How can I grant view-only privileges to all the packages and procedures in Oracle?

I would like to grant read-only privileges to all the packages that I have in Oracle, but I am not sure how to do so.
I have the following command that grants the select privilege on a table to one of the users.
grant select on scott.dept to app_user_ro;
I have a bunch of packages that contain a lot of stored procedures.
Is it possible to grant read-only privileges to all these packages? If so, is this the correct command to do so?
grant select on scott.dept_package.* to app_user_ro;
grant select on scott.employee_package.* to app_user_ro;
..
..
some more here
Is there a way to grant read-only privileges to all the packages in a single shot?

A user can only be granted "EXECUTE" privileges on a package, in its entirety:
grant execute on scott.dept_package to app_user_ro;
Once granted, a user with execute privileges on the package will be able to do anything the package code does. If the package has procedures with definer's rights (the default) that insert, update, or delete rows in a table, then the user will be able to perform those activities through the package regardless of their individual privileges on the application tables.
There is no "read only" option other than writing the package to contain only "read only" code in the first place. You must ensure that the package code contains no DML code with definer's rights, but rather uses invoker's rights that are dependent on the user's individual privileges on objects referred to in the code.
See these links for more info on definer's and invoker's rights and how to manage them:
https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/managing-security-for-definers-rights-and-invokers-rights.html#GUID-EF625176-A3AA-47F5-BAEE-248DBAAF22A3
https://oracle-base.com/articles/12c/control-invoker-rights-privileges-for-plsql-code-12cr1
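An added example (not part of the original answer) that applies the advice above: list which packages run with definer's rights, write a read-only package with invoker's rights, and grant EXECUTE in one pass only on the invoker's-rights packages. `dept_report` is a hypothetical package name; `scott`, `scott.dept` and `app_user_ro` come from the question.

```sql
-- Added example. Run as SCOTT, the package owner in the question.
-- DEPT_REPORT is a hypothetical package used for illustration.

-- 1. Audit: which packages run with the owner's privileges (DEFINER)
--    and which with the caller's (CURRENT_USER)?
SELECT DISTINCT object_name, authid
  FROM user_procedures
 WHERE object_type = 'PACKAGE'
 ORDER BY authid, object_name;

-- 2. A read-only package written with invoker's rights. At run time the
--    query is checked against the caller's own privileges, so APP_USER_RO
--    needs SELECT on SCOTT.DEPT (granted in the question). The table is
--    schema-qualified because names resolve in the caller's schema.
CREATE OR REPLACE PACKAGE dept_report AUTHID CURRENT_USER AS
  FUNCTION dept_count RETURN NUMBER;
END dept_report;
/
CREATE OR REPLACE PACKAGE BODY dept_report AS
  FUNCTION dept_count RETURN NUMBER IS
    n NUMBER;
  BEGIN
    SELECT COUNT(*) INTO n FROM scott.dept;
    RETURN n;
  END dept_count;
END dept_report;
/

-- 3. Single-pass grant, limited to invoker's-rights packages so that
--    EXECUTE never hands out the owner's DML privileges.
BEGIN
  FOR p IN (SELECT DISTINCT object_name
              FROM user_procedures
             WHERE object_type = 'PACKAGE'
               AND authid = 'CURRENT_USER')
  LOOP
    EXECUTE IMMEDIATE 'GRANT EXECUTE ON '
      || DBMS_ASSERT.ENQUOTE_NAME(p.object_name, FALSE)
      || ' TO app_user_ro';
  END LOOP;
END;
/
```

Packages that step 1 reports as DEFINER are skipped by step 3 and need a code review before any EXECUTE grant.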

Related

Grant privileges for an Oracle package?

I have a package A, which uses some variables and procedures in another package B in the same schema. Now I want to move package A to a new schema. What privileges should I grant to the new schema for using package B the same way? What is the grant statement for that?
Use GRANT to give execute privileges:
grant execute on PACKAGE_B to new_schema;
Then, you need to ensure that any reference in package A includes the full path:
PACKAGE_B.SOME_PROC
It might be worth creating a public synonym for the package, so that you can avoid referencing the schema too.

Insufficient privileges to access a table

There is a table for which a query executes normally when I run it, but when I compile it in a package it gives an error for that table saying
insufficient privileges
Any idea what I can do about it?
The user you are using got the privilege to access the table through a role.
Privileges obtained through roles are not in effect inside a PL/SQL program. You need to grant the select (insert, update, delete) privilege directly to the user in question.

How to grant all privileges on views to arbitrary user

How do you grant read/select access on all functions and views to an arbitrary user?
I use psql --user=postgres -d mydb -f myview.sql to create several functions and views, and then I run:
GRANT ALL PRIVILEGES ON DATABASE mydb TO myuser;
Having been granted all privileges, I would expect myuser to now have access to the functions and views created by the postgres user. However, when I try and access them with myuser, I get a "permission denied for relation..." error. Why is this?
The reason is that you need additional privileges to access a view or table. Privileges on the database do not cover access to all objects in it.
It is different with functions: EXECUTE privilege is granted to public by default. But the function is executed with the privileges of the current user. You may be interested in the SECURITY DEFINER modifier for CREATE FUNCTION. But normally it is enough to grant SELECT on involved tables.
Per documentation about default privileges:
Depending on the type of object, the initial default privileges might
include granting some privileges to PUBLIC. The default is no public
access for tables, columns, schemas, and tablespaces; CONNECT
privilege and TEMP table creation privilege for databases; EXECUTE
privilege for functions; and USAGE privilege for languages.
You may be interested in this DDL command (requires Postgres 9.0 or later):
GRANT SELECT ON ALL TABLES IN SCHEMA public TO myuser;
While connected to the database in question, of course (see @marcel's comment below), and as a user with sufficient privileges. You may also be interested in the setting DEFAULT PRIVILEGES:
Grant all on a specific schema in the db to a group role in PostgreSQL
More detailed answer how to manage privileges:
How to manage DEFAULT PRIVILEGES for USERs on a DATABASE vs SCHEMA?
pgAdmin has a feature for more sophisticated bulk operations:
Or you can query the system catalogs to create DDL statements for bulk granting / revoking ...
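An added example (not part of the original answer) that puts the pieces above together for the question's `mydb` and `myuser`: a bulk grant, default privileges for objects created later, grant statements generated from the system catalogs, and a check of the result. It assumes the views live in schema `public` and were created by role `postgres`, as in the question.

```sql
-- Added example. Run in psql while connected to mydb as the object owner.

-- Schema access: USAGE on the schema is required in addition to object
-- privileges (the public schema normally grants it to PUBLIC already).
GRANT USAGE ON SCHEMA public TO myuser;

-- Existing objects: "ALL TABLES" also covers views.
GRANT SELECT ON ALL TABLES IN SCHEMA public TO myuser;

-- Future objects created by role postgres in this schema.
ALTER DEFAULT PRIVILEGES FOR ROLE postgres IN SCHEMA public
  GRANT SELECT ON TABLES TO myuser;

-- Narrower alternative: generate one GRANT per view from the catalog.
-- Review the output, then run it (in psql, ending the query with \gexec
-- instead of ";" executes each generated statement).
SELECT format('GRANT SELECT ON %I.%I TO %I;',
              schemaname, viewname, 'myuser') AS ddl
  FROM pg_views
 WHERE schemaname = 'public'
 ORDER BY viewname;

-- Verify: which views in the schema can myuser read now?
SELECT viewname,
       has_table_privilege('myuser',
                           format('%I.%I', schemaname, viewname),
                           'SELECT') AS can_select
  FROM pg_views
 WHERE schemaname = 'public'
 ORDER BY viewname;
```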

GRANT EXECUTE to all stored procedures

Does the following command effectively give the user, "MyUser," permission to execute ALL stored procedures in the database?
GRANT EXECUTE TO [MyDomain\MyUser]
SQL Server 2008 and Above:
/* CREATE A NEW ROLE */
CREATE ROLE db_executor
/* GRANT EXECUTE TO THE ROLE */
GRANT EXECUTE TO db_executor
For just a user (not a role):
USE [DBName]
GO
GRANT EXECUTE TO [user]
SQL Server 2005 introduced the ability to grant database execute permissions to a database principal, as you've described:
GRANT EXECUTE TO [MyDomain\MyUser]
That will grant permission at the database scope, which implicitly includes all stored procedures in all schemas. This means that you don't have to explicitly grant permissions per stored procedure.
You can also restrict by granting schema execute permissions if you want to be more granular:
GRANT EXECUTE ON SCHEMA ::dbo TO [MyDomain\MyUser]
In addition to the answers above, I'd like to add:
You might want to grant this to a role instead, and then assign the role to the user(s).
Suppose you have created a role myAppRights via
CREATE ROLE [myAppRights]
then you can give execute rights via
GRANT EXECUTE TO [myAppRights]
to that role.
Or, if you want to do it on schema level:
GRANT EXECUTE ON SCHEMA ::dbo TO [myAppRights]
also works (in this example, the role myAppRights will have execute rights on all elements of schema dbo afterwards).
This way, you only have to do it once and can assign/revoke all related application rights easily to/from a user if you need to change that later on - especially useful if you want to create more complex access profiles.
Note: If you grant a role to a schema, that affects also elements you will have created later - this might be beneficial or not depending on the design you intended, so keep that in mind.
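An added example (not from the original answers) for reviewing the result of the grants discussed above: it lists every principal holding EXECUTE in the current database and whether the permission is scoped to the whole database, a schema, or a single object. It uses only the catalog views `sys.database_permissions` and `sys.database_principals`.

```sql
-- Added example. Run in the database where the grants were made.
-- Shows who holds EXECUTE and at which scope, so a database-wide
-- GRANT EXECUTE stands out from schema- or object-level grants.
SELECT pr.name            AS grantee,
       pr.type_desc       AS grantee_type,
       pe.state_desc      AS state,          -- GRANT, DENY, ...
       pe.class_desc      AS scope,          -- DATABASE, SCHEMA, OBJECT_OR_COLUMN
       CASE pe.class
            WHEN 0 THEN DB_NAME()                -- database-wide
            WHEN 3 THEN SCHEMA_NAME(pe.major_id) -- one schema
            WHEN 1 THEN OBJECT_SCHEMA_NAME(pe.major_id)
                        + N'.' + OBJECT_NAME(pe.major_id)
       END                AS securable
  FROM sys.database_permissions AS pe
  JOIN sys.database_principals  AS pr
    ON pr.principal_id = pe.grantee_principal_id
 WHERE pe.permission_name = N'EXECUTE'
 ORDER BY pe.class, pr.name;
```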

ORA-01031: insufficient privileges when creating package

I'm getting ORA-01031: insufficient privileges when creating a package in my own schema. Shouldn't I have complete control over my schema? If this is not the case, what privileges does my schema need?
You may need to have GRANT CREATE PROCEDURE TO USERNAME.
If you are referencing tables that are not in your schema you may get this error even if you can select data from the tables. The problem is that permissions granted by roles work for SQL but do not work for PL/SQL. PL/SQL requires the rights be granted to the user.
Another possible issue is that you do not have the create procedure system privilege, which is needed to create procs.
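An added example (not from the original answers) for diagnosing the role-versus-direct-grant problem described here and in the "Insufficient privileges to access a table" answer above. `OTHER_SCHEMA`, `SOME_TABLE` and `APP_OWNER` are constructed placeholders for the referenced table and the schema that owns the package.

```sql
-- Added example. Steps 1-4 run as the user who compiles the package.
-- OTHER_SCHEMA.SOME_TABLE and APP_OWNER are constructed placeholders.

-- 1. Object privileges granted directly to this user.
SELECT owner, table_name, privilege
  FROM user_tab_privs_recd
 WHERE owner = 'OTHER_SCHEMA'
   AND table_name = 'SOME_TABLE';

-- 2. The same privileges reaching this user only through a role.
--    Rows here but none in step 1 means SQL works and PL/SQL does not.
SELECT role, owner, table_name, privilege
  FROM role_tab_privs
 WHERE owner = 'OTHER_SCHEMA'
   AND table_name = 'SOME_TABLE';

-- 3. Is the CREATE PROCEDURE system privilege available in this session?
SELECT privilege
  FROM session_privs
 WHERE privilege = 'CREATE PROCEDURE';

-- 4. Reproduce what the PL/SQL compiler sees: disable all roles, then
--    run the query. It raises an error if access came only from a role.
SET ROLE NONE;
SELECT COUNT(*) FROM other_schema.some_table;
SET ROLE ALL;   -- re-enable roles (password-protected roles need SET ROLE ... IDENTIFIED BY)

-- 5. Fix, run by the table owner or a DBA: grant directly to the user.
GRANT SELECT ON other_schema.some_table TO app_owner;
GRANT CREATE PROCEDURE TO app_owner;
```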