Viewing privileges for a Role

Similar Messages

• Find out operator privilege for a role

  Hi,
  How to find out targets missing operator privilege for a role in OEM?

  From the backend you should use EMCLI
  Check http://download.oracle.com/docs/cd/B16240_01/doc/em.102/b40004/cli_verb_ref.htm#BABFGJBG

• How to grant  view privilege for Instant Portal to public users?

  How to grant view privilege for Instant Portal to public users?

  Oracle Instant Portal was designed to offer secure access to company and departmental information, and it isn't currently possible to make instant portal pages public.

• "Create" Datasource Privilege for Deployer Role

  Hi,
  We want to enable the "create" datasource privilege for the Deployer Role, after reading some information for this role looks like they are only allow to modify or delete datasources, but not create them. Admin privilege is not a good option for this group.
  Any ideas or suggestions...

  BoopathyVasagam wrote:
  Thank you for your answer. So should I issue the below statement? (Since I dont have dba privs i couldn't test this)
  GRANT CREATE VIEW to P_ETL_TEST_VIEW;
  I doubt that above will prevent the error from being thrown.
  prior to running anonymous block again; just do as below
  SET ROLE NONE;
  doing so should result in same error being thrown when invoking
  BEGIN 
     p_etl_test_view; 
  END; 

• Campaign - Need to provide 2 different View Configurations for same Role

  Hello,
  I need to provide for the same role config key 2 different view configurations for campaigns. Initially I wanted to do that with transaction types, but then I found out that there are no transaction types for campaigns.
  Does anyone know a way to do that? I don'T want to use a BADI for it, best would be a standard way.
  Thanks!

  You use Object Types to distinguish between views of same RoleConfigKey. In SPRO 'UI Framework Definition', you create object types and they would be available when you create a view config. Just select the object type as it forms part of the 'key' that idenitifies that particular view. In DO_CONFIG_DETERMINATION method of that view, you call a config based on this Object Type. So same view can produce two or more configs for same user in different scenarios.

• Why Oracle removed "Create View" privilege from "Resource" role?

  Seems like a silly question, but does anyone know why?

  >
  Hm.. deprciated and replaced by what? I know they trimmed CONNECT a lot but only create view seemed missing from RESOURCE.
  >
  Replaced by NOTHING. They didn't just 'trim' CONNECT; it only has the CREATE SESSION privilege now.
  The only published info I've seen are these two notes in the Oracle is this from the Database Security Guide.
  http://docs.oracle.com/cd/B28359_01/network.111/b28531/authorization.htm
  >
  Note:
  Each installation should create its own roles and assign only those privileges that are needed, thus retaining detailed control of the privileges in use. This process also removes any need to adjust existing roles, privileges, or procedures whenever Oracle Database changes or removes roles that Oracle Database defines. For example, the CONNECT role now has only one privilege: CREATE SESSION. Both CONNECT and RESOURCE roles will be deprecated in future Oracle Database releases.
  Note:
  Customers should discontinue using the CONNECT and RESOURCE roles, as they will be deprecated in future Oracle Database releases. The CONNECT role presently retains only the CREATE SESSION privilege.

