7 Access Control for PL/SQL Programs

TimesTen has features to control database access with object-level resolution for database objects such as tables, views, materialized views, indexes, sequences, functions, procedures, and packages, for example. You can refer to "Managing Access Control" in Oracle TimesTen In-Memory Database Operations Guide for introductory information about TimesTen access control features.

This chapter introduces access control as it relates to PL/SQL users.

Note:

Access control is enabled when you install TimesTen. You cannot disable it.

Topics in this chapter include the following:

Access control for PL/SQL operations

This section covers the following topics:

Required privileges for PL/SQL statements and operations

For PL/SQL users, access control affects the ability to create, alter, drop, or execute PL/SQL procedures and functions, including packages and their member procedures and functions.

You need the CREATE PROCEDURE privilege to create a procedure, function, package definition, or package body if it is being created in your own schema, or CREATE ANY PROCEDURE if it is being created in any schema other than your own. To alter or drop a procedure, function, package definition, or package body, you must be the owner or have the ALTER ANY PROCEDURE privilege or DROP ANY PROCEDURE privilege, respectively.

To execute a procedure or function, you must be the owner, have the EXECUTE privilege for the procedure or function (or for the package to which it belongs, if applicable), or have the EXECUTE ANY PROCEDURE privilege. This is all summarized in Table 7-1.

Table 7-1 Privileges for using PL/SQL procedures and functions

Action SQL statement or operation Required Privilege

Create a procedure, function, package definition, or package body.

CREATE [OR REPLACE] PROCEDURE

CREATE [OR REPLACE] FUNCTION

CREATE [OR REPLACE] PACKAGE

CREATE [OR REPLACE] PACKAGE BODY

CREATE PROCEDURE in user's schema

Or:

CREATE ANY PROCEDURE in any other schema

Alter a procedure, function, or package.

ALTER PROCEDURE

ALTER FUNCTION

ALTER PACKAGE

Ownership of the procedure, function, or package

Or:

ALTER ANY PROCEDURE

Drop a procedure, function, package definition, or package body.

DROP PROCEDURE

DROP FUNCTION

DROP PACKAGE

DROP PACKAGE BODY

Ownership of the procedure, function, or package

Or:

DROP ANY PROCEDURE

Execute a procedure or function.

Invoke the procedure or function.

Ownership of the procedure or function, or of the package to which it belongs (if applicable)

Or:

EXECUTE for the procedure or function, or for the package to which it belongs (if applicable)

Or:

EXECUTE ANY PROCEDURE

Create a private synonym for a procedure, function, or package.

CREATE [OR REPLACE] SYNONYM

CREATE SYNONYM in user's schema

Or:

CREATE ANY SYNONYM in any other schema

Create a public synonym for a procedure, function, or package.

CREATE [OR REPLACE] PUBLIC SYNONYM

CREATE PUBLIC SYNONYM

Use a synonym to execute a procedure or function.

Invoke the procedure or function through its synonym.

Privilege to execute the underlying procedure or function

Drop a private synonym for a procedure, function, or package.

DROP SYNONYM

Ownership of the synonym

Or:

DROP ANY SYNONYM

Drop a public synonym for a procedure, function, or package.

DROP PUBLIC SYNONYM

DROP PUBLIC SYNONYM


See "SQL Statements" in Oracle TimesTen In-Memory Database SQL Reference for the syntax and required privileges of SQL statements discussed in this section.

Notes:

  • A user who has been granted privilege to execute a procedure (or function) can execute the procedure even if he or she has no privilege on other procedures that the procedure calls. For example, consider a stored procedure user2.proc1 that executes procedure user2.proc2. If user1 is granted privilege to execute proc1 but is not granted privilege to execute proc2, he could not run proc2 directly but could still run proc1.

  • Privilege to execute a procedure or function allows implicit compilation of the procedure or function if it is invalid or not compiled at the time of execution.

  • When CREATE OR REPLACE results in an object (such as a procedure, function, package, or synonym) being replaced, there is no effect on privileges that any users had previously been granted on that object. This is as opposed to when there is an explicit DROP and then CREATE to re-create an object, in which case all privileges on the object are revoked.

Granting and revoking privileges

Use the SQL statement GRANT to grant a privilege. Use REVOKE to revoke one.

The following example grants EXECUTE privilege to user2 for a procedure and a package that user1 owns:

Command> grant execute on user1.myproc to user2;
Command> grant execute on user1.mypkg to user2;

This example revokes the privileges:

Command> revoke execute on user1.myproc from user2;
Command> revoke execute on user1.mypkg from user2;

Example 7-1 Granting of required privileges

This example shows a series of attempted operations by a user, user1, as follows:

  1. The user attempts each operation before having the necessary privilege. The resulting error is shown.

  2. The instance administrator grants the necessary privilege.

  3. The user successfully performs the operation.

The ttIsql utility is used by user1 to perform (or attempt) the operations and by the instance administrator to grant privileges.

