You grant privileges to users so these users can accomplish tasks required for their job. You should grant a privilege only to a user who absolutely requires the privilege to accomplish necessary work. Excessive granting of unnecessary privileges can lead to compromised security. A user can receive a privilege in two different ways:
There are two distinct categories of privileges:
System privileges are granted to or revoked from users and roles using either of the following:
GRANT SELECT ON emp TO swilliams;
The user SWILLIAMS can query JWARD.EMP by referencing the table by name or using the synonym JWARD.EMPLOYEE:
SELECT * FROM jward.emp;
SELECT * FROM jward.employee;
If you grant object privileges on a table, view, sequence, procedure, function, or package to a synonym for the object, the effect is the same as if no synonym were used For example, if JWARD wanted to grant the SELECT privilege for the EMP table to SWILLIAMS, JWARD could issue either of the following statements:
GRANT SELECT ON emp TO swilliams;
GRANT SELECT ON employee TO swilliams;
If a synonym is dropped, all grants for the underlying object remain in effect, even if the privileges were granted by specifying the dropped synonym.
Data Manipulation Language Operations The DELETE, INSERT, SELECT, and UPDATE privileges allow the DELETE, INSERT, SELECT, and UPDATE DML operations, respectively, on a table or view (DML operations are those to view or change a table's contents). You should grant these privileges only to users and roles that need to view or manipulate a table's data. For more information on these operations, see the Oracle7 Server SQL Reference.
You can restrict the INSERT and UPDATE privileges for a table to specific columns of the table. With selective INSERT, a privileged user can insert a row, but only with values for the selected columns; all other columns receive NULL or the column's default value. With selective UPDATE, a user can update only specific column values of a row. Selective INSERT and UPDATE privileges are used to restrict a user's access to sensitive data.
For example, if you do not want data entry users to alter the SAL column of the employee table, selective INSERT and/or UPDATE privileges can be granted that exclude the SAL column. Alternatively, a view could satisfy this need for additional security.
As with the INSERT and UPDATE privileges, the REFERENCES privilege can be granted on specific columns of a table. The REFERENCES privilege enables the grantee to use the table on which the grant is made as a parent key to any foreign keys that the grantee wishes to create in his/her own tables. This action is controlled with a special privilege because the presence of foreign keys restricts the data manipulation and table alterations that can be done to the parent key. A column-specific REFERENCES privilege restricts the grantee to using the named columns, which, of course, must include at least one primary or unique key of the parent table. See Chapter 7, "Data Integrity," for more information about primary keys, unique keys, and integrity constraints.
Privileges Required To Create Views To create a view, you must meet the following requirements:
Views are useful for adding two more levels of security for tables:
CREATE VIEW emp_mgr AS
SELECT ename, empno, mgr FROM emp;
CREATE VIEW lowsal AS
SELECT * FROM emp
WHERE sal < 10000;
CREATE VIEW own_salary AS
SELECT ename, sal
FROM emp
WHERE ename = USER;
You can use procedures to add a level of database security. A user requires only the privilege to execute a procedure and no privileges on the underlying objects that a procedure's code accesses. By writing a procedure and granting only the EXECUTE privilege to a user (and not the privileges on the objects referenced by the procedure), the user can be forced to access the referenced objects only through the procedure (that is, the user cannot submit ad hoc SQL statements to the database).
Privileges Needed to Create or Alter a Procedure To create a procedure, a user must have the CREATE PROCEDURE or CREATE ANY PROCEDURE system privilege. To alter a procedure, that is, to manually recompile a procedure, a user must own the procedure or have the ALTER ANY PROCEDURE system privilege.
Additionally, the user who owns the procedure must have the required privileges for the objects referenced in the body of a procedure. To create a procedure, you must have been explicitly granted the necessary privileges (system and/or object) on all objects referenced by the stored procedure; you cannot have obtained the required privileges through roles. This includes the EXECUTE privilege for any procedures that are called inside the stored procedure being created. Triggers also require that privileges to referenced objects be granted explicitly to the trigger owner. Anonymous PL/SQL blocks can use any privilege, whether the privilege is granted explicitly or via a role.
