Privileges through roles
We have the following scenario:
Schema A owns some tables
Schema B builds views on A's tables
Schema A grants select permissions on the tables to role C
Schema B grants select permissions on the views to role C
User D has been assigned role C but gets the ORA-01031 Insufficient privileges error when trying to select from B's views.
Why should that be the case? A grants select on the underlying tables to D and things are fine.
Regards,
Steve
Hi Orawiss,
Hmm - what roles are you giving to d?
Here's my example
SQL*Plus: Release 10.2.0.4.0 - Production on Fri Jul 30 14:10:52 2010
Copyright (c) 1982, 2007, Oracle. All Rights Reserved.
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> create role c;
Role created.
SQL> create user a identified by a;
User created.
SQL> create user b identified by b;
User created.
SQL> create user d identified by d;
User created.
SQL> alter user a quota unlimited on users;
User altered.
SQL> create table a.test(col1 number);
Table created.
SQL> grant select on a.test to b;
Grant succeeded.
SQL> create view b.test as select * from a.test;
View created.
SQL> grant create session to d;
Grant succeeded.
SQL> grant select on b.test to c;
Grant succeeded.
SQL> grant c to d;
Grant succeeded.
SQL> conn d/d
Connected.
SQL> select * from b.test;
select * from b.test
ERROR at line 1:
ORA-01031: insufficient privileges
So it fails - but then.........
SQL>
SQL> conn / as sysdba
Connected.
SQL> grant select on a.test to b with grant option;
Grant succeeded.
SQL> conn d/d
Connected.
SQL> select * from b.test;
no rows selected
SQL>
And it now works!
Cheers,
Harry
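As an added diagnostic (not part of Harry's post), the following query lists, for each view in schema B that references another schema's object, whether B holds a direct SELECT on that object and whether that grant is re-grantable; it assumes a DBA connection and the thread's schema names A and B.

```sql
-- Added example, not from the thread. Run as a DBA (or any user who can
-- read DBA_DEPENDENCIES and DBA_TAB_PRIVS). Schema names are the ones
-- used in the thread: A owns the tables, B owns the views.
--
-- A view owner can pass SELECT on the view to others only if it holds
-- SELECT on every underlying object WITH GRANT OPTION. A row showing
-- REGRANTABLE = 'NO', or no direct privilege at all (NONE), is the
-- reason grantees of the view get ORA-01031.
SELECT d.owner                   AS view_owner,
       d.name                    AS view_name,
       d.referenced_owner        AS base_owner,
       d.referenced_name         AS base_object,
       NVL(p.privilege, 'NONE')  AS view_owner_priv,
       NVL(p.grantable, 'NO')    AS regrantable
FROM   dba_dependencies d
       LEFT JOIN dba_tab_privs p
              ON p.grantee    = d.owner
             AND p.owner      = d.referenced_owner
             AND p.table_name = d.referenced_name
             AND p.privilege  = 'SELECT'
WHERE  d.owner            = 'B'
AND    d.type             = 'VIEW'
AND    d.referenced_type  IN ('TABLE', 'VIEW')
AND    d.referenced_owner <> d.owner
ORDER  BY d.name, d.referenced_owner, d.referenced_name;

-- Narrowest fix that works: the grant option goes to the view owner B
-- only, never to the consuming role C. Run as A (or a DBA).
GRANT SELECT ON a.test TO b WITH GRANT OPTION;

-- Re-running the query above, the row for B.TEST -> A.TEST now shows
-- REGRANTABLE = 'YES', and members of role C can select from b.test.
```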
Similar Messages
-
Granting privilege through role not working for PL/SQL
Version: 11.2.0.2
In our shop, we don't grant privileges directly to a user, we grant it to a role and grant that role to the intended grantee.
Granting privileges through a role seems to be fine with SQL Engine. But it doesn't work from PL/SQL engine.
In the below example GLS_DEV user is granted SELECT access on SCOTT.pets table through a role called tstrole. GLS_DEV can select this table from SQL. But PL/SQL Engine doesn't seem to know this.
Reproducing the issue:
SQL> show user
USER is "SCOTT"
SQL> select * from pets;
NAME
PLUTO
SQL> conn / as sysdba
Connected.
SQL> create user GLS_DEV identified by test1234 default tablespace TSTDATA;
User created.
SQL> alter user GLS_DEV quota 25m on TSTDATA;
User altered.
SQL> grant create session, resource to GLS_DEV;
Grant succeeded.
--- Granting SELECT privilege on scott.pets to tstrole and then grant this role to GLS_DEV.
SQL> conn / as sysdba
Connected.
SQL>
SQL> create role tstrole;
Role created.
SQL> grant select on scott.pets to tstrole;
Grant succeeded.
SQL> grant tstrole to GLS_DEV;
Grant succeeded.
SQL> conn GLS_DEV/test1234
Connected.
SQL>
SQL> select * From scott.pets;
NAME
PLUTO
---- All fine till here. From the SQL engine, the GLS_DEV user can SELECT from the scott.pets table.
--- Now I am going to create a PL/SQL object in GLS_DEV which tries to refer to scott.pets
SQL> show user
USER is "GLS_DEV"
create or replace procedure my_proc
is
myvariable varchar2(35);
begin
select name into myvariable from scott.pets ;
dbms_output.put_line(myvariable);
end my_proc;
Warning: Procedure created with compilation errors.
SQL> show errors
Errors for PROCEDURE MY_PROC:
LINE/COL ERROR
6/2 PL/SQL: SQL Statement ignored
6/41 PL/SQL: ORA-01031: insufficient privileges
SQL>
SQL> 6
6* select name into myvariable from scott.pets ;
--- PL/SQL Engine doesn't seem to know that GLS_DEV has select privilege on scott.pets indirectly granted through a role
--- Fix
--- Instead of granting privilege through a role, I am granting the SELECT privilege on scott.pets to GLS_DEV directly.
--- The error goes away, I can compile and execute the procedure !!
SQL> conn / as sysdba
Connected.
SQL>
SQL> grant select on scott.pets to GLS_DEV;
Grant succeeded.
SQL> conn GLS_DEV/test1234
Connected.
SQL>
SQL> create or replace procedure my_proc
is
myvariable varchar2(35);
begin
select name into myvariable from scott.pets ;
dbms_output.put_line(myvariable);
end my_proc;
/
Procedure created.
SQL> set serveroutput on
SQL> exec my_proc;
PLUTO
PL/SQL procedure successfully completed.
Has anyone encountered the same issue?
You really should start your own new thread for this question instead of resurrecting an old one, but to answer your question.
There are two things going on here. First, there are a number of alter session commands that can be used by any user regardless of what privileges they are granted. Although I do not have the entire list at hand, things like nls_date_format and current_schema are available to all users, sort of like the grants to public in the data dictionary.
Second, when you use execute immediate, the PL/SQL engine never really sees the statement; as far as the compiler is concerned it is just a string. It is only when the string is passed to the SQL engine that permissions are checked, and there roles are not enabled.
SQL> create role t_role;
Role created.
SQL> grant select on ops$oracle.t to t_role;
Grant succeeded.
SQL> create user a identified by a default tablespace users;
User created.
SQL> grant create session, create procedure to a;
Grant succeeded.
SQL> grant t_role to a;
Grant succeeded.
SQL> connect a/a
Connected.
SQL> select * from ops$oracle.t;
ID DESCR
1 One
1 Un
SQL> create function f (p_descr in varchar2) return number as
2 l_num number;
3 begin
4 select id into l_num
5 from ops$oracle.t
6 where descr = p_descr;
7 return l_num;
8 end;
9 /
Warning: Function created with compilation errors.
SQL> show error
Errors for FUNCTION F:
LINE/COL ERROR
4/4 PL/SQL: SQL Statement ignored
5/20 PL/SQL: ORA-00942: table or view does not exist
SQL> create or replace function f (p_descr in varchar2) return number as
2 l_num number;
3 begin
4 execute immediate 'select id from ops$oracle.t where descr = :b1'
5 into l_num using p_descr;
6 return l_num;
7 end;
8 /
Function created.
SQL> select f('One') from dual;
select f('One') from dual
ERROR at line 1:
ORA-00942: table or view does not exist
ORA-06512: at "A.F", line 4
John -
VIEW AND INDIRECT PRIVILEGES BY ROLE
Good Evening,
Is there a way to avoid error message "ORA-00942 table or view does not exist" during the creation of a view on another user's table with the SELECT ANY TABLE system privilege granted through a role ?
Reading ORACLE's books it seem impossible, but perhaps ...
It'll be very useful
I appreciate your help
Regards
Sergio
Is there really no other way to grant privileges indirectly to a user by using roles? Yes there is. The way you describe. I suspect you missed out a bit of the process. You didn't make the role one of the user's default roles, so it was not enabled when they logged on. You may find reading the documentation helps you to understand how to manage security through roles.
Your problem is not quite the same as the one described above. You simply want to grant your user SELECT on somebody's database object through a role; you can do this providing you either make the role default or get the user to enable the role when they need that access (the former is preferable unless you want to password-protect that specific role). The problem described above is wanting to build new database objects on other people's objects; this cannot be done with privileges granted through roles.
Cheers, APC -
What privileges or role is required for user to acces the explain plan?
Hi mates,
Can anyone please tell me what privileges or roles (grants) are required for a user to access the explain plan in Oracle 8i 8174..
I think the select any dictionary is not valid for explain plan accessibility in 8i.
Cheers.
I already had that... Just that a user (not a dba) requires access to the explain plan and I don't want to grant him a dba role.
Are you aware of any other grant I can give to the user? -
How to check granted privileges on role.
Hi,
Can any one explain how to check granted privileges on role.
I have created one role called ALL_SYSPRIVS
but I forgot what privileges granted to this role
Thank you...
Hi Vijay,
Last week i saw the following thread:
Finding the privileges assigned to a user
Re: Finding the privileges assigned to a user
From there, you'll be able to find a few scripts that will provide you with an overview of grants assigned to user, or role....
HTH,
Thierry -
Hi,
I have two password policies in my LDAP, mapped to the users through roles. One for active users and the other for inactive users. When I change the status from active to inactive, sometimes the inactive password policy gets enabled, and sometimes it does not. The nsroles attribute in the user profile always gets updated according to the role, but the password policy subentry attribute is sometimes not getting updated.
Can Anyone help me on this.
Thanks in advance,
Navanidhi
This is probably a cache synchronization problem. Not something that I have ever heard of before though.
How quick do you check the password policy after changing the user status ?
Have you tried checking a minute or more after the change ?
Ludovic. -
Insert,update, del not working while assigned to users through role
Dears,
I created a role ABC
Assigned select insert update and delete privileges to role ABC on a table MY_SEC_TABLE
Later I assigned this role to a user TEST
Connected to database with this user TEST
and
Try to edit any row in table MY_SEC_TABLE but receive ORA-01031: insufficient privileges
Edited by: FarhatKayani on Mar 17, 2013 11:03 PM
Hi,
OK,
Try to edit any row in table MY_SEC_TABLE but receive ORA-01031: insufficient privileges
Could you SELECT from MY_SEC_TABLE as this user?
Regards, -
User can not inherited privilege from Role
DD1 is a new user, CT_GROUP_USER is a role with all tables access right.
1)First, check the privilege of role CT_GROUP_USER
select table_name,privilege from dba_tab_privs where grantee='CT_GROUP_USER'
we can see CT_GROUP_USER have ALL tables' privilege.
2)Second, grant CT_GROUP_USER role to user DD1
GRANT ct_group_ADMINISTRATOR to DD1 with admin option
GRANT ct_group_USER to DD1 with admin option
select * from dba_role_privs where grantee='DD1'
we can see CT_GROUP_USER role here
3)
Use DD1 to access table ct_user; it looks like DD1 did not inherit the privilege from CT_GROUP_USER.
4) Do additional operation, grant a table privilege to DD1
grant select,insert,update,delete on CT_ACLENTRY to DD1 WITH GRANT OPTION
select table_name,privilege from dba_tab_privs where grantee='DD1'
DD1 ONLY have CT_ACLENTRY privilege.
Use DD1 to access ct_aclentry; it succeeds.
5) RUN below script on Oracle 10g and Oracle 11g, User DD3 can access tables on 10g but failed on 11g.
CREATE USER DD3 IDENTIFIED BY DD3
GRANT CREATE SESSION TO DD3
GRANT CT_GROUP_ADMINISTRATOR TO DD3
GRANT CT_GROUP_USER TO DD3
Question: Is there any setting for GRANT on Oracle 11g?
Additional: ALTER USER DD3 DEFAULT ROLE CT_GROUP_USER
The above command does not let DD3 access the tables, and neither does it for DD1.
1)
we can see CT_GROUP_USER have ALL tables' privilege.
Can we? You don't post the results of this statement, so I can only assume you can see it, but I can't.
And granting ALL privileges is a bad idea anyway.
2) Why 'with admin'?
3)
USE DD1 to access table ct_user, it looks DD1 did not have privilege inherited from CT_GROUP_USER.
For you maybe, but as you don't post any failing SQLs and any error messages, who can tell?
5) 'but failed' on 11g.
Please keep in mind this is a discussion room, not a chat room, and we can't see what you are doing.
You need all these lines to ask 'My car is broke, please fix my car'. I can't see any car from here.
Sybrand Bakker
Senior Oracle DBA -
Grant Privilege to Role instead of Direct grant doesn't work
Hi all
My scenario is as follows:
create user a identified by a;
create user b identified by b;
grant connect,resource to a ;
grant connect,resource to b ;
conn a/a
create table tbl( c1 number(10));
conn system/sys
create role roll;
grant roll to b;
conn a/a
grant select on tbl to roll;
conn b/b
set role roll;
create or replace procedure b.pr
as
v number(10);
begin
-- the table has the single column c1; select from it
select c1 into v
from a.tbl
where c1=0;
end;
/
show error
Errors for PROCEDURE B.P:
LINE/COL ERROR
6/1 PL/SQL: SQL Statement ignored
7/6 PL/SQL: ORA-00942: table or view does not exist
This happens because I granted the SELECT privilege to user b through the role ROLL, but if I grant user b the SELECT privilege directly it works properly.
Why???
And how could I grant the privilege from within a role, because I don't want to grant it directly?
Thanks in advance
Bassil
There is no other way. The owner of stored code must have been directly granted all necessary (used in code) select, insert, update, or delete privileges. The code owner cannot just have the referenced privileges granted to them via a role. There is no workaround, nor should there be as this is a security feature. Just because you have been granted insert or delete to another user's tables does not mean you should be able to grant that access to some other user. This is exactly what you do when you grant execute to stored code that referenced another user's objects.
The referenced article is by Tom Kyte and there are few people who understand how to use Oracle to better effect than Tom. The same information can be found in the official documentation and is referenced by the article.
You can write packages that use the privileges of the executing person. Perhaps for the specific problem you are writing the code to handle this is the route you want to take. See the manuals for the details.
Note - If user A grants insert to user B on table_a then user B can write a procedure, proc_b, and grant execute to a role and anyone with the role can perform inserts into table_a via proc_b, without having any grants on table_a. You do not need to grant privileges on the objects referenced in stored code that runs as the code owner if this is what you are worried about. The users just need execute on the package, procedure, or function that performs the DML operations in this case and they can get that from a role.
If you still do not understand you need to state exactly what it is you either do not understand or want to know how to do.
HTH -- Mark D Powell -- -
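As an added illustration of the two points made above (John's reply about the SQL engine checking privileges with roles disabled, and Mark's note about code that runs with the privileges of the executing person), here is Bassil's lookup written once as a definer's rights unit and once as an invoker's rights unit. This is example code, not from either poster; it assumes the thread's objects (table a.tbl with column c1, role roll holding SELECT on it, user b granted roll as a default role) and the procedure names pr_definer and pr_invoker are hypothetical.

```sql
-- Added example, not from the thread. Connect as the code owner b,
-- which holds SELECT on a.tbl only through role ROLL.
CONN b/b

-- 1. Definer's rights (the default, AUTHID DEFINER): the owner's roles
--    are ignored, so the static reference to a.tbl cannot be resolved
--    and compilation fails with PL/SQL: ORA-00942.
CREATE OR REPLACE PROCEDURE pr_definer (p_c1 IN NUMBER, p_cnt OUT NUMBER) AS
BEGIN
  SELECT COUNT(*) INTO p_cnt FROM a.tbl WHERE c1 = p_c1;
END;
/
SHOW ERRORS

-- 2. Invoker's rights (AUTHID CURRENT_USER): the statement is checked
--    when it runs, with the privileges of the caller, roles included.
--    Dynamic SQL keeps the text fixed and passes the value as a bind
--    variable, so the caller supplies data, never SQL.
CREATE OR REPLACE PROCEDURE pr_invoker (p_c1 IN NUMBER, p_cnt OUT NUMBER)
  AUTHID CURRENT_USER AS
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM a.tbl WHERE c1 = :v'
    INTO p_cnt USING p_c1;
END;
/

-- 3. Works for b while ROLL is enabled (default role, or SET ROLL).
VARIABLE n NUMBER
EXEC pr_invoker(0, :n)
PRINT n

-- Trade-off: a caller who does not hold ROLL (or has it disabled) gets
-- ORA-00942 from pr_invoker at run time, because the caller's own
-- privileges decide, not the owner's. Granting EXECUTE on pr_invoker
-- therefore does not hand out access to a.tbl, unlike a definer's
-- rights unit whose owner was granted SELECT directly.
```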
Error when updating through "Role import"
Hi all
I get this error when I update through Home > Authentication > SAP > Role Import:
"An error occurred while communicating with the CMS.
The following error message was returned:
Error occurred in CSAPSecHttpRolePage::OnCommitRoles. Return value = -2147213817 (0x80041e07)j Failed to commit objects to server : Duplicate object name in the same folder."
Does this mean that I have duplicate users or groups? If this is the case, how come I get the error even if I remove all roles, update, and then add a role and update again? Then everything should have been cleared?
And the funny part is that the import of users seems to work, because I can log on to the InfoView using SAP authentication... But I don't like this error, and would like to get rid of it.
Best regards,
Martin Søgaard
Hi Sogaard,
when you remove all roles can you verify that all the user groups and users are being removed from the system ?
after removing the roles could you also delete the entitlement system and re-create it ?
Ingo -
System Privileges, Object Privileges and Roles in Oracle 10g r2
Hello,
I am looking for a comprehensive details about each and every role, privileges(both object and system) that are available in standard Oracle EE 10g r2.
I have visited the administrator reference manual and other documents from docs.oracle.com but could not find this information.
Can anyone redirect me to an appropriate URL or documentation that details whats and hows of each and every roles and privileges?
Thanks,
R
Rich V wrote:
Hello,
I am looking for a comprehensive details about each and every role, privileges(both object and system) that are available in standard Oracle EE 10g r2.
I have visited the administrator reference manual and other documents from docs.oracle.com but could not find this information.
Can anyone redirect me to an appropriate URL or documentation that details whats and hows of each and every roles and privileges?
Thanks,
R
Hi, you can use the dba_role_privs and role_sys_privs views; for more information see
http://download.oracle.com/docs/cd/B19306_01/network.102/b14266/admusers.htm
http://www.cuddletech.com/articles/oracle/node36.html -
AD Group Membership revoked on adding new group through role and acespolicy
Hi all,
when a user is created in OIM, it is provisioned with Default Role say CONTRACTS which will provision AD Account and a default AD group membership.
when I assign a new role membership say BILLING, to assign additional AD group memberships through access policies, it is removing the default AD group membership from the user. But still the user is having both the roles CONTRACTS and BILLING.
The ootb AD task, remove user from group is triggered.
The problem is happening only in Testing environment.
In the development environment it is working fine.
it is not removing the default group memberships.
Any ideas or thoughts on what I need to check?
my oim server is 11.1.1.3.0, with weblogic setup.
Edited by: Venu on Dec 2, 2011 1:06 PM
Do one thing:
Take New User
Assign First BILLING
Assign Second Group
And then ASSIGN CONTRACT
Update the results.
It is happening in one env so you might have done some configuration or it could be env issue as well. -
ValidTo and ValidFrom for privileges and roles (since SP2) - no effect
Hi IDM Community,
has anybody tried the new functionality that you can enter validfrom and validto values for role assignments and privilege assignments in business roles?
In my case I can define these values in a workflow but I don't see any effect. There are no values for these attributes written to the database. I think that normally there should be some MX_PENDING_VALUE objects created in which the validfrom, validto should be stored. But nothing happens. When I define a validfrom, validto value for a privilege in a business role and submit the change and view the details of the role again there is no validto or validfrom assigned for this privilege.
Has anybody encountered the same problem?
BR
Jörn Kaplan
Hello,
I am testing the abap -- initial load (SP2)"WriteABAPUsersRolePrivilegeAssigments"-pass with the ValidTo and ValidFrom and the "sap_getTimeDependentPrivilege"- Jscript.
There is always an error:
"putNextEntry failed storingXXXXXXX
Exception from Modify operation:java.lang.IllegalArgumentException: Entry does not exist - entry: XXXXXXX
The logonuid XXXXXXX is stored in sap%$rep.$NAME%roleAssign and sap%$rep.$NAME%role.
SP1 is running!
But I don't want to lose TimeDependentPrivilege like in Initial Load (SP1)
Who can help me?
BR Chris -
Error when attempting to assign privilege to role
We've used the SAP Prov Framework to do AS ABAP Initial Load jobs on two different SAP systems, one SRM and one HR. Both load jobs finish with a variety of errors, mostly to do with ValidFrom and ValidTo dates on the WriteABAPUsersRolePrivilegeAssigments job.
Nonetheless, the user and privilege data is loaded into the temp tables and the IS, and seems to be valid.
However, when we attempt to assign one of the privileges - from either system - to one of our roles, we get the following error:
Method: Save Identity store privilege
Source: clsEmcDb
Error: FFFFFFFFh (-1)
Description: IS_SetEntryAttribute failed : No Such task
Can anyone offer any assistance on this please?
Hello Geoff,
although the issue has already been solved, here is the link to the
landscape configuration guide. You will find some important information
on how to configure the provisioning framework here, e.g. also
including the setting of the mentioned repository constants.
https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/706065c4-3564-2a10-2382-a52fcbd7eefb
Best Regards,
Steffen Baumann -
Hi All
I ran these queries:
SELECT GRANTEE, PRIVILEGE,GRANTABLE FROM DBA_TAB_PRIVS
WHERE TABLE_NAME='TABLE1' AND GRANTEE IN ('USER1', 'USER_ROLE');
GRANTEE PRIVILEGE GRANTABLE
USER1 SELECT NO
USER1 INSERT NO
USER1 DELETE NO
USER1 UPDATE NO
USER_ROLE SELECT YES
USER_ROLE INSERT YES
USER_ROLE DELETE YES
USER_ROLE UPDATE YES
SELECT 'ROLE' TYP, GRANTEE, GRANTED_ROLE, ADMIN_OPTION FROM DBA_ROLE_PRIVS WHERE GRANTEE ='USER1';
TYP GRANTEE GRANTED_ROLE ADMIN_OPTION
ROLE USER1 CONNECT NO
ROLE USER1 RESOURCE NO
ROLE USER1 USER_ROLE NO
My question is since the USER1 is granted the role of USER_ROLE, will it cause conflict to the table privilege?
Because I can't perform Insert when I'm using USER1. It gives me an error of ORA-01031: insufficient privileges SQL source: ..
Since you did not mention how you are performing the Inserts/DML's on the TABLE1, and you are facing privileges issues, I presume you are performing it from a PL/SQL Block. However, the privileges acquired via a Role are not valid in a Function/Procedure. You need to have explicit privileges to perform an action in a Function/Procedure.
Even without the privilege, you would be able to perform the Inserts/DML's as in static SQL statements that are not contained in PL/SQL blocks.
Try:
grant insert on table1 to user1;
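The two queries in the post above show direct grants and role grants separately; the following added audit script (not from this thread, nor from Vijay's "How to check granted privileges on role" thread it also serves) puts them together, expanding nested roles and labelling each privilege as DIRECT or VIA ROLE, which is exactly the distinction that matters for definer's rights PL/SQL. It assumes a DBA connection; USER1 and TABLE1 are the names from the post, and ALL_SYSPRIVS is the role from Vijay's question.

```sql
-- Added example, not from the thread. Run as a DBA in SQL*Plus.
-- &who is the grantee to audit; a role name (e.g. ALL_SYSPRIVS) works
-- here too, because roles are grantees in the same dictionary views.
DEFINE who = USER1

-- 1. Every role &who can reach, including roles granted to roles.
--    DEFAULT_ROLE = 'NO' means the role is not enabled at logon, so
--    its privileges are unusable until SET ROLE (APC's point above).
SELECT LEVEL AS depth, grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
START WITH grantee = '&who'
CONNECT BY PRIOR granted_role = grantee
ORDER  BY depth, granted_role;

-- 2. Object privileges on TABLE1: direct, via PUBLIC, or via any
--    reachable role. Only DIRECT rows count inside definer's rights
--    PL/SQL; the VIA ROLE rows work for plain SQL while the role is
--    enabled, which is why USER1 can SELECT but the procedure cannot.
SELECT p.owner, p.table_name, p.privilege, p.grantable,
       CASE WHEN p.grantee = '&who'   THEN 'DIRECT'
            WHEN p.grantee = 'PUBLIC' THEN 'VIA PUBLIC'
            ELSE 'VIA ROLE ' || p.grantee END AS how_granted
FROM   dba_tab_privs p
WHERE  p.table_name = 'TABLE1'
AND   (p.grantee = '&who'
       OR p.grantee = 'PUBLIC'
       OR p.grantee IN (SELECT granted_role
                        FROM   dba_role_privs
                        START WITH grantee = '&who'
                        CONNECT BY PRIOR granted_role = grantee))
ORDER  BY how_granted, p.privilege;

-- 3. System privileges reachable the same way. ROLE_SYS_PRIVS only
--    lists roles the current session holds, so DBA_SYS_PRIVS with the
--    role as GRANTEE is used instead; this answers "what did I grant
--    to ALL_SYSPRIVS" when &who is set to that role.
SELECT s.grantee, s.privilege, s.admin_option
FROM   dba_sys_privs s
WHERE  s.grantee = '&who'
OR     s.grantee IN (SELECT granted_role
                     FROM   dba_role_privs
                     START WITH grantee = '&who'
                     CONNECT BY PRIOR granted_role = grantee)
ORDER  BY s.grantee, s.privilege;
```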