Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Set Role in Trigger

Set Role in Trigger

From: <JApplewhite_at_austin.isd.tenet.edu>
Date: Sun, 27 Jul 2003 07:59:24 -0800
Message-ID: <F001.005C74E4.20030727075924@fatcity.com> 





Short form of my question:


How can I enable a Role for a User within a database trigger (owned by 
another Schema) on a table owned by yet another Schema?


- The M's I've RTF'd indicate that a trigger (and any procedure it calls) 

can never execute with Invoker's Rights.


- I can't find a way to execute Set Role for a User as another User, say, 

System.


- I'm stuck.






Longer form of my question:


I'm in the process of adding extra security features to our 3rd Party 
Student Information System, whose code I can't touch.  I've successfully 
implemented FGAC to keep Users at a School from accessing info.at other 
schools.  Now I need to limit which School Year's data they can update 
(Past, Current, Next).  The Application grants Sel, Ins, Upd, Del on its 
tables via a Role, so I thought I'd just switch Roles when the User 
switched School Years (via updating her record in a Users table).  Seemed 
like a good idea, but now I can't see how to implement it.



SQL and PL/SQL commands like Set Role, Alter Session, 
DBMS_Session.Set_Role, etc. only apply to the current User, which would be 
the Trigger Owner.  I've used DBMS_System.Set_SQL_Trace_In_Session, but 
can't find an equivalent procedure to Set Role for another User.



BTW, the fact that there's no Invoker_Rights_Clause in the Create Trigger 
syntax and a section in the PL/SQL User's Guide and Reference (Ch. 7 
Subprograms / Invoker Rights vs Definer Rights / Using Views and Database 
Triggers) are the basis for my being stuck.



The only possible way I see to do this is to create the trigger as System, 
then use Dynamic SQL to issue the "Alter User ... Default Role ...." 
command.  However, I don't know if that takes effect immediately (within 
the User's current Session) or would take effect at the User's next login. 
 Before I spend a bunch of time setting up a test, I thought I'd get some 
opinions from this very knowledgeable List.



Can I do it?  How?



TIA.


Jack C. Applewhite


Database Administrator


Austin Independent School District


Austin, Texas


512.414.9715 (wk)


512.935.5929 (pager)


JApplewhite_at_austin.isd.tenet.edu


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: 
  INET: JApplewhite_at_austin.isd.tenet.edu

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Received on Sun Jul 27 2003 - 10:59:24 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US