Definer and Invoker Rights

The definer rights model is the default for Oracle Database 11g and Oracle MySQL 5.5 databases. Both databases also support the invoker rights model. Although the same general principals apply to these models, some differences exist between the implementations. Most are syntax related and of little consequence, but one key difference is important to note. MySQL doesn’t support synonyms. The workaround is to create views for tables and wrapper subroutines for subroutines. Views were covered earlier in the “Security Privileges” section. Chapter 15 shows you how to write MySQL wrappers.

Definer Rights

A centralized data repository is synonymous with the definer rights model. The definer owns all objects that it creates and holds the right to query and transact with them. A definer can also grant rights on the tables, views, and stored programs to other users. Stored programs run with the same privileges as the definer. This is the application design pattern that supports VPDs. Effectively, every table becomes like an apartment building or a multiple tenancy building: some rows in the table belong to one user or privileged group while others belong to another user.