Definer rights and invoker rights are described in the Oracle docs as shown in
http://download.oracle.com/docs/cd/B10501_01/appdev.920/a96624/08_subs.htm#15186
I took the following notes from the above docs to help me understand these concepts:
1. Assuming both Scott and Blake has a table called dept.
2. Scott created a procedure as follows:
CREATE PROCEDURE create_dept (
my_deptno NUMBER,
my_dname VARCHAR2,
my_loc VARCHAR2) AS
BEGIN
INSERT INTO dept VALUES (my_deptno, my_dname, my_loc);
END;
3. Scott grant the execute privilege to Blake, e.g.
scott@mydb> grant execute on create_dept to Blake;
4. Blake execute the procedure create_dept, e.g.
blake@mydb> execute create_dept(10, 'sales', 'New York');
5. Blake will create a department 'sales' in the table dept residing in Scott, not in Blake.
This is due to the definer's rights - the procedure gets executed with the privileges and schema context of the owner.
6. If in step 2, Scott create an invoker-rights procedure as follows
CREATE PROCEDURE create_dept (
my_deptno NUMBER,
my_dname VARCHAR2,
my_loc VARCHAR2) AUTHID CURRENT_USER AS
BEGIN
INSERT INTO dept VALUES (my_deptno, my_dname, my_loc);
END;
7. Then, if Blake repeats the step 4, Blake will create a a department 'sales' in the table dept residing in Blake, not in Scott.
This is due to the invoker's right - the procedure gets executed with the privileges and schema context of the current user.
Monday, October 22, 2007
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment