SQL uses an authorization identifier in a stored or nonstored module to convey to Oracle Rdb the concept of a user. These modules can be either definer's rights or invoker's rights.
1 – Stored Modules
A stored module resides in the database as an object. You can store modules and their procedures and functions with the CREATE MODULE statement. The authorization identifier, specified by using the AUTHORIZATION clause, enables Oracle Rdb to identify the user under whom the module executes. When you specify an authorization identifier in the definition of a stored module, that stored module is called a definer's rights module. This type of module enables any user who has EXECUTE privilege on the module to execute any of the module's routines without privileges on any of the underlying schema objects that the routine references. The routines execute under the rights identifier of the module definer, not the rights identifier of the person executing the routine. This ability to allow users access to schema objects through a call to a stored routine without having direct access to those schema objects is a key benefit of stored modules. In contrast, when you omit the AUTHORIZATION clause in the definition of a stored module, that stored module is called an invoker's rights module. In this type of module, users who have EXECUTE privilege on a particular module must also have privileges to all the underlying schema objects associated with any of the routines in this module that they want to execute. The following examples relate to stored modules and procedures. Authorization and CURRENT_USER are handled the same for both types of stored routines. Consider the following stored module definition, Module M1 with Procedure P1 and Authorization Brown. For example: CREATE MODULE M1 LANGUAGE SQL AUTHORIZATION BROWN PROCEDURE P1 (); BEGIN TRACE CURRENT_USER; CALL P2 (); END; END MODULE; As you can see in the preceding example, P1 calls another stored procedure, P2. Procedure P2 is defined in Module M2 as the following example shows: CREATE MODULE M2 LANGUAGE SQL -- no authorization PROCEDURE P2 (); BEGIN TRACE CURRENT_USER; CALL P3 (); END; END MODULE; Procedure P2 calls another procedure, P3, from Module M3, which is shown in the following example: CREATE MODULE M3 LANGUAGE SQL -- no authorization PROCEDURE P3 (); BEGIN TRACE CURRENT_USER; . . . END; END MODULE; In each procedure you can trace the CURRENT_USER. Assume the following: o Smith is granted the EXECUTE privilege on Module M1; but not on M2 or on M3. o Brown is granted the EXECUTE privilege on Modules M1, M2, and M3. o Jones is granted the EXECUTE privilege on Modules M1 and M2. When P1 is executed, CURRENT_USER always returns Brown as defined by the AUTHORIZATION clause in Module M1. When P2 or P3 are executed, the CURRENT_USER is either: o Inherited from the calling routines AUTHORIZATION clause, or o The CURRENT_USER of the calling routine if no authorization was specified When there is no AUTHORIZATION clause for the first calling routine, then CURRENT_USER is inherited from the SESSION_USER.
2 – Nonstored Modules
A nonstored module resides outside the database in an SQL module file. The AUTHORIZATION clause specifies the authorization identifier for the module. If you omit the authorization identifier, SQL selects the user name of the user compiling the module as the default authorization. Thus, if you use the RIGHTS clause, SQL compares the user name of the person who executes a module with the authorization identifier with which the module was compiled and prevents any user other than the one who compiled that module from invoking that module. When you use the RIGHTS clause, SQL bases privilege checking on the default authorization identifier in compliance with the ANSI/ISO standard.