为什么 PL/SQL 不尊重角色授予的权限? [英] Why doesn't PL/SQL respect privileges granted by Roles?
问题描述
在执行 PL/SQL 块时,任何授予角色的权限都将被忽略.相反,您必须授予特定用户特定的授权才能运行它.如果我想授予 DBA 访问包、函数或过程的权限,我不能授予 DBA 角色权限.我必须向 DBA 角色中的每个用户授予授权,如果他们不再是 DBA,我必须删除该用户的授权,并且我必须将授权添加到任何新的 DBA.
When executing a PL/SQL block, any privileges granted to roles are ignored. Instead you must give specific users specific grants to run it. If I want to give DBAs access to a package or a function or a procedure, I can't give the DBA role a grant. I have to give a grant to each user in the DBA role, I have to remove the user's grant if they cease to be a DBA, and I have to add the grant to any new DBA.
我觉得这很难维护.
我的问题是为什么 PL/SQL 以这种方式工作?为了决定角色和 PL/SQL 应该如何协同工作,Oracle 做了哪些设计考虑?我一直无法找到不是事情就是这样"的答案.
My question is why does PL/SQL work this way? What design considerations did Oracle make to decide that this is how Roles and PL/SQL should work together? I've been unable to find an answer that isn't "that's just the way it is".
推荐答案
否则,如果您删除角色,那么在某些情况下 PL/SQL 包将变为 INVALID(没有重新编译的选项).
Otherwise if you drop a role then the PL/SQL package would become INVALID in some cases (without having the option to re-compile).
DROP ROLE ...
是 DCL(数据控制语言)语句.看起来 Oracle 决定:PL/SQL 包不应被 DCL 语句变为 INVALID"
DROP ROLE ...
is a DCL (Data Control Language) statement. Looks like Oracle decided: "A PL/SQL package shall not become INVALID by a DCL statement"
这篇关于为什么 PL/SQL 不尊重角色授予的权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!