
9 Oracle PLSQL Part2 m9 Slides

The document discusses roles and privileges with subprograms in Oracle. It covers the AUTHID clause and how it determines whether external references are resolved based on the definer or current user privileges. The AUTHID DEFINER setting means external references use the definer's privileges, while AUTHID CURRENT_USER means the invoker's privileges are used. It also discusses how roles, grants, and privileges are evaluated differently depending on the AUTHID setting.


Roles & Privileges with Subprograms

!!

Pankaj Jain

@twit_pankajj

Resolution
Namespace
demo schema

demo session

hr_mgmt package

!
!

update_emp

exec hr_mgmt.update_emp;

exec update_emp;

procedure
update_emp

test session
exec demo.update_emp;

test schema
procedure
update_emp

Public Synonym
update_emp
exec update_emp;

-- Allow user test to run update_emp. When the unit omits AUTHID it defaults to
-- definer's rights, so every grantee runs it with the owner's privileges:
-- keep EXECUTE grants as narrow as the callers actually need.
GRANT EXECUTE ON update_emp TO test;

-- The public synonym only makes the unqualified name resolvable for all users;
-- it conveys no privilege, so callers still depend on the EXECUTE grant above.
-- An object named update_emp in the caller's own schema is found before the synonym.
CREATE PUBLIC SYNONYM update_emp FOR demo.update_emp;


AUTHID Clause
! PLW-05018: unit <subprogram_name> omitted optional AUTHID clause: default value DEFINER used
!
DEFINER

Default Value

CURRENT_USER


AUTHID Clause
!
!

AUTHID { DEFINER | CURRENT_USER } { IS | AS }

Standalone Procedure

!
!

CREATE OR REPLACE PROCEDURE update_emp AUTHID DEFINER IS

Standalone Function

!
!

CREATE OR REPLACE FUNCTION get_count RETURN NUMBER AUTHID CURRENT_USER IS

Packaged Subprograms
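-- Package specification. AUTHID is stated once, on the package, and covers every
-- subprogram declared in it: here all of them run with the invoker's privileges.
CREATE OR REPLACE PACKAGE hr_mgmt AUTHID CURRENT_USER AS

    -- Returns a NUMBER derived from the salary passed in.
    FUNCTION get_tier(p_sal NUMBER) RETURN NUMBER;

    -- A procedure has no RETURN clause; the slide's "RETURN NUMBER" would not compile.
    PROCEDURE update_emp(p_emp_id NUMBER, p_location VARCHAR2);

END hr_mgmt;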

AUTHID DEFINER
Default Value
External References Resolved in the Schema of the Owner

!
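-- Sets emp_loc for every employee of one department and returns the number of rows changed.
--
-- AUTHID DEFINER (also the default): the unqualified name "employee" is resolved in the
-- owner's schema and the UPDATE runs with the owner's privileges, whoever the caller is.
-- Anyone holding EXECUTE can therefore change the owner's table through this function,
-- so grant EXECUTE only to callers that should have that ability.
--
-- Parameters:
--   p_dept_id  - department whose employees are updated
--   p_location - new value for emp_loc
-- Returns: rows updated by the UPDATE statement.
-- Raises:  any error is re-raised after the backtrace is printed and the work rolled back.
CREATE OR REPLACE FUNCTION update_emp(p_dept_id  NUMBER,
                                      p_location VARCHAR2)
    RETURN NUMBER
    AUTHID DEFINER
IS
    l_count NUMBER;
BEGIN
    UPDATE employee
       SET emp_loc = p_location
     WHERE emp_dept_id = p_dept_id;

    -- SQL%ROWCOUNT describes the most recent SQL statement, so it has to be read
    -- before COMMIT; read afterwards it no longer reports the UPDATE's row count.
    l_count := SQL%ROWCOUNT;

    -- Note: this COMMIT also ends whatever transaction the caller had open.
    COMMIT;
    RETURN l_count;
EXCEPTION
    WHEN OTHERS THEN
        -- DBMS_OUTPUT is only visible to a client that has enabled it; it is not a log.
        DBMS_OUTPUT.PUT_LINE(DBMS_UTILITY.FORMAT_ERROR_BACKTRACE);
        ROLLBACK;
        RAISE;
END update_emp;
/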

AUTHID DEFINER
demo schema

test schema

Table Employee

!
!
!

Table

Function

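-- Abridged on the slide: IS/BEGIN, the declarations and the RETURN are not shown.
-- AUTHID DEFINER: the unqualified name "employee" is resolved in the owner's schema
-- and the UPDATE runs with the owner's privileges, regardless of the calling session.
CREATE OR REPLACE FUNCTION update_emp
    (p_dept_id  NUMBER,
     p_location VARCHAR2)
    RETURN NUMBER AUTHID DEFINER
    -- ... omitted on the slide ...
    UPDATE employee
       SET emp_loc = p_location
     WHERE emp_dept_id = p_dept_id;
    -- ... omitted on the slide ...
END update_emp;  -- label must match the function name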

demo session
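-- Calls update_emp by its unqualified name and keeps the returned NUMBER in l_count.
DECLARE
    l_count NUMBER;
BEGIN
    -- p_location is a VARCHAR2, so the value has to be a quoted string literal.
    l_count := update_emp(1, 'WA');
END;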

!
!

Employee
Function

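-- Abridged on the slide: IS/BEGIN, the declarations and the RETURN are not shown.
-- Definer's rights: whichever schema owns this copy of the function is the schema
-- in which "employee" is looked up and whose privileges the UPDATE uses.
CREATE OR REPLACE FUNCTION update_emp
    (p_dept_id  NUMBER,
     p_location VARCHAR2)
    RETURN NUMBER AUTHID DEFINER
    -- ... omitted on the slide ...
    UPDATE employee
       SET emp_loc = p_location
     WHERE emp_dept_id = p_dept_id;
    -- ... omitted on the slide ...
END update_emp;  -- label must match the function name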

test session
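-- Calls the function through its schema-qualified name, so demo's copy is the one
-- that runs even if the calling schema has an update_emp of its own.
DECLARE
    l_count NUMBER;
BEGIN
    -- p_location is a VARCHAR2, so the value has to be a quoted string literal.
    l_count := demo.update_emp(1, 'WA');
END;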

test session
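-- Unqualified call: the name update_emp is resolved from the calling session's schema.
DECLARE
    l_count NUMBER;
BEGIN
    -- p_location is a VARCHAR2, so the value has to be a quoted string literal.
    l_count := update_emp(1, 'WA');
END;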

AUTHID CURRENT_USER
demo schema
Table Employee

! !
!
!

Function

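-- Abridged on the slide: IS/BEGIN, the declarations and the RETURN are not shown.
-- AUTHID CURRENT_USER: the unqualified name "employee" in the UPDATE is resolved at
-- run time in the invoker's schema and checked against the invoker's privileges.
CREATE OR REPLACE FUNCTION update_emp
    (p_dept_id  NUMBER,
     p_location VARCHAR2)
    RETURN NUMBER AUTHID CURRENT_USER
    -- ... omitted on the slide ...
    UPDATE employee
       SET emp_loc = p_location
     WHERE emp_dept_id = p_dept_id;
    l_count := get_emp_count;  -- the slide spells this get_emp_cout
    -- ... omitted on the slide ...
END update_emp;  -- label must match the function name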

!
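-- Calls update_emp by its unqualified name and keeps the returned NUMBER in l_count.
DECLARE
    l_count NUMBER;
BEGIN
    -- p_location is a VARCHAR2, so the value has to be a quoted string literal.
    l_count := update_emp(1, 'WA');
END;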

test schema
Table

Employee

!
!
!
!

demo
session

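-- Calls demo's invoker's-rights function from another session: the caller's own
-- privileges and schema decide which "employee" table the function's UPDATE touches.
DECLARE
    l_count NUMBER;
BEGIN
    -- p_location is a VARCHAR2, so the value has to be a quoted string literal.
    l_count := demo.update_emp(1, 'WA');
END;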

test
session

External References for AUTHID CURRENT_USER

DML Statements

Dynamic SQL
Statements

Open & Open for


Cursor
Statements

Lock Table
Statements

External References for AUTHID CURRENT_USER


demo schema
Table Employee

! !
!
!
!

Function

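-- Abridged on the slide: IS/BEGIN, the declarations and the RETURN are not shown.
-- AUTHID CURRENT_USER: the UPDATE is a DML statement, so "employee" is resolved at
-- run time in the invoker's schema with the invoker's privileges.
CREATE OR REPLACE FUNCTION update_emp
    (p_dept_id  NUMBER,
     p_location VARCHAR2)
    RETURN NUMBER AUTHID CURRENT_USER
    -- ... omitted on the slide ...
    UPDATE employee
       SET emp_loc = p_location
     WHERE emp_dept_id = p_dept_id;
    -- NOTE(review): a plain PL/SQL call is not among the statement kinds the slide lists
    -- for invoker resolution, so this presumably binds to the owner's get_emp_count - confirm.
    l_count := get_emp_count;  -- the slide spells this get_emp_cout
    -- ... omitted on the slide ...
END update_emp;  -- label must match the function name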

Function
CREATE OR REPLACE FUNCTION
get_emp_count RETURN NUMBER
AUTHID DEFINER IS

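-- Calls update_emp by its unqualified name and keeps the returned NUMBER in l_count.
DECLARE
    l_count NUMBER;
BEGIN
    -- p_location is a VARCHAR2, so the value has to be a quoted string literal.
    l_count := update_emp(1, 'WA');
END;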

demo
session

test schema
Table

Employee

!
!
!
!

Function
CREATE OR REPLACE FUNCTION
get_emp_count RETURN NUMBER
AUTHID DEFINER IS

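-- Calls demo's function by its schema-qualified name and keeps the result in l_count.
DECLARE
    l_count NUMBER;
BEGIN
    -- p_location is a VARCHAR2, so the value has to be a quoted string literal.
    l_count := demo.update_emp(1, 'WA');
END;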

test
session

External References For AUTHID CURRENT_USER


demo schema
Table Employee

! !
!
!
!

test schema
Table

Function

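-- Abridged on the slide: IS/BEGIN, the declarations and the RETURN are not shown.
-- AUTHID CURRENT_USER: names inside SQL statements are resolved at run time in the
-- invoker's schema with the invoker's privileges.
CREATE OR REPLACE FUNCTION update_emp
    (p_dept_id  NUMBER,
     p_location VARCHAR2)
    RETURN NUMBER AUTHID CURRENT_USER
    -- ... omitted on the slide ...
    UPDATE employee
       SET emp_loc = p_location
     WHERE emp_dept_id = p_dept_id;
    -- Here the function is called from inside a SELECT, so its name is an external
    -- reference of a SQL statement and is looked up as the invoker, not as the owner.
    SELECT get_emp_count INTO l_count FROM dual;  -- the slide spells this get_emp_cout
    -- ... omitted on the slide ...
END update_emp;  -- label must match the function name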

Function
CREATE OR REPLACE FUNCTION
get_emp_count RETURN NUMBER
AUTHID DEFINER IS

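-- Calls update_emp by its unqualified name and keeps the returned NUMBER in l_count.
DECLARE
    l_count NUMBER;
BEGIN
    -- p_location is a VARCHAR2, so the value has to be a quoted string literal.
    l_count := update_emp(1, 'WA');
END;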

demo
session

Employee

!
!
!

Function
CREATE OR REPLACE FUNCTION
get_emp_count RETURN NUMBER
AUTHID DEFINER IS

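-- Calls demo's function by its schema-qualified name and keeps the result in l_count.
DECLARE
    l_count NUMBER;
BEGIN
    -- p_location is a VARCHAR2, so the value has to be a quoted string literal.
    l_count := demo.update_emp(1, 'WA');
END;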

test
session

Invoker to Definer
demo schema
Table Employee

! !
!
!
!
!
!

Function

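-- Abridged on the slide: IS/BEGIN, the declarations and the RETURN are not shown.
-- Invoker's rights: the UPDATE works on the "employee" table of the calling session's
-- schema. Per the slide's labels, the definer's-rights get_emp_count it then calls
-- switches back to that function's owner for its own query.
CREATE OR REPLACE FUNCTION update_emp
    (p_dept_id  NUMBER,
     p_location VARCHAR2)
    RETURN NUMBER AUTHID CURRENT_USER
    -- ... omitted on the slide ...
    UPDATE employee
       SET emp_loc = p_location
     WHERE emp_dept_id = p_dept_id;
    l_count := get_emp_count;  -- the slide spells this get_emp_cout
    -- ... omitted on the slide ...
END update_emp;  -- label must match the function name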

test schema
Table

Employee

test
session
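-- Calls demo's function by its schema-qualified name and keeps the result in l_count.
DECLARE
    l_count NUMBER;
BEGIN
    -- p_location is a VARCHAR2, so the value has to be a quoted string literal.
    l_count := demo.update_emp(1, 'WA');
END;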

Function
CREATE OR REPLACE FUNCTION
get_emp_count RETURN NUMBER
AUTHID DEFINER IS

SELECT COUNT(*) INTO l_count FROM


employee

test

test session

demo

INVOKER DEFINER

Invoker to Invoker
demo schema
Table Employee

! !
!
!
!
!
!

Function

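-- Abridged on the slide: IS/BEGIN, the declarations and the RETURN are not shown.
-- Invoker's rights calling invoker's rights: per the slide's labels, both this UPDATE
-- and the query inside get_emp_count use the calling session's schema and privileges.
CREATE OR REPLACE FUNCTION update_emp
    (p_dept_id  NUMBER,
     p_location VARCHAR2)
    RETURN NUMBER AUTHID CURRENT_USER
    -- ... omitted on the slide ...
    UPDATE employee
       SET emp_loc = p_location
     WHERE emp_dept_id = p_dept_id;
    l_count := get_emp_count;  -- the slide spells this get_emp_cout
    -- ... omitted on the slide ...
END update_emp;  -- label must match the function name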

test schema
Table

Employee

test
session
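-- Calls demo's function by its schema-qualified name and keeps the result in l_count.
DECLARE
    l_count NUMBER;
BEGIN
    -- p_location is a VARCHAR2, so the value has to be a quoted string literal.
    l_count := demo.update_emp(1, 'WA');
END;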

Function
CREATE OR REPLACE FUNCTION
get_emp_count RETURN NUMBER
AUTHID CURRENT_USER IS

SELECT COUNT(*) INTO l_count FROM


employee

test

test session

test

INVOKER INVOKER

Definer to Invoker
demo schema
Table Employee

! !
!
!
!
!
!

Function

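-- Abridged on the slide: IS/BEGIN, the declarations and the RETURN are not shown.
-- Definer's rights calling invoker's rights: the UPDATE runs as the owner, and per the
-- slide's labels the invoker's-rights get_emp_count then treats that owner as its
-- current user, so the original session's privileges are not used for either step.
CREATE OR REPLACE FUNCTION update_emp
    (p_dept_id  NUMBER,
     p_location VARCHAR2)
    RETURN NUMBER AUTHID DEFINER
    -- ... omitted on the slide ...
    UPDATE employee
       SET emp_loc = p_location
     WHERE emp_dept_id = p_dept_id;
    l_count := get_emp_count;  -- the slide spells this get_emp_cout
    -- ... omitted on the slide ...
END update_emp;  -- label must match the function name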

test schema
Table

Employee

test
session
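-- Calls demo's function by its schema-qualified name and keeps the result in l_count.
DECLARE
    l_count NUMBER;
BEGIN
    -- p_location is a VARCHAR2, so the value has to be a quoted string literal.
    l_count := demo.update_emp(1, 'WA');
END;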

Function
CREATE OR REPLACE FUNCTION
get_emp_count RETURN NUMBER
AUTHID CURRENT_USER IS

SELECT COUNT(*) INTO l_count FROM


employee

demo
test session

demo

DEFINER INVOKER

Direct Grants

Explicitly Granting Privileges to User Directly

!
-- Direct grants: the privileges are given to user test itself rather than to a role.
GRANT SELECT, INSERT, UPDATE, DELETE ON demo.employee TO test;
GRANT EXECUTE ON demo.get_emp_count TO test;

Roles

Granting Multiple Privileges to User(s)


Can Be Granted to Another Role
Based on Functions or Business Role

!
-- Bundle the privileges in a role, then hand the role to the user.
CREATE ROLE human_resources;

GRANT SELECT, INSERT, UPDATE, DELETE ON demo.employee TO human_resources;
GRANT EXECUTE ON demo.get_emp_count TO human_resources;

-- Everything granted to the role reaches test through this one grant,
-- and is withdrawn again by revoking the role.
GRANT human_resources TO test;


Privileges for AUTHID DEFINER


Roles Disabled (privileges held only through a role are not used inside the unit)
Only Direct Grants Work
test session

!
-- Definer's-rights function that updates demo.employee and returns what
-- demo.get_emp_count reports for the same department.
-- Roles are disabled inside a definer's-rights unit, so the owning schema needs
-- direct grants on demo.employee and demo.get_emp_count for this to compile and run.
CREATE OR REPLACE FUNCTION update_emp(
    p_dept_id  NUMBER,
    p_location VARCHAR2
) RETURN NUMBER
AUTHID DEFINER
IS
    l_emp_total NUMBER;
BEGIN
    UPDATE demo.employee
       SET emp_loc = p_location
     WHERE emp_dept_id = p_dept_id;
    COMMIT;  -- also ends whatever transaction the caller had open

    l_emp_total := demo.get_emp_count(p_dept_id);
    RETURN l_emp_total;
EXCEPTION
    WHEN OTHERS THEN
        -- Print where the error was raised, undo uncommitted work, then re-raise.
        DBMS_OUTPUT.PUT_LINE(DBMS_UTILITY.FORMAT_ERROR_BACKTRACE);
        ROLLBACK;
        RAISE;
END update_emp;


Privileges for AUTHID CURRENT_USER


Roles Enabled for Runtime Evaluation
Compilation Requires Direct Grants in Compiling Schema


Privileges for AUTHID CURRENT_USER


!

test session

-- Invoker's-rights function that updates demo.employee and returns what
-- demo.get_emp_count reports for the same department.
-- At run time the caller's privileges apply, including those received through
-- enabled roles; compiling it still needs direct grants in the compiling schema.
CREATE OR REPLACE FUNCTION update_emp(
    p_dept_id  NUMBER,
    p_location VARCHAR2
) RETURN NUMBER
AUTHID CURRENT_USER
IS
    l_dept_count NUMBER;
BEGIN
    UPDATE demo.employee
       SET emp_loc = p_location
     WHERE emp_dept_id = p_dept_id;
    COMMIT;  -- also ends whatever transaction the caller had open

    l_dept_count := demo.get_emp_count(p_dept_id);
    RETURN l_dept_count;
EXCEPTION
    WHEN OTHERS THEN
        -- Print where the error was raised, undo uncommitted work, then re-raise.
        DBMS_OUTPUT.PUT_LINE(DBMS_UTILITY.FORMAT_ERROR_BACKTRACE);
        ROLLBACK;
        RAISE;
END update_emp;

dev

-- Role that carries the table privileges on demo.employee.
-- The function shown with it only issues an UPDATE on this table, so a deployment
-- would normally grant the role just the privileges its callers need.
CREATE ROLE hr_role;

GRANT SELECT, INSERT, UPDATE, DELETE ON demo.employee TO hr_role;

dev session
-- dev may call the function (direct grant) and reaches demo.employee only through the role.
GRANT EXECUTE ON test.update_emp TO dev;
GRANT hr_role TO dev;

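-- Calls test's invoker's-rights function; the UPDATE inside it is checked against the
-- caller's own privileges, which here come from the role granted to the caller.
DECLARE
    l_count NUMBER;
BEGIN
    -- p_location is a VARCHAR2, so the value has to be a quoted string literal.
    l_count := test.update_emp(1, 'WA');
END;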

Selective Privileges
!!

test session

-- Invoker's-rights function: updates emp_loc in demo.employee for one department,
-- commits, and returns the value of demo.get_emp_count for that department.
-- Because it runs with the caller's privileges, holding EXECUTE on this function is
-- not enough by itself; the caller also needs its own access to demo.employee.
CREATE OR REPLACE FUNCTION update_emp(
    p_dept_id  NUMBER,
    p_location VARCHAR2
) RETURN NUMBER
AUTHID CURRENT_USER
IS
    l_result NUMBER;
BEGIN
    UPDATE demo.employee
       SET emp_loc = p_location
     WHERE emp_dept_id = p_dept_id;
    COMMIT;  -- also ends whatever transaction the caller had open

    l_result := demo.get_emp_count(p_dept_id);
    RETURN l_result;
EXCEPTION
    WHEN OTHERS THEN
        -- Print where the error was raised, undo uncommitted work, then re-raise.
        DBMS_OUTPUT.PUT_LINE(DBMS_UTILITY.FORMAT_ERROR_BACKTRACE);
        ROLLBACK;
        RAISE;
END update_emp;

dev

-- Role holding the table privileges on demo.employee; users receive them by being
-- granted the role, and lose them again when the role is revoked.
CREATE ROLE hr_role;

GRANT SELECT, INSERT, UPDATE, DELETE ON demo.employee TO hr_role;

dev session
-- Two separate grants: the right to call the function, and the role with the table access.
GRANT EXECUTE ON test.update_emp TO dev;
GRANT hr_role TO dev;

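-- Calls test's function by its schema-qualified name and keeps the result in l_count.
DECLARE
    l_count NUMBER;
BEGIN
    -- p_location is a VARCHAR2, so the value has to be a quoted string literal.
    l_count := test.update_emp(1, 'WA');
END;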

Name Resolution

Summary

AUTHID Clause

!
Direct Grants vs Roles
