I have created a audit policy "select_action_on_tables" by user_a.
create audit policy select_action_on_tables
actions select on user_a.test_table1;
And i grant "audit_admin" to user_b.
grant audit_admin to user_b;
but user_b unable to alter the "select_action_on_tables" with ORA-01031: insufficient privileges error.
alter audit policy select_action_on_tables add actions select on user_a.test_table2;
Do i miss any privileges need for user_b to alter an audit polity? Thank you.
AUDIT_ADMIN is a role, and roles are not activated by default. You either need to alter the user to make the role active by default, or alter the session to activate the role:
alter user user_b default role audit_admin [, role1, role2, ...];
alter user user_b default role all;
alter session set role audit_admin;
See documentation here:
https://docs.oracle.com/en/database/oracle/oracle-database/19/sqlrf/ALTER-USER.html#GUID-9FCD038D-8193-4241-85CD-2F4723B27D44
https://docs.oracle.com/en/database/oracle/oracle-database/19/sqlrf/SET-ROLE.html#GUID-863F9B6F-82B4-4C49-8E3A-3BA33AE79CAB
Also note that a role cannot be activated in existing sessions when first assigned. The designated user must start a new session in order to inherit the new privileges.
Related
im using oracle db v21c , after trying to create a role student with privs 'create session , create table , create view ' a granted that role to a user 'user3' but when trying to connect with that user i got ora-01045. i checked that privs granted to that role and everything seems normal , i have tried using granting the role the privileges with admin option and nothing happens . I used select * from dba_sys_privs where grantee='student' and all seems good . The role is created with system and so the user because at first i was trying to create the role with scott , but get an error insufficient privileges, but scott have the privilege to create role.
Roles are not active by default. You must either alter the user to set a default role (and then login again), or alter the user's current session to set a current role:
alter user user3 default role all;
or
set role student;
I've created a user with a default tablespace. I've granted create session to that user and then added them to a role GRANT xxxx_role TO myuser;
However when I run SELECT * FROM USER_ROLE_PRIVS, there are no rows of data, meaning the user isn't assigned to any roles. It says that the grant succeeded. What am I doing wrong? I've done this as a SYSTEM user which should have carte blanche permissions.
user_role_privs shows roles granted to the current user. dba_role_privs shows roles granted to all users. You probably want to be querying dba_role_privs.
If you are logged in as system and do the grant, you should see a row in dba_role_privs for myuser. You won't see rows in user_role_privs for any user other than system. If you log in as myuser after the grant is done, you will see a row in user_role_privs.
I have following commands in a script :
ALTER SESSION SET CONTAINER = orclpdb
ALTER session set "_ORACLE_SCRIPT"=true;
CREATE PROFILE test_profile LIMIT password_life_time unlimited;
CREATE USER test IDENTIFIED BY test123
PROFILE test_profile
while dropping user using:
ALTER SESSION SET CONTAINER = orclpdb;
DROP USER test cascade;
I am getting :
ora-28014 cannot drop administrative users
My first concern is how this test user is getting administrative privilege.
Secondly is there anyway better way to do this.
The reason why the user is becoming ADMIN is due that the fact that you are using the underscore parameter _oracle_script=true
ORA-28014: Cannot Drop Administrative Users (Doc ID 1566042.1)
https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=267287602351459&id=1566042.1&_afrWindowMode=0&_adf.ctrl-state=w6ehg2ftt_53
As Oracle states in that document:
Users are considered administrative users when are created using the
script catcon.pl, or in that session the parameter "_oracle_script"
is set to TRUE.
You should not use it when you are creating users or anything else for that matter, unless you need to drop an administrative user, which in that case you have to.
To avoid this, when creating users avoid the use of the _oracle_script parameter altogether.
I want to know once you create a user role and add some privileges as:
CREATE ROLE usern NOT IDENTIFIED ;
GRANT SELECT ANY DICTIONARY TO usern ;
GRANT SELECT ON t90022.temptable TO usern ;
Can you edit the user role and just state the privilege as follows?
GRANT SELECT ON 90888.temptable2 TO usern ;
Will the user role be updated or do you need to drop and create the user role again?
PS: I don't have privileges to try this out. So please help
Granting privileges in Oracle is cumulative. You do not have to re-grant privileges already granted, and in fact must revoke them explicitly to remove them.
I have created a new user using the below in sql developer (Oracle 11g). I have only two tables titled FEED_DATA_A and FEED_DATA_B that I want this user to be able to select, update and insert into. Can someone help me understand the SQL to create the proper privileges to accomplish that? I'm currently logged in as the system user.
CREATE USER "USER_A" IDENTIFIED BY "test123";
If you want to grant the privileges directly to the user
GRANT select, update, insert
ON table_owner.feed_data_a
TO user_a;
GRANT select, update, insert
ON table_owner.feed_data_b
TO user_a;
More commonly, though, you would create a role, grant the role to the user, and grant the privileges to the role. That makes it easier in the future when there is a new user created that you want to have the same privileges as USER_A to just grant a couple of roles rather than figuring out all the privileges that potentially need to be granted. It also makes it easier as new tables are created and new privileges are granted to ensure that users that should have the same privileges continue to have the same privileges.
CREATE ROLE feed_data_role;
GRANT select, update, insert
ON table_owner.feed_data_a
TO feed_data_role;
GRANT select, update, insert
ON table_owner.feed_data_b
TO feed_data_role;
GRANT feed_data_role
TO user_a