Trying to auto generate roles and privileges

Greetings All,
Oracle Enterprise 11g v11.2.0.1.0 on Windows Server 2008
I have a database with many schemas. One of the schemas is referred to as the CM_MASTER schema in that it has been granted the following: dba, create user, drop user, alter user, create any table, select any table, and a few others, all with the “with admin option” clause.
We have developers that need select-only access to the tables and views of the non-master schemas. My plan was to create a unique ROLE for each schema, then grant select on each table and view in that schema to that unique role, then grant the appropriate role(s) to each developer, hence giving them read-only access.
I can accomplish the above manually while logged on as the CM_MASTER schema.
I am trying to create a procedure owned and executed only by the CM_MASTER schema that creates a new role and then grants to that role. The procedure accepts a parameter containing the user name of the target schema. The procedure is able to create the role (create role scott_r) successfully.
However, I am getting an insufficient privileges error (see below) after the role has been created, when trying to issue the “grant select on scott.some_table to scott_r” command via "execute immediate".
Any ideas what privilege(s) the CM_MASTER user needs in order to be able to issue the grant(s) to the role?
Error message below:
exec gen_schema_role('scott');
Error report:
ORA-01031: insufficient privileges
ORA-06512: at "CM_MASTER.GEN_SCHEMA_ROLE", line 30
ORA-06512: at line 1
01031. 00000 - "insufficient privileges"
The procedure code is below:
The utl_file.put_line commands were added for debugging but nothing gets output.
When the "execute immediate" lines are commented out, the output from the utl_file.put_line commands displays the correct SQL create and grant statements.
create or replace
procedure gen_schema_role(p_db_user in varchar)
as
  v_role_name varchar2(30);
  v_bat_out   utl_file.file_type;
  cursor get_object_names is
    select object_name from dba_objects
     where owner = upper(p_db_user)
       and object_type in ('TABLE','VIEW')
       and status = 'VALID'
       and object_name not like 'DR$%'
       and object_name not like 'XT%';
begin
  v_bat_out := utl_file.fopen('SR_BACKUP', 'Create_Roles.sql', 'W');
  v_role_name := substr(p_db_user,1,28) || '_r';
  utl_file.put_line(v_bat_out, ' ');
  utl_file.put_line(v_bat_out, 'create role '||v_role_name);
  execute immediate 'create role '||v_role_name; -- This seems to work, the role gets created
  for a in get_object_names
  loop
    utl_file.put_line(v_bat_out,' grant select on ' || p_db_user || '.' || a.object_name || ' to ' || v_role_name);
    execute immediate 'grant select on ' || p_db_user || '.' || a.object_name || ' to ' || v_role_name;
  end loop;
  utl_file.fclose(v_bat_out);
end gen_schema_role;
Thanks,
Snyds

sb92075,
I just tried, and YES the SQL is able to apply the "grant select" statements to the newly created role.
I wanted to call this new procedure from the procedure that creates a new user by scheduling a job to perform an IMPDP job to import a base schema (using the remap schema clause).
Any suggestions how to automate generating this role?
Thanks,
Snyds
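A cause of ORA-01031 that fits these symptoms: inside a definer's-rights stored procedure Oracle disables roles, so a privilege the owner holds only through the DBA role (GRANT ANY OBJECT PRIVILEGE, for instance) is not available to EXECUTE IMMEDIATE, while the same GRANT succeeds at the prompt where the role is enabled. The rewrite below is an added example, not the poster's procedure or an answer from this thread. It assumes that CM_MASTER holds CREATE ROLE, GRANT ANY OBJECT PRIVILEGE and dictionary read access as direct grants, and it runs the schema name through DBMS_ASSERT so the parameter value cannot change the shape of the dynamic SQL.

```sql
-- Added example, not the poster's procedure. One-time setup, run as SYS:
-- the owner needs these as DIRECT grants, because roles (DBA included) are
-- disabled inside a definer's-rights PL/SQL unit such as this procedure.
--   grant create role, grant any object privilege, select any dictionary to cm_master;

create or replace procedure gen_schema_role (p_db_user in varchar2)
authid definer
as
  -- DBMS_ASSERT.SCHEMA_NAME raises ORA-44001 unless the value is an existing
  -- schema, so the parameter cannot smuggle extra SQL into the statements below
  v_owner     varchar2(30) := dbms_assert.schema_name(upper(p_db_user));
  v_role_name varchar2(30) := substr(v_owner, 1, 28) || '_R';
  v_exists    pls_integer;
begin
  -- idempotent: reuse the role if an earlier run already created it
  select count(*) into v_exists from dba_roles where role = v_role_name;
  if v_exists = 0 then
    execute immediate 'create role ' || dbms_assert.enquote_name(v_role_name, false);
  end if;

  -- same object selection as the original; every identifier is double-quoted
  -- by ENQUOTE_NAME, which also rejects names containing embedded quotes
  for a in (select object_name
              from dba_objects
             where owner = v_owner
               and object_type in ('TABLE', 'VIEW')
               and status = 'VALID'
               and object_name not like 'DR$%'
               and object_name not like 'XT%')
  loop
    execute immediate 'grant select on '
      || dbms_assert.enquote_name(v_owner, false) || '.'
      || dbms_assert.enquote_name(a.object_name, false)
      || ' to ' || dbms_assert.enquote_name(v_role_name, false);
  end loop;
end gen_schema_role;
/

-- usage, as CM_MASTER:
--   exec gen_schema_role('scott');
--   grant scott_r to some_developer;   -- developer account name assumed
```

Two side notes. The debugging file stayed empty because UTL_FILE buffers writes and the unhandled ORA-01031 skipped the FCLOSE that would have flushed them; a version that keeps the file output should close the handle in an exception handler and re-raise. And a scheduler job that calls this procedure (the automation asked about in the follow-up) still executes it as a definer's-rights unit, so the direct grants are needed for that path as well.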

Similar Messages

  • Error in reconciliation Function - Job "Reconcile roles and privileges"

    SAP NW 7.0 SP2 Patch 3
    Roles contain Privileges
    Help file says: "If you are using roles and privileges, you will need to perform a reconciliation of the roles/privileges assigned to the users in the identity store after the roles are modified. "
    Job imported as described.
    When I let the job run on the ID-Store, for each entry, the following error message occurs:
    runFunctionsInString($FUNCTION.reconcile( MSKEY )$$) got exception
    org.mozilla.javascript.NotAFunctionException: reconcile( MSKEY )
    ...where MSKEY is, of course, the MSKEY of the entry.
    If I run the job with the Windows dispatcher and as a VB script, it produces no error; however, in the output file there are a lot of messages like
    "!ERROR: Invalid use of Null"
    Only some entries (of type MX_PERSON) show the "Priviliege added: (...)" output. But the job does not add the privileges assigned to the role, as it should.
    So I would suggest that one redefines the SQL query of the job so that it runs only on MX_PERSONs. But then, still, in my case, it does nothing.
    Has anyone had better experiences with the job?
    Edited by: Thomas P. Felder on Sep 25, 2008 10:32 AM

    The job, when imported, by default uses the Java runtime engine, but the script is written in VBScript syntax, so you have to change the engine or the script syntax.
    When you did your select statement, did you use SELECT DISTINCT? That will also cause errors. I do not narrow the entry type to MX_PERSON.
    I'm installing the patch now;  I will see if I get any errors.

  • Export and Import of Roles and Privileges

    Hi,
    We're nearing the end of our development phase and are now preparing for initial load in our QA / Test environment.
    Is there a way to export the Roles and Privilege metadata from one environment and import it into the other? The Staging guide states you need to create them before importing your Identity Stores. I was hoping we didn't need to do this, as it's a time-consuming task to create them manually.
    Thanks
    Paul

    What I've seen is the Business Role Export / Import functionality. It is pretty straightforward to do: just export the Business Roles in a job (limit what to export in the source SQL) to a CSV file, then read it back in to the other environment in a similar job.
    When we were exporting the Business Roles we exported the privilege references as MSKEYVALUEs, not MSKEYs. Note how you have named your repositories in the different environments (as you know, the name of the MX_PRIVILEGE differs if your ERP repository in development is e.g. ERP100 and in Q/A ERP200); you may need to convert the privilege names accordingly on export or import.
    One more thing you need to keep in mind is to pay attention to whether your data has CR+LFs, which will break the CSV; we tackled this by encrypting/decrypting the data that had line feeds (DESCRIPTION attribute).

  • Role and privilege used by JDBC

    Is there any required role and privilege used by JDBC?
    I use Oracle JDBC 9203 to connect to Oracle 8163; when executing certain code, the JDBC driver raises an exception as below:
         at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:134)
         at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:179)
         at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:269)
         at oracle.jdbc.oracore.OracleTypeCOLLECTION.initCollElemTypeName(OracleTypeCOLLECTION.java:1026)
         at oracle.jdbc.oracore.OracleTypeCOLLECTION.getAttributeType(OracleTypeCOLLECTION.java:1056)
         at oracle.jdbc.oracore.OracleNamedType.getFullName(OracleNamedType.java:110)
         at oracle.jdbc.oracore.OracleTypeADT.createStructDescriptor(OracleTypeADT.java:2262)
         at oracle.jdbc.oracore.OracleTypeADT.unpickle81(OracleTypeADT.java:1656)
         at oracle.jdbc.oracore.OracleTypeUPT.unpickle81UPT(OracleTypeUPT.java:466)
         at oracle.jdbc.oracore.OracleTypeUPT.unpickle81rec(OracleTypeUPT.java:416)
         at oracle.jdbc.oracore.OracleTypeCOLLECTION.unpickle81_imgBody_elems(OracleTypeCOLLECTION.java:979)
         at oracle.jdbc.oracore.OracleTypeCOLLECTION.unpickle81_imgBody(OracleTypeCOLLECTION.java:923)
         at oracle.jdbc.oracore.OracleTypeCOLLECTION.unpickle81(OracleTypeCOLLECTION.java:743)
         at oracle.jdbc.oracore.OracleTypeCOLLECTION._unlinearize(OracleTypeCOLLECTION.java:242)
         at oracle.jdbc.oracore.OracleTypeCOLLECTION.unlinearize(OracleTypeCOLLECTION.java:208)
         at oracle.sql.ArrayDescriptor.toJavaArray(ArrayDescriptor.java:963)
    I decompiled "OracleTypeCOLLECTION.class"; in function "initCollElemTypeName" I see a SQL statement like "select elem_type_name, elem_type_owner from all_coll_types where ....", and this SQL raises the error.
    Since all_coll_types is a system view of Oracle, I think the user connecting to Oracle must have some role and privilege. It has the CONNECT role and execute privileges on some user-defined packages; is there any other role or privilege it needs? I don't like to grant the DBA role to it for security reasons.
    Many thanks for your reply.

    Can you post the code (Java and PL/SQL) that is being executed when this error is thrown? You don't need any particular privilege to execute PL/SQL via JDBC, just the privileges you'd need to execute it in SQL*Plus or anywhere else.
    Justin
    Distributed Database Consulting, Inc.
    www.ddbcinc.com/askDDBC

  • Create new user same as a existing roles and Privileges

    Hi Team,
    I am a junior DBA. A new user joined the application team, so the client requested me to
    create a new user with the same privileges as an existing user.
    As of now I am creating users like "create user username identified by password", then granting privileges to that user. Earlier I never compared or copied users.
    Please can anyone suggest how to create a new user with the same roles and privileges as an existing user.
    Thanks,
    Venkat

    For basic cloning:
    SELECT DBMS_METADATA.GET_DDL('USER', '...') FROM DUAL;
    SELECT DBMS_METADATA.GET_GRANTED_DDL('ROLE_GRANT', '...') FROM DUAL;
    SELECT DBMS_METADATA.GET_GRANTED_DDL('SYSTEM_GRANT', '...') FROM DUAL;
    SELECT DBMS_METADATA.GET_GRANTED_DDL('OBJECT_GRANT', '...') FROM DUAL;
    SELECT DBMS_METADATA.GET_GRANTED_DDL('TABLESPACE_QUOTA', '...') FROM DUAL;
    Then just replace the username with the new one you want to create.

  • Role and Privileges for OLAP metadata

    Hi,
    Is there any document which specifies all the roles and privileges that are required for creating any OLAP metadata (Dimension, Cube, Measure, Catalog etc.)?
    I think these are the important roles:
    SELECT_CATALOG_ROLE
    EXECUTE_CATALOG_ROLE
    DELETE_CATALOG_ROLE
    RECOVERY_CATALOG_OWNER
    OLAP_DBA
    OLAP_USER
    Through system/manager I created one user TEST_BI_OLAP and granted CONNECT.
    After logging in as TEST_BI_OLAP I am able to create a dimension. Why is it possible, whereas the doc says the user should have the OLAP_USER or OLAP_DBA role associated with it?
    Or is only CONNECT sufficient for creating OLAP metadata?!
    regds
    P

    The difference is in what the end user sees. Say you want to deploy an analytical workspace based off of a ROLAP dimensional cube. Here is how I've been approaching the problem:
    1. Create a new user with the OLAP_USER role to hold the AW (say "AW_USER")
    2. Now log in with a userid that has OLAP_DBA role, and create the AW utilizing the ROLAP cube - but direct the AW to be stored in the AW_USER schema. Note that because it is in a separate schema from the ROLAP cube, you will not need to append characters to the dimension or measure names.
    3. Have end users log in using the AW_USER name. Then they will see the AW information, but they will not have access to the ROLAP cube data.
    Hope this helps,
    Scott

  • Roles and Privileges for 10g AWR and ASH reports

    Are there specific roles and privileges required for one to run AWR and ASH reports for users who don't have DBA roles? If so, I would like to know about them.

    I think the SYSDBA privilege is needed to run an AWR report.
    Also check how privileges are granted to the PERFSTAT user in $ORACLE_HOME/rdbms/admin/spcuser.sql; you might get some clue!!!
    Cheer,
    Virag

  • Mapping a user's role and privilege to another

    Hi all,
    Is there a command/way to map the roles and privileges of a current user to a new user? I am new to Oracle; I did read through the online docs but was not able to figure it out.
    Thank you very much!

    Checking this link should help; see the part where they copy roles and grants for users using dbms_metadata. You can limit this to the one user you want by adding an additional where clause like "where username = <username>".
    Copying Oracle Users
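The DBMS_METADATA approach from the "Create new user same as a existing roles and Privileges" answer above and from this reply, carried through as an added example (not code from either post). SCOTT and SCOTT_COPY are placeholder names for the source and target user, and the session is assumed to be able to read the data dictionary. It rewrites the quoted user name in the generated DDL and skips grant types the source user does not have, which GET_GRANTED_DDL reports as ORA-31608 rather than as empty output.

```sql
-- Added example, not from any post in this thread: emit DDL that recreates
-- user SCOTT's account and grants under the new name SCOTT_COPY (both names
-- are placeholders). Run in SQL*Plus or SQL Developer as a user that can read
-- the data dictionary (e.g. SELECT_CATALOG_ROLE).
set serveroutput on size unlimited
set long 1000000

declare
  c_source constant varchar2(30) := 'SCOTT';       -- existing user (assumed)
  c_target constant varchar2(30) := 'SCOTT_COPY';  -- user to be created (assumed)

  type t_types is table of varchar2(30);
  c_grant_types constant t_types :=
    t_types('ROLE_GRANT', 'SYSTEM_GRANT', 'OBJECT_GRANT', 'TABLESPACE_QUOTA');

  -- GET_GRANTED_DDL raises ORA-31608 when the user has no grants of a type
  e_not_found exception;
  pragma exception_init(e_not_found, -31608);

  -- swap the double-quoted source name for the target name
  function retarget(p_ddl in clob) return clob is
  begin
    return replace(p_ddl, '"' || c_source || '"', '"' || c_target || '"');
  end;

  -- DBMS_OUTPUT.PUT_LINE accepts at most 32767 bytes; print the CLOB in pieces
  procedure emit(p_ddl in clob) is
    v_pos pls_integer := 1;
    v_len pls_integer := dbms_lob.getlength(p_ddl);
  begin
    while v_pos <= v_len loop
      dbms_output.put_line(dbms_lob.substr(p_ddl, 4000, v_pos));
      v_pos := v_pos + 4000;
    end loop;
  end;
begin
  -- terminate each statement with ';' so the output is re-runnable as a script
  dbms_metadata.set_transform_param(dbms_metadata.session_transform, 'SQLTERMINATOR', true);
  dbms_metadata.set_transform_param(dbms_metadata.session_transform, 'PRETTY', true);

  -- CREATE USER ... (includes IDENTIFIED BY VALUES '<hash>' copied from the source)
  emit(retarget(dbms_metadata.get_ddl('USER', c_source)));

  for i in 1 .. c_grant_types.count loop
    begin
      emit(retarget(dbms_metadata.get_granted_ddl(c_grant_types(i), c_source)));
    exception
      when e_not_found then
        dbms_output.put_line('-- no ' || c_grant_types(i) || ' for ' || c_source);
    end;
  end loop;
end;
/
```

Review the script before running it rather than feeding it straight into EXECUTE IMMEDIATE, and note that GET_DDL('USER') emits the source account's password hash in the IDENTIFIED BY VALUES clause, so the cloned account should get its own password before it is handed over.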

  • Auto generated types and ps1xml formatting files

    Hello,
    I'm using New-WebServiceProxy to work with a web service... when I call methods of the web service, PowerShell auto-generates types, for example things like "Microsoft.PowerShell.Commands.NewWebserviceProxy.AutogeneratedTypes.WebServiceProxy1_webservices_awebservicepage_asmx.TheMethodReturnObjectType".
    1. Should I just use that type name in my ps1xml formatting file? I'm wondering if that will be fragile... 'webServiceProxy1', for example, seems fragile; what if there is some scenario where it uses '2'? Not sure if I can count on that being consistent.
    2. I started creating custom objects and adding my own type name to them so that type name could be used in the ps1xml file. This works fine. However, so far it was for web service methods that returned single-instance results... now I've hit a point where I'm calling a web service method that will return a collection, so I'm wondering if it would be better to just use the auto-generated type name in the ps1xml or, as I would need to do in this case, actually enter a foreach loop to create a new custom object for every object in the returned collection. In other words, for the web service methods I've used so far, I simply created my custom object and Write-Output'ed it... for the case of the collection, I would be New-Object'ing and Write-Output'ing within that foreach loop... wondering about performance issues, or if it's just overkill when I could just put that auto-generated type name in the ps1xml file and be done with it...
    Not sure if I've asked that very clearly...
    Essentially, I'm wondering if it's overkill (from a resource usage perspective) to be creating these custom objects in the case where there will be a collection, with potentially hundreds of items, when the only reason I'm doing it is for display purposes...
    If it were not an auto-generated type I would simply use the type name in the ps1xml; I'm just not sure if I can do that in this case, as I don't know if that type name will *always* be the same.
    Any input would be appreciated, thanks

    Hi DJC,
    I haven't experienced this; however, to create a .ps1xml file, these examples may be helpful for you:
    Creating a module for powershell with a format file
    discutils / utils / DiscUtils.PowerShell / DiscUtils.Format.ps1xml
    about_Format.ps1xml
    I hope this helps.

  • Util to auto-generate getters and setters...

    Does anyone know of a utility that automatically generates getters and setters from a list of variable names?
    Might stop me getting RSI!

    >> i gave up on gets/sets about 2 weeks after my lecturer introduced them to us :/
    > Giving up on gets/sets is a mistake... take it from an EXPERIENCED programmer.
    you assume 2 much. Uni was a long time ago 4 me.

    >> if a var can be modified, then make it public. Though adding a get/set method does provide encapsulation, it also requires more typing, bloats code and is also a fraction slower.
    > Adding get/set methods provide more than just the encapsulation. It provides you easier debug, not to mention an easier way to read the code.
    Encapsulation encapsulates the idea of ezier debuggin :]
    gets/sets do not automatically give you code readability, and badly named gets/sets can detract from readability.

    >> Sometimes gets/sets serve a purpose, but most of the time they're just a waste of time.
    > If you think set/get is a waste of time your attitude will get you into trouble. Consider code with a full set of public variables in a 'complex' system (well, let's just say 1500 classes).
    ok, you've applied my philosophy to your field, now let me apply yours to mine.
    I write games for Java enabled mobile phones (J2ME MIDP1.0); on this platform code size (and memory usage) is a SERIOUS concern.
    FYI, the Nokia 6310i mobile phone has approx. 140k of heap, and a jar size limit of 30k.
    EVERY line of code has to be optimal, in both space and time.
    The cost of gets/sets, inheritance, interfaces and all the other wonderful OO design features of Java are serious performance inhibitors, and consequently are used only when absolutely necessary.

    > During development a bug is discovered and you realize that the bug is due to a change in a specific variable. How do you, quickly and simply, find out what classes are changing the variable? It could be anywhere; but by having a get and set method for that variable you could add simple code like "new Exception().printStackTrace();" into the set method and get a trace when the bug happens. This way you would know within seconds what object is changing the variable, making the debugging easy.
    don't write buggy code ;] (that was a j/k btw)
    btw, im curious how exactly do u realise that the bug is related to a specific variable? gets/sets help debugging, but they are not the magic bullet of debugging techniques.

    > What if you would like to override a class and do something before or after a variable is manipulated? This would be impossible if all variables are public. You will lose all control of your code.
    you are still arguing a different point to me - the abstraction of gets/sets does serve a purpose, however they also impose a cost.

    > There are many more reasons for adding the get/set methods but it will take me all day to write them all here.
    > I say: "have all variables protected, GET OFF YOUR ASS, and add the 200 lines of code" if not for you then for the one that later will be using or fixing the code.
    >> It's quite funny watching a newbie programmer start writing a class, they identify the class's required attributes, then write 200 lines of gets and sets before they even consider tackling the 'hard' bit[s] of the class :]
    > What do you think of code guidelines that are forced by most software companies? This is more important than most NEWBIES think; wait a few years and you will get the point..
    my point here, is that training programmers to follow guidelines before you have taught them the fundamentals of problem solving is futile.

    > What about comments? Do you find them funny and useless? hope you don't...for your sake.
    no, all good code should be commented. But I have to admit, I don't waste time commenting code as I write it, I find it slows down my coding. However I will always go back and comment any code if it is to be used by some1 else.

    > Thinking it funny that people take the time and effort to make their code more readable, understandable, accessible, flexible and over all more pretty makes you the newbie.
    hmm, unprovoked flaming - now who's the newbie :/

    > It scares me to think that the new breed of programmers will think it funny to write GOOD code.
    > bopen, bwise, bbetter...
    What frustrates me, is why good design always means slower performance.
    It shouldn't, and until Java progresses to the point where the runtime cost of good design is not significant, I will still regard Java as a primitive language.

  • DFD diagram and ER crossmatrix for role definitions and role's privileges on objects

    Hello,
    I have a question on the derivative use of a combination of DFDs and ER diagrams (let us narrow down and focus on the Relational model).
    In a DFD there are defined external entities and functions, data flows and data stores that form processes.
    Functions represent procedures, transactions, transformations.
    Data flows represent procedure parameters, intermediate reports, temporary table data, data that is passed, retrieved/written, signals, triggers/events that control or trigger a function...
    The context of my question is focused on external entities.
    An external entity is supposed to denote the source or destination system (for example an Archiving system) or operator, a system that is out of scope of the DFD and is mentioned just as target or destination or source of a data flow or control flow.
    In the context of this understanding I am also using external entities for the types of users of the system: staff that trigger functions, or schedulers or job managers, or reporting systems (or components of reporting systems, like for example business intelligence extraction processes).
    My problem is that, on the basis of the external entity definitions and the E/R model, I also define roles and privilege classes for access to data objects,
    and from those generate DDLs for database roles and privileges on entities to those roles.
    But in granting privileges to a role I have two different kinds of privileges on data objects:
    - privileges that are granted on various schema objects
       For example role1 has grants on tab1, view2, procedure1, package3,
    - the other type of privilege is based on the scope or range of a semantically defined scope or semantic area.
    The semantic area is scattered through tables because of normalisation, and the semantic area is used as an entity whose primary key is
    partitioning the table data through many semantic areas.
    So this privilege should be granted on the basis of the rows in a table, not columns (more semantically than structurally... row oriented more than column).
    Both privileges that are granted to roles are also the basis for functional roles
    (a privilege that is granted so that the functional role has the grant to trigger or execute some function or process).
    My question is:
    How do you handle modeling technology for analysis and design of role privileges and consolidation between database and functional roles?
    Grateful for any idea, experience and suggestions.

    Hello,
    Guess I was looking for the formal sequence of steps that would bring me to the
    ddls for "create role ..." and "grant privileges to role".
    You can do that.
    1) I assume you have logical model and it's engineered to relational model, also you have data flow diagram created
    2) You need to define information structures for flows connecting "Information store" to primitive process - attribute usage of particular entities should be defined for those "information structures" processed in flows
    3) You need to define create, update and delete operation for flow going from primitive process to store - read is assumed in opposite direction
    4) create a role in Process model and assign primitive processes to it - list of available processes to add depends on current data flow diagram
    5) You need an open physical model for your relational model
    6) Select "transfer process model roles to physical model roles" from context menu of top level DFD - select roles, relational and physical model there - roles with related permissions will be created in physical model
    Entity1 is divided in several subtypes for different business areas.
    And account manager for business_area1 is allowed to work on subtype1 ( view on prime table )...
    Different implementation of entity hierarchies are not processed correctly in that wizard - i.e to get permissions to table corresponding to child entity - that entity should be used in information structure and flow.
    Philip

  • Sql to show all roles object privileges owned by a specific schema

    maybe this is simple but I'm just not getting it...
    I need SQL to show me all of the distinct roles that have privileges granted against objects in a specific schema.
    thanks in advance.

    Feel free to modify the script to reduce the rows to only what you need.
    In terms of Oracle users, roles and privileges, it is just that complicated. Internally, a user and role exist in the same structure (user$). And privileges can be granted to users or roles. Roles can be granted to users and other roles. This means that a privilege (object or system) may have been granted to a user multiple times. USER1 can have 'SELECT' on 'TABLEA' that has been granted directly or via ROLE1, ROLE2 and ROLE3 (since ROLE1 is granted to ROLE3).

  • Roles and Security

    I have setup a 11g Oracle database.
    Can I please have some help to create some user accounts (3 levels, eg. Administrator, Power User, and Guest style users) as well as setting up appropriate levels of security implemented via ROLES and PRIVILEGES for Roles.
    Thanks in advance

    996403 wrote:
    I am wanting the Administrator to have control over everything, the Power User to be a user who also has the ability to create tables, triggers etc., and the Guest to just be able to view data in the database without changing anything.
    Can you correct me if I am wrong with the following suitable roles for the users:
    Administrator
    - All roles
    Power User
    - Connect
    - Resource
    Guest
    - Connect

    You have to get out of this Administrator/Power User/Guest Windows security group paradigm. Windows security groups cannot be directly correlated to Oracle security groups, and that is why you are having so much trouble doing so. I recommend that you:
    -stop comparing Oracle to Windows
    -learn what security rights your database users need
    -fully understand the predefined roles, and then assign users to those roles only if they require every right that those roles grant
    -create your own application roles for any users that have requirements that do not align exactly with the predefined groups
    We are only encouraging you to do things in a manner that follows best practices, and doing so will keep your headaches to a minimum later on down the road.
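The reply's advice, building application roles from the rights users actually need instead of handing out CONNECT, RESOURCE and DBA, written out as an added example (not code from the thread). The APP schema, its ORDERS and CUSTOMERS tables, the USERS tablespace and the accounts GUEST1, DEV1 and ADMIN1 are placeholders that are assumed to exist already.

```sql
-- Added example, not from the thread. Placeholders: schema APP with tables
-- ORDERS and CUSTOMERS; users GUEST1, DEV1 and ADMIN1 already exist.

-- What the question proposed, and why it over-grants:
--   grant connect, resource to dev1;   -- on 11g RESOURCE also grants UNLIMITED TABLESPACE
--   grant dba to admin1;               -- every system privilege in the database

-- Guest: log in and read the application's tables, nothing else
create role app_readonly;
grant create session to app_readonly;
grant select on app.orders    to app_readonly;
grant select on app.customers to app_readonly;

-- Power user: inherits read-only, may change data and create objects in own schema
create role app_developer;
grant app_readonly to app_developer;
grant insert, update, delete on app.orders    to app_developer;
grant insert, update, delete on app.customers to app_developer;
grant create table, create view, create sequence,
      create procedure, create trigger to app_developer;

-- Administrator: account and role management, but still not DBA.
-- Handing APP_* roles to others needs ADMIN OPTION on those roles or
-- GRANT ANY ROLE, which the admin user must hold as a direct grant.
create role app_admin;
grant app_developer to app_admin;
grant create user, alter user, drop user, create role to app_admin;

-- Assign the roles; quota is a user attribute, so set it per user instead
-- of inheriting UNLIMITED TABLESPACE from RESOURCE
grant app_readonly  to guest1;
grant app_developer to dev1;
alter user dev1 quota 100m on users;
grant app_admin     to admin1;

-- Check what each account ended up with
select grantee, granted_role
  from dba_role_privs
 where grantee in ('GUEST1', 'DEV1', 'ADMIN1')
 order by 1, 2;
```

The SELECT and DML grants are per object, so for a schema with many tables they are generated from DBA_OBJECTS the way the first thread on this page does rather than typed by hand.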

  • Roles and privileges

    hiii
    how can I know what the roles and privileges are that have been given to a user?
    say I created a user and gave him some privileges and after that I gave him certain roles; now I don't know what roles I have given to him. How can I get to know about this?
    thks

    One way:
    You can connect as that user, and then query SESSION_ROLES and SESSION_PRIVS (or let him/her query them, if you cannot connect as that user).
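The two questions above (which roles hold object privileges on a schema, and which roles and privileges a given user has) answered with dictionary queries, as an added example that is not code from either thread. The bind variables :owner and :username are placeholders and the session must be able to read the DBA_* views. It goes a step beyond the posts by following role-to-role grants with a recursive WITH clause, which Oracle supports from 11.2.

```sql
-- Added example, not from the thread. Bind variables are placeholders;
-- run as a user that can read DBA_* views.
variable owner    varchar2(30)
variable username varchar2(30)
exec :owner := 'SCOTT'; :username := 'DEV1';

-- 1) Distinct roles that hold any object privilege on objects of one schema
select distinct p.grantee as role_name
  from dba_tab_privs p
  join dba_roles     r on r.role = p.grantee   -- drop grantees that are users
 where p.owner = :owner
 order by 1;

-- 2) Every role a user holds, directly or via other roles, with the grant path.
--    The anchor member is cast wide because the recursive member's column
--    type is taken from it; role grants cannot form cycles (ORA-01934),
--    so no CYCLE clause is needed.
with role_tree (granted_role, lvl, path) as (
  select granted_role, 1, cast(granted_role as varchar2(4000))
    from dba_role_privs
   where grantee = :username
  union all
  select rp.granted_role, rt.lvl + 1, rt.path || ' -> ' || rp.granted_role
    from dba_role_privs rp
    join role_tree rt on rp.grantee = rt.granted_role
)
select granted_role, lvl, path
  from role_tree
 order by lvl, path;

-- 3) Effective object privileges of that user on the schema, showing whether
--    each came directly or through which chain of roles
with role_tree (granted_role, path) as (
  select granted_role, cast(granted_role as varchar2(4000))
    from dba_role_privs
   where grantee = :username
  union all
  select rp.granted_role, rt.path || ' -> ' || rp.granted_role
    from dba_role_privs rp
    join role_tree rt on rp.grantee = rt.granted_role
),
holders as (
  select :username as grantee, 'DIRECT' as via from dual
  union all
  select granted_role, path from role_tree
)
select tp.owner, tp.table_name, tp.privilege, h.via
  from dba_tab_privs tp
  join holders h on h.grantee = tp.grantee
 where tp.owner = :owner
 order by tp.table_name, tp.privilege, h.via;
```

SESSION_ROLES and SESSION_PRIVS, as suggested in the reply, show only what is enabled in the current session, so a role granted but not set as a default role does not appear there; the DBA_ROLE_PRIVS based queries above (or USER_ROLE_PRIVS and USER_TAB_PRIVS for one's own account) list every grant regardless of whether it is currently enabled.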

  • LMS 4.1 - Roles and Portlet

    Role management in LMS 4 is a nightmare.
    Is there documentation which maps the tasks to the portlets?
    For example, which tasks do I need to view the device availability portlet?

    It helped me to copy the existing system generated roles and use those as a template for my own role generation.  For example, I wanted to have a role that could view all configuration and device information for a select group of devices, but could not write any changes to the devices.  The HelpDesk role almost does this but even some of the performance reporting was unavailable to them.  The HelpDesk and Network Operator roles combined had just a bit too much authority, but I started with those two roles as a template and then removed configuration capabilities from the new role and had my own role with View only capability.  It's a bit time consuming, but much easier if you start with the roles they give you.
