Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: authid definer

RE: authid definer

From: MacGregor, Ian A. <ian_at_SLAC.Stanford.EDU>
Date: Thu, 28 Jun 2001 10:55:37 -0700
Message-ID: <F001.0033C547.20010628105624@fatcity.com>

Authid definer is not new. It is the default authorization for pl/sql stored procedures; before 8i, "definer" was the only choice. Now in 8i you can have procedures where the authid is the invoker of the package. For example, you create a pl/sql procedure for users to change their passwords. Before invoker rights the owner of that procedure would need to be granted the "alter user" privilege and be able to change any user's password. However if the package runs under authid current_user, invoker rights, the owner of the procedure does not need the "alter user" privilege

Again definer rights are nothing new. Direct table level grants, that is not through roles, are needed to the owners of the procedures. Execute privilege is then granted on the roles, and the roles granted to the necessary users. These "necessary users" do not need and should not be granted table level privileges. An invoker of such a procedure must either fully qualify the name of the procedure (<owner>.<procedure>, or use some type of synonym translation, or make the default schema that of the owner of the procedure. Procedures should be placed in packages which curts down on the number of grants and synonymns needed and also helps with recompilation issues.

Ian MacGregor
Stanford Linear Accelerator Center
ian_at_slac.stanford.edu

-----Original Message-----
Sent: Thursday, June 28, 2001 8:03 AM
To: Multiple recipients of list ORACLE-L

What is authid definer? Every day something new.

Alex Hillman

-----Original Message-----
Sent: Thursday, June 28, 2001 7:04 AM
To: Multiple recipients of list ORACLE-L

One of our app development teams started out with lots of pl/sql and role based security, and found that roles are useless cause you have to grant the table level privs anyway to get the procedures to work.

We are considering switching to Authid Definer for several reasons: - Roles need only contain execute privs for the procedures (no table level grants required)
- private synonyms not needed anymore (all objects are resolved in the definers schema)
- No need for table level GRANTs any more (cause all procedures/funcs run as the table/proc owner)
Sounds too good to be true. Any gotchas to switching to authid Definer? Is this the preferred direction for app development, rather than the role/table grants nightmare?

Rgds
Mark Teehan
Singapore

--

Please see the official ORACLE-L FAQ: http://www.orafaq.com
--

Author: Mark Teehan
  INET: mteehan_at_erggroup.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
--

Please see the official ORACLE-L FAQ: http://www.orafaq.com
--

Author: Hillman, Alex
  INET: Alex.Hillman_at_usmint.treas.gov
Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
--

Please see the official ORACLE-L FAQ: http://www.orafaq.com
--

Author: MacGregor, Ian A.
  INET: ian_at_SLAC.Stanford.EDU
Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). Received on Thu Jun 28 2001 - 12:55:37 CDT

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US