Getting ORA-942 or ORA-1031 and PLS-201 or ORA-28111 in PL/SQL, works in SQL*Plus (Doc ID 168168.1)

Type: BULLETIN
Status: PUBLISHED
Last Major Update: 19-Aug-2015
Last Update: 19-Aug-2015

APPLIES TO:

Oracle Database - Enterprise Edition - Version 9.2.0.8 to 12.1.0.2 [Release 9.2 to 12.1]
Information in this document applies to any platform.
Checked for relevance on 08-MAR-2013

PURPOSE

The purpose of the document is to show the limitations of privileges assigned to roles.

Due to these limitations, you may get errors in PL/SQL procedures/packages when accessing certain objects or packages, but the same code works when run directly in SQL.

Note: The limitations affect both regular roles and global roles.

The flagged errors are ORA-00942 or ORA-01933 or ORA-01031 and ORA-06512 or PLS-00201 and ORA-06550 or ORA-28111 with Fine Grained Auditing (FGA). The generated errors may differ in each release.

SCOPE

This note is appropriate for DBAs and developers. It intends to focus on limitations of roles and privileges. It shows which errors are typically flagged and how to detect which privileges are granted directly and which privileges are granted via roles.

A. Environment users/roles/privileges used
B. Example: creating a view via a role generates ORA-00942 or ORA-01933 or ORA-1031
C. Example: creating a procedure via a role generates PLS-00201, ORA-06550
D. Example: creating a table via a role generates ORA-01031, ORA-06512
E. Example: select privilege via a role generates ORA-00942
F. Example: ORA-28111: insufficient privilege to evaluate policy predicate in combination with FGA

DETAILS

Roles that are granted to one user cannot be applied to another by intermediate objects such as views or PL/SQL procedures. Roles exist in sessions and are associated with a user in an active session only; the privileges of a role cannot be transferred to objects.

If you're accessing tables/views in a PL/SQL procedure or package and getting either ORA-1031 or ORA-942 (or PLS-201), but the same select/update/insert/delete works fine in SQL only, then you need to check if the privileges have been granted to the user creating the procedure via a role. Privileges granted via role do not work inside stored procedures that are created with definer's rights.

Limitations of Privileges and Roles: Stored PL/SQL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Roles are disabled when stored procedures or packages are executed.

A user executing a procedure or package can perform actions against objects (select a table, select a view, create a table, create a view, create a trigger). When the necessary privileges are granted to this user indirectly via a role, the result is ORA-00942 or ORA-01933 or ORA-01031 and ORA-06512 or PLS-00201 and ORA-06550.

https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=398557307624008&parent=DOCUMENT&parent=DOCUMENT&sourceId=1347470. 1/7
14/10/2015 Document168168.1

These actions are successful when the necessary privileges are granted directly to the user.

This means that the user executing the procedure or package should be granted the privileges required to perform the actions against objects directly.

A user cannot acquire a privilege via a role if he needs that privilege when executing a stored procedure or function or package. If the user issues the same statements in SQL, it works as the user can use the privileges granted via a role.

Another limitation of a role: VIEWS

Under SQL, if a user can select another user's table and has the privilege to create a view, the create view statement will succeed. Yet, a create view on the other user's table generates ORA-00942 if the select privilege has been granted through a role and not directly.

Remark

As mentioned, note that the flagged errors may differ in different releases.

A. Environment users/roles/privileges used:

connect system/manager
drop user userA cascade;
drop user userB cascade;
drop user userC cascade;
drop role privileges_for_b;
drop role privileges_for_c;

connect system/manager
create user userA identified by a;
create user userB identified by b;
create user userC identified by c;
grant connect, resource to userA;
alter user userB default tablespace system quota 10m on system;
alter user userC default tablespace system quota 10m on system;
grant create session to userB;
grant create session to userC;
create role privileges_for_b;
grant privileges_for_b to userB;
grant create procedure, create view, create table to privileges_for_b;

connect usera/a
create table a (a1 number);
grant select on a to privileges_for_b;

B. Example: Creating a view via a role generates ORA-00942 or ORA-01933 or ORA-1031:

connect userb/b
create or replace view count_a as select * from usera.a;

ERROR at line 2:
ORA-01031: insufficient privileges

Note that the query on that table works:

SQL> select count(*) from usera.a;

COUNT(*)
0

Investigation of privileges:

col role format a20
col owner format a8
col table_name format a5
col user_name format a10
col column_name format a5
col privilege format a15
col privilege format a17

select * from session_privs /* all privileges available */;

PRIVILEGE
CREATE SESSION
CREATE TABLE
CREATE VIEW
CREATE PROCEDURE

select * from session_roles /* which roles are enabled */;

ROLE
PRIVILEGES_FOR_B

select * from user_sys_privs /* privileges granted directly */;

USERNAME  PRIVILEGE       ADM
USERB     CREATE SESSION  NO

select * from role_role_privs /* are roles granted to other roles */;

no rows selected

select * from role_sys_privs /* privileges via a role */;

ROLE              PRIVILEGE         ADM
PRIVILEGES_FOR_B  CREATE PROCEDURE  NO
PRIVILEGES_FOR_B  CREATE TABLE      NO
PRIVILEGES_FOR_B  CREATE VIEW       NO

Conclusion:

UserB who creates the view is not granted the select privilege on table a of userA directly (only via role PRIVILEGES_FOR_B).

To fix this, grant the select object privilege directly:

connect usera/a
grant select on a to userb;
connect userb/b
create or replace view count_a as select * from usera.a;

View created.

C. Example: Creating a procedure which will use a privilege acquired via a role generates PLS-00201, ORA-06550:

connect userb/b
create or replace procedure b as
  num number;
begin
  select count(*) into num from usera.a;
end;
/

Warning: Procedure created with compilation errors.

SQL> show errors
Errors for PROCEDURE B:

LINE/COL  ERROR
5/3       PL/SQL: SQL Statement ignored
5/39      PL/SQL: ORA-00942: table or view does not exist

Investigation of privileges:

Same result as in the first example (creating a view via role)....

Conclusion

UserB who creates the procedure doesn't have the select privilege used in the procedure for table a of userA directly (only via role PRIVILEGES_FOR_B).

To fix this, grant the select object privilege directly:

connect usera/a
grant select on a to userb;
connect userb/b
create or replace procedure b as
  num number;
begin
  select count(*) into num from usera.a;
end;
/

Procedure created.

D. Example: Creating a table in a definer's rights procedure making use of the privs acquired via a role fails

SQL> conn userb/b
Connected.
SQL> create or replace procedure b2 as
  num number;
begin
  execute immediate 'Create table tb (tb1 number)';
end;
/

Procedure created.

SQL> exec b2
BEGIN b2; END;
*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "USERB.B2", line 4
ORA-06512: at line 1

Investigation of privileges:

Same result as in the first example (creating a view via role)....

Conclusion:

UserB who wants to create the table by executing the procedure doesn't have the create table privilege used in the procedure granted directly.

Fixed by granting this create table privilege directly:

connect system/manager
grant create table to userb;
connect userb/b
execute b2

PL/SQL procedure successfully completed.

E. Example: Select privilege via a role generates ORA-00942:

connect usera/a
grant select on a to userb;
connect userb/b
create or replace procedure b as
  num number;
begin
  select count(*) into num from usera.a;
end;
/
create or replace view count_a as select * from usera.a;

Also a userC is created who will use procedures and view created by userB

connect system/manager
create role privileges_for_c;
grant privileges_for_c to userc;
connect usera/a
grant select on a to privileges_for_c;

UserB now grants select on view count_a to userC and execute on his procedure b to userC:

connect userb/b
grant select on count_a to privileges_for_c;

ERROR at line 1:
ORA-01720: grant option does not exist for 'USERA.A'

grant execute on b to privileges_for_c;

Grant succeeded.

connect userc/c
select * from b.count_a;

ERROR at line 1:
ORA-00942: table or view does not exist

execute b.b

ERROR at line 1:
ORA-06550: line 1, column 7:
PLS-00201: identifier 'B.B' must be declared
ORA-06550: line 1, column 7:
PL/SQL: Statement ignored

Investigation of privileges:

select * from session_privs /* all privileges available */;

PRIVILEGE
CREATE SESSION

select * from session_roles /* which roles are enabled */;

ROLE
PRIVILEGES_FOR_C

select * from role_sys_privs /* system privileges granted to role */;

=> no rows selected

select * from role_tab_privs /* object privileges granted to role */;

ROLE              OWNER  TABLE  COLUM  PRIVILEGE  GRA
PRIVILEGES_FOR_C  USERA  A             SELECT     NO
PRIVILEGES_FOR_C  USERB  B             EXECUTE    NO

connect system/manager
select * from dba_sys_privs where grantee='USERC' /* system privileges directly */;

GRANTEE  PRIVILEGE       ADM
USERC    CREATE SESSION  NO

select * from dba_tab_privs where grantee='USERC' /* object privileges directly */;

=> no rows selected

select * from dba_role_privs where grantee='USERC' /* roles granted to a user */;

GRANTEE  GRANTED_ROLE      ADM  DEF
USERC    PRIVILEGES_FOR_C  NO   YES

select * from role_sys_privs where role='PRIVILEGES_FOR_C' /* system privileges granted to role */;

=> no rows selected

select * from role_tab_privs where role='PRIVILEGES_FOR_C' /* object privileges granted to role */;

ROLE              OWNER  TABLE  COLUM  PRIVILEGE  GRA
PRIVILEGES_FOR_C  USERA  A             SELECT     NO
PRIVILEGES_FOR_C  USERB  B             EXECUTE    NO

Conclusion:

UserC who selects the view doesn't have the select privilege used in the view for table a of userA directly (only via role PRIVILEGES_FOR_C). Note this is a documented limitation of a role!

Also userC lacks direct execute privilege on procedure b of userB.

Fixed by granting this select privilege and execute privilege directly:

connect usera/a
grant select on a to userb with grant option;
connect userb/b
grant select on count_a to userc;
grant execute on b to userc;
connect userc/c
select * from userb.count_a;

no rows selected

connect userc/c
execute userb.b

PL/SQL procedure successfully completed.

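
The manual investigation in examples B and E can be done with one dictionary query. The following is an added example, not part of the Oracle note: it lists every object and system privilege a user holds only through a role (roles granted to roles included), which are the privileges that go missing inside definer's rights PL/SQL and views. Assumptions: the bind variable name grantee is made up for illustration, the session can read the DBA_ views, and the release is 10g or later (CONNECT BY NOCYCLE).

```sql
-- Added example, not from the Oracle note. Run in SQL*Plus as a DBA.
-- :grantee is an assumed bind variable naming the user to check.
variable grantee varchar2(128)
exec :grantee := 'USERB'

with role_tree as (
  -- every role the user can reach, directly or through roles granted to roles
  select distinct granted_role as role_name
  from   dba_role_privs
  start  with grantee = :grantee
  connect by nocycle prior granted_role = grantee
)
-- object privileges present on a role but not granted directly (or to PUBLIC)
select 'OBJECT' as kind,
       tp.privilege || ' on ' || tp.owner || '.' || tp.table_name as privilege,
       tp.grantee as via_role
from   dba_tab_privs tp
join   role_tree rt on rt.role_name = tp.grantee
where  not exists (select 1
                   from   dba_tab_privs d
                   where  d.grantee in (:grantee, 'PUBLIC')
                   and    d.owner      = tp.owner
                   and    d.table_name = tp.table_name
                   and    d.privilege  = tp.privilege)
union all
-- system privileges present on a role but not granted directly (or to PUBLIC)
select 'SYSTEM', sp.privilege, sp.grantee
from   dba_sys_privs sp
join   role_tree rt on rt.role_name = sp.grantee
where  not exists (select 1
                   from   dba_sys_privs d
                   where  d.grantee in (:grantee, 'PUBLIC')
                   and    d.privilege = sp.privilege)
order  by 1, 2;
```

Against the environment from section A, before any of the fixes, USERB should show SELECT on USERA.A and the three CREATE privileges, all via PRIVILEGES_FOR_B.
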
F. Example: ORA-28111: insufficient privilege to evaluate policy predicate in combination with FGA

When the dynamic predicate returned by the policy function is a subquery (e.g. 'userid IN (SELECT empno FROM emp)') the policy function owner needs select privileges on the table emp. This privilege cannot be granted through a role to the policy function owner; in that case an error ORA-28111: insufficient privilege to evaluate policy predicate occurs. When the privilege is granted directly to the policy function owner: grant select on emp to and not through a role, everything works perfectly.

When using Fine Grained Access, the owner of the policy function(s) needs privileges on the objects used in the subqueries of the dynamic predicates. This is because the security check and object lookup are performed against the owner of the policy function(s).

Explanation:

As Oracle performs a security check against the owner of the policy functions, the owner of these policy functions needs privileges on the objects in the subqueries of the dynamic predicates. For more information on FGA check the following note:

Note 74556.1 9i/9.2: Fine Grained Auditing

Conclusion:

When the privilege is granted directly to the policy function owner and not through a role, everything works perfectly.

G. Final conclusion

All roles are disabled in any named PL/SQL block (stored procedures, functions, or triggers) that executes with definer's rights. Furthermore they are disabled in views. Roles are not used for privilege checking and you cannot set roles within a definer's rights procedure. Stored PL/SQL blocks that execute with invoker's rights (stored procedures, functions) and anonymous PL/SQL blocks are able to use the privileges granted through enabled roles.

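
The contrast drawn in the final conclusion, as an added example that is not part of the Oracle note: two functions report how many roles are enabled inside a definer's rights and an invoker's rights unit, and the procedure from example D is repeated with invoker's rights. The names roles_seen_definer, roles_seen_invoker, b2_invoker and tb_inv are assumptions; the script expects userB as set up in section A, before the direct grant of create table.

```sql
-- Added example, not from the Oracle note. Run as userB from section A,
-- before the direct "grant create table to userb" fix from example D.
-- roles_seen_definer, roles_seen_invoker, b2_invoker, tb_inv are assumed names.
connect userb/b
set serveroutput on

create or replace function roles_seen_definer return number as
  n number;
begin
  select count(*) into n from session_roles;  -- roles are disabled here
  return n;
end;
/
create or replace function roles_seen_invoker return number
  authid current_user as
  n number;
begin
  select count(*) into n from session_roles;  -- caller's enabled roles
  return n;
end;
/
begin
  dbms_output.put_line('definer sees ' || roles_seen_definer || ' role(s)');
  dbms_output.put_line('invoker sees ' || roles_seen_invoker || ' role(s)');
end;
/

-- Same body as b2 in example D, but with invoker's rights: CREATE TABLE held
-- through PRIVILEGES_FOR_B is honoured because the role stays enabled.
create or replace procedure b2_invoker authid current_user as
begin
  execute immediate 'create table tb_inv (tb1 number)';
end;
/
exec b2_invoker
```

Roles apply at run time, not at compile time, so a static reference such as usera.a still fails to compile unless the owner holds the privilege directly; that is why the example uses dynamic SQL. An invoker's rights unit runs with whatever privileges its caller has, so review who is allowed to execute it.
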
REFERENCES

NOTE:1011899.6 - Roles and Creating Stored Objects/Views
NOTE:1062335.6 - ORA-942 when select from any v$view within stored PL/SQL procedure
NOTE:11740.1 - Role Restrictions
NOTE:1347470.1 - Master Note For Privileges And Roles
BUG:155762 - GRANTS ASSIGNED TO ROLES ARE NOT BEING UTILIZED BY STORED
BUG:668998 - RECEIVE INCORRECT ERROR WHEN CREATING A VIEW WHEN GRANT SELECT BY A ROLE

Related Products
Oracle Database Products > Oracle Database Suite > Oracle Database > Oracle Database - Enterprise Edition > RDBMS

Keywords
DBA_ROLE_PRIVS DBA_SYS_PRIVS

Errors
ORA-1031 ORA-1720 ORA-1933 ORA-28111 ORA-6512 ORA-6550 ORA-942 PLS-201

Copyright (c) 2015, Oracle. All rights reserved.