Short form of my question:
How can I enable a Role for a User within a database trigger (owned by another Schema) on a table owned by yet another Schema?
- The M's I've RTF'd indicate that a trigger (and any procedure it calls) can never execute with Invoker's Rights.
- I can't find a way to execute Set Role for a User as another User, say, System.
- I'm stuck.
- Environment: 8.1.7 on Win2k and HP-UX.
Longer form of my question:
I'm in the process of adding extra security features to our 3rd Party Student Information System, whose code I can't touch. I've successfully implemented FGAC to keep Users at a School from accessing info.at other schools. Now I need to limit which School Year's data they can update (Past, Current, Next). The Application grants Sel, Ins, Upd, Del on its tables via a Role, so I thought I'd just switch Roles when the User switched School Years (via updating her record in a Users table). Seemed like a good idea, but now I can't see how to implement it.
SQL and PL/SQL commands like Set Role, Alter Session, DBMS_Session.Set_Role, etc. only apply to the current User, which would be the Trigger Owner. I've used DBMS_System.Set_SQL_Trace_In_Session, but can't find an equivalent procedure to Set Role for another User.
BTW, the fact that there's no Invoker_Rights_Clause in the Create Trigger syntax and a section in the PL/SQL User's Guide and Reference (Ch. 7 Subprograms / Invoker Rights vs Definer Rights / Using Views and Database Triggers) are the basis for my being stuck.
The only possible way I see to do this is to create the trigger as System, then use Dynamic SQL to issue the "Alter User ... Default Role ...." command. However, I don't know if that takes effect immediately (within the User's current Session) or would take effect at the User's next login. Before I spend a bunch of time setting up a test, I thought I'd get some opinions from this very knowledgeable List.
Can I do it? How?
TIA.
Jack C. Applewhite
Database Administrator
Austin Independent School District
Austin, Texas
512.414.9715 (wk)
512.935.5929 (pager)
[EMAIL PROTECTED]
- Re: Set Role in Trigger JApplewhite
- Re: Set Role in Trigger Arup Nanda
- RE: Set Role in Trigger Pardee, Roy E
- Re: Set Role in Trigger Arup Nanda
- Re: Set Role in Trigger Tanel Poder
- Re: Set Role in Trigger Arup Nanda
- Re: Set Role in Trigger Tanel Poder
- Re: Set Role in Trigger JApplewhite
- Re: Set Role in Trigger Arup Nanda
- RE: Set Role in Trigger Pardee, Roy E
- Re: Set Role in Trigger JApplewhite
