so I want to grant an update to a user account like this
grant update on stuff to admin1;
but after I select * from admin1.stuff, an error "table or view does not exist". how can I see the data table in the user account
Presume you're currently connected as user nanatua and ran
grant update on stuff to admin1;
It lets user admin1 to update values in table stuff you own. Nothing else.
If you want to let it query (select) data from that table, you have to grant it:
grant select on stuff to admin1;
Then connect as admin1 and run
select * from nanatua.stuff;
Not vice versa! as you tried to; command you used (select * from admin1.stuff) means that user admin1 owns the table, but it is not.
Related
How to create database link to access dba tables from another user (which has no dba rights)? I want to take back up of sys.aud$ table in another tablespace which belongs to a user, but I am unable to access it.
you dont need to create a link. You my just grant select on this table/view to any user or create view and grant select on view. eg:
connect sys/<pass> as sysdba
grant select on sys.aud$ to NON_DBA_USER;
or create view with some restrictions:
create view view_to_grant_with_rest as select * from sys.aud$ where rownum < 11;
grant select on view_to_grant_with_rest to NON_DBA_USER;
I have a schema A with a view VIEW. (A.VIEW)
This view reads the data from a table TABLE in schema B (B.TABLE).
I have to allow an user (C user) to select data from view A.VIEW:
select * from A.VIEW;
When the user makes this query, receive the message "ORA-01031 insufficient privileges".
I have already given the grant:
GRANT select on B.TABLE to A (with user sys);
GRANT select on B.TABLE to C;
GRANT select on A.VIEW to C;
So keep giving the same error.
I saw on the net that the problem is solved by assigning the grant:
GRANT select on B.TABLE to A WITH GRANT OPTION;
I don't want assign grant option: it's possible?
Thank you in advance
In Oracle, I attempt to create a view like this
create view ddd as
select *
from myschema1.t1
join myschema2.t2
....
When I run this statement, I get an error ORA-01031 : insufficient privileges. If I just execute the query in Query Worksheet, however, it works.
Why does my CREATE VIEW statement fail and what privileges do I need in order to make the statement succeed?
In order to create a view that references myschema1.t1 and myschema2.t2, the user that owns the view has to be given access to those two tables directly, not via a role. My first guess is that you have been granted the privileges on the underlying table via a role. You can verify that in SQL*Plus by disabling roles and re-running the query. If you do
SQL> set role none;
SQL> select *
from myschema1.t1
join myschema2.t2 ...
does the query work? If not, then you only have the privileges granted via a role not directly. Note that if you want to be able to grant other users access to your view, you need to be granted privileges on the objects WITH GRANT OPTION.
GRANT SELECT ON myschema1.t1 TO <<user that will own the view>> WITH GRANT OPTION;
GRANT SELECT ON myschema2.t2 TO <<user that will own the view>> WITH GRANT OPTION;
If the problem is not with the privileges on the underlying objects, the problem is most likely that you have not been granted the CREATE VIEW privilege.
That sounds like you don't have the CREATE VIEW privilege. If you didn't have access to the tables, you should get ORA-00942: table or view does not exist.
I have tables in Schema A. I created views in Schema B using the tables in schema A.
I want to grant permissions to a user to select the data from view in Schema B.
For this to work i know we have to enable the grant option on tables in Schema A to user B.
But I want to do it in a single script (This script has to be in schema B). Is there a way to do this using the user name/password of schema A.
It's not unusual to want to have a single script to deploy a change. The thing is, such a script needs to be run by a power user, because it needs to have system privileges at the ANY level. This usually means a DBA account, preferably an application account but otherwise SYSTEM or SYS.
So the script you want would look like this:
grant select on user_a.t23 to user_b
/
grant select on user_a.t42 to user_b
/
create view user_b.v_69 as
select t23.col1, t42.col2
from user_a.t42
join user_a.t23
on (t42.id = t23.id)
/
grant select on user_b.v_69 to user_c
/
A common scenario is that we have a suite of individual scripts which have been written to be run by different users but which we now need to bundle up into a single deployment. The original scripts don't contain the schema names, and there are many good reasons why we wouldn't want to hardcode them in the scripts.
