Skip to Main Content
  • Questions

  • Packages, roles, compilation and invoker rights and package privileges.

Breadcrumb

Question and Answer

Chris Saxon

Thanks for the question, lh.

Asked: May 31, 2017 - 2:39 pm UTC

Last updated: June 01, 2017 - 10:31 am UTC

Version: 12.1.0.2

Viewed 10K+ times! This question is

You Asked

Hi



I have need to select from tables in another schema (B). I am connected to schema (A) by using proxy account.
Privileges have been given to me through roles and I can select tables from schema B with sqlplus.

There is package in schema A which tries to select from schema B. It cannot access tables and compilation fails.

Database Advanced Application Developer's Guide: 6 Coding PL/SQL Subprograms and Packages states
To create without errors (to compile the subprogram or package successfully) requires these additional privileges:
- The owner of the subprogram or package must be explicitly granted the necessary object privileges for all objects referenced within the body of the code.
- The owner cannot obtain required privileges through roles.

I tried to compile package by
- using 'authid current_user'
- granting privileges to access schema B directly to package.

I did not succeed.

Is there a way to do this, besides giving table privileges directly, which is not feasible because of proxy account usage.
Why my attempts failed ?


lh

and Chris said...

The doc you've quoted is clear to me. If you want to compile a package in schema A referring to schema B, you need to grant the table privileges directly to A. Roles don't work. The authid definer clause has no impact on compilation.

So either you need to:

- Grant privileges on B's tables to A directly
- Create the package in B and grant A execute on this

I'm not sure what the proxy account has to do with this. You can still access tables you have via the role outside PL/SQL when using this user. And you can execute the procedure in B when it:

create role r;
grant r to chris;

create user u identified by u;
alter user chris grant connect through u;

conn hr/hr

grant select on employees to r;

conn u[chris]/u

select count(*) from hr.employees;

COUNT(*)  
107 

conn chris/chris

select count(*) from hr.employees;

COUNT(*)  
107 

create or replace procedure p is
begin
  for emps in (
    select * from hr.employees where employee_id > 200
  ) loop
    dbms_output.put_line('EMP ID: ' || emps.employee_id);
  end loop;
end p;
/
sho err

LINE/COL ERROR
-------- -----------------------------------------------------------------
4/5      PL/SQL: SQL Statement ignored
4/22     PL/SQL: ORA-00942: table or view does not exist
6/5      PL/SQL: Statement ignored
6/40     PLS-00364: loop index variable 'EMPS' use is invalid

conn hr/hr

grant select on employees to chris;

conn chris/chris

create or replace procedure p is
begin
  for emps in (
    select * from hr.employees where employee_id > 200
  ) loop
    dbms_output.put_line('EMP ID: ' || emps.employee_id);
  end loop;
end p;
/

Procedure P compiled

conn u[chris]/u

exec p;

EMP ID: 201
EMP ID: 202
EMP ID: 203
EMP ID: 204
EMP ID: 205
EMP ID: 206

Rating

  (1 rating)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Why compliation requires more privileges than selecting?

A reader, May 31, 2017 - 6:49 pm UTC

Hi

Actually we are using system where nobody uses schema owner account directly. Everyone connects through proxy account.
(so only personal accounts must be dropped/locked when person is not working anymore with this project).

Why complilation needs more privileges than invoker rights?
I am with the impression that privileges are checked also when invoker rights package is executed.


lh
Chris Saxon
June 01, 2017 - 10:31 am UTC

"Why complilation needs more privileges than invoker rights?"

I'm not sure what you mean. You have to have direct grants on objects to compile PL/SQL on them. Period. Invoker rights is to do with runtime.

Tom discusses why you need direct grants to compile at:

https://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:1065832643319

Also see:

https://docs.oracle.com/database/122/LNPLS/plsql-subprograms.htm#LNPLS00809
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's channel and Chris's channel from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

PL/SQL demos

Check out more PL/SQL tutorials on our LiveSQL tool.

PL/SQL docs

PL/SQL reference manual from the Oracle documentation library