View + stored function + synonym for other user

Dear All!
I've got a quite strange problem which I cannot decide whether it's caused by my lack of knowledge on the appropriate topic or by an Oracle bug. I'm already after some heavy googling on the topic and I was unable to track any valuable answers neither in forums nor in the Oracle documentation. I'll try to be as short and specific as possible.
Database: Oracle 10g
Result of "SELECT BANNER FROM V$VERSION":
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bi
PL/SQL Release 10.2.0.4.0 - Production
"CORE     10.2.0.4.0     Production"
TNS for Solaris: Version 10.2.0.4.0 - Production
NLSRTL Version 10.2.0.4.0 - Production
I have two users in the database for a single Web application: UAPP01, which is the owner of application DB objects and UAPP02 which is the application user connecting to the DB. The application runs for quite many years by now and DB structure layout has always been following a simple logic: for each DB object used by the app. (tables, views, packages and stored procedures/functions) and found in the UAPP01 there exists a synonym in the UAPP02 schema. For the privileges to be set correctly a role is created: RL_MY_APPL which is granted the necessary privileges on objects of UAPP01 (CRUD on tables, SELECT on views, EXECUTE on procedures, etc..). This role is granted to UAPP02.
In the previous days I was about to extend the DB with a view that invokes a stored function. This pattern has already occured in the DB previously so I kept following existing conventions: I've created the stored function and the view in the UAPP01 schema, granted SELECT on the view to RL_MY_APPL and created the synonym for it in the UAPP02 schema. This is where the entire functionality began to act strange. I'll try to explain with a simplified example that was sufficient to reproduce the problem:
REM ========================================
REM Execute below code as UAPP01 user.
REM ========================================
REM Test function.
CREATE OR REPLACE FUNCTION testfunction(p_param NUMBER) RETURN NUMBER IS
BEGIN
RETURN p_param *2;
END;
REM Testview version 1. causing trouble.
CREATE OR REPLACE VIEW testview AS
WITH testdata AS
SELECT /*+ materialize*/ LEVEL AS d
FROM dual CONNECT BY LEVEL <= 100
SELECT a, b, c, SUM(d) AS sum_d
FROM
SELECT FLOOR(dbms_random.VALUE(1, 100)) a, FLOOR(dbms_random.VALUE(1, 100)) b, FLOOR(dbms_random.VALUE(1, 100)) c, testfunction(d) AS d
FROM testdata
GROUP BY CUBE(a, b, c)
REM Testview version 2. not causing trouble.
CREATE OR REPLACE VIEW testview AS
SELECT a, b, c, SUM(d) AS sum_d
FROM
SELECT FLOOR(dbms_random.VALUE(1, 100)) a, FLOOR(dbms_random.VALUE(1, 100)) b, FLOOR(dbms_random.VALUE(1, 100)) c, testfunction(d) AS d
FROM
SELECT LEVEL AS d FROM dual CONNECT BY LEVEL <= 100
GROUP BY (a, b, c)
REM Synonym.
CREATE OR REPLACE SYNONYM UAPP02.testview FOR UAPP01.testview;
REM Grants.
GRANT SELECT ON testview TO RL_MY_APPL;
When creating TESTVIEW with the 1 ^st^ version I cannot query it using the UAPP02 user, I'm constantly getting the error: ORA-00904: : invalid identifier. However, when I use the 2 ^nd^ version everything runs perfectly. What is common in the two cases is that both versions use the TESTFUNCTION function. I have not granted the EXECUTE rights on TESTFUNCTION to the RL_MY_APPL since it was never needed previously (for other views using stored functions) and as far as I know it's not necessary (as both the view and the function are owned by UAPP01). The strange thing in the above behaviour is that the function is used by both versions, however only one of them fails. This is where I thought it's not a granting issue, otherwise neither of the versions would have worked and I think I would have received a different error stating that UAPP02 lacks the necessary privileges on underlying objects of the view.
As I further digged into the problem by examining the EXPLAIN PLAN output for the two versions I found that version 1. leads to a TEMP TABLE TRANSFORMATION and to MULTI TABLE INSERTs, whereas version 2. simply executes the query without doing such things. In my setup I presume the MULTI TABLE INSERTs were caused by the GROUP BY CUBE. When I simply removed the CUBE and used only GROUP BY the TEMP TABLE TRANSFORMATION remained in place but the MULTI TABLE INSERTs disappeared. As a result of this small modification the view again began to work when I executed it through the synonym and using the UAPP02 user.
With the original DB objects of our application the behaviour is even more strange: the error comes up if I select from the view and filter for a column that is grouped in the query whereas it works correctly if I filter for the aggregated columns. However, I couldn't reproduce this with the above simplified example.
No problem occurs with any of the versions if I query the view using the UAPP01 user.
This hectic behaviour made me suspect that the TEMP TABLE TRANSFORMATION + MULTI TABLE INSERT + synonym + stored function combo appears to bring a strange Oracle bug to the surface...
As a final note: when executing GRANT EXECUTE ON TESTFUNCTION TO RL_MY_APPL everything works fine in all cases. I know I could simply live with this but I'd really like to get to the bottom of this. Although this extra GRANT appears to solve the problem I don't really trust it. I'd really like to avoid the bug emerging again in Production in case this extra GRANT were not sufficient due to some unknown misteries.
Excuse me, the post has become a bit lengthy. Thanks in advance for anyone who's willing to read through and answer it!
Regards,
Krisztian Balazs Szaniszlo

