User access issue in Oracle 11G - oracle

In my Oracle DB, I have a user named test; this user has DML_ROLE in the DB. And I have provided insert/update/delete/select access to DML_ROLE on a table named hdr_detail.
But when user test executes an update query on the hdr_detail table, it gets the error message: Returned error: ORA-01031: insufficient privileges. It works fine when I provide the access directly to the user.
I'm confused why this error shows up only when I provide the access through a role.
Table structure:
COLUMN NAME   DATA TYPE
PERIOD        NUMBER
HDR_ID        VARCHAR2(50)
Query I use to update:
update test_sch.hdr_detail set period=201108 where hdr_id = 'check';
Statement I use to grant:
grant insert,select,update,delete on test_sch.hdr_detail to dml_role;
select * from dba_role_privs where grantee like 'TEST' returns the following result:
GRANTEE   GRANTED_ROLE   ADMIN_OPTION   DEFAULT_ROLE
TEST      DML_ROLE       NO             NO
select * from dba_tab_privs where table_name like 'HDR_DETAIL' returns the following result:
GRANTEE    OWNER      TABLE_NAME   GRANTOR    PRIVILEGE   GRANTABLE   HIERARCHY
DML_ROLE   TEST_SCH   HDR_DETAIL   TEST_SCH   DELETE      NO          NO
DML_ROLE   TEST_SCH   HDR_DETAIL   TEST_SCH   INSERT      NO          NO
DML_ROLE   TEST_SCH   HDR_DETAIL   TEST_SCH   SELECT      NO          NO
DML_ROLE   TEST_SCH   HDR_DETAIL   TEST_SCH   UPDATE      NO          NO
Please help me in resolving this issue. Reply in comment if any more information is needed about this issue.

Try setting the role as the user's default role:
ALTER USER test DEFAULT ROLE dml_role;
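Why the default-role setting matters here, as an added example that is not part of the original answer: the DBA_ROLE_PRIVS output in the question shows DEFAULT_ROLE = NO, so DML_ROLE is granted to TEST but not enabled at login. The statements reuse the question's names and assume DML_ROLE is not password-protected.

```sql
-- Run as TEST. SESSION_ROLES lists only the roles enabled in this session;
-- with DEFAULT_ROLE = NO, DML_ROLE is granted but does not appear here.
SELECT role FROM session_roles;

-- Object privileges this session can actually use (direct grants,
-- enabled roles, PUBLIC). No HDR_DETAIL rows means the role is not active.
SELECT grantee, privilege
  FROM all_tab_privs
 WHERE table_schema = 'TEST_SCH'
   AND table_name   = 'HDR_DETAIL';

-- Enable the role for this session only. SET ROLE replaces the whole set
-- of enabled roles, so list every role the session still needs.
SET ROLE dml_role;

-- Retry the statement from the question, then undo it.
UPDATE test_sch.hdr_detail SET period = 201108 WHERE hdr_id = 'check';
ROLLBACK;

-- Permanent fix, run by a DBA. DEFAULT ROLE with a role list makes exactly
-- those roles the defaults; any other role granted to TEST becomes
-- non-default. DEFAULT ROLE ALL enables every granted role at login.
ALTER USER test DEFAULT ROLE dml_role;
```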

It could be an issue with how you are accessing the database object HDR_DETAIL.
From Don Burleson (http://www.dba-oracle.com/concepts/roles_security.htm):
Oracle roles have some limitations. In particular object privileges are granted through Oracle roles can not be used when writing PL/SQL code. When writing PL/SQL code, you must have direct grants to the objects in the database that your code is accessing.
If your user is issuing the UPDATE through an application or PL/SQL block then it will not use the role-based permissions. If this is the case you will have to grant the permissions directly.

That seems impossible.
Are you sure that your user connects to the correct DB and schema, and queries the right table?
I'm stunned.
Please try
select * from test_sch.hdr_detail;
with the test user.

Related

ORA-01435: user does not exist when accessing V$Locked_Object in Oracle

I am trying to run the query below from SOME_USER:
SELECT * FROM V$Locked_Object; -- Public Synonym
I also tried
SELECT * FROM "SYS"."V_$LOCKED_OBJECT";
and am getting:
ORA-01435: user does not exist
01435. 00000 - "user does not exist"
*Cause:
*Action:
I have given these grants from SYS to SOME_USER:
grant select on "SYS"."V_$LOCKED_OBJECT" to SOME_USER;
Still getting the same error.
I noticed that I am able to access other public synonyms in SOME_USER like V$LOCK_ACTIVITY, v$lock_type etc. I am getting this error when trying V$Locked_Object and V$LOCK only. Please suggest; maybe I am missing some basics.
Oracle Version - Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit Production
I'd suggest you check against the metadata.
First, check whether the object exists in the DB at all (I'm sure it exists, but still, for double-checking).
I hope you have access to the dba_% objects:
select * from dba_objects where object_name like 'V%LOCKED%OBJ%';
Then, check if you have the permissions to access that object:
select * from all_objects where object_name like 'V%LOCKED%OBJ%';
If the object exists in the dba_ table and cannot be found in all_, it means you don't have the permissions for it. Execute the following for double-checking:
select *
from user_tab_privs
where table_name like 'V%LOCKED%OBJ%';
You'll probably get nothing here as you can't find the object, so the next thing I'd check is the role name that has access to that particular object:
select *
from role_tab_privs
where table_name like 'V%LOCKED%OBJ%';
Then, check if you have that role assigned to your user:
select * from session_roles;
I hope this will help.
use
select * from "SYS"."V$locked_objects"

How to know if I can delete with my oracle user? Without actually deleting anything?

That's it:
How to know if I can delete with my oracle user? Without actually deleting anything?
I'm using a database that I don't own, nor have full access.
This information is available in the data-dictionary.
You can check for direct grants to you via:
SELECT OWNER, TABLE_NAME
FROM USER_TAB_PRIVS
WHERE PRIVILEGE = 'DELETE';
You can also check for privileges accessible through a ROLE by:
SELECT ROLE, TABLE_SCHEMA, TABLE_NAME
FROM SESSION_ROLES
INNER JOIN ALL_TAB_PRIVS
ON SESSION_ROLES.ROLE = ALL_TAB_PRIVS.GRANTEE
AND PRIVILEGE = 'DELETE';

oracle table entry does not exist

While installing SAP on a 3-tiered architecture, I need to install the database instance (Oracle) and the central instance (SAP) on two different machines.
After completing the database install and proceeding with the central instance installation, the setup tries to access a table and fails with the following error:
SELECT USERID, PASSWD FROM SAPUSER WHERE USERID IN (:A0, :A1)
OCI-call failed with -1=OCI_ERROR SQL error 942: 'ORA-00942: table or view does not exist'
*** ERROR => ORA-942 when accessing table SAPUSER
So I checked and found out that two cases are possible:
Table does not exist, or
User has no access rights to this table.
Next I checked for the table, and found an entry in dba_tables:
SQL> select owner from dba_tables where table_name='SAPUSER';
OWNER
------------------------------
OPS$E64ADM
But when trying to fetch data from it using a select query:
SQL> select * from SAPUSER;
select * from SAPUSER
*
ERROR at line 1:
ORA-00942: table or view does not exist
Now I am confused whether the table is available or not. What is the reason for this, and how can it be resolved?
It depends on where you are accessing the object from.
Check to see which user you are logged in as:
SQL> SHOW USER
This will show which user you are logged in as.
If you are in OPS$E64ADM, then directly query using
SQL> select * from SAPUSER;
If SHOW USER shows any other user, you need a privilege to access it from other users; you can ask the DBA or, if you have access, run
SQL> grant select on OPS$E64ADM.SAPUSER to username; -- the username from which you want to access the table;
Then you can access it from the other user, using
SQL> select * from OPS$E64ADM.SAPUSER;
Who are you signed in as? Unless it's the owner of the table, you will need to change your code to include the owner, i.e.
select * from OPS$E64ADM.SAPUSER;

Oracle SELECT granted but still can't access table across users

Can anyone see what's wrong with this:
User ABC:
create table def.something (
id number,
ref number references def.anotherTable(id)
);
create role ROUser;
grant select on def.something to ROUser;
grant ROUser to ghi;
User DEF:
select * from something;
...
X rows returned
User GHI:
select * from def.something;
ORA-00942: table or view does not exist
Is the fact that there's a foreign key, that GHI doesn't have access to, on def.something the problem?
EDIT I've just tried this again on another server and it works fine (i.e., as expected). Not entirely sure what's going on here, but I think it may have something to do with some error on my part... As such, I'm voting to close the question.
You are most probably running that SELECT statement in a PL/SQL block? In PL/SQL, privileges granted through roles are not recognized. Try adding a direct SELECT privilege on that table and see if it works.

How can I ensure a grant has been performed?

In Oracle, when I run:
GRANT SELECT on MYSCHEMA.ORDERS to APP_USER;
What query can I run in Oracle to check if this grant exists? I would like to validate that this grant is correctly created in our development, QA, and production databases.
You can get that from the all_tab_privs performance view, or the user_ or dba_ equivalents depending on your situation and privileges:
select *
from all_tab_privs
where table_schema = 'MYSCHEMA'
and table_name = 'ORDERS'
and grantee = 'APP_USER';
To see everyone who has access, leave off the grantee filter. Note though that the grantee may be (and quite probably should be) a role, not an individual user. In that case you'd need to see who has that role granted to get the full picture, and roles can be granted to roles, so that can get a bit recursive.
Execute the following (if you are logged in as app_user):
select owner from user_tab_privs where table_name='ORDERS' and grantee='APP_USER' and owner='MYSCHEMA';
If you are logged in as dba, then execute the following:
select owner from dba_tab_privs where table_name='ORDERS' and grantee='APP_USER' and owner='MYSCHEMA';
If the grant was successful, then the above SQL statements should have non-null output.
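The recursion mentioned in the first answer (a grant made to a role, and roles granted to roles) written as a single query. This is an added example, not part of either answer; it reuses the question's MYSCHEMA.ORDERS and APP_USER and assumes access to the DBA_ views.

```sql
-- Every path by which APP_USER holds a privilege on MYSCHEMA.ORDERS:
-- a direct grant, a grant to PUBLIC, or a grant to a role reached
-- through any depth of role-to-role grants.
-- This reports what is granted, not what is enabled in a given session;
-- a non-default role still appears here (compare with SESSION_ROLES).
WITH role_tree AS (
    SELECT granted_role AS grantee,
           SYS_CONNECT_BY_PATH(granted_role, ' > ') AS role_path
      FROM dba_role_privs
     START WITH grantee = 'APP_USER'
   CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
grantees AS (
    SELECT 'APP_USER' AS grantee, 'direct grant' AS how FROM dual
    UNION ALL
    SELECT 'PUBLIC', 'granted to PUBLIC' FROM dual
    UNION ALL
    SELECT grantee, 'via role' || role_path FROM role_tree
)
SELECT p.privilege, g.how
  FROM dba_tab_privs p
  JOIN grantees g ON g.grantee = p.grantee
 WHERE p.owner      = 'MYSCHEMA'
   AND p.table_name = 'ORDERS'
 ORDER BY p.privilege, g.how;
```

An empty result in one environment and rows in another pinpoints where the grant, or the role membership behind it, is missing.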
