Skip to Main Content
  • Questions

  • Not possible to revoke a grant on an invalid view from a role

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, Navinth.

Asked: March 21, 2017 - 10:12 am UTC

Last updated: August 07, 2017 - 8:42 pm UTC

Version: 12.1.0.2

Viewed 1000+ times

You Asked

During one of our framework scripts, we perform revoke operations on some views from different product areas in our application which had already been granted. There we noticed that, if a view is invalid due to some reason, the revoke operation errors out.

Problem we have in simple is:
It is not possible to revoke a grant on an invalid view from a role.

Test Case: (not the exact test case, but a simple one which expresses exaclty the same problem)
1. Create view MIDDLE_VIEW
- CREATE OR REPLACE VIEW MIDDLE_VIEW AS SELECT 1 as ONE FROM DUAL;

2. Create view FINAL_VIEW using MIDDLE_VIEW
- CREATE OR REPLACE VIEW FINAL_VIEW AS SELECT 1 as ONE FROM MIDDLE_VIEW;

3. Create role MY_ROLE
- CREATE ROLE MY_ROLE;

4. Grant FINAL_VIEW to MY_ROLE
- GRANT SELECT ON FINAL_VIEW TO MY_ROLE;

5. Drop MIDDLE_VIEW so that FINAL_VIEW become invalid
- DROP VIEW MIDDLE_VIEW;

6. Now try to revoke FINAL_VIEW from MY_ROLE
- REVOKE SELECT ON FINAL_VIEW FROM MY_ROLE;
Below error is raised:
ORA-04063: view "FINAL_VIEW" has errors


SELECT OBJECT_NAME, OBJECT_ID, OBJECT_TYPE, LAST_DDL_TIME, STATUS, TEMPORARY FROM SYS.USER_OBJECTS
WHERE OBJECT_NAME = 'FINAL_VIEW';

OBJECT_NAME OBJECT_ID OBJECT_TYPE LAST_DDL_TIME STATUS TEMPORARY
------------- --------- ------------ --------------- --------------------
FINAL_VIEW 1439956 VIEW 3/21/2017 2:13:23 PM INVALID N


SELECT * FROM SYS.ROLE_TAB_PRIVS
WHERE ROLE = 'MY_ROLE';

ROLE OWNER TABLE_NAME COLUMN_NAME PRIVILEGE GRANTABLE COMMON
MY_ROLE IFSAPP FINAL_VIEW SELECT NO N

According to the above to queries, at this time, both the Oracle Object FINAL_VIEW exists (even though it is invalid) & its grant to role MY_ROLE exists.

So I wonder why Oracle errors out here as being invalid has nothing to do with the revoke operation. Instead, it should revoke the grant.

In our application, at the point of this revoke operation, as the framework, it is not possible for us to find the cause of the invalidation or to make the view valid thus this is a real problem for us.

Is there any special reason why Oracle handles this way or is there a possible bug?

and Connor said...

That's just the way it is. To get the revoke to work, you can temporarily create the view as any valid SQL, then use the FORCE option to put the definition back, eg

<code>
SQL> create table t ( x int );

Table created.

SQL> create or replace
2 view V as select * from T;

View created.

SQL>
SQL> grant select on V to scott;

Grant succeeded.

SQL>
SQL> drop table T purge;

Table dropped.

SQL>
SQL> revoke select on V from scott;
revoke select on V from scott
*
ERROR at line 1:
ORA-04063: view "MCDONAC.V" has errors


SQL>
SQL> create or replace
2 view V as select 1 x from dual;

View created.

SQL>
SQL> revoke select on V from scott;

Revoke succeeded.

SQL>
SQL> create or replace
2 force view V as select * from T;

Warning: View created with compilation errors.

<code>

Rating

  (3 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

Navinth Bakmeedeniya, March 24, 2017 - 3:57 am UTC

Thanks for your update.

But why Oracle has implemented it in this way? Is there any special reason why Oracle blocking the revoke operation?

If Oracle proceeds the revoke operation when the view is invalid, any issue that can arise compared to the situation where view is valid? If there are no issues, why users should go for a workaround to complete the revoke instead implementing it in the expected way?

As I mentioned, I don't see any relation of revoke operation with the invalidity.
Connor McDonald
March 25, 2017 - 3:37 am UTC

It is what it is.

I have a bigger concern

Bill S., March 24, 2017 - 5:36 pm UTC

Why is your focus on the inability to revoke a grant and NOT on the fact that your view is invalid for a reason?

Fix the view, the grant becomes active and you can revoke it.

Seems eminently more sensible than asking Oracle to allow the revocation of privileges on objects that are not in a ready use state.

Monji Midani, August 07, 2017 - 7:32 am UTC

I have a task to lock any users and to revoke all privileges from these users.
There are any invalid views.
It is not my task to validate these views.
I have diffucilties to revoke privileges on invalid objects...

It is not logic to not allowed revoke privileges on invalid objects!
But it is allowed to grant privileges to locked users or to create synonyms for invalid objects....
Connor McDonald
August 07, 2017 - 8:42 pm UTC

You'd need to use the method I said before.

- remember the bad definition of the view
- replace it with a simple one
- revoke it
- replace it with the original one
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

PL/SQL demos

Check out more PL/SQL tutorials on our LiveSQL tool.

PL/SQL docs

PL/SQL reference manual from the Oracle documentation library