RDBPROD: RDB_NATCONN7nn ADDUSER Fails With No Privilege Error When Adding Another User (Doc ID 731737.1)

Last updated on JUNE 07, 2017

Applies to:

Oracle SQL/Services for Rdb on OpenVMS - Version 7.1.6.2 and later
HP OpenVMS Itanium
HP OpenVMS Alpha

Symptoms

Using RDB_NATCONNnn to add a user whose username differs from the username of the current user fails with the following error:

%Reason, - no privilege to perform operation on database


The problem can be demonstrated as follows:

Show the current user in AUTHORIZE (only the privileges are relevant in this case):

$ mc authorize
UAF> show USER1
 
Username: USER1                         Owner:  Test
.
.

Authorized Privileges:
  NETMBX       SETPRV       TMPMBX
Default Privileges:
  NETMBX       SETPRV       TMPMBX
Identifier                         Value           Attributes
  VMS$MEM_RESIDENT_USER            %X80000009
UAF>  Exit
%UAF-I-NOMODS, no modifications made to system authorization file
%UAF-I-NAFNOMODS, no modifications made to network proxy database
%UAF-I-RDBNOMODS, no modifications made to rights database

Create the database:

$ mc sql$
SQL> create database filename v_test;
SQL> create table t(i integer);
SQL> commit;
SQL>  Exit

Enable all privileges in order to prepare the database, then run the prepare operation:

$ set proc/priv=all
$ @sys$share:rdb_natconn72 prepare v_test
**** Preparing database V_TEST ****
**** Preparing database successfully completed ****
$

Reset the privileges, because elevated privileges are not needed to add the username of the current user, then add that username:

$ set proc/priv=(noall,tmpmbx,netmbx)
$ @sys$share:rdb_natconn72 show v_test
Users in V_TEST
 
                             SYS
                          SYSTEM
                       Count = 2
 
$ @sys$share:rdb_natconn72
Operation (prepare/upgrade/drop/add_user/modify_user/remove_user/show_users): add
Username [USER1]:
User name [USER1] is used.
New password:
Password Verification:
Database: v_test
%ADDED, user USER1 added to V_TEST
 
$ @sys$share:rdb_natconn72 show v_test
Users in V_TEST
 
                           USER1
                             SYS
                          SYSTEM
                       Count = 3 
 

Then set all privileges and check that you have SYSPRV, SECURITY and BYPASS:

$ mc authorize
UAF> sho user1
 
Username: USER1                         Owner:  Test
.
.
CPU:        (none)  Enqlm:     32767  Pgflquo:    2000000
Authorized Privileges:
  NETMBX       SETPRV       TMPMBX
Default Privileges:
  NETMBX       SETPRV       TMPMBX
Identifier                         Value           Attributes
  VMS$MEM_RESIDENT_USER            %X80000009
UAF>  Exit
%UAF-I-NOMODS, no modifications made to system authorization file
%UAF-I-NAFNOMODS, no modifications made to network proxy database
%UAF-I-RDBNOMODS, no modifications made to rights database
$ set proc/priv=all
$ sho proc/priv
 
19-AUG-2008 02:06:02.69   User: USER1         Process ID:   202006AE
                          Node: NODE1         Process name: "Process 1"
 
Authorized privileges:
 NETMBX       SETPRV       TMPMBX
 
Process privileges:
 ACNT                 may suppress accounting messages
 .
 .
 BYPASS               may bypass all object access controls
 .
 SECURITY             may perform security administration functions
 SETPRV               may set any privilege bit
 .
 SYSPRV               may access objects via system protection
 .
 WORLD                may affect other processes in the world
 
Process rights:
 USER1                          resource
 INTERACTIVE
 REMOTE
 VMS$MEM_RESIDENT_USER
 
System rights:
 SYS$NODE_NODE1
 
Soft CPU Affinity: off

Now, while logged in as USER1 with all privileges enabled, try to add USER2:

$ @sys$share:rdb_natconn72
Operation (prepare/upgrade/drop/add_user/modify_user/remove_user/show_users): add
Username [USER1]: user2
User name [USER2] is used.
New password:
Password Verification:
Database: v_test
%FAILED, update to V_TEST failed
%Reason, - no privilege to perform operation on database V_TEST

Despite having all privileges, you cannot add a user that is not the current user.

Cause
