Invoker and Definer Rights

Detailed Study of Invoker and Definer Rights on Procedures, Functions and Packages

Roles and privileges in Oracle
• Users can be assigned rights that determine what they are and are not allowed to do in a database – Privilege
• A role is an object that allows resource access rights to be grouped and efficiently assigned to users

Where to put it?
• Procedures
• Functions
• Packages

Problem Statement
• Central Gov. has introduced a new scheme for EBC students in Maharashtra. Information on students is collected by the Gov. through forms. Central Gov. wants to provide scholarships to students on some defined terms.
• Explain the steps involved in designing the database.

Approach
central_db

state_mh mh_proc ()

t_student

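-- No AUTHID clause: definer rights (the default), so t_student
-- resolves in the schema that owns the procedure.
create or replace procedure "MH_PROC"
is
  v_students number;
begin
  dbms_output.put_line('In procedure "MH_PROC" AUTHID CUR...');
  select count(*) into v_students from t_student;
  dbms_output.put_line('Total Students are:' || v_students);
end;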

Problem Statement
• Central Gov. now wants to introduce the same scheme for EBC students in Andhra Pradesh. Information on students is collected by the Gov. through forms. Central Gov. wants to provide scholarships to students on the same terms that were defined for students of Maharashtra.
• Explain the steps involved in designing the database.

Approach
central_db

state_mh mh_proc ()

state_ap ap_proc ()

t_student

t_student

Better Approach
central_db

state_mh mh_proc ()

state_ap

t_student

t_student

-- AUTHID CURRENT_USER: invoker rights, so t_student resolves in the
-- schema of the user who calls the procedure.
create or replace procedure "MH_PROC"
AUTHID CURRENT_USER
is
  v_students number;
begin
  dbms_output.put_line('In procedure "MH_PROC" AUTHID CUR...');
  select count(*) into v_students from t_student;
  dbms_output.put_line('Total Students are:' || v_students);
end;

Other Better Approach
central_db

state_mh

state_all all_proc ()

state_ap

t_student

t_student

-- Invoker-rights procedure owned by state_all and shared by all states.
create or replace procedure "ALL_PROC"
AUTHID CURRENT_USER
is
  v_students number;
begin
  dbms_output.put_line('In procedure "MH_PROC" AUTHID CURRENT_U...');
  select count(*) into v_students from t_student;
  dbms_output.put_line('Total Students are:' || v_students);
end;

Much Better Approach
central_db

state_all state_mh

Resolve reference by:
1. Create a dummy table/object
2. Create a synonym
3. Execute Immediate

t_student all_proc ()

state_ap

t_student

t_student

Calling Proc/Fn
central_db

state_mh mh_proc () IR t_student st_test ()

state_ap

t_student

st_test ()

No run time privilege check is made when the procedure is called

Effect on Roles
• All roles are disabled in any named PL/SQL block that executes with definer rights
• Named PL/SQL blocks that execute with invoker rights and anonymous PL/SQL blocks are executed based on privileges granted through enabled roles.
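
The third option from the "Much Better Approach" slide (Execute Immediate), combined with the role behaviour stated above, as an added example that is not from the original slides. It assumes the schemas state_all, state_mh and state_ap from the diagrams and is written as a SQL*Plus script; all_proc_dr is a hypothetical name.

```sql
-- Assumed setup (from the slides): STATE_ALL owns the code; STATE_MH and
-- STATE_AP each own a T_STUDENT table. STATE_ALL has no T_STUDENT.

-- Run as STATE_ALL -----------------------------------------------------
create or replace procedure all_proc
  authid current_user                     -- invoker rights
is
  v_students number;
  v_roles    number;
begin
  -- Dynamic SQL is parsed at run time, so the unqualified T_STUDENT
  -- resolves in the invoker's schema and STATE_ALL needs no dummy table.
  execute immediate 'select count(*) from t_student' into v_students;
  -- Invoker rights: the caller's enabled roles are visible and used.
  select count(*) into v_roles from session_roles;
  dbms_output.put_line(sys_context('userenv', 'current_user')
    || ': students=' || v_students || ', enabled roles=' || v_roles);
end;
/

-- Hypothetical contrast procedure; no AUTHID clause means definer rights.
create or replace procedure all_proc_dr
is
  v_roles number;
begin
  -- Roles are disabled inside a definer-rights unit, so only privileges
  -- granted directly to STATE_ALL apply here.
  select count(*) into v_roles from session_roles;
  dbms_output.put_line(sys_context('userenv', 'current_user')
    || ': enabled roles=' || v_roles);
end;
/

grant execute on all_proc    to state_mh, state_ap;
grant execute on all_proc_dr to state_mh, state_ap;

-- Run as STATE_MH, then again as STATE_AP ------------------------------
set serveroutput on
begin
  state_all.all_proc;      -- reads the caller's own T_STUDENT
  state_all.all_proc_dr;   -- executes as STATE_ALL with roles disabled
end;
/
```

Because all_proc runs with the caller's privileges and roles, grant EXECUTE on it only to schemas that should run the shared logic against their own data.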

Thank you !

• All roles are disabled in any named PL/SQL block (stored procedure, function, or trigger) that executes with definer rights. Roles are not used for privilege checking and you cannot set roles within a definer-rights procedure.

• Named PL/SQL blocks that execute with invoker rights and anonymous PL/SQL blocks are executed based on privileges granted through enabled roles. Current roles are used for privilege checking within an invoker-rights PL/SQL block, and you can use dynamic SQL to set a role in the session.
