Question about registration granted to other roles roles
HelloI'm trying find out what query lists the roles that are contained in other roles or, in other words, the roles have been granted to other roles.
Consider the following scenario:
create role hr_junior;
grant create session to hr_junior;
grant select on hr.regions to hr_junior;
grant select on hr.locations to hr_junior;
grant select on hr.countries to hr_junior;
create role hr_senior;
grant hr_junior to hr_senior with admin option;
grant insert, update, delete on hr.employees to hr_senior;
grant insert, update, delete on hr.job_history to hr_senior;
create role hr_manager;
grant hr_senior to hr_manager with admin option;
grant all on hr.regions to hr_manager;
grant all on hr.locations to hr_manager;
grant all on hr.countries to hr_manager;
I have a query that will show me what system and object privileges have been assigned to a role, for example:col role format a12
col owner format a12
col table_name format a12
col column_name format a12
col privilege format a15
col grantable format a3
select role
, owner
, table_name
, column_name
, privilege
, grantable
from role_tab_privs
where role = 'HR_MANAGER'
order by owner
, table_name
, column_name
, privilege;
select role
, privilege
, admin_option
from role_sys_privs
where role = 'HR_MANAGER'
order by privilege
, admin_option;
But it does not show what role contains other roles (for example, it does not show that have contains hrsenior) I would like to have a showing SQL query thathr_manager contains hr_senior
hr_senior contains hr_junior
hr_junior does not contain any roles
Question: is it possible to write a query that displays the roles that contain other roles and, if so, what is the application?Thank you very much for your help,
John.
Hello
The question: is it possible to write a query that displays the roles that contain other roles and, if so, what is the application?
select * from dba_role_privs where grantee in (select role from dba_roles) order by grantee;
DWDB.UTAC.COM.SG$SYS> create role main_role;
Role created.
DWDB.UTAC.COM.SG$SYS> create role sub_role1;
Role created.
DWDB.UTAC.COM.SG$SYS> create role sub_role2;
Role created.
DWDB.UTAC.COM.SG$SYS> grant sub_role1 to main_role;
Grant succeeded.
DWDB.UTAC.COM.SG$SYS> grant sub_role2 to main_role;
Grant succeeded.
DWDB.UTAC.COM.SG$SYS> grant sub_role2 to sub_role1;
Grant succeeded.
DWDB.UTAC.COM.SG$SYS> select * from dba_role_privs where grantee in (select role from dba_roles) order by grantee;
GRANTEE GRANTED_ROLE ADM DEF
------------------------------ ------------------------------ --- ---
DBA DELETE_CATALOG_ROLE YES YES
DBA EXECUTE_CATALOG_ROLE YES YES
DBA EXP_FULL_DATABASE NO YES
DBA GATHER_SYSTEM_STATISTICS NO YES
DBA IMP_FULL_DATABASE NO YES
DBA JAVA_ADMIN NO YES
DBA JAVA_DEPLOY NO YES
DBA OLAP_DBA NO YES
DBA SCHEDULER_ADMIN YES YES
DBA SELECT_CATALOG_ROLE YES YES
DBA WM_ADMIN_ROLE NO YES
DBA XDBADMIN NO YES
DBA XDBWEBSERVICES NO YES
EXECUTE_CATALOG_ROLE HS_ADMIN_ROLE NO YES
EXP_FULL_DATABASE EXECUTE_CATALOG_ROLE NO YES
EXP_FULL_DATABASE SELECT_CATALOG_ROLE NO YES
IMP_FULL_DATABASE EXECUTE_CATALOG_ROLE NO YES
IMP_FULL_DATABASE SELECT_CATALOG_ROLE NO YES
JAVASYSPRIV JAVAUSERPRIV NO YES
LOGSTDBY_ADMINISTRATOR RESOURCE NO YES
*MAIN_ROLE SUB_ROLE1 NO YES*
*MAIN_ROLE SUB_ROLE2 NO YES*
OLAP_DBA SELECT_CATALOG_ROLE NO YES
OLAP_USER CONNECT NO YES
OLAP_USER OEM_MONITOR NO YES
OLAP_USER RESOURCE NO YES
OLAP_USER SELECT_CATALOG_ROLE NO YES
SELECT_CATALOG_ROLE HS_ADMIN_ROLE NO YES
*SUB_ROLE1 SUB_ROLE2 NO YES*
XDBADMIN XDBWEBSERVICES NO YES
30 rows selected.
