DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Related

  • Data Privacy and Security: A Developer's Guide to Handling Sensitive Data With DuckDB
  • SQL Server to Postgres Database Migration
  • How To Generate Scripts of Database Objects in SQL Server
  • Different Ways To Rename Database Objects

Trending

  • My LLM Journey as a Software Engineer Exploring a New Domain
  • Microsoft Azure Synapse Analytics: Scaling Hurdles and Limitations
  • AI, ML, and Data Science: Shaping the Future of Automation
  • Why Database Migrations Take Months and How to Speed Them Up
  1. DZone
  2. Data Engineering
  3. Databases
  4. Using AUTHID Parameter in Oracle PL/SQL

Using AUTHID Parameter in Oracle PL/SQL

In Oracle, the AUTHID clause is a powerful option to manage DB security and access control. Explore its different settings and how to use it effectively.

By 
Sachin More user avatar
Sachin More
·
Oct. 28, 24 · Tutorial
Likes (2)
Comment
Save
Tweet
Share
4.7K Views

Join the DZone community and get the full member experience.

Join For Free

In Oracle, the AUTHID clause is a powerful option to manage DB security and access control. It defines who is considered a current user for execution purposes within stored procedures and functions. This article explores the basics of AUTHID, different settings, and how to use it effectively.

About AUTHID

The AUTHID clause specifies whether the current user for authorization checks is the owner of the procedure or function (AUTHID DEFINER) or the user who invokes it (AUTHID CURRENT_USER).

AUTHID Definer (Default)

The current owner of the procedure/function is the current user for the execution authorization checks. This means it is the procedure or function is executed in the schema where the object exists.

AUTHID CURRENT_USER

The user who executes the procedure/function is the current user for the authorization. This enforces a more fine-grained approach of access control as the invoker's privileges are checked.

Real-World Use Case

In an enterprise, you may be dealing with an application running in a standalone database that has a single schema. The DB developer typically codes PL/SQL blocks that include procedures, functions, and packages with the consideration that the store proc objects will only be used by their own DB users (1 schema user in this case) and not across DBs that may be connected via DB links. With this knowledge, it is common that the code will consider the basic parameters that are mandatory. As the application landscape grows, there will be scenarios when the application talks to other databases through DB links.

For example, in a typical retail, healthcare, or any other industry enterprise application, there bound to be a separate database maintained for each of the functional verticals like MDM, finance, POS, and others that may maintain transactional information. In a multi-database setup like this, the PL/SQL procedure may run a batch process on another database's master data and end up executing DDL (Data definition language) statements on the target DB. An example could be the creation of a runtime object like a logical directory on the destination DB, resulting in an invalid reference since the object does not exist on the source database. In classic cases like these, the AUTHID parameter is extremely useful in taking out execution ambiguity, especially when the stored procedures are used by other users over a database link.

Options to Use AUTHID

When you create a PL/SQL procedure or function, there is an optional parameter AUTHID with 2 options as [CURRENT USER] or [DEFINER], which could be used to distinguish between the owner and the user. By default, Oracle creates [DEFINER] object.

Sample Code

PL/SQL Procedure (Named Block)

SQL
  
-- Create a Proc with AUTHID Option
CREATE OR REPLACE PROCEDURE myProc (i_Directory IN VARCHAR2)
AUTHID DEFINER | CURRENT_USER
AS
-- procedure code
BEGIN
-- statements
END myProc;
/


PL/SQL Function

SQL
  
-- Create a Function with AUTHID Option
CREATE OR REPLACE FUNCTION myFunc (i_Directory IN VARCHAR2)
AUTHID DEFINER | CURRENT_USER
AS
-- Function code
BEGIN
-- statements
END myFunc;
/


Definer (Default)

In a store procedure where AUTHID DEFINER is used, when the stored proc is executed, the statements are applied to the DB object owner's schema or database. Figure 1 below shows where the stored proc exists on the Target DB but is being executed from the Source DB. In this case, all of the statements are executed on the Target DB, as the definer of the stored procedure is the Target DB. The stored proc at the Target DB may have a combination of DDL and/or DML statements. This could mean the table updates if the table exists, or creating new objects in the Target database.

Source DB user executing Store Proc at the Target DB

Figure 1: Source DB user executing Store Proc at the Target DB

Current_USER

In a store procedure where AUTHID Current_USER is used, when the stored proc is executed, the statements are applied to the DB object schema or database. Figure 2 below shows where the stored proc exists on the Target DB but is being executed from the Source DB. In this case, all of the statements are executed on the Source DB, as the executor of the stored procedure is the Source DB. If the store proc does not exist on the Source DB, then the execution would fail. If the store proc already exists on the Source DB, then the DDL and DML statements are applied on the source schema.

Source DB user trying to execute SP1 on its own DB Schema

Figure 2: Source DB user trying to execute SP1 on its own DB Schema

When the user tries to perform a DDL or DML operation on another user’s object within the same DB or altogether on a different database, the application will halt causing runtime problems that may halt the entire process. It does not necessarily mean a problem but can be viewed as prevention.

Key Considerations

  • Security: Carefully consider the security implications of your chosen AUTHID setting. Grant privileges judiciously to avoid unauthorized access to the users of schemas of different DBs.
  • Performance: In some cases, AUTHID CURRENT_USER might incur a slight performance overhead due to the additional privilege checks or maybe using DB links.
  • Flexibility: AUTHID CURRENT_USER provides greater flexibility and granularity in managing access control and unauthorized runtime executions.

Best Practices

  • Use AUTHID CURRENT_USER as the default unless you have a specific reason to use AUTHID DEFINER.
  • Grant privileges to roles rather than individual users for easier management.
  • Regularly review and audit your database security to ensure it aligns with your organization's policies.

Conclusion

The AUTHID clause is a valuable tool for implementing robust security measures in Oracle databases. By understanding its different settings and how to use them effectively, you can ensure that your data is protected and accessed only by authorized users. Remember to choose the appropriate AUTHID setting based on your specific requirements and security considerations.

Data definition language Database PL/SQL Object (computer science) security sql

Opinions expressed by DZone contributors are their own.

Related

  • Data Privacy and Security: A Developer's Guide to Handling Sensitive Data With DuckDB
  • SQL Server to Postgres Database Migration
  • How To Generate Scripts of Database Objects in SQL Server
  • Different Ways To Rename Database Objects

Partner Resources

×
Comments

The likes didn't load as expected. Please refresh the page and try again.

ABOUT US

  • About DZone
  • Support and feedback
  • Community research
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • [email protected]

Let's be friends: