14/10/2015 Document 168168.1

Getting ORA-942 or ORA-1031 and PLS-201 or ORA-28111 in PL/SQL, works in SQL*Plus (Doc ID 168168.1)

Document Details

Type: BULLETIN
Status: PUBLISHED
Last Major Update: 19-Aug-2015
Last Update: 19-Aug-2015

APPLIES TO:

Oracle Database - Enterprise Edition - Version 9.2.0.8 to 12.1.0.2 [Release 9.2 to 12.1]
Information in this document applies to any platform.
Checked for relevance on 08-MAR-2013

PURPOSE

The purpose of the document is to show the limitations of privileges assigned to roles.

Due to these limitations, you may get errors in PL/SQL procedures/packages when accessing certain objects or packages, but the same code works from directly run SQL.

Note: The limitations affect both regular roles and global roles

The flagged errors are ORA-00942 or ORA-01933 or ORA-01031 and ORA-06512 or PLS-00201 and ORA-06550 or ORA-28111 with Fine Grained Auditing (FGA). The generated errors may differ in each release.

SCOPE

This note is appropriate for DBAs and developers. It intends to focus on limitations of roles and privileges. It shows which errors are typically flagged and how to detect which privileges are granted directly and which privileges are granted via roles.

A. Environment users/roles/privileges used
B. Example: creating a view via a role generates ORA-00942 or ORA-01933 or ORA-1031
C. Example: creating a procedure via a role generates PLS-00201, ORA-06550
D. Example: creating a table via a role generates ORA-01031, ORA-06512
E. Example: select privilege via a role generates ORA-00942
F. Example: ORA-28111: insufficient privilege to evaluate policy predicate in combination with FGA

DETAILS

Roles that are granted to one user cannot be applied to another by intermediate objects such as views or pl/sql procedures. Roles exist in sessions and are associated with a user in an active session only, the privileges of a role cannot be transferred to objects.

If you're accessing tables/views in a PL/SQL procedure or package and getting either ORA-1031 or ORA-942 (or PLS-201), but the same select/update/insert/delete works fine in SQL only, then you need to check if the privileges have been granted to the user creating the procedure via a role. Privileges granted via role do not work inside stored procedures that are created with definer's rights.

Limitations of Privileges and Roles: Stored PL/SQL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Roles are disabled when stored procedures or packages are executed.

A user executing a procedure or package can perform actions against objects (select a table, select a view, create a table, create a view, create a trigger). When the necessary privileges are granted to this user indirectly via a role, the result is ORA-00942 or ORA-01933 or ORA-01031 and ORA-06512 or PLS-00201 and ORA-06550.
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=398557307624008&parent=DOCUMENT&parent=DOCUMENT&sourceId=1347470. 1/7
These actions are successful when the necessary privileges are granted directly to the user.

This means that the user executing the procedure or package should be granted the privileges required to perform the actions against objects directly.

A user cannot acquire a privilege via a role if he needs that privilege when executing a stored procedure or function or package. If the user issues the same statements in SQL, it works as the user can use the privileges granted via a role.

Another limitation of a role: VIEWS

Under SQL, if a user can select another user's table and has the privilege to create a view, the create view statement will succeed. Yet, a create view on the other user's table generates ORA-00942 if the select privilege has been granted through a role and not directly.

Remark

As mentioned, note that the flagged errors may differ in different releases.

A. Environment users/roles/privileges used:

-- clean up any previous run
connect system/manager
drop user userA cascade;
drop user userB cascade;
drop user userC cascade;
drop role privileges_for_b;
drop role privileges_for_c;

connect system/manager
create user userA identified by a;
create user userB identified by b;
create user userC identified by c;
grant connect, resource to userA;
alter user userB default tablespace system quota 10m on system;
alter user userC default tablespace system quota 10m on system;
grant create session to userB;
grant create session to userC;

-- userB receives its create privileges only through the role
create role privileges_for_b;
grant privileges_for_b to userB;
grant create procedure, create view, create table to privileges_for_b;

-- select on usera.a is granted to the role, not to userB directly
connect usera/a
create table a (a1 number);
grant select on a to privileges_for_b;

B. Example: Creating a view via a role generates ORA-00942 or ORA-01933 or ORA-1031:

connect userb/b
create or replace view count_a as select * from usera.a;
ERROR at line 2:
ORA-01031: insufficient privileges

Note that the query on that table works:

SQL> select count(*) from usera.a;

COUNT(*)
----------
0

Investigation of privileges:

col role format a20
col owner format a8
col table_name format a5
col user_name format a10
col column_name format a5
col privilege format a15
col privilege format a17

select * from session_privs /* all privileges available */;

PRIVILEGE
-----------------
CREATE SESSION
CREATE TABLE
CREATE VIEW
CREATE PROCEDURE

select * from session_roles /* which roles are enabled */;

ROLE
--------------------
PRIVILEGES_FOR_B

select * from user_sys_privs /* privileges granted directly */;

USERNAME   PRIVILEGE         ADM
---------- ----------------- ---
USERB      CREATE SESSION    NO

select * from role_role_privs /* are roles granted to other roles */;

no rows selected

select * from role_sys_privs /* privileges via a role */;

ROLE                 PRIVILEGE         ADM
-------------------- ----------------- ---
PRIVILEGES_FOR_B     CREATE PROCEDURE  NO
PRIVILEGES_FOR_B     CREATE TABLE      NO
PRIVILEGES_FOR_B     CREATE VIEW       NO

Conclusion:

UserB who creates the view is not granted the select privilege on table a of userA directly (only via role PRIVILEGES_FOR_B).

To fix this grant the select object privilege directly:

connect usera/a
grant select on a to userb;

connect userb/b
create or replace view count_a as select * from usera.a;
View created.

C. Example: Creating a procedure which will use a privilege acquired via a role generates PLS-00201, ORA-06550:

connect userb/b
create or replace procedure b as
num number;
begin
select count(*) into num from usera.a;
end;
/
Warning: Procedure created with compilation errors.
SQL> show errors

Errors for PROCEDURE B:

LINE/COL ERROR
-------- -----------------------------------------------
5/3      PL/SQL: SQL Statement ignored
5/39     PL/SQL: ORA-00942: table or view does not exist

Investigation of privileges:

Same result as in the first example (creating a view via role)....

Conclusion

UserB who creates the procedure doesn't have the select privilege used in the procedure for table a of userA directly (only via role PRIVILEGES_FOR_B).

To fix this grant the select object privilege directly:

connect usera/a
grant select on a to userb;

connect userb/b
create or replace procedure b as
num number;
begin
select count(*) into num from usera.a;
end;
/
Procedure created.

D. Example: Creating a table in a definer's right procedure making use of the privs acquired via a role fails

SQL> conn userb/b
Connected.

SQL> create or replace procedure b2 as
num number;
begin
execute immediate 'Create table tb (tb1 number)';
end;
/

Procedure created.

SQL> exec b2
BEGIN b2; END;

*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "USERB.B2", line 4
ORA-06512: at line 1

Investigation of privileges:

Same result as in the first example (creating a view via role)....

Conclusion:

UserB who wants to create the table by executing the procedure doesn't have the create table privilege used in the procedure granted directly.

Fixed by granting this create table privilege directly:

connect system/manager
grant create table to userb;

connect userb/b
execute b2

PL/SQL procedure successfully completed.

E. Example: Select privilege via a role generates ORA-00942:

connect usera/a
grant select on a to userb;

connect userb/b
create or replace procedure b as
num number;
begin
select count(*) into num from usera.a;
end;
/

create or replace view count_a as select * from usera.a;

Also a userC is created who will use procedures and view created by userB

connect system/manager
create role privileges_for_c;
grant privileges_for_c to userc;

connect usera/a
grant select on a to privileges_for_c;

UserB now grants select on view count_a to userC and execute on his procedure b to userC:

connect userb/b

grant select on count_a to privileges_for_c;
ERROR at line 1:
ORA-01720: grant option does not exist for 'USERA.A'

grant execute on b to privileges_for_c;
Grant succeeded.

connect userc/c

select * from b.count_a;
ERROR at line 1:
ORA-00942: table or view does not exist

execute b.b
ERROR at line 1:
ORA-06550: line 1, column 7:
PLS-00201: identifier 'B.B' must be declared
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored

Investigation of privileges:

select * from session_privs /* all privileges available */;

PRIVILEGE
-----------------
CREATE SESSION

select * from session_roles /* which roles are enabled */;

ROLE
--------------------
PRIVILEGES_FOR_C

select * from role_sys_privs /* system privileges granted to role */;
=> no rows selected

select * from role_tab_privs /* object privileges granted to role */;

ROLE                 OWNER    TABLE COLUM PRIVILEGE         GRA
-------------------- -------- ----- ----- ----------------- ---
PRIVILEGES_FOR_C     USERA    A           SELECT            NO
PRIVILEGES_FOR_C     USERB    B           EXECUTE           NO

connect system/manager
select * from dba_sys_privs where grantee='USERC' /* system privileges directly */;

GRANTEE    PRIVILEGE         ADM
---------- ----------------- ---
USERC      CREATE SESSION    NO

select * from dba_tab_privs where grantee='USERC' /* object privileges directly */;
=> no rows selected

select * from dba_role_privs where grantee='USERC' /* roles granted to a user */;

GRANTEE    GRANTED_ROLE         ADM DEF
---------- -------------------- --- ---
USERC      PRIVILEGES_FOR_C     NO  YES

select * from role_sys_privs where role='PRIVILEGES_FOR_C' /* system privileges granted to role */;
=> no rows selected

select * from role_tab_privs where role='PRIVILEGES_FOR_C' /* object privileges directly */;

ROLE                 OWNER    TABLE COLUM PRIVILEGE         GRA
-------------------- -------- ----- ----- ----------------- ---
PRIVILEGES_FOR_C     USERA    A           SELECT            NO
PRIVILEGES_FOR_C     USERB    B           EXECUTE           NO

Conclusion:

UserC who selects the view doesn't have the select privilege used in the view for table a of userA directly (only via role PRIVILEGES_FOR_C). Note this is a documented limitation of a role!
Also userC lacks direct execute privilege on procedure b of userB.

Fixed by granting this select privilege and execute privilege directly:

connect usera/a
grant select on a to userb with grant option;

connect userb/b
grant select on count_a to userc;
grant execute on b to userc;

connect userc/c
select * from userb.count_a;
no rows selected

connect userc/c
execute userb.b
PL/SQL procedure successfully completed.

F. Example: ORA-28111: insufficient privilege to evaluate policy predicate in combination with FGA

When the dynamic predicate returned by the policy function is a subquery (eg. 'userid IN (SELECT empno FROM emp)') the policy function owner needs select privileges on the table emp. This privilege cannot be granted through a role to the policy function owner, in that case an error ORA-28111: insufficient privilege to evaluate policy predicate occurs. When the privilege is granted directly to the policy function owner: grant select on emp to and not through a role, everything works perfectly.

When using Fine Grained Access, the owner of the policy function(s) needs privileges on the objects used in the subqueries of the dynamic predicates. This is because the security check and object lookup are performed against the owner of the policy function(s).

Explanation:

As Oracle performs a security check against the owner of the policy functions, the owner of these policy functions needs privileges on the objects in the subqueries of the dynamic predicates. For more information on FGA check the following note:

Note 74556.1 9i/9.2: Fine Grained Auditing

Conclusion:

When the privilege is granted directly to the policy function owner and not through a role, everything works perfectly.

G. Final conclusion

All roles are disabled in any named PL/SQL block (stored procedures, functions, or triggers) that executes with definer's rights. Furthermore they are disabled in views. Roles are not used for privilege checking and you cannot set roles within a definer's rights procedure. Stored PL/SQL blocks that execute with invoker's rights (stored procedures, functions) and anonymous PL/SQL blocks are able to use the privileges granted through enabled roles.
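
The contrast drawn in the final conclusion, shown with the procedure from example D compiled with invoker's rights instead. This is an added example, not part of the original note; it assumes the section A environment with CREATE TABLE held by userB only through PRIVILEGES_FOR_B (before the direct grant in D's fix), and the names b2_invoker and tb_inv are made up here.

```sql
-- Added example (not from the original note).
-- Assumes userB holds CREATE TABLE only via role PRIVILEGES_FOR_B.
connect userb/b

-- Invoker's rights: privilege checks at run time use the caller's
-- privileges, including roles enabled in the calling session.
create or replace procedure b2_invoker   -- hypothetical name
  authid current_user
as
begin
  execute immediate 'create table tb_inv (tb1 number)';
end;
/

-- Confirm which rights model each stored unit was compiled with
-- (AUTHID shows DEFINER or CURRENT_USER).
select object_name, authid
from   user_procedures
where  object_name in ('B2', 'B2_INVOKER');

-- Called directly from the session, the role is enabled and the
-- CREATE TABLE inside the procedure is allowed.
exec b2_invoker
```

If b2_invoker is called from inside a definer's rights unit, roles are disabled again for that call. Because the body runs with the caller's privileges, check who owns invoker's rights code before privileged users execute it.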

Copyright (c) 2015, Oracle. All rights reserved.
