Consider the following information from the Oracle data dictionary,
obtained when the following command is executed:
SELECT grantee,owner,table_name,grantor, privilege, grantable
FROM user_tab_privs;
What are the SQL statements that have been issued to cause these grants to exist in the
dictionary? Also, for each statement, which user executed it?
Review this example and compare it to your output; you'll see which command leads to which result.
User mike:
SQL> show user
USER is "MIKE"
SQL> SELECT grantee,owner,table_name,grantor, privilege, grantable
2 FROM user_tab_privs;
no rows selected
User scott will grant a few things to mike:
SQL> connect scott/tiger
Connected.
SQL> grant select on test to mike;
Grant succeeded.
SQL> grant delete on dept to mike with grant option;
Grant succeeded.
Back to mike, see what has happened:
SQL> connect mike/lion
Connected.
SQL> SELECT grantee,owner,table_name,grantor, privilege, grantable
2 FROM user_tab_privs;
GRANTEE OWNER TABLE_NAME GRANTOR PRIVILEGE GRANTABLE
------- ------ ---------- ---------- ---------- ----------
MIKE SCOTT DEPT SCOTT DELETE YES
MIKE SCOTT TEST SCOTT SELECT NO
SQL>
After you run the following steps, you can get the result you want:
(1) First, log in as Ann and run the SQL statement:
grant select on project to Billy with grant option;
(2) Still as Ann, run the SQL statement:
grant delete on employee to marlam;
(3) Log in as Billy and run the SQL statement:
grant select on project to leah;
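The mapping worked out by hand in this thread can also be read straight from the dictionary. As an added example (not part of the original posts), this query rebuilds each GRANT statement from USER_TAB_PRIVS and takes the issuing user from the GRANTOR column; it covers object privileges only.

```sql
-- Added example: reconstruct the GRANT statements behind the rows of USER_TAB_PRIVS.
-- GRANTOR names the user recorded as having issued the grant;
-- GRANTABLE = 'YES' means the statement carried WITH GRANT OPTION.
SELECT grantor AS executed_by,
       'GRANT ' || privilege
         || ' ON ' || owner || '.' || table_name
         || ' TO ' || grantee
         || CASE grantable WHEN 'YES' THEN ' WITH GRANT OPTION' END
         || ';' AS statement
FROM   user_tab_privs
ORDER  BY grantor, owner, table_name, privilege;
```

When a privileged account grants on another user's object through GRANT ANY OBJECT PRIVILEGE, the dictionary records the object owner as GRANTOR, so this column does not always identify the session that typed the command.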
I have a QUEUE_OWNER schema that has some queues. When I connect the application to that data source everything works fine and the app can read from the queues.
I want to create a _USER schema that has access to the queues so I can connect the app to it and not directly to the _OWNER schema.
This is what I tried:
BEGIN
FOR Q IN (SELECT * FROM ALL_QUEUES WHERE owner = 'AQ_OWNER') LOOP
DBMS_OUTPUT.PUT_LINE('queue = ' ||Q.NAME);
DBMS_AQADM.GRANT_QUEUE_PRIVILEGE('ALL','AQ_OWNER.'||Q.NAME ,'AQ_USER',FALSE);
END LOOP;
END;
but when I put a message in the queue nothing happens in the app.
How about a little help of your DBA?
This is what my user SCOTT sees in all_queues:
SQL> select owner, name from all_queues;
OWNER NAME
------------------------------ ------------------------------
SYS SRVQUEUE
SYS SCHEDULER_FILEWATCHER_Q
SYS SCHEDULER$_EVENT_QUEUE
However, I'd like to see some other data. SYS almighty sees it all:
SQL> show user
USER is "SYS"
SQL> select owner, name from dba_queues;
OWNER NAME
------------------------------ ------------------------------
SYS SYS$SERVICE_METRICS
SYS AQ$_SYS$SERVICE_METRICS_TAB_E
SYSTEM DEF$_AQERROR
SYSTEM AQ$_DEF$_AQERROR_E
SYSTEM DEF$_AQCALL
SYSTEM AQ$_DEF$_AQCALL_E
SYS AQ$_KUPC$DATAPUMP_QUETAB_E
<snip>
Still connected as SYS, I'll create a view which shows data only for the owner I choose (there's nothing much to choose in my XE database so I'll use SYSTEM-owned values). Then grant select privilege to SCOTT:
SQL> create or replace view v_dba_queues as
2 select name
3 from dba_queues
4 where owner = 'SYSTEM';
View created.
SQL> grant select on v_dba_queues to scott;
Grant succeeded.
Back to SCOTT: to make my life simpler, I'll create a synonym first:
SQL> connect scott/tiger
Connected.
SQL> create synonym v_dba_queues for sys.v_dba_queues;
Synonym created.
Finally:
SQL> select * from v_dba_queues;
NAME
------------------------------
DEF$_AQERROR
AQ$_DEF$_AQERROR_E
DEF$_AQCALL
AQ$_DEF$_AQCALL_E
SQL>
Basically, you'd do the same; it's just that your view would contain data for owner = 'QUEUE_OWNER'. See if it helps.
I have two schemas, Schema-1 and Schema-2. I want to create one superuser who can access both schemas (Schema-1 and Schema-2).
I want to create the user with a command in Oracle 11g. Is it possible?
Such a user already exists; it is called SYS, who owns the database. Though, it is not a very good idea to use it for daily jobs - you'd rather (as you wanted) create your own "superuser" who is capable of doing such things. For example:
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> create user superuser identified by superman;
User created.
SQL> grant dba to superuser;
Grant succeeded.
OK, let's try it:
SQL> connect superuser/superman
Connected.
SQL> select count(*) From scott.emp;
COUNT(*)
----------
14
SQL> select table_name from dba_tables where owner = 'MIKE';
TABLE_NAME
------------------------------
EMP
DEPT
BONUS
SALGRADE
DUMMY
ABC
6 rows selected.
SQL> select * from mike.abc;
KEY ID SEQ THINGS DESCR
---------- ---------- ---------- ---------- ----------
1 1 0 Food Chicken
2 1 1 Cars BMW
3 1 2 Sport Soccer
4 2 0 Food Mutton
5 2 1 Cars Ford
6 2 2 Sport Tennis
6 rows selected.
SQL>
Now, is DBA the right role for that user, I can't tell. Maybe it is not, so perhaps you'd rather grant only the required set of privileges. Which set is it, I can't tell either.
Maybe it would be enough to grant e.g. select privileges to superuser for both schema1 and schema2 users' tables. Though, you can't do that in a single command - you'd have to do it separately for each user and for each of their tables (which means a lot of grant select statements). Let's try it:
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> revoke dba from superuser;
Revoke succeeded.
SQL>
It is a boring job writing statement-by-statement, so I'll write code to write code for me:
SQL> select 'grant select on ' || owner ||'.' ||table_name || ' to superuser;' str
2 from dba_tables
3 where owner in ('SCOTT', 'MIKE')
4 order by owner, table_name;
STR
--------------------------------------------------------------------------------
grant select on MIKE.ABC to superuser;
grant select on MIKE.BONUS to superuser;
grant select on MIKE.DEPT to superuser;
<snip>
grant select on SCOTT.TEST_B to superuser;
grant select on SCOTT.TEST_D to superuser;
26 rows selected.
SQL>
OK; now copy/paste the above grant statements and run them.
SQL> grant select on MIKE.ABC to superuser;
Grant succeeded.
SQL> grant select on MIKE.BONUS to superuser;
Grant succeeded.
SQL> grant select on MIKE.DEPT to superuser;
Grant succeeded.
<snip>
SQL> grant select on SCOTT.TEST_B to superuser;
Grant succeeded.
SQL> grant select on SCOTT.TEST_D to superuser;
Grant succeeded.
SQL>
Does it work?
SQL> connect superuser/superman
ERROR:
ORA-01045: user SUPERUSER lacks CREATE SESSION privilege; logon denied
Warning: You are no longer connected to ORACLE.
SQL>
Aha! Not just yet! Revoking DBA revoked a large set of privileges, so superuser now exists as a user, but can't do anything. So, let's let it connect to the database:
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> grant create session to superuser;
Grant succeeded.
SQL> connect superuser/superman
Connected.
SQL> select * From scott.dept;
DEPTNO DNAME LOC
---------- -------------- -------------
10 ACCOUNTING NEW YORK
20 RESEARCH DALLAS
30 SALES CHICAGO
40 OPERATIONS BOSTON
SQL> select * From mike.abc;
KEY ID SEQ THINGS DESCR
---------- ---------- ---------- ---------- ----------
1 1 0 Food Chicken
2 1 1 Cars BMW
3 1 2 Sport Soccer
4 2 0 Food Mutton
5 2 1 Cars Ford
6 2 2 Sport Tennis
6 rows selected.
SQL>
Right; much better. That's what I meant by saying "grant only required set of privileges"; don't grant more privileges than someone really needs.
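The copy/paste step above can be replaced by a block that issues the grants itself and collects them in a role, so the access can be reviewed and revoked in one place. This is an added example, not code from the answer; the role name READ_BOTH_SCHEMAS is hypothetical, and SCOTT, MIKE and SUPERUSER are the names used above.

```sql
-- Added example; run as a DBA-privileged user.
-- READ_BOTH_SCHEMAS is a hypothetical role name.
CREATE ROLE read_both_schemas;

SET SERVEROUTPUT ON
DECLARE
  l_stmt VARCHAR2(400);
BEGIN
  FOR t IN (SELECT owner, table_name
            FROM   dba_tables
            WHERE  owner IN ('SCOTT', 'MIKE')
            ORDER  BY owner, table_name)
  LOOP
    -- ENQUOTE_NAME double-quotes each identifier, so mixed-case or unusual
    -- table names cannot change the meaning of the generated statement.
    l_stmt := 'GRANT SELECT ON '
              || DBMS_ASSERT.ENQUOTE_NAME(t.owner, FALSE) || '.'
              || DBMS_ASSERT.ENQUOTE_NAME(t.table_name, FALSE)
              || ' TO read_both_schemas';
    BEGIN
      EXECUTE IMMEDIATE l_stmt;
    EXCEPTION
      WHEN OTHERS THEN
        -- Report and continue: one table that cannot be granted
        -- should not stop the remaining grants.
        DBMS_OUTPUT.PUT_LINE('FAILED: ' || l_stmt || ' -> ' || SQLERRM);
    END;
  END LOOP;
END;
/

-- The user needs the role plus the right to log on, nothing more.
GRANT read_both_schemas TO superuser;
GRANT CREATE SESSION TO superuser;

-- Review what the role ended up with; compare against the table list.
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'READ_BOTH_SCHEMAS'
ORDER  BY owner, table_name;
```

Tables created later in either schema are not covered; the block has to be run again to pick them up.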
I have a view V1 in schema A and want to select from it from schema B.
View V1 includes system dictionaries (dba_objects, sys.$views and others).
Privileges were granted by my admin at my request:
grant select on dba_objects to A
grant select on sys.$views to A
grant select on dba_objects to B
grant select on sys.$views to B
grant select on A.V1 to B
But I get the error: insufficient privileges
I understand that the with grant option is needed:
grant select on dba_objects to A with grant option
grant select on sys.$views to A with grant option
But my administrator can't give with grant option.
Any ideas how to select from the view from another schema without with admin option?
Thanks!
For dictionary objects, use a create view & public synonym combination in sys, and then you may use it in any ordinary schema:
SQL> create or replace view v_objects as select * from dba_objects;
SQL> create or replace synonym v_objects2 for v_objects;
SQL> grant select on v_objects2 to A with grant option;
SQL> conn A/pwdA
SQL> create or replace view v_objectsA as select * from sys.v_objects2;
SQL> conn B/pwdB
SQL> create or replace view v_objectsB as select * from sys.v_objects2;
I am trying to grant a role to another user in Oracle. Although I got "Grant succeeded", it doesn't appear that the user got the role. Can anyone help?
SQL> select * from students;
no rows selected
SQL> Grant select on students to C##reine;
Grant succeeded.
SQL> disconnect
Disconnected from Oracle Database 12c Release 12.1.0.1.0 - 64bit Production
SQL> connect
Enter user-name: C##reine
Enter password:
Connected.
SQL> select * from students;
select * from students
*
ERROR at line 1:
ORA-00942: table or view does not exist
SQL>
I'm sure user C##reine has the role. If you log in as C##reine and try the following query you should see it:
SELECT * FROM User_Tab_Privs
WHERE Table_Name = 'STUDENTS';
The problem is that the table is in another schema, so C##reine needs to alias the table when querying (note that a comment posted after this answer provided the actual schema name):
SELECT * FROM C##jad.students;
To make the table visible to the user without aliasing, try this:
-- As user C##reine
CREATE SYNONYM STUDENTS FOR C##jad.STUDENTS;
User C##reine will need to have the CREATE SYNONYM system privilege.
The user needs to qualify the table with its owner schema:
select * from xyz.students
I want to know the list of all users who have root (administrative) privilege in Oracle.
I would like it in a script or C++ application. Script is preferred.
Exactly what do you mean by "root" or "administrative" privileges in Oracle? Do you want the users granted SYSDBA? Or, in the older Oracle releases, there was the DBA role, which had an extensive set of privileges that gave the user the ability to do most anything. It has a reduced set of capabilities in 11g. The answer given by @client09 is valuable for identifying exactly what each user can do.
To me, the root user in Oracle is the SYSDBA account, by default the SYS user. Anyone granted this privilege can log in "AS SYSDBA", which gives that user complete control of the database. You can list the users granted this privilege via this select:
SELECT * FROM v$pwfile_users;
Interestingly enough, if I'm granted the SYSDBA role, and I log in as sysdba, the actual user in the Oracle session is SYS:
SQL> create user test identified by test;
User created.
SQL> grant create session to test;
Grant succeeded.
SQL> grant sysdba to test;
Grant succeeded.
SQL> connect test/test as sysdba
Connected.
SQL> select user from dual;
USER
------------------------------
SYS
SQL> select * from v$pwfile_users;
USERNAME SYSDB SYSOP SYSAS
------------------------------ ----- ----- -----
SYS TRUE TRUE FALSE
TEST TRUE FALSE FALSE
Here is how you find privileges of your users:
select
lpad(' ', 2*level) || granted_role "User, his roles and privileges"
from
(
/* THE USERS */
select
null grantee,
username granted_role
from
dba_users
/* THE ROLES TO ROLES RELATIONS */
union
select
grantee,
granted_role
from
dba_role_privs
/* THE ROLES TO PRIVILEGE RELATIONS */
union
select
grantee,
privilege
from
dba_sys_privs
)
start with grantee is null
connect by grantee = prior granted_role;
This will show you which users have inflated privileges. You can execute this in a shell script by typing
sqlplus / as sysdba --(if you are root on the box)
spool user_privileges.txt
@whos_a_root.sql --(if that's what you call your script)
spool off
exit;
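To narrow the two answers above to a direct list of administrative accounts, the following added example (not from either answer) reports users who hold the DBA role directly or through nested roles, together with the accounts that have SYSDBA in the password file. It assumes the session can read DBA_USERS, DBA_ROLE_PRIVS and V$PWFILE_USERS.

```sql
-- Added example: users with DBA (directly or via nested roles) or SYSDBA.
WITH role_paths AS (
  -- Every row of DBA_ROLE_PRIVS is a starting point. Walk from a grantee to
  -- its granted role, then to the roles granted to that role, remembering
  -- where the walk began and the chain of roles followed.
  SELECT CONNECT_BY_ROOT grantee                  AS root_grantee,
         granted_role,
         SYS_CONNECT_BY_PATH(granted_role, ' > ') AS role_path
  FROM   dba_role_privs
  CONNECT BY PRIOR granted_role = grantee
)
SELECT u.username,
       'DBA role'  AS reason,
       p.role_path AS detail
FROM   dba_users u
JOIN   role_paths p ON p.root_grantee = u.username
WHERE  p.granted_role = 'DBA'
UNION ALL
SELECT username,
       'password file',
       'SYSDBA'
FROM   v$pwfile_users
WHERE  sysdba = 'TRUE'
ORDER  BY 1, 2;
```

The DETAIL column shows the chain of roles that leads to DBA, which makes an indirect grant visible when reviewing the output.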