Can someone advise me on how to create a user in Oracle 11g and only grant that user the ability only to execute one particular stored procedure and the tables in that procedure.
I am not really sure how to do this!
Asked
Active
Viewed 5.5e+01k times
9 Answers
86
Connect as SYSTEM.
CREATE USER username IDENTIFIED BY apassword;
GRANT CONNECT TO username;
GRANT EXECUTE on schema.procedure TO username;
You may also need to:
GRANT SELECT [, INSERT] [, UPDATE] [, DELETE] on schema.table TO username;
to whichever tables the procedure uses.
cagcowboy
- 30,012
- 11
- 69
- 93
-
6+1 Depending on the Oracle version, however, the `CONNECT` role has many more privileges than the name suggests. I'd much rather grant `CREATE SESSION` instead. – Justin Cave Feb 25 '12 at 20:06
-
The version I am using is 11g – Andy5 Feb 25 '12 at 20:39
-
2["CONNECT, RESOURCE, and DBA These roles are provided for compatibility with previous versions ... Oracle recommends that you design your own roles for database security rather than relying on these roles. These roles may not be created automatically by future versions of Oracle Database."](http://docs.oracle.com/cd/B28359_01/server.111/b28286/statements_9013.htm) – dani herrera Mar 13 '13 at 19:38
-
3You should not have to grant select, insert, update or delete on any of the tables. One of the points of using procedures is so that you can keep your tables "ungranted", and control access to them at the procedure level. – Dawood ibn Kareem Aug 02 '13 at 05:01
-
3"GRANT EXECUTE on schema.procedure TO username;" is returning an error saying "ERROR at line 1: ORA-04042: procedure, function, package, or package body does not exist " – Tasdik Rahman Sep 26 '15 at 08:46
26
Follow the below steps for creating a user in Oracle.
--Connect as System user
CONNECT <USER-NAME>/<PASSWORD>@<DATABASE NAME>;
--Create user query
CREATE USER <USER NAME> IDENTIFIED BY <PASSWORD>;
--Provide roles
GRANT CONNECT,RESOURCE,DBA TO <USER NAME>;
--Provide privileges
GRANT CREATE SESSION, GRANT ANY PRIVILEGE TO <USER NAME>;
GRANT UNLIMITED TABLESPACE TO <USER NAME>;
--Provide access to tables.
GRANT SELECT,UPDATE,INSERT ON <TABLE NAME> TO <USER NAME>;
-
-
2ORA-00990: missing or invalidad privilege on 'GRANT CREATE SESSION GRANT ANY PRIVILEGE TO
;' – Nicolas Mommaerts Nov 14 '14 at 13:02 -
4
-
2'--Provide privileges' line needs comma added here: GRANT CREATE SESSION, GRANT ANY PRIVILEGE TO
; I edited this but was rejected for some reason. – ghost_1989 May 31 '16 at 13:19 -
1`CONNECT,RESOURCE,DBA` [*"These roles are provided for compatibility with previous versions of Oracle Database... Oracle recommends that you design your own roles for database security rather than relying on these roles. These roles may not be created automatically by future versions of Oracle Database."*](http://docs.oracle.com/cd/B28359_01/server.111/b28286/statements_9013.htm#r209c1-t47) – Jeff Puckett Jun 07 '16 at 19:19
-
This grants significantly more than OP's *"only grant that user the ability only to execute one particular stored procedure"* – Jeff Puckett Jun 07 '16 at 19:27
21
The Oracle documentation is comprehensive, online and free. You should learn to use it. You can find the syntax for CREATE USER here and for GRANT here,
In order to connect to the database we need to grant a user the CREATE SESSION privilege.
To allow the new user rights on a stored procedure we need to grant the EXECUTE privilege. The grantor must be one of these:
- the procedure owner
- a user granted execute on that procedure with the WITH ADMIN option
- a user with the GRANT ANY OBJECT privilege
- a DBA or other super user account.
Note that we would not normally need to grant rights on objects used by a stored procedure in order to use the procedure. The default permission is that we execute the procedure with the same rights as the procedure owner and, as it were, inherit their rights when executing the procedure. This is covered by the AUTHID clause. The default is definer (i.e. procedure owner). Only if the AUTHID is set to CURRENT_USER (the invoker, that is our new user) do we need to grant rights on objects used by the procedure. Find out more.
11
Don't use these approach in critical environment like TEST and PROD. Below steps are just suggested for local environment. For my localhost i create the user via these steps:
IMPORTANT NOTE : Create your user with SYSTEM user credentials.Otherwise you may face problem when you run multiple application on same database.
CONNECT SYSTEM/<<System_User_Password>>@<<DatabaseName>>; -- connect db with username and password, ignore if you already connected to database.
