Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: Alter User in Stored Procedure

From: Frank van Bortel <frank.van.bortel_at_gmail.com>
Date: Tue, 16 Aug 2005 12:41:27 +0200
Message-ID: <ddsffj$a8c$1@news1.zwoll1.ov.home.nl>


Matthias Kleinicke wrote:
> Hi,
>
> John Rose wrote:
>

>> I am using Oracle security for my application and would like to allow
>> users to change their own passwords without using SQLPlus.  I am
>> attempting to use "ALTER USER username IDENTIFIED BY newpassword
>> REPLACE oldpassword" in a stored procedure to provide this
>> functionality, but it always gets an insufficient privileges error. 
>> The users can change passwords freely at the SQLPlus prompt, but
>> cannot do the same via the procedure.
>>
>> Does anyone have any ideas?
>>

> the procedure must use caller rights. By default the procedure will run
> using all rights given to the owner of the procedure. I do not expect
> this owner to have right ALTER USER so the routine can not succeed.
> If caller rights are used, the routine will use privileges of the caller
> especially changing the own password.
>
> hth
>
> Matthias
>
> PS.: caller rights is an option on create procedure. see syntax in docu.

I would carefully test this approach for side effects. Using one invoker rights procedure (in an application that uses owner rights throughout) may cause context switching. So test the other procedures *after* a call to your change password proc.

-- 
Regards,
Frank van Bortel

Top-posting is one way to shut me up...
Received on Tue Aug 16 2005 - 05:41:27 CDT
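
The invoker-rights approach discussed in this thread, shown as an added example that is not part of the original posts. The procedure name, parameter names and the role `app_user_role` are hypothetical, and it assumes `DBMS_ASSERT` is available in the database version in use.

```sql
-- Added example; names are hypothetical and not taken from the thread.
CREATE OR REPLACE PROCEDURE change_my_password (
    p_old_password IN VARCHAR2,
    p_new_password IN VARCHAR2
)
AUTHID CURRENT_USER   -- invoker rights: the DDL runs with the caller's privileges
IS
    l_user VARCHAR2(300);
BEGIN
    -- ALTER USER is DDL and cannot take bind variables, so the statement is
    -- built by concatenation. Reject anything that could close the quoted
    -- password literal early and inject further clauses.
    IF p_old_password IS NULL OR p_new_password IS NULL
       OR INSTR(p_old_password, '"') > 0
       OR INSTR(p_new_password, '"') > 0
    THEN
        RAISE_APPLICATION_ERROR(-20001,
            'Password must be non-empty and must not contain a double quote');
    END IF;

    -- The target is always the session user, never a caller-supplied name,
    -- so the procedure cannot be used to change another account's password.
    l_user := DBMS_ASSERT.ENQUOTE_NAME(
                  SYS_CONTEXT('USERENV', 'SESSION_USER'), FALSE);

    EXECUTE IMMEDIATE
        'ALTER USER ' || l_user ||
        ' IDENTIFIED BY "' || p_new_password || '"' ||
        ' REPLACE "'       || p_old_password || '"';
END change_my_password;
/

-- The owner needs no ALTER USER privilege; callers only need EXECUTE.
GRANT EXECUTE ON change_my_password TO app_user_role;
```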
