This document contains information about Patrick Barel, an Oracle consultant and author. It includes his contact details, areas of expertise, blogs and websites to read, plugins available for download, and upcoming training events he will be presenting. Some key points are:
- Patrick Barel has been working with Oracle technologies such as PL/SQL and APEX since 1997 and holds OCA certification.
- He maintains blogs on technology.amis.nl and blog.bar-solutions.com about Oracle topics.
- Plugins for tools like PL/SQL Developer and APEX can be downloaded from his websites.
- Upcoming events include a Steven Feuerstein masterclass on PL/SQL best practices and new
2. About me…
• Patrick Barel
• Working with Oracle since 1997
• Working with PL/SQL since 1999
• Playing with APEX since 2003 (mod_plsql)
• ACE since 2011
• OCA since December 20th 2012
7. Steven Feuerstein Masterclass
Anti-Pattern PL/SQL Programming + Oracle Database 12c New PL/SQL Features
12/13 December. AMIS, Nieuwegein
• Steven will present examples of "bad code" (anti-patterns) and features of PL/SQL that address them.
• Students working in pairs then use their laptops to fix the anti-patterns.
• Steven then walks the entire class through optimal solutions.
9. Definer Rights vs Invoker Rights
Definer Rights Model
Prior to Oracle8i, whenever you executed a stored program, it ran under the privileges of the account in which the program was defined.
This is called the …
Invoker Rights Model
With Oracle8i, you can now decide at compilation time whether your program or package will execute in the definer's schema (the default) or the schema of the invoker of the code.
This is called the …
12. Invoker Rights
• Allows you to centralize access to and control of underlying data structures.
• Uses roles and doesn't rely on directly-granted privileges.
• But it can be a source of confusion and architectural problems.
Note: Oracle built-in packages have long had the capability of running under the invoker's authority.
13. What's wrong with Definer Rights
• Deployment & maintenance
– Must install module in all schemas where needed
– In some databases, each user has own copy of table(s), requiring copy of stored module
• Security
– No declarative way to restrict privileges on certain modules in a package -- it's all or nothing, unless you write code in the package to essentially recreate roles programmatically.
– Difficult to audit privileges
Sure would be nice to have a choice...and now you do!
15. Invoker Rights
For top level modules:
CREATE [ OR REPLACE ] <module type>
[ AUTHID { DEFINER | CURRENT_USER } ]
AS ...
For modules with separate spec and body, AUTHID goes only in the spec, and must be at the package level.
Holds true for packages and object types.
33. SQL Injection
Dynamic SQL
• Modification (drop) of objects
– You cannot drop what is not there
• Modification of records
– Will only affect current user's data
You should always use binding instead of concatenating in Dynamic SQL statements.
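The point of the slide, shown in code. This is an added example, not from the deck: a concatenating procedure next to its bound equivalent, plus the one case binding cannot cover (an object name), handled with DBMS_ASSERT. The table EMPLOYEES and its columns are assumptions.

```sql
-- 1. Vulnerable: the caller's input becomes part of the statement text.
--    A quote character in p_name ends the literal and the rest of the
--    input is parsed as SQL. Under definer rights that text runs with the
--    owner's privileges; under invoker rights it runs as the caller.
CREATE OR REPLACE PROCEDURE emp_count_unsafe (p_name IN VARCHAR2, p_count OUT NUMBER)
AS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT COUNT(*) FROM employees WHERE ename = ''' || p_name || '''';
  EXECUTE IMMEDIATE l_sql INTO p_count;
END emp_count_unsafe;
/

-- 2. Hardened: the value travels as a bind variable. The statement text is
--    a constant, so whatever p_name contains is compared as data, never parsed.
--    Binding also lets the shared pool reuse the cursor instead of hard
--    parsing a new statement per distinct input.
CREATE OR REPLACE PROCEDURE emp_count (p_name IN VARCHAR2, p_count OUT NUMBER)
AS
BEGIN
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM employees WHERE ename = :name'
    INTO  p_count
    USING p_name;
END emp_count;
/

-- 3. Identifiers cannot be bound. When a table name must be dynamic,
--    pass it through DBMS_ASSERT.SQL_OBJECT_NAME, which raises an error
--    unless the string is an existing, legal object name.
CREATE OR REPLACE PROCEDURE row_count (p_table IN VARCHAR2, p_count OUT NUMBER)
AS
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    INTO p_count;
END row_count;
/

-- Usage (assumed data): both calls return the same count for an ordinary
-- name; only the first one is affected by a name containing a quote.
DECLARE
  l_n NUMBER;
BEGIN
  emp_count('SMITH', l_n);
  DBMS_OUTPUT.PUT_LINE('bound:  ' || l_n);
  row_count('EMPLOYEES', l_n);
  DBMS_OUTPUT.PUT_LINE('rows:   ' || l_n);
END;
/
```

A quick check when reviewing a code base: search for `EXECUTE IMMEDIATE` and `DBMS_SQL.PARSE` calls whose statement argument is built with `||` from a parameter, and ask of each one whether the concatenated piece is a value (bind it) or an identifier (assert it).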
34. Definer Rights Model / Invoker Rights Model
Rules and Restrictions
• AUTHID DEFINER
– Uses directly granted privileges
– Default, so no need to change current code
• AUTHID CURRENT_USER
– Uses ROLEs
– On entire objects
– Need for 'mock' objects
– (at compile time it's Definer Rights)
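The AUTHID syntax from slide 15 and the "mock object" rule above, worked through in one added example (not code from the deck). The schemas APP_OWNER and HR_USER and the table EMPLOYEES are assumptions.

```sql
-- 1. Definer rights (the default). The body is resolved and executed with
--    APP_OWNER's directly granted privileges; roles are not active inside it.
--    Every caller reads APP_OWNER.EMPLOYEES, whoever they are.
CREATE OR REPLACE PACKAGE app_owner.emp_def_pkg
  AUTHID DEFINER
AS
  FUNCTION salary_of (p_empno IN NUMBER) RETURN NUMBER;
END emp_def_pkg;
/
CREATE OR REPLACE PACKAGE BODY app_owner.emp_def_pkg
AS
  FUNCTION salary_of (p_empno IN NUMBER) RETURN NUMBER
  IS
    l_sal NUMBER;
  BEGIN
    SELECT sal INTO l_sal FROM employees WHERE empno = p_empno;
    RETURN l_sal;
  END salary_of;
END emp_def_pkg;
/

-- 2. Invoker rights. AUTHID appears in the spec only, at package level.
--    The body is compiled as APP_OWNER (definer rights at compile time), so
--    an EMPLOYEES object must exist in APP_OWNER for the SELECT to compile.
--    If APP_OWNER holds no data, an empty table with the right columns is
--    enough: this is the "mock" object the slide refers to.
CREATE TABLE app_owner.employees (empno NUMBER, sal NUMBER);

CREATE OR REPLACE PACKAGE app_owner.emp_inv_pkg
  AUTHID CURRENT_USER
AS
  FUNCTION salary_of (p_empno IN NUMBER) RETURN NUMBER;
END emp_inv_pkg;
/
CREATE OR REPLACE PACKAGE BODY app_owner.emp_inv_pkg
AS
  FUNCTION salary_of (p_empno IN NUMBER) RETURN NUMBER
  IS
    l_sal NUMBER;
  BEGIN
    -- At run time the unqualified name resolves in the caller's schema and
    -- the caller's roles apply, so each user only ever sees their own copy.
    SELECT sal INTO l_sal FROM employees WHERE empno = p_empno;
    RETURN l_sal;
  END salary_of;
END emp_inv_pkg;
/

-- 3. One deployment of each package serves every schema that has its own
--    EMPLOYEES copy; only EXECUTE needs to be granted.
GRANT EXECUTE ON app_owner.emp_def_pkg TO hr_user;
GRANT EXECUTE ON app_owner.emp_inv_pkg TO hr_user;

-- Run as HR_USER, which owns its own HR_USER.EMPLOYEES (assumed data):
SELECT app_owner.emp_def_pkg.salary_of(7369) FROM dual; -- reads APP_OWNER.EMPLOYEES
SELECT app_owner.emp_inv_pkg.salary_of(7369) FROM dual; -- reads HR_USER.EMPLOYEES
```

To confirm which model a compiled unit uses, query the AUTHID column of ALL_PROCEDURES for the package; a unit showing DEFINER that is later called by many schemas is the one to review for the "all or nothing" privilege problem described on slide 13.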