Invoker Caller Routine
, the concept of invoker's rights was introduced.
As the name implies, invoker's rights allow a stored procedure to be executed with the current rights allocated to the user who is calling, or invoking, the stored procedure. This makes privileges late-bound
, where they are assigned at runtime, rather than early-bound
, where they are assigned when a stored procedure is created or modified.
Because invoker's rights apply to the current set of privileges of the calling user, you can use roles with stored procedures compiled with invoker's rights specified. Privileges allowed by roles can also be used for the stored procedure.
For more information on invoker's rights, please refer to the documentation for Oracle13c.
Four basic types of database operations can be limited by security privileges in an Oracle Database:
- SELECT to perform queries
- INSERT to put rows into tables or views
- UPDATE to update rows in tables or views
- DELETE to remove rows from tables, table partitions, or views
In addition to these data-specific privileges, several other privileges apply to the objects
within a database schema, such as:
- CREATE to create a table in a schema
- DROP to remove a table in a schema
- ALTER to alter tables or views
All of these privileges can be handled with two simple SQL commands. The GRANT command gives a particular privilege to a user or role, while the REVOKE command takes away a specific privilege. You can use GRANT and REVOKE to modify the privileges for an
individual or a role. You can also grant the ability to re-grant privileges to others. You can use either of these commands with the keyword PUBLIC to issue or revoke a privilege for all database users. Another security privilege, EXECUTE, allows users to run a PL/SQL procedure or function. By default, the PL/SQL routine runs with the security privileges of the user who compiled the routine. Alternately, you can specify that a PL/SQL routine run with what is termed invoker’s rights, which means that the routine is run with the security privileges of the user who is invoking the routine.
When a value is resolved at runtime, it is called late-bound.
When a value is resolved at compile time, it is called early-bound.