The error is thrown at run-time and only for the UAPP02 (second) user.
The problem is that the appearance of errors is independent of whether the query contains the call to the stored function or not.
So far I thought that if I use a stored function indirectly, like in this setup: UAPP02.synonym -> UAPP01.view -> UAPP01.stored function, then I don't need the grant. Of course, I understand that if I had used it directly, like :UAPP02.synonym -> UAPP01.stored function then I'd need the GRANT EXECUTE.
Shall I just ignore the strange behaviour and go on by adding GRANT EXECUTE privilege on all the functions used indirectly through views? It seems to solve the problem, but this behaviour is disturbing me quite and I fear the real root cause of the problem can emerge later in a different fashion.

Similar Messages

  • How to view the output submitted by other user

    Product : EBS R12.0.4
    Plateform : RHEL AS 4.6
    I want to view the output submitted by other users. I have tested it for responsiblity level in which sysadmin can view the other users request but it is labour work. Can anyone suggest to view it with less work.
    Regards,

    Hi,
    you need to understand the new RBAC concept and the involved objects. Just to mention that Grants are here specific EBS-RBAC objects you have to deal with. You need to be sysadmin and functional Administrator to define and assign those objects. I know that the metalink note is short and could be longer, but all steps are right.
    If you ask mainly what you are doing by utilizing this notes, you are defining additional where clauses, internally added to the basic object (here concurrent requests) and additionally you are granting rights to get buttons enabled (log / out).
    If you need something else, just let me know.
    Regards
    Volker

  • 3 user profiles on mac book pro.  cant see one account in time machine - has it backed up? and for other users ''no permission'' to open folders - i just want to know that stuff IS backed up (before attempting upgrade to lion)

    We have 3 user profiles on mac book pro.  want to upgrade to lion but want to be sure that all users are backed up to ext hard drive via Time Machine.  When I go into Time Machine - I cant find anywhere my user account (1 of the 3) - loads of photos and documents. For other user accounts - if i go to open a folder i cant ''no permission'' is the message.  All I want to be sure of is that there is a back up and for these 2 reasons I am far from sure.

    famfran wrote:
    When I go into Time Machine - I cant find anywhere my user account (1 of the 3) - loads of photos and documents.
    Be sure they're not excluded in Time Machine Preferences > Options.
    Also, if iPhoto is open while a backup is running, Time Machine may not be able to back up the changes in the iPhoto Library. It will "catch up" the next time, if it can.
    For other user accounts - if i go to open a folder i cant ''no permission'' is the message.  All I want to be sure of is that there is a back up and for these 2 reasons I am far from sure.
    That's correct; one user, even an Admin user, doesn't normally have access to another user's files.  You should see the same behavior if you try to look at their data on your Mac.
    Log on as the other users (or have them do it) to see their backups.

  • Purchase iCloud storage for other users

    Can I buy iCloud storage for other users?
    Thank you.

