OCP 1Z0 052 183

183. The HR user creates a stand-alone procedure as follows and grants the EXECUTE privilege on the

procedure to many database users:

CREATE OR REPLACE PROCEDURE create_dept ( v_deptno NUMBER, v_dname VARCHAR2, v_mgr

NUMBER, v_loc NUMBER)

BEGIN

INSERT INTO hr.departments VALUES (v_deptno, v_dname, v_mgr, v_loc);

END;

The users having permission to execute the procedure are able to insert records into the DEPARTMENTS

table even though they do not have the INSERT privilege on the table. You want only those users who

have privileges on the DEPARTMENTS table to be able to execute the procedure successfully.

What would you suggest to the PL/SQL developers to achieve this?

A.Create the procedure with definer's right.

B.Create the procedure with invoker's right.

C.Grant the EXECUTE privilege with GRANT OPTION on the procedure to selected users.

D.Create the procedure as part of a PL/SQL package and grant the EXECUTE privilege on the package

to selected users.

Answer: B

http://docs.oracle.com/cd/E11882_01/appdev.112/e25519/subprograms.htm#LNPLS00809

A unit whose

AUTHID

value
is

CURRENT_USER

is called an invoker's
rights unit, or IR
unit. A unit whose

AUTHID

value
is

DEFINER

is called a definer's
rights unit, or DR
unit. An anonymous
block always behaves like an IR unit. A trigger
or view
always behaves like a DR unit.

建立proc

SQL> show user;
USER is "HR"
SQL> CREATE OR REPLACE PROCEDURE create_dept(v_deptno NUMBER,
2                                          v_dname  VARCHAR2,
3                                          v_mgr    NUMBER,
4                                          v_loc    NUMBER) IS
5  BEGIN
6    INSERT INTO hr.departments VALUES (v_deptno, v_dname, v_mgr, v_loc);
7  END;
8  /

Procedure created.

SQL> exec create_dept(1,'test',null,1700);

PL/SQL procedure successfully completed.

SQL> rollback;

Rollback complete.

赋权限给scott

SQL> grant execute on create_dept to scott;

Grant succeeded.

SQL> conn scott/tiger
Connected.
SQL> exec hr.create_dept(1,'test',null,1700);

PL/SQL procedure successfully completed.

SQL> rollback;

Rollback complete.

增加参数 AUTHID CURRENT_USER

SQL> conn hr/hr;
Connected.
SQL> CREATE OR REPLACE PROCEDURE create_dept(v_deptno NUMBER,
2                                          v_dname  VARCHAR2,
3                                          v_mgr    NUMBER,
4                                          v_loc    NUMBER) AUTHID CURRENT_USER IS
5  BEGIN
6    INSERT INTO hr.departments VALUES (v_deptno, v_dname, v_mgr, v_loc);
7  END;
8  /

Procedure created.

SQL> conn scott/tiger
Connected.
SQL> exec hr.create_dept(1,'test',null,1700);
BEGIN hr.create_dept(1,'test',null,1700); END;

*
ERROR at line 1:
ORA-01031: insufficient privileges
ORA-06512: at "HR.CREATE_DEPT", line 6
ORA-06512: at line 1

增加权限

SQL> conn hr/hr
Connected.

SQL> grant insert on departments to scott;

Grant succeeded.

SQL> conn scott/tiger
Connected.
SQL> exec hr.create_dept(1,'test',null,1700);

PL/SQL procedure successfully completed.

SQL> rollback;

Rollback complete.