I'm using Oracle DB v21c. After trying to create a role student with the privileges 'create session, create table, create view', I granted that role to a user 'user3', but when trying to connect with that user I got ORA-01045. I checked the privileges granted to that role and everything seems normal. I have tried granting the role the privileges with admin option and nothing happens. I used select * from dba_sys_privs where grantee='student' and all seems good. The role was created with system and so was the user, because at first I was trying to create the role with scott but got an insufficient privileges error, but scott has the privilege to create role.
Roles are not active by default. You must either alter the user to set a default role (and then login again), or alter the user's current session to set a current role:
alter user user3 default role all;
or
set role student;
I have to create a role with the only privilege of CREATE SESSION. I have already created it, but when I give the role to the user I cannot connect to the DB because the user lacks the CREATE SESSION privilege.
This is what I tried:
But at the end, when I try to connect with the user alvaro_rol, I receive this message: and it was supposed to connect to the DB because I created the role, I granted the CONNECT privilege to the role, I gave the role to the user alvaro_rol and finally I activated the role with the command set role, and I don't know what to do next.
Thanks in advance!
You will need to give the user the session privilege, either directly or through a non-password-protected role. The security guide says (emphasis added):
You can protect a role authorized by the database by assigning the role a password. If a user is granted a role protected by a password, then you can enable or disable the role by supplying the proper password for the role in the SET ROLE statement. You cannot authenticate a password-authenticated role on logon, even if you add it to the list of default roles. You must explicitly enable it with the SET ROLE statement using the required password.
Since you can't supply the role password during login/connect, you will have to connect first - which requires the session privilege - and then use
set role rol_conexion identified by conexion;
Currently setting that role would be a bit pointless, but in reality you would have a role providing other privileges that need to sit behind the role authorisation - and not create session.
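The split described in this answer, as an added example that is not part of the original post: the logon privilege is granted directly, and only the privileges worth protecting sit behind the password role. It assumes a fresh setup run from a privileged account; `rol_conexion`, `conexion` and `alvaro_rol` are the thread's names, while `app_owner.orders` is a hypothetical table.

```sql
-- Run as a privileged account such as SYSTEM.
-- Assumption: the role does not exist yet; app_owner.orders is hypothetical.
CREATE ROLE rol_conexion IDENTIFIED BY conexion;

-- CREATE SESSION must be usable before any SET ROLE can be issued,
-- so it is granted directly to the user, not through the password role.
GRANT CREATE SESSION TO alvaro_rol;

-- Privileges that should require the role password go on the role.
GRANT SELECT ON app_owner.orders TO rol_conexion;
GRANT rol_conexion TO alvaro_rol;

-- A password role is not authenticated at logon even when it is a default
-- role; excluding it from the defaults makes that intent explicit.
ALTER USER alvaro_rol DEFAULT ROLE ALL EXCEPT rol_conexion;

-- Run as alvaro_rol after connecting.
-- SESSION_ROLES lists the roles enabled in the current session.
SELECT role FROM session_roles;

-- Enable the protected role for this session only.
-- SET ROLE disables every role that is not named in the statement.
SET ROLE rol_conexion IDENTIFIED BY conexion;

SELECT role FROM session_roles;
SELECT COUNT(*) FROM app_owner.orders;
```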
I've created a user with a default tablespace. I've granted create session to that user and then added them to a role GRANT xxxx_role TO myuser;
However when I run SELECT * FROM USER_ROLE_PRIVS, there are no rows of data, meaning the user isn't assigned to any roles. It says that the grant succeeded. What am I doing wrong? I've done this as a SYSTEM user which should have carte blanche permissions.
user_role_privs shows roles granted to the current user. dba_role_privs shows roles granted to all users. You probably want to be querying dba_role_privs.
If you are logged in as system and do the grant, you should see a row in dba_role_privs for myuser. You won't see rows in user_role_privs for any user other than system. If you log in as myuser after the grant is done, you will see a row in user_role_privs.
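A diagnostic query for the ORA-01045 cases above, added here as an example and not taken from any of the posts: run from an account that can read the DBA_* views, it lists every path by which a user holds CREATE SESSION at logon, using `dba_role_privs` as this answer suggests. `USER3` is the user from the first question; treating nested roles as enabled together with their parent is a simplifying assumption.

```sql
-- Run as SYSTEM or another account with access to the DBA_* views.
-- The dictionary stores unquoted identifiers in upper case, so the
-- grantee is compared as 'USER3', not 'user3'.
WITH logon_roles (role_name) AS (
  -- Roles granted directly to the user that are enabled at logon:
  -- marked as default and not protected by a password or other check.
  SELECT rp.granted_role
  FROM   dba_role_privs rp
  JOIN   dba_roles r ON r.role = rp.granted_role
  WHERE  rp.grantee = 'USER3'
  AND    rp.default_role = 'YES'
  AND    r.authentication_type = 'NONE'
  UNION ALL
  -- Roles granted to those roles (assumed enabled with their parent).
  SELECT rp.granted_role
  FROM   logon_roles lr
  JOIN   dba_role_privs rp ON rp.grantee = lr.role_name
)
-- Path 1: the privilege granted directly to the user.
SELECT 'DIRECT GRANT' AS granted_via, sp.privilege
FROM   dba_sys_privs sp
WHERE  sp.grantee = 'USER3'
AND    sp.privilege = 'CREATE SESSION'
UNION ALL
-- Path 2: the privilege reached through a role that is active at logon.
SELECT 'ROLE ' || lr.role_name, sp.privilege
FROM   logon_roles lr
JOIN   dba_sys_privs sp ON sp.grantee = lr.role_name
WHERE  sp.privilege = 'CREATE SESSION';

-- Roles granted to the user, with the flag that decides logon behaviour.
SELECT granted_role, default_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'USER3';
```

If the first query returns no rows, the user has no usable path to CREATE SESSION at logon, whatever the role itself has been granted.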
Is there a way to create a new admin user/role that can have access to all the existing tables?
If another user creates a new table, the admin user should also be able to have permissions to the new table.
Right now, the only way is explicitly giving the list of the tables:
mclient -f "csv" -s "select name from sys.tables where system=false" | xargs -I '{}' mclient -s 'set schema "'$MONETDB_SCHEMA'"; grant select on "{}" to "pm-usecase"'
but if a new table is created by another user, then we need to grant access to the new table again.
We wondered the same thing but the only option is to make a role:
CREATE ROLE test_role;
Create a schema with the role authorisation present:
CREATE SCHEMA new_schema AUTHORIZATION test_role;
Grant the role to the users using the schema:
GRANT test_role TO test_user;
Now if the user test_user uses the set role test_role command in a sql session he will be able to access tables created by other users without having to be granted the privilege.
At the moment there seems to be no blanket option to make a user able to do this in all schemas. A solution could be to create all tables with one specific table role authorization.
There is a built-in role called sysadmin:
grant sysadmin to <user>
However, you would still need to set the role on your connection to activate the permissions.
Three days ago, I created another user, it's ok. Now I create another user, not working. I don't know what I missed.
This time I did:
CREATE USER TESTDB identified by N2dTlOBFRZ9x;
GRANT CONNECT, RESOURCE TO TESTDB;
GRANT CREATE SESSION TO TESTDB;
GRANT UNLIMITED TABLESPACE TO TESTDB;
GRANT CREATE TABLE to TESTDB;
GRANT CREATE VIEW to TESTDB;
I can create a view, named viewTest, save it.
TESTDB viewTest
select * from PRODDB.employee
Then open viewTest, it says insufficient privileges.
I have another user. Let's call it PRODDB. This is the online database.
The user I created 3 days ago is OKDB.
Today I created another one, TESTDB.
In OKDB, I created a view (viewTest) and I can open it.
select * from PRODDB.employee;
But in TESTDB, cannot open.
Thank you for the update! I believe this is a permissions issue.
In OKDB, I created a view and I can open it. select * from PRODDB.employee;
But in TESTDB, cannot open.
So in this example, there are three users: 1. PRODDB, 2. OKDB, and 3. TESTDB.
The view is named Employee and was created under the PRODDB schema; PRODDB.EMPLOYEE.
If OKDB can query PRODDB.EMPLOYEE, one of two things has to be true. Either: 1. OKDB was granted privileges on PRODDB.EMPLOYEE directly (e.g. grant select on PRODDB.EMPLOYEE to OKDB;), or 2. OKDB has elevated privileges through a role that enables the user to query that view (e.g. grant DBA to OKDB, which will allow OKDB to query any table in the database.)
If TESTDB can't query the view, I would bet that the necessary privileges have not been granted to the user. To fix this, I would recommend checking the privileges and roles that have been granted to the OKDB user and then granting the same privilege(s) to TESTDB. If this is something work related, you may have to work with another DBA if you do not have permission to issue grants.
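One way to carry out the comparison recommended in this answer, added as an example that is not part of the original post: the query lists every object privilege, system privilege and role that OKDB holds and TESTDB does not. It assumes an account that can read the DBA_* views; the final GRANT reuses the statement form quoted in the answer.

```sql
-- Run as a DBA-level account. OKDB, TESTDB and PRODDB are the thread's users.
WITH grants AS (
  -- Object privileges, e.g. SELECT ON PRODDB.EMPLOYEE
  SELECT grantee,
         'OBJECT' AS kind,
         privilege || ' ON ' || owner || '.' || table_name AS grant_text
  FROM   dba_tab_privs
  UNION ALL
  -- System privileges, e.g. CREATE VIEW or SELECT ANY TABLE
  SELECT grantee, 'SYSTEM', privilege
  FROM   dba_sys_privs
  UNION ALL
  -- Roles, e.g. CONNECT, RESOURCE or DBA
  SELECT grantee, 'ROLE', granted_role
  FROM   dba_role_privs
)
-- Everything the working user has ...
SELECT kind, grant_text
FROM   grants
WHERE  grantee = 'OKDB'
MINUS
-- ... minus everything the failing user already has.
SELECT kind, grant_text
FROM   grants
WHERE  grantee = 'TESTDB'
ORDER  BY kind, grant_text;

-- If the difference is the object privilege on the table behind the view,
-- grant only that one privilege (as PRODDB or a DBA):
GRANT SELECT ON PRODDB.employee TO TESTDB;
```

Granting the single missing object privilege keeps TESTDB narrower than copying a broad role such as DBA from OKDB.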
I want to know once you create a user role and add some privileges as:
CREATE ROLE usern NOT IDENTIFIED ;
GRANT SELECT ANY DICTIONARY TO usern ;
GRANT SELECT ON t90022.temptable TO usern ;
Can you edit the user role and just state the privilege as follows?
GRANT SELECT ON 90888.temptable2 TO usern ;
Will the user role be updated or do you need to drop and create the user role again?
PS: I don't have privileges to try this out. So please help
Granting privileges in Oracle is cumulative. You do not have to re-grant privileges already granted, and in fact must revoke them explicitly to remove them.