Roles privileges question

Version Info: Oracle version 11gR2 running on windows server 2008.
I have a question on something that i didnt understand with regards to a role.
I have a table called abc owned by a schema called MainSchema. I created a role in this schema called updateweb which has an update privilege granted to abc table.
grant update on MainSchema.abc to updateweb; I granted the update privilege on the above role to another schema called webusers.
grant updateweb to webusers; However when i run an update statement on behalf of the schema webusers on the table abc, from an asp.net webpage, i get an ora-1031 insufficient privileges.
However if i directly grant like this
grant update on mainschema.abc to webusers; (from mainschema) it works.
Why doesnt it work if used from a role???
Thanks.

I don't understand why almost everyone here
- refuses to read documentation
- refuses to use Google
- refuses to use the 'Search' link
- doesn't read about the Etiquette in this Forum, which includes you should consult documentation prior to posting
Assuming the context of your unknown update statement is a stored procedure
this question has been asked a gazillion times by people as equally lazy as you.
It has also been answered a gazillion times by people called 'volunteers'.
The answer has always been the same
As roles are volatile, they are disabled during compilation of stored procedures etc.
What works is
- the stored procedure is in the same schema as the affected table, execute privilege can be given to a role
- the procedure is created with 'authid current_user'
- the worst solution: access is granted directly
What is so special about you you think you are the only one with this non-issue?
Sybrand Bakker
Senior Oracle DBA

Similar Messages

How does Azure Compute Emulator (or the Azure one) determine if a role is web project or something else ("The Web Role in question doesn't seem to be a web application type project")?

I'm not sure if this is F# specific or something else, but what could cause the following error message when trying to debug locally an Azure cloud service:
The Web Role in question doesn't seem to be a web application type project.
I added an empty F# web api Project to a solution (which adds Global.asax etc., I added an OWIN startup class Startup etc.) and then from an existing
cloud service project I picked Roles and
chose Add
-> Web Role Project in solution, which finds the F# web project (its project type guids are 349C5851-65DF-11DA-9384-00065B846F21 and F2A71F9B-5D33-465A-A702-920D77279786),
of which the first one seem to be exactly the GUID that defines a web application type.
However, when I try to start the cloud project locally, I get the aforementioned error message. I have a C# Web Role project that will start when I remove the F# project. I also have F# worker
role projects that start with the C# web role project if I remove this F# web role project. If I set the F# web project as a startup project,
it starts and runs as one would expect, normally.
Now, it makes me wonder if this is something with F# or could this error message appears in C# too, but I didn't find anything on Google. What kind of checks are there when starting the emulator and which one needs
failing to prompt the aforementioned message? Can anyone shed light into this?
Sudet ulvovat -- karavaani kulkee

Sudet,
Yeah you are right, the GUID mentioned seems to be correct and the first one i.e. {349C5851-65DF-11DA-9384-00065B846F21} means the web application project which compute emulator uses to determine while spawning up role instances.
You might want to compare the csproj of your C# and F# web projects which might give some pointers.
Are you able to run your F# web project locally in IIS? If yes then you will definitely be able to run it on azure so I will recommend to test it in IIS Express first.
Here are some other tips which you can refer or see If you are yet to do those settings
1. Turn on the IIS Express - You can do it by navigating to project properties
2. Install Dependent ASP.NET NuGets / Web Api dependencies (If there are any missing), Reference System.Web assembly
Also I will suggest to refer this nice article about how to create a F# web Api project
http://blog.ploeh.dk/2013/08/23/how-to-create-a-pure-f-aspnet-web-api-project/
Hope this helps you.
Bhushan | http://www.passionatetechie.blogspot.com | http://twitter.com/BhushanGawale

Java Database User Role Privileges Framework

Hello
I am looking Java Framework which automatic generates Java Code for
Database User Role Privileges Administration.
Like in database we have a table of Users
Now we have table of Author, Book etc. (Related to Library)
Now i want to give insert permission to user1
update and delete permission to user2 etc.
Is there any framework related
Remeber i do not need User Role Privileges in database.
I need a framework to do this job.
Thanks in Advance.

There are tables created under the SAPSR3DB or SAP<SID>DB schema with extension .UME, such as SAPSR3DB.UME.ACL_ACL or SAPSR3DB.UME_ACL_ACLENTRY for AS-JAVA.
There are other tables with the UME extension too.
Regards,
Anwar

Right role/privileges for KVM Access only in UCS

Hi
I am making some locally Authenticated Users for some people at work.
They only need to access KVM and do things there.
What role/privileges do I need to set on the user?