Salman
Published by: Salman Qureshi Sep 20, 2010 13:01
Published by: Salman Qureshi Sep 20, 2010 13:02 added example
Tags: Database
Similar Questions
-
More questions about registration of the plugin on a Production Server package
I tried to review other messages (as well as the documentation for VMware) regarding the plugins installation/registration on [the customer] production servers. Specifically, I was looking at this recent announcement:
The following response was a very good point, but I was looking for a little more in detail about how other developers are doing this installation/registration:
laurentsd: as a plugin developer, you are responsible to write an installer that customers will run to register your plugin package. You do not want to treat to run a java program directly :-) The installation program should be easy to use.
I was curious to know how many people have their customers to install a Web Client plugin.
The States of doc SDK - Tutorial.html in the 'record of your plugin...» "article for the mode of production (step 1), you can:"
Use a script program or installer to create the object of Extension data programmatically and enter this data object using the ExtensionManager.registerExtension method
This means that the .zip file must be placed on a server access with HTTPS access.
[Variant 1]: are most of the people having the client stores the .zip file in a HTTPS server in the customer environment? If Yes, then I guess that the installer prompts the user to specify the URL to the zip file, which is then rolled into the Extension data' things "programmatically.
[Variant 2]: or, most people hold their own on their own server HTTPS .zip file by using an installation program with hard coded URL value in the .zip file, and having the user simply launch the installer without entering any additional data?
Or maybe there is an Option of [3] that I have not yet thought?
It seems that [option2] is obviously easier for the customer, but makes it harder to make a plugin that everyone has access to. [Variant 1] requires a bit of work for the customer, but allows the developer to restrict access to the plugin for customers who have paid for the product. Certainly the installer can block based on the license key, but anyone with some knowledge of vSphere Client Web plugins as well as documentation 'Save your plugin package' could take a plugin .zip file and install it manually without an official Installer (when the .zip is hosted to the public).
You must take the URL of the ZIP file as an input for your script so that all options can be supported. If the zip file is hosted in the customer environment, then the URL should point to that. If you host the zip file on your own server, then the URL should point to your server.
You should code hard not URL that you have mentioned in the #2 option, because there are several companies and agencies Government which do not allow to connect outside of their network.
-
Question about registration of vista Toshiba - Satellite A200-1CR
Hi all
In my laptop Toshiba vista registration component config.exe program does not work.
Please help me? How can I make this work?
Hello
You received the Toshiba Recovery CD with your beautiful Sat A200.
I would recommend setting the notebook back to factory and after the new OS installation check settings if the Toshiba vista registration tool is working properly.In other cases, you can visit Toshiba Europe site and register for your laptop on the Toshiba site!
Good luck
-
question about registration of CA
I have a large company of a dmvpn star site. We are currently using psk for IKE authentication. We seek to put in place an internal PKI infrastructure for IKE authentication. I configured an internal root CA and 2 secondary cases on the routers from 1941 to this effect. We expect use PEIE autoenrollment for routers of the head of Star network to register for these internal certification authorities. My question is which of these cases should I have my routers register to? Or can I have a few routers join sup - A1 and some apply to sup - A2 and maybe a few to root-CA?
enrollment url http://rootCA:80
enrollment url http://subCA1:80
enrollment url http://subCA2:80
???
Hello
There is no problem from the point of view of IPsec to register for the two subCAs.
The CERT_REQ payload will be sent for two subCAs in Main Mode 3 and 4 message.
(Note: If you want to change this behavior, you can select the profile of isakmp particular trustpoint inside)
Nowayds it is more important to the highly available as CA (ISMA) CRL itself.
Two subCAs means do not rely on a unique material to provide functions to update the registration/CRL.
Note that you can chain up to the root certificates, which should allow essentially rays are registered to the subCA1 to establish IPsec with subCA2.
