An anonymous block works, but same code in a named block may not work, because roles used in named PL/SQL blocks and anonymous PL/SQL blocks act differently. The workaround is to define the procedure as "AUTHID current_user":
CREATE or REPLACE procedure test_proc
AUTHID CURRENT_USER as
......
Anonymous PL/SQL blocks are executed based on privileges granted through enabled roles. All roles are disabled in any named PL/SQL block (stored procedure, function, or trigger) that executes with definer's rights. Roles are not used for privilege checking and you cannot set roles within a definer's rights procedure.
If the user was granted all the necessary privileges directly (not through a role), it won't matter if roles are enabled or disabled, nor will you need "authid current_user".
You can check what system privileges are granted with roles currently enabled, then you can disable roles and see what privileges are different.
SQL> select * from session_privs;
SQL> set role none;
SQL> select * from session_privs;
The SESSION_ROLES view shows all roles that are currently enabled. If a named PL/SQL block that executes with definer's rights queries SESSION_ROLES, then the query does not return any rows.
-- check current enabled roles
SQL> SELECT * FROM session_roles;
-- turn off roles
SQL> set role none;
-- re-query:
SQL> SELECT * FROM session_roles;
No comments:
Post a Comment