invoker rights
DESCRIPTION
Access Procedure from other SchemaTRANSCRIPT
Invoker Rights
1
2
3
Customized Objects
STD Objects
Dummy/Testing Objects
Objects = Procedures + Function + Packages
PROBLEM IDENTIFICATION
DIRMAT OPS_PROD
MKT
HR
PPC
ATTEN
INDIRECT
FIN
TRAIN
EXISTING POSITION OF DATABASE OBJECTS
PRAPOSED POSITION OF DATABASE OBJECTS
DIRMAT OPS_PROD INDIRECT
MKT PPC FIN
HR ATTEN TRAIN
Example
• If we have 50 STD Objects and If we have 20 schema
• 1000 Objects are Present in Database
INDIRECTLYSame 50 Objects Present in Same DATABASE 20 TIMES
DIRMAT INDIRECT
WHAT IS THE SOLUTION ?
Schema
ASchema
B
MAKE Schema A LIKE Schema B USE Invoker-Rights
What is Invoker-Rights?• Invoker rights is a new model for resolving
references to database elements in a PL/SQL program unit. From Oracle 8i onwards, we can decide if a program unit should run with the authority of the definer or of the invoker. This means that multiple schemas, accessing only those elements belonging to the invoker, can share the same piece of code.
Table
DIRMAT
Declare...Begin Select…End;
Pkg_trans
Table
PPC
Declare...Begin Select…End;
Pkg_trans
Table
INDIRECT
Declare...Begin Select…End;
Pkg_trans
Table
MKT
Declare...Begin Select…End;
Pkg_trans
Table
OPS_PROD
Declare...Begin Select…End;
Pkg_trans
Existing Method of Objects utilization
Table
DIRECT
Pkg_trans
PPC
INDIRECT
MKTTable
OPS_PROD
Declare...Begin Select…End;
Pkg_trans
Table
Pkg_trans
Table
Pkg_trans
Table
Pkg_trans
Objects utilization with Invoker-Rights
Exec sp_control
MKTDIRMAT
Sp_control
DIRMAT_CTL MKT_CTL
User X User Y
Sp_control
Exec mkt.sp_control
MKTDIRMAT
Sp_control
DIRMAT_CTL MKT_CTL
User X User Y
Sp_control
Exec sp_control
MKTDIRMAT
Sp_control
DIRMAT_CTL MKT_CTL
User X User Y
When you create a PL/SQL program unit, you can include an optional AUTHID clause.
There are two forms of this clause:
• AUTHID DEFINER
• AUTHID CURRENT_USER
AUTHID DEFINER is the default
WITH definer rights
create or replace procedure P as
Begin
---------
-------
end;
WITH invoker rights
create or replace procedure P AUTHID CURRENT_USER as
Begin
---------
-------
end;
Exec sp_control
MKTDIRMAT
DIRMAT_CTL MKT_CTL
User X User Z
OPS_PROD
PROD_CTL
Sp_control
User Y
Existing Problem
• If Changes done deploy to All Schema time consuming work
• Chances of Missing to some schema results in Issues
• More Objects More Maintenance
• Accumulation of Un-necessary Objects end up in JUNK Objects
• More Time for Backup and Recovery
Benefits• No Need of Deployment to Other schema in case of Changes
• Changes only in one place, lot of time saved
• Less Maintenance due to less Objects
• Security as Only Authorized person have access
• Fast Backup and Recovery due to Less Objects
Limitations• Not advised for big processing procedures as performance impact
• Implementation always with core schema
StepsConn OPS_PROD/OPS_PROD
create or replace procedure P AUTHID CURRENT_USER as
Begin
---------
-------
end;
grant execute on p to dirmatconn dirmat/dirmatexec ops_prod.p;grant execute on p to publiccreate public synonym sp_control for ops_prod.p;conn dirmat/dirmatexec sp_control;
Q & A
Thank you