I've got such case.
I've got 3 users on 2 DBs:
A#DBDEV
A#DBPROD
B#DBPROD - read only user for busines user to get some data.
User A#DBPROD has SYNONYM:
CREATE SYNONYM S_TAB FOR TAB#DBLINK_2_DEV; --(DBLINK_2_DEV created using A#DBDEV password)
Now I want to:
GRANT SELECT ON S_TAB TO B#DBPROD;
but getting ORA-02021...
What is the best solution for that?
You can't use a DB link in a grant statement.
grant select on s_tab to b;
Related
--I'm using a view named V_AREA and it's SYNONYM: AREA
However, when I try to grant select permissions to my role, I get the following error:
GRANT SELECT ON AREA TO MY_ROLE
ERROR at line 1: ORA-02225: only EXECUTE and DEBUG privileges are valid for procedures
I'm not using a procedure, what can I do?
I've tryed to use the following grants:
Grant select on area to my_role; --this one gives the above error
Grant select on 'area' to my_role; --this gives other error
Grant select on "area" to my_role; --this gives the same error as 'area'
EDIT:
I have 2 synonyms created named AREA: one to my view V_AREA and other to OGC_AREA. No procedures involved
grant references to the user on all the base tables used in the view using this
Grant references on your_schema.tablename to target_schema or user;
I am sorry for a newbie question. I am creating a readonly user in oracle. I want to limit him just to view and execute a function or procedure. I dont want him to modify those func or proc. Please help me on how to achieve this.
Thanks a lot
-- As sysdba:
-- 1) create an user account
create user <username> identified by <password>;
-- 2) allow user to log in
grant create session to <username>;
-- 3) allow user to execute a single procedure in other schema
grant execute on <other_schema.procedure_name> to <username>;
From SYSDBA user login (from where you created the user), give the following grant :
GRANT EXECUTE ANY PROCEDURE TO user;
GRANT SELECT ANY TABLE TO user;
where user = the username you just created.
Then ,to ensure the user has only read priviledges, check from session_privs that he doesnot have any other priviledge, specifically any "CREATE" prviledge. To do this , run :
select * from session_privs;
from the user you just created.
I have 3 schema's in my database:
Colldesk - Main account
Local_it - Local account for developments
User - User account
Now I am writing a procedure to grant people access based on their job. Depending on their job, they need select, or select, update, insert and delete privileges on certain tables.
I know that usually you create roles for this, but I can't (DBA's are external, and they don't like roles.......)
When running the procure, I am inserting the new user, and which department they belong to. If the department is IT_SUPPORT for example, they will need to be able to update tables in the account account and the local_it account. My procedure is located in the local_it account.
Now, when I am trying to run a script like:
for x in (select *
from all_objects
where owner in ('COLLDESK','LOCAL_IT')
and object_type in ('TABLE','VIEW')
and object_name not in ('IFM_letter_data','IFM_letter_data_V2')
order by owner asc)
loop
execute immediate 'grant update on ' || x.owner || '.' || x.object_name || ' to ' || v_user;
end loop;
I am getting an error, saying that I have insufficient privileges. Is it possible to grant update privileges on a table in a different schema? I am able to grant select privileges.
Thanks a lot in advance
Look at this: You have a friend that you trust and you gave him a key to your appartment.
Are you OK if your friend will give a copy of your key to his friend?
It might be NO, it might be YES.
When you want to grant permissions to a user you may say that it is OK for that user to share access with the others.
So, in your case:
User with tables should grant you access to her tables, with permissions to share:
grant update on my_table to you with grant option
Then you can manage access to that table.
In my oracle DB, i have a user named test this user has DML_ROLE in the DB. And, i have provided insert/update/delete/select access to DML_ROLE on a table named hdr_detail.
But, when user test execute an update query on hdr_detail table its getting error message as Returned error: ORA-01031: insufficient privileges. It works fine when i provide the access directly to the user.
I'm confused why this error shows up only when i provide the access through role.
