We are running Oracle database 19c and we have got a strange error for ORA-01031: insufficient privileges
There are two users/schemas, for short, I call them mgr and user here.
So on mgr, I have created this view:
CREATE OR REPLACE FORCE EDITIONABLE VIEW "MGR"."EVENT" (...) AS
SELECT ... FROM c_interfaces.c_event et
LEFT JOIN event_module em ON (...)
LEFT JOIN event_location cl ON (...)
LEFT JOIN users u ON (...)
WHERE ... ORDER BY ...;
GRANT SELECT ON "MGR"."EVENT" TO "USER" WITH GRANT OPTION;
Using mgr, I can SELECT this view without problem.
Then when I used user to call:
select * from "MGR"."EVENT";
I got this error:
ORA-01031: insufficient privileges
01031. 00000 - "insufficient privileges"
*Cause: An attempt was made to perform a database operation without
the necessary privileges.
*Action: Ask your database administrator or designated security
administrator to grant you the necessary privileges
I don't know what went wrong.
When I used user for debugging and I tried to cut out the select part and run:
SELECT ... FROM c_interfaces.c_event et
LEFT JOIN event_module em ON (...)
LEFT JOIN event_location cl ON (...)
LEFT JOIN users u ON (...)
WHERE ... ORDER BY ...;
I got no error at all. Data is displayed correctly on my screen.
So what could be wrong?
Related
In Ora11g I used to grant all privileges to a user as follows.
create user xx identified by psw;
grant create session, grant any privilege to xx;
grant all privileges to xx;
But in Ora 12c when I execute grant privileges, I'm getting the below ERROR.
Error starting at line : 2 in command -
grant create session, grant any privilege to xx
Error report -
ORA-00604: error occurred at recursive SQL level 1
ORA-20997: "GRANT ANY PRIVILEGE" grants not allowed
ORA-06512: at "RDSADMIN.RDSADMIN", line 79
ORA-06512: at line 2
00604. 00000 - "error occurred at recursive SQL level %s"
*Cause: An error occurred while processing a recursive SQL statement
(a statement applying to internal dictionary tables).
*Action: If the situation described in the next error on the stack
can be corrected, do so; otherwise contact Oracle Support.
I have tried the answer suggested in 1 and it does not seem to work.
1. Regarding Users in Oracle 12c
It is getting the below ERROR.
GRANT All PRIVILEGE TO name
Error report -
ORA-00922: missing or invalid option
00922. 00000 - "missing or invalid option"
*Cause:
*Action
Your help on "grant all privileges to a user in ora12c" is much appreciated.
Thanks!
Yes. I was able to grant privileges with a namespace.
Create user xx identified by psw account unlock;
grant connect to xx;
grant create session, create table, create sequence, create trigger to
xx;
alter user xx quota 5M on USERS;
commit;
If you need to give unlimited quota, use this:
ALTER USER xx quota unlimited on USERS;
commit;
As system user, I created a new user and granted him dba privileges: GRANT dba TO user_bdda_adminProjet
I'm trying to look into the DBA_ROLE_PRIVS table in a trigger (I didn't paste all my code, feel free to tell me if it's necessary):
CREATE OR REPLACE TRIGGER my_trigger
INSTEAD OF
INSERT ON vueEnquete
FOR EACH ROW
DECLARE
tmp int;
BEGIN
SELECT COUNT(*) INTO tmp FROM DBA_ROLE_PRIVS;
...
...
END;
/
But when I try to execute this script, I got the following errors :
Erreur(6,3): PL/SQL: SQL Statement ignored
Erreur(6,39): PL/SQL: ORA-00942: table or view does not exist
Looking at different forums, I found that the problem is in general that the user doesn't have rights to the table.
But when I execute, as my user user_bdda_adminProjet the following line alone (out of a trigger), it works perfectly
SELECT COUNT(*) FROM DBA_ROLE_PRIVS;
Moreover, if I just comment the line in my trigger, it executes without any errors, so I guess the error is specifically at this line.
Thanks in advance for your help and feel free to tell me if you need any further info.
dba is a role, not a privilege.
Privileges obtained through a role are not "active" in PL/SQL. You need to grant the select privilege on the DBA_ROLE_PRIVS directly to the user.
This works:
(connect to some_db)
INSERT INTO some_schema.some_table(id) VALUES (some_schema.some_table.nextval);
This works too:
(connect to some_other_db)
SELECT some_schema.some_table.nextval@some_db FROM DUAL;
This does not work:
(connect to some_other_db)
INSERT INTO some_schema.some_table@some_db(id) VALUES (some_schema.some_table.nextval@some_db);
The error I get is ORA-01031: insufficient privileges ORA-02063: preceding line from SOME_DB. The insert privilege for some_schema.some_table is granted through a default role.
What could be the problem here?
Update: adding select right for the table made the remote query work.
If you insert in the local database, the insert privilege is sufficient; if you insert into the remote database, you need the select and the insert privilege, as it will do a select during the parse phase.
I have a package that compiles fine in another 11g environment.
When I try to compile it in my XE 10g environment w/ a DBA User, I get the ORA-00942 error.
FOR r IN (SELECT DISTINCT job_name jname
FROM dba_scheduler_jobs
^
WHERE job_name LIKE p_job_prefix || '%')
LOOP
...
When I execute a direct select on the table there is no issue.
Select * from dba_scheduler_jobs;
Error Text:
Line: 34 Column: 34 Error: PL/SQL: ORA-00942: table or view does not exist
In order to reference an object in a definer's rights stored procedure (the default), the owner of the procedure has to have direct access to the object. The privilege cannot be granted through a role, even a very powerful role like SYSDBA.
You probably want to grant the owner of this procedure the SELECT ANY DICTIONARY privilege
GRANT select any dictionary
TO <<owner of procedure>>
You could also grant the privileges on each object (i.e. DBA_SCHEDULER_JOBS) individually but if you've already granted this user the SYSDBA privilege, you're probably not overly concerned with restricting grants.
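A way to reproduce and confirm the role-versus-direct-grant behaviour described in the answers above, written as a SQL*Plus session. This is an added example, not code from the original posts; APP_OWNER and JOB_PKG are placeholder names for the code owner and the failing package.

```sql
-- Added example; APP_OWNER and JOB_PKG are placeholders, not from the page.

-- 1) As the code owner: list the roles enabled in this session.
SELECT role FROM session_roles;

-- 2) Disable every role. The session now holds only directly granted
--    privileges (plus grants to PUBLIC), which is what definer's-rights
--    PL/SQL and triggers are compiled against.
SET ROLE NONE;

-- 3) Re-run the statement from the failing unit. If it now raises
--    ORA-00942 or ORA-01031, the earlier success depended on a role.
SELECT COUNT(*) FROM dba_scheduler_jobs;

-- 4) Confirm from the dictionary. No rows from both queries means the
--    owner has neither a direct object grant nor the system privilege.
SELECT owner, table_name, privilege
FROM   user_tab_privs_recd
WHERE  table_name = 'DBA_SCHEDULER_JOBS';

SELECT privilege
FROM   user_sys_privs
WHERE  privilege = 'SELECT ANY DICTIONARY';

-- 5) As a privileged account: grant the one object the code reads,
--    directly to the owner. This is the narrower of the two options
--    mentioned in the answer above.
GRANT SELECT ON sys.dba_scheduler_jobs TO app_owner;

-- 6) As the code owner again (reconnect to get the default roles back):
ALTER PACKAGE job_pkg COMPILE;

SELECT line, position, text
FROM   user_errors
WHERE  name = 'JOB_PKG'
ORDER  BY sequence;
```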
In my Oracle DB, I have a user named test; this user has DML_ROLE in the DB. And I have provided insert/update/delete/select access to DML_ROLE on a table named hdr_detail.
But when user test executes an update query on the hdr_detail table, it gets the error message: Returned error: ORA-01031: insufficient privileges. It works fine when I provide the access directly to the user.
I'm confused why this error shows up only when I provide the access through a role.
Table structure:
COLUMN NAME   DATA TYPE
PERIOD        NUMBER
HDR_ID        VARCHAR2(50)
Query I use to update:
update test_sch.hdr_detail set period=201108 where hdr_id = 'check';
Statement I use to grant:
grant insert,select,update,delete on test_sch.hdr_detail to dml_role;
select * from dba_role_privs where grantee like 'TEST' returns the following result
GRANTEE   GRANTED_ROLE   ADMIN_OPTION   DEFAULT_ROLE
TEST      DML_ROLE       NO             NO
select * from dba_tab_privs where table_name like 'HDR_DETAIL' returns the following result
GRANTEE    OWNER      TABLE_NAME   GRANTOR    PRIVILEGE   GRANTABLE   HIERARCHY
DML_ROLE   TEST_SCH   HDR_DETAIL   TEST_SCH   DELETE      NO          NO
DML_ROLE   TEST_SCH   HDR_DETAIL   TEST_SCH   INSERT      NO          NO
DML_ROLE   TEST_SCH   HDR_DETAIL   TEST_SCH   SELECT      NO          NO
DML_ROLE   TEST_SCH   HDR_DETAIL   TEST_SCH   UPDATE      NO          NO
Please help me in resolving this issue. Reply in comment if any more information is needed about this issue.
Try setting the role as the users default role:
ALTER USER test DEFAULT ROLE dml_role;
It could be an issue with how you are accessing the database object HDR_DETAIL.
From Don Burleson (http://www.dba-oracle.com/concepts/roles_security.htm):
Oracle roles have some limitations. In particular object privileges are granted through Oracle roles can not be used when writing PL/SQL code. When writing PL/SQL code, you must have direct grants to the objects in the database that your code is accessing.
If your user is issuing the UPDATE through an application or PL/SQL block then it will not use the role-based permissions. If this is the case you will have to grant the permissions directly.
That seems impossible.
Are you sure that your user connect to correct DB, schema, and query the right table?
I'm stunned.
Please try
select * from test_sch.hdr_detail
with test user.
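The dictionary output in the question above shows DEFAULT_ROLE = NO for DML_ROLE, which is the detail the first answer acts on. The query below is an added example, not part of the original posts: it lists every path by which TEST can reach TEST_SCH.HDR_DETAIL and says where each path is usable. It assumes read access to the DBA_* views and does not cover system privileges such as UPDATE ANY TABLE or password-protected roles.

```sql
-- Added example, using the user, schema and table names from the question.
WITH role_tree AS (
  -- Every role TEST holds, directly or through nested roles.
  -- A nested role is enabled whenever its top-level role is, so the
  -- DEFAULT_ROLE flag is taken from the top-level grant.
  SELECT granted_role,
         CONNECT_BY_ROOT default_role AS on_at_login
  FROM   dba_role_privs
  START  WITH grantee = 'TEST'
  CONNECT BY PRIOR granted_role = grantee
)
SELECT tp.privilege,
       tp.grantee AS granted_to,
       'direct grant: plain SQL and definer''s-rights PL/SQL' AS effect
FROM   dba_tab_privs tp
WHERE  tp.owner = 'TEST_SCH'
AND    tp.table_name = 'HDR_DETAIL'
AND    tp.grantee IN ('TEST', 'PUBLIC')
UNION ALL
SELECT tp.privilege,
       tp.grantee,
       CASE rt.on_at_login
         WHEN 'YES' THEN 'default role: plain SQL only'
         ELSE 'non-default role: plain SQL only, after SET ROLE'
       END
FROM   dba_tab_privs tp
JOIN   role_tree rt ON rt.granted_role = tp.grantee
WHERE  tp.owner = 'TEST_SCH'
AND    tp.table_name = 'HDR_DETAIL'
ORDER  BY 1, 2;

-- For a non-default role, either enable it in the current session.
-- SET ROLE disables every role that is not listed.
SET ROLE dml_role;

-- Or, as a privileged account, make it a default role as the answer
-- suggests. This replaces the user's whole default-role list and
-- takes effect at the next login.
ALTER USER test DEFAULT ROLE dml_role;
```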