Privileges through roles

Similar Messages

• Granting privilege through role not working for PL/SQL

  Version: 11.2.0.2
  In our shop, we don't grant privileges directly to a user, we grant it to a role and grant that role to the intended grantee.
  Granting privileges through a role seems to be fine with SQL Engine. But it doesn't work from PL/SQL engine.
  In the below example GLS_DEV user is granted SELECT access on SCOTT.pets table through a role called tstrole. GLS_DEV can select this table from SQL. But PL/SQL Engine doesn't seem to know this.
  Reproducing the issue:
  SQL> show user
  USER is "SCOTT"
  SQL> select * from pets;
  NAME
  PLUTO
  SQL> conn / as sysdba
  Connected.
  SQL> create user GLS_DEV identified by test1234 default tablespace TSTDATA;
  User created.
  SQL> alter user GLS_DEV quota 25m on TSTDATA;
  User altered.
  SQL> grant create session, resource to GLS_DEV;
  Grant succeeded.
  --- Granting SELECT privilege on scott.pets to tstrole and then grant this role to GLS_DEV.
  SQL> conn / as sysdba
  Connected.
  SQL>
  SQL> create role tstrole;
  Role created.
  SQL> grant select on scott.pets to tstrole;
  Grant succeeded.
  SQL> grant tstrole to GLS_DEV;
  Grant succeeded.
  SQL> conn GLS_DEV/test1234
  Connected.
  SQL>
  SQL> select * From scott.pets;
  NAME
  PLUTO
  ---- All fine till here. From SQL engine , GLS_DEV user can SELECT scott.pets table.
  --- Now , I am going to create a PL/SQL object in GLS_DEV which tries to refer scott.pets
  SQL> show user
  USER is "GLS_DEV"
  create or replace procedure my_proc
  is
  myvariable varchar2(35);
  begin
       select name into myvariable from scott.pets ;
       dbms_output.put_line(myvariable);
  end my_proc;
  Warning: Procedure created with compilation errors.
  SQL> show errors
  Errors for PROCEDURE MY_PROC:
  LINE/COL ERROR
  6/2      PL/SQL: SQL Statement ignored
  6/41     PL/SQL: ORA-01031: insufficient privileges
  SQL>
  SQL> 6
    6*    select name into myvariable from scott.pets ;
  --- PL/SQL Engine doesn't seem to know that GLS_DEV has select privilege on scott.pets indirectly granted through a role
  --- Fix
  --- Instead of granting privilege through a role, I am granting the SELECT privilege on scott.pets to GLS_DEV directly.
  --- The error goes away, I can compile and execute the procedure !!
  SQL> conn / as sysdba
  Connected.
  SQL>
  SQL> grant select on scott.pets to GLS_DEV;
  Grant succeeded.
  SQL> conn GLS_DEV/test1234
  Connected.
  SQL>
  SQL> create or replace procedure my_proc
  is
  myvariable varchar2(35);
  begin
          select name into myvariable from scott.pets ;
          dbms_output.put_line(myvariable);
  end my_proc;  2    3    4    5    6    7    8    9   10
  11  /
  Procedure created.
  SQL> set serveroutput on
  SQL> exec my_proc;
  PLUTO
  PL/SQL procedure successfully completed.Has anyone encountered the same issue ?

