  • User logged in through proxy only sees default role

Question and Answer

Connor McDonald

Thanks for the question, Sheng.

Asked: July 20, 2017 - 6:29 pm UTC

Last updated: July 24, 2017 - 12:09 pm UTC

Version: 12.2.2

Viewed 1000+ times

You Asked

Hi Tom,

I have a user with two roles, one role without password that is set by default, and another role that is set with a password. This user has been granted to connect through a proxy user with flag of "PROXY MAY ACTIVATE ALL CLIENT ROLES".

When I log in with this user without connecting through the proxy, I can see both roles in USER_ROLE_PRIVS and can set the password-protected role to this user without issues, but when I log in with this user through the proxy user, I can only see the default role in USER_ROLE_PRIVS and setting the password-protected role gives the "role not granted or does not exist" error.
This process works as expected in 11g (I can see both roles when logged in through proxy), but I run into this issue with a 12cR2 database. Is there anything I can do?

Thanks for your time.

Sheng

and Chris said...

The behaviour of password enabled roles for proxy users has changed. From MOS note 2286228.1:

This behavior has been investigated by the developers in Bug 25895472 and closed as not a bug. On 12.2 the design was deliberately changed so that the password protected roles cannot be set for the client user in a proxy session even if the role is granted to the client user.

You could remove the password from the role:

alter role r2 not identified;


But presumably you still want to limit how long users have access to the privileges it grants. In which case you may need to create additional users.

Note there is an ER in place to revert this behaviour:

The enhancement request Bug 26399839 - PASSWORD PROTECTED ROLES CAN NOT BE USED WITH PROXY USERS has been logged to allow the usage of secure roles in proxy user session

Though as this change was done intentionally, I don't know how likely it is to be undone.
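The scenario from the question and a check for affected accounts, as an added example that is not part of the original answer or of Oracle's own material. It is a SQL*Plus script; the names `app_user`, `proxy_user`, `r1` and all passwords are constructed placeholders, and it assumes a non-CDB or a PDB where local users can be created.

```sql
-- Constructed reproduction: user names and passwords are placeholders.
create role r1;
create role r2 identified by "RolePw_placeholder1";
create user app_user   identified by "UserPw_placeholder1";
create user proxy_user identified by "ProxyPw_placeholder1";
grant create session to app_user, proxy_user;
grant r1, r2 to app_user;
alter user app_user default role r1;
-- No WITH ROLE clause: the proxy may activate all of the client's roles.
alter user app_user grant connect through proxy_user;

-- Direct session: both roles are listed and r2 can be enabled.
connect app_user/"UserPw_placeholder1"
select granted_role, default_role from user_role_privs;
set role r1, r2 identified by "RolePw_placeholder1";

-- Proxy session: on 12.2 only r1 is listed and the SET ROLE fails with
-- "role not granted or does not exist", as reported in the question.
connect proxy_user[app_user]/"ProxyPw_placeholder1"
select granted_role, default_role from user_role_privs;
set role r1, r2 identified by "RolePw_placeholder1";

-- Pre-upgrade audit (run as a DBA): every proxy/client pair whose client
-- holds a password-protected role and so loses it in proxy sessions.
connect / as sysdba
select p.proxy, p.client, p.flags, rp.granted_role, rp.default_role
from   proxy_users p
join   dba_role_privs rp on rp.grantee = p.client
join   dba_roles r       on r.role = rp.granted_role
where  r.authentication_type = 'PASSWORD'
order  by p.proxy, p.client, rp.granted_role;
```

Running the audit query on the 11g source before moving to 12.2 lists the accounts that need either a redesign or the `not identified` change shown above.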

Comments

Thank you!

A reader, July 24, 2017 - 4:55 pm UTC

Many thanks! The response was quick and very helpful.
