I'm trying to create a view, and have distilled the problem down to the inability to create a view that references tables from a different schema.
For example, I can do:
select count(*) from otherschema.othertable;
and I can do:
create view foo as select count(*) as bar from oneofmytables;
But if I try:
create view foo as select count(*) as bar from otherschema.othertable;
I get an "insufficient privileges" error. What additional privileges do I need?
Do you have the grant to the other user's table directly? Or is it via a role? You will need the privilege to be granted directly in order to create an object (view, procedure, etc.) that references the other table. As a quick test, in SQL*Plus
SQL> set role none;
SQL> select count(*) from otherschema.othertable;
If that fails, then the problem is that you have been granted privileges on the table via a role.
I guess you have been given select right on otherschema.othertable via a role not via a direct grant.
If this is the case, you should connect as otheruser and then do a grant select on othertable to <your-schema>.
I believe that your DBA will need to grant you
create any view
privilege. Depending on the security restrictions at your site they may or not allow this. I typically do not
Related
I have a select statement in a stored procedure that I'd like to pull out and put into a view. The select statement pulls from dba_tables, dba_tab_partitions, and dba_tab_subpartitions.
If I run the statement on its own, it works fine. If I wrap it in a create view statement:
CREATE OR REPLACE VIEW "MYSCHEMA"."V_XWMS_TEST"
(
"OWNER"
,"SEGMENT_NAME"
,"PARTITION_NAME"
,"SEGMENT_TYPE"
,"TABLESPACE_NAME"
)
AS
SELECT "OWNER"
,"SEGMENT_NAME"
,"PARTITION_NAME"
,"SEGMENT_TYPE"
,"TABLESPACE_NAME"
FROM
[Original query]
then depending on which user I'm logged in as, I get either ORA-01031: insufficient privileges or ORA-00942: table or view does not exist. Again, with both users I can create views and I can run this select statement, but I can't run the select statement in the context of creating a view.
This might be caused by the difference between the system privilege SELECT ANY DICTIONARY and the role SELECT_CATALOG_ROLE.
On the surface they do the same thing by granting users access to the data dictionary. Either one of them would enable a user to run a query against tables like DBA_TABLES.
The difference is that roles are not enabled when creating objects with definer's rights, and views are always definer's rights. So to make the view work the user will need the system privilege SELECT ANY DICTIONARY, or a similar direct grant on individual objects.
ORA-01031: insufficient privileges or ORA-00942: table or view does not exist.
This error means that the new table from which the view is created doesn't have synonyms and grants created to be accessed by the schema in which the view is created.
In Oracle, I attempt to create a view like this
create view ddd as
select *
from myschema1.t1
join myschema2.t2
....
When I run this statement, I get an error ORA-01031 : insufficient privileges. If I just execute the query in Query Worksheet, however, it works.
Why does my CREATE VIEW statement fail and what privileges do I need in order to make the statement succeed?
In order to create a view that references myschema1.t1 and myschema2.t2, the user that owns the view has to be given access to those two tables directly, not via a role. My first guess is that you have been granted the privileges on the underlying table via a role. You can verify that in SQL*Plus by disabling roles and re-running the query. If you do
SQL> set role none;
SQL> select *
from myschema1.t1
join myschema2.t2 ...
does the query work? If not, then you only have the privileges granted via a role not directly. Note that if you want to be able to grant other users access to your view, you need to be granted privileges on the objects WITH GRANT OPTION.
GRANT SELECT ON myschema1.t1 TO <<user that will own the view>> WITH GRANT OPTION;
GRANT SELECT ON myschema2.t2 TO <<user that will own the view>> WITH GRANT OPTION;
If the problem is not with the privileges on the underlying objects, the problem is most likely that you have not been granted the CREATE VIEW privilege.
That sounds like you don't have the CREATE VIEW privilege. If you didn't have access to the tables, you should get ORA-00942: table or view does not exist.
I have tables in Schema A. I created views in Schema B using the tables in schema A.
I want to grant permissions to a user to select the data from view in Schema B.
For this to work i know we have to enable the grant option on tables in Schema A to user B.
But I want to do it in a single script (This script has to be in schema B). Is there a way to do this using the user name/password of schema A.
It's not unusual to want to have a single script to deploy a change. The thing is, such a script needs to be run by a power user, because it needs to have system privileges at the ANY level. This usually means a DBA account, preferably an application account but otherwise SYSTEM or SYS.
So the script you want would look like this:
grant select on user_a.t23 to user_b
/
grant select on user_a.t42 to user_b
/
create view user_b.v_69 as
select t23.col1, t42.col2
from user_a.t42
join user_a.t23
on (t42.id = t23.id)
/
grant select on user_b.v_69 to user_c
/
A common scenario is that we have a suite of individual scripts which have been written to be run by different users but which we now need to bundle up into a single deployment. The original scripts don't contain the schema names, and there are many good reasons why we wouldn't want to hardcode them in the scripts.