  You really should start your own new thread for this question instead of resurrecting an old one, but to answer your question.
  There are two things going on here. First, there are a number of aler session commands that can be used by any user regardless of what privileges they are granted. Although I do not have the entire list at hand, things like nls_date_format and current_schema are available to all users, sort of like the grants to public in the data dictionary.
  Second, when you use execute immediate, the PL/SQL engine never really sees the statement, as far as the compiler is concerned it is just a string. It is only when the string is passed to the sql engine that permissions are checked, and there roles are not enabled.
  SQL> create role t_role;
  Role created.
  SQL> grant select on ops$oracle.t to t_role;
  Grant succeeded.
  SQL> create user a identified by a default tablespace users;
  User created.
  SQL> grant create session, create procedure to a;
  Grant succeeded.
  SQL> grant t_role to a;
  Grant succeeded.
  SQL> connect a/a
  Connected.
  SQL> select * from ops$oracle.t;
          ID DESCR
           1 One
           1 Un
  SQL> create function f (p_descr in varchar2) return number as
    2     l_num number;
    3  begin
    4     select id into l_num
    5     from ops$oracle.t
    6     where descr = p_descr;
    7     return l_num;
    8  end;
    9  /
  Warning: Function created with compilation errors.
  SQL> show error
  Errors for FUNCTION F:
  LINE/COL ERROR
  4/4      PL/SQL: SQL Statement ignored
  5/20     PL/SQL: ORA-00942: table or view does not exist
  SQL> create or replace function f (p_descr in varchar2) return number as
    2     l_num number;
    3  begin
    4     execute immediate 'select id from ops$oracle.t where descr = :b1'
    5                       into l_num using p_descr;
    6     return l_num;
    7  end;
    8  /
  Function created.
  SQL> select f('One') from dual;
  select f('One') from dual
  ERROR at line 1:
  ORA-00942: table or view does not exist
  ORA-06512: at "A.F", line 4John

• VIEW AND INDIRECT PRIVILEGES BY ROLE

  Good Evening,
  Is there a way to avoid error message "ORA-00942 table or view does not exist" during the creation of a view on another user's table with the SELECT ANY TABLE system privilege granted through a role ?
  Reading ORACLE's books it seem impossible, but perhaps ...
  It'll be very useful
  I appreciate your help
  Regards
  Sergio

  Is there really no other way to grant privileges indirectly to a user by using roles? Yes there is. The way you describe. I suspect you missed out a bit of the process. You didn't make the role one of the user's default roles, so it was not enabled when they logged on. You may find reading the documentation helps you to understand how to manage security through roles.
  Your problem is not quite the same as the one described above. You simply want to grant your user SELECT on somebody's database object through a role; you can do this providing you either make the role default or get the user to enable the role when they need that access (the former is preferable unless you want to password-project that specific role). The problem described above is wanting to build new database objects on other people's objects; this cannot be done with privileges granted through roles.
  Cheers, APC

• What privileges or role is required for user to acces the explain plan?

  Hi mates,
  Can anyone pls tell me what privileges or roles(grants) are requred for a user to access the explain plan in oORACLE 8i 8174..
  I think the select any dictionary is not valid for explain plan accessibility in 8i.
  Cheers.

  I already had that... Just that a user (not a dba) requires access to the explain plan and I dont want to grant him a dba role.
  Are you aware of any other grant I can give to the user?

• How to check granted privileges on role.

  Hi,
  Can any one explain how to check granted privileges on role.
  I have created one role called ALL_SYSPRIVS
  but I forgot what privileges granted to this role
  Thank you...

  Hi Vijay,
  Last week i saw the following thread:
  Finding the privileges assigned to a user
  Re: Finding the privileges  assigned to a user
  From there, you'll be able to find a few scripts that will provide you with an overview of grants assigned to user, or role....
  HTH,
  Thierry

• Password policy through roles

  Hi,
  I have two password policies in my LDAP, mapped to the users through roles. One for active users and the other for inactive users. when i change the status from active to inactive, some times inactive password policy gets enabled, and some times it does not. The nsroles attribute in the user profile gets updated according to the role always, but the password policy subentry attribute is not getting updated sometimes.
  Can Anyone help me on this.
  Thanks in advance,
  Navanidhi

  This is probably a cache synchronization pb. Not something that I ever heard before though.
  How quick do you check the password policy after changing the user status ?
  Have you tried checking a minute or more after the change ?
  Ludovic.

