Privileges granted to a role
Hello
Quick question on the privileges granted to a role...
Scenario 1:
---------------
create role CONNECT_ROLE;
grant connect to CONNECT_ROLE;
grant alter session to CONNECT_ROLE;
grant create cluster to CONNECT_ROLE;
grant create procedure to CONNECT_ROLE;
grant create sequence to CONNECT_ROLE;
grant create synonym to CONNECT_ROLE;
grant create table to CONNECT_ROLE;
grant create trigger to CONNECT_ROLE;
grant create type to CONNECT_ROLE;
grant create view to CONNECT_ROLE;
grant debug connect session to CONNECT_ROLE;
grant CONNECT_ROLE to tom, mike;
Scenario 2:
---------------
create role dev_role;
grant select on scott.emp to dev_role;
grant execute on rich.emp_pkg to dev_role;
grant dev_role to tom, mike;
To display the privileges that have been granted to a role, I created the following view.
CREATE OR REPLACE VIEW CHECK_PRIVS
(username, rolename, privilege)
AS
-- system privileges a grantee receives through a role
SELECT DECODE(SA1.GRANTEE#, 1, 'PUBLIC', U1.NAME), SUBSTR(U2.NAME, 1, 20),
SUBSTR(SPM.NAME, 1, 27)
FROM SYS.SYSAUTH$ SA1, SYS.SYSAUTH$ SA2, SYS.USER$ U1,
SYS.USER$ U2, SYS.SYSTEM_PRIVILEGE_MAP SPM
WHERE SA1.GRANTEE# = U1.USER#
AND SA1.PRIVILEGE# = U2.USER#
AND U2.USER# = SA2.GRANTEE#
AND SA2.PRIVILEGE# = SPM.PRIVILEGE
UNION
-- system privileges granted directly
SELECT U.NAME, NULL, SUBSTR(SPM.NAME, 1, 27)
FROM SYS.SYSTEM_PRIVILEGE_MAP SPM, SYS.SYSAUTH$ SA, SYS.USER$ U
WHERE SA.GRANTEE# = U.USER#
AND SA.PRIVILEGE# = SPM.PRIVILEGE;
I get the correct results from the view for scenario #1, but I don't get any results for scenario #2. Am I missing something here?
Thanks for your time.
Object-level grants are not access privileges.
Oracle already provides views to display system and object level privileges, such as dba_tab_privs and dba_sys_privs, so why do you need to create your own view?
HTH - Mark D Powell.
Tags: Database
Similar Questions
-
Is there no DBA_ view to see the privileges granted to a role?
DB version: 11.2
I couldn't find DBA_ views that would list all the privileges granted to a role. Finally, I had to assign the role to a user, sign in as the user it was granted to, and then query the ROLE_TAB_PRIVS view. As a DBA, I cannot connect to business schemas to check for this.
The scenario
==============
SCOTT schema has two tables: HRTB_EMP_MASTER and HELLOWORLD
I want to grant SELECT privileges on these two tables to another user called TESTUSER, not directly but through roles.
Since I couldn't find a DBA view that shows the privileges granted to a role, I granted the role to the user, then had to open a session as the user (against our security policy) and query ROLE_TAB_PRIVS.
SQL> conn / as sysdba
Connected.
SQL> grant create role to testuser;
Grant succeeded.
SQL> conn testuser/test123
Connected.
SQL> create role testuser_ro;
Role created.
SQL> conn / as sysdba
Connected.
SQL> grant select on scott.hrtb_emp_master to testuser_ro; ---> Granting the SELECT priv to the role first
Grant succeeded.
SQL> grant select on scott.helloworld to testuser_ro;
Grant succeeded.
SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';
---> This won't work because I am connected as SYS
---> ROLE_TAB_PRIVS is user specific view
no rows selected
SQL> grant testuser_ro to testuser;
Grant succeeded.
SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';
no rows selected
SQL> conn testuser/test123
Connected.
SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT';
ROLE            OWNER           TABLE_NAME           PRIVILEGE
--------------- --------------- -------------------- ----------
TESTUSER_RO     SCOTT           HELLOWORLD           SELECT
TESTUSER_RO     SCOTT           HRTB_EMP_MASTER      SELECT
You must look for grantee, not owner
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> create role r1;
Role created.
SQL> grant select on sys.v$database to r1;
grant select on sys.v$database to r1
*
ERROR at line 1:
ORA-02030: can only select from fixed tables/views
SQL> grant select on sys.v_$database to r1;
Grant succeeded.
SQL> select grantee, privilege, owner, table_name from dba_tab_privs where grantee='R1';
GRANTEE         PRIVILEGE                                OWNER           TABLE_NAME
--------------- ---------------------------------------- --------------- ------------------------------
R1              SELECT                                   SYS             V_$DATABASE
-
Display of metadata to fetch the privileges granted to a role
Hello
I have a doubt in the display of the metadata of the roles, please give me more details on the same.
According to dba_roles, I could see the list of roles and to dba_role_privs, I could see the list of users who got this role.
Now, I would like to make a list of the privileges granted to this role. In which metadata view could I find this information? Please help.
Thank you.
In addition to SY's message:
to find out which data dictionary tables can help you:
SELECT * FROM dict WHERE table_name LIKE '%ROLE%';
-
How can I determine what were the privileges granted to the PUBLIC?
I don't know 'out of the box' privileges by default Oracle, but rather the privileges that have been granted since the day 0.
SQL> select * from dba_sys_privs where grantee = 'PUBLIC';
no rows selected
SQL> grant create any table to public;
Grant succeeded.
SQL> select * from dba_sys_privs where grantee = 'PUBLIC';
GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
PUBLIC                         CREATE ANY TABLE                         NO
SQL> revoke create any table from public;
Revoke succeeded.
SQL> select * from dba_sys_privs where grantee = 'PUBLIC';
no rows selected
SQL>
The PUBLIC role is a special role that each database user account automatically has when the account is created. By default, it has no privileges granted to it, but there are many grants, especially for Java objects.
The same link, which was provided by a member:
DBA_ROLE_PRIVS - roles granted to users and roles
ROLE_ROLE_PRIVS - roles that were granted to roles
ROLE_SYS_PRIVS - system privileges granted to roles
ROLE_TAB_PRIVS - table privileges granted to roles
Regards
Girish Sharma
-
How to grant the privilege of reading a package through a role
Dear guys,
I need to grant read-only access to procedures and packages to a user, but not execute. So I created a role named READ_PKG, then granted the debug privilege to the role, then granted the role to the user who needs to view them. But this was not successful. The user still can't see the package whose debug privilege was granted to the role.
If I grant debug directly to the user, the user can view the package.
CREATE ROLE READ_PKG NOT IDENTIFIED;
GRANT DEBUG ON FCUB.ACPKS TO READ_PKG;
grant READ_PKG to chuongnh;
So, how do I grant the debug privilege through a role?
Thank you
Chuong
Hello
Are you sure that the role is 'default' to the user?
SQL> alter user chuongnh default role all;
Kind regards
-
Block a privs of roles that has been granted to another role
I don't think I explained that very well in the title...
create role role_a;
grant select, insert, update on table_a to role_a;
grant select, insert, update on table_b to role_a;
grant select, insert, update on table_c to role_a;
create role role_b;
grant role_a to role_b;
revoke insert, update on table_b from role_b;
What I need to do is revoke the insert and update from role_b.
This example is simple, but I hope you get the gist of the problem.
I believe the suggestion would be that, rather than revoking the privileges from role_b, you must create a new role, role_c, and then grant the privileges on tables a & c to role_c.
You cannot revoke privileges from a role that are not directly granted to the role. You cannot make role_b have a subset of the privileges granted to role_a by granting the role and removing individual privileges. You must create a new role (role_c) which includes the subset of privileges you want and grant this new role_c to role_b. You can also, of course, just grant the privileges on tables a & c to role_b directly rather than granting role_a.
Justin
-
Question about listing roles granted to other roles
Hello
I'm trying to find out what query lists the roles that are contained in other roles or, in other words, the roles that have been granted to other roles.
Consider the following scenario:
create role hr_junior;
grant create session to hr_junior;
grant select on hr.regions to hr_junior;
grant select on hr.locations to hr_junior;
grant select on hr.countries to hr_junior;
create role hr_senior;
grant hr_junior to hr_senior with admin option;
grant insert, update, delete on hr.employees to hr_senior;
grant insert, update, delete on hr.job_history to hr_senior;
create role hr_manager;
grant hr_senior to hr_manager with admin option;
grant all on hr.regions to hr_manager;
grant all on hr.locations to hr_manager;
grant all on hr.countries to hr_manager;
I have a query that will show me what system and object privileges have been assigned to a role, for example:
col role format a12
col owner format a12
col table_name format a12
col column_name format a12
col privilege format a15
col grantable format a3
select role, owner, table_name, column_name, privilege, grantable
from role_tab_privs
where role = 'HR_MANAGER'
order by owner, table_name, column_name, privilege;
select role, privilege, admin_option
from role_sys_privs
where role = 'HR_MANAGER'
order by privilege, admin_option;
But it does not show which roles contain other roles (for example, it does not show that hr_manager contains hr_senior). I would like to have a SQL query showing that:
hr_manager contains hr_senior
hr_senior contains hr_junior
hr_junior does not contain any roles
Question: is it possible to write a query that displays the roles that contain other roles and, if so, what is the query?
Thank you very much for your help,
John.
Hello
The question: is it possible to write a query that displays the roles that contain other roles and, if so, what is the query?
select * from dba_role_privs where grantee in (select role from dba_roles) order by grantee;
DWDB.UTAC.COM.SG$SYS> create role main_role;
Role created.
DWDB.UTAC.COM.SG$SYS> create role sub_role1;
Role created.
DWDB.UTAC.COM.SG$SYS> create role sub_role2;
Role created.
DWDB.UTAC.COM.SG$SYS> grant sub_role1 to main_role;
Grant succeeded.
DWDB.UTAC.COM.SG$SYS> grant sub_role2 to main_role;
Grant succeeded.
DWDB.UTAC.COM.SG$SYS> grant sub_role2 to sub_role1;
Grant succeeded.
DWDB.UTAC.COM.SG$SYS> select * from dba_role_privs where grantee in (select role from dba_roles) order by grantee;
GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
DBA                            DELETE_CATALOG_ROLE            YES YES
DBA                            EXECUTE_CATALOG_ROLE           YES YES
DBA                            EXP_FULL_DATABASE              NO  YES
DBA                            GATHER_SYSTEM_STATISTICS       NO  YES
DBA                            IMP_FULL_DATABASE              NO  YES
DBA                            JAVA_ADMIN                     NO  YES
DBA                            JAVA_DEPLOY                    NO  YES
DBA                            OLAP_DBA                       NO  YES
DBA                            SCHEDULER_ADMIN                YES YES
DBA                            SELECT_CATALOG_ROLE            YES YES
DBA                            WM_ADMIN_ROLE                  NO  YES
DBA                            XDBADMIN                       NO  YES
DBA                            XDBWEBSERVICES                 NO  YES
EXECUTE_CATALOG_ROLE           HS_ADMIN_ROLE                  NO  YES
EXP_FULL_DATABASE              EXECUTE_CATALOG_ROLE           NO  YES
EXP_FULL_DATABASE              SELECT_CATALOG_ROLE            NO  YES
IMP_FULL_DATABASE              EXECUTE_CATALOG_ROLE           NO  YES
IMP_FULL_DATABASE              SELECT_CATALOG_ROLE            NO  YES
JAVASYSPRIV                    JAVAUSERPRIV                   NO  YES
LOGSTDBY_ADMINISTRATOR         RESOURCE                       NO  YES
*MAIN_ROLE                     SUB_ROLE1                      NO  YES*
*MAIN_ROLE                     SUB_ROLE2                      NO  YES*
OLAP_DBA                       SELECT_CATALOG_ROLE            NO  YES
OLAP_USER                      CONNECT                        NO  YES
OLAP_USER                      OEM_MONITOR                    NO  YES
OLAP_USER                      RESOURCE                       NO  YES
OLAP_USER                      SELECT_CATALOG_ROLE            NO  YES
SELECT_CATALOG_ROLE            HS_ADMIN_ROLE                  NO  YES
*SUB_ROLE1                     SUB_ROLE2                      NO  YES*
XDBADMIN                       XDBWEBSERVICES                 NO  YES
30 rows selected.
Salman
Published by: Salman Qureshi Sep 20, 2010 13:01
Published by: Salman Qureshi Sep 20, 2010 13:02 added example
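The threads above ask, in turn, for the object privileges of a role, for a DBA_ view that avoids logging in as the grantee, and for the roles nested inside a role. The following is an added example, not code from any of the posters: one query over DBA_ROLE_PRIVS, DBA_SYS_PRIVS and DBA_TAB_PRIVS that walks the role tree and lists everything a grantee ends up with. The bind variable :grantee and the sample value HR_MANAGER (taken from the scenario above) are assumptions.

```sql
-- Added example: effective privileges of one grantee (user or role),
-- including everything inherited through nested roles.
-- Run as a user that can read the DBA_ views; no login as the grantee is needed.
-- :grantee is an assumed bind variable; HR_MANAGER comes from the scenario above.
VARIABLE grantee VARCHAR2(128)
EXEC :grantee := 'HR_MANAGER'

WITH role_tree AS (
  -- the grantee itself, so that direct grants are reported too
  SELECT :grantee AS role_name,
         :grantee AS grant_path
  FROM   dual
  UNION ALL
  -- every role reachable from the grantee, with the chain that leads to it
  SELECT granted_role,
         :grantee || SYS_CONNECT_BY_PATH(granted_role, ' > ')
  FROM   dba_role_privs
  START WITH grantee = :grantee
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
-- roles granted at each node of the tree
SELECT rt.grant_path,
       'ROLE'                      AS priv_type,
       rp.granted_role             AS privilege,
       CAST(NULL AS VARCHAR2(261)) AS object_name,
       rp.admin_option             AS grantable
FROM   role_tree rt
JOIN   dba_role_privs rp ON rp.grantee = rt.role_name
UNION ALL
-- system privileges (what the CHECK_PRIVS view above reports)
SELECT rt.grant_path, 'SYSTEM', sp.privilege, NULL, sp.admin_option
FROM   role_tree rt
JOIN   dba_sys_privs sp ON sp.grantee = rt.role_name
UNION ALL
-- object privileges (what the CHECK_PRIVS view above misses)
SELECT rt.grant_path, 'OBJECT', tp.privilege,
       tp.owner || '.' || tp.table_name, tp.grantable
FROM   role_tree rt
JOIN   dba_tab_privs tp ON tp.grantee = rt.role_name
ORDER  BY 1, 2, 3, 4;

-- Grants made to PUBLIC apply to every account as well:
-- run the query again with :grantee set to 'PUBLIC' to list them.
```

A role that is reachable through more than one chain appears once per chain, so the grant_path column shows every route by which a privilege is inherited.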
-
granting of all roles except 2
Hi guys,
I have two special roles that my user does not have. Other than that, my user should be able to grant all other roles (including all new ones created in the future) to other users, including himself.
I can't grant GRANT ANY ROLE to X; this means that X could then grant these two special roles! So, how can I work around this problem?
Thank you
You can't unless you use a DDL event trigger
http://www.psoug.org/reference/ddl_trigger.html
or write a stored procedure that checks the privileges submitted as input parameters against a hardcoded list of the privileges that can be granted.
Personally, I find the idea of giving any person, other than a DBA or trusted security agent, the ability to grant privileges a violation of governance and security practices and would discourage you from doing so except in a procedure as described above.
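A sketch of the stored-procedure approach suggested in the answer, as an added example and not the answerer's code. Because the question wants future roles to be grantable, the two special roles are hard-coded as a deny list, and a role that contains one of them is refused as well. The names SEC_ADMIN, ROLE_MANAGER, SPECIAL_ROLE_1 and SPECIAL_ROLE_2 are hypothetical.

```sql
-- Added example. SEC_ADMIN (owning schema), ROLE_MANAGER (delegated user),
-- SPECIAL_ROLE_1 and SPECIAL_ROLE_2 are hypothetical names.
-- The owner needs these grants made directly, because roles are ignored
-- inside definer's rights code:
--   GRANT GRANT ANY ROLE TO sec_admin;
--   GRANT SELECT ON sys.dba_role_privs TO sec_admin;
CREATE OR REPLACE PROCEDURE sec_admin.grant_role_checked (
  p_role    IN VARCHAR2,
  p_grantee IN VARCHAR2
) AUTHID DEFINER
AS
  c_name_re CONSTANT VARCHAR2(40) := '^[A-Za-z][A-Za-z0-9_$#]*$';
  v_role    VARCHAR2(128);
  v_grantee VARCHAR2(128);
  v_blocked PLS_INTEGER;
BEGIN
  -- Accept plain unquoted identifiers only. A quoted name such as "DBA"
  -- would slip past the string comparison below, and anything else must
  -- never reach the dynamic GRANT. NULL input falls into the ELSE branch.
  IF REGEXP_LIKE(p_role, c_name_re) AND REGEXP_LIKE(p_grantee, c_name_re) THEN
    v_role    := UPPER(p_role);
    v_grantee := UPPER(p_grantee);
  ELSE
    RAISE_APPLICATION_ERROR(-20000, 'Role and grantee must be plain identifiers');
  END IF;

  -- Refuse the two special roles and any role that contains one of them,
  -- directly or through further nested roles.
  SELECT COUNT(*)
  INTO   v_blocked
  FROM  (SELECT v_role AS role_name FROM dual
         UNION
         SELECT granted_role
         FROM   dba_role_privs
         START WITH grantee = v_role
         CONNECT BY NOCYCLE PRIOR granted_role = grantee)
  WHERE  role_name IN ('SPECIAL_ROLE_1', 'SPECIAL_ROLE_2');

  IF v_blocked > 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Role ' || v_role || ' may not be granted through this procedure');
  END IF;

  -- Both names were validated above, so concatenation is safe here.
  EXECUTE IMMEDIATE 'GRANT ' || v_role || ' TO ' || v_grantee;
END grant_role_checked;
/

-- The delegated user receives EXECUTE on the wrapper only, never GRANT ANY ROLE.
GRANT EXECUTE ON sec_admin.grant_role_checked TO role_manager;
```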
-
What privileges must be granted to select from all the PDBs
Why do the two selects not return the same result? Or, if you want the broader question: what privileges must be granted to select from all the PDBs?
I want to let the common user that I created select and see all of the synonyms of all PDBs.
conn / as sysdba
create user c##nir identified by c##nir container=all;
grant connect,dba,resource to c##nir container=all;
grant select on cdb_synonyms to c##nir container=all;
select CON_ID from cdb_synonyms group by CON_ID;
CON_ID
----------
1
4
11
10
14
5
8
13
3
7
15
6
12
9
conn c##nir/c##nir
select CON_ID from cdb_synonyms group by CON_ID;
CON_ID
----------
1
select CON_ID from containers(dba_synonyms) group by CON_ID
*
ERROR at line 1:
ORA-00942: table or view does not exist
You must use the CONTAINER_DATA clause:
ALTER USER c##nir SET CONTAINER_DATA=ALL CONTAINER=CURRENT;
After running the above command, try selecting from cdb_synonyms again and you will see the data of all containers.
Read more in my blog post
-
What is the difference between the granting of privileges directly and by role
When you want to create a view in the schema of user1, this user must be granted the right to select on the table user2.t2, but not via a role. What is the difference?
Are there other privileges that must be granted directly?
The same answer I have already given here 100s of times:
Views are compiled objects.
Roles are volatile and can change after compilation.
Result: stored procedures, functions, packages and views ignore roles.
And of course, the user who creates the view should have the CREATE VIEW system privilege.
Most of the questions here can easily be answered by applicants, with little effort. Documentation is necessary and some industry and eagerness to learn.
----------------
Sybrand Bakker
Senior Oracle DBA
-
Find privileges granted explicitly, outside of roles
Hi gurus,
Is there a query to find explicit privileges(select,insert...) granted to users outside the roles?
Thank you
Maybe like this
select grantee || ' has privilege ' || privilege || ' on ' || owner || '.' || table_name
from dba_tab_privs
where grantee not in ('SYS', 'SYSTEM', 'GENERAL', 'PUBLIC')
and grantee not in (select role from dba_roles)
/
Be careful with PUBLIC!
-
Object-level privileges granted...
Hello
I want to grant object-level privileges to some user so that he can view (select) any object which resides under another user. Not the select any table option.
I tried in vain to do something like that.
Kind regards
Why do you have thousands of tables in a schema?
And yes, it is quite easy to grant privileges this way.
Connect to the schema that you want to grant from.
-- Granting select on tables and views to scott
declare
  v_sql varchar2(4000);
begin
  for cur in (
    select object_name
    from user_objects
    where object_type in ('TABLE','VIEW','MATERIALIZED VIEW')
  ) loop
    -- quote the name so mixed-case or special-character object names still work
    v_sql := 'grant select on "'||cur.object_name||'" to scott';
    execute immediate v_sql;
  end loop;
end;
/
If I were you, I would create a role.
And then grant privileges to this role.
You can then grant this role to users.
And it's much easier than granting select on thousands of tables.
Published by: Keith Jamieson on August 28, 2012 10:02
-
CREATE PROCEDURE privilege granted, but cannot create the procedure
I have a user that I have given the following privileges:
CREATE SESSION
SELECT ANY TABLE
CREATE ANY PROCEDURE
CREATE PROCEDURE
EXECUTE ANY PROGRAM
EXECUTE ANY PROCEDURE
But when I try to create a procedure with this user I get an insufficient privileges error. What am I doing wrong?
What's wrong? You are opening the proverbial barn doors in terms of security. This isn't how security should be done - allowing a schema to create any procedure code anywhere in the database. Or select data from any table.
How do you think Sony's PS network was hacked and the credit card data of millions of users stolen?
By this kind of precarious approach to security.
A schema gets the minimum privileges needed to achieve its goals and its requirements. Nothing more.
For example
-- standard logical database schema, 10Gb space allocation
create user HRDB identified by <password>
  default tablespace USERS
  quota 10G on USERS;
-- configure the basic security layer for the schema
grant
  create session,                 -- allow client-server connections to schema
  create table, create trigger,   -- allow to create standard db objects
  create sequence, create view,   -- allow access to defining extended objects
  create procedure                -- allow creating stored proc code
to HRDB;
In addition, you can decide to assign a resource profile and specific roles and so on. In some cases, you can also let the schema create types, synonyms and private database links, materialized views, etc.
Don't grant access. No access to the SYS code and objects. By default. Everything else is a security exception requiring a valid justification.
-
Grant tablespace quota to an Oracle role
Hello
Is it possible to give tablespace quotas to a role instead of the oracle user?
Like:
ALTER USER USER_NAME QUOTA UNLIMITED ON TABLESPACE_NAME;
Thank you
Is it possible to give tablespace quotas to a role instead of the oracle user?
No.
-
Role permissions for the same object more
Hello everyone,
I work in a large company with lots of data and Oracle databases, specifically in the security services account management (accounts, roles, privileges, etc.).
In a few DBs, we have a role named RO_ALFA_READ, with grant select on table TABLE_32.
The users of the ALFA role also have the grant specifically on the table object.
This is the final situation:
SQL> SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTEE = 'TIZIO';
GRANTEE GRANTED_ROLE ADM DEF
------------------------------ ------------------------------ --- ---
TIZIO CONNECT YES
TIZIO RESOURCE NO YES
TIZIO DBA NO YES
TIZIO SELECT_CATALOG_ROLE NO YES
TIZIO AQ_ADMINISTRATOR_ROLE NO YES
TIZIO RO_ALFA_READ NO YES
SQL> c.role.tab
1* SELECT * FROM DBA_tab_PRIVS WHERE GRANTEE = 'TIZIO'
SQL> r
1* SELECT * FROM DBA_tab_PRIVS WHERE GRANTEE = 'TIZIO'
GRANTEE OWNER TABLE_NAME GRANTOR PRIVILEGE
------------------------------ ------------------------------ ------------------------------ --------------------------------
TIZIO SYS TABLE_32 SYS SELECT
In your opinion, why did the engineer decide to give this 'double' privilege on the table?
Thank you!
Perhaps because the privileges granted through a role are not used during the execution of a procedure:
[oracle@db11204 ~]$ sqlplus / as sysdba
SQL*Plus: Release 11.2.0.4.0 Production on Thu Aug 20 23:48:31 2015
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> create user t1 identified by t1;
User created.
SQL> create user t2 identified by t2;
User created.
SQL> grant connect, resource to t1, t2;
Grant succeeded.
SQL> create table t1.tt (id number);
Table created.
SQL> insert into t1.tt values (2);
1 row created.
SQL> commit;
Commit complete.
SQL> create role role1;
Role created.
SQL> grant select on t1.tt to role1;
Grant succeeded.
SQL> grant role1 to t2;
Grant succeeded.
SQL> conn t2/t2
Connected.
SQL> select * from t1.tt;
ID
----------
2
SQL> conn / as sysdba
Connected.
SQL> grant create procedure to t2;
Grant succeeded.
SQL> conn t2/t2
Connected.
SQL> create procedure p1 is
2 begin
3 execute immediate 'select * from t1.tt';
4 end;
5 /
Procedure created.
SQL> set serveroutput on
SQL> exec p1
BEGIN p1; END;
*
ERROR at line 1:
ORA-00942: table or view does not exist
ORA-06512: at "T2.P1", line 3
ORA-06512: at line 1
SQL> select * from t1.tt;
ID
----------
2
SQL> show user
USER is "T2"
SQL>
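The session above and the earlier answer that compiled objects ignore roles describe the same rule. The following added example (not part of either post) shows how to reproduce what definer's rights code sees without writing a procedure, and how invoker's rights changes the outcome. It assumes the T1/T2/ROLE1 setup from the session above; the procedure name p1_invoker is hypothetical.

```sql
-- Added example. Run as T2 from the session above, where T2 holds
-- SELECT on T1.TT only through ROLE1 (no direct grant).

-- 1. Normal login: default roles are enabled, the query resolves via ROLE1.
SELECT role FROM session_roles;        -- ROLE1 is among the enabled roles
SELECT COUNT(*) FROM t1.tt;            -- succeeds

-- 2. Switch every role off for this session. What is left is the privilege
--    set that a definer's rights procedure or a view owned by T2 works with.
SET ROLE NONE;
SELECT role FROM session_roles;        -- no rows selected
SELECT COUNT(*) FROM t1.tt;            -- ORA-00942: table or view does not exist

-- 3. Re-enable the roles granted to T2.
SET ROLE ALL;

-- 4. Invoker's rights variant of P1 (p1_invoker is a hypothetical name).
--    The dynamic statement is parsed at run time with the caller's enabled
--    roles, so ROLE1 is honoured when T2 calls it from the SQL*Plus prompt.
CREATE OR REPLACE PROCEDURE p1_invoker AUTHID CURRENT_USER IS
  v_cnt PLS_INTEGER;
BEGIN
  EXECUTE IMMEDIATE 'select count(*) from t1.tt' INTO v_cnt;
  DBMS_OUTPUT.PUT_LINE('rows visible: ' || v_cnt);
END;
/
SET SERVEROUTPUT ON
EXEC p1_invoker

-- 5. For definer's rights code such as P1, or for a view, the privilege has
--    to be granted directly. Run as a privileged user:
-- GRANT SELECT ON t1.tt TO t2;
```

Step 2 is a quick audit check: any query that stops working after SET ROLE NONE depends on a role grant and will fail inside definer's rights PL/SQL and in views.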