Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.misc -> Re: Oracle Stored Procedure Security
Pete Petersen wrote:
> Hypothetical Situation:
>
> User "superuser" creates a stored procedure called "update_customers"
> that performs an update on table "customer_master_file". "Superuser"
> owns the "customer_master_file" table and therefore has fullobject
> privileges on this table
>
> User "enduser" has been given execute access on the "update_customers"
>
> stored procedure, however, "enduser" does not have UPDATE privileges
> on
> the "customer_master_file" table.
>
> Query:
>
> Will "enduser" be able to update the "customer_master_file" when
> running
> the "update_customers" stored procedure OR will the update fail since
> "enduser" doesn't have update privileges on the table.
>
> What do YOU think.
I think that procedures in Oracle are executed using the object privileges of the owner, not the caller.
Therefore, enduser will be able to do the update.
This is a powerful security scheme, but sometimes it is painful - sometimes you want to expose a subroutine to many users but let them use it on a view that exists in their schema and that shows them just the information that they have access to.
Mike Received on Tue Jul 22 1997 - 00:00:00 CDT