Oracle Database 12c INHERIT PRIVILEGES Privilege (PL/SQL Security) Tutorial

Oracle Database Security Tutorial for PL/SQL

Historically, we had definer’s rights and invoker’s rights. Definer’s rights code lets the invoker escalate his privileges; invoker’s rights code lets the definer escalate his privileges. Big problem! And the use of roles complicated things further. We have all been caught out by misunderstanding how roles are applied (or not) within PL/SQL. Oracle Database 12c tidies this up with the INHERIT [ANY] PRIVILEGES privilege and the ability to grant roles to program units. It is granted by default, so make sure you understand it.

Presented by Oracle Certified Master John Watson, SkillBuilders’ Director of Oracle Database Services.

Be sure to see our free tutorial that shows how the 12c INHERIT PRIVILEGES privilege can prevent SQL injection!

This free Oracle 12c PL/SQL Security tutorial is segmented into several separate lessons:

  1. Introduction (1:20)
  2. Tutorial Agenda (4:11)
  3. Review: Definer and Invoker’s Rights (We’d bet you didn’t know all this.) (16:51)
  4. Review: Roles and PL/SQL (6:21)
  5. 12c INHERIT PRIVILEGES Privilege (6:47)
  6. 12c Granting Roles to Procedures (6:37)
  7. 12c Bequeath Views (1:44)
  8. 12c PL/SQL Security Summary (3:57)

Date: Aug 28, 2013

NOTE: Some corporate firewalls will not allow videos hosted by YouTube.


12c Bequeath Views

Session 7 – Bequeath Views in 12c

>> John: Final topic then, bequeath views, another 12c new capability.

By default, and always of course in previous releases, views execute with definer’s rights. So you create a view, you give someone privileges on the view, the invoker needs a privilege on the view, and he’ll inherit the owner’s privileges while the view is being executed. It isn’t quite the same as code in the stored program units. He will inherit the owner’s privileges on source tables and functions, but there’s one difference we’ll see.

We can now use CREATE VIEW ... BEQUEATH CURRENT_USER. That’s all the syntax is: we create a view BEQUEATH CURRENT_USER, and we see that then the current user will have to have privileges on any objects that it uses. That will prevent the invoker from inheriting ludicrous privileges through hacking views.

Name resolution: this is different from program units. Name resolution is still done in the owner’s schema. I have wondered if that counts as a bug, but it is documented that it works that way. That seems to be the way that it’s intended to function.

Closely associated with inheriting privileges for stored program units, we have the equivalent INHERIT PRIVILEGES for views as well.
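The script below is an added example, not part of John’s session or the tutorial’s own demo scripts. It puts the default (BEQUEATH DEFINER) view next to a BEQUEATH CURRENT_USER view over the same table, both calling an invoker’s rights function, so the difference can be seen from the invoker’s side. The schema names ALICE (owner) and BOB (invoker), the table EMP, the function WHOAMI and the view names are assumed names chosen for the demonstration; run each block as the user named in its comment.

```sql
-- Added example (assumed schemas ALICE and BOB; not from the tutorial).

-- ---- As ALICE: a table, an invoker's rights helper, and two views over it.
CREATE TABLE alice.emp (id NUMBER, ename VARCHAR2(30), salary NUMBER);
INSERT INTO alice.emp VALUES (1, 'SCOTT', 3000);   -- constructed sample rows
INSERT INTO alice.emp VALUES (2, 'KING',  5000);
COMMIT;

-- Invoker's rights function: reports the user it is effectively running as.
CREATE OR REPLACE FUNCTION alice.whoami RETURN VARCHAR2
  AUTHID CURRENT_USER
IS
BEGIN
  RETURN SYS_CONTEXT('USERENV', 'CURRENT_USER');
END;
/

-- Default behaviour (BEQUEATH DEFINER, the pre-12c behaviour): the invoker's
-- rights function referenced by the view runs as the view owner, so RUN_AS
-- is the owner (ALICE) no matter who queries the view.
CREATE OR REPLACE VIEW alice.emp_definer_v
  BEQUEATH DEFINER
AS
  SELECT id, ename, salary, alice.whoami() AS run_as
    FROM alice.emp;

-- 12c: BEQUEATH CURRENT_USER makes the invoker's rights function run as the
-- querying user, so RUN_AS is the invoker (BOB when BOB queries it).
-- Unqualified names (whoami, emp) are still resolved in ALICE's schema,
-- exactly as John notes above; BEQUEATH does not change name resolution.
CREATE OR REPLACE VIEW alice.emp_invoker_v
  BEQUEATH CURRENT_USER
AS
  SELECT id, ename, salary, whoami() AS run_as
    FROM emp;

GRANT SELECT ON alice.emp_definer_v TO bob;
GRANT SELECT ON alice.emp_invoker_v TO bob;

-- ---- As BOB: the same two queries; only RUN_AS differs between the views.
SELECT ename, run_as FROM alice.emp_definer_v;
SELECT ename, run_as FROM alice.emp_invoker_v;

-- ---- As BOB (or a DBA): the INHERIT PRIVILEGES control for the view case.
-- For ALICE's invoker's rights function to run with BOB's privileges, ALICE
-- must hold INHERIT PRIVILEGES ON USER bob. 12c grants this to PUBLIC by
-- default; revoking it from PUBLIC and granting it only to the owners BOB
-- trusts is the defensive setting. Without it, BOB's query of the
-- BEQUEATH CURRENT_USER view fails with ORA-06598.
REVOKE INHERIT PRIVILEGES ON USER bob FROM PUBLIC;
GRANT  INHERIT PRIVILEGES ON USER bob TO alice;
```

The check a practitioner wants from this script is the last block: if a user can reach an invoker’s rights function through a BEQUEATH CURRENT_USER view, the function owner can execute code with that user’s privileges, so INHERIT PRIVILEGES on the more privileged account should be held only by owners that account trusts, not by PUBLIC.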


Copyright 2017