One way to build that master script is to use change the CURRENT_SCHEMA syntax:
alter session set current_schema=USER_A
/
#run_grants_to_userb.sql
alter session set current_schema=USER_B
/
#create_view69.sql
#run_grants_to_userc.sql
We still need a DBA user to run the master script. One advantage of switching the current schema is that it allows us to deploy objects like database links, which through a quirk of syntax cannot have the schema name in their declaration. One gotcha is that the user doesn't change, so a script which employs the USER pseudo-column may produce unwanted results.
Simply Run the query
GRANT INSERT, SELECT, UPDATE, DELETE ON TABLE1 TO SCHEMA2;
Only by connecting as user A at some point. You can still do it in one script if you really want to:
connect userA/passwordA
grant select on my_table to userB;
connect userB/passwordB
create view my_view as select * from userA.my_table;
Of course now you have a script lying around which exposes two sets of user credentials to anyone who can read it. So something to think hard about before doing in production, for example.
If you want other users to be able to select from the view, you don't need to grant explicit permissions on userA.my_table to them; as long as the view owner can see the underlying table, other users just need to be able to see the view. Which is often kinda the point (or one of them) as you can restrict the view to only expose selected data from the underlying table to the rest of the world. I assume you have a reason for not creating the view in schema A.
I'm not sure if you're really asking about granting select to user B with admin option so that user B can then grant select on user A's table to other people. If that's possible, it doesn't sound like a good idea, and isn't necessary for the view to work.
Let user A grant select on his tables to B and include the 'grant option'.
As user A:
GRANT select ON table TO user_b WITH GRANT OPTION;
Let user B grant select on his views to user A and include the 'grant option'.
As user B:
GRANT select ON view TO user_a WITH GRANT OPTION;
As user A:
GRANT select on user_b.view TO user_c;
This allows user A to pass this grant on to other users.
One of the pitfalls in Oracle is the fact that sometimes you can select from a table if you run a query in SQLplus but that you can't when running the query from a stored procedure. In order to run a query from a stored procedure you need a direct grant for the object and not a grant obtained through a role.
If I see a table in the all_tables view, how can I know if I can see this table because of a direct grant or because of a role grant?
Look at ALL_TAB_PRIVS:
select grantee from all_tab_privs
where table_schema = 'SCOTT' and table_name='EMP'
and privilege = 'SELECT';
This shows all grantees, whether roles or users.
One method to see exactly what a procedure would see is to issue the command:
SET ROLE none
It disables all roles for your current session.
When I try to execute a view that includes tables from different schemas an ORA-001031 Insufficient privileges is thrown. These tables have execute permission for the schema where the view was created. If I execute the view's SQL Statement it works. What am I missing?
Finally I got it to work. Steve's answer is right but not for all cases. It fails when that view is being executed from a third schema. For that to work you have to add the grant option:
GRANT SELECT ON [TABLE_NAME] TO [READ_USERNAME] WITH GRANT OPTION;
That way, [READ_USERNAME] can also grant select privilege over the view to another schema
As the table owner you need to grant SELECT access on the underlying tables to the user you are running the SELECT statement as.
grant SELECT on TABLE_NAME to READ_USERNAME;
Q. When is the "with grant option" required ?
A. when you have a view executed from a third schema.
Example:
schema DSDSW has a view called view_name
a) that view selects from a table in another schema (FDR.balance)
b) a third shema X_WORK tries to select from that view
Typical grants:
grant select on dsdw.view_name to dsdw_select_role;
grant dsdw_select_role to fdr;
But: fdr gets
select count(*) from dsdw.view_name;
ERROR at line 1:
ORA-01031: insufficient privileges
issue the grant:
grant select on fdr.balance to dsdw with grant option;
now fdr:
select count(*) from dsdw.view_name;
5 rows
Let me make a recap.
When you build a view containing object of different owners, those other owners have to grant "with grant option" to the owner of the view. So, the view owner can grant to other users or schemas....
Example:
User_a is the owner of a table called mine_a
User_b is the owner of a table called yours_b
Let's say user_b wants to create a view with a join of mine_a and yours_b
For the view to work fine, user_a has to give "grant select on mine_a to user_b with grant option"
Then user_b can grant select on that view to everybody.
If the view is accessed via a stored procedure, the execute grant is insufficient to access the view. You must grant select explicitly.
If the view is accessed via a stored procedure, the execute grant is insufficient to access the view. You must grant select explicitly.
simply type this
grant all on to public;
To use a view, the user must have the appropriate privileges but only for the view itself, not its underlying objects. However, if access privileges for the underlying objects of the view are removed, then the user no longer has access. This behavior occurs because the security domain that is used when a user queries the view is that of the definer of the view. If the privileges on the underlying objects are revoked from the view's definer, then the view becomes invalid, and no one can use the view. Therefore, even if a user has been granted access to the view, the user may not be able to use the view if the definer's rights have been revoked from the view's underlying objects.
Oracle Documentation
http://docs.oracle.com/cd/B28359_01/network.111/b28531/authorization.htm#DBSEG98017
you may also create view with schema name
for example create or replace view schema_name.view_name as select..