Skip to Main Content
  • Questions
  • privileges of create any context and dbms_session

Breadcrumb

Dev Live Dev Intro

This month we are celebrating Developers at AskTOM. We welcome Developers of all levels of experience to join us at our FREE Developer Live events coming in August. Just click on the left to register today! If you are brand new to Database Technology, then we also have got you covered. Just click on the right for your comprehensive FREE training program to kick start your Oracle Database Development journey!

Question and Answer

Tom Kyte

Thanks for the question, koshal.

Asked: March 14, 2011 - 9:59 am UTC

Answered by: Tom Kyte - Last updated: January 15, 2020 - 6:56 am UTC

Category: Developer - Version: 10.2.0.4

Viewed 1000+ times

You Asked

Are there any issues if a user has been granted with create any context and dbms_session privileges. Can that you user 1. bring the database down 2. View the info that he is not supposed to view. With the context I am creating parameterized view and with dbms_session I am setting the value for context. Thanks again for your help


and we said...


Create ANY context is an extremely powerful privilege that must be granted with extreme care.

All of the ANY privileges are like that.


The reason: one of the number one reasons for using an application context is for virtual private database (a security feature implemented via DBMS_RLS). If I have create ANY context, I can recreate a context used by an implementation of virtual private database and basically bypass ALL of the security that was put in place. A context is tied to a stored procedure that knows how to SAFELY and SECURELY set values in the context. This context is then used by your security policy functions to let users see the data they should be able to see. If I can recreate your context, I can point it to MY stored procedure which will give me access to anything (i'll set your context to whatever value it needs to have to see ALL data).



You should have a special privileged account create the account for you - you should not have the privilege to create a context.

and you rated our response

  (3 ratings)

Is this answer out of date? If it is, please let us know via a Review

Reviews

Answer is fine, but Font size?

January 11, 2020 - 5:44 am UTC

Reviewer: A Fan. from Hiroshima

I am sure, the font size could have been made even more smaller to save the valuable screen space and to squeeze in the information and contents of this web-page in just one scroll-free window..

And then, the webmaster can also place an advertisement like -
"The answer to your query, is sponsored by Opticians Association of America (OAA)".

The same can also applied to Expert Series Books.

I know, its not funny, but it is jut for giggles : )

Wish you all a Happy New Year.

-Regards.

Connor McDonald

Followup  

January 13, 2020 - 3:08 am UTC

We value all feedback.

Can you tell us if this was on a tablet or PC?

Feedback

January 13, 2020 - 5:12 pm UTC

Reviewer: A Fan. from Hiroshima

Hi Connor,

This is on a PC , with 24" screen on Chrome with 100% zoom.
My thoughts -

1) the screen edges can be trimmed at both the sides to widen up the center window that contains the actual contents.

2) Need to increase font size at least by 1.5 or 2 points.

-Regards.
Connor McDonald

Followup  

January 14, 2020 - 2:37 am UTC

Thanks - we'll take this on board

No CREATE CONTEXT system privilege

January 14, 2020 - 6:24 pm UTC

Reviewer: Paul Muller from Denver, Colorado

I don't have a modern version around for testing; but at least in the v19 docs, there is no CREATE CONTEXT privilege. If you need to create a context, your schema needs CREATE ANY CONTEXT.

I think this kind of makes sense because CONTEXT objects don't exist inside a schema; but outside of it.
Connor McDonald

Followup  

January 15, 2020 - 6:56 am UTC

yup. Its a "schema-less" thing.

More to Explore

DBMS_RLS

More on PL/SQL routine DBMS_RLS here