Query about privileges in oracle - oracle

How to invoke privileges to create a view in oracle 10g enterprise edition from the user scott? I am getting insufficient privilege error message while trying to create a view for an existing table

To give privileges to create a view, You need to grant CREATE VIEW to Scott user from sysdba user as follows:
GRANT CREATE ANY VIEW TO Scott;
-- OR --
GRANT CREATE VIEW TO Scott;

TL/DR: you need CREATE VIEW system privilege and SELECT object privilege on the related table.
Actually any user having been granted CREATE VIEW with admin option can grant CREATE VIEW this include SYSDBA and SYSTEM users but also any user having DBA role. To able to create a view on a table you generally also need SELECT privilege on the table.
Example with CREATE VIEW WITH ADMIN OPTION:
SQL> --
SQL> show user;
USER is "SYS"
SQL> --
SQL> create user scott identified by "tiger";
User created.
SQL> grant create session to scott;
Grant succeeded.
SQL> --
SQL> create user myadmin identified by "myadmin" quota unlimited on users;
User created.
SQL> grant create session to myadmin;
Grant succeeded.
SQL> grant create table to myadmin;
Grant succeeded.
SQL> grant create view to myadmin with admin option;
Grant succeeded.
SQL> --
SQL> connect myadmin/myadmin
Connected.
SQL> grant create view to scott;
Grant succeeded.
SQL> create table t(x int);
Table created.
SQL> insert into t values(4);
1 row created.
SQL> commit;
Commit complete.
SQL> grant select on t to scott;
Grant succeeded.
SQL> --
SQL> connect scott/tiger
Connected.
SQL> create view v as select * from myadmin.t;
View created.
SQL> select * from v;
X
----------
4

Related

How can i restrict a user from creating tables in their own schema?

My user only has the privilege to create session, manage scheduler. But I can create tables in the schema, can I change that?
Thank you.
The if the user is able to create a table, then he has more privs than you claim. Here I create a user, grant him ONLY the privs you say, then connect as that user and try to create a table:
SQL> show user
USER is "SYSTEM"
SQL> create user beetle identified by bailey;
User created.
SQL> grant create session to beetle;
Grant succeeded.
SQL> grant manage scheduler to beetle;
Grant succeeded.
SQL> select privilege
2 from dba_sys_privs
3 where grantee='BEETLE';
PRIVILEGE
----------------------------------------
MANAGE SCHEDULER
CREATE SESSION
2 rows selected.
SQL> select granted_role
2 from dba_role_privs
3 where grantee='BEETLE';
no rows selected
SQL> select owner ||'.'||table_name,
2 privilege
3 from dba_tab_privs
4 where grantee='BEETLE';
no rows selected
SQL> -- -------- create the tables
SQL> conn beetle/bailey#pdb01
Connected.
SQL> create table my_test(dob date);
create table my_test(dob date)
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> -- -------- load tables
SQL> -- -------- Do the query
SQL> -- -------- clean up
SQL> conn system/halftrack#pdb01
Connected.
SQL> drop user beetle cascade;
User dropped.

How to fix "ORA-01031" while creating view on "SYS.CDEF$" from another user Oracle Database 19c

Starting from Oracle Database 19c "O7_DICTIONARY_ACCESSIBILITY" parameter has been de-supported. Now our code creating view on SYS.CDEF$ (from another user )is failing with ORA-01031 insufficient privileges error.
The user has the following privileges SELECT CATALOGUE ROLE, EXECUTE CATALOGUE ROLE, SELECT ANY DICTIONARY, CREATE VIEW and CREATE ANY VIEW.
sample:
create view v_Cdef$ as select * from sys.cdef$
ORA-01031 error while creating view on SYS.CDEF$
Can you give us the full script, I can't reproduce
SQL> conn /#db19_pdb1 as sysdba
Connected.
SQL> drop user demo cascade;
User dropped.
SQL> create user demo identified by demo;
User created.
SQL> grant SELECT ANY DICTIONARY, CREATE VIEW , create session to demo;
Grant succeeded.
SQL> conn demo/demo#db19_pdb1
Connected.
SQL> create view v_Cdef$ as select * from sys.cdef$;
View created.

How do I connect as newly created user through SQL Developer on Oracle Autonomous?

