In Oracle, I attempt to create a view like this
create view ddd as
select *
from myschema1.t1
join myschema2.t2
....
When I run this statement, I get an error ORA-01031 : insufficient privileges. If I just execute the query in Query Worksheet, however, it works.
Why does my CREATE VIEW statement fail and what privileges do I need in order to make the statement succeed?
In order to create a view that references myschema1.t1 and myschema2.t2, the user that owns the view has to be given access to those two tables directly, not via a role. My first guess is that you have been granted the privileges on the underlying table via a role. You can verify that in SQL*Plus by disabling roles and re-running the query. If you do
SQL> set role none;
SQL> select *
from myschema1.t1
join myschema2.t2 ...
does the query work? If not, then you only have the privileges granted via a role not directly. Note that if you want to be able to grant other users access to your view, you need to be granted privileges on the objects WITH GRANT OPTION.
GRANT SELECT ON myschema1.t1 TO <<user that will own the view>> WITH GRANT OPTION;
GRANT SELECT ON myschema2.t2 TO <<user that will own the view>> WITH GRANT OPTION;
If the problem is not with the privileges on the underlying objects, the problem is most likely that you have not been granted the CREATE VIEW privilege.
That sounds like you don't have the CREATE VIEW privilege. If you didn't have access to the tables, you should get ORA-00942: table or view does not exist.
Related
In Oracle you can grant system privileges like
GRANT CREATE TRIGGER TO MY_USER;
But you can as well grant privileges this way
GRANT CREATE ANY TRIGGER TO MY_USER;
As system privileges are system-wide, where is the difference between the 2 statements above. Does the additional ANY-keyword grant anything else more than system? If I add a Grant ... ON SCHEMA ... it's no system privilege anymore, is it?
Assumption is that there are multiple schemas/objects in the database from different users one cannot access without these privileges.
EDIT:
SELECT *
FROM DBA_SYS_PRIVS
WHERE grantee = 'MY_USER';
returns
GRANTEE PRIVILEGE
------------ -------------
MY_USER CREATE ANY TRIGGER
MY_USER CREATE TRIGGER
(I omitted the columns ADMIN_OPTION and COMMON)
And the result is the same when querying this with MY_USER, MY_USER2 or any other user. I see no connection to a schema here. And it is also possible to only have the CREATE ANY TRIGGER-privilege.
In most cases, the trigger owner is also the owner of the table (or view) on which the trigger is based. In those cases, the table owner, with CREATE TRIGGER can create create triggers on their own table.
CREATE ANY TRIGGER allows the user to create a trigger owned by any user on any table. It is a big security hole because they can create a trigger owned by a privileged user on a table that they own or can insert into. Because they can insert into that table, they can force the trigger to execute and the trigger executes with the privileges of the trigger owner. The effect is that a user with CREATE ANY TRIGGER privilege can create and execute code as a privileged user (similar to having CREATE ANY PROCEDURE plus EXECUTE ANY PROCEDURE).
Limit to as few as people as possible and audit appropriately.
The first statements grants the right to create triggers in the schema of MY_USER. The owner will always by MY_USER.
The second statements grants the right to create triggers in ANY schema. The owner of the trigger can then be any user.
The last option is usually not wanted because it gives user MY_USERS the possibility to corrupt the data model.
I have a select statement in a stored procedure that I'd like to pull out and put into a view. The select statement pulls from dba_tables, dba_tab_partitions, and dba_tab_subpartitions.
If I run the statement on its own, it works fine. If I wrap it in a create view statement:
CREATE OR REPLACE VIEW "MYSCHEMA"."V_XWMS_TEST"
(
"OWNER"
,"SEGMENT_NAME"
,"PARTITION_NAME"
,"SEGMENT_TYPE"
,"TABLESPACE_NAME"
)
AS
SELECT "OWNER"
,"SEGMENT_NAME"
,"PARTITION_NAME"
,"SEGMENT_TYPE"
,"TABLESPACE_NAME"
FROM
[Original query]
then depending on which user I'm logged in as, I get either ORA-01031: insufficient privileges or ORA-00942: table or view does not exist. Again, with both users I can create views and I can run this select statement, but I can't run the select statement in the context of creating a view.
This might be caused by the difference between the system privilege SELECT ANY DICTIONARY and the role SELECT_CATALOG_ROLE.
On the surface they do the same thing by granting users access to the data dictionary. Either one of them would enable a user to run a query against tables like DBA_TABLES.
The difference is that roles are not enabled when creating objects with definer's rights, and views are always definer's rights. So to make the view work the user will need the system privilege SELECT ANY DICTIONARY, or a similar direct grant on individual objects.
