This document discusses granting Oracle schema permissions to users when objects have not yet been created. It describes creating a read only role, granting the role to users, and using a DDL trigger to automatically grant permissions to new objects upon their creation. The trigger submits a DBMS job to execute a grant statement, allowing the role and permissions to take effect immediately. Finally, it provides notes on using this approach and offers to demonstrate it further if time allows.
Granting Oracle Schema Permissions when Objects not Created Yet
1. Granting Oracle Schema Permissions When Objects not Created Yet!
Session ID: 1198
Wednesday, April 13, 2016, 12 – 12:30pm
Prepared by: Mike Gangler – Senior Database Specialist, Secure-24 – @mjgangler – Mjgangler@yahoo.com
Jasmine B
2. About Mike Gangler
• Oracle ACE with robust database credentials
• DBA for over 28 years, working with Oracle since version 4
• Team Lead and Senior Database Specialist at Secure-24
• Currently serving on the board of the Southeast Michigan Oracle Professionals (SEMOP) group – www.meetup.com
• Charter member of the Board of Directors for the International Oracle Users Group (IOUG) – www.ioug.org
• Follow me on my blog http://mjgangler.wordpress.com and on Twitter! @mjgangler
3. About Secure-24
FOUNDED: Secure-24 was founded in 2001 and since then has grown to 500+ employees and has received recognition as one of Computerworld’s Best Places to Work in IT, 3 years running.
HEADQUARTERS: Secure-24 is headquartered in Southfield, MI.
GLOBAL OPERATION CENTERS: Serving customers around the globe, Secure-24 has two (2) Operation Centers in Michigan, one (1) in Nevada and one (1) in Hyderabad, India.
DATA CENTERS: Secure-24 has three (3) data centers in Michigan, one (1) in Nevada, plus several global partnerships. We only choose the safest locations for our data centers.
Secure-24 has 15 years of experience delivering managed IT operations, application hosting and cloud services to enterprises worldwide. We manage SAP, Hyperion, PeopleSoft, JD Edwards, Oracle E-Business Suite and other mission critical applications across all industries for businesses of every size.
4. Communities Education
Join for as low as $150
SELECT Journal, Resource Center, IOUG Press, Webinars & Podcasts, IOUG Forum, 5 Minute Briefing
Plus get access to IOUG’s content library, peer-to-peer networking, and more!
Corporate options also available!
5. Oracle Conferences in Detroit Area
Southeast Michigan Oracle Professionals
http://www.meetup.com/SouthEast-Michigan-Oracle-Professionals/
Meet monthly – 2nd Tuesday of the month
Michigan Oracle User Summit
November 3, 2016
http://www.mous.us
6. Great Lakes Oracle Conference
• 2016 Great Lakes Oracle Conference (GLOC)
• May 18 & 19, 2016
Cleveland Public Auditorium
Cleveland, OH
https://www.neooug.org/gloc/
7. Today's Discussion
Learn how Secure-24 uses roles and a simple DDL trigger to grant “Read Only” access to objects that have not been created yet.
This capability is quite common in MS SQL Server and is needed for many database systems.
8. Pre-Steps – User Steps
• Create a read only role in the database
– > create role IOUG_READONLY;
9. Pre-Steps – User Steps
• Grant the role to the user requiring read only access
– > grant IOUG_READONLY to IOUG_USER;
– > alter user IOUG_USER default role all;
** Note – the role must be a default role for the user (DEFAULT_ROLE = YES in DBA_ROLE_PRIVS), or the user will have to enable it in every session:
>> alter session set role=IOUG_READONLY;
>> 12c – set role ioug_readonly;
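The role setup from slides 8 and 9, followed by the checks a DBA would run to confirm the default-role setting and that the role is genuinely read only. This is an added example, not code from the original deck; the role and user names (IOUG_READONLY, IOUG_USER) are the deck's own, and the queries assume DBA access to the DBA_* views.

```sql
-- Added example: role setup from the deck plus verification queries.
-- Run as a DBA in SQL*Plus; IOUG_READONLY and IOUG_USER are the deck's names.
create role IOUG_READONLY;
grant IOUG_READONLY to IOUG_USER;
alter user IOUG_USER default role all;

-- Check 1: is the role a default role for the user? DEFAULT_ROLE must read YES,
-- otherwise IOUG_USER has to enable it explicitly in every session.
select grantee, granted_role, default_role
  from dba_role_privs
 where grantee = 'IOUG_USER'
   and granted_role = 'IOUG_READONLY';

-- Check 2 (run while connected as IOUG_USER): which roles are active right now?
-- If IOUG_READONLY is missing from the result, enable it for the session:
--   set role IOUG_READONLY;
select role from session_roles;

-- Check 3: a read-only role should carry nothing but SELECT object grants and
-- no system privileges. Both queries should return no rows.
select privilege, owner, table_name
  from dba_tab_privs
 where grantee = 'IOUG_READONLY'
   and privilege <> 'SELECT';

select privilege
  from dba_sys_privs
 where grantee = 'IOUG_READONLY';
```

Check 3 is the one worth keeping in a periodic review: the trigger on the next slide only ever adds SELECT grants to the role, so any other privilege showing up there was granted by hand and deserves a look.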
10. DDL Trigger
CREATE OR REPLACE TRIGGER AFTER_DDL AFTER DDL ON IOUG_OBJECTS.SCHEMA
declare
  v_sysevent varchar2(25);
  v_message  varchar2(255);
  l_job      number;
begin
  -- which DDL event fired the trigger (CREATE, ALTER, DROP, ...)
  select ora_sysevent into v_sysevent from dual;
  if ( v_sysevent in ('CREATE') )
  then
    -- build the job text; the double quotes are placeholders that are
    -- turned into single quotes below, so the job receives:
    --   execute immediate 'grant select on IOUG_OBJECTS.<object> to IOUG_READONLY';
    v_message := 'execute immediate "grant select on IOUG_OBJECTS.'||ora_dict_obj_name||' to IOUG_READONLY";';
    -- DDL is not allowed inside a DDL trigger, so the grant is queued as a
    -- DBMS_JOB that runs once the CREATE has committed
    dbms_job.submit (l_job, replace(v_message,'"','''') ) ;
  end if;
end;
/
11. Results
Now whenever a new object gets created, the grant to the role is made via the PL/SQL trigger and dbms_job. The following is a test output:
connect IOUG_OBJECTS/pw
IOUG_OBJECTS@IOUGDEV > create table foo1 (col1 varchar2(255));
Table created.
IOUG_OBJECTS@IOUGDEV > connect IOUG/pw
Connected.
IOUG@IOUGDEV > select * from IOUG_OBJECTS.foo1;
no rows selected
IOUG@IOUGDEV > desc IOUG_OBJECTS.foo1;
Name      Null?    Type
--------- -------- --------------
COL1               VARCHAR2(255)
12. DDL Trigger - Notes
NOTES:
• Must use dbms_job.submit in order for the grant to the role to be made; DDL cannot be executed directly inside a DDL trigger.
• Unless you have a public synonym, you may need to add the schema name prior to the object name.
• The default role must be set to true (DEFAULT_ROLE = YES) or you will need to alter the session to enable that read only role.
• Please let me know if this works for you, and big thanks to “Ask Tom” who helped me resolve the PL/SQL and DDL issue. Also, please let me know if there is an automatic way to do this in Oracle.
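A defensive variant of the slide 10 trigger, together with the checks for the queued job and the resulting grant. This is an added example, not code from the original deck: the schema, role and trigger names are the deck's own, while the object-type filter, the DBMS_ASSERT quoting of the identifiers and the use of ORA_DICT_OBJ_OWNER are additions of mine. It assumes DBA access for the verification queries.

```sql
-- Added example: hardened form of the deck's trigger plus verification queries.
-- Names (IOUG_OBJECTS, IOUG_READONLY, AFTER_DDL) are taken from the deck.
CREATE OR REPLACE TRIGGER AFTER_DDL AFTER DDL ON IOUG_OBJECTS.SCHEMA
DECLARE
  v_stmt  VARCHAR2(4000);
  l_job   NUMBER;
BEGIN
  -- Only queue a grant for object types that accept SELECT. A bare CREATE
  -- filter also fires for indexes, triggers and procedures, whose grant job
  -- would simply fail and accumulate as a broken job in DBA_JOBS.
  IF ora_sysevent = 'CREATE'
     AND ora_dict_obj_type IN ('TABLE', 'VIEW', 'SEQUENCE')
  THEN
    -- Quote owner and object name so that an unusual object name cannot change
    -- the shape of the statement. The doubled single quotes produce the literal
    -- that EXECUTE IMMEDIATE receives when the job runs.
    v_stmt := 'EXECUTE IMMEDIATE ''GRANT SELECT ON '
              || dbms_assert.enquote_name(ora_dict_obj_owner, FALSE)
              || '.'
              || dbms_assert.enquote_name(ora_dict_obj_name, FALSE)
              || ' TO IOUG_READONLY'';';
    -- DDL is not allowed inside a DDL trigger, so defer the GRANT to a job
    -- that runs as soon as the creating statement has committed.
    dbms_job.submit(l_job, v_stmt);
  END IF;
END;
/

-- Check 1: the trigger exists and is enabled.
SELECT trigger_name, triggering_event, base_object_type, status
  FROM dba_triggers
 WHERE owner = 'IOUG_OBJECTS'
   AND trigger_name = 'AFTER_DDL';

-- Check 2: after a CREATE TABLE the job should have run and disappeared. Any
-- row still here with BROKEN = 'Y' or FAILURES > 0 means the grant did not
-- happen; the WHAT column shows the exact statement that failed.
SELECT job, what, broken, failures, next_date
  FROM dba_jobs
 WHERE what LIKE '%IOUG_READONLY%';

-- Check 3: the grant itself, one row per new table/view/sequence.
SELECT owner, table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE grantee = 'IOUG_READONLY'
   AND owner = 'IOUG_OBJECTS'
 ORDER BY table_name;
```

Two operational caveats: the queued grant only runs if the job queue is active (JOB_QUEUE_PROCESSES must be greater than zero), and because the grant is asynchronous there is a short window after the CREATE in which a read-only user will still get ORA-00942 on the new object. Check 2 is the query to run when that window seems to last longer than it should.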
14. Visit Secure-24 in booth #1315!
• Enter for a chance to win a $5,000 travel gift card!
• Meet with other S-24 executives and technical resources
• Discuss your organization’s Cloud Strategy for 2016
• Learn more about our capabilities with Oracle’s Virtual Compute Appliance
16. Please complete the session evaluation
Paper – 1198
Author – Mike Gangler
We appreciate your feedback and insight.
You may complete the session evaluation via the mobile app.