I have not tried to do it with the SCEP Protocol... not sure if you can do it automatically...
Marcin
-
Questions about registration of the catalogues, changes
Hello-, I save all my pictures from LR and records to 2 back ups - each an external hard drive.
I'll be getting a new hard drive installed in my laptop so will have to re - install LR.
My question is: my ratings pictures, changes, cultures, folder names and important content of the catalogues will be on 2 external hard drives.
I know that the photos are saved but wonder about the rest of the above - especially the catalogues.
Group discussion thanks.
kathyt. YYC
One thing you want to make sure, is that you restore your photos from your backup disk has the EXACT structure of folders of your internal drive is now all of your photos are EXACTLY in the same place when restore you them. This is very important!
With regard to the sides, etc. This is in your catalog (LRCAT) file. Copy your LRCAT file to your backup drives, and then restore the LRCAT file to the original location on your new internal drive.
-
Question about registration of EBS web page
HelloI have been using Open script 12.3 for the automation of the e - Business suite.
When tried to save the actions performed with EBS\Forms, a problem as web page interactions are not saved. However, the actions of forms are saved.
However, the normal web page navigation are saved with the help of the web registration.
Kind regards
Biki
Hello
Problem has been resolved. Change the settings options of the Internet Local Intranet.
Steps to reproduce:
1. go to internet options
2. go to Security tab
3. Select the internet zone and goto at the personal level. Identify all the properties and try to reproduce the same on the local intranet.
4. Goto to Local intranet custom level and make the change similar to the internet.
Thank you
Biki
-
Question about registration of the compositions
Hello
I wonder if there is a way I can quickly save an individual publication with its assets within a project. For example: I have a project of 'Active' that I keep open as a composition in the project, I'm working on so I can quickly grab the goods I use a lot. Sometimes, I'll create a new asset for the job I want to add to my "assets". AEP' but I can not simply copy the layers in my 'Active' composition and then save the comp. like it's own .aep file. Instead, I need to save a project, delete everything except my asset mix and then save as Assets.aep and re - open my current project.
Is it possible to export or save an individual model, from a project with a lot of comps, as is the project?
Hope that makes sense...
Thank you
Paul
Not directly. In a project file duplicated (of security), you remove all unwanted comps, then select all the searched comps and use project reduce.
-
granting of all roles except 2
Hi guys,.
I have two special roles that does not have my user. Other than that, my user should be able to grant all other roles (including the all new created in the future) to other users, including himself.
I can't grant grant any role to X, this means that X can then give these two special roles! so, how can I work around this problem?
Thank youYou can't unless you use a DDL event trigger
http://www.psoug.org/reference/ddl_trigger.htmlor write a stored procedure that allows the user to control the privileges submitted as input parameters and a list hardcoded these privileges that can be granted.
Personally, I find the idea of giving any person, other than a DBA or trusted security agent, the ability to grant privileges a violation of governance and security practices and would discourage you to do except in a procedure as described above.
-
Question about user SYS and ROLES
Hello
When I create a role, such as:
I see that as soon as the role is created, it is automatically granted to the SYS.create role atestrole;
I thought that, given the fact that SYS has already all the privileges system and object in existence, that the automatic grant was superfluous and unnecessary. To test this, I have revoked the role of 'atestrole' of SYS and then tried to give "atestrole" as user SYS to SCOTT. As expected, SYS has been able to give "atestrole" SCOTT.
At this point, it seems that the automatic granting of new roles to SYS does not SYS, being able to do something that he would be able to do otherwise.
Question: SYS automatically grant all newly created roles, cause SYSTEM to have a few abilities that he would or not is superfluous (as seems to be)?
Thank you for your help,
John.
PS: the new roles are automatically awarded to SYS by Oracle itself, it is not something to be done "manually".
Published by: 440bx - 11 GR 2 on 20 Sep, 2010 08:23 - added PS.I don't know if it will clear the cloud or not! but the result is "a user who creates a role is granted also that default role.
