ORA-01031: insufficient privileges when creating package - sql

I'm getting ORA-01031: insufficient privileges when creating a package in my own schema. Shouldn't I have complete control over my schema? If this is not the case, what privileges does my schema need?

You may need to have GRANT CREATE PROCEDURE TO USERNAME.

If you are referencing tables that are not in your schema you may get this error even if you can select data from the tables. The problem is that permissions granted by roles work for SQL but do not work for PL/SQL. PL/SQL requires the rights be granted to the user.
Another possible issue is that you do not have the create procedure system privilege which is needed to create procs.

Related

Snowflake permission issue for "GRANT USAGE ON FUTURE PROCEDURES IN SCHEMA MyDb.MySchema TO ROLE MyRole"

I am trying to grant usage on future stored procedures within a particular schema.
I am using the role SYSADMIN and the schema is owned by SYSADMIN.
The following statement works
GRANT USAGE ON ALL PROCEDURES IN SCHEMA UAT_CONTROL.PDS TO ROLE UAT_OPERATIONS;
While this one fails
GRANT USAGE ON FUTURE PROCEDURES IN SCHEMA UAT_CONTROL.PDS TO ROLE UAT_OPERATIONS;
"SQL Error [3001] [42501]: SQL access control error: Insufficient privileges to operate on schema 'PDS'"
Am I missing a trick?
Just wanted to provide the answer in case someone was looking for it in this forum. The MANAGE GRANTS privilege is required for future grants:
https://docs.snowflake.com/en/user-guide/security-access-control-configure.html#security-privileges-required-to-manage-future-grants
You also have to grant usage on your database and maybe on your schema:
GRANT USAGE ON DATABASE UAT_CONTROL TO ROLE UAT_OPERATIONS;
GRANT USAGE ON SCHEMA PDS TO ROLE UAT_OPERATIONS;
More info here: https://docs.snowflake.com/en/sql-reference/sql/grant-privilege.html

How can I grant view only privileges to all the packages and procedure in Oracle?

I would like to grant read-only privileges to all the packages that I have in Oracle but I am not sure how to do so.
I have the following command that grants select privilege to one of the users on a table.
grant select on scott.dept to app_user_ro;
I have a bunch of packages that contain a lot of stored procedures.
Is it possible to grant read only privileges to all these packages? If so, is this the correct command to do so?
grant select on scott.dept_package.* to app_user_ro;
grant select on scott.employee_package.* to app_user_ro;
..
..
some more here
Is there a way to grant read only privileges to all the packages in a single shot?
A user can only be granted "EXECUTE" privileges on a package, in its entirety:
grant execute on scott.dept_package to app_user_ro;
Once granted, a user with execute privileges on the package will be able to do anything the package code does. If the package has procedures with definer's rights (the default) that insert, update, or delete rows in a table, then the user will be able to perform those activities through the package regardless of their individual privileges on the application tables.
There is no "read only" option other than writing the package to contain only "read only" code in the first place. You must ensure that the package code contains no DML code with definer's rights, but rather uses invoker's rights that are dependent on the user's individual privileges on objects referred to in the code.
See these links for more info on definer's and invoker's rights and how to manage them:
https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/managing-security-for-definers-rights-and-invokers-rights.html#GUID-EF625176-A3AA-47F5-BAEE-248DBAAF22A3
https://oracle-base.com/articles/12c/control-invoker-rights-privileges-for-plsql-code-12cr1
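
The definer's-rights versus invoker's-rights distinction from the answer above, as an added example that is not part of the original posts. It reuses scott.dept and app_user_ro from the question; the package name dept_report and its two subprograms are hypothetical.

```sql
-- List every package owned by SCOTT with its rights model.
--   AUTHID = DEFINER      : code runs with SCOTT's privileges (the default)
--   AUTHID = CURRENT_USER : code runs with the caller's privileges
SELECT DISTINCT object_name, authid
FROM   all_procedures
WHERE  owner = 'SCOTT'
AND    object_type = 'PACKAGE'
ORDER  BY object_name;

-- Hypothetical invoker's-rights package: one read and one write
-- against the same table, so the difference is visible per call.
CREATE OR REPLACE PACKAGE scott.dept_report AUTHID CURRENT_USER AS
  FUNCTION  dept_count RETURN NUMBER;
  PROCEDURE rename_dept(p_deptno IN NUMBER, p_dname IN VARCHAR2);
END dept_report;
/

CREATE OR REPLACE PACKAGE BODY scott.dept_report AS
  FUNCTION dept_count RETURN NUMBER IS
    l_count NUMBER;
  BEGIN
    -- Needs SELECT on scott.dept for whoever calls the function.
    SELECT COUNT(*) INTO l_count FROM scott.dept;
    RETURN l_count;
  END dept_count;

  PROCEDURE rename_dept(p_deptno IN NUMBER, p_dname IN VARCHAR2) IS
  BEGIN
    -- Needs UPDATE on scott.dept for whoever calls the procedure.
    UPDATE scott.dept SET dname = p_dname WHERE deptno = p_deptno;
  END rename_dept;
END dept_report;
/

-- EXECUTE is still granted on the package as a whole.
GRANT EXECUTE ON scott.dept_report TO app_user_ro;
```

Called by app_user_ro, which holds only SELECT on scott.dept, dept_count runs and rename_dept is rejected at run time. Had the package been created without AUTHID CURRENT_USER, both would run with SCOTT's privileges.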

postgres table privileges do not allow user to create/select view

I am managing a database that has a number of schemas. I am having some difficulty with setting privileges and would like to request some help.
I have the schema called schemaA and a group_role db_writer
I use the following sql:
GRANT USAGE ON SCHEMA schemaA TO db_writer;
GRANT UPDATE, INSERT, SELECT, DELETE ON ALL TABLES IN SCHEMA schemaA TO db_writer;
However, the db_writer is unable to create views. They are returned with a permission denied error. Also, when I create views, she is then unable to select them...and I have to set the privileges again for that view.
It was my understanding that views were treated as tables with respect to privileges...and if one is granted certain permissions to all tables in a schema this would apply to views also.
What am I missing? Any advice appreciated.
The problem is USAGE does not allow users to create objects within the database.
Try
GRANT USAGE, CREATE ON SCHEMA schemaA TO db_writer;
Edit:
New objects will get default privileges. For the user to have those privileges for objects created in the future, you can do it as:
ALTER DEFAULT PRIVILEGES IN SCHEMA schemaA GRANT UPDATE, INSERT, SELECT, DELETE ON TABLES TO db_writer;
ALTER DEFAULT PRIVILEGES IN SCHEMA schemaA GRANT SELECT ON TABLES TO db_reader;
Check this answer for more info
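
A caveat worth checking alongside the statements above, shown as an added example that is not part of the original answer: ALTER DEFAULT PRIVILEGES only affects objects later created by the role that ran it, or by the role named in FOR ROLE, and its ON TABLES clause also covers views. The role name view_owner and the view name some_view are hypothetical; schemaA and db_writer come from the question.

```sql
-- Unquoted schemaA is folded to lower case by PostgreSQL, hence
-- 'schemaa' in the string arguments below.

-- 1. What db_writer can do in the schema right now.
SELECT has_schema_privilege('db_writer', 'schemaa', 'USAGE')  AS can_use,
       has_schema_privilege('db_writer', 'schemaa', 'CREATE') AS can_create;

-- 2. Default privileges for tables and views that view_owner
--    (hypothetical: the role that creates the views) creates later.
--    Run as view_owner, a member of it, or a superuser.
ALTER DEFAULT PRIVILEGES FOR ROLE view_owner IN SCHEMA schemaA
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO db_writer;

-- 3. Default privileges are not retroactive: objects that already
--    exist need one explicit grant (ALL TABLES includes views).
GRANT SELECT, INSERT, UPDATE, DELETE
    ON ALL TABLES IN SCHEMA schemaA TO db_writer;

-- 4. Inspect the default ACLs recorded for the schema, per creating role.
SELECT pg_get_userbyid(d.defaclrole) AS creating_role,
       n.nspname                     AS schema_name,
       d.defaclobjtype               AS object_type,  -- 'r' = tables and views
       d.defaclacl                   AS default_acl
FROM   pg_default_acl d
JOIN   pg_namespace n ON n.oid = d.defaclnamespace
WHERE  n.nspname = 'schemaa';

-- 5. Spot-check one view after it has been created.
SELECT has_table_privilege('db_writer', 'schemaa.some_view', 'SELECT');
```

If views created by one role are still unreadable by db_writer after step 2, compare creating_role in step 4 with the actual owner of the view; a mismatch means the default ACL was recorded for a different creator.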

Insufficient privileges to access a table

There is a table which, when I use it to execute a query, gets executed normally, but when I compile it in a package it gives an error for that table saying
insufficient privileges
Any idea what I can do about it ?
The user you are using got the privilege to access the table through a role.
Privileges obtained through roles are not in effect inside a PL/SQL program. You need to grant the select (insert, update, delete) privilege directly to the user in question.
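
A way to confirm the diagnosis given in this answer, and in the first answer on this page, before changing any grants (added example, not from the original posts). The names APP_OWNER, ORDERS and APP_DEV are placeholders for the table owner, the table and the account that compiles the package.

```sql
-- Run steps 1-4 as the user that compiles the package.

-- 1. Is the CREATE PROCEDURE system privilege active in this session?
SELECT privilege
FROM   session_privs
WHERE  privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE');

-- 2. Object privileges on the table granted directly to this user.
SELECT owner, table_name, privilege, grantor
FROM   user_tab_privs
WHERE  grantee    = USER
AND    owner      = 'APP_OWNER'
AND    table_name = 'ORDERS';

-- 3. Object privileges on the same table that arrive through a role.
SELECT role, owner, table_name, privilege
FROM   role_tab_privs
WHERE  owner      = 'APP_OWNER'
AND    table_name = 'ORDERS';

-- 4. Reproduce the package's situation in plain SQL:
--    disable all roles for the session, then run the query.
SET ROLE NONE;
SELECT COUNT(*) FROM app_owner.orders;
SET ROLE ALL;   -- re-enable roles afterwards (or simply reconnect)

-- 5. Fix, run as APP_OWNER or a DBA: grant directly to the user,
--    and only the privileges the package body actually uses.
GRANT SELECT ON app_owner.orders TO app_dev;
```

If step 3 returns rows and step 2 does not, the query in step 4 fails once roles are disabled, which is the same condition the package compilation runs into.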

How to grant all privileges on views to arbitrary user

How do you grant read/select access on all functions and views to an arbitrary user?
I use psql --user=postgres -d mydb -f myview.sql to create several functions and views, and then I run:
GRANT ALL PRIVILEGES ON DATABASE mydb TO myuser;
Having been granted all privileges, I would expect myuser to now have access to the functions and views created by the postgres user. However, when I try and access them with myuser, I get a "permission denied for relation..." error. Why is this?
The reason is that you need additional privileges to access a view or table. Privileges on the database do not cover access to all objects in it.
It is different with functions: EXECUTE privilege is granted to public by default. But the function is executed with the privileges of the current user. You may be interested in the SECURITY DEFINER modifier for CREATE FUNCTION. But normally it is enough to grant SELECT on involved tables.
Per documentation about default privileges:
Depending on the type of object, the initial default privileges might
include granting some privileges to PUBLIC. The default is no public
access for tables, columns, schemas, and tablespaces; CONNECT
privilege and TEMP table creation privilege for databases; EXECUTE
privilege for functions; and USAGE privilege for languages.
You may be interested in this DDL command (requires Postgres 9.0 or later):
GRANT SELECT ON ALL TABLES IN SCHEMA public TO myuser;
While connected to the database in question, of course (see @marcel's comment below), and as a user with sufficient privileges. You may also be interested in the setting DEFAULT PRIVILEGES:
Grant all on a specific schema in the db to a group role in PostgreSQL
More detailed answer on how to manage privileges:
How to manage DEFAULT PRIVILEGES for USERs on a DATABASE vs SCHEMA?
pgAdmin has a feature for more sophisticated bulk operations:
Or you can query the system catalogs to create DDL statements for bulk granting / revoking ...