I have got this error statement for update in trigger-
Same update statement outside trigger is working as expected.
Setup
Schema - B
Table - B.Tab1
B_Write_Role is having privileges to update table in B.Tab1
Schema - A
A schema has B_Write_Role
For A schema there is no direct role, it's through _Write_Role.
Executing the update statement for table B.Tab1 directly works as expected.
However, when the same statement is executed through a trigger, it throws an error.
Note: when direct update privileges on B.Tab1 are assigned to schema A, the trigger works fine.
Why this behavior? Is there any way to handle this without assigning direct privileges to the schema, and handle it through the role?
That's expected. Privileges acquired via roles won't work in named PL/SQL programs (such as functions, procedures, or triggers (which is your case)).
What can you do? Nothing; grant privileges directly.
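A way to confirm this diagnosis before changing grants, as an added example that is not part of the original answer. It uses the names from the question (A, B, Tab1, B_Write_Role) and assumes the table name is stored in upper case; `col1` is a hypothetical column.

```sql
-- Added example. Run sections 1 and 3 as a DBA, section 2 connected as A.

-- 1. Privileges on B.TAB1 that A holds only through a directly granted role.
--    (Roles granted to other roles are not followed by this query.)
SELECT rp.granted_role, tp.privilege, tp.owner, tp.table_name
FROM   dba_role_privs rp
JOIN   dba_tab_privs  tp ON tp.grantee = rp.granted_role
WHERE  rp.grantee    = 'A'
AND    tp.owner      = 'B'
AND    tp.table_name = 'TAB1'
AND    NOT EXISTS (SELECT 1
                   FROM   dba_tab_privs d
                   WHERE  d.grantee    = rp.grantee
                   AND    d.owner      = tp.owner
                   AND    d.table_name = tp.table_name
                   AND    d.privilege  = tp.privilege);

-- 2. Reproduce what the trigger sees from a plain session:
--    with every role disabled, only direct grants remain.
SET ROLE NONE;
SELECT role FROM session_roles;             -- returns no rows
UPDATE b.tab1 SET col1 = col1 WHERE 1 = 0;  -- col1 is hypothetical; fails with
                                            -- ORA-00942 or ORA-01031, as in the trigger
SET ROLE ALL;                               -- re-enable the granted roles

-- 3. The direct grant the answer calls for, limited to what the trigger needs.
GRANT UPDATE ON b.tab1 TO a;
-- Narrower still, if the trigger touches one column only:
-- GRANT UPDATE (col1) ON b.tab1 TO a;
```

Every row returned by the first query is a privilege that plain SQL in A can use but a trigger, procedure or function owned by A cannot.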
Related
I am unable to create the DB link as it's throwing ORA-01031 insufficient privileges error.
Let's say I have database DB1 and schema name as s1 and second database as DB2 with schema t1.
I am trying to create the DB link as the sysdba user by running the below:
alter session set current_schema=s1;
Create database link dblinkname connect to t1 identified by password using 'DB2';
But this is giving me error. I tried giving privileges also to s1 but no luck. Any leads? I don't have the schema password for s1 and I can't reset it as it's production environment.
I had the same issue several years ago.
Assuming you don't want to create a public database link...
You can do this:
Grant privilege create database link to target schema.
Create a stored procedure in your target schema, which creates the database link via execute immediate.
Call this procedure.
Finally drop this procedure.
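The four steps above written out, as an added example that is not the answerer's own code. The names s1, t1, DB2 and dblinkname come from the question; the procedure name `tmp_create_dblink`, its parameter and the `<t1_password>` placeholder are assumptions, and the password is passed in as a parameter so that it is not stored in the procedure source.

```sql
-- Added example. Run as a DBA account; S1 never has to log in.

-- Step 1: the privilege must be granted to S1 directly, because the
-- procedure below runs with S1's definer rights and roles are not applied.
GRANT CREATE DATABASE LINK TO s1;

-- Step 2: a throwaway procedure owned by S1. A private database link is
-- always created in the schema of the user executing the statement, which
-- inside this procedure is S1.
CREATE OR REPLACE PROCEDURE s1.tmp_create_dblink (p_password IN VARCHAR2)
AUTHID DEFINER AS
BEGIN
  EXECUTE IMMEDIATE
       'CREATE DATABASE LINK dblinkname CONNECT TO t1 IDENTIFIED BY '
    -- ENQUOTE_NAME double-quotes the value and rejects embedded quotes,
    -- so the parameter cannot alter the DDL statement.
    || DBMS_ASSERT.ENQUOTE_NAME(p_password, FALSE)
    || q'[ USING 'DB2']';
END;
/

-- Step 3: call it, supplying T1's password (placeholder shown).
BEGIN
  s1.tmp_create_dblink(p_password => '<t1_password>');
END;
/

-- Step 4: remove the helper so it cannot be reused.
DROP PROCEDURE s1.tmp_create_dblink;

-- Check the result: the link should be owned by S1, not by the DBA account.
SELECT owner, db_link, username, host
FROM   dba_db_links
WHERE  db_link LIKE 'DBLINKNAME%';

-- Optional: withdraw the privilege if S1 should not create further links.
REVOKE CREATE DATABASE LINK FROM s1;
```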
I am trying to create a read-only user for an Oracle 11g Database that will be used by SQLAlchemy to query the database.
I was using an existing DBA user with SQLAlchemy and wasn't having any problems, but now with the new user, I am unable to reflect database tables.
Could not reflect: requested table(s) not available in Engine
Note that I can SELECT the tables, just not reflect them.
I am wondering what kind of permissions I need to give to the new user for it to be able to reflect through SQLAlchemy.
I tried copying all roles from the existing DBA to the new user, but still get the same error.
I even tried some advanced roles that weren't used before (I plan on deleting and adding the user correctly again later).
DBACONSULTA is the new user I am creating.
GRANT DBA TO DBACONSULTA
GRANT EXECUTE ANY EVALUATION CONTEXT TO DBACONSULTA
GRANT ANALYZE ANY TO DBACONSULTA
GRANT SELECT ANY TABLE TO DBACONSULTA
GRANT EXECUTE ANY PROGRAM TO DBACONSULTA
With Python I use the following code:
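from sqlalchemy import create_engine, MetaData
engine = create_engine('oracle+cx_oracle://...')
metadata = MetaData()
# Reflect only the named table instead of declaring it
metadata.reflect(engine, only=['tablename'])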
Get the error:
Could not reflect: requested table(s) not available in Engine
I want to be able to reflect tables, without using the Declarative form from SQLAlchemy
Thanks in advance.
I believe I have found the answers.
Two things that are important:
the table name had to be in lowercase (didn't work using uppercase)
the schema was not defined (turns out it was working because the user I was using was the owner of the schema of the tables)
So, when I declare the schema and use lowercase for the tablename the reflection works.
I have 2 schemas:
ARIEL
ARIEL_APEX
All the tables in ARIEL are accessible to ARIEL_APEX and the queries run OK from the ARIEL_APEX schema.
For example,
SELECT * FROM ARIEL.DIM_REGISTRATION_SET
works fine from the ARIEL_APEX schema.
When I try to create a view in ARIEL_APEX:
CREATE VIEW TEST_VIEW AS
SELECT * FROM ARIEL.DIM_REGISTRATION_SET
I get this:
Error at Command Line : 465 Column : 23
Error report -
SQL Error: ORA-01031: insufficient privileges
01031. 00000 - "insufficient privileges"
*Cause: An attempt was made to change the current username or password
without the appropriate privilege. This error also occurs if
attempting to install a database without the necessary operating
system privileges.
When Trusted Oracle is configure in DBMS MAC, this error may occur
if the user was granted the necessary privilege at a higher label
than the current login.
*Action: Ask the database administrator to perform the operation or grant
the required privileges.
For Trusted Oracle users getting this error although granted the
the appropriate privilege at a higher label, ask the database
administrator to regrant the privilege at the appropriate label.
This works absolutely fine in the test and production environment, this is development. DBA saying all is well at their end.
ARIEL_APEX having below privileges.
GRANTEE PRIVILEGE
------------------------------ ----------------------------------------
ARIEL_APEX CREATE JOB
ARIEL_APEX CREATE MATERIALIZED VIEW
ARIEL_APEX CREATE TABLE
ARIEL_APEX CREATE OPERATOR
ARIEL_APEX CREATE VIEW
ARIEL_APEX CREATE TYPE
ARIEL_APEX CREATE SYNONYM
ARIEL_APEX CREATE CLUSTER
ARIEL_APEX CREATE DIMENSION
ARIEL_APEX CREATE TRIGGER
ARIEL_APEX CREATE SESSION
ARIEL_APEX CREATE INDEXTYPE
ARIEL_APEX CREATE PROCEDURE
ARIEL_APEX CREATE SEQUENCE
And we know the grants are OK on the ARIEL objects to ARIEL_APEX as we can execute the query manually.
This is Oracle 12. Never had the issue before we upgraded, but suspect this is related to accessing objects from another schema within a view.
ARIEL_APEX is a member of the ANALYTICS_ROLE, the ANALYTICS_ROLE grants select on all tables in the ARIEL schema, which can be seen to be working below.
Works in upper environments, only difference is grants provided by a role...in other environments SELECT grants provided directly on objects.
As noted in the documentation (emphasis added):
The owner of the schema containing the view must have the privileges necessary to either select (READ or SELECT privilege), insert, update, or delete rows from all the tables or views on which the view is based. The owner must be granted these privileges directly, rather than through a role.
If you only have the select privilege on the underlying table granted through a role then you cannot create a view against it. Even if you move to roles generally, you'll have to keep an explicit grant on top for any views you want to create.
I imagine this is to do with how roles work. With a direct grant Oracle knows whether you can see the table in the other schema. If you grant select on your view to someone else then when they query the view Oracle knows that the chain of privileges is there. If your direct grant on the table is revoked then there are mechanisms to invalidate dependent objects. But what should happen if the role's select privilege on the table is revoked; or your access to the role is revoked; or just within your own session, what should happen if you disable that role - can you still access the view? It's a bit more complicated than it seems at first glance.
Fortunately creating views should be relatively rare and controllable. Most people accessing the table via the role won't need to create a view on it (I assume!).
Another option here is to create the view in the ARIEL schema, and then grant privileges to ARIEL_APEX and/or a role. Whether that is appropriate depends on your real view query and your motivation for creating the view.
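The two options from this answer side by side, as an added example that is not part of the original answer. It uses the object names from the question (ARIEL, ARIEL_APEX, DIM_REGISTRATION_SET, ANALYTICS_ROLE, TEST_VIEW); which account runs each statement is stated in the comments.

```sql
-- Added example.

-- Option 1: keep the view in ARIEL_APEX and add a direct grant on top of
-- the role. Run as ARIEL or a DBA.
GRANT SELECT ON ariel.dim_registration_set TO ariel_apex;
-- If ARIEL_APEX must later grant SELECT on its view to other users, the
-- base-table privilege has to be grantable as well:
-- GRANT SELECT ON ariel.dim_registration_set TO ariel_apex WITH GRANT OPTION;

-- Then, connected as ARIEL_APEX, the statement from the question succeeds:
CREATE VIEW test_view AS
SELECT * FROM ariel.dim_registration_set;

-- Option 2: keep ARIEL_APEX on role-only access and put the view in the
-- schema that owns the table. Run as ARIEL or a DBA.
CREATE VIEW ariel.test_view AS
SELECT * FROM ariel.dim_registration_set;

-- ARIEL owns both objects, so no grant on the base table is involved;
-- consumers receive access to the view alone, here through the role.
GRANT SELECT ON ariel.test_view TO analytics_role;

-- Connected as ARIEL_APEX with ANALYTICS_ROLE enabled:
SELECT COUNT(*) FROM ariel.test_view;
```

Option 2 leaves the development environment with no per-user object grants to keep in step with test and production.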
I want to create the user and the database within that user. But when I tried to create database it's giving the warning message as
ERROR at line 1:
ORA-01501: CREATE DATABASE failed
ORA-01100: database already mounted
Then I tried
STARTUP NOMOUNT;
It's giving the warning message for insufficient privileges even though I have given all the permission to that particular user.
Can anyone please help in finding the solution for this?
You don't create a database under a user in Oracle; I believe you're using terminology from another database product. The equivalent is a schema, which is a logical container for a group of objects. User and schema are essentially synonymous in Oracle - when you create a user it automatically has its own schema.
You create the database once (which you already seem to have done, or had done for you), then create as many schemas/users as your application needs. You don't ever rerun the create database under normal circumstances - you certainly wouldn't as a normal user.
If you connect as that user you will be able to create tables, views, packages etc., assuming it has really been granted all the necessary privileges.
I have access on tables but when I run the same query in an anonymous block it fails with
ORA-00942: table or view does not exist
The Oracle security model means that we cannot build database objects (views, stored procedures, etc) using privileges granted to our account through a role. The privileges have to be explicitly granted to our named account.
This applies to anonymous blocks as well.
So, if you want to build PL/SQL which runs against database objects in other schemas you will have to ask the schema owner - or the DBA - to grant you the privileges you need.