So, if you created the ROLE with SYS is authorized for SYS otherwise DO NOT default. See the example below.SQL> conn sys@xe as sysdba Enter password: ****** Connected. SQL> CREATE ROLE TEST_ROLE_GRANT1; Role created. SQL> set line 1000 SQL> SELECT * FROM dba_role_privs 2 WHERE GRANTED_ROLE='TEST_ROLE_GRANT1'; GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- SYS TEST_ROLE_GRANT1 YES YES SQL> conn system@xe Enter password: ****** Connected. SQL> CREATE ROLE TEST_ROLE_GRANT2; Role created. SQL> SELECT * FROM dba_role_privs 2 WHERE GRANTED_ROLE='TEST_ROLE_GRANT2'; GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- SYSTEM TEST_ROLE_GRANT2 YES YES SQL> conn hr@xe Enter password: ** Connected. SQL> CREATE ROLE TEST_ROLE_GRANT3; Role created. SQL> SELECT * FROM dba_role_privs 2 WHERE GRANTED_ROLE='TEST_ROLE_GRANT3'; GRANTEE GRANTED_ROLE ADM DEF ------------------------------ ------------------------------ --- --- HR TEST_ROLE_GRANT3 YES YES SQL>
-
Hello
Quick question on the privileges granted to a role...
Scenario 1:
---------------
create the CONNECT_ROLE role.
Grant connect to connect_role;
Grant, alter session to CONNECT_ROLE statement.
grant create cluster to CONNECT_ROLE;
grant create procedure CONNECT_ROLE;
grant create sequence to CONNECT_ROLE;
grant create synonym of CONNECT_ROLE;
grant create table CONNECT_ROLE;
grant create trigger to CONNECT_ROLE;
create grant type to CONNECT_ROLE.
grant create view to CONNECT_ROLE;
grant debug connect session to the CONNECT_ROLE;
grant connect_role to tom, mike;
Scenario 2:
---------------
create the dev_role role.
Grant select on scott.emp to dev_role;
Grant execute on rich.emp_pkg to dev_role;
grant dev_role to tom, mike;
To display the privileges that have been granted to a role, I created the following view.
CREATE OR REPLACE VIEW CHECK_PRIVS
(username, rolename, privilege)
AS
SELECT DECODE (SA1. GRANTEE #, 1, 'PUBLIC', U1.NAME), SUBSTR (U2.NAME, 1, 20),.
SUBSTR (SPM.NAME, 1: 27)
OF SYS. SYSAUTH$ SA1, SYS. SYSAUTH$ SA2, SYS. USER$ U1,
SYS. USER$ U2, SYS. SYSTEM_PRIVILEGE_MAP SPM
WHERE SA1. DEALER # = U1. THE USER #.
AND SA1. PRIVILEGE # = U2. THE USER #.
AND U2. USER # = SA2. DEALER #.
AND SA2. PRIVILEGE # = SPM. PRIVILEGE
UNION
SELECT U.NAME, NULL, SUBSTR(SPM.NAME,1,27)
OF SYS. SYSTEM_PRIVILEGE_MAP SPM, SYS. SYSAUTH$ SA, SYS. THE USER$ U
WHERE SA. GRANTEE #= U.USER #.
AND SA. PRIVILEGE #= SPM. PRIVILEGE
I get the correct results of the esteem for the #1 scenario, but I don't get any results for the #2 sight. Am I missing something here?
Thanks for your time.Object level of subsidies are not access privileges.
Oracle already provide views to display system object and the level of privileges such as dba_tab_privs and dba_sys_privs so why do you need to create your own point of view?
HTH - Mark D Powell.
-
I bought a Dell installation disk and I want to use it to install a better version of Windows on my Dell PC. I have windows Vista and I want to use it to update my OS Windows7 Home Premium. However, the license type is SLP:OEM and no detail... not sure what SLP: OEM means... I thought that the OS discs are the same. Someone told me no retail editions are not suitable for a new OS, but I'm confused. The disc says, Windows 7 Home premium 64-bit, but didn't holograms who have all MS OS disks and the disk is labeled for use with a Dell system only, if the means it will work very well on my Dell PC? The label does not which brand or model this disc is for, but said only for the Dell PC which is my PC. I'm assuming, the disk won't work on all Dells, maybe someone can offer suggestions, any help is much appreciated. Thank you!
