I have an oracle package with a procedure that create table, than it grant priviliges on it.
The code is just similar to this:
Begin
Execute immediate 'create table SU.temp_tbl...';
...
...
Dbms_stats.gather_table_stats('SU', 'TEMP_TBL');
End;
The owner of the procedure is user with DBA role.
This role has
create any table privilege
Such as
Analyze any table privilege
So why when I'm running this procedure, I'm getting an exception of 'no privileges' on the gather table command,
But the 'create' just executed ok?
And what is the solution ? Do I need the SU user to grant explicit privilege of analyze to the DBA?
I'm using oracle 11g version.
Thanks.
The privileges have to be granted directly to the owner of the procedure/package, not indirectly by a role.
Of course the EXECUTE ON owner.name_of_procedure is necessary, too.
From the usage notes of the GATHER_TABLE_STATS Procedure
To invoke this procedure you must be owner of the table, or you need the ANALYZE ANY privilege.
Related
I use windows 7 and oracle 11g , so when i created user test and give an him create table privilege:
grant create table to test;
I notice that this user can also do select,insert,delete on the table that he created but i don't give him any object privileges.
is create table privilege mean all object privileges are granted?
Table owner can do everything with that table - all DML and DDL actions (selects, inserts, updates, deletes, alters, drops, ... everything).
If you want to let other users do something with your tables, then you'll have to grant those privileges to them.
I have dbms_scheduler jobs in an oracle database (11.2) in a schema (schema1), I would like to grant a system privilege to alter jobs from another schema (schema2) to schema1. How can I achieve this ?
There's not an easy way to grant privileges for all objects in another schema. But you have two other options I can think of:
GRANT ALTER myjob1 TO schema1; - you can grant schema1 alter privileges for individual jobs in schema2.
GRANT SCHEDULER_ADMIN TO schema1; - this is a powerful DBA privilege allowing schema1 to create/alter any scheduler job (which allows them to execute code as any other user).
I would recommend option 1.
Besides the two options mentioned by #kfinity, there is the third option of creating a PL/SQL stored procedure in schema2 that changes it's own jobs (just a wrapper around calls to DBMS_SCHEDULER), and then grant execute on this procedure to schema1.
In Oracle you can grant system privileges like
GRANT CREATE TRIGGER TO MY_USER;
But you can as well grant privileges this way
GRANT CREATE ANY TRIGGER TO MY_USER;
As system privileges are system-wide, where is the difference between the 2 statements above. Does the additional ANY-keyword grant anything else more than system? If I add a Grant ... ON SCHEMA ... it's no system privilege anymore, is it?
Assumption is that there are multiple schemas/objects in the database from different users one cannot access without these privileges.
EDIT:
SELECT *
FROM DBA_SYS_PRIVS
WHERE grantee = 'MY_USER';
returns
GRANTEE PRIVILEGE
------------ -------------
MY_USER CREATE ANY TRIGGER
MY_USER CREATE TRIGGER
(I omitted the columns ADMIN_OPTION and COMMON)
And the result is the same when querying this with MY_USER, MY_USER2 or any other user. I see no connection to a schema here. And it is also possible to only have the CREATE ANY TRIGGER-privilege.
In most cases, the trigger owner is also the owner of the table (or view) on which the trigger is based. In those cases, the table owner, with CREATE TRIGGER can create create triggers on their own table.
CREATE ANY TRIGGER allows the user to create a trigger owned by any user on any table. It is a big security hole because they can create a trigger owned by a privileged user on a table that they own or can insert into. Because they can insert into that table, they can force the trigger to execute and the trigger executes with the privileges of the trigger owner. The effect is that a user with CREATE ANY TRIGGER privilege can create and execute code as a privileged user (similar to having CREATE ANY PROCEDURE plus EXECUTE ANY PROCEDURE).
Limit to as few as people as possible and audit appropriately.
The first statements grants the right to create triggers in the schema of MY_USER. The owner will always by MY_USER.
The second statements grants the right to create triggers in ANY schema. The owner of the trigger can then be any user.
The last option is usually not wanted because it gives user MY_USERS the possibility to corrupt the data model.
I am new with Sql Developer and I got this problem. I make connection but when I try to create table it shows me error:
ORA-01031: Insufficient Privileges.
I try to find answer but I did not succeed.
Please help
you or your dba should logon sys, and issue :
SQL> grant create any table to anonymous;
OR
SQL> grant create table to anonymous;
OR
SQL> grant resource to anonymous;
to have creating table privilege.
the difference between create table and create any table is that
if you have create table privilege then you can create a table in your
own schema.but if you have create any table system privilege then you
can create table in any schema.also to create an external table the
valid privilege is create any table if you use create table then it
will show an error.
I tried the chosen answer and it didn't work.
When you ask questions just wait until you recieve at least 3 answers and then give it green thick.
Try this instead(run it with sys or system user):
'GRANT RESOURCE to my_user; '
Source & already answered link:
Insufficient Privileges when creating tables in Oracle SQL Developer
Hi I have this question.
Is posibble GRANT ANY privileges excluding some tables of the same schema.
For Example:
EXECUTE IMMEDIATE
'CREATE USER USREJECUTA_SUI_ABAS
IDENTIFIED BY VALUES ''test''
DEFAULT TABLESPACE USERS
TEMPORARY TABLESPACE TEMP
PROFILE DEFAULT
ACCOUNT UNLOCK';
-- 2 Roles for USREJECUTA_SUI
EXECUTE IMMEDIATE 'GRANT CONNECT TO USREJECUTA_SUI_ABAS';
EXECUTE IMMEDIATE 'GRANT RESOURCE TO USREJECUTA_SUI_ABAS';
EXECUTE IMMEDIATE 'ALTER USER USREJECUTA_SUI_ABAS DEFAULT ROLE ALL';
-- 1 System Privileges for USREJECUTA_SUI
EXECUTE IMMEDIATE 'GRANT SELECT ANY TABLE TO USREJECUTA_SUI_ABAS';
EXECUTE IMMEDIATE 'GRANT UPDATE ANY TABLE TO USREJECUTA_SUI_ABAS';
EXECUTE IMMEDIATE 'GRANT INSERT ANY TABLE TO USREJECUTA_SUI_ABAS';
EXECUTE IMMEDIATE 'GRANT UNLIMITED TABLESPACE TO USREJECUTA_SUI_ABAS';
Now revoke the permissions from some tables
REVOKE INSERT,UPDATE ON VELITTDA.TAPROVEEDORESXPAIS FROM USREJECUTA_SUI';
but the system launch this error:
ORA-01927: cannot REVOKE privileges you did not grant.
Do you kow some wat to do this? I will apreciate a lot your help.
No, you can't. If you give someone SELECT ANY TABLE, you've given them the ability to query any table in the database. You can't revoke object-level privileges when you haven't granted object-level privileges.
The proper approach is almost always to create a role that has object-level privileges on the actual set of objects that the user needs access to. Grant the role to the user (and any other users that need a similar set of privileges). The various ANY roles are really only appropriate for folks like DBAs.
Granting the SELECT ANY TABLE (or any other ANY TABLE) privilege is generally the wrong thing to do and is almost as bad as granting DBA to arbitrary schema users.
If you are trying to avoid issuing a lot of grant statements, then use the simple trick of generating your DDL from the data dictionary.
set head off
set pagesize 0
spool grant_foo.sql
select 'GRANT SELECT ON '||table_name||' TO FOO_ROLE;'
from all_tables where owner = 'FOO'
order by table_name
;
spool off
Then edit grant_foo.sql as needed before executing.