inherit privilege权限：

B用户(较低权限)创建了Invoker’s right procedure，A用户(较高权限)调用B用户的procedure执行时使用的是A的权限，为防止B在A不知情的情况下修改Procedure利用A的高权限做一些越权操作，等下次A用户执行procedure是这些操作便被执行。12c中引入了inherit privilege权限，它表明invoker是否能以invoker的身份去执行owner的invoker’s right privilege，或者说B用户的procedure是否有权以A用户的权限去运行这个procedure。

 

1、  默认情况下系统对于新建的用户会将inherit privilege权限授予PUBLIC，相当于grant inherit privileges on NEWUSER to PUBLIC：

---建立用户：

drop user a cascade;

drop user b cascade;

create user a identified by a;

create user b identified by b;

grant connect, resource to a;

grant connect, resource to b;

grant unlimited tablespace to a,b;

 

---dba_tab_privs视图中验证a,b用户都已经将inherit privilege权限付给了PUBLIC

select * from dba_tab_privs where grantee='PUBLIC' AND privilege like '%INHERIT%'

connect a/a@192.168.56.101/orapdba

create table a (col1 varchar2(1));

insert into a values ('a');

commit;

 

connect b/b@192.168.56.101/orapdba

create table a (col1 varchar2(1));

insert into a values ('b');

commit;

 

create or replace procedure test_inv_rights authid current_user as

   v_current_user varchar2(30);

   v_session_user varchar2(30);

   t_val varchar2(10);

begin

    SELECT sys_context('USERENV','SESSION_USER'),

           sys_context('USERENV','CURRENT_USER')

        INTO v_session_user, v_current_user

    FROM dual;

    SELECT col1 into t_val from a;

    dbms_output.put_line( 'Called procedure is: ' || 'test_inv_rights' );

    dbms_output.put_line( 'User calling procedure: ' || v_session_user );

    dbms_output.put_line( 'User-context for procedure: ' || v_current_user );

    dbms_output.put_line( 'Table value : ' || t_val );

    --execute immediate 'begin test_schema_a; end;';

end;

/

 

---赋权给用户a

grant execute on b.test_inv_rights to a;

 

---a用户执行b用户下的存储过程

SQL> connect a/a@192.168.56.101/orapdba

SQL> set serveroutput on

SQL> exec b.test_inv_rights;

Called procedure is: test_inv_rights

User calling procedure: A

User-context for procedure: A

Table value : a

 

PL/SQL procedure successfully completed.

 

 

---从public revoke inherit privilege权限，a用户没有执行b用户procedure的权限了

SQL> connect a/a@192.168.56.101/orapdba

Connected.

 

SQL> revoke inherit privileges on user a from public; 

 

Revoke succeeded.

 

SQL>  exec b.test_inv_rights;

BEGIN b.test_inv_rights; END;

 

*

ERROR at line 1:

ORA-06598: insufficient INHERIT PRIVILEGES privilege

ORA-06512: at "B.TEST_INV_RIGHTS", line 1

ORA-06512: at line 1

 

---要恢复执行b用户procedure的权限，可以采取如下方法：

给b用户赋予inherit privilege的权限

SQL> connect a/a@192.168.56.101/orapdba

Connected.

SQL> grant inherit privileges on user a to b;

 

Grant succeeded.

    SQL> set serveroutput on

SQL> exec b.test_inv_rights;

Called procedure is: test_inv_rights

User calling procedure: A

User-context for procedure: A

Table value : a

 

PL/SQL procedure successfully completed.