USER1:

Initially the user does not have permission to create a procedure. That must be granted even in his or her own schema.

Command> create procedure testproc is
       > begin
       > dbms_output.put_line('user1.testproc called');
       > end;
       > /
15100: User USER1 lacks privilege CREATE PROCEDURE
The command failed.

Instance administrator:

Command> grant create procedure to user1;

USER1:

Once user1 can create a procedure in his own schema, he can execute it because he owns it.

Command> create procedure testproc is
       > begin
       > dbms_output.put_line('user1.testproc called');
       > end;
       > /
 
Procedure created.
 
Command> begin
       > testproc();
       > end;
       > /
user1.testproc called
 
PL/SQL procedure successfully completed.
 

The user cannot yet create a procedure in another schema, though.

Command> create procedure user2.testproc is
       > begin
       > dbms_output.put_line('user2.testproc called');
       > end;
       > /
15100: User USER1 lacks privilege CREATE ANY PROCEDURE
The command failed.

Instance administrator:

Command> grant create any procedure to user1;

USER1:

Now user1 can create a procedure in another schema, but he cannot execute it yet because he does not own it or have privilege.

Command> create procedure user2.testproc is
       > begin
       > dbms_output.put_line('user2.testproc called');
       > end;
       > /
 
Procedure created.

Command> begin
       > user2.testproc();
       > end;
       > /
 8503: ORA-06550: line 2, column 7:
PLS-00904: insufficient privilege to access object USER2.TESTPROC
 8503: ORA-06550: line 2, column 1:
PL/SQL: Statement ignored
The command failed.

Instance administrator:

Command> grant execute any procedure to user1;

USER1:

Now user1 can execute a procedure in another schema.

Command> begin
       > user2.testproc();
       > end;
       > /
user2.testproc called
 
PL/SQL procedure successfully completed.

Invalidated objects

When a privilege on an object is revoked from a user, all of that user's PL/SQL objects that refer to that object are temporarily invalidated. Once the privilege has been restored, a user can explicitly recompile and revalidate an object by executing ALTER PROCEDURE, ALTER FUNCTION, or ALTER PACKAGE, as applicable, on the object. Alternatively, each object is recompiled and revalidated automatically the next time it is executed.

For example, if user1 has a procedure user1.proc0 that calls user2.proc1, proc0 becomes invalid if EXECUTE privilege for proc1 is revoked from user1.

Use the following to see if any of your objects are invalid:

select * from user_objects where status='INVALID';

See "SQL Statements" in Oracle TimesTen In-Memory Database SQL Reference for information about the ALTER statements.

Example 7-2 Invalidated object

This example shows a sequence that results in an invalidated object, in this case a PL/SQL procedure, as follows:

  1. A user is granted CREATE ANY PROCEDURE privilege, creates a procedure in another user's schema, then creates a procedure in his own schema that calls the procedure in the other user's schema.

  2. The user is granted EXECUTE privilege to execute the procedure in the other user's schema.

  3. The user executes the procedure in his schema that calls the procedure in the other user's schema.

  4. EXECUTE privilege for the procedure in the other user's schema is revoked from the user, invalidating the user's own procedure.

  5. EXECUTE privilege for the procedure in the other user's schema is granted to the user again. When he executes his own procedure, it is implicitly recompiled and revalidated.

Instance administrator:

Command> grant create any procedure to user1;

USER1:

Command> create procedure user2.proc1 is
       > begin
       > dbms_output.put_line('user2.proc1 is called');
       > end;
       > /
 
Procedure created.
 
Command> create procedure user1.proc0 is
       > begin
       > dbms_output.put_line('user1.proc0 is called');
       > user2.proc1;
       > end;
       > /
 
Procedure created.
 

Instance administrator:

Command> grant execute on user2.proc1 to user1;

USER1:

Command> begin
       > user1.proc0;
       > end;
       > /
user1.proc0 is called
user2.proc1 is called
 
PL/SQL procedure successfully completed.
 

And to confirm user1 has no invalid objects:

Command> select * from user_objects where status='INVALID';
0 rows found.

Instance administrator:

Now revoke the EXECUTE privilege from user1.

Command> revoke execute on user2.proc1 from user1;

USER1:

Immediately, user1.proc0 becomes invalid because user1 no longer has privilege to execute user2.proc1.

Command> select * from user_objects where status='INVALID';
< PROC0, <NULL>, 273, <NULL>, PROCEDURE, 2009-06-04 14:51:34, 2009-06-04 14:58:23,
2009-06-04:14:58:23, INVALID, N, N, N, 1, <NULL> >
1 row found.

So user1 can no longer execute the procedure.

Command> begin
       > user1.proc0;
       > end;
       > /
 8503: ORA-06550: line 2, column 7:
PLS-00905: object USER1.PROC0 is invalid
 8503: ORA-06550: line 2, column 1:
PL/SQL: Statement ignored
The command failed.

