Skip to Main Content
  • Questions

  • Invoker/Definer Rights Model & Performance

Breadcrumb

Question and Answer

Tom Kyte

Thanks for the question, Muhammad Riaz.

Asked: June 13, 2007 - 12:54 am UTC

Last updated: April 28, 2008 - 12:08 pm UTC

Version: 10.2.0.3

Viewed 1000+ times

You Asked

Hello Tom,
Is their any relationship between Performance and Invoker/Definer Right model. To me it is somehow related to security only, not to performance. But some of my colleagues say it is also affects the Performance of SQL statements. What is your opinion?

Regards,

Riaz Shahid

and Tom said...

it definitely affects overall system performance.

with definers rights routine, the SQL is parsed as the definer. There will be one copy of it in the shared pool.

with invokers rights - it is as if everyone was typing the sql in at the command line, there will be many copies of that sql in the shared pool possibly.

You should use invokers rights only for utility type routines - like a utility that accepts a sql statement as a string and outputs the contents to a file. So the SQL would run as the invoker (which is what you want for that utility typically)

Virtually every other stored procedure should be a definers rights routine, authid current_user would be used very very rarely.

Rating

  (3 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Little More Clarification

Muhammad Riaz Shahid, June 14, 2007 - 3:12 am UTC

So if i execute following SQL:

SELECT col1
FROM t

and another user executes the same SQL from his/her session, you mean to say in shared pool we will be having two queries and both the queries will be parsed (supposing table t refers to same table in both queries)?

regards,
Tom Kyte
June 14, 2007 - 7:45 am UTC

if the grants and all are the same and table T is in fact the same table T, there would not be. What I am saying is that invokers rights is just like running a pro*c program, a VB program, whatever - the sql is parsed as the user invoking it and that will tend to cause more SQL (by design) to be unshareable.

use invokers rights once in a very blue moon.

Blue Moon

Mike, June 14, 2007 - 9:43 am UTC

This should help then...

http://www.skyandtelescope.com/observing/objects/moon/3304131.html

Alexander hte ok, April 24, 2008 - 9:47 am UTC

Hi Tom,

Is there any other way out there that a user can execute pl/sql with definer's rights WITHOUT having execute granted directly to the user?

I have an application with user b that executes packages in schema a. He only has roles granted, the grant to call the package is in the role.

We forgot to make the roles default so the app started to fail. But I don't understand why this works at all, it says everywhere roles are disabled under definer's rights?

I checked for other elevated privs, the user only has table and package grants through a role, and some table grants granted directly.
Tom Kyte
April 28, 2008 - 12:08 pm UTC

in definers rights, roles are disabled during the compilation phase of all compiled stored objects


when you compile a procedure, everything that procedure accesses must be granted to the DEFINER directly, not via a role.

in order to simply EXECUTE a procedure, you just need a grant - either directly to you or indirectly via a role.


to COMPILE an object and have that object reference "X", you need to have that privilege granted DIRECTLY to you.
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's channel and Chris's channel from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

PL/SQL demos

Check out more PL/SQL tutorials on our LiveSQL tool.

PL/SQL docs

PL/SQL reference manual from the Oracle documentation library