Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

grant drop table to a specific table

Posted on 2011-09-13
8
Medium Priority
?
4,271 Views
Last Modified: 2012-05-12
I want to grant drop table on a particular table to a particular user but I am gettting error. invalid privs.

grant drop on table_name to user_name;

can soneone help me.
0
Comment
Question by:nirvairghuman
  • 4
  • 3
8 Comments
 
LVL 74

Accepted Solution

by:
sdstuber earned 400 total points
ID: 36529343
there is no such privilege.

you could instead create a procedure owned by the object owner that does the drop and grant execute on that procedure

or grant "drop any table",  but use a ddl trigger to block all drops except that one table


however,  why do you want to allow the drop?  Is it really necessary?
0
 

Author Comment

by:nirvairghuman
ID: 36529356
I want to grant tuncate table but thet comes with drop table. Is there any other solution.
0
 
LVL 74

Assisted Solution

by:sdstuber
sdstuber earned 400 total points
ID: 36529387
there is no truncate table privilege either.

I recommend going with the procedure that you allow access to


create or replace truncate_my_table
is
begin
     execute immediate 'truncate table MY_TABLE';
end;

then grant execute on that procedure
0
Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

 
LVL 7

Assisted Solution

by:Javier Morales
Javier Morales earned 100 total points
ID: 36530521
you have to grant DROP ANY TABLE to allow this user to truncate a table out of its schema.
ALTER ANY TABLE isn't enough for that (raises "insufficient privileges" instead of "Table or view doesn't exists")


Here's an example:


SQL> create user test identified by test;

User created.

SQL> grant connect to test;

Grant succeeded.

SQL> show user    
USER is "GESTION_USUARIOS"
SQL> create table drop_test_table  (id number);

Table created.

SQL> insert into drop_test_table values (1);

1 row created.

SQL> commit;

Commit complete.

SQL> connect test/test
Connected.

SQL> truncate table gestion_usuarios.drop_test_table;
truncate table gestion_usuarios.drop_test_table
                                *
ERROR at line 1:
ORA-00942: table or view does not exist


SQL> connect gestion_usuarios
Enter password: 
Connected.
SQL> grant alter any table to test;

Grant succeeded.

SQL> connect test/test
Connected.
SQL> truncate table gestion_usuarios.drop_test_table;
truncate table gestion_usuarios.drop_test_table
                                *
ERROR at line 1:
ORA-01031: insufficient privileges


SQL> connect gestion_usuarios
Enter password: 
Connected.

SQL> grant drop any table to test;

Grant succeeded.

SQL> connect test/test
Connected.
SQL> truncate table gestion_usuarios.drop_test_table;

Table truncated.

SQL> connect gestion_usuarios
Enter password: 
Connected.
SQL> revoke alter any table from test;

Revoke succeeded.

SQL> connect test/test
Connected.
SQL> truncate table gestion_usuarios.drop_test_table;

Table truncated.

Open in new window



Tables can be truncated only with DROP ANY TABLE privilege for tables out of the ownership.

Please, keep in mind that "DROP ANY TABLE" allows to "drop any of the tables" in the database...

As sdstuber recommends, the best way is to create a procedure to truncate the table (under our own privileges) and grant execution privileges... then, the privilege DROP ANY TABLE is not needed.

SQL> create or replace procedure truncate_my_table
  2  is
  3  begin
  4   execute immediate 'truncate table drop_test_table';
  5  end;
  6  /

Procedure created.

SQL> grant execute on truncate_my_table to test;

Grant succeeded.

SQL> revoke drop any table from test;

Revoke succeeded.

SQL> connect test/test
Connected.
SQL> exec gestion_usuarios.truncate_my_table;

PL/SQL procedure successfully completed.

Open in new window


If you don't need to allow "exactly" truncate table comand, the securest way is using the procedure. If you need to allow the user execute "truncate table schema.table_name" then, the only solution is granting DROP ANY TABLE.
0
 

Author Comment

by:nirvairghuman
ID: 36531376
Hi,
I tried with stored procedure, but now the problem is Some users have execute any stored procedure, Now what would be the solution.
0
 
LVL 74

Assisted Solution

by:sdstuber
sdstuber earned 400 total points
ID: 36531387
check the user name inside the procedure or check the role, or some other rule to make sure only the people you authorize can use it


create or replace truncate_my_table
is
begin
    if USER = 'ALLOWED_USER' then
     execute immediate 'truncate table MY_TABLE';
    end if;
end;
0
 

Author Comment

by:nirvairghuman
ID: 36531808
Hi sdstuber,

I tried the stored procedure and It went fine.

 Can you please tell about more the below option means syntax for the trigger

or grant "drop any table",  but use a ddl trigger to block all drops except that one table

0
 
LVL 74

Assisted Solution

by:sdstuber
sdstuber earned 400 total points
ID: 36531860
I can tell you about it but I'll also tell you not to use this method.

If what you want is to allow truncate of a single table,  then use the procedure suggested above.

rather than black listing,  use the procedure a white list.


CREATE OR REPLACE TRIGGER check_ddl
    BEFORE DDL
    ON YOUR_USER.schema
BEGIN  
    IF ora_dict_obj_owner  != 'YOUR_SCHEMA' or ora_dict_obj_name != 'YOUR_TABLE'
    THEN
        raise_application_error(-20001, 'YOUR_SER can only modify the YOUR_SCHEMA.YOUR_TABLE table');
    END IF;
END;


alternately, you could create a database wide DDL trigger of similar design.

CREATE OR REPLACE TRIGGER check_ddl
    BEFORE DDL
    ON DATABASE

but, again, using the procedure is a simpler and better design.
0

Featured Post

[Webinar] Cloud Security

In this webinar you will learn:

-Why existing firewall and DMZ architectures are not suited for securing cloud applications
-How to make your enterprise “Cloud Ready”, and fix your aging DMZ architecture
-How to transform your enterprise and become a Cloud Enabler

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Working with Network Access Control Lists in Oracle 11g (part 2) Part 1: http://www.e-e.com/A_8429.html Previously, I introduced the basics of network ACL's including how to create, delete and modify entries to allow and deny access.  For many…
This post first appeared at Oracleinaction  (http://oracleinaction.com/undo-and-redo-in-oracle/)by Anju Garg (Myself). I  will demonstrate that undo for DML’s is stored both in undo tablespace and online redo logs. Then, we will analyze the reaso…
This video shows syntax for various backup options while discussing how the different basic backup types work.  It explains how to take full backups, incremental level 0 backups, incremental level 1 backups in both differential and cumulative mode a…
This video shows how to configure and send email from and Oracle database using both UTL_SMTP and UTL_MAIL, as well as comparing UTL_SMTP to a manual SMTP conversation with a mail server.

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question