Instance administrator:

Again grant EXECUTE privilege on user2.proc1 to user1.

Command> grant execute on user2.proc1 to user1;

USER1:

The procedure user1.proc0 is still invalid until it is either explicitly or implicitly recompiled. It is implicitly recompiled when it is executed, as shown here. Or ALTER PROCEDURE could be used to explicitly recompile it.

Command> select * from user_objects where status='INVALID';
< PROC0, <NULL>, 273, <NULL>, PROCEDURE, 2009-06-04 14:51:34, 2009-06-04 16:13:00,
2009-06-04:16:13:00, INVALID, N, N, N, 1, <NULL> >
1 row found.
Command> begin
       > user1.proc0;
       > end;
       > /
user1.proc0 is called
user2.proc1 is called
 
PL/SQL procedure successfully completed.
 
Command> select * from user_objects where status='INVALID';
0 rows found.

Access control for SQL operations

For any query or SQL DML statement executed in an anonymous block, or any SQL DDL statement executed in an EXECUTE IMMEDIATE statement, including all such operations discussed in this document or used in any example, it is assumed that the user has appropriate privilege to execute the statement and access the desired objects. SQL executed in a PL/SQL anonymous block requires the same privilege as when executed directly. For example, to insert rows of data into a table you own, no privilege is required. If you want to insert rows of data into a table you do not own, you must be granted INSERT privilege on that table or granted INSERT ANY TABLE.

Refer to "SQL Statements" in Oracle TimesTen In-Memory Database SQL Reference for details SQL statements and their required privileges.

Definer's rights and invoker's rights

When a PL/SQL procedure or function is defined, the optional AUTHID clause of the CREATE FUNCTION or CREATE PROCEDURE statement specifies whether the function or procedure executes with definer's rights (AUTHID DEFINER, the default) or invoker's rights (AUTHID CURRENT_USER). Similarly, for procedures or functions in a package, the AUTHID clause of the CREATE PACKAGE statement specifies whether each member function or procedure of the package executes with definer's rights or invoker's rights. The AUTHID clause is shown in the syntax documentation for these statements, under "SQL Statements" in Oracle TimesTen In-Memory Database SQL Reference.

The AUTHID setting affects the name resolution and privilege checking of SQL statements that a procedure or function issues at runtime. With definer's rights, SQL name resolution and privilege checking operate as though the owner of the procedure or function (the definer, in whose schema it resides) is running it. With invoker's rights, SQL name resolution and privilege checking simply operate as though the current user (the invoker) is running it.

Invoker's rights would be useful in a scenario where you might want to grant broad privileges for a body of code, but would want that code to affect only each user's own objects in his or her own schema.

Definer's rights would be useful in a situation where you want all users to have access to the same centralized tables or other SQL objects, but only for the specific and limited actions that are executed by the procedure. The users would not have access to the SQL objects otherwise.

See "Examples using the AUTHID clause" for examples using definer's and invoker's rights.

Refer to "Invoker's Rights and Definer's Rights (AUTHID Property)" in Oracle Database PL/SQL Language Reference for additional information.

Additional access control considerations

This section covers the following:

Access control for connections and connection attributes

Note the following when connecting to the database:

  • Privilege to connect to a database must be explicitly granted to every user, other than the instance administrator, through the CREATE SESSION privilege. This is a system privilege so must be granted to the user either by the instance administrator or by a user with ADMIN privilege. This can be accomplished either directly or through the PUBLIC role. Refer to "Managing Access Control" in Oracle TimesTen In-Memory Database Operations Guide for additional information and examples.

  • Required privileges for PL/SQL connection attributes are included in "PL/SQL connection attributes".

Access control for system views and supplied packages

Note the following regarding access to system views and PL/SQL supplied packages.

  • SELECT and EXECUTE privileges on various system tables, system views, PL/SQL functions, PL/SQL procedures, and PL/SQL packages are granted by default to all users through the PUBLIC role, of which all users are a member. This role is documented in "Privileges" in Oracle TimesTen In-Memory Database SQL Reference. Use the following command to see the list of these public database objects and the associated privileges:

    SELECT table_name, privilege FROM sys.all_tab_privs 
    WHERE grantee='PUBLIC';
    

    All users have SELECT privilege for the ALL_* and USER_* system views.

  • EXECUTE ANY PROCEDURE does not apply to supplied packages; however, most are accessible through the PUBLIC role. Access control for PL/SQL packages provided with TimesTen is noted at the beginning of Chapter 8, "TimesTen Supplied PL/SQL Packages."

Access control for built-in procedures relating to PL/SQL

The ttPLSQLMemoryStats built-in procedure, which returns statistics about library cache performance and activity, can be called by any user. This procedure is documented under "ttPLSQLMemoryStats" in Oracle TimesTen In-Memory Database Reference. Also see Example 6-3.