Thank you for your answer.
I have looked into the thread, and was thinking about method #4.
I have created a user under Locally Authenticated Users and if I set the role Operations I get this message after pressing launch under KVM launch manager.
If I type the same username and password, I get login failed.
If I add the role Server-profile to the user, I can login with no issue. But then I am afraid that I give to much privileges to the user.
I'm using a Management IP Pool, so I don't know if the other methods works better. I think it is difficult to know the IP address, and maybe the adress can change.
The best is, when I add a server to UCS, the user can find the server KVM by himself, and I don't need to find the IP address and give it to him.
Maybe I am way off here, so please help me:)

Roles/Privileges

I am creating a new repository for OEM on 8i. I first created a sysdba user to manage the repository. When attempting to use the configuration assistant I run into the error that the user I created for the repository does not have the roles or privileges necessary to create the oem repository. Can anyone please tell me what roles/privileges the sysdba user is lacking to create this repository? Thank you.

select * from dba_sys_privs where grantee='ROLENAME';
select * from dba_role_privs where grantee='ROLENAME';
select * from dba_tab_privs where grantee='ROLENAME';

General Questions about Oracle Roles/Privileges

Hi,
I have a few questions I'm hoping to get clarification on:
1 - Is there a view similar to DBA_SYS_PRIVS/DBA_TAB_PRIVS that shows which system privileges have been assigned to users/accounts ONLY, filtering out roles? If not, how would one go about obtaining this list?
2 - Is there a view similar to DBA_ROLE_PRIVS that shows also just shows which users have been assigned to which roles ONLY, again filtering out roles? If not, how would one go about obtaining this list? I assume some type of recursion has to be done here to flatten out the roles.
My end goal is this:
- List of all users and directly assigned system privileges only
- List of all users and directly assigned table/object privileges only
- List of all users and all roles (if role X contains role Y, this list should show user has role X and Y)
Many thanks!

1 - Is there a view similar to DBA_SYS_PRIVS/DBA_TAB_PRIVS that shows which system privileges have been assigned to users/accounts ONLY, filtering out roles? If not, how would one go about obtaining this list?
it's simple:
select grantee, privilege from dba_sys_privs where grantee in (select username from dba_users);
select grantee, owner, table_name, privilege from dba_tab_privs where grantee in (select username from dba_users);
2 - Is there a view similar to DBA_ROLE_PRIVS that shows also just shows which users have been assigned to which roles ONLY, again filtering out roles? If not, how would one go about obtaining this list? I assume some type of recursion has to be done here to flatten out the roles.
select grantee, granted_role from dba_role_privs where grantee in (select username from dba_users);
select grantee, granted_role from dba_role_privs where grantee in (select role from dba_roles);Hope this helps...

Account role, privileges

related to "User access to OEM" thread (but removing the OEM element )
Using 10.2.0.1.0.
I want to create a user account (user A) that has limited 'DBA' permission. This user must have permission to modify 1 other schema (user B). I do not want 'user A' to modify ANY other schema (i.e. user C, user D)
Is this possible?
So far, I've created the account, and provided the following:
Roles:
connect
resource
exp_full_database
imp_full_database
gather_system_statistics
java_admin
xdbadmin
xdbwebservices
Sys Privileges:
select any dictionary
alter session
Object Privileges:
Grant object privileges to objects in 'user B' schema.
Quotos:
gave 'unlimited' quotos for 'user A' tablespace and 'user B' tablespace.
***Problem: When I log in as ‘user A’, I can create/delete tables, objects… in schemas other than ‘user A’ and ‘user B’.
Message was edited by:
user511512

okay, basically same question, but I removed the OEM part.
related to "User access to OEM" thread (but removing
the OEM element )
Using 10.2.0.1.0.
I want to create a user account (user A) that has
limited 'DBA' permission. This user must have
permission to modify 1 other schema (user B). I do
not want 'user A' to modify ANY other schema (i.e.
user C, user D)
Is this possible?
So far, I've created the account, and provided the
following:
Roles:
connect
resource
exp_full_database
imp_full_database
gather_system_statistics
java_admin
xdbadmin
xdbwebservices
Sys Privileges:
select any dictionary
alter session
Object Privileges:
Grant object privileges to objects in 'user B'
schema.
Quotos:
gave 'unlimited' quotos for 'user A' tablespace and
'user B' tablespace.
***Problem: When I log in as ‘user A’, I can
create/delete tables, objects… in schemas other than
‘user A’ and ‘user B’.
Message was edited by:
user511512

