This document discusses granting Oracle schema permissions to users when objects have not yet been created. It describes creating a read only role, granting the role to users, and using a DDL trigger to automatically grant permissions to new objects upon their creation. The trigger submits a DBMS job to execute a grant statement, allowing the role and permissions to take effect immediately. Finally, it provides notes on using this approach and offers to demonstrate it further if time allows.

1. Session ID:
Prepared by:
Granting Oracle Schema
Permissions When Objects not
Created Yet !
Jasmine B
Wednesday, April 13, 2016
12 – 12:30pm
1198
@mjgangler
Mike Gangler – Senior Database Specialist
Secure-24 - @mjgangler
Mjgangler@yahoo.com

2. About Mike Gangler
• Oracle ACE with robust database credentials
• DBA for over 28 years, working with Oracle
since version 4
• Team Lead and Senior Database Specialist at
Secure-24
• Currently serving on the board of the Southeast
Michigan Oracle Professionals (SEMOP) group
– www.meetup.com
• Charter member of the Board of Directors for
the International Oracle Users Group (IOUG) –
www.ioug.org
• Follow me on my Blog http://
mjgangler.wordpress.com and on twitter!
@mjgangler
2

3. About Secure-24
3
FOUNDED
HEADQUARTERS
GLOBAL
OPERATION
CENTERS
DATA CENTERS
Secure-24 was
founded in 2001 and
since then has grown
to 500+ employees and
has received
recogniPon as one of
Computerworld’s Best
Places to Work in IT, 3-
years running.
Secure-24 is
headquartered in
Southfield, MI
Serving customers
around the globe,
Secure-24 has two (2)
OperaPon Centers in
Michigan, one (1) in
Nevada and one (1) in
Hyderabad India.
Secure-24 has three
(3) data centers in
Michigan, one (1) in
Nevada, plus several
global partnerships.
We only choose the
safest locaPons for
our data centers.
Secure-24 has 15 years of experience delivering managed IT operaPons, applicaPon hosPng and cloud services to
enterprises worldwide. We manage SAP, Hyperion, PeopleSo], JD Edwards, Oracle E-Business Suite and other mission
criPcal applicaPons across all industries for businesses of every size.

4. Communi'es Educa'on
Join for as low as $150
SELECT Journal Resource Center IOUG Press Webinars & Podcasts IOUG Forum 5 Minute Briefing
Plus get access to IOUG’s content library, peer-to-peer networking, and more!
Corporate options also available!

5. Oracle Conferences in Detroit Area
Southeast Michigan Oracle Professionals
http://www.meetup.com/SouthEast-Michigan-Oracle-
Professionals/
Meet monthly – 2nd Tuesday of the month
Michigan Oracle User Summit
November 3, 2016
http://www.mous.us

6. Great Lakes Oracle Conference
• 2016 Great Lakes Oracle Conference (GLOC)
• May 18 & 19, 2016
Cleveland Public Auditorium
Cleveland, OH
https://www.neooug.org/gloc/

7. Todays Discussion
Learn how Secure-24 uses Roles and a simple trigger to
grant “Read Only” access to objects that are not created yet.
This process is quite common in MS SQL Server and is
needed for many database systems.
7

8. Pre-Steps – User Steps
• Create a read only role in the database
– > create role IOUG_READONLY;
8

9. Pre-Steps – User Steps
• Grant Role to user requiring read only access
– > grant IOUG_READONLY to IOUG_USER ;
– > alter user IOUG_USER default role all;
** Note – need default=yes or you will have to do a:
>> alter session set role=IOUG_READONLY;
>> 12c – set role ioug_readonly;
9

10. DDL Trigger
CREATE or REPLACE TRIGGER AFTER_DDL AFTER DDL on
IOUG_OBJECTS.SCHEMA
declare
v_sysevent varchar2(25);
v_message varchar(255);
l_job number;
begin
select ora_sysevent into v_sysevent from dual;
if ( v_sysevent in ('CREATE') )
then
v_message := 'execute immediate "grant select on
IOUG_OBJECTS.'||ora_dict_obj_name||' to IOUG_READONLY";';
dbms_job.submit (l_job,replace(v_message,'"','''') ) ;
end if;
end;
/
10

11. Results
Now whenever a new object gets created the role is
granted via the pl/sql and dbms_job. The following is a
test output:
Connect IOUG_OJBECTS/pw
IOUG_OBJECTS@IOUGDEV > create table foo1 (col1 varchar2(255));
Table created.
IOUG_OBJECTS@IOUGDEV > connect IOUG/pw
Connected.
IOUG@IOUGDEV > select * from IOUG_OBJECTS.foo1;
no rows selected
IOUG@IOUGDEV > desc IOUG_OBJECTS.foo1;
Name Null? Type
—————————————– ——– —————————-
COL1 VARCHAR2(255)
11

12. DDL Trigger - Notes
NOTES:
• Must use dbms_job.submit in order for the role to be in place.
• Unless you have a public synonym you may need to add the
schema name prior to the object.
• The default role must be set to true or you will need to alter
session to enable that read only role.
• Please let me know if this works for you and big thanks to
“Ask Tom” who helped me resolve the PL/SQL and DDL
issue. Also, please let me know if there is a automatic way
to do this Oracle.
12

13. Demo – If Time

14. Visit Secure-24 in booth #1315!
• Enter for a chance to win a $5,000 travel gift
card!
• Meet with other S-24 executives and technical
resources
• Discuss your organization’s Cloud Strategy for
2016
• Learn more about our capabilities with Oracle’s
Virtual Compute Appliance

15. Questions
Server
Pool 2
JDE
Mike Gangler
Michael.gangler@secure-24.com
Blog : hBps://
mjgangler.wordpress.com
mjgangler

16. Please complete the session evaluation
Paper – 1198
Author – Mike Gangler
We appreciate your feedback and Insight
You May complete the session evaluation via the
mobile app