ORA-01031: insufficient privileges or ORA-00942: table or view does not exist.
This error means that the new table from which the view is created doesn't have synonyms and grants created to be accessed by the schema in which the view is created.
I'm trying to create a view, and have distilled the problem down to the inability to create a view that references tables from a different schema.
For example, I can do:
select count(*) from otherschema.othertable;
and I can do:
create view foo as select count(*) as bar from oneofmytables;
But if I try:
create view foo as select count(*) as bar from otherschema.othertable;
I get an "insufficient privileges" error. What additional privileges do I need?
Do you have the grant to the other user's table directly? Or is it via a role? You will need the privilege to be granted directly in order to create an object (view, procedure, etc.) that references the other table. As a quick test, in SQL*Plus
SQL> set role none;
SQL> select count(*) from otherschema.othertable;
If that fails, then the problem is that you have been granted privileges on the table via a role.
I guess you have been given select right on otherschema.othertable via a role not via a direct grant.
If this is the case, you should connect as otheruser and then do a grant select on othertable to <your-schema>.
I believe that your DBA will need to grant you
create any view
privilege. Depending on the security restrictions at your site they may or not allow this. I typically do not
One of the pitfalls in Oracle is the fact that sometimes you can select from a table if you run a query in SQLplus but that you can't when running the query from a stored procedure. In order to run a query from a stored procedure you need a direct grant for the object and not a grant obtained through a role.
If I see a table in the all_tables view, how can I know if I can see this table because of a direct grant or because of a role grant?
Look at ALL_TAB_PRIVS:
select grantee from all_tab_privs
where table_schema = 'SCOTT' and table_name='EMP'
and privilege = 'SELECT';
This shows all grantees, whether roles or users.
One method to see exactly what a procedure would see is to issue the command:
SET ROLE none
It disables all roles for your current session.
When I try to execute a view that includes tables from different schemas an ORA-001031 Insufficient privileges is thrown. These tables have execute permission for the schema where the view was created. If I execute the view's SQL Statement it works. What am I missing?
Finally I got it to work. Steve's answer is right but not for all cases. It fails when that view is being executed from a third schema. For that to work you have to add the grant option:
GRANT SELECT ON [TABLE_NAME] TO [READ_USERNAME] WITH GRANT OPTION;
That way, [READ_USERNAME] can also grant select privilege over the view to another schema
As the table owner you need to grant SELECT access on the underlying tables to the user you are running the SELECT statement as.
grant SELECT on TABLE_NAME to READ_USERNAME;
Q. When is the "with grant option" required ?
A. when you have a view executed from a third schema.
Example:
schema DSDSW has a view called view_name
a) that view selects from a table in another schema (FDR.balance)
b) a third shema X_WORK tries to select from that view
Typical grants:
grant select on dsdw.view_name to dsdw_select_role;
grant dsdw_select_role to fdr;
But: fdr gets
select count(*) from dsdw.view_name;
ERROR at line 1:
ORA-01031: insufficient privileges
issue the grant:
grant select on fdr.balance to dsdw with grant option;
now fdr:
select count(*) from dsdw.view_name;
5 rows
Let me make a recap.
When you build a view containing object of different owners, those other owners have to grant "with grant option" to the owner of the view. So, the view owner can grant to other users or schemas....
Example:
User_a is the owner of a table called mine_a
User_b is the owner of a table called yours_b
Let's say user_b wants to create a view with a join of mine_a and yours_b
For the view to work fine, user_a has to give "grant select on mine_a to user_b with grant option"
Then user_b can grant select on that view to everybody.
If the view is accessed via a stored procedure, the execute grant is insufficient to access the view. You must grant select explicitly.
If the view is accessed via a stored procedure, the execute grant is insufficient to access the view. You must grant select explicitly.
simply type this
grant all on to public;
To use a view, the user must have the appropriate privileges but only for the view itself, not its underlying objects. However, if access privileges for the underlying objects of the view are removed, then the user no longer has access. This behavior occurs because the security domain that is used when a user queries the view is that of the definer of the view. If the privileges on the underlying objects are revoked from the view's definer, then the view becomes invalid, and no one can use the view. Therefore, even if a user has been granted access to the view, the user may not be able to use the view if the definer's rights have been revoked from the view's underlying objects.
Oracle Documentation
http://docs.oracle.com/cd/B28359_01/network.111/b28531/authorization.htm#DBSEG98017
you may also create view with schema name
for example create or replace view schema_name.view_name as select..