Privileges and role
I use CS_ADMIN to log in to the DB and query its roles:
select * from dba_role_privs where grantee = 'CS_ADMIN';
GRANTEE GRANTED_ROLE ADMIN_OPTION DEFAULT_ROLE
CS_ADMIN RESOURCE NO YES
CS_ADMIN CONNECT NO YES
CS_ADMIN DBA NO YES
Then I query the DBA role's privileges:
select * from role_sys_privs rsp WHERE rsp.privilege LIKE '%TABLESPACE%' AND rsp.role = 'DBA';
ROLE PRIVILEGE
DBA DROP TABLESPACE
DBA ALTER TABLESPACE
DBA CREATE TABLESPACE
DBA MANAGE TABLESPACE
Then we can see that the CS_ADMIN user has the DBA role and the DBA role can create tablespaces.
But when I use CS_ADMIN to create a procedure in a package that runs the statement
EXECUTE IMMEDIATE 'create tablespace...';
the procedure throws an error: ORA-01031: insufficient privileges
But I can directly run the 'create tablespace...' statement in the command pattern.
Why?
Thanks.
I recommend before you post you always search for the error.
There have been questions in this forum on this very error really more than a million times, just because most people don't like to put effort in resolving their own issues.
That said, the cause is always the same: roles are disabled during compilation of pl/sql.
However, I think creating a tablespace in pl/sql is fundamentally evil, as it makes you lose control over the database.
Sybrand Bakker
Senior Oracle DBA
Similar Messages
-
Privileges and Roles Based Views
Hello,
I have been configuring Role-Based Views with Windows RADIUS authentication on our 2960's and 3750's and it is working great. I have 2 users, one with a Role-Based View called "priv3" and the other is for admins logging in as the "root" view. I have one Windows Active Directory group for "priv3" users and the other for admins using "root".
Now I have to configure this on our 2955 switches and to my horror they don't seem to support Role-Based Views!! If you know whether they can then all this would be solved; I've been using the latest IOS c2955-i6k2l2q4-mz.121-22.EA13.bin.
How can I convert the Role-Based Views to privileges and use RADIUS and not affect the other switches, as I've never used privileges.
I hope someone can help with the config:
Below is the config I use on the 2960's and 3750's and also what I use on the RADIUS servers. I guess I would need to use a priv 15 setup and a custom view called priv3?
Priv3 radius user settings
cisco av-pair cli-view-name=priv3
Priv 15 or root user settings
cisco av-pair shell:priv-lvl=15
cisco av-pair shell:cli-view-name=root
Config:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname 3750
boot-start-marker
boot-end-marker
logging buffered 64000
logging console informational
logging monitor informational
enable secret 5 $1$1UGK$kHB.S2UwMVXaG3C0
username admin privilege 15 secret 5 $1$BsaS$cLHllovL2ZFb1
username priv3users view priv3 secret 5 $1$JfnH$vUu.B.natnyB.
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default line
aaa authorization console
aaa authorization exec default group radius local
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 3:00
switch 1 provision ws-c3750g-12s
switch 2 provision ws-c3750g-12s
system mtu routing 1500
udld aggressive
no ip domain-lookup
ip domain-name CB-DI
login on-failure log
login on-success log
crypto pki trustpoint TP-self-signed-3817403392
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3817403392
revocation-check none
rsakeypair TP-self-signed-3817403392
crypto pki certificate chain TP-self-signed-3817403392
certificate self-signed 01
removed
quit
archive
log config
logging enable
logging size 200
notify syslog contenttype plaintext
hidekeys
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 10 priority 8192
vlan internal allocation policy ascending
ip ssh version 2
interface GigabitEthernet1/0/1
interface GigabitEthernet1/0/24
interface Vlan1
description ***Default VLAN not to be used***
no ip address
no ip route-cache
no ip mroute-cache
shutdown
interface Vlan10
description ****
ip address 10.10.150.11 255.255.255.0
no ip route-cache
no ip mroute-cache
ip default-gateway 10.10.150.1
ip classless
no ip http server
ip http secure-server
logging trap notifications
logging facility local4
logging source-interface Vlan10
logging 10.10.21.8
logging 172.23.1.3
access-list 23 permit 10.10.1.65
snmp-server community transm1t! RO
snmp-server trap-source Vlan10
radius-server host 10.10.1.33 auth-port 1645 acct-port 1646 key 7 090D7E080D37471E48
radius-server host 10.10.1.34 auth-port 1645 acct-port 1646 key 7 08607C4F1D2B551B51
radius-server vsa send accounting
radius-server vsa send authentication
line con 0
exec-timeout 60 0
logging synchronous
line vty 0 4
access-class 23 in
exec-timeout 60 0
logging synchronous
transport input ssh
line vty 5 14
access-class 23 in
no exec
transport input ssh
parser view priv3
secret 5 $1$XSCo$feyS.YaFlakfGYUgKHO/
! Last configuration change at 16:34:56 BST Fri Apr 13 2012
commands interface include shutdown
commands interface include no shutdown
commands interface include no
commands configure include interface
commands exec include configure terminal
commands exec include configure
commands exec include show ip interface brief
commands exec include show ip interface
commands exec include show ip
commands exec include show arp
commands exec include show privilege
commands exec include show interfaces status
commands exec include show interfaces Vlan10 status
commands exec include show interfaces Vlan1 status
commands exec include show interfaces GigabitEthernet2/0/12 status
commands exec include show interfaces GigabitEthernet2/0/11 status
commands exec include show interfaces GigabitEthernet2/0/10 status
commands exec include show interfaces GigabitEthernet2/0/9 status
commands exec include show interfaces GigabitEthernet2/0/8 status
commands exec include show interfaces GigabitEthernet2/0/7 status
commands exec include show interfaces GigabitEthernet2/0/6 status
commands exec include show interfaces GigabitEthernet2/0/5 status
commands exec include show interfaces GigabitEthernet2/0/4 status
commands exec include show interfaces GigabitEthernet2/0/3 status
commands exec include show interfaces GigabitEthernet2/0/2 status
commands exec include show interfaces GigabitEthernet2/0/1 status
commands exec include show interfaces GigabitEthernet1/0/12 status
commands exec include show interfaces GigabitEthernet1/0/11 status
commands exec include show interfaces GigabitEthernet1/0/10 status
commands exec include show interfaces GigabitEthernet1/0/9 status
commands exec include show interfaces GigabitEthernet1/0/8 status
commands exec include show interfaces GigabitEthernet1/0/7 status
commands exec include show interfaces GigabitEthernet1/0/6 status
commands exec include show interfaces GigabitEthernet1/0/5 status
commands exec include show interfaces GigabitEthernet1/0/4 status
commands exec include show interfaces GigabitEthernet1/0/3 status
commands exec include show interfaces GigabitEthernet1/0/2 status
commands exec include show interfaces GigabitEthernet1/0/1 status
commands exec include show interfaces Null0 status
commands exec include show interfaces
commands exec include show configuration
commands exec include show
commands configure include interface GigabitEthernet1/0/1
commands configure include interface GigabitEthernet1/0/2
commands configure include interface GigabitEthernet1/0/3
commands configure include interface GigabitEthernet1/0/4
commands configure include interface GigabitEthernet1/0/5
commands configure include interface GigabitEthernet1/0/6
commands configure include interface GigabitEthernet1/0/7
commands configure include interface GigabitEthernet1/0/8
commands configure include interface GigabitEthernet1/0/9
commands configure include interface GigabitEthernet1/0/10
commands configure include interface GigabitEthernet1/0/11
commands configure include interface GigabitEthernet1/0/12
commands configure include interface GigabitEthernet2/0/1
commands configure include interface GigabitEthernet2/0/2
commands configure include interface GigabitEthernet2/0/3
commands configure include interface GigabitEthernet2/0/4
commands configure include interface GigabitEthernet2/0/5
commands configure include interface GigabitEthernet2/0/6
commands configure include interface GigabitEthernet2/0/7
commands configure include interface GigabitEthernet2/0/8
commands configure include interface GigabitEthernet2/0/9
commands configure include interface GigabitEthernet2/0/10
commands configure include interface GigabitEthernet2/0/11
commands configure include interface GigabitEthernet2/0/12
ntp logging
ntp clock-period 36028961
ntp server 10.10.1.33
ntp server 10.10.1.34
end
Thanks!!!!
DBelt
--
Hopefully this example suffices.
Setup
SQL> CREATE USER test IDENTIFIED BY test;
User created.
SQL> GRANT CREATE SESSION TO test;
Grant succeeded.
SQL> GRANT CREATE PROCEDURE TO test;
Grant succeeded.
SQL> CREATE ROLE test_role;
Role created.
SQL> GRANT CREATE SEQUENCE TO test_role;
Grant succeeded.
SQL> GRANT test_role TO test;
logged on as Test
SQL> CREATE OR REPLACE PACKAGE definer_rights_test
2 AS
3 PROCEDURE test_sequence;
4 END definer_rights_test;
5 /
Package created.
SQL> CREATE OR REPLACE PACKAGE BODY definer_rights_test
2 AS
3 PROCEDURE test_sequence
4 AS
5 BEGIN
6 EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
7 END;
8 END definer_rights_test;
9 /
Package body created.
SQL> CREATE OR REPLACE PACKAGE invoker_rights_test
2 AUTHID CURRENT_USER
3 AS
4 PROCEDURE test_sequence;
5 END invoker_rights_test;
6 /
Package created.
SQL> CREATE OR REPLACE PACKAGE BODY invoker_rights_test
2 AS
3 PROCEDURE test_sequence
4 AS
5 BEGIN
6 EXECUTE IMMEDIATE 'CREATE SEQUENCE test_seq';
7 END;
8 END invoker_rights_test;
9 /
Package body created.
SQL> EXEC definer_rights_test.test_sequence;
BEGIN definer_rights_test.test_sequence; END;
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "TEST.DEFINER_RIGHTS_TEST", line 7
ORA-06512: at line 1
SQL> EXEC invoker_rights_test.test_sequence;
PL/SQL procedure successfully completed.
SQL> SELECT test_seq.NEXTVAL from dual;
NEXTVAL
1 -
System Privileges, Object Privileges and Roles in Oracle 10g r2
Hello,
I am looking for comprehensive details about each and every role and privilege (both object and system) that are available in standard Oracle EE 10g r2.
I have visited the administrator reference manual and other documents from docs.oracle.com but could not find this information.
Can anyone redirect me to an appropriate URL or documentation that details the whats and hows of each and every role and privilege?
Thanks,
R
Rich V wrote:
Hello,
I am looking for comprehensive details about each and every role and privilege (both object and system) that are available in standard Oracle EE 10g r2.
I have visited the administrator reference manual and other documents from docs.oracle.com but could not find this information.
Can anyone redirect me to an appropriate URL or documentation that details the whats and hows of each and every role and privilege?
Thanks,
R
Hi, you can use the dba_role_privs and role_sys_privs views; for more information see
http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/admusers.htm
http://www.cuddletech.com/articles/oracle/node36.html -
ValidTo and ValidFrom for privileges and roles (since SP2) - no effect
Hi IDM Community,
has anybody tried the new functionality that you can enter validfrom and validto values for role assignments and privilege assignments in business roles?
In my case I can define these values in a workflow but I don't see any effect. There are no values for these attributes written to the database. I think that normally there should be some MX_PENDING_VALUE objects created in which the validfrom, validto should be stored. But nothing happens. When I define a validfrom, validto value for a privilege in a business role and submit the change and view the details of the role again there is no validto or validfrom assigned for this privilege.
Has anybody encountered the same problem?
BR
Jörn Kaplan
Hello,
I am testing the abap -- initial load (SP2)"WriteABAPUsersRolePrivilegeAssigments"-pass with the ValidTo and ValidFrom and the "sap_getTimeDependentPrivilege"- Jscript.
There is always an error:
"putNextEntry failed storingXXXXXXX
Exception from Modify operation:java.lang.IllegalArgumentException: Entry does not exist - entry: XXXXXXX
The logonuid XXXXXXX is stored in sap%$rep.$NAME%roleAssign and sap%$rep.$NAME%role.
SP1 is running!
But I don't want to lose TimeDependentPrivilege like in Initial Load (SP1)
Who can help me?
BR Chris -
Hi All
I did some queries
SELECT GRANTEE, PRIVILEGE,GRANTABLE FROM DBA_TAB_PRIVS
WHERE TABLE_NAME='TABLE1' AND GRANTEE IN ('USER1', 'USER_ROLE');
GRANTEE PRIVILEGE GRANTABLE
USER1 SELECT NO
USER1 INSERT NO
USER1 DELETE NO
USER1 UPDATE NO
USER_ROLE SELECT YES
USER_ROLE INSERT YES
USER_ROLE DELETE YES
USER_ROLE UPDATE YES
SELECT 'ROLE' TYP, GRANTEE, GRANTED_ROLE, ADMIN_OPTION FROM DBA_ROLE_PRIVS WHERE GRANTEE ='USER1';
TYP GRANTEE GRANTED_ROLE ADMIN_OPTION
ROLE USER1 CONNECT NO
ROLE USER1 RESOURCE NO
ROLE USER1 USER_ROLE NO
My question is: since USER1 is granted the role USER_ROLE, will it cause a conflict with the table privilege?
Because I can't perform an Insert when I'm using USER1. It gives me an error of ORA-01031: insufficient privileges SQL source: ..
Since you did not mention how you are performing the Inserts/DMLs on TABLE1, and you are facing privilege issues, I presume you are performing it from a PL/SQL block. However, the privileges acquired via a role are not valid in a function/procedure. You need to have explicit privileges to perform an action in a function/procedure.
Even without the privilege, you would be able to perform the Inserts/DML's as in static SQL statements that are not contained in PL/SQL blocks.
Try:
grant insert on table1 to user1; -
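A worked check for the point made in this answer and in the first thread on this page (the ORA-01031 raised from a definer's-rights package): this is an added example, not code from either thread. The user APP_OWNER, the role APP_ROLE, the procedure name and the password are constructed for the illustration; run the DBA parts as a user with DBA privileges and the rest connected as APP_OWNER.

```sql
-- Added example (constructed names; not code from the thread).
-- Step 1, as a DBA: give APP_OWNER the CREATE SEQUENCE privilege only through a role.
CREATE USER app_owner IDENTIFIED BY "Placeholder_Pw1";   -- password is a placeholder
GRANT CREATE SESSION, CREATE PROCEDURE TO app_owner;
CREATE ROLE app_role;
GRANT CREATE SEQUENCE TO app_role;
GRANT app_role TO app_owner;

-- Step 2, connected as APP_OWNER (CONNECT app_owner/<password>):
-- the role is active in an interactive session ...
SELECT role FROM session_roles;                       -- APP_ROLE
SELECT privilege FROM session_privs
 WHERE privilege = 'CREATE SEQUENCE';                 -- one row

-- ... but disabling roles, which is the state definer's-rights PL/SQL runs in,
-- removes the privilege and the DDL fails the same way the package did.
SET ROLE NONE;
SELECT privilege FROM session_privs
 WHERE privilege = 'CREATE SEQUENCE';                 -- no rows selected
CREATE SEQUENCE seq_probe;                            -- ORA-01031: insufficient privileges
SET ROLE ALL;

-- The same thing seen from inside PL/SQL: a definer's-rights procedure sees no roles at all.
CREATE OR REPLACE PROCEDURE count_roles_in_plsql AUTHID DEFINER AS
  v_roles NUMBER;
BEGIN
  SELECT COUNT(*) INTO v_roles FROM session_roles;
  DBMS_OUTPUT.PUT_LINE('roles active inside the procedure: ' || v_roles);  -- 0
END;
/
SET SERVEROUTPUT ON
EXEC count_roles_in_plsql;

-- Step 3, diagnosis: is a given system privilege granted directly, or only via a role?
-- A privilege that appears only under a ROLE row is the one that fails inside a procedure.
SELECT 'DIRECT' AS source, privilege
  FROM user_sys_privs
 WHERE privilege = 'CREATE SEQUENCE'
UNION ALL
SELECT 'ROLE ' || role, privilege
  FROM role_sys_privs
 WHERE privilege = 'CREATE SEQUENCE';

-- Step 4, the fix, as a DBA: a direct grant is honoured inside definer's-rights units.
GRANT CREATE SEQUENCE TO app_owner;
-- Re-running step 3 now also returns a DIRECT row, and a definer's-rights package such as
-- definer_rights_test from the first thread would succeed.
```

SET ROLE NONE reproduces, from a plain SQL*Plus session, the privilege set a definer's-rights unit actually executes with, so it is the quickest way to tell a role-only grant from a direct one before touching any PL/SQL. The fix is the direct grant; the alternative is AUTHID CURRENT_USER when the caller's own privileges are the ones that should apply, as the invoker_rights_test package in the first thread shows.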
Users, privileges and roles problem!
Hi everyone,
I am using oracle 10.2.0.
I have a user (dba1) who is the owner of tables in my database. I have connected to sqlplus as sysdba and created the role <b>admin</b> and granted the admin all the privileges.
SQL> grant all privileges to admin;
Grant succeeded.
SQL>
Then I granted the <b>admin</b> role to the user dba1:
SQL> grant admin to dba1;
Grant succeeded.
I have created another role, sel_role, and given that role the privileges to select tables. For example:
SQL> grant select on kund to sel_role;
Grant succeeded.
Now I have created another user, Anton, and have given that user the role sel_role:
grant sel_role to Anton;
Grant succeeded.
Now when I try to log in as anton and try to use the select statement which is given to Anton by sysdba, using the sel_role, to select the table kund, I get an error:
SQL> connect anton/oracle
Connected.
SQL> select * from kund;
select * from kund
ERROR at line 1:
ORA-00942: table or view does not exist
What could be the solution to this problem?
Thanks in advance
Solomon Yakobson wrote:
Connect as sysdba and issue:
ALTER USER anton DEFAULT ROLE ALL;
SY.
Same problem!
SQL> alter user anton default role all;
User altered.
SQL> connect anton/oracle
Connected.
SQL> select * from kund;
select * from kund
ERROR at line 1:
ORA-00942: table or view does not exist -
Advanced Group Policy Management - On privileges and roles
Hello!
We are rolling out AGPM 4.0 SP2. Seems to work well enough.
We currently have more than one set of standard permissions. For example, our Citrix team controls GPOs for Citrix, our Desktop team controls GPOs for desktops, etc.
Is there no way to delineate this in AGPM?
My first thought was that I could use PowerShell to rapidly set, and regularly audit and auto-correct these privileges. True to Group Policy form, there is limited PowerShell support - in this case, none at all.
My second thought was that templates might include AGPM roles. So I could say 'Group X has privileges to Template A,' 'Group Y and Z have privileges to Template B,' and so forth. When I create a template, it would include those permissions.
Nope.
I'm all for opening up access, but this might be a tough sell. Am I the only one who has disparate security boundaries around group policies? Am I overlooking a solution to this?
Thanks!
RCM
Have you thought about multiple AGPM Servers, one for each group? Each AGPM store could utilize separate standard permissions and control the subset of policies which are within the scope of the group. You can even use Group Policy itself to manage a multiple AGPM Server environment.
Brandon
MDOP on the Springboard Series on TechNet -
DFD diagram and ER crossmatrix for role definitions and role's privileges on objects
Hello,
Having the question on derivative use of combination of DFDs and ER diagrams ( let us be more fixes and focus on Relational model ).
In DFD there are defined external entities and functions, data flows and data stores that are forming processes.
Functions represents procedures, transactions, transformations.
Dataflows presents procedures parameters, intermediate reports, temporary table data, data that is passed , retrieved/written, signals, triggers/events that controle or trigger function...
Context of my question is focused on external entities.
External entity suppose to denote the sourced or destinationed system ( for example Archiving system ) or operator, system that is out of scope of the DFD and it is mentioned just as target or destination or source of dataflow or control flow.
In context of these understandings I am using external entity also for types of users of the system: staff that is triggering functions or schedulers or job managers, or reporting systems ( or components of reporting systems like for example business intelligence extraction processes ).
What is my problem that on basis of external entity definitions and E/R model also define roles and privilege classes for access to data objects.
And from those generating ddls for database roles, privileges on entitities to those roles.
But in privileges granting to role having two different kind of privileges on data objects:
- privileges that are granted on various schema objects
For example role1 has grant on tab1, view2, procedure1, package3,
- the other type of privilege is based on the scope or range of semantically defined scope or semantic area.
Semantic area is scattered through tables because of normalisation and using semantic area as entity of which primary key is
partitioning the table data through many semantic areas.
So this privilege should be granted on basis of the rows in table not column ( more semantically then structurally ...row oriented more than column ).
Both privileges that are granted to roles are also basis for functional roles
( privilege that is granted that functional role has grant to trigger or execute some function or process ).
My question is?
How do you handle modeling technology for analysis and design for role privileges and consolidation between database and functional roles ?
Grateful for any idea, experience and suggestions.
Hello,
Guess I was looking for the formal sequence of steps that would bring me to the
ddls for "create role ..." and "grant privileges to role".
You can do that.
1) I assume you have logical model and it's engineered to relational model, also you have data flow diagram created
2) You need to define information structures for flows connecting "Information store" to primitive process - attribute usage of particular entities should be defined for those "information structures" processed in flows
3) You need to define create, update and delete operation for flow going from primitive process to store - read is assumed in opposite direction
4) create a role in Process model and assign primitive processes to it - list of available processes to add depends on current data flow diagram
5) You need an open physical model for your relational model
6) Select "transfer process model roles to physical model roles" from context menu of top level DFD - select roles, relational and physical model there - roles with related permissions will be created in physical model
Entity1 is divided in several subtypes for different business areas.
And account manager for business_area1 is allowed to work on subtype1 ( view on prime table )...
Different implementation of entity hierarchies are not processed correctly in that wizard - i.e to get permissions to table corresponding to child entity - that entity should be used in information structure and flow.
Philip -
Automatic Creation of Roles and Role Mappings in GRC
Hi,
we are planning to use SAP Identity Management and SAP GRC Access Management.
In SAP IDM we have defined several business roles that contain privileges in SAP systems. When a user is requesting a role, the request will first be sent to SAP GRC for approval and risk checking.
In order to get this to work, we need to load the business roles of SAP IDM into SAP GRC and we also need to configure the role mapping between the business roles and the technical SAP privileges.
From what I understood, this could be implemented by loading the required information via Excel files into SAP IDM. However, this is a quite cumbersome and error-prone approach and we would like to automate this.
Is there a way to use e.g. web service calls to create/delete roles and role mappings in SAP GRC?
BTW: is a documentation of all available GRC web service calls and their parameters available?
Thanks for your help in advance!
Best regards
Tom
Hi Tom,
as stated before, the web service description is in the config guide.
Unfortunately there is no web service to create roles or even mappings in CUP - this is one of many I would also like to see created
I don't think in your context you will be able to directly send Business Roles to CUP. The role mapping only happens after you send the request, so I'm not sure if that's in time for risk analysis - you will need to try that.
Are you a customer or a consultant - anyway, feel free to contact me if you need further help integrating CUP and IdM. This is an evolving interface with many possible scenarios, so it's not easy to give you good advice without seeing the full picture.
Frank. -
What privileges or role is required for user to acces the explain plan?
Hi mates,
Can anyone pls tell me what privileges or roles (grants) are required for a user to access the explain plan in Oracle 8i 8174..
I think the select any dictionary is not valid for explain plan accessibility in 8i.
Cheers.
I already had that... Just that a user (not a dba) requires access to the explain plan and I don't want to grant him a dba role.
Are you aware of any other grant I can give to the user? -
SAP IDM : Master privilege and Grouping
Hi Guys,
I am using SAP IDM 7.1 SP5 Patch2. I am trying to use master privilege and grouping but it does not seem to work or I did not get the concepts.
Anyone who is familiar with these two concepts.
Example : Master privilege:
i define one in Active Directory repository and i suppose that when i provision, all other privileges will wait until this one is provisioned. This is not what happens.
As soon as i assign a role with five privileges to a user, the five privileges start executing.
So create user executes five times.
Any help is appreciated
Hi Anup,
Please have a look at the schema document; if you do not have it I can send you a copy.
Here is the paragraph for the MX_PRIVILEGE ENTRY TYPE
In the schema document, I cannot see MXMEMBER_MX_PRIVILEGE as allowed for the MX_PRIVILEGE ENTRY TYPE:
Entry type MX_PRIVILEGE
Description
This entry type is to hold privileges.
Attributes
The entry type contains the following attributes:
Attribute Mandatory (Yes/No) Available as of version
DESCRIPTION No 7.1 SP1
DISPLAYNAME Yes 7.1 SP1
MSKEYVALUE Yes 7.1 SP1
MX_ACCESS_CONTROL No 7.1 SP1
MX_ADD_MEMBER_TASK No 7.1 SP1
MX_ADDMEM_DISABLE_POLICY No 7.1 SP2
MX_APPLICATION_ID No 7.1 SP4
MX_APPROVAL_TASK No 7.1 SP1
MX_APPROVERS No 7.1 SP1
MX_AUDIT_FLAGS No 7.1 SP1
MX_DEL_MEMBER_TASK No 7.1 SP1
MX_DELMEM_DISABLE_POLICY No 7.1 SP2
MX_DEPROVISIONTASK No 7.1 SP1
MX_EDIT_ATTRIBUTES No 7.1 SP1
MX_EDIT_MEMBERSHIP No 7.1 SP1
MX_ENTRYTYPE Yes 7.1 SP1
MX_GROUPING_DISABLED No 7.1 SP3 Patch 1
MX_INACTIVE No 7.1 SP1
MX_INHERIT No 7.1 SP1
MX_MANAGER No 7.1 SP1
MX_MODIFYTASK No 7.1 SP1
MX_MODIFYTASK_ATTR No 7.1 SP1
MX_OWNER No 7.1 SP1
MX_PRIVILEGE_TYPE No 7.1 SP1
MX_PROVISIONTASK No 7.1 SP1
MX_RBAC_DIRECT_PRIVILEGE No 7.1 SP1
MX_RBAC_REVERSE_PRIVILEGE No 7.1 SP1
MX_REPOSITORYNAME No 7.1 SP1
MX_REQ_PRIV No 7.1 SP2
MX_REQ_PRIV_INTERVAL No 7.1 SP2
MX_REQ_PRIV_NOMASTER_TASK No 7.1 SP2
MX_REQ_PRIV_PCYADD_MISSING No 7.1 SP2
MX_REQ_PRIV_PCYADD_PENDING No 7.1 SP2
MX_REQ_PRIV_PCYADD_REMOVING No 7.1 SP2
MX_REQ_PRIV_TIMEOUT No 7.1 SP2
MX_SEMAPHORE No 7.1 SP1
MX_TARGET_ALL No 7.1 SP1
MX_TARGET_DYNAMIC_GROUP No 7.1 SP1
MX_TARGET_SELF No 7.1 SP1
MX_VALID_MEMBERS No 7.1 SP1
MX_VIEW_ATTRIBUTES No 7.1 SP1
MXAC_ENTRY No 7.1 SP1
MXAC_MEMBERS No 7.1 SP1
MXMEMBER_MX_GROUP No 7.1 SP1
MXMEMBER_MX_PERSON No 7.1 SP1
MXMEMBER_MX_ROLE No 7.1 SP1
MXREF_MX_APPLICATION No 7.1 SP1
MXREF_MX_ROLE No 7.1 SP1
Relations
One MX_PRIVILEGE object can reference multiple MX_GROUP, MX_PERSON and
MX_ROLE objects. One MX_GROUP/MX_PERSON/MX_ROLE object can reference more
than one MX_PRIVILEGE object.
MX_PRIVILEGE object can be referenced to from MX_APPLICATION object. -
User cannot inherit privilege from Role
DD1 is a new user, CT_GROUP_USER is a role with all tables access right.
1)First, check the privilege of role CT_GROUP_USER
select table_name,privilege from dba_tab_privs where grantee='CT_GROUP_USER'
we can see CT_GROUP_USER have ALL tables' privilege.
2)Second, grant CT_GROUP_USER role to user DD1
GRANT ct_group_ADMINISTRATOR to DD1 with admin option
GRANT ct_group_USER to DD1 with admin option
select * from dba_role_privs where grantee='DD1'
we can see CT_GROUP_USER role here
3)
USE DD1 to access table ct_user, it looks DD1 did not have privilege inherited from CT_GROUP_USER
4) Do additional operation, grant a table privilege to DD1
grant select,insert,update,delete on CT_ACLENTRY to DD1 WITH GRANT OPTION
select table_name,privilege from dba_tab_privs where grantee='DD1'
DD1 ONLY have CT_ACLENTRY privilege.
USE DD1 to access ct_aclentry, it succeeds.
5) RUN below script on Oracle 10g and Oracle 11g, User DD3 can access tables on 10g but failed on 11g.
CREATE USER DD3 IDENTIFIED BY DD3
GRANT CREATE SESSION TO DD3
GRANT CT_GROUP_ADMINISTRATOR TO DD3
GRANT CT_GROUP_USER TO DD3
Question: Is there any setting for GRANT on Oracle 11g?
Additional: ALTER USER DD3 DEFAULT ROLE CT_GROUP_USER
Above command cannot let DD3 access tables, DD1 neither
1)
we can see CT_GROUP_USER have ALL tables' privilege.
Can we? You don't post results of this statement, so I can only assume you can see it, but I can't
And granting ALL privileges is a bad idea anyway.
2) Why 'with admin'?
3)
USE DD1 to access table ct_user, it looks DD1 did not have privilege inherited from CT_GROUP_USER.
For you maybe, but as you don't post any failing SQLs and any error messages, who can tell?
5) 'but failed' on 11g.
Please keep in mind this is a discussion room, not a chat room, and we can't see what you are doing.
You need all these lines to ask 'My car is broke, please fix my car'. I can't see any car from here.
Sybrand Bakker
Senior Oracle DBA -
Difference between Groups and roles?
Hi All,
What is the difference between groups and roles?
Thanks for your time and help.
Oracle does not have anything called a 'group'.
A role is a named object that can contain a set of privileges. The members of the set can be individual privileges or can be another role that contains its own set of privileges. Roles can then be granted to users (or to other roles) so that those users (or roles) have the specified privileges.
See the SQL Language reference - http://docs.oracle.com/cd/B28359_01/server.111/b28286/toc.htm
Read the topics for CREATE ROLE, GRANT and REVOKE -
Oracle Profile and Role scripts
RDBMS :Oracle 10.2
Hi,
I have several Profile and Roles on my server.
Can I extract sql to create those Profile and Roles ?
e.g. I have role datareader, I want to extract its creation script and it include all the privileges assigned to that role
thanks
try
SELECT dbms_metadata.get_ddl('ROLE', 'DATAREADER') FROM dual;
SELECT dbms_metadata.get_granted_ddl('ROLE_GRANT', 'DATAREADER') FROM dual;
SELECT dbms_metadata.get_granted_ddl('SYSTEM_GRANT', 'DATAREADER') FROM dual;
SELECT dbms_metadata.get_granted_ddl('OBJECT_GRANT', 'DATAREADER') FROM dual;
datareader should be in CAPS -
Background job fails for BDC profile creation and role assignment
Hi Experts,
I have created a BDC Function module for Tcode 'PFCG' for profile creation and role assignment, and called this FM in my zprogram. The problem is that when I run this program in foreground it executes successfully, but if I schedule it in background it fails, throwing an error in the job log: 'Role 'Z...' does not contain any active authorizations'. But I have created one more program to create authorization objects which runs before this zprogram. I have also checked the authorization object in 'RSECADMIN'; it reflects active. I don't understand what's happening exactly when it runs in background.
Below is the process of job
1. ZMIS_AUTH_OBJECT_CREATE
Variant : auth-create
2. ZMIS_AUTH_ASSIGN_TO_ROLE
Variant : auth-assign
The problem is in second program, runs in foreground but fails in background.
Code which i have written in my second program
***BDC for Profile creation and assignment to Roles
CALL FUNCTION 'ZROLE'
EXPORTING
ctu = 'X'
mode = p_mode
UPDATE = 'L'
* GROUP =
* USER =
* KEEP =
* HOLDDATE =
nodata = '/'
agr_name_neu_001 = wa_role-role_name
text_002 = wa_role-desc
text_003 = wa_role-desc
text_004 = wa_role-desc
value_01_005 = 'T-ML330881'
h_fval_low_01_006 = wa_role-auth
profn_007 = lv_profile
ptext_008 = lv_text1
* IMPORTING
* SUBRC =
TABLES
messtab = temp_message.
***Generation of Profile created
CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
EXPORTING
activity_group = wa_role-role_name
* PROFILE_NAME =
* PROFILE_TEXT =
no_dialog = ' '
rebuild_auth_data = ''
org_levels_with_star = ' '
fill_empty_fields_with_star = 'X'
template = ' '
check_profgen_tables = 'X'
generate_profile = 'X'
authority_check_pfcg = 'X'
EXCEPTIONS
activity_group_does_not_exist = 1
activity_group_enqueued = 2
profile_name_exists = 3
profile_not_in_namespace = 4
no_auth_for_prof_creation = 5
no_auth_for_role_change = 6
no_auth_for_auth_maint = 7
no_auth_for_gen = 8
no_auths = 9
open_auths = 10
too_many_auths = 11
profgen_tables_not_updated = 12
error_when_generating_profile = 13
OTHERS = 14 .
Experts please help me out, it's very urgent. Your help is appreciated and rewarded. Thanking you in advance.
Regards,
Chetan
Hi Praveen,
Yeah definitely, my requirement is that I have to give access to some BI reports to certain users, so contract data will be downloaded from ECC on the application server; I need to read that file from the application server and for each contract I should create an authorization object, role creation and assigning of the role to the user and profile generation and activation.
To achieve this i have written two programs
1) ZMIS_AUTH_OBJECT_CREATE- This program will create the Authorization Object using BDC and Role creation Using the BAPI
" Creation of authorization object
  CALL FUNCTION 'ZAUTHOBJ'
    EXPORTING
      ctu                = 'X'
      mode               = p_mode
      update             = 'L'
*     GROUP              =
*     USER               =
*     KEEP               =
*     HOLDDATE           =
      nodata             = '/'
      g_authname_001     = 'ZDUMMY_MIS'
      g_targetauth_002   = wa_tab-auth
      g_authtxt_003      = wa_tab-short_desc
      g_authtxtmd_004    = wa_tab-med_desc
      marked_04_005      = 'X'
      g_authtxt_006      = wa_tab-short_desc
      g_authtxtmd_007    = wa_tab-med_desc
      tctiobjnm_04_008   = 'ZBUS_UNIT'
      g_authtxt_009      = wa_tab-short_desc
      g_authtxtmd_010    = wa_tab-med_desc
      marked_05_011      = ''
      opt_01_012         = 'EQ'
      low_01_013         = wa_tab-bu
      g_authtxt_014      = wa_tab-short_desc
      g_authtxtmd_015    = wa_tab-med_desc
      marked_04_016      = 'X'
      g_authtxt_017      = wa_tab-short_desc
      g_authtxtmd_018    = wa_tab-med_desc
      tctiobjnm_04_019   = 'ZCONTRCT'
      g_authtxt_020      = wa_tab-short_desc
      g_authtxtmd_021    = wa_tab-med_desc
      marked_05_022      = ''
      opt_01_023         = 'EQ'
      low_01_024         = lv_contract
      g_authtxt_025      = wa_tab-short_desc
      g_authtxtmd_026    = wa_tab-med_desc
      g_authtxt_027      = wa_tab-short_desc
      g_authtxtmd_028    = wa_tab-med_desc
      g_authname_029     = wa_tab-auth
*   IMPORTING
*     SUBRC              =
    TABLES
      messtab            = temp_message.
" Creation of role
  LOOP AT it_role INTO wa_role.
    CLEAR wa_text.
    wa_text-text  = wa_role-desc.
    wa_text-langu = 'E'.
    APPEND wa_text TO it_text.
    wa_jobrole-agr_name    = wa_role-role_name.
    wa_parentrole-agr_name = 'ZM_CT_DUMMY_MIS'.
    wa_method-usmethod     = 'CHANGE'.
    CALL FUNCTION 'ZBAPI_JOBROLE_CLONE'
      EXPORTING
        jobrole    = wa_jobrole
        parent     = wa_parentrole
        method     = wa_method
      TABLES
*       RETURN     =
        shorttext  = it_text.   " the period must follow the last active parameter; a period on a commented line is not part of the statement
*       LONGTEXT   =
*       MENU_NODES =
*       MENU_TEXTS =
  ENDLOOP.
2) ZMIS_AUTH_ASSIGN_TO_ROLE - This program generates the profile created and assigns it to the role.
" BDC for profile creation and assignment to roles
  CALL FUNCTION 'ZROLE'
    EXPORTING
      ctu                = 'X'
      mode               = p_mode
      update             = 'L'
*     GROUP              =
*     USER               =
*     KEEP               =
*     HOLDDATE           =
      nodata             = '/'
      agr_name_neu_001   = wa_role-role_name
      text_002           = wa_role-desc
      text_003           = wa_role-desc
      text_004           = wa_role-desc
      value_01_005       = 'T-ML330881'
      h_fval_low_01_006  = wa_role-auth
      profn_007          = lv_profile
      ptext_008          = lv_text1
*   IMPORTING
*     SUBRC              =
    TABLES
      messtab            = temp_message.
  COMMIT WORK AND WAIT.
" Generation of profile created
  LOOP AT it_role INTO wa_role.
    CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
      EXPORTING
        activity_group                = wa_role-role_name
*       PROFILE_NAME                  =
*       PROFILE_TEXT                  =
        no_dialog                     = ' '
        rebuild_auth_data             = ''
        org_levels_with_star          = ' '
        fill_empty_fields_with_star   = 'X'
        template                      = ' '
        check_profgen_tables          = 'X'
        generate_profile              = 'X'
        authority_check_pfcg          = 'X'
      EXCEPTIONS
        activity_group_does_not_exist = 1
        activity_group_enqueued       = 2
        profile_name_exists           = 3
        profile_not_in_namespace      = 4
        no_auth_for_prof_creation     = 5
        no_auth_for_role_change       = 6
        no_auth_for_auth_maint        = 7
        no_auth_for_gen               = 8
        no_auths                      = 9
        open_auths                    = 10
        too_many_auths                = 11
        profgen_tables_not_updated    = 12
        error_when_generating_profile = 13
        OTHERS                        = 14.   " the CALL FUNCTION statement needs its terminating period before the IF
    IF sy-subrc <> 0.
      MESSAGE ID sy-msgid TYPE sy-msgty NUMBER sy-msgno
              WITH sy-msgv1 sy-msgv2 sy-msgv3 sy-msgv4.
    ENDIF.
  ENDLOOP.
For creating authorization objects, roles and profiles I have created one dummy auth, one dummy role and one dummy profile respectively.
I have created the dummy objects so that the roles can be copied from the dummy object and assigned to the new auth object, role and profile.
Let me know what needs to be done, because both of these programs run perfectly in the foreground but fail in the background.
Regards,
Chetan
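The generic MESSAGE ID sy-msgid ... block after PRGN_AUTO_GENERATE_PROFILE_NEW only reports something meaningful when the function module raised its exception with MESSAGE ... RAISING; otherwise sy-msgid and sy-msgno still hold whatever the previous statement left there, and a background run fails with no usable entry in the job log. The subroutine below is an added example, not part of Chetan's programs or of SAP's own code: it keys on sy-subrc, names the exception, and separates the authorization exceptions 5 to 8 (which are checked against the user executing the program, in a job the step user) from data problems, so a "works in foreground, fails in background" run can be told apart from a broken role. It reuses the exception list shown in the post; IT_ROLE and WA_ROLE-ROLE_NAME are the structures from the post, and setting NO_DIALOG to 'X' is an assumption made here because a job step has no dialog to show.

```abap
TYPE-POOLS abap.

* Added example (not from the original post). Generates the profile of one
* role and reports every exception of PRGN_AUTO_GENERATE_PROFILE_NEW by
* name instead of relying on sy-msgid/sy-msgno, which are only filled when
* the function module raised its exception with MESSAGE ... RAISING.
FORM generate_profile_checked USING    iv_role TYPE agr_name
                              CHANGING cv_ok   TYPE abap_bool.
  DATA: lv_reason    TYPE string,
        lv_subrc(11) TYPE c.

  cv_ok = abap_false.

  CALL FUNCTION 'PRGN_AUTO_GENERATE_PROFILE_NEW'
    EXPORTING
      activity_group                = iv_role
      no_dialog                     = 'X'   " assumption: a job step cannot show a PFCG dialog
      rebuild_auth_data             = ' '
      org_levels_with_star          = ' '
      fill_empty_fields_with_star   = 'X'
      template                      = ' '
      check_profgen_tables          = 'X'
      generate_profile              = 'X'
      authority_check_pfcg          = 'X'
    EXCEPTIONS
      activity_group_does_not_exist = 1
      activity_group_enqueued       = 2
      profile_name_exists           = 3
      profile_not_in_namespace      = 4
      no_auth_for_prof_creation     = 5
      no_auth_for_role_change       = 6
      no_auth_for_auth_maint        = 7
      no_auth_for_gen               = 8
      no_auths                      = 9
      open_auths                    = 10
      too_many_auths                = 11
      profgen_tables_not_updated    = 12
      error_when_generating_profile = 13
      OTHERS                        = 14.

  IF sy-subrc = 0.
    cv_ok = abap_true.
    RETURN.
  ENDIF.

* sy-subrc as text for the log line (WRITE TO right-aligns, so condense it)
  WRITE sy-subrc TO lv_subrc.
  CONDENSE lv_subrc NO-GAPS.

  CASE sy-subrc.
    WHEN 1.
      CONCATENATE 'Role' iv_role 'does not exist'
             INTO lv_reason SEPARATED BY space.
    WHEN 2.
      CONCATENATE 'Role' iv_role 'is locked by another session'
             INTO lv_reason SEPARATED BY space.
    WHEN 5 OR 6 OR 7 OR 8.
*     The authority check is made against the executing user (sy-uname).
*     In a background job that is the step user, who may hold fewer
*     S_USER_* authorizations than the dialog user who tested in foreground.
      CONCATENATE 'Authorization missing for user' sy-uname
                  '(exception' lv_subrc ') on role' iv_role
             INTO lv_reason SEPARATED BY space.
    WHEN 9 OR 10 OR 11.
      CONCATENATE 'Authorization data of role' iv_role
                  'is incomplete (exception' lv_subrc ')'
             INTO lv_reason SEPARATED BY space.
    WHEN OTHERS.
      CONCATENATE 'Profile generation failed for role' iv_role
                  '(exception' lv_subrc ')'
             INTO lv_reason SEPARATED BY space.
  ENDCASE.

* A type I message is written to the job log in background processing and
* shown as a popup in dialog, so one call serves both run modes; the caller
* decides through cv_ok whether to continue with the next role.
  MESSAGE lv_reason TYPE 'I'.
ENDFORM.

* Usage inside the role loop of ZMIS_AUTH_ASSIGN_TO_ROLE (assumed context):
*   DATA lv_ok TYPE abap_bool.
*   LOOP AT it_role INTO wa_role.
*     PERFORM generate_profile_checked USING wa_role-role_name CHANGING lv_ok.
*     IF lv_ok = abap_false.
*       CONTINUE.   " skip this role, keep processing the rest
*     ENDIF.
*   ENDLOOP.
```

When the job log shows the "Authorization missing for user" line, the user to check in SU53 or ST01 is the one named there, the job's step user, rather than the person who scheduled the job; when it shows one of the other lines, the role data itself needs attention regardless of who runs the program.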