Skip to Main Content
  • Questions

  • How to preserve grants on recreated table

Breadcrumb

Question and Answer

Tom Kyte

Thanks for the question, Sergej.

Asked: September 13, 2004 - 9:33 am UTC

Last updated: September 13, 2004 - 9:33 am UTC

Version: 8.1.7

Viewed 1000+ times

You Asked

Hi Tom,

We have on SAP R/3 three special tables and one very restricted oracle user, which is only allowed to write into these tables. The permissions to do this are given through 3 grants.

The tables I've mentioned are created and changed from SAP GUI. The problem is: after every change the tables are dropped and recreated, in background, this can't be controlled. So the 3 permisions are lost after every "drop table". They have to be granted once more, in fact not from SAP GUI. It should be done from an Oracle shell (SQL+, Toad). This is not always unproblematic.

Do you have an idea, how we can preserve these grants during recreating a table? Or how we can automatically grant, for example on logon of the user? Or any othe idea?

and Tom said...

</code> http://asktom.oracle.com/pls/asktom/f?p=100:11:::::P11_QUESTION_ID:646423863863 <code>

You could have a trigger that looks to see "oh, this special table is being created" and have it run the grants in the background using dbms_job.

Rating

  (1 rating)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Grants remain after object is dropped and recreated

A reader, March 28, 2007 - 1:13 pm UTC

Tom,
I am seeing a strange problem in 10.2.0.2 database. After I drop and recreate a function (or package), its grants remain till I do an alter system flush shared_pool. I have taken the function from PL/SQL manual.

Here is an example:
Create users and role as system:
create user test_ag1 identified by test default tablespace users_data;
grant create session, create table, create procedure, create trigger, create view to test_ag1;

create user test_ag2 identified by test default tablespace users_data;
grant create session to test_ag2;

create role test_ag_role;

grant test_ag_role to test_ag2;


Now connect as test_ag1 and create a function:
CREATE OR REPLACE FUNCTION half_of_square(original NUMBER)
RETURN NUMBER IS
BEGIN
RETURN (original * original)/2 + (original * 4);
END half_of_square;
/

grant execute on half_of_square to test_ag_role;


Connect as test_ag2 and run the function:
set 
serverout on
declare
a number;
begin
a:=test_ag1.half_of_square(100);
dbms_output.put_line(a);
end;
/

SQL> /
5400

PL/SQL procedure successfully completed.

SQL>

Now connect as test_ag1 and drop the function:
drop function half_of_square;

Connect as test_ag2 and verify that we cannot run the function.

SQL> /
a:=test_ag1.half_of_square(100);
*
ERROR at line 4:
ORA-06550: line 4, column 4:
PLS-00201: identifier 'TEST_AG1.HALF_OF_SQUARE' must be declared
ORA-06550: line 4, column 1:
PL/SQL: Statement ignored


SQL>

Connect as test_ag1 and recreate the function but do not grant execute to anyone:
CREATE OR REPLACE FUNCTION half_of_square(original NUMBER)
RETURN NUMBER IS
BEGIN
RETURN (original * original)/2 + (original * 4);
END half_of_square;
/
Function created.

SQL>

Connect as test_ag2 and try to run the function:
SQL> set serverout on
SQL> declare
2 a number;
3 begin
4 a:=test_ag1.half_of_square(100);
5 dbms_output.put_line(a);
6 end;
7 /
5400

PL/SQL procedure successfully completed.

SQL>

It runs successfully even without the grant via role. On a low activity database, it will keep running till I do an alter system flush shared_pool.

Is this a bug?

Thanks

more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's channel and Chris's channel from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

PL/SQL demos

Check out more PL/SQL tutorials on our LiveSQL tool.

PL/SQL docs

PL/SQL reference manual from the Oracle documentation library