Give users CREATE rights on sys_user_grmember table using an ACL

mr_t
Kilo Contributor

Hi, 

I wanted to give certain users CREATE rights to the sys_user_grmember table.

I created a user group for those users. It contains one role: a3m_create_groupmember_table (elevated privilege)

I created a new ACL on that table:

When a member of the group executes a script that adds another user to an ADMIN group, I get this error:

Could anyone explain why this is happening? 

Thanks, 

T.

15 REPLIES

There is no way for users to grant admin role to other users unless they have admin themselves, so as it turns out what you are trying to accomplish is not possible.

If this answer is helpful please mark correct and helpful!

Regards,

Christopher Perry


mr_t
Kilo Contributor

I see. Is there any way to execute the script as system and grant user admin role?

You could try putting your script into a sysauto_script (Scheduled script execution) record and set the Run as field = System Administrator:

If this answer is helpful please mark correct and helpful!

Regards,

Christopher Perry


mr_t
Kilo Contributor

Interesting. I will take a look, but doesn't this execute on schedule only? My script needs to run only when a user performs a button click.

Edit:

I've tried it, and it doesn't work.

Right, that would be expected and it goes back to my answer above:

"There is no way for users to grant admin role to other users unless they have admin themselves"

So even though Run as is set to System Administrator, if a user is clicking Execute Now then that transaction is being created by that user clicking Execute Now, not System Administrator -- and if the user who is clicking Execute Now does not have admin role themselves, then it will error out by design because non-admins are not allowed to grant admin role to other users.

The only way the scheduled script execution would work to add users to the admin group is if you let the script run automatically as defined by its schedule so that the transaction is truly executed by System Administrator user.

If this answer is helpful please mark correct and helpful!

Regards,

Christopher Perry