I have a few other questions about Windows 7, can I ask you about this on your Web site? Do not know how to contact you on your website. I can see other people responding to your articles, but that's all. I thought that maybe their might be a forum to post a question... Thank you for everything.
You can comment on my site but comments will be public and it is easier to answer questions in the forums.
If you want to be more precise, you can post in the Dell Community Forums. :
http://en.community.Dell.com/support-forums/software-OS/
There are also ways to private message me there is something I don't think that can be done by non-moderateurs on Microsoft Answers. However, I prefer answering questions on the forum:
http://en.community.Dell.com/members/natakuc4
Concerning the compatibility with Windows 7, I have listed a full pilot system here compliment:
Theres nothing to worry about your circuit board, the only driver who can break your system's BIOS update. I only list the last official update BIOS list Dell in my unofficial driver sets.
The webcam should be covered by Dell Webcam Central but what is the monitor?
http://ftp.Dell.com/Monitors/Dell_SX2210-Monitor_Webcam%20SW%20RC1.1_%20R230103.exe
The main difficulty is to get a genuine product key Windows 7 64 bit. The time now it's easier to buy the 64-bit Windows 8.1. No matter if you buy Windows 7 or 8.1 64-bit both going to Windows 10 free when the RTM is out.
-
Is it not view DBA_ see the privileges granted to a role?
DB version: 11.2
I couldn't find DBA_ views that would list all the privileges granted to a role. Finally, I had to assign the role to a user and then sign in as a user who has granted and then query view ROLE_TAB_PRIVS. A DBA, I can not connect in business patterns to check for this.
The scenario
==============
SCOTT schema has two tables: HRTB_EMP_MASTER and HELLOWORLD
I want to grant SELECT on these two tables privileges to another user called TESTUSER but not directly. through roles
Since I couldn't find a DBA view that will have the privileges granted to a role, I have granted the role to the user, I had to open a session to the user (against our security policy) and the querySQL> conn / as sysdba Connected. SQL> grant create role to testuser; Grant succeeded. SQL> conn testuser/test123 Connected. SQL> SQL> create role testuser_ro; Role created. SQL> conn / as sysdba Connected. SQL> grant select on scott.hrtb_emp_master to testuser_ro; --- > Granting the SELECT priv to the role first Grant succeeded. SQL> grant select on scott.helloworld to testuser_ro; Grant succeeded. SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT'; ----> This won't work because I am connected as SYS ----> ROLE_TAB_PRIVS is user specific view no rows selected
ROLE_TAB_PRIVS.
SQL > grant testuser_ro to testuser;
Grant succeeded.
SQL > PRIVILEGE OF ROLE_TAB_PRIVS, TABLE_NAME, OWNER, SELECT ROLE where owner = 'SCOTT ';
no selected line
SQL> conn testuser/test123 Connected. SQL> SELECT ROLE, OWNER, TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS where owner = 'SCOTT'; ROLE OWNER TABLE_NAME PRIVILEGE --------------- --------------- -------------------- ---------- TESTUSER_RO SCOTT HELLOWORLD SELECT TESTUSER_RO SCOTT HRTB_EMP_MASTER SELECT
You must look for beneficiary, no owner
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production With the Partitioning, OLAP, Data Mining and Real Application Testing options SQL> create role r1; Role created. SQL> grant select on sys.v$database to r1; grant select on sys.v$database to r1 * ERROR at line 1: ORA-02030: can only select from fixed tables/views SQL> grant select on sys.v_$database to r1; Grant succeeded. SQL> select grantee, privilege, owner, table_name from dba_tab_privs where grantee='R1'; GRANTEE PRIVILEGE OWNER TABLE_NAME --------------- ---------------------------------------- --------------- ------------------------------ R1 SELECT SYS V_$DATABASE
-
Block a privs of roles that has been granted to another role
I don't think that I have which explains very well in the title...
create the role role_a;
Grant select, insert and update on the table to role_a;
Grant select, insert, update the table to role_a b;
Grant select, insert, update the table to role_a c;
create the role role_b;
grant role_a to role_b;
revoke the insertion, update table b of role_b;
What I have to do is revoke the insertion, update role_b.
