VIEW AND INDIRECT PRIVILEGES BY ROLE

Good Evening,
Is there a way to avoid error message "ORA-00942 table or view does not exist" during the creation of a view on another user's table with the SELECT ANY TABLE system privilege granted through a role ?
Reading Oracle's books it seems impossible, but perhaps ...
It'll be very useful
I appreciate your help
Regards
Sergio

Is there really no other way to grant privileges indirectly to a user by using roles? Yes there is. The way you describe. I suspect you missed out a bit of the process. You didn't make the role one of the user's default roles, so it was not enabled when they logged on. You may find reading the documentation helps you to understand how to manage security through roles.
Your problem is not quite the same as the one described above. You simply want to grant your user SELECT on somebody's database object through a role; you can do this providing you either make the role default or get the user to enable the role when they need that access (the former is preferable unless you want to password-protect that specific role). The problem described above is wanting to build new database objects on other people's objects; this cannot be done with privileges granted through roles.
Cheers, APC
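The two cases APC separates, worked through as an added example (this is not part of the thread). The user SERGIO, the role REPORT_ROLE and the table HR.EMPLOYEES are hypothetical names; the first part runs as a DBA, the second as the user.

```sql
-- Added example, not part of the original thread. SERGIO, REPORT_ROLE and
-- HR.EMPLOYEES are hypothetical names. Run this part as a DBA.
CREATE ROLE report_role;
GRANT SELECT ANY TABLE TO report_role;          -- the system privilege from Sergio's question
GRANT CREATE SESSION, CREATE VIEW TO sergio;
GRANT report_role TO sergio;

-- A granted role is only enabled at logon if it is one of the user's default roles.
SELECT granted_role, default_role
  FROM dba_role_privs
 WHERE grantee = 'SERGIO';
ALTER USER sergio DEFAULT ROLE ALL;             -- or: DEFAULT ROLE report_role

-- Run this part as SERGIO.
SELECT role FROM session_roles;                 -- REPORT_ROLE must be listed here
SELECT COUNT(*) FROM hr.employees;              -- works: role privileges apply to session SQL

CREATE VIEW emp_v AS SELECT employee_id, last_name FROM hr.employees;
-- fails (ORA-00942 or ORA-01031, both appear in this thread depending on version):
-- when a view, procedure, package or trigger is created on another user's object,
-- privileges held only through a role are ignored, enabled or not.

-- The only fix is a direct grant to the view owner. Grant the one table that is
-- needed rather than SELECT ANY TABLE, so the direct grant stays narrow (as HR or a DBA).
GRANT SELECT ON hr.employees TO sergio;
-- Add WITH GRANT OPTION only if SERGIO must in turn grant other users access to EMP_V.
CREATE VIEW emp_v AS SELECT employee_id, last_name FROM hr.employees;
```

SESSION_ROLES is the quick check when a role-based grant "works in one session but not another": if the role is missing there, the user either was not given it as a default role or has not run SET ROLE.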

Similar Messages

  • DFD diagram and ER crossmatrix for role definitions and role's privileges on objects

    Hello,
    Having a question on the derivative use of a combination of DFDs and ER diagrams ( let us be more specific and focus on the Relational model ).
    In a DFD there are defined external entities and functions, data flows and data stores that are forming processes.
    Functions represent procedures, transactions, transformations.
    Dataflows represent procedure parameters, intermediate reports, temporary table data, data that is passed, retrieved/written, signals, triggers/events that control or trigger a function...
    The context of my question is focused on external entities.
    An external entity is supposed to denote the source or destination system ( for example an Archiving system ) or operator, a system that is out of scope of the DFD and is mentioned just as target or destination or source of a dataflow or control flow.
    In the context of these understandings I am using external entity also for types of users of the system:  staff that is triggering functions or schedulers or job managers, or reporting systems ( or components of reporting systems like for example business intelligence extraction processes ).
    My problem is that on the basis of external entity definitions and the E/R model I also define roles and privilege classes for access to data objects.
    And from those I generate DDLs for database roles and privileges on entities to those roles.
    But in privileges granting to role having two different kind of privileges on data objects:
    - privileges that are granted on various schema objects
       For example role1 has grant on tab1, view2, procedure1, package3,
    - the other type of privilege is based on the scope or range of a semantically defined scope or semantic area.
    Semantic area is scattered through tables because of normalisation and using semantic area as entity of which primary key is
    partitioning the table data through many semantic areas.
    So this privilege should be granted on basis of the rows in table not column ( more semantically then structurally ...row oriented more than column ).
    Both privileges that are granted to roles are also basis for functional roles
    ( privilege that is granted that functional role has grant to trigger or execute some function or process ).
    My question is:
    How do you handle modeling technology for analysis and design of role privileges and consolidation between database and functional roles ?
    Grateful for any idea, experience and suggestions.

    Hello,
    Guess I was looking for the formal sequence of steps that would bring me to the
    ddls for "create role ..." and "grant privileges to role".
    You can do that.
    1) I assume you have logical model and it's engineered to relational model, also you have data flow diagram created
    2) You need to define information structures for flows connecting "Information store" to primitive process - attribute usage of particular entities should be defined for those "information structures" processed in flows
    3) You need to define create, update and delete operation for flow going from primitive process to store - read is assumed in opposite direction
    4) create a role in Process model and assign primitive processes to it - list of available processes to add depends on current data flow diagram
    5) You need an open physical model for your relational model
    6) Select "transfer process model roles to physical model roles" from context menu of top level DFD - select roles, relational and physical model there - roles with related permissions will be created in physical model
    Entity1 is divided in several subtypes for different business areas.
    And account manager for business_area1 is allowed to work on subtype1 ( view on prime table )...
    Different implementation of entity hierarchies are not processed correctly in that wizard - i.e to get permissions to table corresponding to child entity - that entity should be used in information structure and flow.
    Philip

  • Impact of revoking APEX_040000 view and privileges from public ?

    Forum...
    We are in an integration scenario where we do not want to have a user connecting through SQL see the apex product database objects to which apex has granted public access show up. ( As per the "Granted Privileges" of the Apex documentation - specifically the views and tables for which public synonyms are created)
    Does anyone have an idea of what the impact of revoking these public privileges would be on apex users and applications ?
    Thanks
    Pierre

    Hi Pierre,
    I'm just curious - can you give a couple examples of objects for which you wish to revoke privileges from PUBLIC?
    Joel

  • User Roles and System Privileges????

    I need to know “MY_USER” Roles and System Privileges.
    What query do I have to execute?
    Thanks!

    Querying DBA_ROLE_PRIVS will give you the roles a user has been assigned. Querying DBA_SYS_PRIVS will give you the system privileges a user has been assigned.
    Justin
    Distributed Database Consulting, Inc.
    http://www.ddbcinc.com/askDDBC
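DBA_ROLE_PRIVS only shows one level of role grants, and a system privilege held through a role granted to another role is easy to miss. The following query is an added example, not part of Justin's answer; it assumes the user is named MY_USER as in the question and that the session can read the DBA_ views.

```sql
-- Added example, not part of the original answer. Assumes a user MY_USER and a
-- session that can read DBA_SYS_PRIVS and DBA_ROLE_PRIVS.
-- Lists every system privilege MY_USER holds, directly or through any depth of
-- nested roles, with the chain of roles it arrived through, whether the grant
-- carries ADMIN OPTION, and whether the top-level role is a default (auto-enabled) role.
SELECT 'DIRECT' AS via, privilege, admin_option, 'n/a' AS role_is_default
  FROM dba_sys_privs
 WHERE grantee = 'MY_USER'
UNION ALL
SELECT x.role_path, s.privilege, s.admin_option, x.role_is_default
  FROM (SELECT granted_role,
               SUBSTR(SYS_CONNECT_BY_PATH(granted_role, ' > '), 4) AS role_path,
               CONNECT_BY_ROOT default_role AS role_is_default
          FROM dba_role_privs
         START WITH grantee = 'MY_USER'
       CONNECT BY PRIOR granted_role = grantee) x
  JOIN dba_sys_privs s ON s.grantee = x.granted_role
 ORDER BY 2, 1;
```

Anything matching `privilege LIKE '%ANY%'` (SELECT ANY TABLE, CREATE ANY PROCEDURE, and so on) or EXEMPT ACCESS POLICY deserves a second look whichever path it arrived by: a role-based grant is fully usable for ad hoc SQL even though, as the rest of this thread shows, it cannot be used to build views or definer's rights PL/SQL.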

  • Granting privilege through role not working for PL/SQL

    Version: 11.2.0.2
    In our shop, we don't grant privileges directly to a user, we grant it to a role and grant that role to the intended grantee.
    Granting privileges through a role seems to be fine with SQL Engine. But it doesn't work from PL/SQL engine.
    In the below example GLS_DEV user is granted SELECT access on SCOTT.pets table through a role called tstrole. GLS_DEV can select this table from SQL. But PL/SQL Engine doesn't seem to know this.
    Reproducing the issue:
    SQL> show user
    USER is "SCOTT"
    SQL> select * from pets;
    NAME
    PLUTO
    SQL> conn / as sysdba
    Connected.
    SQL> create user GLS_DEV identified by test1234 default tablespace TSTDATA;
    User created.
    SQL> alter user GLS_DEV quota 25m on TSTDATA;
    User altered.
    SQL> grant create session, resource to GLS_DEV;
    Grant succeeded.
    --- Granting SELECT privilege on scott.pets to tstrole and then grant this role to GLS_DEV.
    SQL> conn / as sysdba
    Connected.
    SQL>
    SQL> create role tstrole;
    Role created.
    SQL> grant select on scott.pets to tstrole;
    Grant succeeded.
    SQL> grant tstrole to GLS_DEV;
    Grant succeeded.
    SQL> conn GLS_DEV/test1234
    Connected.
    SQL>
    SQL> select * From scott.pets;
    NAME
    PLUTO
    ---- All fine till here. From SQL engine , GLS_DEV user can SELECT scott.pets table.
    --- Now , I am going to create a PL/SQL object in GLS_DEV which tries to refer scott.pets
    SQL> show user
    USER is "GLS_DEV"
    create or replace procedure my_proc
    is
    myvariable varchar2(35);
    begin
         select name into myvariable from scott.pets ;
         dbms_output.put_line(myvariable);
    end my_proc;
    Warning: Procedure created with compilation errors.
    SQL> show errors
    Errors for PROCEDURE MY_PROC:
    LINE/COL ERROR
    6/2      PL/SQL: SQL Statement ignored
    6/41     PL/SQL: ORA-01031: insufficient privileges
    SQL>
    SQL> 6
      6*    select name into myvariable from scott.pets ;
    --- PL/SQL Engine doesn't seem to know that GLS_DEV has select privilege on scott.pets indirectly granted through a role
    --- Fix
    --- Instead of granting privilege through a role, I am granting the SELECT privilege on scott.pets to GLS_DEV directly.
    --- The error goes away, I can compile and execute the procedure !!
    SQL> conn / as sysdba
    Connected.
    SQL>
    SQL> grant select on scott.pets to GLS_DEV;
    Grant succeeded.
    SQL> conn GLS_DEV/test1234
    Connected.
    SQL>
    SQL> create or replace procedure my_proc
    is
    myvariable varchar2(35);
    begin
            select name into myvariable from scott.pets ;
            dbms_output.put_line(myvariable);
    end my_proc;
    /
    Procedure created.
    SQL> set serveroutput on
    SQL> exec my_proc;
    PLUTO
    PL/SQL procedure successfully completed.
    Has anyone encountered the same issue ?

    You really should start your own new thread for this question instead of resurrecting an old one, but to answer your question.
    There are two things going on here. First, there are a number of alter session commands that can be used by any user regardless of what privileges they are granted. Although I do not have the entire list at hand, things like nls_date_format and current_schema are available to all users, sort of like the grants to public in the data dictionary.
    Second, when you use execute immediate, the PL/SQL engine never really sees the statement, as far as the compiler is concerned it is just a string. It is only when the string is passed to the sql engine that permissions are checked, and there roles are not enabled.
    SQL> create role t_role;
    Role created.
    SQL> grant select on ops$oracle.t to t_role;
    Grant succeeded.
    SQL> create user a identified by a default tablespace users;
    User created.
    SQL> grant create session, create procedure to a;
    Grant succeeded.
    SQL> grant t_role to a;
    Grant succeeded.
    SQL> connect a/a
    Connected.
    SQL> select * from ops$oracle.t;
            ID DESCR
             1 One
             1 Un
    SQL> create function f (p_descr in varchar2) return number as
      2     l_num number;
      3  begin
      4     select id into l_num
      5     from ops$oracle.t
      6     where descr = p_descr;
      7     return l_num;
      8  end;
      9  /
    Warning: Function created with compilation errors.
    SQL> show error
    Errors for FUNCTION F:
    LINE/COL ERROR
    4/4      PL/SQL: SQL Statement ignored
    5/20     PL/SQL: ORA-00942: table or view does not exist
    SQL> create or replace function f (p_descr in varchar2) return number as
      2     l_num number;
      3  begin
      4     execute immediate 'select id from ops$oracle.t where descr = :b1'
      5                       into l_num using p_descr;
      6     return l_num;
      7  end;
      8  /
    Function created.
    SQL> select f('One') from dual;
    select f('One') from dual
    ERROR at line 1:
    ORA-00942: table or view does not exist
    ORA-06512: at "A.F", line 4
    John

  • Grant Privilege to Role instead of Direct grant doesn't work

    Hi all
    My scenario is as follows:
    create user a identified by a;
    create user b identified by b;
    grant connect,resource to a ;
    grant connect,resource to b ;
    conn a/a
    create table tbl( c1 number(10));
    conn system/sys
    create role roll;
    grant roll to b;
    conn a/a
    grant select on tbl to roll;
    conn b/b
    set role roll;
    create or replace procedure b.pr
    as
    v number(10);
    begin
    select c1 into v
    from a.tbl
    where c1=0;
    end;
    /
    show error
    Errors for PROCEDURE B.PR:
    LINE/COL ERROR
    6/1 PL/SQL: SQL Statement ignored
    7/6 PL/SQL: ORA-00942: table or view does not exist
    This happen because i granted the SELECT privilege to user b through the role ROLL but if i granted the user b the SELECT privilege directly it work properly
    Why???
    And how could I grant the privilege from within a role, Because i don't want to grant it directly
    Thank in advance
    Bassil

    There is no other way. The owner of stored code must have been directly granted all necessary (used in code) select, insert, update, or delete privileges. The code owner cannot just have the referenced privileges granted to them via a role. There is no workaround, nor should there be as this is a security feature. Just because you have been granted insert or delete to another user's tables does not mean you should be able to grant that access to some other user. This is exactly what you do when you grant execute to stored code that referenced another user's objects.
    The referenced article is by Tom Kyte and there are few people who understand how to use Oracle to better effect than Tom. The same information can be found in the official documentation and is referenced by the article.
    You can write packages that use the privileges of the executing person. Perhaps for the specific problem you are writing the code to handle this is the route you want to take. See the manuals for the details.
    Note - If user A grants insert to user B on table_a then user B can write a procedure, proc_b, and grant execute to a role and anyone with the role can perform inserts into table_a via proc_b, without having any grants on table_a. You do not need to grant privileges on the objects referenced in stored code that runs as the code owner if this is what you are worried about. The users just need execute on the package, procedure, or function that performs the DML operations in this case and they can get that from a role.
    If you still do not understand you need to state exactly what it is you either do not understand or want to know how to do.
    HTH -- Mark D Powell --
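Mark's two options (code that runs with the caller's privileges, and definer's rights code whose callers only need EXECUTE) and the EXECUTE IMMEDIATE case in John's reply further up, worked through as an added example that is not part of the thread. Users A and B, role ROLL and table A.TBL(c1) are the ones from Bassil's post; COUNT_TBL, ADD_ROW and TBL_WRITER are hypothetical names.

```sql
-- Added example, not from the original thread. A, B, ROLL and A.TBL(c1) come from
-- Bassil's post; COUNT_TBL, ADD_ROW and TBL_WRITER are hypothetical.

-- 1. Invoker's rights (AUTHID CURRENT_USER): the unit runs with the privileges and
--    enabled roles of whoever calls it. Dynamic SQL keeps the table out of compile-time
--    resolution, so B can create this while holding SELECT on A.TBL only through ROLL.
CREATE OR REPLACE FUNCTION b.count_tbl RETURN NUMBER
  AUTHID CURRENT_USER
AS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM a.tbl' INTO v_cnt;
  RETURN v_cnt;
END;
/
-- A caller with ROLL enabled (and EXECUTE on B.COUNT_TBL) gets the count; a caller
-- without ROLL gets ORA-00942 at run time. John's definer's rights function F, by
-- contrast, fails for every caller: roles are disabled inside definer's rights code.

-- 2. Definer's rights (the default, AUTHID DEFINER): the OWNER needs a direct grant,
--    but callers then need nothing on A.TBL at all, only EXECUTE, which may come from a role.
-- As A:
GRANT INSERT ON a.tbl TO b;
-- As B:
CREATE OR REPLACE PROCEDURE b.add_row (p_c1 IN NUMBER) AS
BEGIN
  INSERT INTO a.tbl (c1) VALUES (p_c1);
END;
/
-- As a DBA:
CREATE ROLE tbl_writer;
GRANT EXECUTE ON b.add_row TO tbl_writer;

-- 3. Review before handing TBL_WRITER out: every grantee reachable through it can now
--    write A.TBL with no grant on the table itself. Intermediate roles appear too.
SELECT grantee, granted_role
  FROM dba_role_privs
 START WITH granted_role = 'TBL_WRITER'
CONNECT BY PRIOR grantee = granted_role;
```

Invoker's rights cuts the other way as well: a highly privileged user who calls B.COUNT_TBL lends that unit their own privileges for the duration of the call, so the owner of an invoker's rights unit should be at least as trusted as its callers.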

  • Tracing all users and their privileges

    Hi everbody!
    I want to trace all users (online/offline) and those users' given privileges as a system DBA. Are there any data dictionary views to trace it ?
    i.e.
    we have 3 users and 3 of them have connect,resource. How can we know who have which privs ?
    I checked dba_role_privs; nothing there solves my problem.
    thanks.

    You should never assign CONNECT or RESOURCE to anyone.
    Determine what privileges each connected user requires and create a role that contains the actual privs required.
    System and Object privileges may be granted explicitly or in roles and roles can be granted to roles. Check here too:
    all_tab_privs_made
    all_tab_privs_recd
    all_col_privs_made
    all_col_privs_recd

  • How to view the privileges inside the role

    Hi,
    How can i view the definition of a role on sqlplus screen
    Thanks
    Bcj

    Want to try something neat -- at least I think so. Put this in a sql script and run it against a user who has table privileges granted to him and through a role, and through roles two levels deep.
    set termout  on
    set feedback off
    set verify   off
    set linesize 128
    set pagesize 35
    Accept USER_ID CHAR Prompt 'Enter User ID: '
    COLUMN table_name FORMAT a41 HEADING 'Resource'
    COLUMN privilege  FORMAT a11 HEADING 'Privilege'
    COLUMN grantable  FORMAT a9  HEADING ' '
    COLUMN via_role   FORMAT a60 HEADING 'Via Role?'
    BREAK ON table_name  SKIP 1 NODUPLICATES
    TTITLE Center 'Tables and Proc. Privileges Granted to &USER_ID..'  skip 2
    -- Object privileges reached through roles, to any depth: "role [role it was granted through]"
    SELECT LOWER(y.owner || '.' || y.table_name) table_name,
           y.privilege,
           DECODE(y.grantable,'NO','No Grant','Grantable') grantable,
           x.role_granted as via_role
      FROM (SELECT CASE SIGN(LEVEL - 1)
                   WHEN 0
                        THEN granted_role
                        ELSE granted_role||' ['||grantee||']'
                   END as role_granted,
                   granted_role
              FROM dba_role_privs
           CONNECT BY PRIOR granted_role = grantee
             START WITH grantee = UPPER('&USER_ID')) x,
           dba_tab_privs y
     WHERE y.grantee = x.granted_role
    UNION ALL
    -- Object privileges granted directly to the user: the only ones usable in views
    -- and definer's rights PL/SQL that the user owns
    SELECT LOWER(owner || '.' || table_name) table_name,
           privilege,
           DECODE(grantable,'NO','No Grant','Grantable') grantable,
           '(direct grant)' as via_role
      FROM dba_tab_privs
     WHERE grantee = UPPER('&USER_ID')
     ORDER BY 1, 2;
    TTITLE OFF
    BTITLE OFF
    REPFOOTER OFF
    SET FEEDBACK ON
    SET PAGESIZE   40
    SET LINESIZE   96
    SET VERIFY     ON
    SET UNDERLINE  '-'
    SET HEADING    ON
    SET TERMOUT    ON

  • System and Object privileges question

    hello everyone.
    I was really making it a priority to really understand both system and object privileges for users. I have setup a couple of 'sandboxes' at home and have done lots of testing. So far, it has gone very well in helping me understand all the security involved with Oracle (which, IMHO, is flat out awesome!).
    Anyway, a couple of quick questions.
    As a normal user, what view can I use to see what permissions I have in general? what about permissions on other schemas?
    I know I can do a:
    select * from session_privs
    which lists my session privileges.
    What other views (are they views/data dictionary?) that I can use to see what I have? Since this is a normal user, they don't have access to any of the DBA_ views.
    I'll start here for now, but being able to see everything this user has, would be fantastic.
    Cheers,
    TCG

    Sorry. should have elaborated more.
    In SQLPLUS, (logged in while logged into my Linux OS), I am working to try and get sqlplus to display the results of my query so it is easy to read. Right now, it just displays using the first 1/4 or 1/3 of the monitor screen to the left. Make sense? So it does not stretch the results out to utilize the full screen. it is hard to break down and read the results because they are "stacked" on top of each other.
    Would be nice if I could adjust sqlplus so the results are easier to read.
    HTH.
    Jason

  • I have recently transferred data from my old Mac to my new one. The result was good, but I have 2 users now, whose data I want to merge into 1 single user, so to avoid having to switch from one user to the other to view and use certain files. How to do it

    I have recently transferred data from my old Mac to my new one. The result was good, but I have 2 users now, whose data I want to merge into 1 single user, so to avoid having to switch from one user to the other to view and use certain files. How to do it?

    Here's an easy way:
    Pick the user that you want to eliminate (making sure that the remaining user has administrator privileges) and move all of the data that you want to keep into the Shared folder. Reboot or log out and login to the user you want to keep. Copy all the data from the Shared folder into your account - placing it neatly in folders (Documents, Music, Movies, etc.).
    Once the data is moved, log into the account you want to delete just once more to make certain that you've grabbed all the data you want to keep. Log out and log back into your admin account and go to System Preferences>Users & Groups and delete the 'old' user.
    That should do it.
    Clinton

  • Track changes on indirect assignment of roles to users

    Hi Experts,
    We have been facing an issue where users have roles assigned indirectly(position/job/org unit).
    I have checked the relationship between position/org unit and job to find if there are any roles assigned to these position(HRP 1001).
    To my surprise there are no roles assigned to any of the position,org unit or job.
    Our production system is linked with CUA(Solman) and role assignment is selected as Global.
    I have checked both the systems and couldn't find any roles assigned to the position/org unit/job.
    These roles are assigned to the users in the year 2005?
    I would like to know
    1.) How these roles got assigned to the system? Any logs are there to track it down?
    2.) either we have to change the CUA setting to local and to run the RHAUTUPD_NEW in production system?
    or to run the report RHAUTUPD_NEW in CUA system? am i following the right approach?
    Kindly advise and let us know suggestions on this?
    Thanks a lot in advance for your help.

    Julius,
    What change log says about these role assignments?
    I think having the system as part of CUA (SCUM setting: role assignment global) and maintaining position based role assignment is contradictory.
    So better to detach the system and perform PFUD (comparison type: HR org mgmt) to make the role assignments up to date and connect it back.
    Thanks,krishna

  • Materialized view and policies

    Hello,
    We created a materialized view and on this view we created a policy.
    SYS.DBMS_RLS.ADD_POLICY
    Now we added some values to the MV via drop MV and create MV.
    The policy on this MV is gone after the drop statement.
    Is there a way to secure this?
    Thanks,
    Remco

    Why are you dropping and re-creating the materialized view in the first place? That's not something that should ever happen in a live system. You should just be refreshing the data in the materialized view, in which case the privileges & policies associated with the materialized view would be retained. It's no different than dropping and re-creating a table that has a policy associated with it-- you'd have to re-apply the policy after re-creating the table.
    Theoretically, I suppose you could create a DDL trigger that would throw an error if you tried to drop an object with an associated policy. Fixing your approach, though, so that you're not dropping & re-creating objects is going to be the better long-term solution.
    Justin
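The guard trigger Justin mentions, as an added example that is not part of his answer. It assumes the creator holds ADMINISTER DATABASE TRIGGER and can read DBA_POLICIES; the trigger name and the materialized view SCOTT.SALES_MV used in the refresh line are hypothetical.

```sql
-- Added example, not from the original thread. Assumes ADMINISTER DATABASE TRIGGER and
-- read access to DBA_POLICIES; GUARD_RLS_POLICY_DROP and SCOTT.SALES_MV are hypothetical.
-- Refuses to drop a table, view or materialized view while a DBMS_RLS policy is still
-- attached to it, so the policy cannot silently disappear with a drop-and-recreate.
CREATE OR REPLACE TRIGGER guard_rls_policy_drop
  BEFORE DROP ON DATABASE
DECLARE
  v_policies NUMBER;
BEGIN
  IF ora_dict_obj_type IN ('TABLE', 'VIEW', 'MATERIALIZED VIEW') THEN
    SELECT COUNT(*)
      INTO v_policies
      FROM dba_policies
     WHERE object_owner = ora_dict_obj_owner
       AND object_name  = ora_dict_obj_name;
    IF v_policies > 0 THEN
      RAISE_APPLICATION_ERROR(-20001,
        ora_dict_obj_owner || '.' || ora_dict_obj_name || ' still has ' ||
        v_policies || ' RLS policy(ies): drop them with DBMS_RLS.DROP_POLICY first, ' ||
        'or refresh the object instead of dropping it');
    END IF;
  END IF;
END;
/

-- What the original job should do instead of drop + create: keep the object and its
-- policy and refresh the data (complete refresh shown).
EXEC DBMS_MVIEW.REFRESH('SCOTT.SALES_MV', 'C')
```

The trigger is a backstop, not the fix: it turns a silent loss of row-level security into a failed job that someone has to look at, while the refresh keeps the policy in place in the first place.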

  • Differences Between Object And System Privileges

    Hi,
    Whats the difference between object and system privileges in oracle?
    Cheers
    Paul

    System Privileges
    A system privilege is the right to perform a particular action, or to perform an action on any schema objects of a particular type. For example, the privileges to create tablespaces and to delete the rows of any table in a database are system privileges.
    Schema Object Privileges
    A schema object privilege is a privilege or right to perform a particular action on a specific schema object:
    For example, the privilege to delete rows from the departments table is an object privilege.
    Some schema objects, such as clusters, indexes, triggers, and database links, do not have associated object privileges. Their use is controlled with system privileges. For example, to alter a cluster, a user must own the cluster or have the ALTER ANY CLUSTER system privilege.
    A schema object and its synonym are equivalent with respect to privileges. That is, the object privileges granted for a table, view, sequence, procedure, function, or package apply whether referencing the base object by name or using a synonym.
    Granting object privileges on a table, view, sequence, procedure, function, or package to a synonym for the object has the same effect as if no synonym were used. When a synonym is dropped, all grants for the underlying schema object remain in effect, even if the privileges were granted by specifying the dropped synonym.

  • What privileges or role is required for user to acces the explain plan?

    Hi mates,
    Can anyone pls tell me what privileges or roles (grants) are required for a user to access the explain plan in Oracle 8i 8174..
    I think the select any dictionary is not valid for explain plan accessibility in 8i.
    Cheers.

    I already had that... Just that a user (not a dba) requires access to the explain plan and I dont want to grant him a dba role.
    Are you aware of any other grant I can give to the user?

  • Authorization objects for  transaction, one to view, and one to maintain

    Hi all,
    My requrement is to create two authorization objects for  transaction, one to view, and one to maintain.
    I know how to create objects via SM21, but I do not know how to create objects with activity codes.
    Please suggest how to create an object where I can assign activity codes.
    regards
    manish

    The Authorization Concept
    R/3 uses authorization objects to assign authorizations to users. An authorization object is a template for an authorization. For example, authorization object F_SKA1_BUK - G/L Account: Authorization for company codes requires the specification of two field values: Company Code and Activity. To allow a General Ledger supervisor to create a general ledger master record, he/she must be assigned an authorization to create (Activity 1) accounts for a specific company code (eg. Company Code 2000). Such an authorization is created using the object F_SKA1_BUK by assigning these field values and naming the authorization following an appropriate convention (eg. Z_SCC20001).
    Authorizations may be classified as general authorizations, organizational authorizations or functional authorizations. General authorizations specify the functions a user may perform. Authorization object F_SKA1_BUK has been assigned to the function for creating general ledger master records. The system checks for the user's authorization to create general ledger accounts (Activity 1) in at least one company code. The system then checks whether the user is permitted to create accounts for the specified organizational unit (company code) and has the required functional authorizations. Authorizations in this case may restrict the user to certain Charts of Accounts. In addition, an authorization group may be defined in certain authorization objects to protect individual master records.
    Profiles relating to an organizational role (eg. General Ledger Supervisor) are defined consisting of a list of authorizations and other profiles. Such profiles are then assigned to users with that role and stored in their user master record along with other data (eg. password).
    Do check this link as well.
    http://articles.techrepublic.com.com/5100-10878_11-5110893.html
