Our DBA team created a role (standardRole) to easily managed the minimum system privileges in our organization, this role is having one system privilege currently which is the 'Create Session' privilege.
I created a user and grant him this role (standardRole), the user try to connect using Toad but he failed and this error message appeared - ORA-01045: user user1 lacks CREATE SESSION privilege; logon denied.
Then, I granted him the 'Create Session' Privilege directly this time in addition to the role that he is having already and he successfully connected to the database.
So, I am a little confused, why the 'Create Session' granted through the role in not working, but if its granted directly its working fine??!!
I tried to search about this topic in google, and I found some interesting information in Oracle Help Center, but to be honest I didn't understand it 100%.
We must to specify the role when granted to be Default, if the role is default the database will set the role automatically when the user create his session.
The user can also make the role enabled by using this command:
set role (role name)
You need to make the role as default.
To do this, run
ALTER USER DEFAULT ROLE CONNECT;
If there are several roles, then you need to execute
ALTER USER DEFAULT ROLE ALL;
Related
I have created a user, let's call him C##USER from sysdba. Now, I'm trying to create another user from C##USER. Problem is I keep getting the following error:
ORA-01031: insufficient privileges
I have granted C##USER all privileges and have set the default role to ALL. Nothing works yet...
Any ideas? Thanks in advance.
You just need a CREATE USER system privilege BUT don't forget to use CONTAINERclause which should be set to ALL, if you omit this clause then the grantee will have CREATE USER system privilege on the current container.
Specify CONTAINER = ALL to commonly grant a system privilege, object privilege on a common object, or role, to a common user or common role
GRANT
When a common user account is created, the account is created in all of the open pluggable databases. So the user who is creating this new user must have CREATE USER system privilege on all containers.
SQL> grant create user to c##user container=all;
Grant succeeded.
SQL> conn c##user
Enter password:
Connected.
SQL> create user c##user2 identified by user2;
User created.
So, I need to implement SSO in our Oracle databases (using Standard Edition only) and I'm nearly there but I have one annoying problem.
Here's the basic run down of how the user is created. This all works beautifully and I can connect without usernames or passwords. No error are thrown when I GRANT the role of assign it as default
CREATE USER "OPS$DOMAIN\USER" IDENTIFIED EXTERNALLY;
GRANT create session TO "OPS$DOMAIN\USER";
GRANT my_awesome_role TO "OPS$DOMAIN\USER";
ALTER USER "OPS$DOMAIN\USER" DEFAULT ROLE my_awesome_role;
But when i log in, the role doesn't appear when running
SELECT * FROM session_roles
and I need to specifically run the SET ROLE command to bring it to life
SET ROLE my_awesome_role
So my question is, do I need to do something different with roles when using external authentication in Oracle? The documentation is a little vague, or at least my reading of it is ;-)
Good morning,
I'm trying to understand one thing in Oracle database Roles and privileges:
So, i am trying to create two Roles: Programmer and Manager.
The idea for Programmer role users, is to create and insert into tables.
The idea for Manager role users, is to have acess to Programmer role privileges, PLUS update records.
And i thought that if i granted the Programmer role to Manager role, this last one could:
Create a table (from programmer role);
Insert into a table (from programmer role);
Update a record in the table (privilege set to the Manager role);
But through SQL developer, i grant Programmer role to Manager role, and when i connect to the database using a Manager User, i can't find tables created on SYSTEM.A (for example).
Do i need to grant explicity on Manager role also can create and insert? If so, what's the point of the inheritance?
SOLUTION
Programmer role: Insert && create table privileges;
Manager role: Update && Select any table privileges;
Since my goal was to put Manager users inherit Programmer role privileges, this can be achieved like this:
(After setting the roles and privileges):
DBA > ROLES > EDIT MANAGER ROLE > GRANTED ROLES > SELECT PROGRAMMER ROLE.
Disconnect any manager session, and re-connect.
Open a Manager SQL sheet and try to create a table and select, insert and update it. You'll see that Manager has adopter privileges from "programmer" role.
SQL is a non-procedural language. Having that said,you don't need to think about inheritance here. Instead, Grant create,insert and update privileges on manager role explicitly.
Here's what you can do:
1- Create programmer and manager role:
SQL> CREATE ROLE role_name IDENTIFIED by pass_word;
2- Then GRANT privileges (your requirement here) to each role:
SQL> GRANT privilege TO role_name;
3- Grant users(programmers & managers) privileges by granting each user(depends whether he is a manager or a programmer) to a particular role.
SQL> GRANT role_name TO user_name;
You may find the following link useful for more details:
http://docs.oracle.com/cd/B10501_01/server.920/a96521/privs.htm#21065
I would like to create a role connected as SYSTEM. But because I have a lot of schemas with a lot of roles and all of them will be created this way, I don't want the created roles to be granted to SYSTEM (otherwise it eventually will exceed the 148-roles limit).
=> Is that possible to disable the automatic grant on the creator?
NB: for now I work on Oracle 9i but it will soon be upgraded to 11g
There are 2 parts to my answer:
Roles in Oracle are a bit like keys on your keyring: just because they're on the keyring doesn't mean your using them all the time. Oracle has the concept of default roles: these roles are activated automatically when the session is created. The other roles can be enabled later if the user so desires.
The 148 role limit applies to active roles, see for example this documentation link for oracle 10g: http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_6012.htm#sthref7227
To disable roles from being default, use ALTER USER ... DEFAULT ROLE ..., see http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_4003.htm#sthref5717
Don't create any objects, even roles, when connected as SYSTEM. Instead you should be using an ordinary user to create a role and adding objects to it that is appropriate for that user's schema's objects. You will need to grant the CREATE ROLE system privilege to those users that need to own objects and have roles for them, but that's all part of the Oracle security model.
The maximum number of user-defined roles that can be enabled for a
single user at one time is 148.
You can pretty much create as many roles as you like - just don't enable them all at once.
When you create a role (other than a user role), it is granted to you
implicitly and added as a default role. You receive an error at login
if you have more than MAX_ENABLED_ROLES. You can avoid this error by
altering the user's default roles to be less than MAX_ENABLED_ROLES.
Thus, you should change the DEFAULT ROLE settings of SYS and SYSTEM
before creating user roles.
http://docs.oracle.com/cd/B10500_01/server.920/a96521/privs.htm#15539
e.g.
ALTER USER SYSTEM DEFAULT ROLE DBA
Currently, playing around with Oracle DB 11g on Windows XP. Logged in as scott user (not sysdba) with granted DBA role. According to Oracle docs "DBA = All system privileges WITH ADMIN OPTION". Why then creation of a new user gives error "ORA-01031 insufficient privileges..."? Here's DDL command executed using SQL Developer:
CREATE USER john identified by 123
Check out document for SET ROLE and default role
To enable all roles granted to you for the current session, issue the following statement:
SET ROLE ALL;
Or modify user default role
ALTER USER scott DEFAULT ROLE ALL;