Table structure:
COLUMN NAME DATA TYPE
PERIOD NUMBER
HDR_ID VARCHAR2(50)
Query i use to update:
update test_sch.hdr_detail set period=201108 where hdr_id = 'check';
Statement i use to grant:
grant insert,select,update,delete on test_sch.hdr_detail to dml_role;
select * from dba_role_privs where grantee like 'TEST' returns the following result
GRANTEE GRANTED_ROLE ADMIN_OPTION DEFAULT_ROLE
TEST DML_ROLE NO NO
select * from dba_tab_privs where table_name like 'HDR_DETAIL' returns the following result
GRANTEE OWNER TABLE_NAME GRANTOR PRIVILEGE GRANTABLE HIERARCHY
DML_ROLE TEST_SCH HDR_DETAIL TEST_SCH DELETE NO NO
DML_ROLE TEST_SCH HDR_DETAIL TEST_SCH INSERT NO NO
DML_ROLE TEST_SCH HDR_DETAIL TEST_SCH SELECT NO NO
DML_ROLE TEST_SCH HDR_DETAIL TEST_SCH UPDATE NO NO
Please help me in resolving this issue. Reply in comment if any more information is needed about this issue.
Try setting the role as the users default role:
ALTER USER test DEFAULT ROLE dml_role;
It could be an issue with how you are accessing the databse object HDR_DETAIL.
From Don burleson (http://www.dba-oracle.com/concepts/roles_security.htm):
Oracle roles have some limitations. In particular object privileges are granted through Oracle roles can not be used when writing PL/SQL code. When writing PL/SQL code, you must have direct grants to the objects in the database that your code is accessing.
If your user is issuing the UPDATE through an application or PL/SQL block then it will not use the role-based permissions. If this is the case you will have to grant the permissions directly.
That seems impossible.
Are you sure that your user connect to correct DB, schema, and query the right table?
I'm stunned.
Pls try
select * from test_sch.hdr_detail
wiht test user.
I have two users Bob and Alice in Oracle, both created by running the following commands as sysdba from sqlplus:
create user $blah identified by $password;
grant resource, connect, create view to $blah;
I want Bob to have complete access to Alice's schema (that is, all tables), but I'm not sure what grant to run, and whether to run it as sysdba or as Alice.
Happy to hear about any good pointers to reference material as well -- don't seem to be able to get a good answer to this from either the Internet or "Oracle Database 10g The Complete Reference", which is sitting on my desk.
AFAIK you need to do the grants object one at a time.
Typically you'd use a script to do this, something along the lines of:
SELECT 'GRANT ALL ON '||table_name||' TO BOB;'
FROM ALL_TABLES
WHERE OWNER = 'ALICE';
And similar for other db objects.
You could put a package in each schema that you need to issue the grant from which will go through all call each GRANT statement via an EXECUTE IMMEDIATE.
e.g.
PROCEDURE GRANT_TABLES
IS
BEGIN
FOR tab IN (SELECT table_name
FROM all_tables
WHERE owner = this_user) LOOP
EXECUTE IMMEDIATE 'GRANT SELECT, INSERT, UPDATE, DELETE ON '||tab.table_name||' TO other_user';
END LOOP;
END;
There are many things to consider. When you say access, do you want to prefix the tables with the other users name? You can use public synonyms so that you can hide the original owner, if that is an issue. And then grant privs on the synonym.
You also want to plan ahead as best you can. Later, will you want Frank to be able to access Alice's schema as well? You don't want to have to regrant privileges on N number of tables. Using a database role would be a better solution. Grant the select to role "ALICE_TABLES" for example and when another user needs access, just grant them privilege to the role. This helps to organize the grants you make inside the DB.
Another solution if you have different owner:
BEGIN
FOR x IN (SELECT owner||'.'||table_name ownertab
FROM all_tables
WHERE owner IN ('A', 'B', 'C', 'D'))
LOOP
EXECUTE IMMEDIATE 'GRANT SELECT ON '||x.ownertab||' TO other_user';
END LOOP;
END;