Oracle19c -Create Role User Under the Tablespace - oracle

Hello. How can I create roles with ReadOnly (select any tables under the tablespace) and InsertUpdateRoleOnly (to insert and update data, not delete) under my tablespace, with local access for these users?

Tables are owned by someone. The owner grants privileges to other users or to roles; in your case, it'll be a role. As the role doesn't depend on a tablespace (you mentioned), you'd create it as simple as
create role r_read_only;
Then, the owner would grant SELECT privilege on its tables to that role, e.g.
grant select on emp to r_read_only;
grant select on dept to r_read_only;
Such a role would be granted to other users, e.g.
grant r_read_only to littlefoot;
and user littlefoot will be able to select from those tables.
The same goes for your other role, no difference:
create role r_upd_ins;
grant insert, update on emp to r_upd_ins;
grant r_upd_ins to bigfoot;

Privileges cannot be granted at the tablespace level. You must grant privileges to specific tables, e.g.:
create role read_data_role;
grant select on [owner].[table_name] to read_data_role;
create role update_data_role;
grant insert, update on [owner].[table_name] to update_data_role;
grant read_data_role, update_data_role to [username];
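
Because grants are per table, covering "everything in a tablespace" means generating one grant per table from the data dictionary. The block below is an added example, not part of either answer above; APP_DATA is a hypothetical tablespace name, and r_read_only and r_upd_ins are the roles created in the first answer.

```sql
-- Added example. APP_DATA is a hypothetical tablespace name; r_read_only and
-- r_upd_ins are the roles from the first answer above.
-- Run as a user who can read DBA_TABLES and grant on other schemas' tables
-- (the table owner, or a holder of GRANT ANY OBJECT PRIVILEGE).
SET SERVEROUTPUT ON
DECLARE
  c_tablespace CONSTANT VARCHAR2(128) := 'APP_DATA';
  v_target     VARCHAR2(300);
  v_granted    PLS_INTEGER := 0;
BEGIN
  FOR t IN (SELECT owner, table_name
              FROM dba_tables
             WHERE tablespace_name = c_tablespace
               AND owner NOT IN ('SYS', 'SYSTEM')   -- never touch dictionary owners
             ORDER BY owner, table_name)
  LOOP
    -- Quote both identifiers so mixed-case or unusual table names cannot
    -- change the meaning of the generated statement.
    v_target := DBMS_ASSERT.ENQUOTE_NAME(t.owner, FALSE) || '.'
             || DBMS_ASSERT.ENQUOTE_NAME(t.table_name, FALSE);
    BEGIN
      EXECUTE IMMEDIATE 'GRANT SELECT ON ' || v_target || ' TO r_read_only';
      EXECUTE IMMEDIATE 'GRANT INSERT, UPDATE ON ' || v_target || ' TO r_upd_ins';
      v_granted := v_granted + 1;
    EXCEPTION
      WHEN OTHERS THEN
        -- Report and continue: one table that cannot be granted
        -- should not stop the rest of the run.
        DBMS_OUTPUT.PUT_LINE('skipped ' || v_target || ': ' || SQLERRM);
    END;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(v_granted || ' tables granted to r_read_only / r_upd_ins');
END;
/

-- Check the result: what each role can now do, per table.
-- DELETE should not appear for either role.
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee IN ('R_READ_ONLY', 'R_UPD_INS')
 ORDER BY owner, table_name, grantee, privilege;
```

The grants are a snapshot: tables created in the tablespace later are not covered until the block is run again. Partitioned tables have a NULL tablespace_name in DBA_TABLES, so this query does not pick them up.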

Related

Grant privileges on Roles but user cannot be granted

I have granted roles to users and granted some privileges to the roles:
--Grant roles for users
GRANT DataEntry TO John, Joe, Lynn;
GRANT Supervisor TO Fred;
GRANT Management TO Amy, Beth;
--Grant on table to roles
GRANT SELECT, INSERT, UPDATE ON Attendance TO DataEntry;
GRANT SELECT, DELETE ON Attendance TO Supervisor;
GRANT SELECT ON Attendance TO Management;
However, when I query the dba_sys_privs table for the user John, for example, I do not see the privileges which the DataEntry role has. What is happening here?
John has been granted the role, not the privileges of the role directly. John will be able to take advantage of those privileges through the role. This means that if you were to revoke the role from the user, Oracle wouldn't need to go back and figure out which privileges were obtained through the role and revoke those too - this would be a challenge as a user might be granted multiple roles that provide the same privilege. It is much more efficient for Oracle to check if a user has access to a necessary privilege at parse time (which doesn't happen often).
If you want to see all the table privileges a user is able to use then you would need to look at both dba_tab_privs and dba_role_privs. Remember that a role can be granted another role so you would need to do a recursive query to identify all of those too:
with grantees (schema) as
(Select username schema
from dba_users
where username = 'JOHN'
union all
select rp.granted_role
from grantees g
join dba_role_privs rp
on g.schema = rp.grantee
)
select *
from dba_tab_privs sp
where sp.grantee in (select g.schema from grantees g)

How to grant privileges to one user to access other users in Oracle?

There are 3 schemas: DEMO1, DEMO2, DEMO3
I want to grant DEMO1 permissions to perform all the operations on DEMO2 and not DEMO3.
ALL Operations means: Select, Update, Insert, Delete
How can I grant the privileges for that in Oracle SQL Developer?
You can't really do that. With many DDL privileges - as astentx pointed out - you either are constrained to what you own, or you can affect ANY table in the system, not just one other user. There's no middle ground unless you're also working with add-on enterprise products like Database Vault. If you're talking about DML (insert, update, delete of data), then grant the specific table privileges to a role and grant the role to DEMO1.
create role demo2_dml;
grant insert, update, delete on demo2.table_a to demo2_dml;
grant insert, update, delete on demo2.table_b to demo2_dml;
...
grant demo2_dml to demo1;
alter user demo1 default role all;
Alternatively, if you must have DDL privileges as well, you could give DEMO1 proxy privileges to become DEMO2 and assume all of its privileges on its objects.
alter user demo2 grant connect through demo1;
Then connect using demo1[demo2] as the username, with demo1's password:
connect demo1[demo2]/demo1password@database_service
demo1 then becomes demo2 (without needing to know demo2's password) and can do anything demo2 would be able to do. demo1 would not have access to its own objects while doing this, however.

Oracle grant Privilege User A to User B

I created users A and B as the system admin
-- CREATE USER1 SQL
CREATE USER USERA IDENTIFIED BY 123456 ;
GRANT CREATE SESSION TO USERA;
CREATE USER USERB IDENTIFIED BY 123456 ;
GRANT CREATE SESSION TO USERB;
and set Privileges to USERA
-- SYSTEM PRIVILEGES USERA
GRANT CREATE TABLE TO USERA;
GRANT DELETE ANY TABLE TO USERA;
GRANT GRANT ANY PRIVILEGE TO USERA;
and create table by USERA
CREATE TABLE tableA
(ID VARCHAR2(5)
, DATA VARCHAR2(20) );
and, as USERA, granted USERB the select privilege on tableA
GRANT SELECT ON tableA to USERB;
but USERB can't select tableA
ERROR:ORA-00942: table or view does not exist
How do I solve the problem?
If you don't specify the owner for a table, Oracle will assume the owner is the current user.
select * from usera.tablea;
To avoid this issue, it's usually recommended to create a local synonym (owned by userb):
create synonym userb.tablea for usera.tablea;
Now, userb can query the table:
select * from tablea;

Granting DML and DBA Privileges

I have a data table called Employees. Say I want to grant only all DML privileges to a user called Shelby. Does this statement work?
grant all on employees to shelby;
But doesn't that grant a lot more than just DML privileges? What is the proper way to do it?
Now let's say I want to grant only all DBA privileges to Shelby. I wrote the statement:
grant dba on employees to shelby;
But this returns the error "missing or invalid privilege". How do I fix this?
If you want to give "system" privileges ("global" privileges)
grant dba to shelby;
if you want to give "object" privileges (on particular objects, tables, views, etc..)
grant select on employees to shelby;
grant insert on employees to shelby;
grant update, alter on employees to shelby;

Why I can create a synonym but no give grant select to the same table?

I am trying to grant access to a table from schema1 to schema2 (oracle10g).
I created a synonym on schema2:
CREATE SYNONYM schema2.table FOR schema1.table;
The synonym was created successfully.
Then I tried to grant select on the same table:
grant select on schema1.table to schema2;
I got:
ORA-00942: table or view does not exist
This doesn't make sense to me. I was able to create the synonym but not the grant. What am I doing wrong?
I am not able to get the table from schema2:
select * from table;
ORA-00942: table or view does not exist
If I have "CREATE ANY SYNONYM" rights, I can create the synonym for the table in schema 1 in schema 2 without needing grants on the underlying objects. If I don't have rights on the schema1 table (GRANT WITH GRANT OPTION) to re-grant it to another user, then I can't also do the grant from this user.
Solution, log in as schema1 and do the grant there and then the synonym will work under schema2, or ensure that the user I AM logged in under has the rights to confer the grant on the schema1 object.
Per your comment:
Log in as schema1 and grant whichever operations you want schema2 to have on your table.
e.g.
SQL> GRANT SELECT, INSERT, UPDATE, DELETE on TABLE to SCHEMA2;
SCHEMA2 will then be able to see the table through its synonym, and be permitted those operations on it.
If SCHEMA2 is going to use this table in a view that it will then be granting select access to other schemas to use, then you need to add "WITH GRANT OPTION" to the initial grant from schema1 or schema2 will not be able to re-grant permissions on to other users.
You can create synonyms for objects that don't actually exist e.g.
create synonym flub for blib;
...so the fact that you were able to create a synonym does not mean the object exists.
