Database Reference
In-Depth Information
caller must have granted the “inherit privileges” system privilege to the owner of the stored code. Alternatively the
“inherit any privileges” system privilege must be granted to the owner of the invoker rights code. If the owner of the
stored code has neither of these two the runtime engine will raise an ORA-06598 "insufficient INHERIT PRIVILEGES
privilege" error.
It appears that “inherit privileges” is granted to public in order not to break any existing applications.
Post-migration you might want to review these grants and perhaps remove the grant from public:
SYS AS SYSDBA> revoke inherit privileges on user highprivs from public;
Revoke succeeded.
Subsequent calls to the procedure will cause the error mentioned above:
HIGHPRIVS> exec lowprivs.harmless(2, user)
BEGIN lowprivs.harmless(2, user); END;
*
ERROR at line 1:
ORA-06598: insufficient INHERIT PRIVILEGES privilege
ORA-06512: at "LOWPRIVS.HARMLESS", line 1
ORA-06512: at line 1
White Lists to Restrict PL/SQL Program Unit References
Oracle 12c introduces a finer level of granularity for calls to PL/SQL stored units, named white lists. This allows the
developer to create stored code which can only be invoked by other PL/SQL units which are on the calling unit's white
list. Imagine a procedure that performs debugging operations. To prevent the procedure from being invoked outside
the context of your code you can add the new
accessible by
clause.
Before Oracle 12c it was really difficult to implement a list of calls that was permissible from within an
application. At best a list of privileges granted to roles and/or multiple users was necessary to facilitate more
fine-grained access.
Consider for example an Application Programming Interface (API) which defines access to the tables of an
application. The API could be defined in a way similar to the Java interface, providing just a stub that must be
implemented elsewhere. The implementation can then be “private” to the application, in other words cannot be
invoked outside the context of the calling API.
To demonstrate how easy it is consider a function which helps write debugging information into a log table.
SQL> create or replace procedure debug_proc( pi_message varchar2 )
2 accessible by (input_api_interface_pkg)
3 as
4 pragma autonomous_transaction;
5 begin
6 insert into debug_tab (
7 t, vc)
8 values (
9 systimestamp,
10 pi_message
11 );
Search WWH ::
Custom Search