I have two schemas, let's call them BOB and FRED. I need to call a table in schema FRED from schema BOB to use the primary key in that table as a foreign key. I've set up the appropriate grants for schema FRED to allow BOB access to it, but whenever I run the script, it complains that I do not have the correct permissions. Is there another setting that I need to change somewhere? Can this even be done?
My FK creation is as follows:
ALTER TABLE "BOB"."ITEMGROUP" WITH CHECK ADD CONSTRAINT FK_ITEMS_ITEM FOREIGN KEY (ItemID)
REFERENCES "FRED"."ITEMS"(ItemID)
And I'm doing the grant with:
GRANT ALTER ON "FRED"."ITEMS" TO "BOB"
I get this error message:
SQL Error: ORA-01031: insufficient privileges
01031. 00000 - "insufficient privileges"
*Cause: An attempt was made to change the current username or password
without the appropriate privilege. This error also occurs if
attempting to install a database without the necessary operating
system privileges.
When Trusted Oracle is configure in DBMS MAC, this error may occur
if the user was granted the necessary privilege at a higher label
than the current login.
*Action: Ask the database administrator to perform the operation or grant
the required privileges.
For Trusted Oracle users getting this error although granted the
the appropriate privilege at a higher label, ask the database
administrator to regrant the privilege at the appropriate label.
You need to:
grant references on "FRED"."ITEMS" TO "BOB"
See this "AskTom"
To create a foreign key referencing a table in another schema you need the "REFERENCES" privilege:
GRANT REFERENCES ON FRED.ITEMS TO BOB;
Related
I have created a user in AWS oracle RDS and have my tables,functions and all other code.
As I needed the same replica of this DB structure, I exported it to an sql file using SQL Developer.
Created another user, and now want to import the sql file to this new user, but it is throwing insufficient privilege error.
ORA-01031: insufficient privileges
00000 - "insufficient privileges"
*Cause: An attempt was made to perform a database operation without
the necessary privileges.
*Action: Ask your database administrator or designated security
administrator to grant you the necessary privileges
I have granted the privileges to the user. Is it because of the user1 which is present in the create table statement?
CREATE TABLE "user1"."MBOMCOMPONENTS" ( "COMPONENTNO" VARCHAR2(14 BYTE), "PLANT" VARCHAR2(50 BYTE) )
Could you please help.
Thank you,
Manju
CREATE TABLE"user1"."MBOMCOMPONENTS" ( "COMPONENTNO" VARCHAR2(14 BYTE), "PLANT" VARCHAR2(50 BYTE) )`
This statement builds a table in the "user1" schema. The command will fail if the current schema is not "user1" and the current user lacks the CREATE ANY TABLE privilege.
how can we have separate users with same schema and different data?
A schema is a set of objects owned by a user. A schema has the same name as the user which owns it. To achieve your aim all you need to do is remove "user1". from all the SQL statements, then run the script as USER2 (or whoever).
For future reference, the SQL Developer Export DDL tool has a checkbox for including the schema name; by default it is ticked (i.e. include) but we can unset it if we will want to run the scripts as different users.
I have 2 schemas:
ARIEL
ARIEL_APEX
All the tables in ARIEL are accessible to ARIEL_APEX and the queries run OK from the ARIEL_APEX schema.
For example,
SELECT * FROM ARIEL.DIM_REGISTRATION_SET
works fine from the ARIEL_APEX schema.
When I try to create a view in ARIEL_APEX:
CREATE VIEW TEST_VIEW AS
SELECT * FROM ARIEL.DIM_REGISTRATION_SET
I get this:
Error at Command Line : 465 Column : 23
Error report -
SQL Error: ORA-01031: insufficient privileges
01031. 00000 - "insufficient privileges"
*Cause: An attempt was made to change the current username or password
without the appropriate privilege. This error also occurs if
attempting to install a database without the necessary operating
system privileges.
When Trusted Oracle is configure in DBMS MAC, this error may occur
if the user was granted the necessary privilege at a higher label
than the current login.
*Action: Ask the database administrator to perform the operation or grant
the required privileges.
For Trusted Oracle users getting this error although granted the
the appropriate privilege at a higher label, ask the database
administrator to regrant the privilege at the appropriate label.
This works absolutely fine in the test and production environment, this is development. DBA saying all is well at their end.
ARIEL_APEX having below privileges.
GRANTEE PRIVILEGE
------------------------------ ----------------------------------------
ARIEL_APEX CREATE JOB
ARIEL_APEX CREATE MATERIALIZED VIEW
ARIEL_APEX CREATE TABLE
ARIEL_APEX CREATE OPERATOR
ARIEL_APEX CREATE VIEW
ARIEL_APEX CREATE TYPE
ARIEL_APEX CREATE SYNONYM
ARIEL_APEX CREATE CLUSTER
ARIEL_APEX CREATE DIMENSION
ARIEL_APEX CREATE TRIGGER
ARIEL_APEX CREATE SESSION
ARIEL_APEX CREATE INDEXTYPE
ARIEL_APEX CREATE PROCEDURE
ARIEL_APEX CREATE SEQUENCE
And we know the grants are OK on the ARIEL objects to ARIEL_APEX as we can execute the query manually.
