| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Usenet -> c.d.o.misc -> Re: Oracle Stored Procedure Security
Pete Petersen wrote:
>
> Will "enduser" be able to update the "customer_master_file" when running
> the "update_customers" stored procedure OR will the update fail since
> "enduser" doesn't have update privileges on the table.
>
> What do YOU think.
What we *think* may be important in philosophy, but not in programming.
The user who executes a stored procedure will do so with the same privileges as the owner of the stored procedure. If you don't wish some users to perform the functionality that is in the stored procedure, either don't give them execute access to the SP, or handle the security checking from within the SP.
We use the latter method as *all* user access to our database is thru packages. Before the SP modifies any table (or performs any critical operation), it checks the user's ability (usually thru roles) to perform the operation.
We even enable and disable roles from with our SPs. Yes, I know we are not supposed to be able to do that. (We cheat!)
-- Tomm Carr -- "Can you describe your assailant?" "No problem, Officer. That's exactly what I was doing when he hit me!"Received on Mon Jul 21 1997 - 00:00:00 CDT
 |
 |