    To the best of my knowledge, purchased storage stays with Apple id it is purchased to. To the best of my knowledge, it is unlike itunes store, and is not obligated to comply with local laws/regulations for downloads.
    I wish sometimes that people like you could create tips on do's and don'ts internationally, since we are all a bit shortsighted when it comes to Non our country situation. Unfortunately that tip here will die in the dark.
    BTW, I think your switching store may backfire for you, but I am sure you were informed of that on the phone.
    Question:
    Is it possible to pay in EU for iCloud accounts valid in China (RMB) and in the US (USD)
    They do not care( they will charge in acceptable units and card will take care of exchange rate), as long as card is accepted by corresponding store ( it is if it is on your file, and if not on file -you will find out as soon as you try to put it on it )
    As in the end they will end up back in the EU.
    What happens if you extend the storage in 1 country and then move to another country with a different currency and extend it again?
    I think I already answered that one.

  • I created a form with Single Choice fields, 4 days with times listed. But, I want the user to only be able to choose one time, and the time chosen to be unavailable for other users. How do I do this?

    I created a form with Single Choice fields, 4 days with times listed. But, I want the user to only be able to choose one time, and the time chosen to be unavailable for other users. How do I do this? I have 4 blocks of Single Choice fields in order for the summary page to give me each day in the final report. But, I need the user to be able to make a selection of any day and time and that apointment to no longer be available to future users when they log in. Plus, when the user clicks on the time, they are unable to change their mind and choose another time. Here's the link if you want to see what I'm talking about: 2015-2016 Workload Apportionment Review

    I'm afraid not.    It's not rocket science but you need to do some coding. 
    You'll need to find a script (php) and save it to your local site folder.  Then reference the script in your form's action attribute like so.
         <form action="path/form-to-email-script.php" >
    The input fields in your HTML form need to exactly match the script variables. 
    I'm  assuming you're hosted on a Linux server which uses PHP code.  Linux servers are also case sensitive, so upper case names are not the same as lower case names.  It's usually best to use all lower case names in your form and script to avoid confusion.
    Related Links:
    Formm@ailer PHP from DB Masters
    http://dbmasters.net/index.php?id=4
    Tectite
    http://www.tectite.com/formmailpage.php
    If this is all a bit beyond your skill set, look at:
    Wufoo.com (on-line form service)
    http://wufoo.com/
    Nancy O.

  • Problem in Scheduling trace for other user

    Hi,
      I scheduled SAT/SE30 trace for other user(From user X, I scheduled for user Y). I executed the corresponding program in background in Y Login. Then, if I see the traces in X as well as Y Login, Nowhere I am getting the trace. The status is "In Process" only. What is the right procedure to do this?
    Thanks and regards,
    Venkat

    It was configuration issue.

  • Mac is freezing no programs running yet no trouble for other user

    My mac keeps freezing yet no trouble for other user. No program's run without 5 mins of coloured wheel rotating. Also time machine not operating properly as computer is not recognising it. Apple support centre not much help as it took them 10 mins just to get my details straight! Anyone with similar problem and successful solution?
    Thanks.

    Tried Mac HD utility first aid but advised it can't repair disk.
    It's possible you have directory damage.  You will need to get that repaired asap by using/purchasing a stronger 3rd party utility.  The more you use the computer, the worse it will get. 
    Utilities are best run from the CDs  to avoid system interference & false readings/reports.  You must use the versions that are compatible w/your OS system & keep the utilities updated to avoid damaging/harming/trashing your system. You need to make your own decision on which to purchase.  Read up on them on their websites because each do something a little different.
    DiskWarrior (Highly Recommended for Directory Damage Repair)
    Techtool Pro
    Drive Genius

  • IBot user not receiving dashboard alert/email not the case for other users

    Hi,
    I have a user who can create iBots and is able to deliver them to other users. However the user themselves cannot receive any iBot alerts on the dashboard or via email, even for iBots that they create themselves.
    I've checked their account setting and their email is configured, they are part of the correct user groups etc. This user has never been able to receive any iBot alerts or any iBot content.
    Can you let me know what else I can check as iBots are working for other users?
    Regards,
    AT

    Thanks Jay,
    They are part of the same group (in fact thety are part more groups as well) as other users for whom alerts and iBots work. They have the relevant priviliges under Delivers, their email is correct.
    They have access to the relevant Subject Area as it is ther user themselves who create the report and try to send it out using and iBot, other users receive the report apart from themselves. They themselves don't receive any alerts or emails.
    Rregards,
    AT

  • Message no visibility for other users

    Since I started working with Message Beta my account visibility for other users is offline.
    With 'the old'  iChat my online status was visible to other users.
    With Message however non of my chatfriends can see that i'm online even if my status shows online and visible in Message.
    The only thing other friends see is that i'm offline!
    Who knows the answere?