• Problem creating Network ACL for a ROLE in Oracle 11gR2

  According to Oracle Documentation when you create a new Network ACL you can add privileges to a user or role.  I need to create a new ACL for the UTL_SMTP package for a specific role, but when I granted it the users who have that role are still getting the "ORA-24247: network access denied by access control list (ACL)" error when they try to send an email.  If I grant the ACL privilege to the same users directly it works fine.  Is there any step I'm missing?  This is the test I have made on my Solaris 10 - Oracle 11gR2 (11.2.0.3) Standard Edition server:
  SQL*Plus: Release 11.2.0.1.0 Production on Wed Aug 21 09:31:52 2013
  Copyright (c) 1982, 2010, Oracle.  All rights reserved.
  SQL> CONNECT system/******@testdb
  Connected.
  SQL> SET LINES 1000
  SQL> SELECT * FROM v$version;
  BANNER
  Oracle Database 11g Release 11.2.0.3.0 - 64bit Production
  PL/SQL Release 11.2.0.3.0 - Production
  CORE    11.2.0.3.0      Production
  TNS for Solaris: Version 11.2.0.3.0 - Production
  NLSRTL Version 11.2.0.3.0 - Production
  SQL> COLUMN host FORMAT A20
  SQL> COLUMN lower_port FORMAT 99999
  SQL> COLUMN upper_port FORMAT 99999
  SQL> COLUMN acl FORMAT A40
  SQL> COLUMN acl FORMAT A40
  SQL> COLUMN principal FORMAT A15
  SQL> COLUMN privilege FORMAT A10
  SQL> COLUMN is_grant FORMAT A8
  SQL> COLUMN status FORMAT A10
  SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
  no rows selected
  SQL> SELECT acl,principal,privilege,is_grant FROM dba_network_acl_privileges;
  no rows selected
  SQL> CREATE USER testacl IDENTIFIED BY testacl;
  User created.
  SQL> GRANT CONNECT TO testacl;
  Grant succeeded.
  SQL>
  SQL> BEGIN
    2     dbms_network_acl_admin.create_acl('test_smtp.xml','TEST SMTP ACL','TESTACL',true,'connect');
    3     dbms_network_acl_admin.assign_acl('test_smtp.xml','localhost',25);
    4     commit;
    5  END;
    6  /
  PL/SQL procedure successfully completed.
  SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
  HOST                 LOWER_PORT UPPER_PORT ACL
  localhost                    25         25 /sys/acls/test_smtp.xml
  SQL> SELECT acl,principal,privilege,is_grant FROM dba_network_acl_privileges;
  ACL                                      PRINCIPAL       PRIVILEGE  IS_GRANT
  /sys/acls/test_smtp.xml                  TESTACL         connect    true
  After creating this ACL I test it like this:
  SQL> CONNECT testacl/testacl@testdb
  Connected.
  SQL> SELECT host, lower_port, upper_port, privilege, status FROM user_network_acl_privileges;
  HOST                 LOWER_PORT UPPER_PORT PRIVILEGE  STATUS
  localhost                    25         25 connect    GRANTED
  SQL> DECLARE
    2     c utl_smtp.connection;
    3  BEGIN
    4     c := utl_smtp.open_connection('localhost', 25); -- SMTP on port 25
    5     utl_smtp.helo(c, 'localhost');
    6     utl_smtp.mail(c, 'Oracle11.2');
    7     utl_smtp.rcpt(c, '[email protected]');