Then Run below script
CREATE USER <<username>> IDENTIFIED BY <<password>>; -- create user with password
GRANT CONNECT,RESOURCE,DBA TO <<username>>; -- grant DBA,Connect and Resource permission to this user(not sure this is necessary if you give admin option)
GRANT CREATE SESSION TO <<username>> WITH ADMIN OPTION; --Give admin option to user
GRANT UNLIMITED TABLESPACE TO <<username>>; -- give unlimited tablespace grant
EDIT: If you face a problem about oracle ora-28001 the password has expired also this can be useful run
select * from dba_profiles;-- check PASSWORD_LIFE_TIME
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED; -- SET IT TO UNLIMITED
erhun
- 3,549
- 2
- 35
- 44
-
2`CONNECT,RESOURCE,DBA` [*"These roles are provided for compatibility with previous versions of Oracle Database... Oracle recommends that you design your own roles for database security rather than relying on these roles. These roles may not be created automatically by future versions of Oracle Database."*](http://docs.oracle.com/cd/B28359_01/server.111/b28286/statements_9013.htm#r209c1-t47) – Jeff Puckett Jun 07 '16 at 19:20
4
As previously mentioned multiple times in the comments, the use of the CONNECT, RESOURCE and DBA roles is discouraged by Oracle.
You have to connect as SYS to create your role and the user(s) which are given this role. You can use SQL Developer or SQL*Plus as you prefer. Do not forget to mention the SYSDBA role in the logon string. The connect_identifier uses different syntaxes.
sqlplus sys/<<password>>@<<connect_identifier>> as sysdba
Let's say you have a 12cR1 like the one provided as a VM with the "Oracle Technology Network Developer Day". The connect strings might be (to connect to the provided PDB) :
sqlplus sys/oracle@127.0.0.1/orcl as sysdba
sqlplus sys@"127.0.0.1/orcl" as sysdba -- to avoid putting the pw in clear
Note that under Unix, the quotes have to be escaped otherwise they will be consumed by the shell. Thus " becomes \".
Then you create the role MYROLEand grant it other roles or privileges. I added nearly the bare minimum to do something interesting :
create role myrole not identified;
grant create session to myrole;
grant alter session to myrole;
grant create table to myrole;
Next your create the user MYUSER. The string following identified by which is the password is case-sensitive. The rest is not. You could also use SQL delimited identifiers (surrounded by quotes ") instead of regular identifiers which are converted tu uppercase and subject to a few limitations. The quota could be unlimited instead of 20m.
create user myuser identified by myuser default tablespace users profile default account unlock;
alter user myuser quota 20m on users;
grant myrole to myuser;
Eventually, you connect as your new user.
Please note that you could also alter the default profile or provide another one to customize some settings as the expiration period of passwords, the number of permitted failed login attempts, etc.
Ludovic Kuty
- 4,868
- 3
- 28
- 42
2
CREATE USER USER_NAME IDENTIFIED BY PASSWORD;
GRANT CONNECT, RESOURCE TO USER_NAME;
-
1`CONNECT,RESOURCE,DBA` [*"These roles are provided for compatibility with previous versions of Oracle Database... Oracle recommends that you design your own roles for database security rather than relying on these roles. These roles may not be created automatically by future versions of Oracle Database."*](http://docs.oracle.com/cd/B28359_01/server.111/b28286/statements_9013.htm#r209c1-t47) – Jeff Puckett Jun 07 '16 at 19:21
0
CREATE USER books_admin IDENTIFIED BY MyPassword;
GRANT CONNECT TO books_admin;
GRANT CONNECT, RESOURCE, DBA TO books_admin;
GRANT CREATE SESSION GRANT ANY PRIVILEGE TO books_admin;
GRANT UNLIMITED TABLESPACE TO books_admin;
GRANT SELECT, INSERT, UPDATE, DELETE ON schema.books TO books_admin;
https://docs.oracle.com/cd/B19306_01/network.102/b14266/admusers.htm#i1006107 https://chartio.com/resources/tutorials/how-to-create-a-user-and-grant-permissions-in-oracle/
Md Nazrul Islam
- 363
- 4
- 13
-
-1 This is one of the top results on Google, but it's the worst possible advise. This example makes the user a dba with full privileges. This is "How to surrender control of your database" – Devon_C_Miller Nov 14 '18 at 21:27
0
First step:
Connect to a database using System/Password;
second Step:
create user username identified by password; (syntax)
Ex: create user manidb idntified by mypass;
third Step:
grant connect,resource to username; (Syntax)
Ex: grant connect,resource to manidb;
Manideep
- 353
- 3
- 13
-2
step 1 .
create user raju identified by deshmukh;step 2.
grant connect , resource to raju;step 3.
grant unlimitted tablespace to raju;step4.
grant select , update , insert , alter to raju;
-
1`CONNECT,RESOURCE,DBA` [*"These roles are provided for compatibility with previous versions of Oracle Database... Oracle recommends that you design your own roles for database security rather than relying on these roles. These roles may not be created automatically by future versions of Oracle Database."*](http://docs.oracle.com/cd/B28359_01/server.111/b28286/statements_9013.htm#r209c1-t47) – Jeff Puckett Jun 07 '16 at 19:22