SSO and how to Managing User Roles/Privileges with Forms using Oracle db

We are in the process of implementing Oracle Application Server SSO with our custom Forms application using Oracle database -- all 10.2.0.1.0 version.
In our Forms Applications, we have about a dozen roles we have assigned to various users. We need to identify each user using our Forms because we are using the GLOBAL USER throughout the application.
Questions:
-- Do we have to create users/passwords in both OID and application database?
-- Is there a way to easily manage the user and passwords between SSO and Forms App/database in one place? For example, how does a user change their password once, but actually change it in both the database and SSO?
Any advice and/or direction would be greatly appreciated.
Thank you,
Mika
Edited by: user11846198 on Sep 1, 2009 1:41 PM
Edited by: user11846198 on Sep 1, 2009 1:53 PM

Yes, you can have global roles in the DB and assign this roles to specific OID users, and the will heritage the privilages, you can do this using Oracle Identity Management Web Tool http://hostname:7777/oiddas is not complicated.
Greetings.

System and Object privileges question

hello everyone.
I was really making it a priority to really understand both system and object privileges for users. I have setup a couple of 'sandboxes' at home and have done lots of testing. So far, it has gone very well in helping me understand all the security involved with Oralce (which, IMHO, is flat out awesome!).
Anyway, a couple of quick questions.
As a normal user, what view can I use to see what permissions I have in general? what about permissions on other schemas?
I know I can do a:
select * from session_privs
which lists my session privileges.
What other views (are they views/data dictionary?) that I can use to see what I have? Since this is a normal user, they don't have access to any of the DBA_ views.
I'll start here for now, but being able to see everything this user has, would be fantastic.
Cheers,
TCG

Sorry. should have elaborated more.
In SQLPLUS, (logged in while logged into my Linux OS), I am working to try and get sqlplus to display the results of my query so it is easy to read. Right now, it just displays using the first 1/4 or 1/3 of the monitor screen to the left. Make sense? So it does not stretch the results out to utilize the full screen. it is hard to break down and read the results because they are "stacked" on top of each other.
Would be nice if I could adjust sqlplus so the results are easier to read.
HTH.
Jason

SAP HCM Business analyst Support role Interview Questions and answers required..

Hello Experts,
I have applied for the role Business Analyst supporting SAP HR and GB Payroll. I need to prepare for the interview.
I would like to have any material or link with regards to issues/tickets raised for SAP HCM /payroll. my email ID [email protected]
Could you please provide me Interview Questions and answers for SAP HCM and Payoll support.
Thanks in Advance
Regards
Nivedita

we can not assume any interview questions .better you can search in google.if your in supporting then you should be able to rectivie the day tod day issues and the change request. for this you should have all modules experince to answer the interview questions. all the questions will be the real time and the process real time scenario kind of questions.
For the GB payrol,. look at all statutory deduction and payment like payee tax and the NI-(National insurenve) deduction. and also the returns (monthly anualy). and also the config of SSP (statutory sick pay )and SMP (Statutory Maternity Pay), factoring process , retro, posting and automatic file transfer to HMRC,etc.

SQL query won't compile based on DB role privileges

Can someone give me an explanation why the SQL query in a report won't compile if an object is owned by another schema and the parsing schema is given privileges to the table via a role grant?
Or to phrase it another way, why do we have to make direct grants on tables to the parsing schema for reports based on SQL queries that access tables in other schemas?
Thanks in advance,
Paul

Paul - In Oracle, roles are not enabled during the execution of definer's rights stored procedures which is the environment in which all Application Express application code is parsed/executed. There are scads of posts about this topic in this forum.
Scott

OID First Time Full Reconciliation - group/role reconciliation question

My client has some roles/groups created in OID. The initial set of users lies over there. I have to bring the initial load of users into OIM. The existing set of users is around 5000. But some users belong to different groups/roles. Now if I want to do a first time reconciliation to bring all these initial set of user profiles and accounts into OIM; where do I need to specify the groups/roles in OID resource object?
I went through the OID connector guide. But in there, in the section "3.1 Performing First-Time Reconciliation", it doesn't mention anywhere to create any multivalued attribute/child form or anything. What are the steps that are needed to be taken? If I just reconcile the group/role lookup values, will it populate those values within the user process form? If so, which fields will co-relate with that?
Thanks,
- oidm.