• Insert,update, del not working while assigned to users through role

  Dears,
  I created a role ABC
  Assigned select insert update and delete privileges to role ABC on a table MY_SEC_TABLE
  Later I assigned this role to a user TEST
  Connected to database with this user TEST
  and
  Try to edit any row in table MY_SEC_TABLE but receive ORA-01031: insufficient privileges
  Edited by: FarhatKayani on Mar 17, 2013 11:03 PM

  Hi,
  OK,
  Try to edit any row in table MY_SEC_TABLE but receive ORA-01031: insufficient privilegesCould you select MY_SEC_TABLE by this user??
  Regards,

• User can not inherited privilege from Role

  DD1 is a new user, CT_GROUP_USER is a role with all tables access right.
  1)First, check the privilege of role CT_GROUP_USER
  select table_name,privilege from dba_tab_privs where grantee='CT_GROUP_USER'
  we can see CT_GROUP_USER have ALL tables' privilege.
  2)Second, grant CT_GROUP_USER role to user DD1
  GRANT ct_group_ADMINISTRATOR to DD1 with admin option
  GRANT ct_group_USER to DD1 with admin option
  select * from dba_role_privs where grantee='DD1'
  we can see CT_GROUP_USER role here
  3)
  USE DD1 to access table ct_user, it looks DD1 did not have privilege inherited from  CT_GROUP_USER
  4) Do additional operation, grant a table privilege to DD1
  grant select,insert,update,delete on CT_ACLENTRY     to DD1 WITH GRANT OPTION
  select table_name,privilege from dba_tab_privs where grantee='DD1'
  DD1 ONLY have CT_ACLENTRY  privilege.
  USE DD1 to access ct_aclentry, it is succeed.
  5) RUN below script on Oracle 10g and Oracle 11g, User DD3 can access tables on 10g but failed on 11g.
  CREATE USER DD3 IDENTIFIED BY DD3
  GRANT CREATE SESSION TO DD3
  GRANT CT_GROUP_ADMINISTRATOR TO DD3
  GRANT CT_GROUP_USER TO DD3
  Question: Is there any setting for GRANT on Oracle 11g?
  Additional: ALTER USER DD3 DEFAULT ROLE CT_GROUP_USER
  Above command can not let DD3 access tables, DD1 neither

  1)
  we can see CT_GROUP_USER have ALL tables' privilege.
  Can we? You don't post results of this statement, you I can only assume you can see it, but I can't
  And granting ALL privileges is a bad idea anyway.
  2) Why 'with admin'?
  3)
  USE DD1 to access table ct_user, it looks DD1 did not have privilege inherited from  CT_GROUP_USER.
  For you maybe, but as you don't post any failing SQLs and any error messages, who can tell?
  5) 'but failed' on 11g.
  Please keep in mind this is a discussion room, not a chat room, and we can't see what you are doing.
  You need all these lines to ask 'My car is broke, please fix my car'. I can't see any car from here.
  Sybrand Bakker
  Senior Oracle DBA

• Grant Privilege to Role instead of Direct grant doesn't work

  Hi all
  My scenario is sas follow:
  create user a identified by a;
  create user b identified by b;
  grant connect,resource to a ;
  grant connect,resource to b ;
  conn a/a
  create table tbl( c1 number(10));
  conn system/sys
  create role roll;
  grant roll to b;
  conn a/a
  grant select on tbl to roll;
  conn b/b
  set role roll;
  create or replace procedure b.pr
  as
  v number(10);
  begin
  select a into v
  from a.tbl
  where a=0;
  end;
  show error
  Errors for PROCEDURE B.P:
  LINE/COL ERROR
  6/1 PL/SQL: SQL Statement ignored
  7/6 PL/SQL: ORA-00942: table or view does not exist
  This happen because i granted the SELECT privilege to user b through the role ROLL but if i granted the user b the SELECT privilege directly it work properly
  Why???
  And how could I grant the privilege from within a role, Because i don't want to grant it directly
  Thank in advance
  Bassil

