tags:

views:

891

answers:

2
Q: 

Grants by role changed in Oracle 11g?

I tried to grant CONNECT to a user through a role:

CREATE ROLE my_role IDENTIFIED BY "passwd";
GRANT CONNECT TO my_role;

CREATE USER my_user IDENTIFIED BY "passwd";
GRANT my_role TO my_user;

When I try this in 10g it works fine, while in 11g login is rejected:

ORA-01045:user MY_USER lacks CREATE SESSION privilege; logon denied

Granting CREATE SESSION to the role does not make a difference.
I can only login after directly granting CONNECT (or CREATE SESSION) to the user.

Has Oracle changed this behavior or am I doing something wrong?

+3  A: 

I think you might have gotten away with a security "feature" in 10g. The way I read the SQL Reference and Security Guide for 11g indicates that password-enabled roles require the use of the SET ROLE my_role IDENTIFIED BY passwd before any rights granted by that role are effective.

You can't CREATE SESSION until you have the role, and you can't have the role until you issue SET ROLE.

Catch-22.

Adam Musch  2010-02-17 16:30:40
Excellent, thanks a lot! Do you have a link where this is indicated?
Peter Lang  2010-02-18 18:31:20
I don't have a link to tahiti.oracle.com's documentation, as it's availability is unreliable. CREATE ROLE and SET ROLE Syntax is in the Oracle Database SQL Language Reference 11g Release 2 (E10592-04) on Pages 15-59 and 19-60 respectively.
Adam Musch  2010-02-18 19:17:57
A: 

I tried to execute a PLSQL block where I use SET ROLE as in the example:

SQL> EXEC BEGIN DBMS_SESSION.SET_ROLE ('SMPXXX IDENTIFIED BY PASIVASXXX');INSERT INTO SMPXXX.HISTORIAL(H_ID,H_FECHA,H_FUNCEJECUTADA,H_USUARIO) VALUES(99995,sysd ate,'A','B');END; BEGIN BEGIN DBMS_SESSION.SET_ROLE ('SMPXXX IDENTIFIED BY PASIVASXXX');INSERT INT O SMPXXX.HISTORIAL(H_ID,H_FECHA,H_FUNCEJECUTADA,H_USUARIO) VALUES(99995,sysdate, 'A','B');END; END;

     *

ERROR at line 1: ORA-06550: line 1, column 90: PL/SQL: ORA-00942: table or view does not exist ORA-06550: line 1, column 71: PL/SQL: SQL Statement ignored

If I try the same by console, it´s Ok : SQL> set role SMPXXX identified by PASIVASXXX;

Role set.

SQL> INSERT INTO SMPXXX.HISTORIAL(H_ID,H_FECHA,H_FUNCEJECUTADA,H_USUARIO) VALUES (99994,SYSDATE,'A','B');

1 row created.

Has Oracle changed something between 9i and 10g? Gus

Gus  2010-04-08 14:14:51
@Gus: Welcome to StackOverflow! Your post does not seem to be an answer to my question. In order to get answers to your own question please click the `Ask Question` button top right, and post your question there. Make sure to format your question (try the buttons above the editor) and to give it proper tags (`oracle`, `oracle-10g`, `roles`)
Peter Lang  2010-04-08 15:49:33

related questions

Is there a Way to use Linq to Oracle
NHibernate and Oracle connect through Windows Authenication
Boolean Field in Oracle
How do you manage schema upgrades to a production database?
How do I deal with quotes ' in SQL
When do you use table clusters?
Oracle write to file
MS SQL Server 2008 "linked server" to Oracle : schema not showing
Develop on local Oracle instance
Resources for an Oracle beginner
What strategies have you employed to improve web application performance?
Automate Syncing Oracle Tables With MySQL Tables
Best way to encapsulate complex Oracle PL/SQL cursor logic as a view?
What Content Management does your workplace use?
What is the difference between oracle's 'yy' and 'rr' date mask?
SQL/Query tools?
How to make Pro*C cope with #warning directives?
Oracle SQL Developer not responsive when trying to view tables (or suggest an Oracle Mac client)
How big would such a database be?
Oracle - What TNS Names file am I using?
What is a good way to open large files across a WAN?
How do I find the high water mark (for sessions) on Oracle 9i
SQL Case Statement Syntax?
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?