One way to build that master script is to use change the CURRENT_SCHEMA syntax:
alter session set current_schema=USER_A
/
#run_grants_to_userb.sql
alter session set current_schema=USER_B
/
#create_view69.sql
#run_grants_to_userc.sql
We still need a DBA user to run the master script. One advantage of switching the current schema is that it allows us to deploy objects like database links, which through a quirk of syntax cannot have the schema name in their declaration. One gotcha is that the user doesn't change, so a script which employs the USER pseudo-column may produce unwanted results.
Simply Run the query
GRANT INSERT, SELECT, UPDATE, DELETE ON TABLE1 TO SCHEMA2;
Only by connecting as user A at some point. You can still do it in one script if you really want to:
connect userA/passwordA
grant select on my_table to userB;
connect userB/passwordB
create view my_view as select * from userA.my_table;
Of course now you have a script lying around which exposes two sets of user credentials to anyone who can read it. So something to think hard about before doing in production, for example.
If you want other users to be able to select from the view, you don't need to grant explicit permissions on userA.my_table to them; as long as the view owner can see the underlying table, other users just need to be able to see the view. Which is often kinda the point (or one of them) as you can restrict the view to only expose selected data from the underlying table to the rest of the world. I assume you have a reason for not creating the view in schema A.
I'm not sure if you're really asking about granting select to user B with admin option so that user B can then grant select on user A's table to other people. If that's possible, it doesn't sound like a good idea, and isn't necessary for the view to work.
Let user A grant select on his tables to B and include the 'grant option'.
As user A:
GRANT select ON table TO user_b WITH GRANT OPTION;
Let user B grant select on his views to user A and include the 'grant option'.
As user B:
GRANT select ON view TO user_a WITH GRANT OPTION;
As user A:
GRANT select on user_b.view TO user_c;
This allows user A to pass this grant on to other users.
When I try to execute a view that includes tables from different schemas an ORA-001031 Insufficient privileges is thrown. These tables have execute permission for the schema where the view was created. If I execute the view's SQL Statement it works. What am I missing?
Finally I got it to work. Steve's answer is right but not for all cases. It fails when that view is being executed from a third schema. For that to work you have to add the grant option:
GRANT SELECT ON [TABLE_NAME] TO [READ_USERNAME] WITH GRANT OPTION;
That way, [READ_USERNAME] can also grant select privilege over the view to another schema
As the table owner you need to grant SELECT access on the underlying tables to the user you are running the SELECT statement as.
grant SELECT on TABLE_NAME to READ_USERNAME;
Q. When is the "with grant option" required ?
A. when you have a view executed from a third schema.
Example:
schema DSDSW has a view called view_name
a) that view selects from a table in another schema (FDR.balance)
b) a third shema X_WORK tries to select from that view
Typical grants:
grant select on dsdw.view_name to dsdw_select_role;
grant dsdw_select_role to fdr;
But: fdr gets
select count(*) from dsdw.view_name;
ERROR at line 1:
ORA-01031: insufficient privileges
issue the grant:
grant select on fdr.balance to dsdw with grant option;
now fdr:
select count(*) from dsdw.view_name;
5 rows
Let me make a recap.
When you build a view containing object of different owners, those other owners have to grant "with grant option" to the owner of the view. So, the view owner can grant to other users or schemas....
Example:
User_a is the owner of a table called mine_a
User_b is the owner of a table called yours_b
Let's say user_b wants to create a view with a join of mine_a and yours_b
For the view to work fine, user_a has to give "grant select on mine_a to user_b with grant option"
Then user_b can grant select on that view to everybody.
If the view is accessed via a stored procedure, the execute grant is insufficient to access the view. You must grant select explicitly.
If the view is accessed via a stored procedure, the execute grant is insufficient to access the view. You must grant select explicitly.
simply type this
grant all on to public;
To use a view, the user must have the appropriate privileges but only for the view itself, not its underlying objects. However, if access privileges for the underlying objects of the view are removed, then the user no longer has access. This behavior occurs because the security domain that is used when a user queries the view is that of the definer of the view. If the privileges on the underlying objects are revoked from the view's definer, then the view becomes invalid, and no one can use the view. Therefore, even if a user has been granted access to the view, the user may not be able to use the view if the definer's rights have been revoked from the view's underlying objects.
Oracle Documentation
http://docs.oracle.com/cd/B28359_01/network.111/b28531/authorization.htm#DBSEG98017
you may also create view with schema name
for example create or replace view schema_name.view_name as select..