RE: Question On authid current_user

  • From: Don Granaman <DonGranaman@xxxxxxxxxxxxxxx>
  • To: "srcdco@xxxxxxx" <srcdco@xxxxxxx>, "oracle-l@xxxxxxxxxxxxx" <oracle-l@xxxxxxxxxxxxx>
  • Date: Tue, 22 Jan 2013 00:46:42 -0600

This one has been haunting me since I answered it.  Of course, the first 
sentence is correct and that would work, but it was intended as a flip answer 
since it quite likely has unintended consequences for the package.

The second sentence is problematic though.  I didn't read the context carefully 
and was assuming a scenario devoid of the other complications and assumed the 
goal was simply to let user U1 execute user U2's definer-rights package and 
have U1's role-based privileges "sneak through" to a call to U1's user-rights 
procedure in that package when user U1 ran it.  With "other complications" like 
direct object grants to U2 and such, it is not so straight-forward.  

Don Granaman | Ph: 402-361-3073 | Cell: 402-960-6955  | Solutionary - Relevant 
| Intelligent | Security

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Don Granaman
Sent: Monday, January 21, 2013 4:40 PM
To: srcdco@xxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: RE: Question On authid current_user

Declare the outer package with audit current_user also.

It does absolutely no good to use authid current_user for a procedure inside a 
definer rights package.

Don Granaman | Ph: 402-361-3073 | Cell: 402-960-6955  | Solutionary - Relevant 
| Intelligent | Security

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On 
Behalf Of Scott Canaan
Sent: Monday, January 21, 2013 8:57 AM
To: oracle-l@xxxxxxxxxxxxx
Subject: Question On authid current_user

All,
   I created a stored procedure that analyzes the tables in a small schema.  
The procedure is owned by one user and was created with authid current_user, so 
it can be run by another user.  It runs fine as the other user, as long as it 
is called directly by that user.  When it is put inside a package, an 
ORA-01031: insufficient privileges error is raised.  The customer is asking me 
to grant "execute any" privilege to the second user so that it will run.  I'm 
not convinced that will solve the problem and I don't want to do this grant.  
What other options are there for getting this procedure to run inside the 
package?
Scott Canaan '88 (srcdco@xxxxxxx<mailto:Scott.Canaan@xxxxxxx>)
(585) 475-7886 - work           (585) 339-8659 - cell
"Life is like a sewer, what you get out of it depends on what you put into it." 
- Tom Lehrer.


--
//www.freelists.org/webpage/oracle-l


--
//www.freelists.org/webpage/oracle-l


--
//www.freelists.org/webpage/oracle-l

Other related posts:

  1. Home
  2. oracle-l
  3. Archive
  4. 01-2013