为什么 PL/SQL 不尊重角色授予的权限? [英] Why doesn't PL/SQL respect privileges granted by Roles?

问题描述

在执行 PL/SQL 块时，任何授予角色的权限都将被忽略.相反，您必须授予特定用户特定的授权才能运行它.如果我想授予 DBA 访问包、函数或过程的权限，我不能授予 DBA 角色权限.我必须向 DBA 角色中的每个用户授予授权，如果他们不再是 DBA，我必须删除该用户的授权，并且我必须将授权添加到任何新的 DBA.

When executing a PL/SQL block, any privileges granted to roles are ignored. Instead you must give specific users specific grants to run it. If I want to give DBAs access to a package or a function or a procedure, I can't give the DBA role a grant. I have to give a grant to each user in the DBA role, I have to remove the user's grant if they cease to be a DBA, and I have to add the grant to any new DBA.

我觉得这很难维护.

我的问题是为什么 PL/SQL 以这种方式工作?为了决定角色和 PL/SQL 应该如何协同工作，Oracle 做了哪些设计考虑?我一直无法找到不是事情就是这样"的答案.

My question is why does PL/SQL work this way? What design considerations did Oracle make to decide that this is how Roles and PL/SQL should work together? I've been unable to find an answer that isn't "that's just the way it is".

推荐答案

否则，如果您删除角色，那么在某些情况下 PL/SQL 包将变为 INVALID(没有重新编译的选项).

Otherwise if you drop a role then the PL/SQL package would become INVALID in some cases (without having the option to re-compile).

DROP ROLE ... 是 DCL(数据控制语言)语句.看起来 Oracle 决定:PL/SQL 包不应被 DCL 语句变为 INVALID"

DROP ROLE ... is a DCL (Data Control Language) statement. Looks like Oracle decided: "A PL/SQL package shall not become INVALID by a DCL statement"

这篇关于为什么 PL/SQL 不尊重角色授予的权限?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！