    8     utl_smtp.data(c,'From: Oracle'||utl_tcp.crlf||'To: [email protected]'||utl_tcp.crlf||'Subject: UTL_SMTP TEST'||utl_tcp.crlf||'');
    9     utl_smtp.quit(c);
  10  END;
  11  /
  PL/SQL procedure successfully completed.
  SQL>
  This works fine and I receive the email correctly.  Now if I try to do the same thing for a role:
  SQL> CONNECT system/******@testdb
  Connected.
  SQL> BEGIN
    2     dbms_network_acl_admin.drop_acl('test_smtp.xml');
    3     commit;
    4  END;
    5  /
  PL/SQL procedure successfully completed.
  SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
  no rows selected
  SQL> CREATE ROLE testacl_role;
  Role created.
  SQL> GRANT testacl_role TO testacl;
  Grant succeeded.
  SQL> ALTER USER testacl DEFAULT ROLE ALL;
  User altered.
  SQL>
  SQL> BEGIN
    2     dbms_network_acl_admin.create_acl('test_smtp.xml','TEST SMTP ACL','TESTACL_ROLE',true,'connect');
    3     dbms_network_acl_admin.assign_acl('test_smtp.xml','localhost',25);
    4     commit;
    5  END;
    6  /
  PL/SQL procedure successfully completed.
  SQL> SELECT host, lower_port, upper_port, acl FROM dba_network_acls;
  HOST                 LOWER_PORT UPPER_PORT ACL
  localhost                    25         25 /sys/acls/test_smtp.xml
  SQL> SELECT acl,principal,privilege,is_grant FROM dba_network_acl_privileges;
  ACL                                      PRINCIPAL       PRIVILEGE  IS_GRANT
  /sys/acls/test_smtp.xml                  TESTACL_ROLE    connect    true
  SQL>
  And now I test it again with the same user:
  SQL> CONNECT testacl/testacl@testdb
  Connected.
  SQL>
  SQL> SELECT host, lower_port, upper_port, privilege, status FROM user_network_acl_privileges;
  no rows selected
  SQL> DECLARE
    2     c utl_smtp.connection;
    3  BEGIN
    4     c := utl_smtp.open_connection('localhost', 25); -- SMTP on port 25
    5     utl_smtp.helo(c, 'localhost');
    6     utl_smtp.mail(c, 'Oracle11.2');
    7     utl_smtp.rcpt(c, '[email protected]');
    8     utl_smtp.data(c,'From: Oracle'||utl_tcp.crlf||'To: [email protected]'||utl_tcp.crlf||'Subject: UTL_SMTP TEST'||utl_tcp.crlf||'');
    9     utl_smtp.quit(c);
  10  END;
  11  /
  DECLARE
  ERROR at line 1:
  ORA-24247: network access denied by access control list (ACL)
  ORA-06512: at "SYS.UTL_TCP", line 17
  ORA-06512: at "SYS.UTL_TCP", line 267
  ORA-06512: at "SYS.UTL_SMTP", line 161
  ORA-06512: at "SYS.UTL_SMTP", line 197
  ORA-06512: at line 4
  SQL>
  I'm aware that role privileges doesn't apply inside procedures, functions or packages by default, but this is an anonymous block so it should use the active roles for the user.  I also tried adding a "dbms_session.set_role('TESTACL_ROLE');" at the beggining of the anonymous PL/SQL block but I got the same access error.
  Thanks in advance for any help you can give to me on this question, it would be very hard to grant the ACL to all the individual users as they are more than 1000, and we create more regularly.

  Thanks for your quick reply... I don't have a problem creating the basic ACL with the privileges granted for a user.  The problem appears when I try to create an ACL with privileges for a ROLE.  You can see here http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_networkacl_adm.htm#BABIGEGG than the official Oracle documentation states that you can assign the ACL principal to be a user or role:
  Parameter
  Description
  acl
  Name of the ACL. Relative path will be relative to "/sys/acls".
  description
  Description attribute in the ACL
  principal
  Principal (database user or role) to whom the privilege is granted or denied. Case sensitive.
  My issue is that when I try to create the ACL for a role it doesn't work.
  Have you ever created an ACL for a role? if so please send me an example or let me know which step I might be missing.  Cheers.

• Privilege for creating a View from a Stored Procedure

  Hi,
                       I need to create a view from a procedure. I could do it from an anonymous block whereas I am unable to do that from a Stored Procedure. Should I need a specific privilege for performing this operation? If so what would be the reason behind it? Will that privilege be given in production databases?
  Code to replicate:
  CREATE TABLE t11 AS SELECT * FROM DUAL;
  CREATE OR REPLACE PROCEDURE p_etl_test_view
  AS
  BEGIN
     EXECUTE IMMEDIATE 'CREATE OR REPLACE VIEW v_t11 AS SELECT * FROM t11';
  END;
  PROCEDURE P_ETL_TEST_VIEW compiled
  Elapsed: 00:00:00.131
  BEGIN
     EXECUTE IMMEDIATE 'CREATE OR REPLACE VIEW v_t11 AS SELECT * FROM t11';
  END;
  anonymous block completed
  Elapsed: 00:00:00.069
  BEGIN
     p_etl_test_view;
  END;
  Error starting at line 13 in command:
  BEGIN
     p_etl_test_view;
  END;
  Error report:
  ORA-01031: insufficient privileges
  ORA-06512: at "OCCSS_ENTMT_HK_DEV_01.P_ETL_TEST_VIEW", line 4
  ORA-06512: at line 2
  01031. 00000 -  "insufficient privileges"
  *Cause:    An attempt was made to change the current username or password
             without the appropriate privilege. This error also occurs if
             attempting to install a database without the necessary operating
             system privileges.
             When Trusted Oracle is configure in DBMS MAC, this error may occur
             if the user was granted the necessary privilege at a higher label
             than the current login.
  *Action:   Ask the database administrator to perform the operation or grant
             the required privileges.
             For Trusted Oracle users getting this error although granted the
             the appropriate privilege at a higher label, ask the database
             administrator to regrant the privilege at the appropriate label.
  Elapsed: 00:00:00.100
  The privileges I am having:
  SELECT   *
      FROM dba_sys_privs
     WHERE grantee = 'OCCSS_ENTMT_HK_DEV_01'
        OR grantee IN (SELECT granted_role
                         FROM dba_role_privs
                        where grantee = 'OCCSS_ENTMT_HK_DEV_01')
  ORDER BY 1;
  GRANTEE
  PRIVILEGE
  ADMIN_OPTION
  EXP_FULL_DATABASE
  ADMINISTER RESOURCE MANAGER
  NO
  EXP_FULL_DATABASE
  ADMINISTER SQL MANAGEMENT OBJECT
  NO
  EXP_FULL_DATABASE
  BACKUP ANY TABLE
  NO
  EXP_FULL_DATABASE
  CREATE SESSION
  NO
  EXP_FULL_DATABASE
  CREATE TABLE
  NO
  EXP_FULL_DATABASE
  EXECUTE ANY PROCEDURE
  NO
  EXP_FULL_DATABASE
  EXECUTE ANY TYPE
  NO
  EXP_FULL_DATABASE
  READ ANY FILE GROUP
  NO
  EXP_FULL_DATABASE
  RESUMABLE
  NO
  EXP_FULL_DATABASE
  SELECT ANY SEQUENCE
  NO
  EXP_FULL_DATABASE
  SELECT ANY TABLE
  NO
  OCCSS_ENTMT_HK_DEV_01
  CREATE DATABASE LINK
  NO
  OCCSS_ENTMT_HK_DEV_01
  CREATE TABLE
  NO
  OCCSS_ENTMT_HK_DEV_01
  DEBUG CONNECT SESSION
  NO
  OCCSS_ENTMT_HK_DEV_01
  SELECT ANY DICTIONARY
  NO
  SCB_SCHEMA_ROLE
  ALTER SESSION
  NO
  SCB_SCHEMA_ROLE
  CREATE CLUSTER
  NO
  SCB_SCHEMA_ROLE
  CREATE DIMENSION
  NO
  SCB_SCHEMA_ROLE
  CREATE INDEXTYPE
  NO
  SCB_SCHEMA_ROLE
  CREATE JOB
  NO
  SCB_SCHEMA_ROLE
  CREATE MATERIALIZED VIEW
  NO
  SCB_SCHEMA_ROLE
  CREATE OPERATOR
  NO
  SCB_SCHEMA_ROLE
  CREATE PROCEDURE
  NO
  SCB_SCHEMA_ROLE
  CREATE SEQUENCE
  NO
  SCB_SCHEMA_ROLE
  CREATE SESSION
  NO
  SCB_SCHEMA_ROLE
  CREATE SYNONYM
  NO
  SCB_SCHEMA_ROLE
  CREATE TABLE
  NO
  SCB_SCHEMA_ROLE
  CREATE TRIGGER
  NO
  SCB_SCHEMA_ROLE
  CREATE TYPE
  NO
  SCB_SCHEMA_ROLE
  CREATE VIEW
  NO

  BoopathyVasagam wrote:
  Thank you for your answer. So should I issue the below statement? (Since I dont have dba privs i couldn't test this)
  GRANT CREATE VIEW to P_ETL_TEST_VIEW;
  I doubt that above will prevent the error from being thrown.
  prior to running anonymous block again; just do as below
  SET ROLE NONE;
  doing so should result in same error being thrown when invoking
  BEGIN 
     p_etl_test_view; 
  END; 

• Customize SharePoint Page view for different roles

  Hi,
  We have a
  SharePoint
  site for the project team. When a user logs into SharePoint we
  would like the user to see a page that is customized for his role in the project. The project roles are Developer, Tester, Business Analyst and Project Manager. Each role would have a customized dashboard
  page that shows data/charts relevant to the role.
  Please let me know how can this be done. Thanks in advance.

  Hi,
  We have a
  SharePoint
  site for the project team. When a user logs into SharePoint we
  would like the user to see a page that is customized for his role in the project. The project roles are Developer, Tester, Business Analyst and Project Manager. Each role would have a customized dashboard
  page that shows data/charts relevant to the role.
  Please let me know how can this be done. Thanks in advance.
  EDIT : The site is in SharePoint 2013.

• SAP HANA Privileges for Frontend Tools

  Hello,
  I am pretty new to HANA and having problems to access my created views from Frontend Tools like Design Studio or Lumira.
  I have created several tables and on top created an Analytic View. Tables and views are in the same schema, but I assigned the view to a package. If I want to access the view via Design Studio there are no views or packages shown.
  My User has the following privileges and roles:
  Roles:
  CONTENT_ADMIN
  USER
  MODELING
  MONITORING
  PUBLIC
  Object Privileges:
  _SYS_REPO
  REPOSITORY_REST (SYS)
  Analytical Privileges:
  _SYS_BI_CP_ALL
  Package Privileges:
  package to which the View was assigned
  If I want to Data Preview myView I get an error: inssuficient privileges.
  Has anybody an Idea? Is there an tutorial for granting privileges for reporting purpose? The Admin Guide is very general and I thought by using the standrad roles are sufficient for my sceanrio.
  Help would be appreciated.
  Thanks
  Waldemar

  So as the trace is saying did you give "Grant" option? And hence you are able to preview the data in HANA. It means:
  1) You are able to see the package from "myUser"
  2) You were able to do data preview from HANA on the analytic view
  Right?
  If it is "myUser" who created the tables, then i don't think you need to grant again.
  I was mentioning you to grant SYS_BI (SELECT) ,_SYS (SELECT) to "myUser"
  And after all this your issue currently is "myUser" cant see the views in Design studio? Could you confirm that you are logging into Design studio using "myUser"?
  Regards,
  Krishna Tangudu

• Task Privileges for Existing Users - Looking for a global update solution

  After some reading I understand that if you set the task privileges for the PUBLIC user in the Privileges section of Discoverer Administrator (10g), any new user created in the system will pick up the privileges you have assigned to the PUBLIC user.
  I currently have 4000+ users who have access to Discoverer Plus and the ability to create/edit queries. I want to limit who can access Discoverer Plus functionality to approximately 150 users.
  I have changed my PUBLIC user to NOT have privileges but this will only affect new users. Is there any way to restrict 4000+ users without having to go through each user individually and set the privileges.
  I am looking for a global update solution. I am wondering if this can be done through the back-end.

  Hi Mezzobella
  If you change the rights for the public user then other users, who have not been manually adjusted in any way, will automatically pick up the public rights. Therefore, if you have a lot of users that are not changing this means that at some point in their life you will have clicked OK or Apply on the screen with a user displayed. This now assigns the rights to that user as opposed to inheriting them from the public user.
  What you are describing is the perfect reason why you should not administer Discoverer using user accounts but to use roles or responsibilities instead.
  In your case you are now somewhat stuck. The programatic way to revoke these rights is to drop rows from the EUL5_ACCESS_PRIVS table but this could take longer than doing inside Discoverer. Basically, when a user has been granted privileges one row per privilege is inserted into this table. The column AP_EU_ID contains the ID of the user. The column GP_APP_ID is the one that tells you what privilege a user has. Here is a list of the privileges:
  1000 Desktop / Plus Privilege (U)
  1001 Create / Edit Query (U)
  1002 Item Drill (U)
  1003 Drill Out (U)
  1004 Grant Workbook (aka Sharing) (U)
  1005 Collect Query Statistics (U)
  1006 Admin Privilege (A)
  1007 Set Privilege (A)
  1008 Create / Edit Business Area (A)
  1009 Format Business Area (A)
  1010 Create / Edit Summaries (A)
  1011 Not used as far as can be determined
  1012 Schedule (U)
  1013 User is never required to schedule workbooks (U)
  1014 Save workbooks to database (U)
  1015 Managed scheduled workbooks (A)
  1016 This is an apps mode EUL
  1017 This is the user's assigned language
  1018 User is allowed to change password
  1019 to 1023 Not used as far as can be determined
  1024 Create Link (U)
  Note: A = Admin privilege, U = User privilege
  Theoretically you could manually delete rows from this table and that will revoke the rights. In reality, Oracle do not like it when inexperienced users manually the EUL as you could corrupt it. Therefore, any manual updates must be done with utmost caution after making sure you back up or have a copy of the table you will be updating - just in case.
  Try running this query to see the content:
  SELECT DECODE( AP_EU_ID, 104198, 'Viewer', 103697, 'Plus', 'Other' ) "Who" , AP_ID, AP_TYPE, AP_EU_ID, AP_PRIV_LEVEL, GP_APP_ID, GBA_BA_ID, GD_DOC_ID, AP_ELEMENT_STATE
  FROM EUL5_ACCESS_PRIVS
  Best wishes
  Michael

• READ privileges for *all the databases*

  Is it possible to grant READ privileges for all the databases objects (tables, schema, triggers, procedures, view and etc)

  SHANOJ wrote:
  Is it possible to grant privileges to all objects in one time?It depends on what you mean by 'in one time'. In one single SQL statement? No. But there's nothing stopping you issuing a billion grants one after the other in your session.
  Roles are probably better suited for this task. But are you sure you really want to grant SELECT privileges on all the tables in the database? It's more common to grant SELECT on all the 'MARKAPP' tables to the 'MARKAPP_READ_ONLY' role...