Procedure Execution and Security Domains A user with the EXECUTE privilege for a specific procedure can execute the procedure. A user with the EXECUTE ANY PROCEDURE system privilege can execute any procedure in the database. A user can be granted the privileges to execute procedures via roles.
When you execute a procedure, it operates under the security domain of the user who owns the procedure, regardless of who is executing it. Therefore, a user does not need privileges on the referenced objects to execute a procedure. Because the owner of a procedure must have the necessary object privileges for referenced objects, fewer privileges have to be granted to users of the procedure and tighter control of database access can be obtained.
The current privileges of the owner of a stored procedure are always checked before the procedure is executed. If a necessary privilege on a referenced object is revoked from the owner of a procedure, the procedure cannot be executed by the owner or any other user.
Note: Trigger execution follows these same patterns. The user executes a SQL statement, which he/she is privileged to execute. As a result of the SQL statement, a trigger is fired. The statements within the triggered action temporarily execute under the security domain of the user that owns the trigger.
Packages and Package Objects A user with the EXECUTE privilege for a package can execute any (public) procedure or function in the package, and access or modify the value of any (public) package variable. Specific EXECUTE privileges cannot be granted for a package's constructs. Because of this, you may find it useful to consider two alternatives for establishing security when developing procedures, functions, and packages for a database application. These alternatives are described in the following examples.
Example 1
This example shows four procedures created in the bodies of two packages.
CREATE PACKAGE BODY hire_fire AS
PROCEDURE hire(...) IS
BEGIN
INSERT INTO emp . . .
END hire;
PROCEDURE fire(...) IS
BEGIN
DELETE FROM emp . . .
END fire;
END hire_fire;
CREATE PACKAGE BODY raise_bonus AS
PROCEDURE give_raise(...) IS
BEGIN
UPDATE EMP SET sal = . . .
END give_raise;
PROCEDURE give_bonus(...) IS
BEGIN
UPDATE EMP SET bonus = . . .
END give_bonus;
END raise_bonus;
Access to execute the procedures is given by granting the EXECUTE privilege for the encompassing package, as in the following statements:
GRANT EXECUTE ON hire_fire TO big_bosses;
GRANT EXECUTE ON raise_bonus TO little_bosses;
This method of security for package objects is not discriminatory for any specific object in a package. The EXECUTE privilege granted for the package provides access to all package objects.
Example 2
This example shows four procedure definitions within the body of a single package. Two additional standalone procedures and a package are created specifically to provide access to the procedures defined in the main package.
CREATE PACKAGE BODY employee_changes AS
PROCEDURE change_salary(...) IS BEGIN ... END;
PROCEDURE change_bonus(...) IS BEGIN ... END;
PROCEDURE insert_employee(...) IS BEGIN ... END;
PROCEDURE delete_employee(...) IS BEGIN ... END;
END employee_change;
CREATE PROCEDURE hire
BEGIN
insert_employee(...)
END hire;
CREATE PROCEDURE fire
BEGIN
delete_employee(...)
END fire;
PACKAGE raise_bonus IS
PROCEDURE give_raise(...) AS
BEGIN
change_salary(...)
END give_raise;
PROCEDURE give_bonus(...)
BEGIN
change_bonus(...)
END give_bonus;
Using this method, the procedures that actually do the work (the procedures in the EMPLOYEE_CHANGES package) are defined in a single package and can share declared global variables, cursors, on so on. By declaring the top-level procedures HIRE and FIRE, and the additional package RAISE_BONUS, you can indirectly grant selective EXECUTE privileges on the procedures in the main package.
GRANT EXECUTE ON hire, fire TO big_bosses;
GRANT EXECUTE ON raise_bonus TO little_bosses;