ORA-28111: insufficient privilege to evaluate policy predicate ORACLE 报错 故障修复 远程处理

文档解释

ORA-28111: insufficient privilege to evaluate policy predicate

Cause: Predicate has a subquery which contains objects that the owner of policy function does not have privilege to access.

Action: Grant appropriate privileges to the policy function owner.

Oracle错误 ORA-28111 是应用于策略管理的安全控制模型的技术。它表示会话未授权来求值策略前言，或者策略前言无效。它也表示未授权来检测策略触发器状态。

官方解释

ORA-28111: insufficient privilege to evaluate policy predicate

Cause: An attempt was made to evaluate a policy predicate of a security policy, but the current session did not have sufficient privileges to do so. This can occur if the policy has an invalid predicate, if the current session does not have the SELECT_CATALOG_ROLE, or if one of the objects needed to evaluate the predicate cannot be resolved.

Action: If the policy is a Data Masking policy, ensure that none of the attribute names are enclosed in double quotes. If using an application context, ensure that the needed application contexts are properly set up. Always ensure that the grant of the SELECT_CATALOG_ROLE privilege has been granted on the current session, as this privilege is necessary to access the Secure Application Roles views. Check the documentations of the packages DBMS_RLS and DBMS_MACADM or contact Oracle Support Services for more help.

常见案例

在尝试执行一个带有策略前言的安全策略时，可能会收到ORA-28111错误，例如：

SQL> begin

2 dbms_rls.add_policy ( object_schema => ‘SCHEMA1’

3 , object_name => ‘TABLE1’

4 , policy_name => ‘POL1’

5 , function_schema => ‘SCHEMA2’

6 , policy_function => ‘FUNC1’

7 , statement_types => ‘SELECT’

8 , policy_type => DBMS_RLS.RLS_TYPE_SELECT_CHECK

9 , policy_string => ‘application_context = ”POL1”’);

10 end;

11 /

begin

*

ERROR at line 1 ORA-28111: insufficient privilege to evaluate policy predicate

一般处理方法及步骤

1.确认策略前置有效，特别是据隔离策略的属性名是否正确引用而不以双引号引用。

2.确认当前会话具有SELECT_CATALOG_ROLE角色的权限，因为它是访问安全应用角色视图所必需的。可以使用以下语句检查：

—- 检查是否有’SELECT_CATALOG_ROLE’权限

SELECT GRANTED_ROLE

FROM USER_ROLE_PRIVS

WHERE GRANTED_ROLE = ‘SELECT_CATALOG_ROLE’;

3.如果没有为当前会话授予SELECT_CATALOG_ROLE角色，则可以使用下面的命令授权：

GRANT SELECT_CATALOG_ROLE TO CURRENT_USER;

4.可以检查DBMS_RLS和DBMS_MACADM包的文档，或联系Oracle支持服务获取更多帮助。