• How To Modify Privileges For APEX Objects Granted To PUBLIC?

  I have searched this forum but couldn't any threads relating to this...
  We have APEX 3.0.1 installed in some 10g (10.2.0.2) databases that host GIS data. I was informed by a GIS administrator that when using ESRI tool to search for data, the objects that belongs to FLOWS_030000 schema and ones that were granted to PUBLIC are shown. He would like to know if there is a way to hide these objects so they don't show up on the list? There are about 176 objects granted to public from the flows_030000 schema.
  Could we establish a different security scheme that could accomplish the same thing? Maybe we need to create a new account and a role. Grant all of the privileges for flows_030000 to public to the new role. Then grant the role to the new account and the flow_files schema?
  Our goal here is to make the flows_030000 objects hidden from the ESRI tools and still have APEX working properly.

  If you look at the grants, you'll see that there are over 170 objects from the FLOWS_030000 granted to PUBLIC:
  SQL> select count(*) from dba_tab_privs where owner= 'FLOWS_030000' and grantee = 'PUBLIC';
  173
  If we were go grant these privileges to a role, called APEX_APP_RU, and grant this role to APEX_PUBLIC_USER and any schemas an application is linked to (Workspace to Schema), would that be a workable solution?
  The only problem I see right off hand that this might not work is that PUBLIC has synonyms created for the FLOWS_030000 objects. If we revoke the underlying privileges, because of the synonyms, this might not work.
  SQL> select COUNT(*) from dba_synonyms where table_owner = 'FLOWS_030000' and owner = 'PUBLIC';
  176
  Does anyone else have any ideas?

• Account Creation - Badi for Default values for BP Role and Sales Area

  Hi all,
  my requirement regards the possibility to create a new prospect (a link should be available in the navigation bar or create section).
  Logically, a bp role as "Prospect" and particoular sales area should be created automatically.
  I created an implementation for the BADI definition "BADI_CRM_BP_UIU_DEFAULTS". But don't know how to create the default values for BP role and Sales area:
  In my code
  assign cr_me->('VIEW') to <lv_view_name>.
    if sy-subrc ne 0.
      exit.
    endif.
    lv_viewname = <lv_view_name>.
    case lv_viewname.
      when 'AccountDetails.htm'.
  I obtain the viewname "AccountDetails" , the related context "Header". After I don't know how to proceed to obtain the related entities through the relationship BuilRolesRel and BuilSalesArrangementRel.
  Am I following the right way? Is there another solution to prepare the output for default values?
  Any kind of suggestion will be appreciated.
  Regards, Roberto

  go to spro>cross-application components>sap busines partner>business partner> basic settings>field groupings>Configure Field Attributes per BP Role
  Double click the business role which you want to customaze (e.g. 'A') and change the proper settings.
  Regards.

• I am trying to synced my iphone but I get an error message "the iphone cannot be synced you do not have enough access privileges for this operation"

  I have just installed itune on a windows 8 OS and am am trying to sync my iphone but it cannot import photos and come up with the error message "you do not have enough access privileges for this operation"

  Hey there Opal4,
  It sounds like you are unable to use iTunes due to this error message about not having enough access privileges. According to the following article you may need to change the permissions on the file directly:
  These messages occur if permissions are incorrect on your designated music folder or on a folder inside your designated music folder. Permissions are settings that determine who can read, write to, or execute a file or folder on your computer. Every file and folder on your hard disk has an associated set of permissions.
  Example: If permissions are correct on your Music folder, but incorrect on the U2 folder inside your Music folder, you would be able to add other music to your iTunes library, but not that new U2 album.
  Windows XP:
  How to set, view, change, or remove file and folder permissions in Windows XP
  From: Trouble adding music to iTunes library or importing audio CD
            http://support.apple.com/kb/ts1387
  Thank you for using Apple Support Communities.
  Regards,
  Sterling