How about asking for only the private you need
Ramon Caballero, August 02, 2018 - 6:49 pm UTC
Even though the answer is correct; maybe the DBAs don't want you to have more privileges that what you need.
Request the DBA to grant you:
grant select on v_$session to youruser;
If they say no, then you cannot create your package.
August 03, 2018 - 4:46 pm UTC
True, that's a discussion for the OP to have with their DBAs.
Maybe you can find what you need elsewhere?
Tubby, August 02, 2018 - 7:35 pm UTC
August 03, 2018 - 4:47 pm UTC
Good suggestion.
kishore, August 03, 2018 - 2:46 am UTC
Thanks Chris Saxon.
Can we grant specific privileges from system user to application user so that a user can use v$session in plsql. Right now we are using select any dictionary and select catalog role but customers are raising the concerns to avoid these privileges. Can we grant specific privilege from system user so that application user can use in plsql. We are using v$session and alter system privilege for the killing the sessions. Your thoughts can be helpful to us.
August 03, 2018 - 4:35 pm UTC
Yes, "select any dictionary" and "select catalog" are privileges to avoid!
I'm not sure what you're trying to do here. Could you clarify?
A reader, August 06, 2018 - 3:04 am UTC
In our application we are trying to kill the session from the UI if the query is running more than 10 mins.
SELECT SID, SERIAL#, INST_ID FROM gv$session -- RAC
SELECT sid, serial#, sys_context('userenv', 'instance') FROM v$session WHERE username = UPPER(p_session_user) AND audsid = TO_NUMBER(p_sessionid); -- in a procedure.
Currently we are using select any dictionary and alter system privilege for a application user, where we can kill the session from the user.
SELECT ANY DICTIONARY privilege can select/view all the data dictionary objects, now we want to remove this privileges and we are looking for alternate to perform this. Is this possible and it should grant from system user only but not from the sys user. Please suggest me if any alternate are there.
August 06, 2018 - 10:31 am UTC
So you want to get rid of long-running queries?
Sounds like you want to use the resource manager. This allows you to:
Manage runaway sessions or calls in the following ways:
* By detecting when a session or call consumes more than a specified amount of CPU, physical I/O, logical I/O, or elapsed time, and then automatically either terminating the session or call, or switching to a consumer group with a lower resource allocation or a limit on the percentage of CPU that the group can use
* A logical I/O, also known as a buffer I/O, refers to reads and writes of buffers in the buffer cache. When a requested buffer is not found in memory, the database performs a physical I/O to copy the buffer from either disk or the flash cache into memory, and then a logical I/O to read the cached buffer.
* By recording detailed information about SQL statements that consume more than a specified amount of CPU, physical I/O, logical I/O, or elapsed time with real-time SQL monitoring
* By using the Automatic Workload Repository (AWR) to analyze a persistent record of SQL statements that consume more than a specified amount of CPU, physical I/O, logical I/O, or elapsed time
* By logging information about a runaway session without taking any other action related to the session https://docs.oracle.com/en/database/oracle/oracle-database/18/admin/managing-resources-with-oracle-database-resource-manager.html#GUID-040A4CC4-B8B3-40F8-9984-FA79D46521BB
Other possibility?
Dieter, August 13, 2018 - 1:46 pm UTC
Maybe I misunderstood the original poster's request, but I think we had a similar requirement serveral years ago.
IIRC to fulfill those, we created a view V_APP_SESSION for a privileged user on V$session, that only selects those rows that belongs to the application in question ("where s.PROGRAM = 'myapp.exe'"). Then we GRANTED SELECT on V_APP_SESSION to the application user.
We also created a package KILL_APP_SESSION that can kill sessions with the proper program name only.
August 15, 2018 - 11:51 pm UTC
nice input
A reader, August 16, 2018 - 1:28 am UTC
I tried creating a view as below from system user for v$session, it is throwing error like "ORA-01031: insufficient privileges".
create or replace view v_app_session as select * from v$session;
and also tried with sys.v_$session and getting same error.
create or replace view v_app_session as select * from sys.v_$session;
And we dont have access to sys user to create a view on v_$session. How to get the session information to a normal user without select any dictionary privilege or is there any other alternate to get the session information?
