Re: How to issue CREATE USER command from a stored proc?

From: Ed Bruce <bruce_at_ha.hac.com>
Date: 1996/06/03
Message-ID: <31B31B18.10C1_at_ha.hac.com>#1/1


LGE wrote:

<snip>

> One item of interest is that I had to *explicitly* grant the "Create
> User" privilege (as well as the other privileges related to the
> application) to the procedure owner. For example, during development,
> a DBA user owned the procedure; but, I still received an error message
> that the user did not have the privileges required to create a user.
> Even though the account was a DBA account, and I could create a user
> via SQL*Plus when logged on as the DBA account, the procedure could
> not until I explicitly granted the "Create User" privilege. Who
> knows, maybe I am missing out on something; but, this is what I had to
> do to get it to work.

I ran into a similar problem when I first started using Stored Procedures. It is a security issue. I believe it has a lot to do with your example of immediate code. If a stored procedure was allowed to request privileges not explicitly granted, then a user could call a procedure, say created by a DBA, and send it a request to grant said user DBA privileges. Big hole there, so the rule is that a stored procedure only runs with the privileges explicitly granted, not through roles, to the creating owner.

Ed Bruce

Received on Mon Jun 03 1996 - 00:00:00 CEST
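The behaviour discussed in this thread, as an added SQL*Plus illustration that is not code from either poster. The account app_admin, the procedure make_user and the sample user name and password are hypothetical; it assumes app_admin holds the DBA role with no direct CREATE USER grant, and a release that provides EXECUTE IMMEDIATE and DBMS_ASSERT. The rejection LGE describes is reported as ORA-01031 (insufficient privileges).

```sql
-- Connected as APP_ADMIN (hypothetical account; DBA role only, no direct grants).

-- Compare what arrives through roles with what is granted directly.
SELECT role FROM session_roles;            -- roles enabled in this interactive session
SELECT privilege FROM user_sys_privs       -- system privileges granted directly
 WHERE privilege = 'CREATE USER';          -- to this account (roles not included)

-- Definer's-rights procedure (the default). While it runs, the owner's roles
-- are disabled, so only directly granted privileges are available to it.
CREATE OR REPLACE PROCEDURE make_user (
    p_name IN VARCHAR2,
    p_pwd  IN VARCHAR2
) AS
BEGIN
    -- Validate both inputs before concatenating them into DDL, so a caller
    -- cannot smuggle extra clauses (for example a GRANT) into the statement.
    EXECUTE IMMEDIATE
        'CREATE USER ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_name) ||
        ' IDENTIFIED BY ' || DBMS_ASSERT.ENQUOTE_NAME(p_pwd, FALSE);
END make_user;
/

-- Typed interactively, the same DDL is allowed because the DBA role is active:
--   CREATE USER demo_user1 IDENTIFIED BY "Constructed_Pw1";

-- Through the procedure it is rejected until the owner has a direct grant.
EXEC make_user('DEMO_USER1', 'Constructed_Pw1')

-- Run by a suitably privileged account: grant the privilege to the
-- procedure owner directly, not through a role.
GRANT CREATE USER TO app_admin;

-- The same call is now permitted.
EXEC make_user('DEMO_USER1', 'Constructed_Pw1')

-- EXECUTE on make_user now delegates CREATE USER to every grantee, so keep
-- the grant list narrow and review it together with the owner's direct grants:
SELECT grantee FROM user_tab_privs
 WHERE table_name = 'MAKE_USER' AND privilege = 'EXECUTE';
SELECT privilege FROM user_sys_privs;
```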
