Invoker Rights

1

2

3

Customized Objects

STD Objects

Dummy/Testing Objects

Objects = Procedures + Function + Packages

PROBLEM IDENTIFICATION

DIRMAT OPS_PROD

MKT

HR

PPC

ATTEN

INDIRECT

FIN

TRAIN

EXISTING POSITION OF DATABASE OBJECTS

PRAPOSED POSITION OF DATABASE OBJECTS

DIRMAT OPS_PROD INDIRECT

MKT PPC FIN

HR ATTEN TRAIN

Example

• If we have 50 STD Objects and If we have 20 schema

• 1000 Objects are Present in Database

INDIRECTLYSame 50 Objects Present in Same DATABASE 20 TIMES

DIRMAT INDIRECT

WHAT IS THE SOLUTION ?

Schema

ASchema

B

MAKE Schema A LIKE Schema B USE Invoker-Rights

What is Invoker-Rights?• Invoker rights is a new model for resolving

references to database elements in a PL/SQL program unit. From Oracle 8i onwards, we can decide if a program unit should run with the authority of the definer or of the invoker. This means that multiple schemas, accessing only those elements belonging to the invoker, can share the same piece of code.

Table

DIRMAT

Declare...Begin Select…End;

Pkg_trans

Table

PPC

Declare...Begin Select…End;

Pkg_trans

Table

INDIRECT

Declare...Begin Select…End;

Pkg_trans

Table

MKT

Declare...Begin Select…End;

Pkg_trans

Table

OPS_PROD

Declare...Begin Select…End;

Pkg_trans

Existing Method of Objects utilization

Table

DIRECT

Pkg_trans

PPC

INDIRECT

MKTTable

OPS_PROD

Declare...Begin Select…End;

Pkg_trans

Table

Pkg_trans

Table

Pkg_trans

Table

Pkg_trans

Objects utilization with Invoker-Rights

Exec sp_control

MKTDIRMAT

Sp_control

DIRMAT_CTL MKT_CTL

User X User Y

Sp_control

Exec mkt.sp_control

MKTDIRMAT

Sp_control

DIRMAT_CTL MKT_CTL

User X User Y

Sp_control

Exec sp_control

MKTDIRMAT

Sp_control

DIRMAT_CTL MKT_CTL

User X User Y

When you create a PL/SQL program unit, you can include an optional AUTHID clause.

There are two forms of this clause:

• AUTHID DEFINER

• AUTHID CURRENT_USER

AUTHID DEFINER is the default

WITH definer rights

create or replace procedure P as

Begin

---------

-------

end;

WITH invoker rights

create or replace procedure P AUTHID CURRENT_USER as

Begin

---------

-------

end;

Exec sp_control

MKTDIRMAT

DIRMAT_CTL MKT_CTL

User X User Z

OPS_PROD

PROD_CTL

Sp_control

User Y

Existing Problem

• If Changes done deploy to All Schema time consuming work

• Chances of Missing to some schema results in Issues

• More Objects More Maintenance

• Accumulation of Un-necessary Objects end up in JUNK Objects

• More Time for Backup and Recovery

Benefits• No Need of Deployment to Other schema in case of Changes

• Changes only in one place, lot of time saved

• Less Maintenance due to less Objects

• Security as Only Authorized person have access

• Fast Backup and Recovery due to Less Objects

Limitations• Not advised for big processing procedures as performance impact

• Implementation always with core schema

StepsConn OPS_PROD/OPS_PROD

create or replace procedure P AUTHID CURRENT_USER as

Begin

---------

-------

end;

grant execute on p to dirmatconn dirmat/dirmatexec ops_prod.p;grant execute on p to publiccreate public synonym sp_control for ops_prod.p;conn dirmat/dirmatexec sp_control;

Q & A

Thank you