RE: Question On authid current_user
Date: Tue, 22 Jan 2013 07:44:38 -0500
Message-id: <A9F069F06B325049A1D90D1F8EBEB8B6C12B22D4DF_at_ex02mail02.ad.rit.edu>
Don,
Actually, I was able to get it to work by doing just as you originally said: define the package with authid current_user.
Scott Canaan '88 (srcdco_at_rit.edu)
(585) 475-7886 - work (585) 339-8659 - cell
"Life is like a sewer, what you get out of it depends on what you put into it." - Tom Lehrer.
-----Original Message-----
From: Don Granaman [mailto:DonGranaman_at_solutionary.com]
Sent: Tuesday, January 22, 2013 1:47 AM
To: Scott Canaan; oracle-l_at_freelists.org
Subject: RE: Question On authid current_user
This one has been haunting me since I answered it. Of course, the first sentence is correct and that would work, but it was intended as a flip answer since it quite likely has unintended consequences for the package.
The second sentence is problematic though. I didn't read the context carefully and was assuming a scenario devoid of the other complications and assumed the goal was simply to let user U1 execute user U2's definer-rights package and have U1's role-based privileges "sneak through" to a call to U1's user-rights procedure in that package when user U1 ran it. With "other complications" like direct object grants to U2 and such, it is not so straight-forward.
Don Granaman | Ph: 402-361-3073 | Cell: 402-960-6955 | Solutionary - Relevant | Intelligent | Security
-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Don Granaman
Sent: Monday, January 21, 2013 4:40 PM
To: srcdco_at_rit.edu; oracle-l_at_freelists.org
Subject: RE: Question On authid current_user
Declare the outer package with audit current_user also.
It does absolutely no good to use authid current_user for a procedure inside a definer rights package.
Don Granaman | Ph: 402-361-3073 | Cell: 402-960-6955 | Solutionary - Relevant | Intelligent | Security
-----Original Message-----
From: oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Scott Canaan
Sent: Monday, January 21, 2013 8:57 AM
To: oracle-l_at_freelists.org
Subject: Question On authid current_user
All,
I created a stored procedure that analyzes the tables in a small schema. The procedure is owned by one user and was created with authid current_user, so it can be run by another user. It runs fine as the other user, as long as it is called directly by that user. When it is put inside a package, an ORA-01031: insufficient privileges error is raised. The customer is asking me to grant "execute any" privilege to the second user so that it will run. I'm not convinced that will solve the problem and I don't want to do this grant. What other options are there for getting this procedure to run inside the package? Scott Canaan '88 (srcdco_at_rit.edu<mailto:Scott.Canaan_at_rit.edu>) (585) 475-7886 - work (585) 339-8659 - cell "Life is like a sewer, what you get out of it depends on what you put into it." - Tom Lehrer.
--
http://www.freelists.org/webpage/oracle-l
--
http://www.freelists.org/webpage/oracle-l
--
http://www.freelists.org/webpage/oracle-l
Received on Tue Jan 22 2013 - 13:44:38 CET