August 18, 2018 - 1:17 pm UTC
The object is owned by SYS, so SYS must be used be to give access rights.
SQL> conn demo/demo
Connected.
SQL> select count(*) from v$session;
select count(*) from v$session
*
ERROR at line 1:
ORA-00942: table or view does not exist
SQL> conn sys/admin as sysdba
Connected.
SQL> grant select on v_$session to demo;
Grant succeeded.
SQL> conn demo/demo
Connected.
SQL> select count(*) from v$session;
COUNT(*)
----------
48
A reader, August 18, 2018 - 2:32 pm UTC
Yes the v$ views are owned by the sys user. But we dont have access to sys user to grant permission from sys user. We create our application user and grant permissions from system user only. So we are looking any other alternate permission or solution to access v$session other than select_any_dicitionary system privilege or select catalog role.
August 20, 2018 - 3:49 am UTC
*Someone* must have SYS access (althought it might not be you)...and it will need to be *them* that grants you the access to read it.
There is not any way around this
Use custom function
Steef D., September 19, 2018 - 8:47 am UTC
We also needed a regular user without access to v$session to cleanup sessions. A function will execute with the privileges of the owning schema, so you create a function for that user you can execute it from the user without the required privilege.
So IFH_OWNER has access to v$session, user id854812 doesn't :
As id854812:
select count(*) from v$session
ORA-00942: table or view does not exist
As IFH_OWNER:
select count(*) from v$session
56
create or replace function getSessionCount return int
as
vCnt int;
begin
select count(*) into vCnt from v$session;
return( vCnt);
end;
/
select getSessionCount from dual;
56
grant execute on getSessionCount to id854812;
As id854812:
select ifh_owner.getSessionCount from dual;
56
September 19, 2018 - 10:28 am UTC
Yes. Though someone needs to grant IFH_OWNER v$session access in the first place.
Trucho
Trucho, October 26, 2022 - 3:20 pm UTC
If you want use v$session table in a Store Procedure, you need to grant permissions from within the SYS schema.
But if you have a database with containers, you may have some complications. Look:
----
C:\>sqlplus /nolog
SQL*Plus: Release 21.0.0.0.0 - Production on Wed Oct 26 16:47:54 2022
Version 21.3.0.0.0
Copyright (c) 1982, 2021, Oracle. All rights reserved.
SQL> connect sys/aaaaa@xeraiz as sysdba
Connected.
SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
3 XEPDB1 READ WRITE NO
SQL> grant select on v_$session to teideusr;
grant select on v_$session to teideusr
*
ERROR at line 1:
ORA-01917: user or role 'TEIDEUSR' does not exist
SQL> select username from dba_users where username = 'TEIDEUSR';
no rows selected
----
We did not find this Schema because it is in another container.
We are going to change to the container where it is.
(We are still SYS)
----
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> alter session set container=xepdb1;
Session altered.
SQL> show con_name
CON_NAME
------------------------------
XEPDB1
SQL> select username from dba_users where username = 'TEIDEUSR';
USERNAME
------------------------------
TEIDEUSR
SQL> grant select on v_$session to teideusr;
Grant succeeded.
----
Now you can use the v$session table in a Store procedure.
What about public synonyms?
Anatolii Batura, January 24, 2024 - 10:03 pm UTC
What about public synonyms?
Do I understand correctly, that for system V_$... views the usage of public synonyms does not solve the problem?
This is a difference with normal tables/views...
I tried - 'table not found'
Will try to grant SELECT for a specific User (not SYS) for v_$session...
January 25, 2024 - 5:55 am UTC
You can't grant on a synonym, you need to grant on the underlying objects.
Clear, thank you!
Anatolii Batura, January 25, 2024 - 6:54 am UTC
Clear, thank you!
January 25, 2024 - 2:53 pm UTC
You're welcome