In Oracle 19c database, how can I find out tablespace, schema, tables allowed to access, privileges assigned to a user grouping by that username ?
Are you looking for something like this?
Replace USER with the desired username
Granted Roles:
SELECT *
FROM DBA_ROLE_PRIVS
WHERE GRANTEE = 'USER';
Privileges Granted Directly To User:
SELECT *
FROM DBA_TAB_PRIVS
WHERE GRANTEE = 'USER';
Privileges Granted to Role Granted to User:
SELECT *
FROM DBA_TAB_PRIVS
WHERE GRANTEE IN (SELECT granted_role
FROM DBA_ROLE_PRIVS
WHERE GRANTEE = 'USER');
Granted System Privileges:
SELECT *
FROM DBA_SYS_PRIVS
WHERE GRANTEE = 'USER';
If you want to lookup for the user you are currently connected as, you can replace DBA in the table name with USER and remove the WHERE clause.
Related
I have grant Roles for users and grant some privs on Roles:
--Grant roles for users
GRANT DataEntry TO John, Joe, Lynn;
GRANT Supervisor TO Fred;
GRANT Management TO Amy, Beth;
--Grant on table to roles
GRANT SELECT, INSERT, UPDATE ON Attendance TO DataEntry;
GRANT SELECT, DELETE ON Attendance TO Supervisor;
GRANT SELECT ON Attendance TO Management;
However, when I query to dba_sys_privs table and select on John user, for example, I do not have privs which DataEntry role have? What happened with that problem?
John has been granted the role, not the privileges of the role directly. John will be able to take advantage of those privileges through the role. This means that if you were to revoke the role from the user, Oracle wouldn't need to go back and figure out which privileges were obtained through the role and revoke those too - this would be a challenge as a user might be granted multiple roles that provide the say privilege. It is much more efficient for Oracle to check if a user has access to a necessary privilege at parse time (which doesn't happen often).
If you want to see all the table privileges a user is able to use then you would need to look at both dba_tab_privs and dba_role_privs. Remember that a role can be granted another role so you would need to do a recursive query to identify all of those too:
with grantees (schema) as
(Select username schema
from dba_users
where username = 'JOHN'
union all
select rp.granted_role
from grantees g
join dba_role_privs rp
on g.schema = rp.grantee
)
select *
from dba_tab_privs sp
where sp.grantee in (select g.schema from grantees g)
In Oracle, I granted select on a table to a user by giving the following command:
GRANT SELECT ON DEPT TO HOMERSIMPSON;
Once I granted a select on the dept table to homersimpson, I queried the dba_sys_privs, there's no record of the privilege granted. I used the following query:
Select * from dba_sys_privs where grantee = 'HOMERSIMPSON';
Why is the privilege not reported on this table?
Thanks in advance.
You are granting a SELECT on a specific table. That's not a system priv. It is an object prv. Try looking at DBA_TAB_PRIVS.
For example, when I go to a table's properties in sql developer, I can see what are the users (owners) have been granted the access to this table.
If I want to use a query to find all these information for a group of tables and see what users have the access to them, which Oracle data dictionary table can I use?
That would be DBA_TAB_PRIVS for all objects or USER_TAB_PRIVS for the objects the current user is the owner, grantor, or grantee of.
A good thing with the dictionary is that you can select from it, literally. For example (which is kind of unreadable because I set columns to fit the screen; GUI is better for that):
SQL> select table_name, comments
2 from dictionary
3 where lower(comments) like '%grant%';
TABLE_NAME COMMENTS
-------------------- ------------------------------------------------------------
ALL_COL_PRIVS Grants on columns for which the user is the grantor, grantee
, owner,
or an enabled role or PUBLIC is the grantee
ALL_COL_PRIVS_MADE Grants on columns for which the user is owner or grantor
ALL_COL_PRIVS_RECD Grants on columns for which the user, PUBLIC or enabled role
is the grantee
ALL_TAB_PRIVS Grants on objects for which the user is the grantor, grantee
, owner,
or an enabled role or PUBLIC is the grantee
ALL_TAB_PRIVS_MADE User's grants and grants on user's objects
ALL_TAB_PRIVS_RECD Grants on objects for which the user, PUBLIC or enabled role
is the grantee
USER_AUDIT_STATEMENT Audit trail records concerning grant, revoke, audit, noaudi
t and alter system
USER_COL_PRIVS Grants on columns for which the user is the owner, grantor o
r grantee
USER_COL_PRIVS_MADE All grants on columns of objects owned by the user
USER_COL_PRIVS_RECD Grants on columns for which the user is the grantee
USER_ROLE_PRIVS Roles granted to current user
USER_SYS_PRIVS System privileges granted to current user
USER_TAB_PRIVS Grants on objects for which the user is the owner, grantor o
r grantee
USER_TAB_PRIVS_MADE All grants on objects owned by the user
USER_TAB_PRIVS_RECD Grants on objects for which the user is the grantee
COLUMN_PRIVILEGES Grants on columns for which the user is the grantor, grantee
, owner, or
an enabled role or PUBLIC is the grantee
ROLE_ROLE_PRIVS Roles which are granted to roles
ROLE_SYS_PRIVS System privileges granted to roles
ROLE_TAB_PRIVS Table privileges granted to roles
TABLE_PRIVILEGES Grants on objects for which the user is the grantor, grantee
, owner,
or an enabled role or PUBLIC is the grantee
20 rows selected.
SQL>
What is the query to get all objects with privileges under a specific role.
ROLE_NAME TABLE SELECT INSERT DELETE UPDATE EXECUTE
SELECT *
FROM DBA_TAB_PRIVS
WHERE GRANTEE='ROLE_NAME';
DBA_TAB_PRIVS describes all object grants in the database.
Or to get the grants for all the roles, you can use below query.
SELECT grantee role_name,table_name,privilege
FROM dba_tab_privs dtp,dba_roles dr
WHERE dtp.grantee=dr.role
ORDER BY role_name,table_name,privilege;
I have a homegrown Oracle role that was created long ago:
create role MyRole;
It's been granted the ability to select, insert, update, and delete from some tables and views.
grant select on sometable to MyRole;
grant insert on sometable to MyRole;
grant select on someothertable to MyRole;
-- etc.
How can I now enumerate the specific list of privileges that were granted to the role? I am interested in discovering the specific tables and the rights this role has with respect to each table. How can I recover this information?
You can simply search from data dictionary ROLE_TAB_PRIVS. And do like this
SELECT * FROM ROLE_TAB_PRIVS WHERE ROLE = 'MyRole';
this works well:
SELECT DBA_TAB_PRIVS.GRANTEE, TABLE_NAME, PRIVILEGE,DBA_ROLE_PRIVS.GRANTEE
FROM DBA_TAB_PRIVS, DBA_ROLE_PRIVS
WHERE DBA_TAB_PRIVS.GRANTEE = DBA_ROLE_PRIVS.GRANTED_ROLE
AND DBA_TAB_PRIVS.GRANTEE='<ENTER GROUP ROLE HERE>'
AND DBA_ROLE_PRIVS.GRANTEE = '<ENTER ROLE HERE>'
ORDER BY DBA_ROLE_PRIVS.GRANTEE