
14/10/2015 Document 168168.


Getting ORA-942 or ORA-1031 and PLS-201 or ORA-28111 in PL/SQL, works in SQL*Plus (Doc ID 168168.1)

APPLIES TO:

Oracle Database Enterprise Edition Version 9.2.0.8 to 12.1.0.2 [Release 9.2 to 12.1]
Information in this document applies to any platform.
Checked for relevance on 08 MAR 2013

Document Details

Type: BULLETIN
Status: PUBLISHED
Last Major Update: 19 Aug 2015
Last Update: 19 Aug 2015

PURPOSE

The purpose of the document is to show the limitations of privileges assigned to roles.

Due to these limitations, you may get errors in PL/SQL procedures/packages when accessing certain objects or packages, but the same code works from directly run SQL.

Note: The limitations affect both regular roles and global roles.

The flagged errors are ORA-00942 or ORA-01933 or ORA-01031 and ORA-06512 or PLS-00201 and ORA-06550 or ORA-28111 with Fine Grained Auditing (FGA). The generated errors may differ in each release.

SCOPE

This note is appropriate for DBAs and developers. It intends to focus on limitations of roles and privileges. It shows which errors are typically flagged and how to detect which privileges are granted directly and which privileges are granted via roles.

A. Environment users/roles/privileges used
B. Example: creating a view via a role generates ORA-00942 or ORA-01933 or ORA-1031
C. Example: creating a procedure via a role generates PLS-00201, ORA-06550
D. Example: creating a table via a role generates ORA-01031, ORA-06512
E. Example: select privilege via a role generates ORA-00942
F. Example: ORA-28111: insufficient privilege to evaluate policy predicate in combination with FGA
DETAILS

Roles that are granted to one user cannot be applied to another by intermediate objects such as views or PL/SQL procedures. Roles exist in sessions and are associated with a user in an active session only; the privileges of a role cannot be transferred to objects.

If you're accessing tables/views in a PL/SQL procedure or package and getting either ORA-1031 or ORA-942 (or PLS-201), but the same select/update/insert/delete works fine in SQL only, then you need to check if the privileges have been granted to the user creating the procedure via a role. Privileges granted via role do not work inside stored procedures that are created with definer's rights.

Limitations of Privileges and Roles: Stored PL/SQL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Roles are disabled when stored procedures or packages are executed.

A user executing a procedure or package can perform actions against objects (select a table, select a view, create a table, create a view, create a trigger). When the necessary privileges are granted to this user indirectly via a role, the result is ORA-00942 or ORA-01933 or ORA-01031 and ORA-06512 or PLS-00201 and ORA-06550.
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=398557307624008&parent=DOCUMENT&parent=DOCUMENT&sourceId=1347470. 1/7
These actions are successful when the necessary privileges are granted directly to the user.

This means that the user executing the procedure or package should be granted the privileges required to perform the actions against objects directly.

A user cannot acquire a privilege via a role if he needs that privilege when executing a stored procedure or function or package. If the user issues the same statements in SQL, it works as the user can use the privileges granted via a role.

Another limitation of a role: VIEWS

Under SQL, if a user can select another user's table and has the privilege to create a view, the create view statement will succeed. Yet, a create view on the other user's table generates ORA-00942 if the select privilege has been granted through a role and not directly.

Remark

As mentioned, note that the flagged errors may differ in different releases.

A. Environment users/roles/privileges used:

connect system/manager
drop user userA cascade;
drop user userB cascade;
drop user userC cascade;
drop role privileges_for_b;
drop role privileges_for_c;

connect system/manager
create user userA identified by a;
create user userB identified by b;
create user userC identified by c;
grant connect, resource to userA;
alter user userB default tablespace system quota 10m on system;
alter user userC default tablespace system quota 10m on system;
grant create session to userB;
grant create session to userC;

create role privileges_for_b;
grant privileges_for_b to userB;
grant create procedure, create view, create table to privileges_for_b;

connect usera/a
create table a (a1 number);
grant select on a to privileges_for_b;

B. Example: Creating a view via a role generates ORA-00942 or ORA-01933 or ORA-1031:

connect userb/b
create or replace view count_a as select * from usera.a;
ERROR at line 2:
ORA-01031: insufficient privileges

Note that the query on that table works:

SQL> select count(*) from usera.a;

COUNT(*)
----------
0
Investigation of privileges:

col role format a20
col owner format a8
col table_name format a5
col user_name format a10
col column_name format a5
col privilege format a15
col privilege format a17

select * from session_privs /* all privileges available */;

PRIVILEGE
-----------------
CREATE SESSION
CREATE TABLE
CREATE VIEW
CREATE PROCEDURE

select * from session_roles /* which roles are enabled */;

ROLE
--------------------
PRIVILEGES_FOR_B

select * from user_sys_privs /* privileges granted directly */;

USERNAME   PRIVILEGE         ADM
---------- ----------------- ---
USERB      CREATE SESSION    NO

select * from role_role_privs /* are roles granted to other roles */;

no rows selected

select * from role_sys_privs /* privileges via a role */;

ROLE                 PRIVILEGE         ADM
-------------------- ----------------- ---
PRIVILEGES_FOR_B     CREATE PROCEDURE  NO
PRIVILEGES_FOR_B     CREATE TABLE      NO
PRIVILEGES_FOR_B     CREATE VIEW       NO

Conclusion:

UserB who creates the view is not granted the select privilege on table a of userA directly (only via role PRIVILEGES_FOR_B).

To fix this, grant the select object privilege directly:

connect usera/a
grant select on a to userb;

connect userb/b
create or replace view count_a as select * from usera.a;
View created.
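
The investigation above, collapsed into one data-dictionary query (an added example, not part of the Oracle note): it lists every object and system privilege that reaches a user only through a role, directly or via nested roles, and so is not honoured in that user's definer's-rights PL/SQL or views. It assumes a session that can read the DBA_* views and uses USERB from this note as the account to check.

```sql
-- Added example; run as a user who can read the DBA_* views.
-- Change 'USERB' (the user from this note) to the account being checked.
with target as (
  select 'USERB' as username from dual
),
roles_of_user as (            -- roles granted directly or through other roles
  select distinct granted_role
  from   dba_role_privs
  start  with grantee = (select username from target)
  connect by prior granted_role = grantee
)
select 'OBJECT' as kind,
       tp.grantee as via_role,
       tp.privilege || ' on ' || tp.owner || '.' || tp.table_name as privilege
from   dba_tab_privs tp
where  tp.grantee in (select granted_role from roles_of_user)
and    not exists (           -- no equivalent direct grant
         select 1
         from   dba_tab_privs d
         -- grants to PUBLIC are not role grants and are honoured in stored code
         where  (d.grantee = 'PUBLIC'
                 or d.grantee = (select username from target))
         and    d.owner      = tp.owner
         and    d.table_name = tp.table_name
         and    d.privilege  = tp.privilege)
union all
select 'SYSTEM', sp.grantee, sp.privilege
from   dba_sys_privs sp
where  sp.grantee in (select granted_role from roles_of_user)
and    not exists (
         select 1
         from   dba_sys_privs d
         where  (d.grantee = 'PUBLIC'
                 or d.grantee = (select username from target))
         and    d.privilege = sp.privilege)
order  by 1, 2, 3;
```

Run against the environment from section A before the direct grant shown above, the rows are SELECT on USERA.A and the three CREATE privileges, all held through PRIVILEGES_FOR_B.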

C. Example: Creating a procedure which will use a privilege acquired via a role generates PLS-00201, ORA-06550:

connect userb/b
create or replace procedure b as
num number;
begin
select count(*) into num from usera.a;
end;
/
Warning: Procedure created with compilation errors.
SQL> show errors

Errors for PROCEDURE B:

LINE/COL ERROR
-------- -----------------------------------------------
5/3      PL/SQL: SQL Statement ignored
5/39     PL/SQL: ORA-00942: table or view does not exist

Investigation of privileges:

Same result as in the first example (creating a view via role)....

Conclusion

UserB who creates the procedure doesn't have the select privilege used in the procedure for table a of userA directly (only via role PRIVILEGES_FOR_B).

To fix this, grant the select object privilege directly:

connect usera/a
grant select on a to userb;

connect userb/b
create or replace procedure b as
num number;
begin
select count(*) into num from usera.a;
end;
/
Procedure created.

D. Example: Creating a table in a definer's rights procedure making use of the privs acquired via a role fails

SQL> conn userb/b
Connected.

SQL> create or replace procedure b2 as
num number;
begin
execute immediate 'Create table tb (tb1 number)';
end;
/

Procedure created.

SQL> exec b2
BEGIN b2; END;

*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "USERB.B2", line 4
ORA-06512: at line 1

Investigation of privileges:

Same result as in the first example (creating a view via role)....

Conclusion:

UserB who wants to create the table by executing the procedure doesn't have the create table privilege used in the procedure granted directly.

Fixed by granting this create table privilege directly:

connect system/manager
grant create table to userb;

connect userb/b
execute b2

PL/SQL procedure successfully completed.

E. Example: Select privilege via a role generates ORA-00942:

connect usera/a
grant select on a to userb;

connect userb/b
create or replace procedure b as
num number;
begin
select count(*) into num from usera.a;
end;
/

create or replace view count_a as select * from usera.a;

Also a userC is created who will use procedures and view created by userB

connect system/manager
create role privileges_for_c;
grant privileges_for_c to userc;

connect usera/a
grant select on a to privileges_for_c;

UserB now grants select on view count_a to userC and execute on his procedure b to userC:

connect userb/b

grant select on count_a to privileges_for_c;
ERROR at line 1:
ORA-01720: grant option does not exist for 'USERA.A'

grant execute on b to privileges_for_c;
Grant succeeded.

connect userc/c

select * from b.count_a;
ERROR at line 1:
ORA-00942: table or view does not exist

execute b.b
ERROR at line 1:
ORA-06550: line 1, column 7:
PLS-00201: identifier 'B.B' must be declared
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored

Investigation of privileges:

select * from session_privs /* all privileges available */;

PRIVILEGE
-----------------
CREATE SESSION

select * from session_roles /* which roles are enabled */;

ROLE
--------------------
PRIVILEGES_FOR_C

select * from role_sys_privs /* system privileges granted to role */;
=> no rows selected

select * from role_tab_privs /* object privileges granted to role */;

ROLE                 OWNER    TABLE COLUM PRIVILEGE         GRA
-------------------- -------- ----- ----- ----------------- ---
PRIVILEGES_FOR_C     USERA    A           SELECT            NO
PRIVILEGES_FOR_C     USERB    B           EXECUTE           NO

connect system/manager
select * from dba_sys_privs where grantee='USERC' /* system privileges directly */;

GRANTEE    PRIVILEGE         ADM
---------- ----------------- ---
USERC      CREATE SESSION    NO

select * from dba_tab_privs where grantee='USERC' /* object privileges directly */;
=> no rows selected

select * from dba_role_privs where grantee='USERC' /* roles granted to a user */;

GRANTEE    GRANTED_ROLE         ADM DEF
---------- -------------------- --- ---
USERC      PRIVILEGES_FOR_C     NO  YES

select * from role_sys_privs where role='PRIVILEGES_FOR_C' /* system privileges granted to role */;
=> no rows selected

select * from role_tab_privs where role='PRIVILEGES_FOR_C' /* object privileges directly */;

ROLE                 OWNER    TABLE COLUM PRIVILEGE         GRA
-------------------- -------- ----- ----- ----------------- ---
PRIVILEGES_FOR_C     USERA    A           SELECT            NO
PRIVILEGES_FOR_C     USERB    B           EXECUTE           NO

Conclusion:

UserC who selects the view doesn't have the select privilege used in the view for table a of userA directly (only via role PRIVILEGES_FOR_C). Note this is a documented limitation of a role!
Also userC lacks direct execute privilege on procedure b of userB.

Fixed by granting this select privilege and execute privilege directly:

connect usera/a
grant select on a to userb with grant option;

connect userb/b
grant select on count_a to userc;
grant execute on b to userc;

connect userc/c
select * from userb.count_a;
no rows selected

connect userc/c
execute userb.b
PL/SQL procedure successfully completed.

F. Example: ORA-28111: insufficient privilege to evaluate policy predicate in combination with FGA

When the dynamic predicate returned by the policy function is a subquery (e.g. 'userid IN (SELECT empno FROM emp)') the policy function owner needs select privileges on the table emp. This privilege cannot be granted through a role to the policy function owner; in that case an error ORA-28111: insufficient privilege to evaluate policy predicate occurs. When the privilege is granted directly to the policy function owner: grant select on emp to and not through a role, everything works perfectly.

When using Fine Grained Access, the owner of the policy function(s) needs privileges on the objects used in the subqueries of the dynamic predicates. This is because the security check and object lookup are performed against the owner of the policy function(s).

Explanation:

As Oracle performs a security check against the owner of the policy functions, the owner of these policy functions needs privileges on the objects in the subqueries of the dynamic predicates. For more information on FGA check the following note:

Note 74556.1 9i/9.2: Fine Grained Auditing

Conclusion:

When the privilege is granted directly to the policy function owner and not through a role, everything works perfectly.

G. Final conclusion

All roles are disabled in any named PL/SQL block (stored procedures, functions, or triggers) that executes with definer's rights. Furthermore they are disabled in views. Roles are not used for privilege checking and you cannot set roles within a definer's rights procedure. Stored PL/SQL blocks that execute with invoker's rights (stored procedures, functions) and anonymous PL/SQL blocks are able to use the privileges granted through enabled roles.
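
The contrast stated above, as an added example that is not part of the Oracle note: two functions that differ only in their AUTHID clause report how many roles are enabled while they run, and an invoker's-rights variant of procedure b2 from example D creates the table using only the role-granted CREATE TABLE. The names roles_seen_definer, roles_seen_invoker and b2_invoker are made up for this example, which assumes the environment from section A with no direct CREATE TABLE grant to userB.

```sql
connect userb/b

-- Definer's rights (the default): roles are disabled while the body runs.
create or replace function roles_seen_definer return number
  authid definer as
  n number;
begin
  select count(*) into n from session_roles;
  return n;
end;
/

-- Invoker's rights: the caller's enabled roles stay in effect.
create or replace function roles_seen_invoker return number
  authid current_user as
  n number;
begin
  select count(*) into n from session_roles;
  return n;
end;
/

-- Called directly by userB, who has PRIVILEGES_FOR_B enabled in the session:
-- the definer's-rights function sees no roles, the invoker's-rights one does.
select roles_seen_definer as definer_roles,
       roles_seen_invoker as invoker_roles
from   dual;

-- Procedure b2 from example D, compiled with invoker's rights.
-- The DDL is dynamic SQL, so its privilege check happens at run time
-- with the caller's roles enabled.
create or replace procedure b2_invoker authid current_user as
begin
  execute immediate 'create table tb (tb1 number)';
end;
/

exec b2_invoker
```

Static SQL inside an invoker's-rights unit is still compiled with roles disabled, so procedure b from example C would have to issue its query through EXECUTE IMMEDIATE to rely on a role grant. An invoker's-rights unit also runs with whatever privileges its caller holds, so review who owns such code before a privileged account executes it.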


Copyright (c) 2015, Oracle. All rights reserved.
