I have created a common user c##user and it has been assigned the following permissions:
GRANT CREATE SESSION TO c##user CONTAINER=ALL;
GRANT SET CONTAINER TO c##user CONTAINER=ALL;
GRANT SELECT ON V_$DATABASE TO c##user CONTAINER=ALL;
GRANT FLASHBACK ANY TABLE TO c##user CONTAINER=ALL;
GRANT SELECT ANY TABLE TO c##user CONTAINER=ALL;
GRANT SELECT_CATALOG_ROLE TO c##user CONTAINER=ALL;
GRANT EXECUTE_CATALOG_ROLE TO c##user CONTAINER=ALL;
GRANT SELECT ANY TRANSACTION TO c##user CONTAINER=ALL;
GRANT SELECT ANY DICTIONARY TO c##user CONTAINER=ALL;
GRANT LOGMINING TO c##user CONTAINER=ALL;
GRANT CREATE TABLE TO c##user CONTAINER=ALL;
GRANT ALTER ANY TABLE TO c##user CONTAINER=ALL;
GRANT LOCK ANY TABLE TO c##user CONTAINER=ALL;
GRANT CREATE SEQUENCE TO c##user CONTAINER=ALL;
GRANT EXECUTE ON DBMS_LOGMNR TO c##user CONTAINER=ALL;
GRANT EXECUTE ON DBMS_LOGMNR_D TO c##user CONTAINER=ALL;
GRANT SELECT ON V_$LOGMNR_LOGS TO c##user CONTAINER=ALL;
GRANT SELECT ON V_$LOGMNR_CONTENTS TO c##user CONTAINER=ALL;
GRANT SELECT ON V_$LOGFILE TO c##user CONTAINER=ALL;
GRANT SELECT ON V_$ARCHIVED_LOG TO c##user CONTAINER=ALL;
GRANT SELECT ON V_$ARCHIVE_DEST_STATUS TO c##user CONTAINER=ALL;
Yet when I connect with this user to the CDB$ROOT and run SELECT * FROM V$CONTAINERS, the only row that is returned is the one for the CDB$ROOT, even though there is an ORCLPDB1 that is open and available. If I execute:
ALTER SESSION SET CONTAINER=ORCLPDB1;
SELECT * FROM V$CONTAINERS;
Then the query only returns information for ORCLPDB1 as the documentation says it should. But why when I am connected to the CDB root and I run the same query against V$CONTAINERS do I not see any PDBs?
It's my understanding that the common user should see ORCLPDB1 in the V$CONTAINERS view only when I am connected to the CDB$ROOT, but that's not happening. Is there a permission problem here that I don't see?
UPDATE
It looks like the common user must be explicitly given access to container data using the following executed by an administrator for the V$CONTAINERS view to return results besides the current container.
ALTER USER c##user SET CONTAINER_DATA=(CDB$ROOT,ORCLPDB1) CONTAINER=CURRENT;
Is that the expected way to handle this?
Yes, this is expected behavior of the system.
As per Oracle documentation:
Extended data-linked Oracle-supplied data dictionary objects
This type of object stores data pertaining to the CDB root, as well as
data pertaining to individual PDBs.
When this type of object is queried from the CDB root, only data
pertaining to the CDB root is returned.
So V$CONTAINERS is an extended data object, as it contains data about both the root and the other PDBs, and hence by default it will only show data about the root.
ALTER USER c##user SET CONTAINER_DATA=(CDB$ROOT,ORCLPDB1) CONTAINER=CURRENT;
The ALTER above will enable the system to show data about the ORCLPDB1 PDB as well; if you alter it again as below, it will show data for ROOT only:
ALTER USER c##user SET CONTAINER_DATA=(CDB$ROOT) CONTAINER=CURRENT;
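An added example (not part of the answer above) that narrows the same fix: instead of exposing every container-data object, CONTAINER_DATA can be set for the one view the user needs, and the result can be checked in DBA_CONTAINER_DATA. The names c##user and ORCLPDB1 are taken from the question; the FOR clause and the REMOVE form are from the ALTER USER syntax in the Oracle documentation, and the statements assume a privileged common user connected to CDB$ROOT.

```sql
-- Added example, not the original poster's statements.
-- Run as a privileged common user (e.g. SYS) while connected to CDB$ROOT.
-- c##user and ORCLPDB1 are the names used in the question above.

-- Option A (the answer's statement): every container-data object
-- queried by c##user from the root now returns rows for both containers.
-- ALTER USER c##user SET CONTAINER_DATA = (CDB$ROOT, ORCLPDB1) CONTAINER = CURRENT;

-- Option B (narrower): only V$CONTAINERS returns ORCLPDB1 rows; all other
-- container-data views keep their default of "current container only".
ALTER USER c##user
  SET CONTAINER_DATA = (CDB$ROOT, ORCLPDB1)
  FOR V$CONTAINERS
  CONTAINER = CURRENT;

-- Verify what was actually granted. ALL_CONTAINERS = 'Y' on a row would
-- mean the attribute was set with SET CONTAINER_DATA = ALL for that object.
SELECT username, owner, object_name, all_containers, container_name
  FROM dba_container_data
 WHERE username = 'C##USER'
 ORDER BY object_name, container_name;

-- Revert once the cross-container view is no longer required.
ALTER USER c##user REMOVE CONTAINER_DATA FOR V$CONTAINERS CONTAINER = CURRENT;
```

The per-object form is the one to prefer for a LogMiner or monitoring account: it keeps the grant list at the top of the question meaningful, because the account still cannot read PDB rows from any other container-data view it happens to have SELECT on.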
I created a user "UserA" and granted it Create session, user, tablespace privileges.
Now, logged in as "UserA", I have successfully created another user "UserB" but I am unable to run grant privileges to "UserB"; I get the error: ORA-01031: insufficient privileges.
What privileges should "UserA" have to be able to run grant statements?
This is what you currently have (I presume so, as you didn't post what exactly you did):
Connected as a privileged user (sys), I'm creating a new user who's being granted create session and create user privileges:
SQL> connect sys@pdb1 as sysdba
Enter password:
Connected.
SQL> select tablespace_name from dba_tablespaces;
TABLESPACE_NAME
------------------------------
SYSTEM
SYSAUX
UNDOTBS1
TEMP
USERS
SQL> create user usera identified by usera
2 default tablespace users
3 temporary tablespace temp
4 quota unlimited on users;
User created.
SQL> grant create session, create user to usera;
Grant succeeded.
As usera has been granted the create user privilege, it is allowed to create a new user - userb:
SQL> connect usera/usera@pdb1
Connected.
SQL> create user userb identified by userb
2 default tablespace users
3 temporary tablespace temp
4 quota unlimited on users;
User created.
But, granting create session fails because usera isn't allowed to do that:
SQL> grant create session to userb;
grant create session to userb
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL>
So, what can you do?
One option is to use the with admin option; back to sys and re-grant it to usera:
SQL> connect sys@pdb1 as sysdba
Enter password:
Connected.
SQL> grant create session to usera with admin option;
Grant succeeded.
Can usera now grant create session to userb? Yes!
SQL> connect usera/usera@pdb1
Connected.
SQL> grant create session to userb;
Grant succeeded.
SQL>
Another option is to grant dba role to usera:
SQL> connect sys@pdb1 as sysdba
Enter password:
Connected.
Revoking create session from usera will cascade to userb who can't create session any more:
SQL> revoke create session from usera;
Revoke succeeded.
Only usera has create session privilege:
SQL> grant create session to usera;
Grant succeeded.
But, grant dba as well:
SQL> grant dba to usera;
Grant succeeded.
Can usera now grant create session to userb? Yes!
SQL> connect usera/usera@pdb1
Connected.
SQL> grant create session to userb;
Grant succeeded.
SQL>
However: note that both with admin option and dba are powerful and - if you don't pay attention - you might have a security hole in your system. Leave powerful privileges to powerful users only; all the others shouldn't be doing such tasks.
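An added example, not part of the answer above, showing the narrower option the closing warning points at: wrap the privilege in a role and give usera ADMIN OPTION on that role only, then audit who in the database can pass on system privileges or holds DBA. The user names usera, userb and pdb1 come from the answer; the role name app_login_role is an assumption, and the DBA_SYS_PRIVS / DBA_ROLE_PRIVS / ROLE_SYS_PRIVS views are standard Oracle dictionary views.

```sql
-- Added example; usera, userb and pdb1 are from the answer above,
-- app_login_role is a made-up role name.

-- 1. As SYS: package the privilege in a role and let usera administer
--    only that role (not the underlying system privilege, not DBA).
CREATE ROLE app_login_role;
GRANT CREATE SESSION TO app_login_role;
GRANT app_login_role TO usera WITH ADMIN OPTION;

-- 2. As usera (connect usera/usera@pdb1): hand the role to userb.
--    usera still cannot grant arbitrary system privileges to anyone.
GRANT app_login_role TO userb;

-- 3. As SYS: audit. Anyone outside SYS/SYSTEM who can re-grant a system
--    privilege, or who holds DBA, deserves a second look.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee, privilege;

SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 4. Confirm userb reached CREATE SESSION only through the role.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'USERB';

SELECT role, privilege
  FROM role_sys_privs
 WHERE role = 'APP_LOGIN_ROLE';
```

Run against the state the answer ends in (usera holding DBA), the second audit query returns usera, which is exactly the kind of row the warning in the answer is about.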
I'm attempting to run the following command, as I am trying to get LogMiner to log my database. When I run it, I get an Insufficient Privileges error:
ALTER DATABASE ADD SUPPLEMENTAL LOG DATA;
I have to run it as a specific user, so I need to know what Granted Roles and/or System Privileges are required to run this statement.
I'm not a DBA (and stuff like that is supposed to be run by a DBA), but: a privileged user should grant you (as you said that you'll be running it yourself) the ALTER DATABASE privilege:
scott is just a poor user:
SQL> show user
USER is "SCOTT"
SQL>
SQL> alter database add supplemental log data;
alter database add supplemental log data
*
ERROR at line 1:
ORA-01031: insufficient privileges
A privileged user is SYS (if you don't have any other):
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> grant alter database to scott;
Grant succeeded.
Back to scott, re-run the statement:
SQL> connect scott/tiger
Connected.
SQL> alter database add supplemental log data;
Database altered.
SQL>
That's the minimum. You could have also granted the DBA role to scott, with the same effect (regarding this very statement, but - DBA is much more powerful):
To illustrate it, revoke the privilege first:
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> revoke alter database from scott;
Revoke succeeded.
Does it still work? Of course not:
SQL> connect scott/tiger
Connected.
SQL> alter database add supplemental log data;
alter database add supplemental log data
*
ERROR at line 1:
ORA-01031: insufficient privileges
Grant DBA role:
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> grant dba to scott;
Grant succeeded.
Does it work now? Yes, it does:
SQL> connect scott/tiger
Connected.
SQL> alter database add supplemental log data;
Database altered.
SQL>
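An added example (not the answer's own SQL*Plus session) that treats the grant as a one-off: confirm the current supplemental-logging state, grant only ALTER DATABASE, run the statement, check the effect in V$DATABASE, and revoke again. The user scott is taken from the answer; SUPPLEMENTAL_LOG_DATA_MIN is a real V$DATABASE column, and the grant, revoke and dictionary queries are assumed to run as SYS.

```sql
-- Added example; scott is the user from the answer above.
-- Dictionary and V$ queries here run as SYS.

-- Before: is minimal supplemental logging already enabled? (NO / YES / IMPLICIT)
SELECT supplemental_log_data_min FROM v$database;

-- Grant only the privilege the statement needs.
GRANT ALTER DATABASE TO scott;

-- Check that exactly this privilege arrived and nothing wider came with it.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'SCOTT';

-- As scott (connect scott/tiger): perform the change.
ALTER DATABASE ADD SUPPLEMENTAL LOG DATA;

-- After (as SYS): the column now reads YES.
SELECT supplemental_log_data_min FROM v$database;

-- The privilege was needed once; take it away and confirm it is gone.
REVOKE ALTER DATABASE FROM scott;

SELECT COUNT(*) AS remaining_grants
  FROM dba_sys_privs
 WHERE grantee = 'SCOTT'
   AND privilege = 'ALTER DATABASE';
```

The revoke at the end is the point: a LogMiner reader account needs the supplemental logging to exist, not the ability to change database-wide settings on an ongoing basis.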
I have created a user, let's call him C##USER from sysdba. Now, I'm trying to create another user from C##USER. Problem is I keep getting the following error:
ORA-01031: insufficient privileges
I have granted C##USER all privileges and have set the default role to ALL. Nothing works yet...
Any ideas? Thanks in advance.
You just need a CREATE USER system privilege, BUT don't forget to use the CONTAINER clause, which should be set to ALL; if you omit this clause, the grantee will have the CREATE USER system privilege on the current container.
Specify CONTAINER = ALL to commonly grant a system privilege, object privilege on a common object, or role, to a common user or common role (from the GRANT documentation).
When a common user account is created, the account is created in all of the open pluggable databases. So the user who is creating this new user must have CREATE USER system privilege on all containers.
SQL> grant create user to c##user container=all;
Grant succeeded.
SQL> conn c##user
Enter password:
Connected.
SQL> create user c##user2 identified by user2;
User created.
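An added example, not from the answer above, that makes the CONTAINER clause visible in the data dictionary: CDB_SYS_PRIVS carries a CON_ID column, so the difference between a local grant and a common grant shows up as one row versus one row per open container. The user name c##user is from the question; the PDB name ORCLPDB1 is borrowed from the first question on this page as a stand-in, and the statements assume SYS connected to CDB$ROOT.

```sql
-- Added example; c##user is from the question, ORCLPDB1 is a stand-in PDB name.
-- Run as SYS while connected to CDB$ROOT.

-- A grant without CONTAINER = ALL is local to the current container (the root).
GRANT CREATE USER TO c##user;

-- One row, CON_ID 1 (CDB$ROOT), COMMON = 'NO'.
SELECT p.con_id, c.name AS container, p.privilege, p.common
  FROM cdb_sys_privs p
  JOIN v$containers c ON c.con_id = p.con_id
 WHERE p.grantee = 'C##USER'
   AND p.privilege = 'CREATE USER'
 ORDER BY p.con_id;

-- The common grant the answer recommends.
GRANT CREATE USER TO c##user CONTAINER = ALL;

-- Now one row per open container, COMMON = 'YES' on each.
SELECT p.con_id, c.name AS container, p.privilege, p.common
  FROM cdb_sys_privs p
  JOIN v$containers c ON c.con_id = p.con_id
 WHERE p.grantee = 'C##USER'
   AND p.privilege = 'CREATE USER'
 ORDER BY p.con_id;

-- Least privilege: if the accounts c##user will create only ever need to
-- exist in one PDB, create them as local users from inside that PDB and
-- grant CREATE USER there instead of commonly.
-- ALTER SESSION SET CONTAINER = ORCLPDB1;
-- GRANT CREATE USER TO c##user;   -- local grant, valid in ORCLPDB1 only
```

CDB_ views list only the containers that are open at query time, so a PDB that is mounted but not open will not appear even after the common grant.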
I've created two users using the below statements using the System user. I want the ADMIN_USER to have all privileges and this user will create a set of tables. I have an external process that is pumping in data for two of my tables created by the ADMIN_USER. The question I have is if the ADMIN_USER creates all the table structures, how do I give EXTERNAL_USER the capability to read, update and insert into TABLE_A and TABLE_B only? Would I run the grant statements when I'm logged in as ADMIN_USER or the SYSTEM user? I'm using Oracle 11g.
Created both while logged in as SYSTEM User:
create user "ADMIN_USER" identified by "p#ssword123";
grant create session, grant any privilege to ADMIN_USER;
create user "EXTERNAL_USER" identified by "p#ssword321";
Logged in as ADMIN_USER:
GRANT create session, select, update, insert
ON TABLE_A
TO EXTERNAL_USER;
GRANT create session, select, update, insert
ON TABLE_B
TO EXTERNAL_USER;
First off, it is terribly unlikely that you want to grant ADMIN_USER the GRANT ANY PRIVILEGE privilege. The user doesn't require any privileges in order to grant object-level privileges on tables that the user owns. The ANY privileges are terribly powerful. A user that can grant any privilege to another user can make any user (including the user itself) a DBA. That is not what you want.
Realistically, as SYSTEM, you want to grant the system privileges that you want the users to have. As the object owner, you would then grant the object-level privileges.
As SYSTEM
CREATE USER admin_user
IDENTIFIED BY "p#ssword123"
DEFAULT TABLESPACE tablespace_name
QUOTA 10M ON tablespace_name;
CREATE USER external_user IDENTIFIED BY "p#ssword321";
GRANT CREATE SESSION, CREATE TABLE TO admin_user;
GRANT CREATE SESSION TO external_user;
As ADMIN_USER
<<create the tables>>
GRANT select, insert, update
ON table_a
TO external_user;
GRANT select, insert, update
ON table_b
TO external_user;
A DBA should also be able to grant object-level privileges. It's generally preferable to use the object owner account for that.
I need to grant privileges to all users, I can do:
GRANT select on table TO user1;
GRANT select on table TO user2;
...
But there are many users. How can I grant this privilege to all users at once?
I tried:
GRANT select on table TO ALL;
But that doesn't work.
grant select on table to public;
But be careful when you do that -- make sure it's what you really want to do.
You should use roles.
Grant permissions to roles.
Grant roles to users.
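An added example, not part of either answer, that serves both the ADMIN_USER / EXTERNAL_USER question earlier on this page and the "grant to all users" question just above: the object owner grants the table privileges to a role, the role is granted to each consumer, and dictionary queries confirm what the role carries and flag anything that was granted to PUBLIC. The user names admin_user and external_user and the tables table_a and table_b come from the earlier question; the role name table_rw_role is an assumption; DBA_TAB_PRIVS and DBA_ROLE_PRIVS are standard Oracle views.

```sql
-- Added example; admin_user, external_user, table_a, table_b are from the
-- earlier question on this page, table_rw_role is a made-up role name.

-- As SYSTEM: system privileges and the (still empty) role.
CREATE ROLE table_rw_role;
GRANT CREATE SESSION TO external_user;
GRANT table_rw_role TO external_user;

-- As ADMIN_USER (the object owner): object privileges go to the role,
-- limited to the operations the external process actually performs.
GRANT SELECT, INSERT, UPDATE ON table_a TO table_rw_role;
GRANT SELECT, INSERT, UPDATE ON table_b TO table_rw_role;

-- Every further consumer is one grant, not one grant per table:
-- GRANT table_rw_role TO another_user;

-- Verify (as a DBA): what does the role carry, and who holds it?
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'TABLE_RW_ROLE'
 ORDER BY owner, table_name, privilege;

SELECT grantee
  FROM dba_role_privs
 WHERE granted_role = 'TABLE_RW_ROLE'
 ORDER BY grantee;

-- Detect the shortcut from the last question: an object privilege granted
-- to PUBLIC in an application schema is readable by every account.
SELECT owner, table_name, grantee, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, table_name, privilege;
```

One caveat worth knowing before choosing roles: privileges received through a role are not available inside definer's-rights PL/SQL units or views that external_user might itself create; for those cases a direct object grant to the user is still required.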