Monday, October 22, 2007

Definer rights vs Invoker rights

Definer rights and invoker rights are described in the Oracle docs as shown in
http://download.oracle.com/docs/cd/B10501_01/appdev.920/a96624/08_subs.htm#15186

I took the following notes from the above docs to help me understand these concepts:

1. Assuming both Scott and Blake has a table called dept.
2. Scott created a procedure as follows:

CREATE PROCEDURE create_dept (
my_deptno NUMBER,
my_dname VARCHAR2,
my_loc VARCHAR2) AS
BEGIN
INSERT INTO dept VALUES (my_deptno, my_dname, my_loc);
END;

3. Scott grant the execute privilege to Blake, e.g.
scott@mydb> grant execute on create_dept to Blake;

4. Blake execute the procedure create_dept, e.g.
blake@mydb> execute create_dept(10, 'sales', 'New York');

5. Blake will create a department 'sales' in the table dept residing in Scott, not in Blake.

This is due to the definer's rights - the procedure gets executed with the privileges and schema context of the owner.

6. If in step 2, Scott create an invoker-rights procedure as follows

CREATE PROCEDURE create_dept (
my_deptno NUMBER,
my_dname VARCHAR2,
my_loc VARCHAR2) AUTHID CURRENT_USER AS
BEGIN
INSERT INTO dept VALUES (my_deptno, my_dname, my_loc);
END;

7. Then, if Blake repeats the step 4, Blake will create a a department 'sales' in the table dept residing in Blake, not in Scott.

This is due to the invoker's right - the procedure gets executed with the privileges and schema context of the current user.

No comments: