Grant privileges on Roles but user cannot be granted - oracle

I have granted roles to users and granted some privs to the roles:
--Grant roles for users
GRANT DataEntry TO John, Joe, Lynn;
GRANT Supervisor TO Fred;
GRANT Management TO Amy, Beth;
--Grant on table to roles
GRANT SELECT, INSERT, UPDATE ON Attendance TO DataEntry;
GRANT SELECT, DELETE ON Attendance TO Supervisor;
GRANT SELECT ON Attendance TO Management;
However, when I query the dba_sys_privs table for the user John, for example, I do not see the privs that the DataEntry role has. What is happening here?

John has been granted the role, not the privileges of the role directly. John will be able to take advantage of those privileges through the role. This means that if you were to revoke the role from the user, Oracle wouldn't need to go back and figure out which privileges were obtained through the role and revoke those too - this would be a challenge as a user might be granted multiple roles that provide the same privilege. It is much more efficient for Oracle to check if a user has access to a necessary privilege at parse time (which doesn't happen often).
If you want to see all the table privileges a user is able to use then you would need to look at both dba_tab_privs and dba_role_privs. Remember that a role can be granted another role so you would need to do a recursive query to identify all of those too:
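-- start from the user, then follow role grants (including roles granted to roles)
with grantees (schema) as
 (select username schema
    from dba_users
   where username = 'JOHN'
  union all
  select rp.granted_role
    from grantees g
    join dba_role_privs rp
      on g.schema = rp.grantee
 )
-- object privileges held by the user or by any role reached above
select *
  from dba_tab_privs sp
 where sp.grantee in (select g.schema from grantees g);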
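The recursive lookup described above, extended to show which role chain delivers each privilege and to cover system privileges as well (an added example, not part of the original answer). It assumes the sample user JOHN from the question and a session that can read the DBA_ views; the column aliases kind, via, target and can_pass_on are made up for the illustration.

```sql
-- Added example: effective privileges for one user, with the path of roles
-- that delivers each one. 'JOHN' is the sample user from the question.
WITH grantees (grantee, via) AS (
  -- anchor: the user itself; CAST fixes the width of the path column
  SELECT username, CAST('direct' AS VARCHAR2(4000))
  FROM   dba_users
  WHERE  username = 'JOHN'
  UNION ALL
  -- recursive step: roles granted to the user or to a role already reached
  SELECT rp.granted_role,
         CASE g.via
           WHEN 'direct' THEN rp.granted_role
           ELSE g.via || ' > ' || rp.granted_role
         END
  FROM   grantees g
  JOIN   dba_role_privs rp ON rp.grantee = g.grantee
)
-- object privileges (tables, views, ...) live in DBA_TAB_PRIVS
SELECT 'OBJECT' AS kind,
       g.via,
       tp.privilege,
       tp.owner || '.' || tp.table_name AS target,
       tp.grantable AS can_pass_on
FROM   grantees g
JOIN   dba_tab_privs tp ON tp.grantee = g.grantee
UNION ALL
-- system privileges (CREATE SESSION, SELECT ANY TABLE, ...) live in DBA_SYS_PRIVS
SELECT 'SYSTEM',
       g.via,
       sp.privilege,
       NULL,
       sp.admin_option
FROM   grantees g
JOIN   dba_sys_privs sp ON sp.grantee = g.grantee
ORDER  BY kind, via, target, privilege;
```

For the grants in the question, John's SELECT, INSERT and UPDATE on Attendance come back as OBJECT rows with via = DATAENTRY; they never appear in DBA_SYS_PRIVS, because grants on a table are object privileges. Grants made to PUBLIC are not included.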

Related

In Oracle 19c database, how can I find out tablespace, schema, tables allowed to access, privileges assigned to a user grouping by that username?

In Oracle 19c database, how can I find out tablespace, schema, tables allowed to access, privileges assigned to a user grouping by that username?
Are you looking for something like this?
Replace USER with the desired username
Granted Roles:
SELECT *
FROM DBA_ROLE_PRIVS
WHERE GRANTEE = 'USER';
Privileges Granted Directly To User:
SELECT *
FROM DBA_TAB_PRIVS
WHERE GRANTEE = 'USER';
Privileges Granted to Role Granted to User:
SELECT *
FROM DBA_TAB_PRIVS
WHERE GRANTEE IN (SELECT granted_role
FROM DBA_ROLE_PRIVS
WHERE GRANTEE = 'USER');
Granted System Privileges:
SELECT *
FROM DBA_SYS_PRIVS
WHERE GRANTEE = 'USER';
If you want to look this up for the user you are currently connected as, you can replace DBA in the table name with USER and remove the WHERE clause.

What Oracle dictionary table contains table privilege information?

For example, when I go to a table's properties in SQL Developer, I can see which users (owners) have been granted access to this table.
If I want to use a query to find all this information for a group of tables and see what users have access to them, which Oracle data dictionary table can I use?
That would be DBA_TAB_PRIVS for all objects or USER_TAB_PRIVS for the objects the current user is the owner, grantor, or grantee of.
A good thing with the dictionary is that you can select from it, literally. For example (which is kind of unreadable because I set columns to fit the screen; GUI is better for that):
SQL> select table_name, comments
  2  from dictionary
  3  where lower(comments) like '%grant%';
TABLE_NAME           COMMENTS
-------------------- ------------------------------------------------------------
ALL_COL_PRIVS        Grants on columns for which the user is the grantor, grantee
                     , owner,
                     or an enabled role or PUBLIC is the grantee
ALL_COL_PRIVS_MADE   Grants on columns for which the user is owner or grantor
ALL_COL_PRIVS_RECD   Grants on columns for which the user, PUBLIC or enabled role
                     is the grantee
ALL_TAB_PRIVS        Grants on objects for which the user is the grantor, grantee
                     , owner,
                     or an enabled role or PUBLIC is the grantee
ALL_TAB_PRIVS_MADE   User's grants and grants on user's objects
ALL_TAB_PRIVS_RECD   Grants on objects for which the user, PUBLIC or enabled role
                     is the grantee
USER_AUDIT_STATEMENT Audit trail records concerning grant, revoke, audit, noaudi
                     t and alter system
USER_COL_PRIVS       Grants on columns for which the user is the owner, grantor o
                     r grantee
USER_COL_PRIVS_MADE  All grants on columns of objects owned by the user
USER_COL_PRIVS_RECD  Grants on columns for which the user is the grantee
USER_ROLE_PRIVS      Roles granted to current user
USER_SYS_PRIVS       System privileges granted to current user
USER_TAB_PRIVS       Grants on objects for which the user is the owner, grantor o
                     r grantee
USER_TAB_PRIVS_MADE  All grants on objects owned by the user
USER_TAB_PRIVS_RECD  Grants on objects for which the user is the grantee
COLUMN_PRIVILEGES    Grants on columns for which the user is the grantor, grantee
                     , owner, or
                     an enabled role or PUBLIC is the grantee
ROLE_ROLE_PRIVS      Roles which are granted to roles
ROLE_SYS_PRIVS       System privileges granted to roles
ROLE_TAB_PRIVS       Table privileges granted to roles
TABLE_PRIVILEGES     Grants on objects for which the user is the grantor, grantee
                     , owner,
                     or an enabled role or PUBLIC is the grantee
20 rows selected.
SQL>

Oracle19c -Create Role User Under the Tablespace

Hello, how can I create roles with
ReadOnly (select any tables under the tablespace)
and
InsertUpdateRoleOnly (to insert and update data, not delete)
under my tablespace, with local access for these users?
Tables are owned by someone. The owner grants privileges to other users or to roles; in your case, it'll be a role. As the role doesn't depend on a tablespace (you mentioned), you'd create it as simply as
create role r_read_only;
Then, the owner would grant SELECT privilege on its tables to that role, e.g.
grant select on emp to r_read_only;
grant select on dept to r_read_only;
Such a role would be granted to other users, e.g.
grant r_read_only to littlefoot;
and user littlefoot will be able to select from those tables.
The same goes for your other role, no difference:
create role r_upd_ins;
grant insert, update on emp to r_upd_ins;
grant r_upd_ins to bigfoot;
Privileges cannot be granted at the tablespace level. You must grant privileges to specific tables, e.g.:
create role read_data_role;
grant select on [owner].[table_name] to read_data_role;
create role update_data_role;
grant insert, update on [owner].[table_name] to update_data_role;
grant read_data_role, update_data_role to [username];

How to assign all the privileges of existing user to new user in Oracle 11g?

I have a user 'abc'. Now I have created new user xyz. Can I assign all privileges of user 'abc' to new user 'xyz' in one go? Please help me.
In connection with @Littlefoot's answer:
You can copy the user privileges from one of the tables in the answer here: How to find the privileges and roles granted to a user in Oracle?
for the first user and copy them into a script that will grant the second user the desired privileges. It's a bit of a workaround, but it should work just fine.
As far as I can tell - no, you can't.
But, you could if you
created role(s)
granted privileges to those roles
granted roles to user abc
then, after creating user xyz, you'd just grant those roles to it
If you want to do it "manually", you'll first have to find out what privileges abc has, and then grant them to xyz.
Where to look at? Dictionary has a wide choice, e.g.
SQL> select table_name, substr(comments, 1, 50) || ' ...' comments
  2  From dictionary where lower(table_name) like '%priv%';
TABLE_NAME                     COMMENTS
------------------------------ -------------------------------------------------------
ALL_COL_PRIVS                  Grants on columns for which the user is the granto ...
ALL_COL_PRIVS_MADE             Grants on columns for which the user is owner or g ...
ALL_COL_PRIVS_RECD             Grants on columns for which the user, PUBLIC or en ...
ALL_REPGROUP_PRIVILEGES        Information about users who are registered for obj ...
ALL_TAB_PRIVS                  Grants on objects for which the user is the granto ...
ALL_TAB_PRIVS_MADE             User's grants and grants on user's objects ...
ALL_TAB_PRIVS_RECD             Grants on objects for which the user, PUBLIC or en ...
ALL_XSC_AGGREGATE_PRIVILEGE    All privileges that make up an aggregate privilege ...
ALL_XSC_PRIVILEGE              All mappings of privileges to security classes in ...
USER_AQ_AGENT_PRIVS             ...
USER_COL_PRIVS                 Grants on columns for which the user is the owner, ...
USER_COL_PRIVS_MADE            All grants on columns of objects owned by the user ...
USER_COL_PRIVS_RECD            Grants on columns for which the user is the grante ...
USER_GOLDENGATE_PRIVILEGES     Details about goldengate privileges ...
USER_NETWORK_ACL_PRIVILEGES    User privileges to access network hosts through PL ...
USER_REPGROUP_PRIVILEGES       Information about users who are registered for obj ...
USER_ROLE_PRIVS                Roles granted to current user ...
USER_RSRC_CONSUMER_GROUP_PRIVS Switch privileges for consumer groups for the user ...
USER_RSRC_MANAGER_SYSTEM_PRIVS system privileges for the resource manager for the ...
USER_SYS_PRIVS                 System privileges granted to current user ...
USER_TAB_PRIVS                 Grants on objects for which the user is the owner, ...
USER_TAB_PRIVS_MADE            All grants on objects owned by the user ...
USER_TAB_PRIVS_RECD            Grants on objects for which the user is the grante ...
COLUMN_PRIVILEGES              Grants on columns for which the user is the granto ...
ROLE_ROLE_PRIVS                Roles which are granted to roles ...
ROLE_SYS_PRIVS                 System privileges granted to roles ...
ROLE_TAB_PRIVS                 Table privileges granted to roles ...
SESSION_PRIVS                  Privileges which the user currently has set ...
TABLE_PRIVILEGES               Grants on objects for which the user is the granto ...
29 rows selected.
SQL>
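One way to build the grant script the answers above describe, as an added example that is not from either answer: it prints GRANT statements for review instead of executing them. ABC and XYZ are the users from the question; the aliases ord, ddl and review are made up here. It assumes ABC's object grants are on schema objects such as tables and views; grants on directories need ON DIRECTORY syntax and column-level grants are recorded in DBA_COL_PRIVS, and neither is handled.

```sql
-- Added example: emit, but do not run, the GRANTs that would give XYZ
-- what ABC holds. Review the output before executing any of it.
SELECT ddl, review
FROM (
  -- roles granted to ABC
  SELECT 1 AS ord,
         'GRANT "' || granted_role || '" TO XYZ;' AS ddl,
         CASE admin_option WHEN 'YES' THEN 'source had ADMIN OPTION' END AS review
  FROM   dba_role_privs
  WHERE  grantee = 'ABC'
  UNION ALL
  -- system privileges granted directly to ABC
  SELECT 2,
         'GRANT ' || privilege || ' TO XYZ;',
         CASE admin_option WHEN 'YES' THEN 'source had ADMIN OPTION' END
  FROM   dba_sys_privs
  WHERE  grantee = 'ABC'
  UNION ALL
  -- object privileges granted directly to ABC
  SELECT 3,
         'GRANT ' || privilege || ' ON "' || owner || '"."' || table_name || '" TO XYZ;',
         CASE grantable WHEN 'YES' THEN 'source had GRANT OPTION' END
  FROM   dba_tab_privs
  WHERE  grantee = 'ABC'
)
ORDER BY ord, ddl;
```

The generated statements deliberately omit WITH ADMIN OPTION and WITH GRANT OPTION, so XYZ cannot pass the privileges on; the review column marks the rows where ABC could.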

How can I enumerate the list of privileges granted to an Oracle role?

I have a homegrown Oracle role that was created long ago:
create role MyRole;
It's been granted the ability to select, insert, update, and delete from some tables and views.
grant select on sometable to MyRole;
grant insert on sometable to MyRole;
grant select on someothertable to MyRole;
-- etc.
How can I now enumerate the specific list of privileges that were granted to the role? I am interested in discovering the specific tables and the rights this role has with respect to each table. How can I recover this information?
You can simply query the data dictionary ROLE_TAB_PRIVS, like this:
-- a role created without double quotes is stored in uppercase
SELECT * FROM ROLE_TAB_PRIVS WHERE ROLE = 'MYROLE';
This works well:
SELECT DBA_TAB_PRIVS.GRANTEE, TABLE_NAME, PRIVILEGE,DBA_ROLE_PRIVS.GRANTEE
FROM DBA_TAB_PRIVS, DBA_ROLE_PRIVS
WHERE DBA_TAB_PRIVS.GRANTEE = DBA_ROLE_PRIVS.GRANTED_ROLE
AND DBA_TAB_PRIVS.GRANTEE='<ENTER GROUP ROLE HERE>'
AND DBA_ROLE_PRIVS.GRANTEE = '<ENTER ROLE HERE>'
ORDER BY DBA_ROLE_PRIVS.GRANTEE