This example is simple, but I hope you get the gist of the problem.I believe that the suggestion that would be rather than to revoke the privileges of role_b, you must create a new role_c role, and then grant privileges on tables & c to c role.
You cannot revoke the privileges to a role that are not directly granted to the role. If you can not role_b have a subset of the privileges granted to role_a by granting the role and removal of individual privileges. You must create a new role (role_c) which includes the subset of privileges you want and grant this new role_c to role_b. You can also, of course, just grant the privileges on tables role_b has & c directly rather than role_a.
Justin
-
Display of metadata to fetch the privileges granted to a role
Hello
I have a doubt in the display of the metadata of the roles, please give me more details on the same.
According to dba_roles, I could see the list of roles and to dba_role_privs, I could see the list of users who got this role.
Now, I would like to make a list of the privileges granted to this role. What metadata view I could find this information, please help.
Thank you.In addition to SY's message:
to find out which data dictionary tables can help you:SELECT * FROM dict WHERE table_name LIKE'%ROLE%'
-
Questions about new HA in vsphere features 5
Hello!
I have a few questions about new ha features in vsphere 5
I found, there is a master ha in the cluster that monitors other hosts and protected virtual machines through two type of heartbeats (network and data store) and move the VMS if necessary. If this host fails, an election is held and new master ha is determined by vcenter server.
Ok! What happens if we install vCenter Server as a virtual machine inside the host who is the master ha in a cluster. If this host fails (something like a power cut) its agent goes too far and also the vcenter is destroyed. So, who's going to hold the election and introduce the new ha so that the old ha and vCenter are out of the game.
I know that ha staff are not entirely dependent on vCenter and runs if the host taking vcenter is far (restart vms including vcenter or moved to another host on another) but I think this one is different because of the new role of master
My next question is on the different types of events, which can arrive at the slave of the hosts and do their partitioned or isolation. I'll ask them later (once this question is answered
Thanks to you all
you mean master election (who needs to know the host object id in the cluster and the number of data warehouses connected and...) is performed by agents themselves? and he needs no intervention vcenter?
No fix - no intervention from vCenter for an election of master.
and another thing. When the host with vCenter machine on it and the role of chess master, how other officers find that the master is absent? is not the work of vcenter to notice and say to others when master does not work?
Is not work of vCenter - is the work of the master and the process of hearbeating among the slaves.
what I doubt is that: If slave hosts loose connectivity with the master, they think that they are faulty and should present themselves as isolated or partitioned and it is the duty of the vcenter to know when the captain does not work! can you please correct me here
See above - is not vCenter work to determine which node is failed or isolated - it's the work of agents FDM.
You should read the book of Duncan: http://www.amazon.com/dp/B005C1SARM/ref=as_li_tf_til?tag=yellowbricks-20&camp=0&creative=0&linkCode=as1&creativeASIN=B005C1SARM&adid=16Q69JRGDTX1DHPRKTQM
It covers all this in depth.
Maybe you are looking for
-
How can I get rid of the tooltip improve boring Images?
The ToolTip of the images improve is so boring!How can I get rid of him?
-
I can't make phone calls. Calls cut.
Hello I can do Skype Skype calls but cannot call some phone numbers in Turkey. I tried on my mobile phone Android and Windows client. I have a Skype credit, and there is no problem on the network connection, when I call another Skype account. Version
-
Re: Satellite a200. Resetting or freezing when power cord plugged
Hey,. Ive recently had my computer cleaned after that I had problems with it cutting cause of overheating. It allows to cut while loading Vista too I thought only a dust problem.However after it has been cleaned professionally and reformat the comput
-
I already sent my phone to apple service center I am able to ask the service center to fix at the service of my phone that I would not be able to collect my phone on the estimated time
-
Microsoft wireless mouse 6000 v2 just stopped working
I bought 6000 Microsoft wireless mouse and keyboard a year ago and just mouse combo has randomly stopped working. I turned off my computer and the next day it turned on and the mouse does not work now. -J' put in new batteries and re-synced it and wh