12c prevents this with this new feature:
INHERIT PRIVILEGES and INHERIT ANY PRIVILEGES Privileges.
12c introduced this new piece of functionality, which initially looks a little odd but does make sense when you follow it through. I would imagine there are limited cases, though, where this specific functionality is required.
It is only relevant for invoker's rights procedures where you might want a certain piece of the code block to have rights that the invoker might not have, and you don't want to give them that right directly; you only want it to be valid when they run that code block. This new feature allows you to do that. With me so far?
OK, let's do a quick demo. We'll create a c##test user, which will own the PL/SQL procedure, and a c##rich user, who we will let invoke it. We don't actually want that user to have any additional rights, just the ability to run the few lines of PL/SQL with elevated rights. Now you could argue here: why bother with invoker's rights at all, why not just run with definer's rights? In the simple case below that is true, but I'm sure there are other, more complex cases where this new feature is useful.
Anyway, let's set a few things up, starting with the user.
Re-create grants and synonyms for the APPS schema using the adadmin utility
Facing the error below:
sqlplus -s APPS/***** @/apps/ebs/apps/apps_st/appl/ad/12.0.0/patch/115/sql/adgrnctx.sql &systempwd &un_fnd CTXSYS &un_jtf JTF
Connected.
Connected.
User altered.
declare
*
ERROR at line 1:
ORA-06598: insufficient INHERIT PRIVILEGES privilege
ORA-06512: at "SYSTEM.AD_DDL", line 165
ORA-06512: at line 160
Solution:
12c prevents this with a new feature: the INHERIT PRIVILEGES and INHERIT ANY PRIVILEGES privileges.
But if SYS trusts x, the following can be done:
SQL> grant inherit privileges on user sys to system;
Grant succeeded.
This will allow x to inherit the privileges of SYS when running code like the above.
SQL> grant INHERIT PRIVILEGES ON USER sys to public;
Grant succeeded.
SQL> grant INHERIT PRIVILEGES ON USER system to apps;
Grant succeeded.
SQL> grant dba to system;
Grant succeeded.
SQL> grant dba to apps;
Grant succeeded.
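The grant direction used above, shown end to end on two constructed accounts (an added example, not from the original post; APP_OWNER, OPS_ADMIN, the whoami procedure and the passwords are assumptions). The invoker is named after ON USER and the owner of the invoker's rights code after TO; the closing query lists which such grants, including any to PUBLIC, are in place.

```sql
-- Run as a DBA in a 12c PDB or non-CDB (assumption). APP_OWNER and
-- OPS_ADMIN are constructed accounts; the passwords are placeholders.
CREATE USER app_owner IDENTIFIED BY "Placeholder_pw1";
CREATE USER ops_admin IDENTIFIED BY "Placeholder_pw2";
GRANT CREATE SESSION TO app_owner;
GRANT CREATE SESSION TO ops_admin;

-- A new user is created with INHERIT PRIVILEGES granted to PUBLIC.
-- Revoke it so only named code owners can run with OPS_ADMIN's privileges.
REVOKE INHERIT PRIVILEGES ON USER ops_admin FROM PUBLIC;

-- An invoker's rights procedure owned by APP_OWNER (hypothetical).
CREATE OR REPLACE PROCEDURE app_owner.whoami AUTHID CURRENT_USER AS
BEGIN
  DBMS_OUTPUT.PUT_LINE(SYS_CONTEXT('USERENV', 'CURRENT_USER'));
END;
/
GRANT EXECUTE ON app_owner.whoami TO ops_admin;

-- As OPS_ADMIN the call is rejected with ORA-06598, because APP_OWNER
-- holds neither INHERIT PRIVILEGES on OPS_ADMIN nor INHERIT ANY PRIVILEGES.
CONNECT ops_admin/"Placeholder_pw2"
SET SERVEROUTPUT ON
EXEC app_owner.whoami

-- Reconnect as the DBA, then grant to the one code owner that needs it:
--   GRANT INHERIT PRIVILEGES ON USER <invoker> TO <procedure owner>
GRANT INHERIT PRIVILEGES ON USER ops_admin TO app_owner;

-- Review: which code owners may run with which invoker's privileges?
-- TABLE_NAME holds the invoking user for this privilege.
SELECT table_name AS invoker, grantee AS code_owner
FROM   dba_tab_privs
WHERE  privilege = 'INHERIT PRIVILEGES'
ORDER  BY table_name, grantee;
```

After the targeted grant, the same EXEC as OPS_ADMIN succeeds without any grant to PUBLIC on that account.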