Authid definer is not new. It is the default authorization for pl/sql stored
procedures; before 8i, "definer" was the only choice. Now in 8i you can have
procedures where the authid is the invoker of the package. For example, you create a
pl/sql procedure for users to change their passwords. Before invoker rights the owner
of that procedure would need to be granted the "alter user" privilege and be able to
change any user's password. However, if the package runs under authid current_user,
invoker rights, the owner of the procedure does not need the "alter user" privilege.

Again, definer rights are nothing new. Direct table level grants, that is not through
roles, are needed to the owners of the procedures. Execute privilege is then granted
on the roles, and the roles granted to the necessary users. These "necessary users"
do not need and should not be granted table level privileges. An invoker of such a
procedure must either fully qualify the name of the procedure (<owner>.<procedure>), or
use some type of synonym translation, or make the default schema that of the owner of
the procedure. Procedures should be placed in packages, which cuts down on the number
of grants and synonyms needed and also helps with recompilation issues.

Ian MacGregor
Stanford Linear Accelerator Center
[EMAIL PROTECTED]
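
The two models described in the reply above, as an added example that is not part of the original thread. The schema `app_owner`, table `payroll`, role `payroll_clerk`, user `alice`, and the package and procedure names are hypothetical, and `app_owner` is assumed to own `payroll`.

```sql
-- Added example; every object, role and user name here is hypothetical.
-- Definer rights (the default): the body runs with APP_OWNER's directly
-- granted privileges, so callers need EXECUTE only, never a table grant.
CREATE OR REPLACE PACKAGE app_owner.payroll_api AUTHID DEFINER AS
  PROCEDURE give_raise(p_emp_id IN NUMBER, p_pct IN NUMBER);
END payroll_api;
/
CREATE OR REPLACE PACKAGE BODY app_owner.payroll_api AS
  PROCEDURE give_raise(p_emp_id IN NUMBER, p_pct IN NUMBER) IS
  BEGIN
    -- The package is the whole privilege boundary, so validate input here.
    IF p_pct IS NULL OR p_pct <= 0 OR p_pct > 10 THEN
      RAISE_APPLICATION_ERROR(-20001,
        'raise must be above 0 and at most 10 percent');
    END IF;
    UPDATE payroll
       SET salary = salary * (1 + p_pct / 100)
     WHERE emp_id = p_emp_id;
  END give_raise;
END payroll_api;
/
-- Run the role statements from an account allowed to create and grant roles.
CREATE ROLE payroll_clerk;
GRANT EXECUTE ON app_owner.payroll_api TO payroll_clerk;
GRANT payroll_clerk TO alice;
-- alice can call app_owner.payroll_api.give_raise(...), but a direct
-- SELECT or UPDATE on app_owner.payroll still fails for her.

-- Invoker rights: the body runs with the caller's privileges. A user may
-- change their own password, so the owner needs no ALTER USER privilege.
CREATE OR REPLACE PROCEDURE app_owner.change_my_password(p_new IN VARCHAR2)
  AUTHID CURRENT_USER AS
BEGIN
  -- The password is concatenated into DDL; refuse embedded double quotes
  -- so the caller cannot break out of the quoted token.
  IF p_new IS NULL OR INSTR(p_new, '"') > 0 THEN
    RAISE_APPLICATION_ERROR(-20002,
      'password must not be empty or contain a double quote');
  END IF;
  EXECUTE IMMEDIATE
    'ALTER USER "' || USER || '" IDENTIFIED BY "' || p_new || '"';
END change_my_password;
/
GRANT EXECUTE ON app_owner.change_my_password TO PUBLIC;
```
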

-----Original Message-----
Sent: Thursday, June 28, 2001 8:03 AM
To: Multiple recipients of list ORACLE-L


What is authid definer? Every day something new.

Alex Hillman

-----Original Message-----
Sent: Thursday, June 28, 2001 7:04 AM
To: Multiple recipients of list ORACLE-L



One of our app development teams started out with lots of pl/sql and
role based security, and found that roles are useless cause you have to
grant the table level privs anyway to get the procedures to work.

We are considering switching to Authid Definer for several reasons:
- Roles need only contain execute privs for the procedures (no table
level grants required)
- private synonyms not needed anymore (all objects are resolved in the
definers schema)
- No need for table level GRANTs any more (cause all procedures/funcs
run as the table/proc owner)
Sounds too good to be true. Any gotchas to switching to authid Definer?
Is this the preferred direction for app development, rather than the
role/table grants nightmare?

Rgds
Mark Teehan
Singapore


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Mark Teehan
  INET: [EMAIL PROTECTED]

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).