Display of metadata to fetch the privileges granted to a role

Hello

I have a question about displaying the metadata for roles; please give me more details.

From dba_roles I can see the list of roles, and from dba_role_privs I can see the list of users who were granted a role.

Now I would like to list the privileges granted to a role. In which metadata view can I find this information? Please help.
Thank you.

In addition to SY's message:
to find out which data dictionary tables can help you:

SELECT *
FROM dict
WHERE table_name LIKE '%ROLE%';

Tags: Database

Similar Questions

  • Is there no DBA_ view to see the privileges granted to a role?

    DB version: 11.2

    I couldn't find a DBA_ view that lists all the privileges granted to a role. In the end, I had to grant the role to a user, log in as that user, and then query the ROLE_TAB_PRIVS view. As a DBA, I cannot connect to business schemas to check this.


    The scenario
    ==============
    SCOTT schema has two tables: HRTB_EMP_MASTER and HELLOWORLD
    I want to grant SELECT privileges on these two tables to another user called TESTUSER, not directly but through roles.

    SQL> conn / as sysdba
    Connected.
    
    SQL> grant create role to testuser;
    
    Grant succeeded.
    
    SQL> conn testuser/test123
    Connected.
    SQL>
    SQL> create role testuser_ro;  
    
    Role created.
    
    SQL> conn / as sysdba
    Connected.
    SQL> grant select on scott.hrtb_emp_master to testuser_ro;         --- > Granting the SELECT priv to the role first
    
    Grant succeeded.
    
    SQL> grant select on scott.helloworld to testuser_ro;               
    
    Grant succeeded.
    
    SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';  ----> This won't work because I am connected as SYS
                                                              ----> ROLE_TAB_PRIVS is user specific view
    no rows selected
    Since I couldn't find a DBA view that shows the privileges granted to a role, I granted the role to the user, then had to log in as that user (against our security policy) and query
    ROLE_TAB_PRIVS.

    SQL> grant testuser_ro to testuser;

    Grant succeeded.

    SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';

    no rows selected

    SQL> conn testuser/test123
    Connected.
    
    
    SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';
    
    ROLE            OWNER           TABLE_NAME           PRIVILEGE
    --------------- --------------- -------------------- ----------
    TESTUSER_RO     SCOTT           HELLOWORLD           SELECT
    TESTUSER_RO     SCOTT           HRTB_EMP_MASTER      SELECT

    You need to look for the grantee, not the owner.

    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    
    SQL> create role r1;
    
    Role created.
    
    SQL> grant select on sys.v$database to r1;
    grant select on sys.v$database to r1
                        *
    ERROR at line 1:
    ORA-02030: can only select from fixed tables/views
    
    SQL> grant select on sys.v_$database to r1;
    
    Grant succeeded.
    
    SQL> select grantee, privilege, owner, table_name from dba_tab_privs where grantee='R1';
    
    GRANTEE         PRIVILEGE                                OWNER           TABLE_NAME
    --------------- ---------------------------------------- --------------- ------------------------------
    R1              SELECT                                   SYS             V_$DATABASE
    
  • Display of metadata to fetch the user's privileges

    Hello

    I would like to get a list of the roles and privileges granted to a user. From which metadata view can I read this information?
    Please share the details with me, thank you.

    Hello

    That can be extremely difficult, given that the roles can be granted to roles, recursively.

    Pete Finnigan has a nice script which is very useful:

    http://www.petefinnigan.com/find_all_privs.SQL

    Regards
    Peter
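
    The recursion mentioned in this answer can be expanded with a hierarchical query over DBA_ROLE_PRIVS; the same query answers the opening question when the grantee is a role. This is an added example, not code from the thread or from the linked script; the bind variable `:grantee` and the sample value `TESTUSER_RO` are assumptions.

    ```sql
    -- Added example. Run in SQL*Plus as a user who can read the DBA_ views.
    -- :grantee is an assumed bind variable; set it to a user name or a role name.
    VARIABLE grantee VARCHAR2(128)
    EXEC :grantee := 'TESTUSER_RO'

    WITH role_tree AS (
      -- every role reachable from the grantee, at any nesting depth
      SELECT granted_role,
             SYS_CONNECT_BY_PATH(granted_role, ' > ') AS grant_path
      FROM   dba_role_privs
      START WITH grantee = :grantee
      CONNECT BY PRIOR granted_role = grantee
    ),
    principals AS (
      -- the grantee itself plus every role it inherits
      SELECT :grantee AS name, 'direct' AS grant_path FROM dual
      UNION ALL
      SELECT granted_role, grant_path FROM role_tree
    )
    SELECT 'SYSTEM' AS priv_type, x.grant_path, s.privilege,
           CAST(NULL AS VARCHAR2(128)) AS owner,
           CAST(NULL AS VARCHAR2(128)) AS object_name,
           CAST(NULL AS VARCHAR2(128)) AS column_name
    FROM   principals x JOIN dba_sys_privs s ON s.grantee = x.name
    UNION ALL
    SELECT 'OBJECT', x.grant_path, t.privilege, t.owner, t.table_name, NULL
    FROM   principals x JOIN dba_tab_privs t ON t.grantee = x.name
    UNION ALL
    SELECT 'COLUMN', x.grant_path, c.privilege, c.owner, c.table_name, c.column_name
    FROM   principals x JOIN dba_col_privs c ON c.grantee = x.name
    ORDER  BY 1, 2, 3;
    ```

    Grants made to PUBLIC apply to every user and are not included; run the query again with `:grantee` set to `PUBLIC` to list them.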

  • Privileges granted to a role

    Hello

    Quick question on the privileges granted to a role...

    Scenario 1:
    ---------------

    create role CONNECT_ROLE;

    grant connect to CONNECT_ROLE;
    grant alter session to CONNECT_ROLE;
    grant create cluster to CONNECT_ROLE;
    grant create procedure to CONNECT_ROLE;
    grant create sequence to CONNECT_ROLE;
    grant create synonym to CONNECT_ROLE;
    grant create table to CONNECT_ROLE;
    grant create trigger to CONNECT_ROLE;
    grant create type to CONNECT_ROLE;
    grant create view to CONNECT_ROLE;
    grant debug connect session to CONNECT_ROLE;

    grant connect_role to tom, mike;


    Scenario 2:
    ---------------

    create role dev_role;

    grant select on scott.emp to dev_role;
    grant execute on rich.emp_pkg to dev_role;

    grant dev_role to tom, mike;


    To display the privileges that have been granted to a role, I created the following view.

    CREATE OR REPLACE VIEW CHECK_PRIVS
    (username, rolename, privilege)
    AS
    -- system privileges a grantee receives through a role
    SELECT DECODE(SA1.GRANTEE#, 1, 'PUBLIC', U1.NAME), SUBSTR(U2.NAME, 1, 20),
    SUBSTR(SPM.NAME, 1, 27)
    FROM SYS.SYSAUTH$ SA1, SYS.SYSAUTH$ SA2, SYS.USER$ U1,
    SYS.USER$ U2, SYS.SYSTEM_PRIVILEGE_MAP SPM
    WHERE SA1.GRANTEE# = U1.USER#
    AND SA1.PRIVILEGE# = U2.USER#
    AND U2.USER# = SA2.GRANTEE#
    AND SA2.PRIVILEGE# = SPM.PRIVILEGE
    UNION
    -- system privileges granted directly
    SELECT U.NAME, NULL, SUBSTR(SPM.NAME,1,27)
    FROM SYS.SYSTEM_PRIVILEGE_MAP SPM, SYS.SYSAUTH$ SA, SYS.USER$ U
    WHERE SA.GRANTEE# = U.USER#
    AND SA.PRIVILEGE# = SPM.PRIVILEGE;


    I get the correct results from the view for scenario #1, but I don't get any results for scenario #2. Am I missing something here?

    Thanks for your time.

    Object-level grants are not system privileges.

    Oracle already provides views to display system- and object-level privileges, such as dba_tab_privs and dba_sys_privs, so why do you need to create your own view?

    HTH - Mark D Powell.

  • How can I determine what were the privileges granted to the PUBLIC?

    I don't know 'out of the box' privileges by default Oracle, but rather the privileges that have been granted since the day 0.

    SQL> select * from dba_sys_privs where grantee = 'PUBLIC';

    no rows selected

    SQL> grant create any table to public;

    Grant succeeded.

    SQL> select * from dba_sys_privs where grantee = 'PUBLIC';

    GRANTEE                        PRIVILEGE                                ADM
    ------------------------------ ---------------------------------------- ---
    PUBLIC                         CREATE ANY TABLE                         NO

    SQL> revoke create any table from public;

    Revoke succeeded.

    SQL> select * from dba_sys_privs where grantee = 'PUBLIC';

    no rows selected

    SQL>

    The PUBLIC role is a special role that every database user account is automatically granted when the account is created. By default, it has no privileges granted to it, but there are many grants, especially for Java objects.


    The same binding, which was provided by a member.


    DBA_ROLE_PRIVS - roles granted to users and roles

    ROLE_ROLE_PRIVS - roles that were granted to roles

    ROLE_SYS_PRIVS - system privileges granted to roles

    ROLE_TAB_PRIVS - table privileges granted to roles

    Regards

    Girish Sharma

  • CREATE PROCEDURE privilege granted, but cannot create the procedure

    I have a user to whom I have granted the following privileges:
    CREATE SESSION
    SELECT ANY TABLE
    CREATE ANY PROCEDURE
    CREATE PROCEDURE
    EXECUTE ANY PROGRAM
    EXECUTE ANY PROCEDURE

    But when I try to create a procedure with this user I get an insufficient privileges error. What am I doing wrong?

    What's wrong? You are opening the proverbial barn doors in terms of security. This isn't how security should be done - allowing a schema to create any procedure code anywhere in the database. Or select data from any table.

    How do you think Sony's PS network was hacked and the credit card data of millions of users stolen?

    By this kind of precarious approach to security.

    A schema has the minimum privileges in order to achieve its goals and its requirements. Nothing more.

    For example

    -- standard logical database schema, 10Gb space allocation
    create user HRDB
      identified by <password>  -- placeholder: the password is missing from the original post
      default tablespace USERS
      quota 10G on USERS;
    
    -- configure the basic security layer for the schema
    grant
      create session, -- allow client-server connections to schema
      create table, create trigger, -- allow to create standard db objects
      create sequence, create view, -- allow access to defining extended objects
      create procedure -- allow creating stored proc code
    to HRDB;
    

    In addition, you can decide to assign a resource profile, specific roles and so on. In some cases, you can also let the schema create types, synonyms, private database links, materialized views, etc.

    Don't grant access. No access to the SYS code and objects. By default. Everything else is a security exception requiring a valid justification.

  • How to grant read privilege on a package through a role

    Dear all,

    I need to grant a user read-only access to procedures and packages, without execute. So I created a role named READ_PKG and then granted the DEBUG privilege to the role. Then I granted the role to the user who needs to view the code. But this does not succeed. The user still can't see the package for which DEBUG was granted to the role.

    If I grant DEBUG directly to the user, the user can view the package.

    CREATE ROLE READ_PKG NOT IDENTIFIED;

    GRANT DEBUG ON FCUB.ACPKS TO READ_PKG;

    grant READ_PKG to chuongnh;

    So, how do I grant the DEBUG privilege through a role?

    So thank you

    Chuong

    Hello

    Are you sure that the role is a default role for the user?

    SQL> alter user chuongnh default role all;

    Kind regards

  • get the privileges of the user

    Hello

    I created a user "ionm". In PL/SQL, how can I get all of this user's privileges and roles? I have the dba role, and I may grant him certain privileges and so on; now, how do I list all of them and all the tables they apply to?


    Edit: another question: How can I grant all privileges and user roles "ionm" to any other user, 'john', without having to write many statements like
    grant .... on .... to ....
    Thank you!

    Edited by: Roger22 the 07.06.2009 11:26

    Hello

    Roger22 wrote:
    Hello

    I created a user "ionm". In PL/SQL, how can I get all of this user's privileges and roles? I have the dba role, and I may grant him certain privileges and so on; now, how do I list all of them and all the tables they apply to?

    Hello

    You can query the data dictionary views
    DBA_TAB_PRIVS for direct privileges on tables and views.
    DBA_ROLE_PRIVS for roles,
    DBA_SYS_PRIVS for system privileges, and
    DBA_COL_PRIVS for columns.

    For example:

    SELECT  owner
    ,       table_name
    ,       privilege
    ,       grantable
    FROM    dba_tab_privs
    WHERE   grantee  = 'IONM'        -- Strings inside quotes are case-sensitive
    ;
    

    Edit: another question: How can I grant all privileges and user roles "ionm" to any other user, 'john', without having to write many statements like

    grant .... on .... to ....
    

    I don't know how to do it without running many statements like that.
    You don't have to write them manually; you can have a query generate them all, spool the output to a file, and then run the spool file.
    In PL/SQL, you can use EXECUTE IMMEDIATE in a loop that reads all the privileges.

  • Block privileges of a role that has been granted to another role

    I don't think I have explained that very well in the title...

    create role role_a;
    grant select, insert, update on table_a to role_a;
    grant select, insert, update on table_b to role_a;
    grant select, insert, update on table_c to role_a;

    create role role_b;
    grant role_a to role_b;
    revoke insert, update on table_b from role_b;

    What I need to do is revoke insert, update from role_b.
    This example is simple, but I hope you get the gist of the problem.

    I believe the suggestion would be, rather than revoking the privileges from role_b, to create a new role role_c and then grant the privileges on tables a & c to role_c.

    You cannot revoke privileges from a role that are not directly granted to the role. So you cannot give role_b a subset of the privileges granted to role_a by granting the role and then removing individual privileges. You must create a new role (role_c) which includes the subset of privileges you want and grant this new role_c to role_b. You can also, of course, just grant the privileges on tables a & c directly to role_b rather than role_a.

    Justin

  • What privileges must be granted to select from all the PDBs

    Why do the two selects not return the same result? Or, if you want the broader question: what privileges must be granted to select from all the PDBs?


    I want to let the common user that I created select and see all of the synonyms of all PDBs.


    conn / as sysdba

    create user c##nir identified by c##nir container=all;

    grant connect,dba,resource to c##nir container=all;
    grant select on cdb_synonyms to c##nir container=all;

    select CON_ID  from cdb_synonyms  group by CON_ID;

        CON_ID
    ----------
             1
             4
            11
            10
            14
             5
             8
            13
             3
             7
            15
             6
            12
             9

    conn c##nir/c##nir

    select CON_ID  from cdb_synonyms  group by CON_ID;

        CON_ID
    ----------
             1

    select CON_ID  from containers(dba_synonyms)  group by CON_ID
                                   *
    ERROR at line 1:
    ORA-00942: table or view does not exist

    You must use the CONTAINER_DATA clause:

    ALTER USER c##nir SET CONTAINER_DATA = ALL CONTAINER = CURRENT;

    After running the above command, try to select again from cdb_synonyms and you will see the data of all containers.

    Read more in my blog post

  • Grant the privilege on SQL types to another schema

    I created two SQL types under the APP_OWNER schema as follows:

    CREATE or REPLACE TYPE t_instr_info as OBJECT
    (IMNT_KY NUMBER)

    CREATE or REPLACE TYPE t_tab_instr_info
    AS TABLE OF t_instr_info

    The privileges on these two types were granted as follows:

    Grant execute on t_tab_instr_info to vprods_app2

    Grant execute on t_instr_info to vprods_app2

    The stored procedures must be developed in the APP schema. In the APP schema, I need to reference this type to declare the array as follows:

    v_tab_output app_owner.t_tab_instr_info := app_owner.t_tab_instr_info();

    I get a PLS-00905: object owner.t_tab_instr_info is not valid

    I tried granting ALL instead of EXECUTE, but the problem persists.

    Help, please. As a policy, all objects including tables, types etc. must be owned by app_owner, with privileges granted to the app schema.

    Thank you in advance.

    One thing I forgot to mention (since you do not explicitly specify how you are granting things) is that you need to issue DIRECT grants (as in my example above); you cannot compile the code if you have the grants via a role (but you can execute anonymous blocks).

    This is an example

    create user APP_OWNER identified by APP_OWNER default tablespace users temporary tablespace temp;
    grant connect, resource, create role to APP_OWNER;
    
    create user APP_SCHEMA identified by APP_SCHEMA default tablespace users temporary tablespace temp;
    grant connect, resource to APP_SCHEMA;
    
    connect APP_OWNER/APP_OWNER@xe
    
    create role for_apps;
    
    CREATE OR REPLACE TYPE t_instr_info as OBJECT
    (IMNT_KY NUMBER);
    / 
    
    CREATE OR REPLACE TYPE t_tab_instr_info
    AS TABLE OF t_instr_info;
    / 
    
    grant execute on t_instr_info to for_apps;
    grant execute on t_tab_instr_info to for_apps;
    
    grant for_apps to app_schema;
    
    connect APP_SCHEMA/APP_SCHEMA@xe
    APP_SCHEMA_XE?create or replace procedure test
      2  as
      3     v_tab_output app_owner.t_tab_instr_info := app_owner.t_tab_instr_info();
      4  begin
      5     null;
      6  end;
      7  /
    
    Warning: Procedure created with compilation errors.
    
    Elapsed: 00:00:01.17
    APP_SCHEMA_XE?show err
    Errors for PROCEDURE TEST:
    
    LINE/COL ERROR
    -------- -----------------------------------------------------------------
    3/17     PL/SQL: Item ignored
    3/17     PLS-00201: identifier 'APP_OWNER.T_TAB_INSTR_INFO' must be
             declared
    
    APP_SCHEMA_XE?declare
      2     v_tab_output app_owner.t_tab_instr_info := app_owner.t_tab_instr_info();
      3  begin
      4     null;
      5  end;
      6  /
    
    PL/SQL procedure successfully completed.
    
    Elapsed: 00:00:01.17
    
  • Cannot grant a column privilege to a user through a role?

    Hello:

    From what I read in the docs I should be able to create a role that has privileges to UPDATE a column in a table and then assign this role to a user, who should then be able to update the column in the table. I get "insufficient privileges" when I try that, although it works as advertised if I grant directly to the user. Am I reading the docs wrong?

    WATCH session:
    CREATE TABLE "GAFF"."FOO2"
       (    "F1" NUMBER,
            "F2" NUMBER,
            "F3" VARCHAR2(50),
            "F4" NUMBER,
            CONSTRAINT "FOO2_PK" PRIMARY KEY ("F1")
       )
    /

    create role foo2_u_f2;

    grant update (f2) on foo2 to foo2_u_f2 ;

    grant select on gaff.foo2 to play ;

    grant foo2_u_f2 to play ;
    GAME session:
    update gaff.foo2 set f2 = 1 where f1 = 1
    ORA-01031: insufficient privileges

    Probably role foo2_u_f2 is not a default role for user game. Initially, when the user is created, the default role is set to ALL. Later, it can be changed to NONE or to a set of roles. Log in as game and issue:

    select * from session_roles
    /
    

    I bet that you won't see foo2_u_f2. Then issue:

    select granted_role,default_role from user_role_privs
    /
    

    This will give you the list of the user's default roles. Next, you can issue:

    set role foo2_u_f2
    /
    

    This will enable role foo2_u_f2 in the current session. Or you can log in as a privileged user and issue ALTER USER ... DEFAULT ROLE ..., foo2_u_f2.

    SY.

  • AUDIT only creates a record if the privilege is granted

    Hello everyone. I am trying to configure auditing for security requirements and did some tests on a test database (10.2.0.5 on RHEL 6) with the statement AUDIT CREATE USER BY ACCESS.

    Doing some quick tests, I found that AUDIT will only create a record if I have the CREATE USER privilege. For example, here's my test case and the result:

    1. Without privilege

    - AUDIT CREATE USER BY ACCESS
    - Scott doesn't have the privilege to create users
    - Try to create the user, without success.
    - No record is generated in the audit log.

    2. With privilege

    - AUDIT CREATE USER BY ACCESS
    - Scott got the privilege to create users
    - Try to create users, success
    - Record is generated in the audit log
    - Try to remove the user, without success
    - No record is generated in the audit log.

    I guess this comes down to the design provided by Oracle, but isn't this a little limited with respect to auditing attempts to create a user? For example, if a user can access the database and keeps attempting to add users or run other commands to test the limits of their privileges, that isn't recorded? Just my 2 cents.

    AUDIT DBA;

    will begin recording failures.

    Before AUDIT DBA:

    select username, extended_timestamp, action_name, returncode from dba_audit_trail where username = 'AAA';

    USERNAME EXTENDED_TIMESTAMP                      ACTION_NAME  RETURNCODE
    -------- --------------------------------------- ------------ ----------
    AAA      10.34.49.648357 25-SEP-14 H + 03:00     LOGON                 0
    AAA      10.53.58.118870 25-SEP-14 H + 03:00     LOGON                 0
    AAA      10.55.25.684156 25-SEP-14 H + 03:00     LOGON                 0
    AAA      11.07.13.836793 25-SEP-14 H + 03:00     LOGON                 0
    AAA      10.35.08.209502 25-SEP-14 H + 03:00     LOGOFF                0
    AAA      10.54.18.688233 25-SEP-14 H + 03:00     LOGOFF                0
    AAA      10.55.44.786759 25-SEP-14 H + 03:00     LOGOFF                0
    AAA      11.07.23.881964 25-SEP-14 H + 03:00     LOGOFF                0

    After AUDIT DBA:

    select username, extended_timestamp, action_name, returncode from dba_audit_trail where username = 'AAA';

    USERNAME EXTENDED_TIMESTAMP                      ACTION_NAME  RETURNCODE
    -------- --------------------------------------- ------------ ----------
    AAA      11.07.18.790623 25-SEP-14 H + 03:00     CREATE USER        1031
    AAA      10.34.49.648357 25-SEP-14 H + 03:00     LOGON                 0
    AAA      10.53.58.118870 25-SEP-14 H + 03:00     LOGON                 0
    AAA      10.55.25.684156 25-SEP-14 H + 03:00     LOGON                 0
    AAA      11.07.13.836793 25-SEP-14 H + 03:00     LOGON                 0
    AAA      10.35.08.209502 25-SEP-14 H + 03:00     LOGOFF                0
    AAA      10.54.18.688233 25-SEP-14 H + 03:00     LOGOFF                0
    AAA      10.55.44.786759 25-SEP-14 H + 03:00     LOGOFF                0
    AAA      11.07.23.881964 25-SEP-14 H + 03:00     LOGOFF                0
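
    Once failed attempts are recorded with return code 1031 as in the output above, they can be summarised per account to spot repeated privilege probing. This is an added example, not part of the thread; the one-day window and the threshold of three denials per hour are assumptions to tune.

    ```sql
    -- Added example: accounts with repeated ORA-01031 (insufficient privileges)
    -- denials in the audit trail, grouped per hour.
    -- Assumptions: last 24 hours, at least 3 denials in the same hour.
    SELECT username,
           userhost,
           TRUNC(timestamp, 'HH24')    AS hour_bucket,
           COUNT(*)                    AS denied_attempts,
           COUNT(DISTINCT action_name) AS distinct_actions,
           MIN(timestamp)              AS first_seen,
           MAX(timestamp)              AS last_seen
    FROM   dba_audit_trail
    WHERE  returncode = 1031
    AND    timestamp > SYSDATE - 1
    GROUP  BY username, userhost, TRUNC(timestamp, 'HH24')
    HAVING COUNT(*) >= 3
    ORDER  BY denied_attempts DESC, hour_bucket;
    ```

    The query returns nothing until the audit options in force record unsuccessful statements, which is the gap the original poster ran into.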
  • PL/SQL difference: object privileges granted directly or through a role

    Hello
    "PL/SQL respects object privileges granted directly to the user, but does not respect privileges granted through roles."
    Can someone explain this behavior? Why does PL/SQL not take roles into account?

    Thank you very much

    The reason for this is that PL/SQL binds everything during compilation, and roles are volatile.
    So if compilation had respected roles, changing a role could have invalidated PL/SQL and forced automatic recompilation.
    As roles are volatile, they are ignored.
    IMO, the best way to avoid this is to always create PL/SQL under the same owner as the owner of the table.
    In this case user foo can simply grant execute to user bar and be done with it.
    If bar owns the PL/SQL this results in a myriad of grants, which are also not exported during a full database export; the grants are owned by SYS.

    -------
    Sybrand Bakker
    Senior Oracle DBA
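
    The compile-time behaviour described in this answer, and shown by the PLS-00201 session in the SQL types thread above, can be checked ahead of time by listing the object privileges a user holds only through roles. This is an added example, not code from either thread; the bind variable `:usr` is an assumption and `APP_SCHEMA` is the user from the earlier example.

    ```sql
    -- Added example: object privileges that a user holds ONLY through a role.
    -- Stored PL/SQL owned by this user cannot rely on these at compile time.
    VARIABLE usr VARCHAR2(128)
    EXEC :usr := 'APP_SCHEMA'

    WITH role_tree AS (
      -- roles reachable from the user, remembering the top-level role
      -- and whether that top-level role is a default role for the user
      SELECT granted_role,
             CONNECT_BY_ROOT granted_role AS top_role,
             CONNECT_BY_ROOT default_role AS top_is_default
      FROM   dba_role_privs
      START WITH grantee = :usr
      CONNECT BY PRIOR granted_role = grantee
    )
    SELECT t.owner,
           t.table_name   AS object_name,
           t.privilege,
           r.granted_role AS via_role,
           r.top_role,
           r.top_is_default
    FROM   role_tree r
    JOIN   dba_tab_privs t ON t.grantee = r.granted_role
    WHERE  NOT EXISTS (
             -- skip anything also granted directly to the user or to PUBLIC
             SELECT 1
             FROM   dba_tab_privs d
             WHERE  d.grantee IN (:usr, 'PUBLIC')
             AND    d.owner      = t.owner
             AND    d.table_name = t.table_name
             AND    d.privilege  = t.privilege)
    ORDER  BY t.owner, t.table_name, t.privilege;
    ```

    For the grants in the SQL types example this lists EXECUTE on both types via FOR_APPS; a `top_is_default` of `NO` additionally means the privilege is inactive in a new session until `SET ROLE` is issued, as in the column privilege thread.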

  • Change the privileges of the user of the operating system in application


    Hello

    Oracle Fusion Middleware 11 GR 1 material

    WebLogic Server 11 GR 1 material PS4

    We have a security problem that we cannot solve. In the application, in a WHEN-BUTTON-PRESSED trigger, we open .pdf documents on a remote server using web.show_document. We need to restrict access to the documents so that they can be reached only through the application. To explain: the user should not be able to access the file in any way other than through the button in the application. At the moment we are in a bit of trouble, because the user can access the document from the browser's address bar by simply typing the address. I am aware that this issue has more to do with OS privileges than with any Oracle parameter. I would like to know whether there is a way to restrict the user's privileges at the OS level and grant access to the user only through the Oracle application?

    Kind regards

    S Pax

    If you want to do this completely in the app, I see two different ways.

    1. Put the files on a share on your application server and make them inaccessible via HTTP. To view a file, transfer it to the client using WEBUTIL_FILETRANSFER.AS_TO_CLIENT from WEBUTIL and display it using CLIENT_HOST.

    2. Put the files in a database table. To view a file, transfer it to the client using WEBUTIL_FILETRANSFER.DB_TO_CLIENT from WEBUTIL and display it using CLIENT_HOST.
