Privileges granted to a role

Hello

Quick question on the privileges granted to a role...

Scenario 1:
---------------

create role CONNECT_ROLE;

grant connect to CONNECT_ROLE;
grant alter session to CONNECT_ROLE;
grant create cluster to CONNECT_ROLE;
grant create procedure to CONNECT_ROLE;
grant create sequence to CONNECT_ROLE;
grant create synonym to CONNECT_ROLE;
grant create table to CONNECT_ROLE;
grant create trigger to CONNECT_ROLE;
grant create type to CONNECT_ROLE;
grant create view to CONNECT_ROLE;
grant debug connect session to CONNECT_ROLE;

grant connect_role to tom, mike;


Scenario 2:
---------------

create role dev_role;

grant select on scott.emp to dev_role;
grant execute on rich.emp_pkg to dev_role;

grant dev_role to tom, mike;


To display the privileges that have been granted to a role, I created the following view.

CREATE OR REPLACE VIEW CHECK_PRIVS
(username, rolename, privilege)
AS
SELECT DECODE(SA1.GRANTEE#, 1, 'PUBLIC', U1.NAME), SUBSTR(U2.NAME, 1, 20),
       SUBSTR(SPM.NAME, 1, 27)
FROM SYS.SYSAUTH$ SA1, SYS.SYSAUTH$ SA2, SYS.USER$ U1,
     SYS.USER$ U2, SYS.SYSTEM_PRIVILEGE_MAP SPM
WHERE SA1.GRANTEE# = U1.USER#
AND SA1.PRIVILEGE# = U2.USER#
AND U2.USER# = SA2.GRANTEE#
AND SA2.PRIVILEGE# = SPM.PRIVILEGE
UNION
SELECT U.NAME, NULL, SUBSTR(SPM.NAME, 1, 27)
FROM SYS.SYSTEM_PRIVILEGE_MAP SPM, SYS.SYSAUTH$ SA, SYS.USER$ U
WHERE SA.GRANTEE# = U.USER#
AND SA.PRIVILEGE# = SPM.PRIVILEGE;


I get the expected results for scenario #1, but I don't get any results for scenario #2. Am I missing something here?

Thanks for your time.

Object level grants are not system privileges.

Oracle already provides views to display system and object level privileges, such as dba_tab_privs and dba_sys_privs, so why do you need to create your own view?

HTH - Mark D Powell.
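As an added example that is not part of the original post or of Mark's reply: the same report built on the supported DBA_ views instead of SYS.SYSAUTH$. The CHECK_PRIVS view above joins SYSTEM_PRIVILEGE_MAP, which only knows system privileges, so the object grants of scenario 2 can never appear in it. This version takes object privileges from DBA_TAB_PRIVS and system privileges from DBA_SYS_PRIVS. The view name check_privs_v is an assumption; the role and user names are those of the two scenarios, and the query needs the DBA role or SELECT_CATALOG_ROLE.

```sql
-- Added example, not the original poster's code. Replaces CHECK_PRIVS with a
-- view over the documented DBA_ dictionary views, so that both the system
-- privileges of scenario 1 and the object privileges of scenario 2 show up.
CREATE OR REPLACE VIEW check_privs_v
  (username, rolename, privilege, owner, object_name)
AS
-- system privileges held through a role (scenario 1)
SELECT rp.grantee, rp.granted_role, sp.privilege, NULL, NULL
  FROM dba_role_privs rp
  JOIN dba_sys_privs  sp ON sp.grantee = rp.granted_role
 WHERE rp.grantee IN (SELECT username FROM dba_users)   -- users only, not nested roles
UNION ALL
-- object privileges held through a role (scenario 2): this is the branch the
-- SYSAUTH$/SYSTEM_PRIVILEGE_MAP version cannot produce
SELECT rp.grantee, rp.granted_role, tp.privilege, tp.owner, tp.table_name
  FROM dba_role_privs rp
  JOIN dba_tab_privs  tp ON tp.grantee = rp.granted_role
 WHERE rp.grantee IN (SELECT username FROM dba_users)
UNION ALL
-- system privileges granted directly to a user (or to PUBLIC)
SELECT sp.grantee, NULL, sp.privilege, NULL, NULL
  FROM dba_sys_privs sp
 WHERE sp.grantee NOT IN (SELECT role FROM dba_roles)
UNION ALL
-- object privileges granted directly to a user (or to PUBLIC)
SELECT tp.grantee, NULL, tp.privilege, tp.owner, tp.table_name
  FROM dba_tab_privs tp
 WHERE tp.grantee NOT IN (SELECT role FROM dba_roles);

-- what tom and mike receive from CONNECT_ROLE and DEV_ROLE
SELECT username, rolename, privilege, owner, object_name
  FROM check_privs_v
 WHERE username IN ('TOM', 'MIKE')
 ORDER BY username, rolename NULLS FIRST, privilege;
```

The view resolves one level of role membership only; the two direct branches also list PUBLIC's grants under the username PUBLIC. A role that was granted to another role needs the hierarchical query on DBA_ROLE_PRIVS that Salman shows further down this page.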


Similar Questions

  • Is there no DBA_ view to see the privileges granted to a role?

    DB version: 11.2

    I couldn't find any DBA_ view that would list all the privileges granted to a role. In the end I had to assign the role to a user, log in as the user the role was granted to, and query the ROLE_TAB_PRIVS view. As a DBA, I cannot log in to business schemas to check this.


    The scenario
    ==============
    SCOTT schema has two tables: HRTB_EMP_MASTER and HELLOWORLD
    I want to grant SELECT privileges on these two tables to another user called TESTUSER, but not directly: through roles.

    SQL> conn / as sysdba
    Connected.
    
    SQL> grant create role to testuser;
    
    Grant succeeded.
    
    SQL> conn testuser/test123
    Connected.
    SQL>
    SQL> create role testuser_ro;  
    
    Role created.
    
    SQL> conn / as sysdba
    Connected.
    SQL> grant select on scott.hrtb_emp_master to testuser_ro;         --- > Granting the SELECT priv to the role first
    
    Grant succeeded.
    
    SQL> grant select on scott.helloworld to testuser_ro;               
    
    Grant succeeded.
    
    SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';  ----> This won't work because I am connected as SYS
                                                              ----> ROLE_TAB_PRIVS is user specific view
    no rows selected
    Since I couldn't find a DBA view that shows the privileges granted to a role, I had to grant the role to the user, open a session as that user (against our security policy) and query
    ROLE_TAB_PRIVS.

    SQL> grant testuser_ro to testuser;

    Grant succeeded.

    SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';

    no rows selected

    SQL> conn testuser/test123
    Connected.
    
    
    SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';
    
    ROLE            OWNER           TABLE_NAME           PRIVILEGE
    --------------- --------------- -------------------- ----------
    TESTUSER_RO     SCOTT           HELLOWORLD           SELECT
    TESTUSER_RO     SCOTT           HRTB_EMP_MASTER      SELECT

    You must look for the grantee, not the owner

    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    
    SQL> create role r1;
    
    Role created.
    
    SQL> grant select on sys.v$database to r1;
    grant select on sys.v$database to r1
                        *
    ERROR at line 1:
    ORA-02030: can only select from fixed tables/views
    
    SQL> grant select on sys.v_$database to r1;
    
    Grant succeeded.
    
    SQL> select grantee, privilege, owner, table_name from dba_tab_privs where grantee='R1';
    
    GRANTEE         PRIVILEGE                                OWNER           TABLE_NAME
    --------------- ---------------------------------------- --------------- ------------------------------
    R1              SELECT                                   SYS             V_$DATABASE
    
  • Display of metadata to fetch the privileges granted to a role

    Hello

    I have a doubt about viewing the metadata of roles; please give me more details on this.

    From dba_roles I can see the list of roles, and from dba_role_privs I can see the list of users who have been granted a role.

    Now I would like to list the privileges granted to a given role. In which metadata view can I find this information? Please help.
    Thank you.

    In addition to SY's message,
    to find out which data dictionary views can help you:

    SELECT *
    FROM dict
    WHERE table_name LIKE'%ROLE%'
    
  • How can I determine what were the privileges granted to the PUBLIC?

    I don't mean the 'out of the box' default Oracle privileges, but rather the privileges that have been granted since day 0.

    SQL> select * from dba_sys_privs where grantee = 'PUBLIC';

    no rows selected

    SQL> grant create any table to public;

    Grant succeeded.

    SQL> select * from dba_sys_privs where grantee = 'PUBLIC';

    GRANTEE                        PRIVILEGE                                ADM
    ------------------------------ ---------------------------------------- ---
    PUBLIC                         CREATE ANY TABLE                         NO

    SQL> revoke create any table from public;

    Revoke succeeded.

    SQL> select * from dba_sys_privs where grantee = 'PUBLIC';

    no rows selected

    SQL>

    The PUBLIC role is a special role that is automatically granted to every database user account when the account is created. By default it has no privileges granted to it, but there are many grants, especially on Java objects.


    The same link that was provided by another member:


    DBA_ROLE_PRIVS - roles granted to users and roles

    ROLE_ROLE_PRIVS - roles that were granted to roles

    ROLE_SYS_PRIVS - privileges granted to the roles system

    ROLE_TAB_PRIVS - Table privileges granted to roles

    Concerning

    Girish Sharma

  • How to grant the debug privilege on a package through a role

    Dear guys,

    I need to grant read-only access to a procedure and package to a user, but not execute. So I created a role named READ_PKG, then granted the debug privilege to the role, then granted the role to the user who needs to view the package. But this does not succeed: the user still can't see the package that debug was granted on to the role.

    If I grant debug directly to the user, the user can view the package.

    CREATE ROLE READ_PKG NOT IDENTIFIED;

    GRANT DEBUG ON FCUB.ACPKS TO READ_PKG;

    GRANT READ_PKG TO chuongnh;

    So, how can the debug privilege be granted through a role?

    So thank you

    Chuong

    Hello

    Are you sure the role is a default role for the user?

    SQL> alter user chuongnh default role all;

    Kind regards

  • Blocking privileges of a role that has been granted to another role

    I don't think I have explained it very well in the title...

    create role role_a;
    grant select, insert, update on a to role_a;
    grant select, insert, update on b to role_a;
    grant select, insert, update on c to role_a;

    create role role_b;
    grant role_a to role_b;
    revoke insert, update on b from role_b;

    What I need to do is revoke insert and update on table b from role_b.
    This example is simple, but I hope you get the gist of the problem.

    I believe the suggestion would be that, rather than revoking the privileges from role_b, you should create a new role role_c and then grant the privileges on tables a & c to role_c.

    You cannot revoke from a role privileges that were not directly granted to that role. So you cannot have role_b hold a subset of the privileges granted to role_a by granting it the role and removing individual privileges. You must create a new role (role_c) that includes the subset of privileges you want and grant this new role_c to role_b. You can also, of course, just grant the privileges on tables a & c to role_b directly rather than role_a.

    Justin

  • Question about roles granted to other roles

    Hello

    I'm trying to find out which query lists the roles that are contained in other roles or, in other words, the roles that have been granted to other roles.

    Consider the following scenario:
    create role hr_junior;
    
    grant create session                            to hr_junior;
    grant select            on hr.regions           to hr_junior;
    grant select            on hr.locations         to hr_junior;
    grant select            on hr.countries         to hr_junior;
    
    
    create role hr_senior;
    
    grant hr_junior                                         to hr_senior with admin option;
    grant insert, update, delete    on hr.employees         to hr_senior;
    grant insert, update, delete    on hr.job_history       to hr_senior;
    
    
    create role hr_manager;
    
    grant hr_senior                                         to hr_manager with admin option;
    grant all                       on hr.regions           to hr_manager;
    grant all                       on hr.locations         to hr_manager;
    grant all                       on hr.countries         to hr_manager;
    I have a query that shows me which system and object privileges have been assigned to a role, for example:
    col role        format a12
    col owner       format a12
    col table_name  format a12
    col column_name format a12
    col privilege   format a15
    col grantable   format a3
    
    select role
         , owner
         , table_name
         , column_name
         , privilege
         , grantable
      from role_tab_privs
     where role = 'HR_MANAGER'
     order by owner
            , table_name
            , column_name
            , privilege;
    
    select role
         , privilege
         , admin_option
      from role_sys_privs
     where role = 'HR_MANAGER'
     order by privilege
            , admin_option;
    But it does not show which roles contain other roles (for example, it does not show that hr_manager contains hr_senior). I would like an SQL query showing that
    hr_manager contains hr_senior
    hr_senior contains hr_junior
    hr_junior does not contain any roles
    Question: is it possible to write a query that displays the roles that contain other roles and, if so, what is the query?

    Thank you very much for your help,

    John.

    Hello

    The question: is it possible to write a query that displays the roles that contain other roles and, if so, what is the application?

    select * from dba_role_privs where grantee in (select role from dba_roles) order by grantee;
    
    DWDB.UTAC.COM.SG$SYS> create role main_role;
    
    Role created.
    
    DWDB.UTAC.COM.SG$SYS> create role sub_role1;
    
    Role created.
    
    DWDB.UTAC.COM.SG$SYS> create role sub_role2;
    
    Role created.
    
    DWDB.UTAC.COM.SG$SYS> grant sub_role1 to main_role;
    
    Grant succeeded.
    
    DWDB.UTAC.COM.SG$SYS> grant sub_role2 to main_role;
    
    Grant succeeded.
    
    DWDB.UTAC.COM.SG$SYS> grant sub_role2 to sub_role1;
    
    Grant succeeded.
    
    DWDB.UTAC.COM.SG$SYS> select * from dba_role_privs where grantee in (select role from dba_roles) order by grantee;
    
    GRANTEE                        GRANTED_ROLE                   ADM DEF
    ------------------------------ ------------------------------ --- ---
    DBA                            DELETE_CATALOG_ROLE            YES YES
    DBA                            EXECUTE_CATALOG_ROLE           YES YES
    DBA                            EXP_FULL_DATABASE              NO  YES
    DBA                            GATHER_SYSTEM_STATISTICS       NO  YES
    DBA                            IMP_FULL_DATABASE              NO  YES
    DBA                            JAVA_ADMIN                     NO  YES
    DBA                            JAVA_DEPLOY                    NO  YES
    DBA                            OLAP_DBA                       NO  YES
    DBA                            SCHEDULER_ADMIN                YES YES
    DBA                            SELECT_CATALOG_ROLE            YES YES
    DBA                            WM_ADMIN_ROLE                  NO  YES
    DBA                            XDBADMIN                       NO  YES
    DBA                            XDBWEBSERVICES                 NO  YES
    EXECUTE_CATALOG_ROLE           HS_ADMIN_ROLE                  NO  YES
    EXP_FULL_DATABASE              EXECUTE_CATALOG_ROLE           NO  YES
    EXP_FULL_DATABASE              SELECT_CATALOG_ROLE            NO  YES
    IMP_FULL_DATABASE              EXECUTE_CATALOG_ROLE           NO  YES
    IMP_FULL_DATABASE              SELECT_CATALOG_ROLE            NO  YES
    JAVASYSPRIV                    JAVAUSERPRIV                   NO  YES
    LOGSTDBY_ADMINISTRATOR         RESOURCE                       NO  YES
    MAIN_ROLE                      SUB_ROLE1                      NO  YES
    MAIN_ROLE                      SUB_ROLE2                      NO  YES
    OLAP_DBA                       SELECT_CATALOG_ROLE            NO  YES
    OLAP_USER                      CONNECT                        NO  YES
    OLAP_USER                      OEM_MONITOR                    NO  YES
    OLAP_USER                      RESOURCE                       NO  YES
    OLAP_USER                      SELECT_CATALOG_ROLE            NO  YES
    SELECT_CATALOG_ROLE            HS_ADMIN_ROLE                  NO  YES
    SUB_ROLE1                      SUB_ROLE2                      NO  YES
    XDBADMIN                       XDBWEBSERVICES                 NO  YES
    
    30 rows selected.
    

    Salman

    Edited by: Salman Qureshi Sep 20, 2010 13:01

    Edited by: Salman Qureshi Sep 20, 2010 13:02 added example
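    An added example that is not part of John's question or Salman's answer: Salman's query lists each role-to-role grant as one row, which answers the question, but it leaves the reader to follow the chain by hand. The two queries below walk the chain from DBA_ROLE_PRIVS with CONNECT BY, first as a tree under hr_manager, then as the full set of system and object privileges a user reaches through every nested role. The roles are those John creates above; the user JOHN holding hr_manager is an assumption, and the queries need the DBA role or SELECT_CATALOG_ROLE.

```sql
-- Added example, not from the thread. Recursive role expansion on the
-- HR_JUNIOR -> HR_SENIOR -> HR_MANAGER chain created in the question above.

-- 1. every role reachable from HR_MANAGER, indented by depth in the chain
SELECT LPAD(' ', 2 * (LEVEL - 1)) || granted_role AS role_tree,
       LEVEL                                       AS depth,
       admin_option
  FROM dba_role_privs
 START WITH grantee = 'HR_MANAGER'
CONNECT BY NOCYCLE PRIOR granted_role = grantee   -- NOCYCLE is belt and braces: Oracle refuses circular role grants
 ORDER SIBLINGS BY granted_role;

-- 2. effective privileges of a user through every nested role.
--    JOHN is an assumed user who holds HR_MANAGER.
WITH role_closure AS (
  SELECT DISTINCT granted_role AS role_name
    FROM dba_role_privs
   START WITH grantee = 'JOHN'
 CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
SELECT 'SYSTEM' AS kind, rc.role_name, sp.privilege,
       NULL AS owner, NULL AS object_name
  FROM role_closure  rc
  JOIN dba_sys_privs sp ON sp.grantee = rc.role_name
UNION ALL
SELECT 'OBJECT', rc.role_name, tp.privilege, tp.owner, tp.table_name
  FROM role_closure  rc
  JOIN dba_tab_privs tp ON tp.grantee = rc.role_name
 ORDER BY kind, role_name, privilege, owner, object_name;
```

    For the roles above, query 2 returns CREATE SESSION and the three SELECT grants on hr.regions, hr.locations and hr.countries under HR_JUNIOR, the insert/update/delete grants on hr.employees and hr.job_history under HR_SENIOR, and the ALL grants under HR_MANAGER. Run it against an account rather than a role when you need to answer "what can this user actually do", which DBA_ROLE_PRIVS alone does not tell you.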

  • Granting all roles except 2

    Hi guys,

    I have two special roles that my user must not have. Other than that, my user should be able to grant all other roles (including any newly created in the future) to other users, including himself.

    I can't grant GRANT ANY ROLE to X, as this means that X can then give out these two special roles! So how can I work around this?

    Thank you

    You can't, unless you use a DDL event trigger
    http://www.psoug.org/reference/ddl_trigger.html

    or write a stored procedure that lets the user grant privileges submitted as input parameters, checked against a hardcoded list of the privileges that may be granted.

    Personally, I find the idea of giving anyone other than a DBA or a trusted security officer the ability to grant privileges a violation of governance and security practices, and would discourage you from doing it except through a procedure as described above.
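    An added example that is not part of the thread, showing the stored-procedure route the reply describes. SECADMIN is an assumed DBA-owned schema that holds GRANT ANY ROLE; SECRET_ROLE_1, SECRET_ROLE_2 and the delegate X are assumed names. The delegate only ever receives EXECUTE on the procedure, so the deny list lives in code he cannot change, and DBMS_ASSERT keeps the role and user names from being turned into extra SQL.

```sql
-- Added example, not from the thread. Definer's-rights procedure that grants any
-- role except a fixed deny list. Setup, run as SYS (roles are ignored inside
-- definer's-rights code, so both privileges must be granted directly to SECADMIN,
-- not via the DBA role):
--   GRANT GRANT ANY ROLE TO secadmin;
--   GRANT SELECT ON sys.dba_roles TO secadmin;
CREATE OR REPLACE PROCEDURE secadmin.grant_role_limited (
  p_role    IN VARCHAR2,
  p_grantee IN VARCHAR2)
AUTHID DEFINER          -- runs with SECADMIN's own privileges, not the caller's
AS
  v_role    VARCHAR2(128);
  v_grantee VARCHAR2(128);
  v_exists  NUMBER;
BEGIN
  -- SIMPLE_SQL_NAME raises ORA-44003 for anything that is not a single identifier,
  -- so the caller cannot append "WITH ADMIN OPTION" or a second clause to the name
  v_role    := DBMS_ASSERT.SIMPLE_SQL_NAME(p_role);
  v_grantee := DBMS_ASSERT.SIMPLE_SQL_NAME(p_grantee);

  -- keep the deny-list comparison simple: only unquoted identifiers are accepted
  IF INSTR(v_role, '"') > 0 OR INSTR(v_grantee, '"') > 0 THEN
    RAISE_APPLICATION_ERROR(-20000, 'quoted identifiers are not accepted');
  END IF;
  v_role    := UPPER(v_role);
  v_grantee := UPPER(v_grantee);

  -- the two roles this delegate must never be able to hand out (assumed names)
  IF v_role IN ('SECRET_ROLE_1', 'SECRET_ROLE_2') THEN
    RAISE_APPLICATION_ERROR(-20001, 'role ' || v_role || ' cannot be delegated');
  END IF;

  -- refuse anything that is not an existing role; roles created later pass
  -- automatically, which is what the question asks for
  SELECT COUNT(*) INTO v_exists FROM sys.dba_roles WHERE role = v_role;
  IF v_exists = 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'no such role: ' || v_role);
  END IF;

  -- ENQUOTE_NAME re-validates and double-quotes the names before they meet the parser
  EXECUTE IMMEDIATE 'GRANT ' || DBMS_ASSERT.ENQUOTE_NAME(v_role)
                 || ' TO '   || DBMS_ASSERT.ENQUOTE_NAME(v_grantee);
END grant_role_limited;
/

-- the delegate gets EXECUTE on the procedure instead of GRANT ANY ROLE
GRANT EXECUTE ON secadmin.grant_role_limited TO x;
```

    Every call goes through SECADMIN's privileges, so keep that schema locked (no login, or a strong password and profile) and audit EXECUTE on the procedure; the grants it issues are also recorded by standard auditing of the GRANT statement. A deny list protects the two named roles only; if you later need to protect a third, the list has to change, which is why an allow list is the safer default when the set of delegable roles is known.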

  • What privileges are needed to select from all the PDBs

    Why do the two selects not return the same result? Or, the broader question: what privileges are needed to select from all the PDBs?


    I want the common user I created to be able to select and see all the synonyms of all PDBs.


    conn / as sysdba

    create user c##nir identified by c##nir container=all;

    grant connect,dba,resource to c##nir container=all;
    grant select on cdb_synonyms to c##nir container=all;

    select CON_ID  from cdb_synonyms  group by CON_ID;

        CON_ID
    ----------
             1
             4
            11
            10
            14
             5
             8
            13
             3
             7
            15
             6
            12
             9

    conn c##nir/c##nir

    select CON_ID  from cdb_synonyms  group by CON_ID;

        CON_ID
    ----------
             1

    select CON_ID  from containers(dba_synonyms)  group by CON_ID
                                  *
    ERROR at line 1:
    ORA-00942: table or view does not exist

    You must use the CONTAINER_DATA clause:

    ALTER USER c##nir SET CONTAINER_DATA = ALL CONTAINER = CURRENT;

    After running the above command, try the select from cdb_synonyms again and you will see the data of all containers.

    Read more in my blog post.

  • What is the difference between granting privileges directly and through a role

    When you want to create a view in user1's schema, user1 must be granted SELECT on the table user2.t2 directly, not via a role. What is the difference?
    Are there other privileges that must be granted directly?

    The same answer I have given here hundreds of times already:

    Views are compiled objects.
    Roles are volatile and can change after compilation.

    Result: stored procedures, functions, packages and views ignore roles.

    And of course the user who creates the view must have the CREATE VIEW system privilege.

    Most of the questions here can easily be answered by the askers themselves with little effort. Reading the documentation is necessary, plus some diligence and eagerness to learn.

    ----------------
    Sybrand Bakker
    Senior Oracle DBA

  • Find privileges granted explicitly, outside of roles

    Hi gurus,

    Is there a query to find explicit privileges(select,insert...) granted to users outside the roles?

    Thank you

    Maybe like this:

    select grantee || ' has privilege ' || privilege || ' on ' || owner || '.' || table_name
      from dba_tab_privs
     where grantee not in ('SYS', 'SYSTEM', 'PUBLIC')
       and grantee not in (select role from dba_roles)
    /

    Be careful with PUBLIC!

  • Object-level privileges granted...

    Hello

    I want to grant object-level privileges to a user so that he can view (select) any object that resides under another user. Not the SELECT ANY TABLE option.

    I tried in vain to do something like that.

    Kind regards

    Why do you have thousands of tables in a schema?

    And yes, it's quite easy to grant privileges in this way.

    Connect as the schema you want to grant from.

    -- 'Granting select on tables and views to  scott'
    declare
    v_sql varchar2(4000);
    begin
          for cur in
          (
              select object_name from user_objects
              where object_type in ('TABLE','VIEW','MATERIALIZED VIEW')
          )
          loop
              v_sql := 'grant select on '||cur.object_name||' to scott';
              execute immediate v_sql;
          end loop;
    end;
    /
    

    If I were you, I would create a role,
    and then grant the privileges to this role.
    You can then grant this role to users.
    It's much easier than granting select on thousands of tables.

    Edited by: Keith Jamieson on August 28, 2012 10:02
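    An added example that is not part of Keith's reply: the role-based variant he recommends. Run the PL/SQL block as the schema owner, as in his version; the role name SCHEMA_RO and the consumer SCOTT are assumptions. It also skips the recycle-bin entries that USER_OBJECTS returns and quotes each name, two things the unquoted loop above trips over on a real schema.

```sql
-- Added example, not from the thread. Grant SELECT on every table, view and
-- materialized view of the connected schema to a role, then hand out the role.
CREATE ROLE schema_ro;            -- once, by a user with CREATE ROLE

DECLARE
  v_sql VARCHAR2(4000);
BEGIN
  FOR cur IN (
    SELECT DISTINCT object_name           -- a materialized view appears twice in USER_OBJECTS
      FROM user_objects
     WHERE object_type IN ('TABLE', 'VIEW', 'MATERIALIZED VIEW')
       AND object_name NOT LIKE 'BIN$%'   -- recycle-bin objects cannot be granted on
  )
  LOOP
    -- ENQUOTE_NAME(name, FALSE) keeps mixed-case names created with quoted
    -- identifiers intact, which a plain concatenation would break on
    v_sql := 'GRANT SELECT ON ' || DBMS_ASSERT.ENQUOTE_NAME(cur.object_name, FALSE)
          || ' TO schema_ro';
    EXECUTE IMMEDIATE v_sql;
  END LOOP;
END;
/

GRANT schema_ro TO scott;         -- one grant per consumer from now on
```

    Tables created after the block ran are not covered; rerun it (re-granting an existing privilege is harmless) or wire the same loop into your deployment script. And remember the limit Sybrand states earlier on this page: a user who gets SELECT through SCHEMA_RO can query the tables interactively, but cannot reference them from a view or from definer's-rights PL/SQL in his own schema.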

  • CREATE PROCEDURE privilege granted, but cannot create the procedure

    I have a user to whom I have given the following privileges:
    CREATE SESSION
    SELECT ANY TABLE
    CREATE ANY PROCEDURE
    CREATE PROCEDURE
    EXECUTE ANY PROGRAM
    EXECUTE ANY PROCEDURE

    But when I try to create a procedure with this user I get an "insufficient privileges" error. What am I doing wrong?

    What's wrong? You are opening the proverbial barn doors with regard to security. This isn't how security should be done: allowing a schema to create procedural code anywhere in the database, or to select data from any table.

    How do you think Sony's PS network was hacked and millions of users' credit card data stolen?

    By this kind of careless approach to security.

    A schema has the minimum privileges needed to achieve its goals and requirements. Nothing more.

    For example

    -- standard logical database schema, 10Gb space allocation
    create user HRDB
      identified by <password>
      default tablespace USERS
      quota 10G on USERS;

    -- configure the basic security layer for the schema
    grant
      create session,                 -- allow client-server connections to the schema
      create table, create trigger,   -- allow creating standard db objects
      create sequence, create view,   -- allow defining extended objects
      create procedure                -- allow creating stored proc code
    to HRDB;
    

    In addition, you can decide to assign a resource profile, specific roles and so on. In some cases you can also let the schema create types, synonyms, private database links, materialized views, etc.

    Don't grant any access by default. No access to SYS code and objects. Everything else is a security exception requiring a valid justification.

  • Granting a tablespace quota to an Oracle role

    Hello

    Is it possible to give tablespace quotas to a role instead of an Oracle user?

    As:
    ALTER USER USER_NAME QUOTA UNLIMITED ON NOM_TABLESPACE;

    Thank you

    Is it possible to give tablespace quotas to a role instead of an Oracle user?

    No.

  • Role permissions plus a direct grant on the same object

    Hello everyone,

    I work in a large company with lots of data and Oracle databases, specifically

    on the security account management services (accounts, roles, privileges, etc.).

    In a few DBs we have a role named RO_ALFA_READ with grant select on table TABLE_32.

    The ALFA role, or better, the users of the ALFA role are also granted the objects directly.

    This is the final situation:

    SQL> SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTEE = 'TIZIO';

    GRANTEE                        GRANTED_ROLE                   ADM DEF
    ------------------------------ ------------------------------ --- ---
    TIZIO                          CONNECT                            YES
    TIZIO                          RESOURCE                       NO  YES
    TIZIO                          DBA                            NO  YES
    TIZIO                          SELECT_CATALOG_ROLE            NO  YES
    TIZIO                          AQ_ADMINISTRATOR_ROLE          NO  YES
    TIZIO                          RO_ALFA_READ                   NO  YES

    SQL> c/role/tab
      1* SELECT * FROM DBA_TAB_PRIVS WHERE GRANTEE = 'TIZIO'
    SQL> r
      1* SELECT * FROM DBA_TAB_PRIVS WHERE GRANTEE = 'TIZIO'

    GRANTEE                        OWNER                          TABLE_NAME                     GRANTOR                        PRIVILEGE
    ------------------------------ ------------------------------ ------------------------------ ------------------------------ ----------
    TIZIO                          SYS                            TABLE_32                       SYS                            SELECT

    In your opinion, why did the engineer decide to give this 'double' privilege on the table?

    Thank you!

    Perhaps because privileges granted through a role are not used during the execution of a procedure:

    [oracle@db11204 ~]$ sqlplus / as sysdba

    SQL*Plus: Release 11.2.0.4.0 Production on Thu Aug 20 23:48:31 2015

    Copyright (c) 1982, 2013, Oracle.  All rights reserved.

    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options

    SQL> create user t1 identified by t1;

    User created.

    SQL> create user t2 identified by t2;

    User created.

    SQL> grant connect, resource to t1, t2;

    Grant succeeded.

    SQL> create table t1.tt (id number);

    Table created.

    SQL> insert into t1.tt values (2);

    1 row created.

    SQL> commit;

    Commit complete.

    SQL> create role role1;

    Role created.

    SQL> grant select on t1.tt to role1;

    Grant succeeded.

    SQL> grant role1 to t2;

    Grant succeeded.

    SQL> conn t2/t2
    Connected.
    SQL> select * from t1.tt;

            ID
    ----------
             2

    SQL> conn / as sysdba
    Connected.
    SQL> grant create procedure to t2;

    Grant succeeded.

    SQL> conn t2/t2
    Connected.
    SQL> create procedure p1 is
      2  begin
      3    execute immediate 'select * from t1.tt';
      4  end;
      5  /

    Procedure created.

    SQL> set serveroutput on
    SQL> exec p1
    BEGIN p1; END;

          *
    ERROR at line 1:
    ORA-00942: table or view does not exist
    ORA-06512: at "T2.P1", line 3
    ORA-06512: at line 1


    SQL> select * from t1.tt;

            ID
    ----------
             2

    SQL> show user
    USER is "T2"
    SQL>
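    An added example that is not part of this reply or of Sybrand's answer earlier on the page; it continues the T1/T2/ROLE1 setup shown above and covers both threads' question (direct grant versus role). Part (a) shows the one case where a role does work inside PL/SQL, an invoker's-rights procedure with dynamic SQL; part (b) is the direct grant the engineer in the question chose; part (c) is a query that finds every schema carrying such a double grant. P1_IR and P1_DR are assumed procedure names.

```sql
-- Added example, not from the thread. Same T1/T2/ROLE1 objects as the session above.

-- (a) invoker's rights: create and run as T2. The procedure executes with the
--     caller's enabled roles, so ROLE1's SELECT on T1.TT is honoured at run time.
CREATE OR REPLACE PROCEDURE p1_ir AUTHID CURRENT_USER IS
  v_id NUMBER;
BEGIN
  -- dynamic SQL is resolved at run time with the invoker's roles; static SQL
  -- would still need the owner to hold the privilege at compile time, when
  -- roles are never considered
  EXECUTE IMMEDIATE 'SELECT MAX(id) FROM t1.tt' INTO v_id;
  DBMS_OUTPUT.PUT_LINE('max id = ' || v_id);
END;
/
EXEC p1_ir          -- succeeds for T2, because ROLE1 is a default role in its session

-- (b) definer's rights with a direct grant: what the engineer in the question did.
--     Run the GRANT as T1 or SYS, the rest as T2.
GRANT SELECT ON t1.tt TO t2;
CREATE OR REPLACE PROCEDURE p1_dr AUTHID DEFINER IS
  v_id NUMBER;
BEGIN
  SELECT MAX(id) INTO v_id FROM t1.tt;   -- static SQL compiles now that the grant is direct
  DBMS_OUTPUT.PUT_LINE('max id = ' || v_id);
END;
/
EXEC p1_dr          -- succeeds only while the direct grant exists

-- (c) audit: object privileges held both directly and through a role, like
--     TIZIO's SELECT on TABLE_32 in the question (run with the DBA role)
SELECT tp.grantee, tp.owner, tp.table_name, tp.privilege, rp.granted_role
  FROM dba_tab_privs  tp
  JOIN dba_role_privs rp  ON rp.grantee     = tp.grantee
  JOIN dba_tab_privs  rtp ON rtp.grantee    = rp.granted_role
                         AND rtp.owner      = tp.owner
                         AND rtp.table_name = tp.table_name
                         AND rtp.privilege  = tp.privilege
 ORDER BY tp.grantee, tp.owner, tp.table_name;
```

    Invoker's rights is not automatically the safer choice: the code runs with whatever the caller holds, so a DBA invoking P1_IR executes it with DBA privileges. For code owned by an application schema the direct grant in (b) is the narrower option, and query (c) is how you spot the schemas where someone has already made that choice.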
