When invoker rights (IR) routine invoked from a View, then IR routine is no more Invoker rights rather it appear as Define routine (DR).
rajesh@ORA11GR2> create or replace function f
2 return number
3 authid current_user
4 as
5 l_cnt number;
6 begin
7 select count(*) into l_cnt
8 from dept ;
9 return l_cnt;
10 end;
11 /
Function created.
Elapsed: 00:00:00.17
rajesh@ORA11GR2> create or replace view v
2 as
3 select f from dual ;
View created.
Elapsed: 00:00:00.90
rajesh@ORA11GR2> create user a identified by a;
User created.
Elapsed: 00:00:00.36
rajesh@ORA11GR2> grant create session to a;
Grant succeeded.
Elapsed: 00:00:01.16
rajesh@ORA11GR2> grant select on v to a;
Grant succeeded.
Elapsed: 00:00:00.05
rajesh@ORA11GR2> connect a/a@ora11g
Connected.
a@ORA11GR2> select * from rajesh.v ;
F
----------
4
1 row selected.
Elapsed: 00:00:00.11
a@ORA11GR2> desc dept;
ERROR:
ORA-04043: object dept does not exist
a@ORA11GR2> desc rajesh.dept
ERROR:
ORA-04043: object rajesh.dept does not exist
a@ORA11GR2>
Eventhough the user 'A' dont have access to Dept table is still able to access this view 'V' without any issue, but this got changed starting Oracle 12c, where the user got privilege of controlling DR and IR in view using BEQUEATH Clause
rajesh@PDB1> create or replace view v
2 BEQUEATH CURRENT_USER
3 as
4 select f from dual ;
View created.
Elapsed: 00:00:00.16
rajesh@PDB1> connect a/a@pdb1
Connected.
a@PDB1>
a@PDB1> select * from rajesh.v ;
select * from rajesh.v
*
ERROR at line 1:
ORA-00942: table or view does not exist
ORA-06512: at "RAJESH.F", line 7
Elapsed: 00:00:00.02
a@PDB1>
a@PDB1> desc dept
ERROR:
ORA-04043: object dept does not exist
a@PDB1> desc rajesh.dept
ERROR:
ORA-04043: object rajesh.dept does not exist
a@PDB1>
Now the user 'A' have access to view 'v' but not to the "rajesh.dept" table, hence the access to view 'v' from schema 'A' got failed.
rajesh@ORA11GR2> create or replace function f
2 return number
3 authid current_user
4 as
5 l_cnt number;
6 begin
7 select count(*) into l_cnt
8 from dept ;
9 return l_cnt;
10 end;
11 /
Function created.
Elapsed: 00:00:00.17
rajesh@ORA11GR2> create or replace view v
2 as
3 select f from dual ;
View created.
Elapsed: 00:00:00.90
rajesh@ORA11GR2> create user a identified by a;
User created.
Elapsed: 00:00:00.36
rajesh@ORA11GR2> grant create session to a;
Grant succeeded.
Elapsed: 00:00:01.16
rajesh@ORA11GR2> grant select on v to a;
Grant succeeded.
Elapsed: 00:00:00.05
rajesh@ORA11GR2> connect a/a@ora11g
Connected.
a@ORA11GR2> select * from rajesh.v ;
F
----------
4
1 row selected.
Elapsed: 00:00:00.11
a@ORA11GR2> desc dept;
ERROR:
ORA-04043: object dept does not exist
a@ORA11GR2> desc rajesh.dept
ERROR:
ORA-04043: object rajesh.dept does not exist
a@ORA11GR2>
Eventhough the user 'A' dont have access to Dept table is still able to access this view 'V' without any issue, but this got changed starting Oracle 12c, where the user got privilege of controlling DR and IR in view using BEQUEATH Clause
rajesh@PDB1> create or replace view v
2 BEQUEATH CURRENT_USER
3 as
4 select f from dual ;
View created.
Elapsed: 00:00:00.16
rajesh@PDB1> connect a/a@pdb1
Connected.
a@PDB1>
a@PDB1> select * from rajesh.v ;
select * from rajesh.v
*
ERROR at line 1:
ORA-00942: table or view does not exist
ORA-06512: at "RAJESH.F", line 7
Elapsed: 00:00:00.02
a@PDB1>
a@PDB1> desc dept
ERROR:
ORA-04043: object dept does not exist
a@PDB1> desc rajesh.dept
ERROR:
ORA-04043: object rajesh.dept does not exist
a@PDB1>
Now the user 'A' have access to view 'v' but not to the "rajesh.dept" table, hence the access to view 'v' from schema 'A' got failed.
No comments:
Post a Comment