Oracle-L: RE: View creation error on a table with grant through a role?

From: Jack van Zanen <nlzanen1_at_EY.NL>
Date: Thu, 04 Apr 2002 06:28:33 -0800
Message-ID: <F001.0043B267.20020404062833@fatcity.com>

Hi,

>From the online generic doc's version 8.1.7

Data Definition Language Statements and Roles A user requires one or more privileges to successfully execute a data definition language (DDL) statement, depending on the statement. For example, to create a table, the user must have the CREATE TABLE or CREATE ANY TABLE system privilege. To create a view of another user's table, the creator requires the CREATE VIEW or CREATE ANY VIEW system privilege and either the SELECT object privilege for the table or the SELECT ANY TABLE system privilege.

Oracle avoids the dependencies on privileges received by way of roles by restricting the use of specific privileges in certain DDL statements. The following rules outline these privilege restrictions concerning DDL statements:

All system privileges and schema object privileges that permit a user to perform a DDL operation are usable when received through a role.

Examples:

System Privileges: the CREATE TABLE, CREATE VIEW and CREATE PROCEDURE privileges.

Schema Object Privileges: the ALTER and INDEX privileges for a table.

Exception: The REFERENCES object privilege for a table cannot be used to define a table's foreign key if the privilege is received through a role.

All system privileges and object privileges that allow a user to perform a DML operation that is required to issue a DDL statement are not usable when received through a role.

Example:

A user who receives the SELECT ANY TABLE system privilege or the SELECT object privilege for a table through a role can use neither privilege to create a view on another user's table.

The following example further clarifies the permitted and restricted uses of privileges received through roles:

Example: Assume that a user is:

Granted a role that has the CREATE VIEW system privilege

Granted a role that has the SELECT object privilege for the EMP table, but the user is indirectly granted the SELECT object privilege for the EMP table

Directly granted the SELECT object privilege for the DEPT table

Given these directly and indirectly granted privileges:

The user can issue SELECT statements on both the EMP and DEPT tables.

Although the user has both the CREATE VIEW and SELECT privilege for the EMP table through a role, the user cannot create a usable view on the EMP table, because the SELECT object privilege for the EMP table was granted through a role. Any views created will produce errors when accessed.

The user can create a view on the DEPT table, because the user has the CREATE VIEW privilege through a role and the SELECT privilege for the DEPT table directly.

HTH Jack

                                                                                                                                       
                      Szecsy Tamas                                                                                                     
                      <tszecsy_at_GEOMETRI        To:       Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>                   
                      A.hu>                    cc:       (bcc: Jack van Zanen/nlzanen1/External/MEY/NL)                                
                      Sent by:                 Subject:  RE: View creation error on a table with grant through a role?                 
                      root_at_fatcity.com                                                                                                 
                                                                                                                                       
                                                                                                                                       
                      04-04-2002 15:08                                                                                                 
                      Please respond to                                                                                                
                      ORACLE-L

:-O Thanks. Its funny. Could some one please point me to some online docs (OTN)? Just to see the logic behind this - for me unwanted - feature?

Tamas

-----Original Message-----

Sent: Thursday, April 04, 2002 2:14 PM
To: Multiple recipients of list ORACLE-L

To create a view or procedure the rights have to be granten to the person directly and not through a role
So yes, quite normal behaviour (maybe not wanted)

Jack

                      Szecsy Tamas

                      <tszecsy_at_GEOMETRI        To:       Multiple

recipients
of list ORACLE-L <ORACLE-L_at_fatcity.com>

                      A.hu>                    cc:       (bcc: Jack van
Zanen/nlzanen1/External/MEY/NL)
                      Sent by:                 Subject:  View creation

error
on a table with grant through a role?

                      root_at_fatcity.com





                      04-04-2002 13:28

                      Please respond to

                      ORACLE-L

Hi,

Is it normal that

connect x/x
select id, name
from y_schema.table1;

execuites fine, but

connect x/x
create or rpelace view v_myview( id, name) as select id, name
from y_schema.table1;

fails? User X has grants on y_schema's table1 through a role only.

TIA, Tamas Szecsy
--

Please see the official ORACLE-L FAQ: http://www.orafaq.com
--

Author: Szecsy Tamas
INET: tszecsy_at_GEOMETRIA.hu

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists


--------------------------------------------------------------------

To REMOVE yourself from this mailing list, send an E-Mail message

De informatie verzonden in dit e-mailbericht is vertrouwelijk en is uitsluitend bestemd voor de geadresseerde. Openbaarmaking, vermenigvuldiging, verspreiding en/of verstrekking van deze informatie aan derden is, behoudens voorafgaande schriftelijke toestemming van Ernst & Young, niet toegestaan. Ernst & Young staat niet in voor de juiste en volledige overbrenging van de inhoud van een verzonden e-mailbericht, noch voor tijdige ontvangst daarvan. Ernst & Young kan niet garanderen dat een verzonden e-mailbericht vrij is van virussen, noch dat e-mailberichten worden overgebracht zonder inbreuk of tussenkomst van onbevoegde derden.

Indien bovenstaand e-mailbericht niet aan u is gericht, verzoeken wij u vriendelijk doch dringend het e-mailbericht te retourneren aan de verzender en het origineel en eventuele kopieën te verwijderen en te vernietigen.

Ernst & Young hanteert bij de uitoefening van haar werkzaamheden algemene voorwaarden, waarin een beperking van aansprakelijkheid is opgenomen. De algemene voorwaarden worden u op verzoek kosteloos toegezonden.

The information contained in this communication is confidential and is intended solely for the use of the individual or entity to whom it is addressed. You should not copy, disclose or distribute this communication without the authority of Ernst & Young. Ernst & Young is neither liable for the proper and complete transmission of the information contained in this communication nor for any delay in its receipt. Ernst & Young does not guarantee that the integrity of this communication has been maintained nor that the communication is free of viruses, interceptions or interference.

If you are not the intended recipient of this communication please return the communication to the sender and delete and destroy all copies.

In carrying out its engagements, Ernst & Young applies general terms and conditions, which contain a clause that limits its liability. A copy of these terms and conditions is available on request free of charge.

--

Please see the official ORACLE-L FAQ: http://www.orafaq.com
--

Author: Jack van Zanen
INET: nlzanen1_at_EY.NL

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists


--------------------------------------------------------------------

To REMOVE yourself from this mailing list, send an E-Mail message

to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
--

Please see the official ORACLE-L FAQ: http://www.orafaq.com
--

Author: Szecsy Tamas
INET: tszecsy_at_GEOMETRIA.hu

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists


--------------------------------------------------------------------

To REMOVE yourself from this mailing list, send an E-Mail message

If you are not the intended recipient of this communication please return the communication to the sender and delete and destroy all copies.

--

Please see the official ORACLE-L FAQ: http://www.orafaq.com
--

Author: Jack van Zanen
INET: nlzanen1_at_EY.NL

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists


--------------------------------------------------------------------

To REMOVE yourself from this mailing list, send an E-Mail message