System Privileges Required by Lure

Privileges required during export

In order to export the source code or DDL for any object, Lure connects to the database as the owner schema of those objects. In other words, when exporting a schema Lure requires the password for that schema (user) to be specified in the connect properties file.

In order to export roles (and the privileges granted to these roles) Lure iterates through all users for which passwords are specified in the connect properties file and then:

  1. Selects the first user that has the SELECT ANY DICTIONARY privilege. If found, Lure uses this user to export the DDL for all roles in the export.
  2. Alternatively, for each role, Lure looks for the first user that has the role granted to it (in which case that user can be used to extract all DDL for this role).
  3. If no user is found that can export the role, Lure execution terminates.

Privileges required during import

Since the Lure import command internally (as a first step) also exports the database source code, all privilege requirements outlined in the section above are also required for import. This section lists the additional requirements for import.

As a general rule Lure uses a database user (schema) to import/export its own objects. It is therefore a requirement that schemas that are being synchronized have the necessary system privileges to create these objects, e.g. CREATE TABLE, CREATE VIEW etc.

Since Lure is able to synchronize system privileges as well it is only necessary to add these privileges to the source database schema. These privileges will then be exported (from the source schema) and imported to the target database schema as a first step before Lure will use this user to import (create) any objects.

Lure uses a different approach for importing object privileges. Since in general it is not safe to grant the GRANT ANY OBJECT PRIVILEGE privilege to ordinary users, Lure imports object privileges as follows:

  1. Lure first attempts to use the object owner to grant the privilege to the target user. (No special system privileges are required in this case, just the password of the object owner.)
  2. If the password for the object owner is not specified in the properties file, then Lure looks for any other user (for which a password is specified in the properties file) with the GRANT ANY OBJECT PRIVILEGE privilege. Lure then uses this user to grant the object privilege.

In addition to the above scenario there are a few other system privileges that Lure may require during import, but where Lure does not expect these privileges to be granted to the user/schema being imported. Lure iterates through all usernames/passwords that are specified in the connect properties file in order to determine which of these users hold the necessary system privileges, and then uses those users to execute the required import changes.
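The three selection rules above (the role-export user, the object-privilege grantor, and the general "find any configured user holding privilege X" lookup) are easy to get wrong when planning which passwords to put in the connect properties file. The following Python model is an added example written for this page; it is not Lure's own code. It assumes a connect properties file with one `<USER>.password=<value>` line per user (the real key format is not documented on this page) and uses a constructed privilege inventory standing in for what Lure would read from the data dictionary.

```python
"""Model of Lure's user-selection rules (example added to this page; not Lure's own code).

Assumptions not taken from the page:
  * the connect properties file holds one '<USER>.password=<value>' line per user;
  * SYS_PRIVS, ROLE_GRANTS and OBJECT_OWNERS below are constructed sample data.
"""
from typing import Optional

# Constructed sample connect properties file (assumed key format).
CONNECT_PROPERTIES = """
HR.password=hr_secret
ORDERS.password=orders_secret
LURE_ADMIN.password=admin_secret
"""

# Constructed sample inventory: user -> system privileges granted directly to it.
SYS_PRIVS = {
    "HR": {"CREATE TABLE", "CREATE VIEW"},
    "ORDERS": {"CREATE TABLE"},
    "LURE_ADMIN": {"SELECT ANY DICTIONARY", "GRANT ANY OBJECT PRIVILEGE", "CREATE USER"},
}
# Constructed sample: user -> roles granted to that user.
ROLE_GRANTS = {"HR": {"HR_READ"}, "ORDERS": {"ORDERS_RW"}, "LURE_ADMIN": set()}
# Constructed sample: object -> owning schema (FIN has no password configured).
OBJECT_OWNERS = {"HR.EMPLOYEES": "HR", "FIN.LEDGER": "FIN"}

# Privileges listed in the table on this page.
TABLE_PRIVS = ["CREATE USER", "CREATE ROLE", "ALTER USER", "GRANT ANY ROLE",
               "GRANT ANY PRIVILEGE", "GRANT ANY OBJECT PRIVILEGE", "SELECT ANY DICTIONARY"]


def users_with_passwords(properties: str) -> list[str]:
    """Users whose password is present, in file order (the order Lure iterates in)."""
    users = []
    for line in properties.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.endswith(".password") and value:
            users.append(key[: -len(".password")].upper())
    return users


def role_export_user(roles, users, sys_privs, role_grants) -> dict[str, str]:
    """Rules 1-3 of the role export: one SELECT ANY DICTIONARY user serves every role;
    otherwise the first configured grantee of each role; otherwise Lure terminates."""
    for u in users:
        if "SELECT ANY DICTIONARY" in sys_privs.get(u, ()):
            return {r: u for r in roles}
    mapping = {}
    for r in roles:
        grantee = next((u for u in users if r in role_grants.get(u, ())), None)
        if grantee is None:
            raise ValueError(f"no configured user can export role {r}; Lure would terminate")
        mapping[r] = grantee
    return mapping


def object_privilege_grantor(obj, users, sys_privs, owners) -> Optional[str]:
    """Rule 1: the object owner, if its password is configured.
    Rule 2: otherwise any configured user holding GRANT ANY OBJECT PRIVILEGE."""
    owner = owners[obj]
    if owner in users:
        return owner
    for u in users:
        if "GRANT ANY OBJECT PRIVILEGE" in sys_privs.get(u, ()):
            return u
    return None


def privilege_audit(users, sys_privs, wanted=TABLE_PRIVS) -> dict[str, list[str]]:
    """For each privilege in the page's table, which configured users hold it.
    Empty lists show which import steps would fail; long lists show which powerful
    privileges are exposed through passwords stored in the properties file."""
    return {p: [u for u in users if p in sys_privs.get(u, ())] for p in wanted}


if __name__ == "__main__":
    users = users_with_passwords(CONNECT_PROPERTIES)
    print("role export:", role_export_user(["HR_READ", "ORDERS_RW"], users, SYS_PRIVS, ROLE_GRANTS))
    for obj in OBJECT_OWNERS:
        print(obj, "granted by", object_privilege_grantor(obj, users, SYS_PRIVS, OBJECT_OWNERS))
    for priv, holders in privilege_audit(users, SYS_PRIVS).items():
        print(f"{priv:28s} {holders or 'NOBODY'}")
```

Running the audit before a synchronization tells you two things at once: which of the import steps in the table will have no user to run them, and which high-impact privileges (SELECT ANY DICTIONARY, GRANT ANY OBJECT PRIVILEGE) are reachable from a password stored in the properties file, which is the file whose access permissions deserve the most care.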

The following table lists all system privileges that Lure may need and that it will use if granted to any of the users for which passwords are specified in the connect properties file:

| System Privilege | Used for |
|---|---|
| CREATE USER | To create a user during import when the user does not exist at the time of import. |
| CREATE ROLE | To create a role on import. |
| ALTER USER | To add tablespace allocations to a user. |
| GRANT ANY ROLE | To grant a role to a user. |
| GRANT ANY PRIVILEGE | To grant a system privilege to a user. |
| GRANT ANY OBJECT PRIVILEGE | To grant object privileges to users in the case where the object owner password is not specified. |
| SELECT ANY DICTIONARY | If roles are synchronized, this privilege is required to extract all information relating to the privileges granted to a role during export. |
system_privileges_required_by_lure.txt · Last modified: 2013/07/25 21:00 (external edit)