Skip to Main Content
  • Questions
  • privileges of create any context and dbms_session

Breadcrumb

May 4th

Question and Answer

Connor McDonald

Thanks for the question, koshal.

Asked: March 14, 2011 - 9:59 am UTC

Last updated: January 15, 2020 - 6:56 am UTC

Version: 10.2.0.4

Viewed 10K+ times! This question is

You Asked

Are there any issues if a user has been granted with create any context and dbms_session privileges. Can that you user 1. bring the database down 2. View the info that he is not supposed to view. With the context I am creating parameterized view and with dbms_session I am setting the value for context. Thanks again for your help


and Tom said...


Create ANY context is an extremely powerful privilege that must be granted with extreme care.

All of the ANY privileges are like that.


The reason: one of the number one reasons for using an application context is for virtual private database (a security feature implemented via DBMS_RLS). If I have create ANY context, I can recreate a context used by an implementation of virtual private database and basically bypass ALL of the security that was put in place. A context is tied to a stored procedure that knows how to SAFELY and SECURELY set values in the context. This context is then used by your security policy functions to let users see the data they should be able to see. If I can recreate your context, I can point it to MY stored procedure which will give me access to anything (i'll set your context to whatever value it needs to have to see ALL data).



You should have a special privileged account create the account for you - you should not have the privilege to create a context.

Rating

  (3 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Answer is fine, but Font size?

A Fan., January 11, 2020 - 5:44 am UTC

I am sure, the font size could have been made even more smaller to save the valuable screen space and to squeeze in the information and contents of this web-page in just one scroll-free window..

And then, the webmaster can also place an advertisement like -
"The answer to your query, is sponsored by Opticians Association of America (OAA)".

The same can also applied to Expert Series Books.

I know, its not funny, but it is jut for giggles : )

Wish you all a Happy New Year.

-Regards.

Connor McDonald
January 13, 2020 - 3:08 am UTC

We value all feedback.

Can you tell us if this was on a tablet or PC?

Feedback

A Fan., January 13, 2020 - 5:12 pm UTC

Hi Connor,

This is on a PC , with 24" screen on Chrome with 100% zoom.
My thoughts -

1) the screen edges can be trimmed at both the sides to widen up the center window that contains the actual contents.

2) Need to increase font size at least by 1.5 or 2 points.

-Regards.
Connor McDonald
January 14, 2020 - 2:37 am UTC

Thanks - we'll take this on board

No CREATE CONTEXT system privilege

Paul Muller, January 14, 2020 - 6:24 pm UTC

I don't have a modern version around for testing; but at least in the v19 docs, there is no CREATE CONTEXT privilege. If you need to create a context, your schema needs CREATE ANY CONTEXT.

I think this kind of makes sense because CONTEXT objects don't exist inside a schema; but outside of it.
Connor McDonald
January 15, 2020 - 6:56 am UTC

yup. Its a "schema-less" thing.

More to Explore

Security

All of the vital components for a secure database are covered in the Security guide.