This is Oracle 12. Never had the issue before we upgraded, but suspect this is related to accessing objects from another schema within a view.
ARIEL_APEX is a member of the ANALYTICS_ROLE, the ANALYTICS_ROLE grants select on all tables in the ARIEL schema, which can be seen to working below.
Works in upper environments, only difference is grants provided by a role...in other environments SELECT grants provided directly on objects.
As noted in the documentation (emphasis added):
The owner of the schema containing the view must have the privileges necessary to either select (READ or SELECT privilege), insert, update, or delete rows from all the tables or views on which the view is based. The owner must be granted these privileges directly, rather than through a role.
If you only have the select privileged on the underlying table granted through a a role then you cannot create a view against it. Even if you move to role generally, you'll have to keep explicit grant on top for any views you want to create.
I imagine this is to do with how roles work. With a direct grant Oracle knows whether you can see the table in the other schema. If you grant select on your view to someone else then when they query the view Oracle knows that the chain of privileges is there. If your direct grant on the table is revoked then there are mechanisms to invalidate dependent objects. But what should happen the role's select privilege on the table is revoked; or your access to the role is revoked; or just within your own session, what should happen if you disable that role - can you still access the view? It's a bit more complicated that it seems at first glance.
Fortunately creating views should be relatively rare and controllable. Most people accessing the table via the role won't need to create a view on it (I assume!).
Another option here is create the view in the ARIEL schema, and then grant privileges to APEX_ARIEL and/or a role. Whether that is appropriate depends on your real view query and your motivation for creating the view.
Whenever I give a user "all privileges" in ORACLE (example below), what does this actually do?
My understanding is that it gives a user any privilege, e.g inserting, deleting etc within that schema but not to any schema in the DB?
grant all privileges to my_user;
You can grant all [privileges] on <some object>, but you aren't specifying an object; so you are granting system privileges:
The documentation for system privileges says:
Oracle Database provides the ALL PRIVILEGES shortcut for granting all the system privileges listed in Table 18-1, except the SELECT ANY DICTIONARY, ALTER DATABASE LINK, and ALTER PUBLIC DATABASE LINK privileges.
System privileges are not always restricted to a schema. That table includes a lot of ANY privileges, which are specifically not restricted to a schema. If you grant all privileges to a user they will be able to create or alter a table in any schema, for example. That probably isn't what you want.
There is no shortcut to grant only schema-restricted privileges. You'll need to grant CREATE TABLE, CREATE INDEX, etc. explicitly.
It's common practice to create a role to which you grant the necessary privileges, and then you just have to grant that role to your users. (Although you sometimes still need to grant privileges directly to users, e.g. if they are required in a stored procedure).
I create user(schema) in oracle. like this
create user EMP_DB identified by netsolpk account unlock;
But when i tried login through schema name and password, login failed. Below is the error message.
user EMP_DB lacks create session privilage; login denied.
I've not created any tablespaces.
For this, do I need to create any tablespace? If needed, how to create a tablespace?
And what more things are required for creating a schema in oracle 11g.
Please help me and give me step by step procedure.
The error user EMP_DB lacks create session privilage; login denied indicates that you need privilege to create a session. So you need to grant the appropriate privilege like,
GRANT CREATE SESSION TO emp_db;
Or You can go with granting the roles(group of privileges), CONNECT and RESOURCE.
CONNECT role has only CREATE SESSION privilege.
RESOURCE has the following privilges,
CREATE TRIGGER
CREATE SEQUENCE
CREATE TYPE
CREATE PROCEDURE
CREATE CLUSTER
CREATE OPERATOR
CREATE INDEXTYPE
CREATE TABLE
To find these PRIVILEGES of a ROLE, You can query the DBA_SYS_PRIVS table with a query like this:
SELECT grantee, privilege, admin_option
FROM DBA_SYS_PRIVS
WHERE grantee='RESOURCE';
Also to use the existing tablespace USERS, You can create a user with QUOTA UNLIMITED statement like,
CREATE USER emp_db IDENTIFIED BY netsolpk QUOTA UNLIMITED on USERS;
the fastest, quickest way to create a new user with privileges is
grant connect, resource to NewUser_name identified by NewUser_password;
by this command you will be sure that errors like above will not displayed.
i was running an insert query on a synonym i got ORA-01031 in sql developer, we are accessing almost all tables through synonym only, but only this one in the schema gave ORA-0103 error. Please guide.
Error report: SQL Error: ORA-01031: insufficient privileges
01031. 00000 - "insufficient privileges"
*Cause: An attempt was made to change the current username or password
without the appropriate privilege. This error also occurs if
attempting to install a database without the necessary operating
system privileges.
When Trusted Oracle is configure in DBMS MAC, this error may occur
if the user was granted the necessary privilege at a higher label
than the current login.
*Action: Ask the database administrator to perform the operation or grant
the required privileges.
For Trusted Oracle users getting this error although granted the
the appropriate privilege at a higher label, ask the database
administrator to regrant the privilege at the appropriate label.
did you execute something like:
GRANT select, insert, update, delete on Table to your_synonym_user;
and this line should be executed by the Table owner or the user with that permission.
It looks very much like the permissions you have to either the underlying table, or the synonym are insufficient, or possibly that your password has expired?