How to create view db2/iseries with not default permissions?

Every time I create a new view I have to change the permissions to all, and it's quite painful to do the same thing a lot of times.
I also ask if it is possible to change some default options in the database where I create the view, in order for the permissions to be set to public.
Thanks

It sounds like you are using SQL naming. Use System naming instead, this will grant public authority according to the QCRTAUT system value. See Birgitta Hauser's article.
System naming has the added advantage of using the job's library list to resolve unqualified object references. By not hard-coding schema names, but allowing the system to find them according to the library list, you enable your code to work in different environments (ex. development, testing, training, production) without modifying the code, simply by running with a different library list. Therefore you can install into production exactly the same code that was tested.

The following is from the V6R1 documentation:
Authorization

The privileges held by the authorization ID of the statement must include at least one of the following:
- The privilege to create in the schema. For more information, see Privileges necessary to create in a schema.
- Administrative authority

The privileges held by the authorization ID of the statement must include at least one of the following:
- The following system authorities:
  - *USE to the Create Logical File (CRTLF) CL command
  - *CHANGE to the data dictionary if the library into which the view is created is an SQL schema with a data dictionary
- Administrative authority

The privileges held by the authorization ID of the statement must also include at least one of the following:
- For each table and view referenced directly through the fullselect, or indirectly through views referenced in the fullselect:
  - The SELECT privilege on the table or view, and
  - The system authority *EXECUTE on the library containing the table or view
- Administrative authority

View ownership:
If SQL names were specified:
- If a user profile with the same name as the schema into which the view is created exists, the owner of the view is that user profile.
- Otherwise, the owner of the view is the user profile or group user profile of the job executing the statement.
If system names were specified, the owner of the view is the user profile or group user profile of the job executing the statement.

View authority:
If SQL names are used, views are created with the system authority of *EXCLUDE on *PUBLIC. If system names are used, views are created with the authority to *PUBLIC as determined by the create authority (CRTAUT) parameter of the schema.
If the owner of the view is a member of a group profile (GRPPRF keyword) and group authority is specified (GRPAUT keyword), that group profile will also have authority to the view.
The owner always acquires the SELECT privilege WITH GRANT OPTION on the view and the authorization to drop the view.
The owner can also acquire the INSERT, UPDATE, and DELETE privileges on the view. If the view is not read-only, then the same privileges will be acquired on the new view as the owner has on the table or view identified in the first FROM clause of the fullselect. These privileges can be granted only if the privileges from which they are derived can also be granted.

Related

Hasura User Role Inherited Permissions from Anonymous

I'm trying to grant access so that users can access all user information about themselves + non-sensitive information about others in the user table.
I thought user would inherit permissions from anonymous user which would give them access to the non-sensitive data of all users. This doesn't seem to be the case.
Is there a simple way to do this?
Figured out to create an SQL view for the private user info and set permissions for those columns. Set the remaining columns as public.

Microsoft Dynamics 365 - Unable to identify a user privilege

I am using Microsoft Dynamics 365 and I am attempting to change the Owner of an Opportunity. I have System Administrator privileges, but I still get this error message:
<Message>Principal user ... is missing prvReadps_application privilege (Id=75b45303-d5b2-494f-9300-04ffa37d2fee)</Message>
The prvReadps_application privilege is missing from the Dynamics documentation so I'm having a hard time tracking down what privilege is missing from my role. How can I use the privilege name or Id to add the privilege to my role?
It is not you that are missing the privilege - it's the user whom you are trying to give ownership of the Opportunity to. Let's say you have an account owned by User A. If you want to assign this account to user B, user B MUST have at least User-level Read privilege for the account entity. That is how Dynamics CRM/365 works. The user that you are trying to assign the Opportunity to is probably missing the proper security role.
As others pointed out, ps_application is a custom entity - you should go to your System Customizations area and check its display name (I bet it's something like Application). Now you should check what the security roles of the user are to whom you are trying to change ownership - you should grant this role Read privilege for this entity (it will be on the last tab of the Security Role configuration page).
So, why are you getting this error when assigning Opportunity? I bet that this ps_application entity is related to the Opportunity and the relationship is configured to propagate owner, so by changing owner on Opportunity, you are changing owner of related ps_applications -> and thus you are getting the error, as the user cannot be the owner for such records (does not have read privilege).
ps_application is your custom entity. That's why it's missing in MS documentation.
prvReadps_application - says Read privilege missing, so look for Custom entity tab in Security role.
But System Administrator is a dynamic role, the privilege should be added when a new custom entity is added to the system. Make sure you didn't remove any privileges explicitly.
Also verify the Security roles of the owner you are trying to assign, for Read privilege of this custom entity.
Arun V.'s answer made me realize that I missed the part about you being a System Administrator. Thanks Arun V., and my apologies.
Now I would say that you'll want to focus on the privs of the user to whom you are assigning the record. Their lack of permissions is likely what is preventing the assignment.
As Arun V. pointed out, ps_application could be a custom entity.

Oracle Roles, Privileges, and custom types spread across different schemas

I have a schema that contains the vast majority of tables on my project, DEV2.
Additionally, I have a schema that contains oracle custom types used by DEV2: PUBLIC_TYPES.
I want to be able to create triggers on DEV2 that access the roles in PUBLIC_TYPES, but would prefer to do this with a role, so that when I create DEV3 (a clone of DEV2), I can just grant the role to DEV3 prior to compiling the triggers.
At the moment, if I perform the following:
grant all on public_types.type_name to DEV2;
and then (on the DEV2 user) I type:
desc public_types.type_name;
I get the proper description of the type.
However, if I instead do the following:
create role TABLE_PRIVS;
grant all on public_types.type_name_2 to TABLE_PRIVS;
grant table_privs to DEV2;
(and then switch to my DEV2 user, and desc)
desc public_types.type_name_2
I get
ORA-04043: object public_types.type_name_2 does not exist
What am I missing? I've granted the privilege to a role, and the role to a user. Does this work differently with types?
Thanks in advance!
Try to add role to user as default
grant table_privs to DEV2;
ALTER USER DEV2 DEFAULT ROLE table_privs;
otherwise you need to use SET ROLE

Is the dba_transformations dictionary view only accessible when you log in AS SYSDBA?

I'm trying to query the data dictionary to find information on the transformations in the database. I've given my user DBA privileges, so I can access the DBA_ dictionary views. With this user, I can access all the DBA_ views without issues, however it seems I can only access DBA_TRANSFORMATIONS when logged in AS SYSDBA. Am I missing a special privilege to access this view?
DBA_TRANSFORMATIONS does not have a public synonym by default.
Try this:
select *
from sys.DBA_TRANSFORMATIONS;

v$Instance permission errors

I wanted to create a view that looked something like the following, but I keep getting an ORA-01031 - insufficient permission error
create view v_dbinfo as
Select INSTANCE_NAME,HOST_NAME from v$instance;
I can select from v$instance, and create a view from an existing table without any problems.
Any idea on why this is occurring and how I can go about fixing it?
Thanks
I would tend to wager that you have access to V$INSTANCE via a role rather than as a direct grant. If you want to create a view (or reference V$INSTANCE in a definer's rights stored procedure), you would need to have been granted access to the referenced objects via direct grants, not via a role.
In addition, if you intend on granting access to this new view to other users, you will need the access to V$INSTANCE to be granted using the WITH GRANT OPTION clause, i.e.
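-- V$INSTANCE is a public synonym; the grant has to name the underlying
-- view SYS.V_$INSTANCE (granting on the synonym raises ORA-02030).
GRANT SELECT ON sys.v_$instance
TO your_user_name
WITH GRANT OPTION;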
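
Added example (not part of the original answers): data dictionary queries that show whether a privilege reaches the current user directly or only through a role, which is the distinction behind both the TABLE_PRIVS answer and the V$INSTANCE answer above. It assumes the names used in those questions (TABLE_PRIVS, V$INSTANCE) and that V$INSTANCE resolves to SYS.V_$INSTANCE, as in a default installation.

```sql
-- 1. Is the role granted, is it a default role, and is it enabled
--    in this session? A granted but non-default role stays disabled
--    until SET ROLE is issued.
SELECT urp.granted_role,
       urp.default_role,
       CASE WHEN sr.role IS NULL THEN 'NO' ELSE 'YES' END AS enabled_in_session
FROM   user_role_privs urp
LEFT JOIN session_roles sr ON sr.role = urp.granted_role
WHERE  urp.granted_role = 'TABLE_PRIVS';

-- 2. By which path does read access to SYS.V_$INSTANCE reach this user?
--    Only the direct paths count when Oracle compiles a view, a
--    definer's rights procedure or a trigger; the role paths do not.
SELECT 'direct object grant' AS path, grantee AS via, privilege, grantable
FROM   all_tab_privs
WHERE  table_schema = 'SYS'
AND    table_name   = 'V_$INSTANCE'
AND    grantee IN (USER, 'PUBLIC')
UNION ALL
SELECT 'role, object grant', role, privilege, grantable
FROM   role_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'V_$INSTANCE'
UNION ALL
SELECT 'role, system privilege', role, privilege, admin_option
FROM   role_sys_privs
WHERE  privilege = 'SELECT ANY DICTIONARY'
UNION ALL
SELECT 'direct system privilege', username, privilege, admin_option
FROM   user_sys_privs
WHERE  privilege = 'SELECT ANY DICTIONARY';

-- 3. Reproduce what the compiler sees: disable every role, retry the
--    query, then re-enable the roles. If the SELECT now fails, the
--    access came through a role and CREATE VIEW will fail as well.
SET ROLE NONE;
SELECT instance_name, host_name FROM v$instance;
SET ROLE ALL;
```

If query 2 returns only role rows, the least-privilege fix is a direct grant of SELECT on that one object, adding WITH GRANT OPTION only when the new view will be granted on to other users.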
