Schema Permissions

Hi,
I have an automated process which runs on an Oracle 8i database server as user abc.
This process creates views/tables in other schemas, on the same database server, which point to objects owned by the abc user.
The issue I'm getting is that when I try to execute GRANT SELECT ON xyz.view123 TO PUBLIC as the abc user, I get an insufficient privileges error.
I should add that the abc user created the xyz.view123 table/view.
What grants/privileges or whatever do I have to do to the abc schema?

Hi Syed,
Thanks for your fast reply.
We have a new application that was written and uses a *10g Oracle* database to store all of its data.
The legacy application, that this application is replacing, stores all of its data in a *8i Oracle* database.
Many other application/reports, which we cannot modify right now, still use the data stored in the *8i Oracle* database so we have to still feed them live data :(
The old system created new schemas as they were needed and then created objects in those schemas. Since the list of possible schemas that will need data in *8i* is dynamic, we don't want to manually apply grants to each of the possible schemas as that will require developer intervention once-in-a-while :(
*Task Details*
I had to create a system which will make data in our *10g Oracle* server accessible to our *8i Oracle* server.
We have several old applications (+which we cannot modify+) that directly connect to *8i Oracle*.
Basically we decided to use views as the data sets are not terribly large and they do change often.
We have a scheduled process that runs on a regular schedule to see if anything has changed and needs to be updated in *8i*.
If something is found our code, as described below, kicks off and creates the views.
We've created a DB_LINK in the abc schema which points to the *10g Oracle* server. Using this DB_LINK, our system creates temporary views in the abc schema which point to the *10g Oracle* server.
Once those views are created, and select grant has been made to public, our system then creates a view in the "+final destination+" schema to the view in the abc schema.
Our main reason for all of this linking is that we would only need one DB_LINK and we could then create views in many different *8i* schemas using just that one DB_LINK.
*Application Flow:*
1) CREATE OR REPLACE VIEW abc.viewName AS SELECT * FROM newTable@10gDatabaseLink
2) GRANT SELECT ON abc.viewName TO PUBLIC
3) CREATE OR REPLACE VIEW xyz.legacyViewName AS SELECT * FROM abc.viewName
4) GRANT SELECT ON xyz.legacyViewName TO PUBLIC
We run the above code as user abc; the above steps only break on step 5 with "*Error: ORA-01031: insufficient privileges*".
Sorry for the long-winded explanation :(
Edited by: MattWeiler on Sep 30, 2011 9:19 AM

Similar Messages

  • Calling procedure dynamically, from different schema, permissions issue

    Hi,
    I have a 'master_user' schema that needs to run DDL on a 'secondary_user' schema.
    There appears to be some kind of permissions subtlety that I'm missing. Here are the simplified steps to create, test and troubleshoot:
    Secondary schema has a procedure defined:
    -- Run as SYSTEM (at build time)
    CREATE OR REPLACE PROCEDURE secondary_user.execute_immediate(p_sql_statement IN VARCHAR2)
    IS
    BEGIN
        EXECUTE IMMEDIATE p_sql_statement;
    END;
    GRANT EXECUTE ON secondary_user.execute_immediate TO master_user;
    I then want to call this procedure from master_user to execute DDL dynamically in secondary_user.
    -- Run as master_user
    BEGIN
        EXECUTE IMMEDIATE ' BEGIN secondary_user.execute_immediate(''DROP TABLE test1''); END;';
    END;
    ERROR at line 1:
    ORA-00942: table or view does not exist
    ORA-06512: at "SECONDARY_USER.EXECUTE_IMMEDIATE", line 5
    ORA-06512: at line 1
    ORA-06512: at line 2
    TROUBLESHOOTING SO FAR:
    Now I can call this procedure directly:
    -- As master_user
    EXEC secondary_user.execute_immediate('drop table test1')
    PL/SQL procedure successfully completed.
    I can call the wrapped procedure as different users:
    -- As secondary_user
    BEGIN
        EXECUTE IMMEDIATE ' BEGIN secondary_user.execute_immediate(''DROP TABLE test1''); END;';
    END;
    PL/SQL procedure successfully completed.
    -- As SYSTEM
    BEGIN
        EXECUTE IMMEDIATE ' BEGIN secondary_user.execute_immediate(''DROP TABLE test1''); END;';
    END;
    PL/SQL procedure successfully completed.
    Can you shed any light on this behaviour? The master_user clearly has permission to run the procedure, but it cannot see it from within an anonymous block. However SYSTEM can so what permission does SYSTEM have that master_user does not?
    Much appreciated,
    Si

    Something doesn't add up:
    SCOTT@orcl > create user secondary_user
      2  identified by secondary_user
      3  default tablespace users
      4  quota unlimited on users
      5  /
    User created.
    SCOTT@orcl > grant create session to secondary_user
      2  /
    Grant succeeded.
    SCOTT@orcl > create user master_user
      2  identified by master_user
      3  default tablespace users
      4  quota unlimited on users
      5  /
    User created.
    SCOTT@orcl > grant create session to master_user
      2  /
    Grant succeeded.
    SCOTT@orcl > CREATE OR REPLACE PROCEDURE secondary_user.execute_immediate(p_sql_statement IN VARCHAR2)
      2
      3  IS
      4
      5  BEGIN
      6
      7      EXECUTE IMMEDIATE p_sql_statement;
      8
      9  END;
    10
    11  /
    Procedure created.
    SCOTT@orcl > GRANT EXECUTE ON secondary_user.execute_immediate TO master_user;
    Grant succeeded.
    SCOTT@orcl >
    SCOTT@orcl > create table secondary_user.test1(n number)
      2  /
    Table created.
    SCOTT@orcl > connect master_user@orcl
    Enter password:
    Connected.
    MASTER_USER@orcl > BEGIN
      2
      3      EXECUTE IMMEDIATE ' BEGIN secondary_user.execute_immediate(''DROP TABLE test1''); END;';
      4
      5  END;
      6
      7  /
    PL/SQL procedure successfully completed.
    MASTER_USER@orcl >
    Make sure table secondary_user.test1 exists when you run SP. And, as you can see, neither secondary_user nor master_user have any privs besides create session.
    SY.
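
The wrapper in this thread runs with definer's rights, so EXECUTE on it lets the grantee run any statement with secondary_user's privileges. A narrower wrapper, as an added example that is not code from the thread: drop_owned_table and p_table_name are hypothetical names, and DBMS_ASSERT is assumed to be available (Oracle 10g Release 2 or later).

```sql
-- Added example, not from the thread. drop_owned_table and p_table_name are
-- hypothetical names; DBMS_ASSERT is assumed available (Oracle 10.2 or later).
-- Run as a privileged user at build time, like the original wrapper.
CREATE OR REPLACE PROCEDURE secondary_user.drop_owned_table(p_table_name IN VARCHAR2)
AUTHID DEFINER  -- same rights model as the thread's wrapper: runs as secondary_user
IS
    l_name  VARCHAR2(128);
    l_count PLS_INTEGER;
BEGIN
    -- Accept a single plain identifier only; anything else raises ORA-44003.
    l_name := UPPER(DBMS_ASSERT.SIMPLE_SQL_NAME(p_table_name));

    -- In a definer's-rights unit USER_TABLES lists the owner's tables,
    -- so the name must be an existing table of secondary_user.
    SELECT COUNT(*) INTO l_count FROM user_tables WHERE table_name = l_name;
    IF l_count = 0 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Not a table owned by SECONDARY_USER');
    END IF;

    -- The only statement this wrapper can ever run.
    EXECUTE IMMEDIATE 'DROP TABLE ' || DBMS_ASSERT.ENQUOTE_NAME(l_name, FALSE);
END;
/
-- Replace the open-ended grant with the narrow one.
REVOKE EXECUTE ON secondary_user.execute_immediate FROM master_user;
GRANT EXECUTE ON secondary_user.drop_owned_table TO master_user;

-- As master_user
BEGIN
    secondary_user.drop_owned_table('test1');
END;
/
```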

  • List schema permissions

    Hi,
    Is there a way to list permissions on a schema granted to a user? Not objects in the schema, but the schema itself?
    I tried using
    SELECT * FROM fn_my_permissions('MySchemaName', 'SCHEMA')
    but the return is not what I need. For example, it lists permission SELECT, but not whether the permission was granted, revoked, or denied. It is the latter I am interested in.
    Any help would be appreciated.
    Thank you.
    Peter Battelino
    BTE Corporation
    PMBT

    I may be misunderstanding what you are asking for, but when I tested Rick's script, it seems to me that it returns more or less exactly what you are asking for. There is no place to plug in the permission - it lists all permissions denied or granted, see
    the script below.
    However, REVOKE is missing and will always be missing since REVOKE just removes whatever there used to be.
    CREATE DATABASE listschema
    go
    USE listschema
    go
    CREATE SCHEMA TestSchema
    go
    CREATE USER TestUser WITHOUT LOGIN
    go
    GRANT SELECT ON SCHEMA::TestSchema TO TestUser
    DENY INSERT ON SCHEMA::TestSchema TO TestUser
    go
    SELECT state_desc, permission_name, 'ON', class_desc,
    SCHEMA_NAME(major_id),
    'TO', USER_NAME(grantee_principal_id)
    FROM sys.database_permissions AS Perm
    JOIN sys.database_principals AS Prin
    -- join on the grantee; for class SCHEMA, major_id holds the schema id
    ON Perm.grantee_principal_id = Prin.principal_id AND class_desc = 'SCHEMA'
    WHERE major_id = SCHEMA_ID('TestSchema')
    AND grantee_principal_id = user_id('TestUser')
    --AND permission_name = 'SELECT'
    go
    USE tempdb
    go
    DROP DATABASE listschema
    Erland Sommarskog, SQL Server MVP

  • Reporting Schema Permissions

    I would like to share the data model with my developers (who have SQL Developer) and was going to use the Report Repository/Schema.  I was following the instructions on the OTN website (Working with the SQL Developer Data Modeler Reporting Repository) until I got to the line that read "Select the Granted, Admin and Default check boxes for DBA and click Apply."  In the environment I work in granting DBA to a schema is very restricted and since the developers will be connecting using the DM1 schema (following the example) it just won't be allowed.  What is the minimal set of grants necessary for the Reporting Schema to work?  I just can't believe that the Reporting Schema needs every single system privilege (like EXP_FULL_DATABASE).
    So far I have a schema (DM1) that has CONNECT and RESOURCE.  I need to add more privs (assuming CREATE TABLE, CREATE VIEW) but would like a concise list if possible.
    Thanks
    Rick Anderson

    Hi Rick,
    Check these files
    \datamodeler\reports\Reporting_Schema_Permissions.sql
    \datamodeler\reports\CreateExtraUserForReporting.sql

  • Schema Permissions error

    When I am logged into the HTMLDB development environment as the user admin, and I enter the SQL workshop and click the tables link in the data browser section, I am presented with the error:
    ORA-20000: User ADMIN has no privs on the HTMLDB schema.
    User Admin is setup as a developer and an Administrator with access to all schemas.
    Other HTMLDB functions such as building apps work fine.
    Can anyone provide some insight on how to fix this problem?
    thanks,
    -Tony

    Tony,
    I've seen that error when my user account's default schema was set to a schema name that was not one of the schemas currently assigned to the workspace. However, I can't seem to reproduce it exactly as you showed unless I assign 'HTMLDB' as a user's default schema. Can you investigate that angle and let us know?
    Scott

  • Which Schema Permissions are needed for EF Beta?

    If a developer is not the tables / views owner, which minimal permissions are required to get the Server Explorer populated so an EF model can be created?

    You can't install Access Manager without full control on the base organization.
    You need the Directory Manager user (maybe with a temporary password) or a user with full permissions on the Access Manager root DN.
    Hope It Helps
    Regards!!

  • URGENT!!!!! Schema design help

    I am trying to design a schema with Active Directory Application Mode with the following requirements:
    Profile 1: CM_VIEW - view equipment, search equipment
    Profile 2: CM_USR - All operations possible by CM_VIEW + create equipment objects, modify inventory, create and modify facilities attributes
    Profile 3: CM_FULL - All operations possible by CM_USR + delete equipment, facilities
    Profile 4: CM_ADM - All operations possible by CM_FULL + admin privilege for security management
    There are a list of user groups. This level is more like a container and no privilege is controlled at this level
    User Group1 : Admin
    User Group2: Manager
    User Group3: Operator
    Now this list of User groups can have one or more subgroups. The profiles need to be assigned at this level.
    Admin group: Admin1
    Manager group: NW Manager, Area1 Manager, Area2 Manager etc.
    Operator Group: NW Operator, Area1 Operator, Area2 Operator
    There is a single network which is divided into 5 area centers. User groups are given access to the whole network or specific area center.
    Whole NW access : Admin1, NW Manager with whatever profiles assigned to them
    Area1 access : Area1 Manager, Area1 Operator with whatever profiles assigned to them
    As I am a novice with ADAM, I seek some help to get my schema designed. I am very confused about
    - whether the default AD schema would suffice
    - do I need to create my own class
    - do I need to add my own attributes to existing classes
    - If so, should I consider all the operations defined in the profile as user defined attributes?
    I could not get specific information for the stuff I am searching for and I am struggling to get the schema designed. It is quite urgent and any help in this area would be greatly appreciated.

    There would be several ways to solve this problem.
    First of all, the schema. You have three choices:
    1. Extend an existing class. This is when the existing class meets your requirements (searching, differentiation) but needs a few more attributes.
    2. Derive a new subclass from an existing class. This is when you want to differentiate your class, but inherit features from an existing class.
    3. Create a new class, when no existing class meets your requirements
    For option 1, the best way to do this is to create an auxiliary class and add it to the existing class. (E.g. create an auxiliary class called clothing sizes, add attributes height, waist, hat size, shoe size, and then add the class to the existing user class.)
    For option 2, you may want a class called football player, so you create a new class called footballplayer, derived from the existing user class. You may add new attributes such as football team, playing position.
    For option 3, you may want to create an entirely new class to represent a football stadium, with both existing attributes such as address, city and new attributes such as seating capacity.
    So in your case, users & administrators would normally just be user or inetOrgPerson class objects. Equipment & facilities may require their own classes.
    The next thing is to use organisationalUnits (OUs) as the boundaries for delegating administrative permissions. For each area, Area 1, Area 2, ..., Area n, create an organizational unit.
    Then you have two methods to enforce role based access control.
    The first is to use the Windows security model to enforce the object access.
    Create groups to represent CM_VIEW, CM_USR, CM_FULL, CM_ADM roles, perhaps even groups such as Area_1_CM_USR
    Then grant the following permissions on the OU.
    CM_VIEW - read/list eqpt class objects
    CM_USR - read/write/list/create/delete eqpt class objects, read/list/write/create facilities
    CM_FULL - read/write/list/create/delete eqpt class objects, read/list/write/create/delete facilities
    CM_ADM - full permissions on the OU.
    You can either define these ACL's on the OU's so the permissions apply to all objects in the OU, or define them on the schema definitions so that as new objects are instantiated they have the default permissions applied. As you want to differentiate access at the OU level, don't worry about the default schema permissions, just set the ACL's on each OU.
    The problem you would have is using Java/JNDI to manage the ACL's (writing the security descriptors on the OU or object classes). Far easier to use either the Windows API's, Windows scripting interfaces (ADSI), LDIF files or Windows UI components (ADSIEdit).
    You may want to do all the schema extension and ACL's with Windows tools, coz they're easier, and use Java/J2EE for your application development.
    The second approach is to apply the role based access controls within your application. The security risk with this approach is that it may be possible for someone to subvert the security in your application by accessing the directory directly.

  • Set_User procedure

    I logged in my application as User A.
    In page 1 I use a process like
    htmldb_custom_auth.set_user ('UserB'). I checked the :APP_USER global variable; it is set correctly to User B. Then I submit the page and go to Page 2. In page 2 I check the :APP_USER again; it has reverted back to User A.
    Why is this happening?

    Jimmy,
    Changing APP_USER using that API call affects the global variable for the duration of the page request, which is sometimes useful to adjust the displayed value based on the authenticated username. It's normally only used in an authentication scheme to establish the desired value prior to session registration, which establishes a persistent user identification token for the duration of the session. What are you trying to accomplish? You cannot change the identity of the user after session registration, unless you write that component yourself, but why would you want to? That value has nothing to do with database accounts or schema permissions or the user value associated with the connected database session for your page request.
    Scott

  • Insert error on unfamiliar database

    I am running Oracle 10.2.0.4 on a 3-node RAC with Windows Server 2008. I am a newbie that has taken over a database that has been left unattended for months. I am running through the configuration and making sure all the nodes are healthy and trying to tackle tasks as they come.
    I need to insert a row and ran this script on development just fine:
    insert into table_name(a, b, c)
    values (1, 2, 3);
    commit;
    Once I moved it over to production I get this:
    ERROR at line 1:
    ORA-00942: table or view does not exist
    I have checked the schema permissions of my user. I have alter, select, and update any table. The table is owned by my schema. I looked for synonyms but have none under my user. I checked views and have 43. I also have 129 triggers. I don't know anything about either the views or triggers but can start to try to go through them if that may be my issue.
    Am I missing something simple here?
    To add another question on here (sorry). How would you go about discerning all the triggers/views/synonyms in a database you are not familiar with? I have 3751 views, 161 triggers, and 20141 synonyms! I don't know where to start with that or what are the pertinent things that I need to know that I will have time to go through along with everything else?
    Thanks for any help or suggestions!

    I believe you are logged in as the user you say. However what I believe does not count, only what Oracle says.
    Does the table_name show up in the ALL_TABLES query?
    How about USER_TABLES then?
    Can you run a DESCRIBE in Sqlplus ?
    Can you SELECT from this table?
    On the views, triggers, and synonyms questions: why do you need to know these details? A view is just an in-line query; you can run infinite numbers of SQL combinations against the database. Trying to know all of them is unreasonable in my humble opinion. Unless the trigger is invalid or you want to disable it for, say, a special update, I would not worry much about these. Knowing what tables have triggers is probably enough. Synonyms are not a concern unless you have a ton of invalid ones; then I would clean them up.
    SELECT
      A.OWNER,
      A.OBJECT_NAME,
      A.OBJECT_TYPE,
      A.STATUS,
      B.SYNONYM_NAME,
      B.TABLE_OWNER
    FROM
      DBA_OBJECTS  A,
      DBA_SYNONYMS B
    where
      A.status='INVALID'
    AND
      A.OBJECT_TYPE='SYNONYM'
    AND
        B.SYNONYM_NAME = A.OBJECT_NAME;
    Best Regards
    mseberg
    Edited by: mseberg on Dec 30, 2011 1:29 PM

  • Reader 9.3.2, undocumented SchemePerms value for javascript of "4"?

    In reader 9.3.2's "reader_prefs" file, the DefaultLaunchURLPerms block changed to add
    a "javascript" Scheme permissions value of "4":
    /DefaultLaunchURLPerms
      [ /c
        <<
          /FlashContentSchemeWhiteList [/t (http|https|ftp|rtmp|rtmpe|rtmpt|rtmpte|rtmps|mailto)]
          /SchemePerms [/t (version:2|shell:3|hcp:3|ms-help:3|ms-its:3|ms-itss:3|its:3|mk:3|mhtml:3|help:3|disk:3|afp:3|disks:3|telnet:3|ssh:3|acrobat:2|mailto:2|file:1|javascript:4)]
        >>
    Please indicate what this value means.
    (i believe these values are taken from Table 9 of:
    http://learn.adobe.com/wiki/download/attachments/64389123/AcrobatApplicationSecurity.pdf
    but please correct me if i'm wrong)
    thanks,
    --stephen

    I tried to find the download for 9.5.5, but my OS is not in the list. I'm on a non-intel PPC mac. I tried finding that version on the web, but most of the links lead me back to Adobe, where it doesn't seem to want to be found. It obviously exists somewhere, but Adobe isn't making it easy to access!

  • Repository manipulations

    Hi,
    I am interested in manipulating HTML DB repository directly in database using PL/SQL or JAVA. Is it possible?
    I would like to integrate HTML DB application with ADF JFACES and sometimes I will have to manipulate HTML DB repository from ADF JAVA code. Can it be done?
    regards,
    Cezary

    Ok about "data" but I am talking about for instance
    definition of master-detail form.
    Can it be changed ? Not from HTML DB wizards but by
    something like API?
    As John said, the HTMLDB applications you create (page definitions, report definitions, etc, etc...) are all stored in the database as regular data in regular tables in the FLOWS_XXXXXX schema. So, yes, it can be changed. As long as the application trying to do it is given appropriate schema permissions.
    Is it JAVA API to manipulate that can change a
    master-detail form?
    That's up to you. You can use Java or any other tool that can do DML in Oracle.
    Earl

  • [mdm].[udpSecurityMemberQueueActivate] proc issue

    I have an MDS instance where security is not being correctly applied. I've changed the member processing security interval, ensured that the SSB_USER account has the correct schema permissions, checked that there are no disabled service broker queues, and
    followed the instructions to reset the timers here. The only difference I see between this and the other instances I have running on the same server are these messages in the SQL / event logs, which lead me to believe that the proc is running correctly. If
    I run the procedure to manually update the permissions it works. What am I missing?
    Event ID: 9724
    The activated proc '[mdm].[udpSecurityMemberQueueActivate]' running on queue 'MDS.mdm.microsoft/mdm/queue/securitymembertimer' output the following: 
    'Creating member security items for Entity_ID: 20 and Version_ID: 5 finished at: 15:25:16'

    This is solved! To answer Nithesh's question, this is the query that needed to run manually:
    https://msdn.microsoft.com/en-us/library/ff486978.aspx?f=255&MSPPError=-2147217396
    To resolve the issue first thing I did was to check the DMVs per this post:
    https://social.msdn.microsoft.com/Forums/sqlserver/en-US/5ec767a5-d534-47c8-b69d-ff802f56350e/activated-proc-not-firing?forum=sqlservicebroker
    That didn't show any errors, and it verified service broker was working. Next, I disabled and enabled all of the service broker queues associated with the MDS database. Once that was complete, I restarted the instance. Some combination of those steps resolved
    the issue and we have no need to continue running the manual query to update permissions.

  • The SELECT permissions was denied on the object 'extended_properties', database 'mssqlsystemresource', schema 'sys'.(Microsoft SQL Server, Error:229

    I have a SQL Server connected into a Windows Server 2003 Domain Active Directory. The server holds a default instance with a single database, the SQL Server is 2005 Std Edition, and it is using mixed mode authentication, so I am able to create SQL native users
    and invoke Windows Domain users also.
    The goal of this project is to remove the sysadmin server role from all the Windows Domain users, to give them a more granular security model, but at the moment this is the only way to connect to the database server.
    I already created native SQL Server users without any problem; they respect Securable settings, Server Roles, User Mapping, everything. Only when I create a login profile from a Domain user and apply the same settings do I get this error:
    The SELECT permissions was denied on the object 'extended_properties', database 'mssqlsystemresource', schema 'sys'.(Microsoft SQL Server, Error:229)
    But if the user has the sysadmin server role, he can sign on to the server without any issue. I reviewed the sys view extended_properties and "Public" is the only database role placed.
    Any idea if I need to change any setting in the security of the SQL master database, or what the issue is in this matter?
    Thanks in advance for your help!

    Since there are so many possibilities for what might be wrong, here's another possibility to look at.  I ran into something where I had set up my own roles on a database.  (For instance, "Administrator", "Manager", "DataEntry",
    "Customer", each with their own kinds of limitations)  The only ones who could use it were "Manager" role or above--because they were also set up as sysadmin because they were adding users to the database (and they were highly trusted). 
    Also, the users that were being added were Windows Domain users--using their domain credentials.  (Everyone with access to the database had to be on our domain, but not everyone on the domain had access to the database--and only a few of them had access
    to change it.)
    Anyway, this working system suddenly stopped working and I was getting error messages similar to the above.  What I ended up doing that solved it was to go through all the permissions for the "public" role in that database and add those permissions
    to all of the roles that I had created.  I know that everyone is supposed to be in the "public" role even though you can't add them (or rather, you can "add" them, but they won't "stay added").
    So, in "SQL Server Management Studio", I went into my application's database, in other words (my localized names are obscured within <> brackets): "<Computername> (SQL Server <version> - sa)"\Databases\<MyAppDB>\Security\Roles\Database
    Roles\public".  Right-click on "public" and select "Properties".  In the "Database Role Properties - public" dialog, select the "Securables" page.  Go through the list and for each element in the
    list, come up with an SQL "Grant" statement to grant exactly that permission to another role.  So, for instance, there is a scalar function "[dbo].[fn_diagramobjects]" on which the "public" role has "Execute" privilege. 
    So, I added the following line:   
    EXEC ( 'GRANT EXECUTE ON [dbo].[fn_diagramobjects] TO [' + @RoleName + '];' )
    Once I had done this for all the elements in the "Securables" list, I wrapped that up in a while loop on a cursor selecting through all the roles in my roles table.  This explicitly granted all the permissions of the "public" role to
    my database roles.  At that point, all my users were working again (even after I removed their "sysadmin" access--done as a temporary measure while I figured out what happened.)
    I'm sure there's a better (more elegant) way to do this by doing some kind of a query on the database objects and selecting on the public role, but after about half an hour of investigating, I wasn't figuring it out, so I just did it the brute-force method.
    In case it helps someone else, here's my code.
    CREATE PROCEDURE [dbo].[GrantAccess]
    AS
    DECLARE @AppRoleName AS sysname
    DECLARE AppRoleCursor CURSOR LOCAL SCROLL_LOCKS FOR
    SELECT AppRoleName FROM [dbo].[RoleList];
    OPEN AppRoleCursor
    FETCH NEXT FROM AppRoleCursor INTO @AppRoleName
    WHILE @@FETCH_STATUS = 0
    BEGIN
    EXEC ( 'GRANT EXECUTE ON [dbo].[fn_diagramobjects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_alterdiagram] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_creatediagram] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_dropdiagram] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_helpdiagramdefinition] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_helpdiagrams] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT EXECUTE ON [dbo].[sp_renamediagram] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[all_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[all_objects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[all_parameters] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[all_sql_modules] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[all_views] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[allocation_units] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[assemblies] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[assembly_files] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[assembly_modules] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[assembly_references] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[assembly_types] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[asymmetric_keys] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[certificates] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[change_tracking_tables] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[check_constraints] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[column_type_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[column_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[computed_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[conversation_endpoints] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[conversation_groups] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[conversation_priorities] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[crypt_properties] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[data_spaces] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_audit_specification_details] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_audit_specifications] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_files] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_permissions] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_principal_aliases] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_principals] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[database_role_members] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[default_constraints] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[destination_data_spaces] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[event_notifications] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[events] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[extended_procedures] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[extended_properties] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[filegroups] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[foreign_key_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[foreign_keys] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_catalogs] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_catalog_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_index_fragments] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_indexes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_stoplists] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[fulltext_stopwords] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[function_order_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[identity_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[index_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[indexes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[internal_tables] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[key_constraints] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[key_encryptions] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[message_type_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[module_assembly_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[numbered_procedure_parameters] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[numbered_procedures] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[objects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[parameter_type_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[parameter_xml_schema_collection_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[parameters] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[partition_functions] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[partition_parameters] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[partition_range_values] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[partition_schemes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[partitions] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[plan_guides] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[procedures] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[remote_service_bindings] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[routes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[schemas] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_contract_message_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_contract_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_contracts] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_message_types] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_queue_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[service_queues] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[services] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[spatial_index_tessellations] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[spatial_indexes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sql_dependencies] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sql_modules] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[stats] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[stats_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[symmetric_keys] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[synonyms] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[syscolumns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[syscomments] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysconstraints] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysdepends] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysfilegroups] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysfiles] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysforeignkeys] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysfulltextcatalogs] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysindexes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysindexkeys] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysmembers] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysobjects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[syspermissions] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysprotects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysreferences] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[system_columns] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[system_objects] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[system_parameters] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[system_sql_modules] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[system_views] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[systypes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[sysusers] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[table_types] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[tables] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[transmission_queue] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[trigger_events] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[triggers] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[type_assembly_usages] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[types] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[views] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_indexes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_attributes] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_collections] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_component_placements] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_components] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_elements] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_facets] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_model_groups] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_namespaces] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_types] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_wildcard_namespaces] TO [' + @AppRoleName + '];' )
    EXEC ( 'GRANT SELECT ON [sys].[xml_schema_wildcards] TO [' + @AppRoleName + '];' )
    FETCH NEXT FROM AppRoleCursor INTO @AppRoleName
    END
    CLOSE AppRoleCursor
    DEALLOCATE AppRoleCursor  -- release the cursor so the procedure can be executed again
    RETURN 0
    GO
    Once that is in the system, I just needed to "Exec GrantAccess" to make it work.  (Of course, I have a table [RoleList] which contains an "AppRoleName" field that contains the names of the database roles.)
    So, the mystery remains: why did all my users lose their "public" role and why could I not give it back to them?  Was this part of an update to SQL Server 2008 R2?  Was it because I ran another script to delete each user and add them back so as to refresh their connection with the domain?  Well, this solves the issue for now.
    One last warning: you probably should check the "public" role on your system before running this to make sure there isn't something missing or wrong here.  It's always possible something is different about your system.
    Hope this helps someone else.
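The check the post recommends before running the procedure, as an added example that is not the poster's code: the first query lists what "public" holds on the sys catalog views, and the second lists, per role, only the grants that role is missing. It assumes the poster's [RoleList] table lives in the dbo schema and that the names in it are database roles.

```sql
-- Added example. Assumptions: dbo.RoleList(AppRoleName) as described in the post;
-- run in the affected database as a user who can read the permission catalog.

-- 1. Review what "public" holds on the sys catalog views in this database.
SELECT  o.name AS catalog_view, p.permission_name, p.state_desc
FROM    sys.database_permissions AS p
JOIN    sys.all_objects          AS o ON o.object_id = p.major_id
WHERE   p.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'public')
  AND   p.class = 1                       -- object-level permission
  AND   p.minor_id = 0                    -- whole object, not a single column
  AND   o.schema_id = SCHEMA_ID(N'sys')
ORDER BY o.name;

-- 2. For every role in RoleList, list the catalog views that "public" can
--    SELECT from but the role cannot, with the GRANT that would close the gap.
--    QUOTENAME escapes a ] inside a role name, which '[' + @name + ']' does not.
SELECT  r.AppRoleName,
        o.name AS catalog_view,
        N'GRANT SELECT ON [sys].' + QUOTENAME(o.name)
            + N' TO ' + QUOTENAME(r.AppRoleName) + N';' AS grant_stmt
FROM    dbo.RoleList AS r
JOIN    sys.database_principals  AS dp
        ON dp.name = r.AppRoleName AND dp.type = 'R'      -- database roles only
JOIN    sys.database_permissions AS pub
        ON pub.grantee_principal_id = DATABASE_PRINCIPAL_ID(N'public')
JOIN    sys.all_objects          AS o
        ON o.object_id = pub.major_id
WHERE   pub.class = 1 AND pub.minor_id = 0
  AND   pub.permission_name = N'SELECT'
  AND   pub.state IN ('G', 'W')           -- GRANT or GRANT WITH GRANT OPTION
  AND   o.schema_id = SCHEMA_ID(N'sys')
  AND   NOT EXISTS (SELECT 1
                    FROM   sys.database_permissions AS x
                    WHERE  x.grantee_principal_id = dp.principal_id
                      AND  x.class = 1 AND x.minor_id = 0
                      AND  x.major_id = pub.major_id
                      AND  x.permission_name = N'SELECT'
                      AND  x.state IN ('G', 'W'))
ORDER BY r.AppRoleName, o.name;
```

The second query only produces the statements as text, so the list can be reviewed before any of it is executed.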

  • Select permissions for different schemas

    I am trying to create an application that is tied to a schema (ISR_CAT) with full permissions in another schema (ISR). When I try to run a query from ISR_CAT that selects tables in ISR, I get a "Table or View not found" error. The query works fine if I run it from ISR.
    The permissions are all correct, and the query works if I run it in Toad, so it must be something with HTML DB.
    Does anyone have some ideas of what could be wrong?
    Thanks,
    Scott

    Scott,
    Make sure that the object permissions are granted directly to ISR_CAT and not through a role. Roles are not enabled within stored procedures which is the context in which everything in HTML DB happens.
    Scott
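A way to confirm the cause described in the answer above, as an added example that is not from the thread: part 1 reproduces in SQL*Plus or Toad what stored PL/SQL sees, and part 2 lists the privileges ISR_CAT holds only through roles. ISR and ISR_CAT are the schemas from the question; isr.orders is a hypothetical table name, and part 2 assumes access to the DBA_* dictionary views.

```sql
-- Added example. ISR and ISR_CAT come from the thread;
-- isr.orders is a hypothetical table name.

-- 1. Connected as ISR_CAT in SQL*Plus or Toad: disable the session's roles
--    and repeat the query. Name resolution now uses only direct grants, which
--    is all that definer's-rights PL/SQL (and therefore HTML DB) has to work with.
--    If the query worked before SET ROLE NONE and fails after it, the privilege
--    comes from a role.
SET ROLE NONE;
SELECT COUNT(*) FROM isr.orders;
SET ROLE ALL;   -- re-enable the session's roles (roles without passwords)

-- 2. Connected as a DBA: object privileges on ISR objects that ISR_CAT
--    reaches only through a role (including roles granted to roles), with
--    the direct grant that would replace each one.
SELECT  tp.table_name,
        tp.privilege,
        tp.grantee AS via_role,
        'GRANT ' || tp.privilege || ' ON "' || tp.owner || '"."' || tp.table_name
            || '" TO "ISR_CAT";' AS direct_grant
FROM    dba_tab_privs tp
WHERE   tp.owner = 'ISR'
AND     tp.grantee IN (SELECT granted_role
                       FROM   dba_role_privs
                       START WITH grantee = 'ISR_CAT'
                       CONNECT BY PRIOR granted_role = grantee)
AND     NOT EXISTS (SELECT 1
                    FROM   dba_tab_privs d
                    WHERE  d.grantee IN ('ISR_CAT', 'PUBLIC')
                    AND    d.owner      = tp.owner
                    AND    d.table_name = tp.table_name
                    AND    d.privilege  = tp.privilege)
ORDER BY tp.table_name, tp.privilege;
```

Part 2 covers object privileges only; a system privilege such as SELECT ANY TABLE held through a role would have to be checked separately in DBA_SYS_PRIVS.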

  • Permissions issue - schema assignment?

    Hi,
    Running application express 2, Oracle 9i (I know!)
    I'm looking into using apex as an alternative to crystal reports for some of our staff, they only use crystal to generate xls documents so apex should work fine for them. However I'm running into a permissions issue, most likely due to my lack of understanding of how workspaces and schemas really work together.
    We have some internal tools written in APEX which I don't want these new developers to be able to mess with, so I've created a new workspace called "crystal", I've also created a schema "crystal_apex" which has been assigned to the crystal workspace. This schema/user has been granted select access on the various tables it needs to access in other tables via a role, "crystal_role" (this is pre-existing and gets granted to anyone who needs to log in via crystal).
    So, if I log into sqlplus as crystal_apex, I can happily run queries against the tables this user has access to via the role, however, access via the SQL Commands tool, any sql run against tables not in the crystal_apex schema fails. Even if I add another schema to the workspace, I can only query against that schema by changing the "schema" dropdown in the SQL Commands tool. If I do switch to using the other schema, the workspace now has full access to that schema, something I do not want, the crystal users have a very restricted level of access.
    Is it possible to query/create reports against schemas other than the one apex is connected as? If not, how can you do any cross schema queries (something very common in our database). I'm sure I have done this before in our other workspace, however I cannot recall how I set it up.
    It seems if I grant the rights directly to the schema (apex_crystal) rather than via a Role, then the permissions work fine, however only the schemas explicitly granted in apex show up in the query builder/object browser. Is there any way around this, or is this different in newer versions of apex?
    Any help in the right direction would be greatly appreciated.
    Edited by: nib000 on Aug 12, 2009 2:49 PM
    Edited by: nib000 on Aug 12, 2009 2:56 PM

    Hi,
    Since this is a somewhat related topic I am cross posting from another thread.
    I have successfully made a policy using dbms_fga, however am having trouble viewing the audit view based on dba_fga_audit_trail. I had the dba create a view based on the dba_fga_audit_trail limited to my schema--call it 'my_audit_view'. So she granted all on 'my_audit_view' to 'my_schema'. She also did same grants to my userid in Apex. I still cannot see the view in the Workspace -- 'table or view does not exist'. What does she need to do to make this audit view available to an apex user in this workspace? Does the grant actually have to be done to apex_public_user (hope not)?? It is interesting that I was able to create the policy from the Apex workspace SQL Worksheet:
    begin
      dbms_fga.add_policy(
        object_schema   => 'my_schema',
        object_name     => 'my_table',
        policy_name     => 'my_table_audit',
        audit_condition => null,
        statement_types => 'insert, update,delete');
    end;
    And she showed me that the view does exist and shows the inserts, updates I performed subsequent to the execution of the above, but I cannot run the view myself at this point within my Apex workspace -- which has only 1 schema -- 'my_schema'
    Secondly, assuming I get beyond this issue of being able to see the view as a developer, if I want to create a report based on 'my_audit_view' in an application that an 'admin' type user can run on a page in an application (assuming the authorization is set up for the page), is there some other security step that has to be done to make audit view available to the application report??
    Thanks,
    Pat