I have created a user(new_user) with a password.
I have granted create session to that user.
I still cannot connect to database as new_user.
ORA-01017.
I can connect as admin.
I can see the user(new_user) in the other users menu in SQL Developer.
When I go to create a table like CREATE TABLE new_user.SALES, I get ORA-01918: user 'NEW_USER' does not exist.
I can right-click and create a table.
I know I have the right password.
Sounds very much like the double quotes issue.
Here's how it is supposed to be done:
SQL> connect sys as sysdba
Enter password:
Connected.
SQL>
SQL> create user new_user identified by new_user
2 default tablespace users
3 temporary tablespace temp
4 quota unlimited on users;
User created.
SQL> grant create session, create table to new_user;
Grant succeeded.
SQL> connect new_user/new_user
Connected.
SQL> create table test (id number);
Table created.
This is what I suspect you did: drop the old user first:
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> drop user new_user cascade;
User dropped.
SQL>
Now, start over. Pay attention to all double quotes in the following code:
SQL> create user "new_user" identified by new_user
2 default tablespace users
3 temporary tablespace temp
4 quota unlimited on users;
User created.
SQL> grant create session, create table to new_user;
grant create session, create table to new_user
*
ERROR at line 1:
ORA-01917: user or role 'NEW_USER' does not exist
SQL> grant create session, create table to "new_user";
Grant succeeded.
SQL> connect new_user/new_user
ERROR:
ORA-01017: invalid username/password; logon denied
Warning: You are no longer connected to ORACLE.
SQL> connect "new_user"/new_user
Connected.
SQL> create table new_user.test (id number);
create table new_user.test (id number)
*
ERROR at line 1:
ORA-01918: user 'NEW_USER' does not exist
SQL> create table "new_user".test (id number);
Table created.
SQL>
See? If you created it using double quotes, every time you reference it, you must use double quotes.
I suggest you get rid of them (double quotes) when working with Oracle. That includes users, table names, column names, procedure names, everything.

grant privileges to role

The question is:
Create a "UnivUser" role, and give this role the privileges of select, update, insert, delete, and execute pl / sql packages and sequences. This user will not be able to do anything other than these actions, to help you, you can search in the dialog of SqlDevelopp privileges for a user.
the execute, select and delete work for me using these commands:
GRANT select_catalog_role to UnivUser
GRANT execute_catalog_role to UnivUser
GRANT delete_catalog_role to UnivUser
but for insert and update it does not work for me I don't know how to do it or maybe I did not understand the question.
I don't know whether you misunderstood the question, but I know that I'm not sure whether you wrote the whole question.
Privileges you granted are related to access to SYS-owned objects, and I really can't tell whether that's what you should do.
From my point of view, you should stick to object privileges, i.e. grant what you specified on your own objects to that role. For example (created in my 11g XE database):
Grant Scott privilege to create roles:
SQL> connect sys/pwd#xe as sysdba
Connected.
SQL> grant create role to scott;
Grant succeeded.
Create a role and grant certain privileges to it:
SQL> connect scott/tiger
Connected.
SQL> create role univuser identified by univuser;
Role created.
SQL> grant select, update, insert, delete on emp to univuser;
Grant succeeded.
SQL> create or replace procedure p_test is begin null; end;
2 /
Procedure created.
SQL> grant execute on p_test to univuser;
Grant succeeded.
SQL> create sequence seq_test;
Sequence created.
SQL> grant select on seq_test to univuser;
Grant succeeded.
List of privileges UNIVUSER has:
SQL> select table_name, privilege from role_tab_privs where role = 'UNIVUSER';
TABLE_NAME PRIVILEGE
------------------------------ ----------------------------------------
EMP DELETE
EMP INSERT
EMP UPDATE
EMP SELECT
P_TEST EXECUTE
SEQ_TEST SELECT
6 rows selected.
Now, grant that role to another user in my database:
SQL> grant univuser to mike;
Grant succeeded.
Let's see whether Mike can (or can not) do something with Scott's objects; don't forget to SET ROLE:
SQL> connect mike/lion
Connected.
SQL> set role univuser identified by univuser;
Role set.
SQL> select count(*) from scott.emp;
COUNT(*)
----------
12
SQL> select scott.seq_test.nextval from dual;
NEXTVAL
----------
2
SQL> exec scott.p_test;
PL/SQL procedure successfully completed.
SQL>
Seems to be OK.
[EDIT: write SQL that writes SQL]
SQL> select 'grant select, insert, update, delete on ' || table_name || ' to univuser;'
2 from user_tables;
'GRANTSELECT,INSERT,UPDATE,DELETEON'||TABLE_NAME||'TOunivuser;'
-------------------------------------------------------------------------------
grant select, insert, update, delete on EMP to univuser;
grant select, insert, update, delete on BONUS to univuser;
grant select, insert, update, delete on SALGRADE to univuser;
grant select, insert, update, delete on DEPT to univuser;
SQL>
SQL> select 'grant execute on ' || object_name || ' to univuser;'
2 from user_objects
3 where object_type in ('PROCEDURE', 'FUNCTION', 'SEQUENCE');
'GRANTEXECUTEON'||OBJECT_NAME||'TOUNIVUSER;'
--------------------------------------------------------------------------------
grant execute on EMPTY_TABLE to univuser;
grant execute on SIEROT to univuser;
grant execute on P_RC to univuser;
grant execute on F_RC to univuser;
grant execute on MYFUNCTION to univuser;
grant execute on F_RET to univuser;
grant execute on F_REGNUM to univuser;
grant execute on F_COUNT_OF_SUNDAYS to univuser;
grant execute on P_TEST to univuser;
grant execute on F_TEST to univuser;
grant execute on MTJ_ID_SEQ to univuser;

