Privileges to create procedures/functions in schemas
Greetings,
I have a default schema associated with my user account. Can permissions be given for my user account to create functions and procedures in another schema without giving that user privileges to create in ANY schema?
Our default schema for HTMLDB is not the schema associated with my user account. I want to be able to create my functions inside that schema, but our DBAs haven't been able to find out how to give the privilege without opening up all schemas to that account.
hope this made sense,
Cliff Moon
Okay Cliff, no problem.
Now, Michael, I don't know of any prepared docs specifically about this but fwiw, I'll try to recap how it works.
1. HTML DB uses a public account to create (or reclaim) a distinct database session to service each page request. The connection is configured with the modplsql DAD and the database user (schema) that owns the session is HTMLDB_PUBLIC_USER. (The exception to this is when you configure a DAD for basic authentication.)
2. The public packages (like wwv_flow) and procedures (like f) invoked through each HTTP request are owned by schema FLOWS_xxxxxx. Packages like wwv_flow use definer's rights. This means, among other things, that they can execute any other packages owned by the FLOWS_xxxxxx schema, including the highly privileged, non-public packages that execute user code.
3. The more privileged non-public packages do all the real work of rendering pages and processing POSTed pages. During these phases, your application code is executed (your report region queries, your DML operations, your page processes, validations, condition evaluation, your API calls, everything). All of this code is "parsed as" the database user (schema) assigned to your application. (Only one schema is assigned to a given application, although the assigned schema can be changed using the builder whenever you like.) The HTML DB engine can execute all of your application code as the "parse as" schema because it has SYS privileges to do so.
4. Any of your code that HTML DB executes dynamically runs with the security privileges of your application schema. These privileges must have been granted explicitly and not through roles. So if your report query does 'select * from emp' it's necessary for emp (or a synonym for it) to exist in your application schema and for that schema to have select privilege on emp.
5. The SQL Workshop works the same way, except things happen there at a workspace level, not at an application level. A workspace has one or more database schemas mapped to it. This means only that a conscious decision has been made (by an admin) to allow each workspace to access specific schemas. The list of schemas mapped to a given workspace appears in LOVs in various places, such as the SQL Command Processor. Selecting a schema from this LOV allows you to perform operations in that schema. You can perform operations in any of the other mapped schemas by selecting them from the LOV in turn.
Note: so far we've said nothing about who the authenticated user is using your application (or the SQL Workshop application), because it has absolutely no bearing on anything so far.
6. HTML DB allows developers to specify a plan to be used by the engine at the start of every page request to perform the chores of authentication, initial session registration and session management. This plan is called an authentication scheme. HTML DB provides standard schemes that are used by most developers, but developers can also design and build custom authentication schemes over which developers have complete control.
7. During the execution of the authentication scheme for a page view (show) or page processing (accept) request, it is common for the scheme to cause a branch/redirect to a login page if it determines that no valid session yet exists. The operation of the login page results in the user being challenged for credentials and for those credentials to be verified. If they check out, related housekeeping tasks are performed such as recording the session ID in a table and session cookie creation. And a token is established to be used to identify the authenticated user for the duration of the HTML DB session. This value is stored in APP_USER and can be queried by developer-owned code and HTML DB-owned code as required.
8. The credentials verification step is where user accounts come into play. It doesn't matter to HTML DB whether your application uses custom tables, an LDAP directory, an SSO infrastructure, or database accounts to verify credentials -- the verification takes place, usually once per HTML DB session, and that's that. The authentication scheme determines the exact method used.
9. One example of an application that uses its own custom tables to hold account information (usernames/passwords) is HTML DB itself. You get the first account created for you during product installation and then you create administrator and developer accounts as you create multiple workspaces for developers at the site. These accounts are just rows in tables, a username, a password, an email address, the ID of the workspace, basic stuff like that. They are not database user accounts (schemas). And with these accounts, you can authenticate to HTML DB and use the Builder, the SQL Workshop, and the administration functions. Just remember, the database knows nothing of these accounts (they are like Oracle Applications user accounts).
10. These HTML DB user accounts exist primarily to allow developers to use HTML DB. But they can also be used to allow end users to authenticate to applications created using HTML DB. That relieves each developer of having to "reinvent the wheel" and set up account repository tables and to have to write APIs to store/manage passwords, the work we did for HTML DB itself. Your application can simply use the built-in HTML DB authentication scheme which uses the account repository for credentials verification. It's not the only way for your application to verify credentials. In fact it's best suited for experimental applications, small workgroup applications, prototypes, apps on that scale. Applications that are slated for actual production deployment should be fitted with enterprise-level identity management solutions.
11. Finally, HTML DB provides a very, very basic group-membership model that allows developer accounts (not database schemas) to be assigned to arbitrarily organized named groups. There is a supporting API for queries against these groups and an admin UI to create/maintain these groups. The same caveats given for using developer accounts for production applications apply to this facility.
Recap:
Database accounts: HTML DB does not use these accounts, their roles, or their privileges except to dynamically execute application code using these schemas as the "parsing schema".
HTML DB user accounts: No relation to database schemas (*). They exist in custom tables owned by the HTML DB product. Accounts can be created and used by application developers as an out-of-the-box credentials verification method for authentication.
*Exception: The "default schema" associated with an HTML DB user account is the name of a schema used to prime an LOV when the user sees a list-of-schemas LOV in places like the SQL Workshop.
Scott
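Added example, not part of Scott's post and not HTML DB code: point 4 above says the parsing schema's privileges must be granted directly, not through roles. The script below shows that rule with an ordinary definer's-rights procedure, which Oracle also compiles with roles disabled, and then lists which object privileges a schema holds directly versus only through a role. APP_SCHEMA, APP_READ_ROLE and HR.EMP are hypothetical names; run it as a DBA.

```sql
-- Added example. APP_SCHEMA (the application's parsing schema),
-- APP_READ_ROLE and HR.EMP are hypothetical names used for illustration.

-- 1. Grant the table privilege only through a role.
CREATE ROLE app_read_role;
GRANT SELECT ON hr.emp TO app_read_role;
GRANT app_read_role TO app_schema;

-- 2. In an interactive APP_SCHEMA session the role is enabled, so
--    "SELECT COUNT(*) FROM hr.emp" succeeds there. Stored code owned by
--    APP_SCHEMA is compiled with roles disabled, so this procedure is
--    created with compilation errors (ORA-00942 on hr.emp).
CREATE OR REPLACE PROCEDURE app_schema.count_emp AS
  n NUMBER;
BEGIN
  SELECT COUNT(*) INTO n FROM hr.emp;
END;
/

-- 3. Grant the same privilege directly to the schema and recompile;
--    the procedure now becomes VALID.
GRANT SELECT ON hr.emp TO app_schema;
ALTER PROCEDURE app_schema.count_emp COMPILE;

-- 4. Audit: which object privileges does the parsing schema hold directly,
--    and which only through a role? Rows marked ROLE are not usable by
--    code that runs with roles disabled. (Roles granted to other roles
--    are not expanded here.)
SELECT 'DIRECT' AS via, tp.owner, tp.table_name, tp.privilege
  FROM dba_tab_privs tp
 WHERE tp.grantee = 'APP_SCHEMA'
UNION ALL
SELECT 'ROLE ' || rp.granted_role, tp.owner, tp.table_name, tp.privilege
  FROM dba_role_privs rp
  JOIN dba_tab_privs tp ON tp.grantee = rp.granted_role
 WHERE rp.grantee = 'APP_SCHEMA'
 ORDER BY 1, 2, 3;
```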
Similar Messages
-
Create procedure/functions under Custom Public Transformations using OMB
Hello,
I need to create a global procedure under Public Transformations. How do i do so?
I am able to create them under specific projects, but not as global.
I tried creating it after OMBCC 'PUBLIC_PROJECT' , but it says i need to change my context...
Can some one please help me with this.
Thanks in advance..
check these links for references.
http://download.oracle.com/docs/cd/B31080_01/doc/owb.102/b28225/omb_appendix.htm
http://mis3nt.gsnu.ac.kr/PublicData/Oracle11gDoc/owb.111/b31279/omb_appendix.htm
-
Do you have any procedure/function to get parent child relation ship logic?
I am in great need. I have developed one but it has many cursors. Actually to get final leaf node, I have to keep on using cursor until last leaf found.
Note: CONNECT BY PRIOR not to be used with this requirement. So need to create procedure/function only.
Note the name of this forum is "SQL Developer *(Not for general SQL/PLSQL questions)*", so only for issues with the SQL Developer tool. Please post these questions under the dedicated SQL And PL/SQL forum (you've posted there before).
Additionally, this seems to be a duplicate of your other thread at How to get Number of NESTED CHILD on this requirement? please use the same thread instead of duplicating.
Regards,
K.
-
How can I create packages procedure & function in user-define Library
hi.
i am already created packages procedure & function in database and use so on.
now i would like to create these in library file.
please anyone give me example of any procedure or function to store in library.
thanks
Ali
> please send me one simple example for create library
> then create any function in library.
> 2nd is any package can be create in library or not??
> Thanks S.K
> Ali
Have you checked the link?
A simple example is provided.
I think What I understood from your post is that, you want to put function/ Proc and want to call that as Library ..
Which is not possible.
For example an external routine is a third-generation language procedure stored in a
dynamic link library (DLL), registered with PL/SQL, and called by the DBA to perform
special-purpose processing.
In Unix a dynamic link library is known as a shared object (so).
At run time, PL/SQL loads the library dynamically, then calls the routine as if it were a
PL/SQL subprogram. To safeguard our database, the routine runs in a separate address
space, but it participates fully in the current transaction. Furthermore, the routine can
make a call back to the database to perform SQL operations.
To identify a DLL we have to use CREATE LIBRARY command.
The CREATE LIBRARY command is used to create a schema object, library, which
represents an operating-system shared library, from which SQL and PL/SQL can call
external third-generation-language (3GL) functions and procedures.
Learn something more on External Procedures
-SK
-
Sql Developer - View source code of procedures, functions & packages in another schema
Our developers need the ability to view procedures, function, packages etc. in the production database (using SQL DEVELOPER). They don't have access to sign on as the owner of these
objects in Production. They must use their own limited access UserID for this purpose.
This limited access UserID has been granted select privilege on DBA_SOURCE & DBA_OBJECTS. The developers need the ability to view the source of these object via
the tree view in SQL DEV. They should be able to click on "other users" in the SQL DEV tree view and see a listing of the owner schema objects. Then they should
be able to select the desired object and view the source code. These developers are used to using GUI interfaces. Selecting from DBA_SOURCE would not be an
option for them.
I understand that if the limited user is granted SELECT ANY DICTIONARY or SELECT_CATALOG_ROLE then this functionality will work. The problem is those
privileges/roles provide much more access than should be granted to these limited access users. Granting DBA to these users is also not an option.
In TOAD and other end-user tools this functionality works when only select privilege on DBA_SOURCE & DBA_OBJECTS has been granted. We need this same functionality
in SQL DEV.
While searching this forum and the internet, I see that other installations have this same issue.
Please enhance SQL Developer with this functionality.
Thank you, ellen
Just to double check that I'm interpreting the problem correctly, is the following true:
select * from all_objects where object_name = 'DBA_SOURCE'
returns nothing
select * from dba_source where name = your PL/SQL module
returns all the code
-
How to create a function/procedure which can take optional parameter?
Hi,
I want to create a function or a procedure which can take optional parameters. For example, I want to create fun1() or fun1(param1) like this. Only one function will act differently when different number of parameters are passed to it. Something like the substr() function in oracle. It can be called with 2 parameters, as well as three parameters.
Thanks in advance,
Kiran
There are two ways of doing this. The regular way would be to add a DEFAULT clause to your function declaration:
-- Function can be called with 1 or 2 parameters
FUNCTION xxxx
( param_one NUMBER
, param_two VARCHAR2 DEFAULT NULL )
RETURN VARCHAR2;
Or, if your functions are declared in a package you can do some over-loading:
PACKAGE yyyy
IS
-- Function with 1 parameter
FUNCTION xxxx
( param_one NUMBER )
RETURN VARCHAR2;
-- Function with 2 parameters
FUNCTION xxxx
( param_one NUMBER
, param_two VARCHAR2 )
RETURN VARCHAR2;
END;
If you are calling server-side functions from client-side tools (like OracleForms) you may need to use this second method.
-
How to create a procedure function with a return value of ref cursor?
Can anybody provide a sample about how to create a procedure function with a return value of REF CURSOR?
I heard if I can create a function to return a ref cursor, I can use VB to read its recordset.
Thanks a lot.
http://osi.oracle.com/~tkyte/ResultSets/index.html
-
How Create procedure or function with ADO ?
Hello,
How Create procedure or function with ADO? It's my question.
Thanks.
Henri
This message is posted by Taiwan-ChangHaw-Oracle-Stored-Procedure-For-Business-Rule-Club
// Both methods are members of a class that holds the ADODB.Connection field m_conn.
using System;
using System.Collections;

public bool ConnectDatabase()
{
    try
    {
        string strConnectionString =
            "Provider=OraOLEDB.Oracle" + ";" +
            "Data Source=" + ConnectionParams.Datasource + ";" +
            "User Id =" + ConnectionParams.Username + ";" +
            "Password =" + ConnectionParams.Password;
        m_conn = new ADODB.Connection();
        m_conn.ConnectionString = strConnectionString;
        m_conn.Open("", "", "", 0); // Open the connection
    }
    catch (Exception e)
    {
        System.Windows.Forms.MessageBox.Show(e.Message);
        return false;
    }
    return true; // connected successfully
}

public void InsertDescription(string p_product, string p_language, string p_tname, string p_tdescription)
{
    string sql = "{Call inserttranslateddescription(?,?,?,?,?)}";
    try
    {
        ADODB._Command cmd = new ADODB.Command(); // Create a command object
        cmd.ActiveConnection = m_conn; // Set its active connection to open connection
        ADODB.Properties properties = cmd.Properties; // Get the command properties into ADODB Properties object
        IEnumerator ienum = properties.GetEnumerator(); // Get an enumerator on above properties
        ADODB.Property singleprop;
        while (ienum.MoveNext()) // iterate through the enumerator
        {
            singleprop = (ADODB.Property)ienum.Current; // Get the current property from enumerator
            string propname = singleprop.Name; // Get the name of current property
            if (propname.Equals("NDatatype")) // if the property is 'NDatatype' set its value to true
                singleprop.Value = true;
        }
        cmd.CommandType = ADODB.CommandTypeEnum.adCmdText;
        int pid = Int32.Parse(p_product);
        // Bind every value as a parameter; nothing is concatenated into the SQL text
        ADODB._Parameter langid = cmd.CreateParameter("langid", ADODB.DataTypeEnum.adChar, ADODB.ParameterDirectionEnum.adParamInput, 100, p_language);
        ADODB._Parameter productid = cmd.CreateParameter("productid", ADODB.DataTypeEnum.adNumeric, ADODB.ParameterDirectionEnum.adParamInput, 100, pid);
        ADODB._Parameter tname = cmd.CreateParameter("tname", ADODB.DataTypeEnum.adBSTR, ADODB.ParameterDirectionEnum.adParamInput, 50, p_tname);
        ADODB._Parameter tdescription = cmd.CreateParameter("tdescription", ADODB.DataTypeEnum.adBSTR, ADODB.ParameterDirectionEnum.adParamInput, 50, p_tdescription);
        ADODB._Parameter check = cmd.CreateParameter("check", ADODB.DataTypeEnum.adNumeric, ADODB.ParameterDirectionEnum.adParamOutput, 100, 0);
        cmd.Parameters.Append(langid);
        cmd.Parameters.Append(productid);
        cmd.Parameters.Append(tname);
        cmd.Parameters.Append(tdescription);
        cmd.Parameters.Append(check);
        cmd.CommandText = sql;
        // Execute the command to insert product details in database
        object recs;
        object param = p_language;
        cmd.Execute(out recs, ref param, 1);
        ienum.Reset();
        while (ienum.MoveNext()) // iterate through enumerator
        {
            singleprop = (ADODB.Property)ienum.Current; // Get the current property in to Property object
            string propname = singleprop.Name; // Get the name of current property
            if (propname.Equals("NDatatype")) // if it is 'NDatatype' set its value back to false
                singleprop.Value = false;
        }
        IEnumerator iprop = cmd.Parameters.GetEnumerator(); // Get the enumerator for command parameters
        while (iprop.MoveNext()) // loop through enumerator
        {
            // Get the current parameter in enumerator
            ADODB._Parameter checkval = (ADODB._Parameter)iprop.Current;
            if (checkval.Name.Equals("check")) // if the parameter is 'check'
            {
                if (checkval.Value.ToString().Equals("0")) // If check's value is zero data was inserted
                    System.Windows.Forms.MessageBox.Show("Product details Inserted successfully");
                else
                    System.Windows.Forms.MessageBox.Show("Product Details Updated"); // else data was updated
            }
        }
    }
    catch (Exception e)
    {
        System.Windows.Forms.MessageBox.Show(e.Message); // Display any error message
    }
}
-
Why there are 2 options IS/AS while creating procedure or function
why there are 2 options available IS/AS while creating procedure or function ?
Like
create or replace procedure test (p_nbr NUMBER) AS
create or replace procedure test (p_nbr NUMBER) IS
tried both the options observed same result..
Is there any difference between IS and AS ?
SShubhangi wrote:
> why there are 2 options available IS/AS while creating procedure or function ?
> Like
> create or replace procedure test (p_nbr NUMBER) AS
> create or replace procedure test (p_nbr NUMBER) IS
> tried both the options observed same result..
> Is there any difference between IS and AS ?
Technically... there is no difference.
In terms of the English language, it would depend what you're describing...
[ do some action ] AS follows...
[ this object ] IS defined like this...
So in programming language terms you could say that:
create or replace procedure test (p_nbr NUMBER) AS...
reads more naturally than
create or replace procedure test (p_nbr NUMBER) IS...
because it is an "action" of creating or replacing something.
whereas, for example, a procedure in a package...
procedure test (p_nbr NUMBER) IS...
is more clear than
procedure test (p_nbr NUMBER) AS...
because this is stating what the procedure IS, rather than an action of creating it. (the package itself would be "create package ... AS")
As far as Oracle is concerned though, it doesn't care, they are both interchangeable. For me personally, I like to use the one that makes it clearly readable.
-
Is it possible to create Socket using Java Stored Procedures/Function(Ora)?
Hello Friends,
Is it possible to create Socket using Java Stored Procedures/Function in Oracle?
OR
How I can send a message from oracle to Java Desktop Application which is working like server program?
Please Guide !!
J3Ganesh wrote:
> Hello Friends,
> Is it possible to create Socket using Java Stored Procedures/Function in Oracle?
No, Oracle was very careful to take that feature out of the JDK provided in Oracle 10/11, but you can buy that feature back for, if I remember correctly, about 5000 dollars. (I actually raised a service request on this and then told my rep what I thought about the answer I received--something along the line of money grubbing so and so....)
> How I can send a message from oracle to Java Desktop Application which is working like server program?
You can make a table and poll it from time to time from the Java side and write and commit whatever you want to the table. I do not know any way to send a signal from Oracle DB to an external Java application--Java or PL/SQL stored procedure.
-
How to create procedure having delete statement with between function?
I am very new in SQL Development, I want to create a procedure having two date variable start and end and these two variable i want to use in procedure body to delete data from a specific table between two date duration.
Please guide
Thanks,
create procedure some_proc (start_date date, end_date date)
as
begin
delete from your_table
where your_date_column between start_date and end_date;
end some_proc;
/
-
Read access to procedures,function,packages and triggers
Hi,
I created a user with CREATE SESSION,SELECT ANY TABLE privilege. My objective is to create a user with read only access to other schemas. But the newly created user is not able to read procedures,function,packages and triggers. The new user need read access to procedures,function,packages and triggers. What is the privilege required for this access? Please help me to resolve this issue.
Regards,
Mat.
Hi,
Grant select all will give select privileges to all schema level objects except procedures,function,packages and triggers. But I need to grant read privileges on these objects to newly created user.
Regards,
Mat.
-
Hi all,
I would like to understand what is my errors in this procedure :
* I get : Warning: Procedure created with compilation errors.
Anyone could help me please?
* This procedure drop all the objects in the current schema.
CREATE OR REPLACE PROCEDURE DROPOBJECTS
AS
cursor c_get_objects is
select object_type,'"'||object_name||'"'||decode(object_type,'TABLE' ,' cascade constraints',null) obj_name from user_objects
where object_type in ('TABLE','VIEW','PACKAGE','SEQUENCE','PROCEDURE','FUNCTION',
'SYNONYM', 'MATERIALIZED VIEW') AND (object_name NOT LIKE '%BIN$%')
order by object_type;
cursor c_get_objects_type is select object_type, '"'||object_name||'"' obj_name from user_objects where object_type in ('TYPE');
begin
for object_rec in c_get_objects loop
execute immediate ('drop '||object_rec.object_type||' ' ||object_rec.obj_name);
end loop;
for object_rec in c_get_objects_type loop
execute immediate ('drop '||object_rec.object_type||' ' ||object_rec.obj_name);
end loop;
END
thanks to all.
The status is INVALID
When I compile the procedure, I get :
SQL> ALTER PROCEDURE jim.dropobjects COMPILE;
Warning: Procedure altered with compilation errors.
I'm able to run the script by command line :
------------ original script -------------------
declare
cursor c_get_objects is
select object_type,'"'||object_name||'"'||decode(object_type,'TABLE' ,' cascade constraints',null) obj_name from user_objects
where object_type in ('TABLE','VIEW','PACKAGE','SEQUENCE','PROCEDURE','FUNCTION',
'SYNONYM', 'MATERIALIZED VIEW') AND (object_name NOT LIKE '%BIN$%')
order by object_type;
cursor c_get_objects_type is select object_type, '"'||object_name||'"' obj_name from user_objects where object_type in ('TYPE');
begin
for object_rec in c_get_objects loop
execute immediate ('drop '||object_rec.object_type||' ' ||object_rec.obj_name);
end loop;
for object_rec in c_get_objects_type loop
begin execute immediate ('drop '||object_rec.object_type||' ' ||object_rec.obj_name);
end;
end loop;
end;
But, I have to create a function available to some developer users. so, I try to convert the script into a procedure.
SqlPlus does not indicate the specific error.
-
Idea for package/procedure/function distribution ??
Hi all
We have multiple databases (10.2.0.3). And we have a lot of "utility" packages for both appl. util and for DBA utils.
We have created a XXXUTIL schema on each database.
How do we keep those schemas in sync automatically - apart from doing export/import? We will name one "master" and all others should be in sync with this one schema (packages/procedures/functions/views)
Is there a smarter way of doing this, a pull or push replication solution. We are on the 10g Enterprise version.
Ideas appreciated
best regards
Mette
Hi,
As you said you got a lot of utility Packages, I think you can directly compile those scripts one you changed in the master DB, there won't be any thing to Sync the Procedures from One DB to another DB.
If it is a data then, you might gone for DB Link, Streams etc., for replicating the data.
In order to automate your need to write a script for logging into DB and running set of scripts and disconnecting - a shell script.
Just think is that your requirement.!!
Pavan Kumar N
-
Grant Permission to create/drop functions only
I have to grant permissions to a user to drop/create/execute functions owned by several schemas. How do I do it without giving away the keys?
Thanks
AFAIK ALTER SCHEMA + CREATE FUNCTION does not allow to do anything with a table.. in fact the user can't even select from the function he creates. - Unless he _owns_ the schema already..
The second is correct, the first is not:
CREATE PROCEDURE somesp AS PRINT 'Created by dbo'
go
CREATE TABLE sometable (a int NOT NULL, b int NOT NULL)
go
CREATE USER funcuser WITHOUT LOGIN
GRANT CREATE FUNCTION TO funcuser
GRANT ALTER ON SCHEMA::dbo TO funcuser
go
EXECUTE AS USER = 'funcuser'
go
CREATE FUNCTION funky_user() RETURNS nvarchar(23) AS
BEGIN
RETURN 'Created by funcuser'
END
go
SELECT dbo.funky_user()
go
ALTER PROCEDURE somesp AS PRINT 'Altered by funcuser'
go
ALTER TABLE sometable DROP COLUMN b
go
REVERT
go
EXEC somesp
SELECT b FROM sometable
go
DROP PROCEDURE somesp
DROP TABLE sometable
DROP FUNCTION funky_user
DROP USER funcuser
Also, what do you mean by "without giving away the keys" - what "keys"? Do you have some form of data encryption in place?
I interpreted this pictorially. That is, how do I give out this permission without permitting the user to take over the database. As seen from above, ALTER on SCHEMA does not give away the entire key-ring, but more keys than may be desired.
Erland Sommarskog, SQL Server MVP, [email protected]