Question

What does ADMINISTER DATABASE TRIGGER privilege actually mean?

I have the following case:

I have 2 databases: DB1 and DB2

On DB1 I have a trigger which fires after logon on the database and checks if this username exists in some table. If not, it raises an application error like "You are not permitted to log on!"

I created a link on DB2 which connects to DB1 as some username, for example kupa_dba.

Note that kupa_dba is not in the access list (the table storing usernames that can connect to the database).

If kupa_dba doesn't have ADMINISTER DATABASE TRIGGER, then the trigger works, BUT if kupa_dba has the ADMINISTER DATABASE TRIGGER privilege, no application error is raised, the trigger is ignored, and DB2 can retrieve data from DB1.


Solution

The ADMINISTER DATABASE TRIGGER privilege allows you to create database-level triggers (server error, login, and logout triggers). It also allows you to log in regardless of errors thrown by a login trigger as a failsafe. If you inadvertently coded your login trigger to throw an error no matter who was logging in, for example, you need to allow someone to log in to fix the trigger.

It appears that the trigger is behaving as expected in this case. You wouldn't in reality create a database link from one database to another using a DBA account.
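An added example, not part of the original answer: a logon trigger of the kind the question describes, followed by an audit query that lists accounts holding ADMINISTER DATABASE TRIGGER (directly or through nested roles) that are not in the access list, which are the accounts the trigger's error will not keep out. The schema `app_sec`, the table `logon_allowlist(username)` and the trigger name are assumed names for illustration.

```sql
-- Added example. APP_SEC.LOGON_ALLOWLIST(username) is a hypothetical name for
-- the access-list table from the question; usernames are stored in upper case.

-- Logon trigger as described in the question.
CREATE OR REPLACE TRIGGER app_sec.trg_check_logon
AFTER LOGON ON DATABASE
DECLARE
  l_allowed PLS_INTEGER;
BEGIN
  SELECT COUNT(*) INTO l_allowed
    FROM app_sec.logon_allowlist
   WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
  IF l_allowed = 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'You are not permitted to log on!');
  END IF;
END;
/

-- Audit: accounts that hold ADMINISTER DATABASE TRIGGER but are absent from
-- the access list. Run as a user who can read the DBA_* dictionary views.
WITH priv_holders AS (
  -- direct grants of the privilege (to users or to roles)
  SELECT grantee
    FROM dba_sys_privs
   WHERE privilege = 'ADMINISTER DATABASE TRIGGER'
  UNION
  -- users and roles that reach such a role through a chain of role grants
  SELECT grantee
    FROM dba_role_privs
   START WITH granted_role IN (SELECT grantee
                                 FROM dba_sys_privs
                                WHERE privilege = 'ADMINISTER DATABASE TRIGGER')
 CONNECT BY PRIOR grantee = granted_role
)
SELECT u.username, u.account_status
  FROM dba_users u
  JOIN priv_holders p ON p.grantee = u.username
 -- NOT EXISTS rather than NOT IN, so a NULL row in the list cannot hide results
 WHERE NOT EXISTS (SELECT 1
                     FROM app_sec.logon_allowlist a
                    WHERE a.username = u.username)
 ORDER BY u.username;
```

A grant of the privilege to PUBLIC appears in `dba_sys_privs` with grantee `PUBLIC` and is not matched by the join to `dba_users`, so check for that row separately.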

Licensed under: CC-BY-SA with attribution
Not affiliated with dba.stackexchange