    Hi,
    If you have multiple accounts/Buddy lists go to the Messages Menu > Preferences > General Section and use the item to unlink the Buddy Lists
    Now check each one and also the setting to make them all the same.
    If that does not work try Deleting the Account and then re-adding it/them
    10:22 PM      Friday; April 13, 2012
    Please, if posting Logs, do not post any Log info after the line "Binary Images for iChat"
      iMac 2.5Ghz 5i 2011 (Lion 10.7.3)
     G4/1GhzDual MDD (Leopard 10.5.8)
     MacBookPro 2Gb (Snow Leopard 10.6.8)
     Mac OS X (10.6.8),
    "Limit the Logs to the Bits above Binary Images."  No, Seriously

  • SubArea not visible for other users in ESS

    Hi All,
    I have created a new subarea (having few services) and assigned it to a Benefits and payments Area.
    Now the issue is its only displaying to Administrator Role not for other users.
    if iam giving SAP_ALL  to other user then we are able to see this.
    Please let me know if iam missing anything .
    Thanks,
    Santosh

    to the role assigned to the user, you need to select end user visible in the role.
    note Number              939412
    ssign the following permissions to an End user.
       o  Goto Content Administrator ->Portal content ->Content Provided by
          SAP ->End User Content -> Employee Self Service
       o  Right click on  Employee Self Service. select open-> Permissions
       o  Assign read authorization to default user group "everyone".
       o  Check the 'EndUser' checkbox
       o  Save the Assigned permissions
       o  Goto System administration -> Permissions.
                                                                    Page 2
       o  Goto  Portal content ->Content Provided by SAP ->srvconfig
       o  Assign read authorization to default user group "everyone".
       o  Check the 'EndUser' checkbox
       o  Save the Assigned permissions.

  • I want to secure my email account for other users of the i-pad. Is this possible?

    I want to secure my e-mail account for other users of the i-pad....
    Is this possible???

    no.
    The only way is if you use a webmail app - not the included e-mail app - so you can password protect it online.
    The iPad is meant to be a single user device so it has no protocols to partition off any part of it (beyond what restrictions allow)

  • Setup iPad for other user when iCloud pw is unknown.

    I'm a tech director for a school district with ~450 iPads. Often, I get students or staff who move out and leave their iPads logged into iCloud as themselves. I need to get these iPads setup for other users. How can I setup an iPad if the previous user is long gone?
    Nobody is going to give me their Apple ID password and I wouldn't expect them to. Recovery mode lets me wipe it but I still need to enter the previous user's Apple ID and pw to proceed.
    I don't use Configurator; I prefer iTunes.

    Might be some help on this link, but you may need the password.
    How to Safely Delete an iCloud Account
    http://9to5mac.com/2013/07/13/how-to-safely-delete-an-icloud-account-from-your-m ac-or-ios-device/
     Cheers, Tom

  • Setting OOF for other users using EWS

    Hello everyone,
    I try to set the OOF for other users using EWS in an Exchange 2010 SP2 environment.
    I use this code:
    ExchangeService service = new ExchangeService(ExchangeVersion.Exchange2010_SP2);
    service.Credentials = new NetworkCredential("username", "password", "domain");
    service.TraceEnabled = true;
    service.TraceFlags = TraceFlags.All;
    service.AutodiscoverUrl("[email protected]");
    OofSettings OOFSettings = new OofSettings();
    OOFSettings.ExternalAudience = OofExternalAudience.All;
    OOFSettings.ExternalReply = "Test";
    OOFSettings.State = OofState.Enabled;
    service.SetUserOofSettings("[email protected]", OOFSettings);
    The account I use is a Service Account our Exchange Team set up. I can see all service properties, so I would assume that the connection to the ExchangeService works fine.
    However when SetUserOofSettings executes, I receive a ServiceResponseException “Connection did not succeed. Try again later”.
    What am I missing? Unfortunately, the error message does not provide any helpful informations.
    Thank you and best regards
    Julian

    >The account I use is a Service Account our Exchange Team set up. I can see all service properties, so I would assume that the connection to the ExchangeService works fine.
     What rights have they given the account, giving an Account Exchange Admin permissions won't give you any rights to access the Mailbox content. For this to work the account you using would need to be either have been granted Full Access via Add-MailboxPermission
    or been given Application Impersonation rights (if its the later you need to make sure you use impersonation in your code).
     I would suggestion you try using the EWSEditor
    http://ewseditor.codeplex.com/ to test this out eg try connecting to the users folders and then try the OOF operation via the EWSEditor option to see if this works.
     Other things to check is if this is a Brand new mailbox that has never been connected to before then the Mailbox folders won't be initialized (you can check this using Get-Mailboxstatistics) and you would get an error trying to perform any of
    the EWS operations. If it works on some users and not others the possibly your getting throttled.
    Cheers
    Glen

  • Make queries available for other users

    Hello,
    I have created a query in SQVI (quickviewer) and I am trying to make it available for other users.  How can I do that?  Do I need to create an infoset in SQ02?
    Thx,
    Alex

    Hi Alex,
    Though I have not worked using T.code SQVI, I had done the ABAP Query using "SAP Query". The procedure in it is in T.Code SQ03, we create a User Group and assign the users in the same, so that the users can access the Query. Hope this might help you. If you require I can send you the documentation on the same.
    Regards
    Sridhar

  • While using skype on my iphone 4s i found after an hour or so the iphone was very warm and actually bit hot. Is this normal for other users too?

    While using Skype on my iphone 4s i found the phone was heated up. It was very warm. I had used for 1 hour or so. Is this normal for other users aswell ?
    And also sometimes when i get the call no matter how much i try to slide the cursor, it doesn't move. I miss those calls. It looks like it is freezed. Has this
    happened to others too?

    *Update*
    I thought I had found the offending 'app' namely "Songpop."
    I regularly use "Songpop" on my phone late at night via my wifi connection.
    All enteries on my phonebill are at midnight (even though I have a data allowance it was excluded from allowance). I switched 3G off on Friday, played "Songpop" at midnight and at the exact time I got a "Server Error" message.
    I posted a message on the "Songpop" support forum.At first they said this was a problem relating to my ISP.
    I have spoken to my ISP and asked if there are connection drops at the time I have been billed (ie to establish if my wifi dropped and 3G kicked in without my knowledge) and have been advised that there aren't any connection drops at that time.
    "Songpop" have now responded that "This is an issue to take up with Apple Support"  see: http://support.songpop.fm/songpop/topics/playing_songpop_on_phone_via_wifi_but_i ncurring_download_data_charges_for_3g_useage?utm_content=topic_link&utm_medium=e mail&utm_source=reply_notification
    Hopefully someone at Apple can respond ....

Maybe you are looking for

  • Right way to configure TC

    Hi, I recently bought a TC 3rd gen with 2 TB HD. I have a wi-fi router (d-link dir 635) pluged into my brother's room wich is connected to the cable modem. The TC is located in my room and intend to extend my wirelless conection. What is the best set

  • How to find text in a button on the page

    When viewing a page containing a form, and the form has a button with a label, how do I search for the label to find the button?

  • Open password protected pdf using c

    open password protected pdf using c#... we will be providing a pdf path & also its password.. we need to open it in browser without it asking for password.. Can this be done.??

  • Firefox 6.02 crashes randomly

    Firefox 6.02 crashes or just disappears/closes randomly all the time after it is open for a while. It crashes randomly at any website. Firefox also never generates any crash reports after it crashes or disappears even though I have the option to gene

  • Have a opening triangle to alias folders as to real folders?

    hello. Would there be a way to get opening triangles to alias folders in the list view (like to real folders)? (They works like that in column view, but not in list view.) thanks