  There is no other way. The owner of stored code must have been directly granted all necessary (used in code) select, insert, update, or delete privileges. The code owner cannot just have the referenced privileges granted to them via a role. There is no workaround, nor should there be as this is a security feature. Just because you have been granted insert or delete to another user's tables does not mean you should be able to grant that access to some other user. This is exactly what you do when you grant execute to stored code that referenced another user's objects.
  The referenced article is by Tom Kyte and there are few people who understand how to use Oracle to better effect than Tom. The same information can be found in the official documentation and is referenced by the article.
  You can write packages that use the privileges of the executing person. Perhaps for the specific problem you are writing the code to handle this is the route you want to take. See the manuals for the details.
  Note - If user A grants insert to user B on table_a then user B can write a procedure, proc_b, and grant execute to a role and anyone with the role can perform inserts into table_a via proc_b, without having any grants on table_a. You do not need to grant privileges on the objects referenced in stored code that runs as the code owner if this is what you are worried about. The users just need execute on the package, procedure, or function that performs the DML operations in this case and they can get that from a role.
  If you still do not understand you need to state exactly what it is you either do not understand or want to know how to do.
  HTH -- Mark D Powell --

• Error when updating through "Role import"

  Hi all
  I get this error when I update through Home > Authentication > SAP > Role Import:
  "An error occurred while communicating with the CMS.
  The following error message was returned:
  Error occurred in CSAPSecHttpRolePage::OnCommitRoles. Return value = -2147213817 (0x80041e07)j Failed to commit objects to server : Duplicate object name in the same folder."
  Does this mean that I have duplicate users or groups? If this is the case, how come I get the error even if I remove all roles, update, and then add a role and update again? Then everything should have been cleared?
  And the funny part is that the import of users seems to work, because I can log on to the InfoView using SAP authentication... But I don't like this error, and would like to get rid of it.
  Best regards,
  Martin Søgaard

  Hi Sogaard,
  when you remove all roles can you verify that all the user groups and users are being removed from the system ?
  after removing the roles could you also delete the entitlement system and re-create it ?
  Ingo

• System Privileges, Object Privileges and Roles in Oracle 10g r2

  Hello,
  I am looking for a comprehensive details about each and every role, privileges(both object and system) that are available in standard Oracle EE 10g r2.
  I have visited administrator reference manual and other documents from docs.oracle.com but could not fine this information.
  Can anyone redirect me to an appropriate URL or documentation that details whats and hows of each and every roles and privileges?
  Thanks,
  R

  Rich V wrote:
  Hello,
  I am looking for a comprehensive details about each and every role, privileges(both object and system) that are available in standard Oracle EE 10g r2.
  I have visited administrator reference manual and other documents from docs.oracle.com but could not fine this information.
  Can anyone redirect me to an appropriate URL or documentation that details whats and hows of each and every roles and privileges?
  Thanks,
  RHi, you can use dba_role_privs,role_sys_privs views,for more information see
  http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/admusers.htm
  http://www.cuddletech.com/articles/oracle/node36.html

• AD Group Membership revoked on adding new group through role and acespolicy

  Hi all,
  when a user is created in OIM, it is provisioned with Default Role say CONTRACTS which will provision AD Account and a default AD group membership.
  when I assign a new role membership say BILLING, to assign additional AD group memberships through access policies, it is removing the default AD group membership from the user. But still the user is having both the roles CONTRACTS and BILLING.
  The ootb AD task, remove user from group is triggered.
  The problem is happening only in Testing environment.
  In development envi it is working fine.
  it is not removing the default group memberships.
  any ideas? thoughts? which I need to check.
  my oim server is 11.1.1.3.0, with weblogic setup.
  Edited by: Venu on Dec 2, 2011 1:06 PM

  Do one thing:
  Take New User
  Assign First BILLING
  Assign Second Group
  And then ASSIGN CONTRACT
  Update the results.
  It is happening in one env so you might have done some configuration or it could be env issue as well.

