package in PROD.
    I can't give her execute privileges on those packages in PROD.
    Is there any other way to access the packages in read-only mode?
    I've read Oracle's roles and privs document; I couldn't find any such privileges.

  • Impact of assigning dbowner privilege to a user/login

    Hello,
    If I assign dbowner privilege to a login/user would that user be able to access all the objects in that specific database or the objects owned by the user only.
    Best regards,
    Vishal

    Hi Vishal,
    Members of the db_owner fixed database role can perform all configuration and maintenance activities on the database, and can also drop the database. For more information regarding Server and database roles in SQL Server, please see:
    http://technet.microsoft.com/en-us/library/bb669065(v=vs.110).aspx
    Regards,
    Elvis Long
    TechNet Community Support

  • Error while generating a role

    Hi SAP Techies,
    I am getting the following error while generating a role,
    "18 field value(s) for object K_CCA were not entered in the profile"
    Can you please provide me a solution to fix this problem.
    Thanks.
    Regards,
    Agustuss

    How many cost centres are you putting in the role?  Do you have cost centre set as an org level?
    From your User Name I assume that you are at the BBC...Do you still use a program to populate the cost centres in the role based on the cost centre group names?  If so it is possible that you are trying to put too many cost centres in the field and the profile will not generate because of this (we had it back in 2001 when I was working there).
    Do you have the technical error message details?
