0

I tried to grant CONNECT to a user through a role:

CREATE ROLE my_role IDENTIFIED BY "passwd";
GRANT CONNECT TO my_role;

CREATE USER my_user IDENTIFIED BY "passwd";
GRANT my_role TO my_user;

When I try this in 10g it works fine, while in 11g login is rejected:

ORA-01045:user MY_USER lacks CREATE SESSION privilege; logon denied

Granting CREATE SESSION to the role does not make a difference.
I can only login after directly granting CONNECT (or CREATE SESSION) to the user.

Has Oracle changed this behavior or am I doing something wrong?

NullUserException
  • 83,810
  • 28
  • 209
  • 234
Peter Lang
  • 54,264
  • 27
  • 148
  • 161

3 Answers3

6

I think you might have gotten away with a security "feature" in 10g. The way I read the SQL Reference and Security Guide for 11g indicates that password-enabled roles require the use of the SET ROLE my_role IDENTIFIED BY passwd before any rights granted by that role are effective.

You can't CREATE SESSION until you have the role, and you can't have the role until you issue SET ROLE.

Catch-22.

Adam Musch
  • 13,286
  • 2
  • 28
  • 32
  • Excellent, thanks a lot! Do you have a link where this is indicated? – Peter Lang Feb 18 '10 at 18:31
  • I don't have a link to tahiti.oracle.com's documentation, as it's availability is unreliable. CREATE ROLE and SET ROLE Syntax is in the Oracle Database SQL Language Reference 11g Release 2 (E10592-04) on Pages 15-59 and 19-60 respectively. – Adam Musch Feb 18 '10 at 19:17
2

Oracle Knowledge Base [ID 745407.1] explains this.

The DEFAULT clause in the:

alter user default roles ; specifies the roles granted by default to the user at logon. This clause can contain only roles that have been granted directly to the user with a GRANT statement, or roles created by the user with the CREATE ROLE privilege. You cannot use the DEFAULT ROLE clause to enable:

  1. Roles not granted to the user

  2. Roles granted through other roles

  3. Roles managed by an external service (such as the operating system), or by the Oracle Internet Directory

  4. Roles that are password authenticated.

  5. Roles that are implemented as secure application roles.

For password authenticated roles, the change has been introduced in version 10.2.0.5 and 11.1.0.7. For secure application roles, the change has been introduced in the Oracle releases 10.2.0.4 and 11.1.0.7 These changes will apply to all future releases. The above mentioned restrictions will be introduced in the future documentation.

One can easily turn the password enabled roles into standard roles by running the script resulting from:

select 'alter role '||role||' not identified;' from dba_roles where password_required='YES' and role not in (select role from dba_application_roles);

Trev Bryan
  • 21
  • 1
1

Activating default roles (granted to a user as Default) which are also password protected changed in Oracle 10g, version 10.2.0.5 (at least for our copy). In release 10.2.0.5, a password protected role would no longer become activated by default. It had to be specifically turned on with the appropriate password.

This was not documented as far as we could tell. But when our systems were upgraded from 10.2.0.4 to 10.2.0.5, this change broke several of our systems, and we had to create parallel non-protected roles for our functional accounts which did not have any mechanism to activate default roles. We basically created old_role_batch with no password as a copy of old_role whish was password protected.

rlstrommen
  • 11
  • 1