• ValidTo and ValidFrom for privileges and roles (since SP2) - no effect

  Hi IDM Community,
  has anybody tried the new functionality that you can enter validfrom and validto values for role assignments and privilege assignments in business roles?
  In my case I can define these values in a workflow but I don't see any effect. There are no values for these attributes written to the database. I think that normally there should be some MX_PENDING_VALUE objects created in which the validfrom, validto should be stored. But nothing happens. When I define a validfrom, validto value for a privilege in a business role and submit the change and view the details of the role again there is no validto or validfrom assigned for this privilege.
  Has anybody encountered the same problem?
  BR
  Jörn Kaplan

  Hello,
  I am testing the abap -- initial load (SP2)"WriteABAPUsersRolePrivilegeAssigments"-pass with the ValidTo and ValidFrom and the  "sap_getTimeDependentPrivilege"- Jscript. 
  There is always an error:
  "putNextEntry failed storingXXXXXXX
  Exception from Modify operation:java.lang.IllegalArgumentException: Entry does not exist - entry: XXXXXXX
  The logonuid XXXXXXX is stored in sap%$rep.$NAME%roleAssign and sap%$rep.$NAME%role.
  SP1 is running!
  But I dont want to lose TimeDependentPrivilege like in Initial Load (SP1)
  Who can help me?
  BR Chris

• Error when attempting to assign privilege to role

  We've used the SAP Prov Framework to do AS ABAP Initial Load jobs on two different SAP systems, one SRM and one HR.  Both load jobs finish with a variety of errors, mostly to do with ValidFrom and ValidTo dates on the WriteABAPUsersRolePrivilegeAssigments job.
  Nonetheless, the user and privilege data is loaded into the temp tables and the IS, and seems to be valid.
  However, when we attempt to assign one of the privileges - from either system - to one of our roles, we get the following error:
  Method: Save Identity store privilege
  Source: clsEmcDb
  Error: FFFFFFFFh (-1)
  Description: IS_SetEntryAttribute failed : No Such task
  Can anyone offer any assistance on this please?

  Hello Geoff,
  although the issue has already been solved, here is the link to the
  landscape configuration guide. you find some important information
  on how to configure the provisioning framework here .. e.g. also
  including the setting of the mentioned repository constants.
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/706065c4-3564-2a10-2382-a52fcbd7eefb
  Best Regards,
  Steffen Baumann

• Privilege and roles Question

  Hi All
  I did a queries
  SELECT GRANTEE, PRIVILEGE,GRANTABLE FROM DBA_TAB_PRIVS
  WHERE TABLE_NAME='TABLE1' AND GRANTEE IN ('USER1', 'USER_ROLE');
  GRANTEE        PRIVILEGE       GRANTABLE
  USER1 SELECT NO
  USER1 INSERT NO
  USER1 DELETE NO
  USER1 UPDATE NO
  USER_ROLE SELECT YES
  USER_ROLE INSERT YES
  USER_ROLE DELETE YES
  USER_ROLE UPDATE YES
  SELECT 'ROLE' TYP, GRANTEE, GRANTED_ROLE, ADMIN_OPTION FROM DBA_ROLE_PRIVS WHERE GRANTEE ='USER1';
  TYP      GRANTEE   GRANTED_ROLE   ADMIN_OPTION
  ROLE USER1 CONNECT NO
  ROLE USER1 RESOURCE NO
  ROLE USER1 USER_ROLE NO
  My question is since the USER1 is granted the role of USER_ROLE, will it cause conflict to the table privilege?
  Because I can't perform Insert when I'm using USER1. It give me an error of ORA-01031L insufficent privileges SQL source: ..

  Since you did not mention how you are performing the Inserts/DML's on the TABLE1, and you are facing privileges issues, I presume you are performing it from a PL/SQL Block. However, the priviliges acquired via a Role are not valid in Function/Procedure. You need to have explicit privileges to perform an action in Function/Procedure.
  Even without the privilege, you would be able to perform the Inserts/DML's as in static SQL statements that are not contained in PL/SQL blocks.
  Try:
  grant insert on table1 to user1;