Execute Immediate fails even with CREATE table grant

I have a problem where I am creating a table using the execute immediate command in the stored procedure. However I get the error of "insufficient privileges". I checked other threads and made sure that the user has "CREATE TABLE" privilege granted to it. However I still keep seeing the same error.
SQL> select * from USER_SYS_PRIVS;
USERNAME PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
MYUSER CREATE VIEW NO
MYUSER UNLIMITED TABLESPACE NO
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE TABLE
CREATE CLUSTER
CREATE VIEW
CREATE SEQUENCE
CREATE PROCEDURE
CREATE TRIGGER
CREATE TYPE
CREATE OPERATOR
CREATE INDEXTYPE
11 rows selected.
The Dummy procedure I created is :
create or replace procedure sp_dummy
as
begin
execute immediate 'Create table Dummy99_99 (Dummy_Field number)';
end sp_dummy;
/
Detailed error :
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "MYUSER.SP_DUMMY", line 4
ORA-06512: at line 1
Is there something wrong I am doing ?
You only have create view granted directly to your user. The other system privileges you can see are coming from a role, and roles are disabled in definer's-rights stored procedures. Look in user_role_privs to see while roles you've been granted, and you can see which privileges each role gives you in role_sys_privs (with the role name as the grantee). There could be several layers of roles too.
You would see the same error if you did set role none before trying to create a table statically. Demo with minimal set-up:
create role myrole;
grant create session, create table, create procedure to myrole;
create user myuser identified by mypasswd;
grant myrole to myuser;
grant create view, unlimited tablespace to myuser;
Then as that user:
SQL> connect myuser/mypasswd
Connected.
SQL> select * from user_sys_privs;
USERNAME PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
MYUSER UNLIMITED TABLESPACE NO
MYUSER CREATE VIEW NO
2 rows selected.
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE TABLE
CREATE VIEW
CREATE PROCEDURE
5 rows selected.
SQL> Create table Dummy99_99 (Dummy_Field number);
Table created.
SQL> drop table Dummy99_99 purge;
Table dropped.
SQL> set role none;
Role set.
SQL> Create table Dummy99_99 (Dummy_Field number);
Create table Dummy99_99 (Dummy_Field number)
*
ERROR at line 1:
ORA-01031: insufficient privileges
And with your stored procedure version:
SQL> connect myuser/mypasswd
Connected.
SQL> create or replace procedure sp_dummy
2 as
3 begin
4 execute immediate 'Create table Dummy99_99 (Dummy_Field number)';
5 end sp_dummy;
6 /
Procedure created.
SQL> exec sp_dummy;
BEGIN sp_dummy; END;
*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "MYUSER.SP_DUMMY", line 4
ORA-06512: at line 1
To be able to create the table dynamically from a stored procedure, your DBA will need to grant create table directly to your user:
grant create table to myuser;
Then trying the procedure again:
SQL> connect myuser/mypasswd
Connected.
SQL> select * from user_sys_privs;
USERNAME PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
MYUSER UNLIMITED TABLESPACE NO
MYUSER CREATE TABLE NO
MYUSER CREATE VIEW NO
SQL> exec sp_dummy;
PL/SQL procedure successfully completed.
SQL> desc Dummy99_99
Name Null? Type
----------------------------------------- -------- ----------------------------
DUMMY_FIELD NUMBER
Notice that user_sys_privs now shows that create table has been granted directly, which it didn't before, or in the question.
However, it is very unlikely you would ever really want to create objects dynamically, as the schema should be well defined and stable - changes of this type should be controlled and be part of a release process. But as an exercise, you need the direct grant.
When using execute immediate, procedure must explicitly tell oracle that it must run with privileges of a particular user.
AUTHID CURRENT_USER, to use the privileges of user running the procedure.
AUTHID DEFINER, to use the privileges of owner of the procedure.
This is done using AUTHID option while creating a procedure.
CREATE OR REPLACE PROCEDURE PROC_NAME AUTHID CURRENT_USER
IS
.....
I faced a similar issue and got the understanding from:
Execute Immediate within a stored procedure keeps giving insufficient priviliges error
If you are connected as myuser user, you should be able to create the procedure, and execute it to create the table.
The only privileges required to do the task are:
CREATE SESSION
CREATE TABLE
CREATE PROCEDURE
And then execute the procedure after connecting to the user:
SQL> CREATE USER TEST IDENTIFIED BY TEST;
User created.
SQL> GRANT CREATE SESSION, CREATE TABLE, CREATE PROCEDURE TO TEST;
Grant succeeded.
SQL> conn TEST/TEST#pdborcl;
Connected.
SQL> show user
USER is "TEST"
SQL> CREATE OR REPLACE PROCEDURE sp_dummy
2 AS
3 BEGIN
4 EXECUTE immediate 'Create table Dummy99_99 (Dummy_Field number)';
5 END sp_dummy;
6 /
Procedure created.
SQL> EXEC sp_dummy;
PL/SQL procedure successfully completed.
SQL> select * from dummy99_99;
no rows selected
The necessary concessions are as follows:
GRANT CREATE TABLE TO "USER";
GRANT EXECUTE ANY PROCEDURE TO "USER" ;

Resources