Thanks Raj. But I think I am a bit lost over here.
So you mean to say I don't need to run the scheduled tasks which are related to populating the groups/roles lookups for first time full reconciliation? And also you mean to say that we only need these lookups at the time of provisioning user profiles to target system?
I have to create identities within OIM from OID so I have to run the 'OID User Trusted Recon Task' and not 'OID User Target Recon Task'.
Basically, my question is how will the roles/groups be depicted in the user account when I will do a trusted source reconciliation? If so, which fields in process form will hold those values? Do I need to run the lookup reconciliation tasks for the same or not?
Thanks,
- oidm.

ESS Business Package role authorization question

Hi,
We are going live in a few weeks with the ESS BP in EP7 SP12. All we are planning to use right now are two of the Benefits webdynpro's (Benefits Participation Overview and Enrollment).
My question is this; Do I have to give all users the Employee-Self-Service role or can I simply just add the everyone group to the two benefits webdypro's?
Any insight to this would be greatly appreciated.
Regards,
Rick
Points always awarded for helpful answers!

Rick,
best solution would be to create a new role (for example "myESS") and add the two iViews to it. then assign the role to a group that includes all employees (I wouldn't use "Everyone"...). This keeps you the best flexibility and structures your content from the beginning.
kr, achim

Disaster Recovery / HA server role count question

We are currently working on a disaster recovery plan for our on-premise Exchange 2010 environment. As of today, have a DR Office 365 site is not an option for us. Our primary datacenter that houses our Exchange 2010 SP3 servers is setup as follows.
North America
4 servers (HUB/CAS)
1 CAS Array (F5 load balanced)
4 servers (mailbox)
1 DAG, public/private networks (2 nics)
2 servers (UM)
====================================
In our secondary datacenter we currently have built out 4 servers, OS Only. My question is which roles should I place on these servers so that we don't take down our production environment if the secondary site goes offline. The secondary site
may go down from time to time for testing and I don't want our production databases to unmount because of quorum and failed votes.
I was thinking installing HUB/CAS/MB on all 4 and UM on only 1 of them. Does this work? I have read through some technet articles about the (n/2) + 1 rule, but need a little more assurance. Thanks everyone!
d

Thanks yea, I used it. I says if I have 4 mailbox servers in the primary then I should have 4 mailbox servers in the secondary. Also, not sure if this matters, but we have an even number of databases. Basically I don't want our pimrary
databases to dismount if we lose the WAN connection, temporarily, to the secondary site. Do I need an odd number of databases/servers or is 4 and 4 could for servers and 12 active/passive in the primary and 12 passive in the secondary good. Thanks
again for the information, much appreciated.
d

Granting Privileges question

This is not a duplicate post. User Wilhem posted it in the wrong forum.
In the below mentioned link, user CD has provided a quick way to grant privileges to another user. But it didn't work for me. Is there something wrong with with the DECODE expressions?
Re: Granting Privileges question

Instead of granting privileges to a user, i wanted to grant these privileges to a role. So i created a role
CREATE ROLE jenrole;
And then i tried the below mentioned script. But i am getting error
DECLARE
v_sql VARCHAR2(4000);
BEGIN
FOR obj IN (SELECT object_name
, object_type
, DECODE (OBJECT_TYPE,
'PROCEDURE','EXECUTE',
'FUNCTION' ,'EXECUTE',
'PACKAGE' ,'EXECUTE',
'SYNONYM' ,'SELECT' ,
'SELECT, INSERT, UPDATE, DELETE') rights
FROM user_objects)
LOOP
v_sql := 'GRANT '|| obj.rights ||' ON '|| obj.object_name ||' TO JENROLE' ;
dbms_output.put_line(v_sql);
EXECUTE IMMEDIATE v_sql; END LOOP;
END;
ERROR at line 1:
ORA-00911: invalid character
ORA-06512: at line 16
Why am i getting error? The error line is boldened

Roles privileges question

Similar Messages

Maybe you are looking for