| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
 |
 | |||
| Oracle FAQ | Your Portal to the Oracle Knowledge Grid | |
|
| |||
Home -> Community -> Usenet -> c.d.o.tools -> Re: Can't create view
Hi, Michael! Thank you for clarifying post!
I can see what you mean - there's a need to be able to grant permissions that can't be quasi-passed on through procedures, etc., or else every grant becomes something like a grant WITH DBA OPTION.
Still, it's not the way I would have designed it. For one thing, I think there's a need for a convenient, userdefined group of privileges that can be granted and revoked in a bundle, and I think a "role" is a good name for that. By trying to make the "role" concept fill both this privilege-package need and the without-DBA-option need, I think it loses some of its effectiveness as a bundle of privileges, plus there's the confusion of trying to accomplish two different objectives with it.
If it were me, I'd let priveleges be granted WITH REFERENCE(?) OPTION, WITHOUT REFERENCE OPTION, or WITH DBA OPTION - I'm just making up "reference" as a term to include procedures, views, etc. - to be explicit about to what degree those priveleges can be passed on. Then you'd be able to create roles that really were pure agglomerations of privileges.
But, hey - who died and made me Larry Ellison?
I guess it rarely comes up because most people have one ueber-owner for most/all of their procedures, views, etc. They give the ueber-owner all power and then can forget about it...
Well, anyway - thanks again for your explanation!
In article <vda8ht06t0doql0ipci9u3c6s7r73mbe2e_at_4ax.com>, Michael Dodd
<doddme_at_mindspring.com> writes:
>I've always looked at the role situation as if it tables were real
>estate, roles were renters and direct grants were deed transfers.
>
>If I create a table and grant you through a role you're a renter, you
>can't give my property to others, I could kick you out at any time.
>If you created a procedure that selected against my land and granted
>execute on that procedure to some other person then infact you have
>deeded my property and you were just a tenant. If you are granted
>specificially through object permissions then you can do with it what
>you want. You CAN deed to others the select. You're given special
>rights, specifically to you, by me. We have a contract. I can take
>away your rights specifically through a revoke or a quit-claim deed.
>If you want to do something with my property and it involves doing
>more than the lease intends - you need a direct grant.
>
 |
 |