This question already has an answer here:
How can i see if an owner has permissions to execute a Store Procedure in Oracle
(1 answer)
Closed 3 years ago.
For a business need, I've tried to get the list of (users, roles, ..) whom have a privileges (execute, debug, ...) on an Oracle procedure on an Oracle database.
Firstly, I've tried to check its script creation but they didn't exist.
Now I want to get the query which can retreive me this information.
Simply, this query can be executed to get the needed result:
SELECT * FROM DBA_TAB_PRIVS
WHERE OWNER = 'OFFER'
and table_name ='PROC_NAME';
A procedure itself doesn't have any "privileges"; they are granted to user or to role.
The only privilege granted on a procedure is EXECUTE.
Related
This question already has answers here:
How to replicate schema with the same privileges of an existing account in oracle?
(2 answers)
Closed 10 months ago.
I have 2 user A and B. They all have some privileges of their own.
Now, i want to give all A's privileges to B.
Is there any way (instantly,...) to do that but write a script to give that grant for each user (by select from USER_SYS_PRIVS - i mean when i have a lot of privileges, it seems impossible to be done!?)?
Thanks in advance!
You can try something like this:
Get all privileges from AAA
SELECT DBMS_METADATA.GET_GRANTED_DDL('ROLE_GRANT','AAA') FROM DUAL;
SELECT DBMS_METADATA.GET_GRANTED_DDL('SYSTEM_GRANT','AAA') FROM DUAL;
SELECT DBMS_METADATA.GET_GRANTED_DDL('OBJECT_GRANT','AAA') FROM DUAL;
Change the DDL commands with the user 'BBB' and execute.
Or
expdp userid=system directory=DATA_PUMP_DIR dumpfile=AAA.dmp schemas=AAA
impdp userid=system directory=DATA_PUMP_DIR dumpfile=AAA.dmp
This question already has answers here:
Grant Select on all Tables Owned By Specific User
(5 answers)
Closed 5 years ago.
I am trying to give schema permissions on all tables in a single instance.
For example, I am in Schema A, and I need to access the tables in Schema A from Schema B.
I tried to grant select on A. * to B and I am getting an invalid table name.
Any idea why I'm getting this error?
Afaik, there's not a direct way to do this. The easiest shortcut I know is to run something like
select 'grant select on A.' || table_name || ' to B;'
from user_tables;
And then copy/paste the results and run that.
This question already has an answer here:
Allowing a users to select from a table
(1 answer)
Closed 8 years ago.
I am trying to grant a role to another user in Oracle. although I got : grant succeeded, it doesn't appear that the user got the role, can anyone help ?
SQL> select * from students;
no rows selected
SQL> Grant select on students to C##reine;
Grant succeeded.
SQL> disconnect
Disconnected from Oracle Database 12c Release 12.1.0.1.0 - 64bit Production
SQL> connect
Enter user-name: C##reine
Enter password:
Connected.
SQL> select * from students;
select * from students
*
ERROR at line 1:
ORA-00942: table or view does not exist
SQL>
I'm sure user C##reine has the role. If you log in as C##reine and try the following query you should see it:
SELECT * FROM User_Tab_Privs
WHERE Table_Name = 'STUDENTS';
The problem is that the table is in another schema, so C##reine needs to alias the table when querying (note that a comment posted after this answer provided the actual schema name):
SELECT * FROM C##jad.students;
To make the table visible to the user without aliasing, try this:
-- As user C##reine
CREATE SYNONYM STUDENTS FOR C##jad.STUDENTS;
User C##reine will need to have the CREATE SYNONYM system privilege.
The user needs to qualify the table with its owner schema:
select * from xyz.students
I've created a package that contains a stored procedure that I plan to invoke from a separate application. The stored procedure will return a sorted list of all the views and tables in the schema. To do that, it performs a simple select on the DBA_TABLES and DBA_VIEWS synonyms, as shown below:
CREATE OR REPLACE
PACKAGE BODY TITAN_ENTITY AS
PROCEDURE GETSCHEMAOBJECTS (RESULTS IN OUT T_CURSOR)
IS
V_CURSOR T_CURSOR;
BEGIN
OPEN V_CURSOR FOR
SELECT 'T' OBJECTTYPE, TABLE_NAME OBJECTNAME
FROM DBA_TABLES
WHERE OWNER = 'SONAR5'
UNION ALL
SELECT 'V' OBJECTTYPE, VIEW_NAME OBJECTNAME
FROM DBA_VIEWS
WHERE OWNER = 'SONAR5'
ORDER BY OBJECTNAME;
RESULTS := V_CURSOR;
END GETSCHEMAOBJECTS;
END TITAN_ENTITY;
I have verified that the synonyms in question exist, and are public:
CREATE PUBLIC SYNONYM "DBA_TABLES" FOR "SYS"."DBA_TABLES"
CREATE PUBLIC SYNONYM "DBA_VIEWS" FOR "SYS"."DBA_VIEWS"
My understanding is that, because they are public, I don't need any further permissions to get to them. If that understanding is incorrect, I wish someone would disabuse me of the notion and point me to more accurate data.
Now here's my problem: I can open a worksheet in Oracle SQL Developer and select from these tables just fine. I get meaningful data just fine (567 rows, as a matter of fact). But when I try to execute the stored procedure, Oracle complains with a compilation error, as shown below:
Error(9,8): PL/SQL: SQL Statement ignored
Error(10,16): PL/SQL: ORA-00942: table or view does not exist
When I double-click on that second error message, SQL Developer takes me to the first FROM clause ("FROM DBA_TABLES").
So I'm fairly stumped. I know SQL Server pretty well, and I'm new to Oracle, so please bear with me. If you could provide some clues, or point me in the right direction, I'd really appreciate it.
Thanks in advance!
Use ALL_TABLES and ALL_VIEWS instead of DBA_TABLES and DBA_VIEWS. ALL_% views should be accessible to all users.
If you select from a table or a view in a stored PL/SQL-procedure or a stored PL/SQL-function you need a direct grant. A grant via a database role isn't enough.
You probably need a direct grant on view dba_tables. (public) synonyms are just (public) synonyms. You need directly granted select rights.
See here: http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:48704116042682#48798240264807
Edit: Sorry, I glossed over the part where you seem to say that you can select from DBA_TABLES directly. Most likely the issue is that your privileges are granted through a role as someone else answered. But it's still worth explaining that your understanding of PUBLIC synonyms is incomplete, and that using ALL_TABLES would be better if it accomplishes what you need.
The synonym being PUBLIC only means that all users can reference the synonym; it does not grant them any access to the object that the synonym refers to.
What you would do to most directly solve this error is grant SELECT privilege on the SYS views to the user(s) that will run this procedure. However, I think that is a very bad idea.
As suggested by Raimonds, consider whether you can get what you need from USER_TABLES or ALL_TABLES instead. What user is calling this procedure, and what access does that user have to SONAR5's tables?
Generally, if your application is interested in a table, presumably it has some privileges on it, in which case is should be listed in ALL_TABLES.
I have two users Bob and Alice in Oracle, both created by running the following commands as sysdba from sqlplus:
create user $blah identified by $password;
grant resource, connect, create view to $blah;
I want Bob to have complete access to Alice's schema (that is, all tables), but I'm not sure what grant to run, and whether to run it as sysdba or as Alice.
Happy to hear about any good pointers to reference material as well -- don't seem to be able to get a good answer to this from either the Internet or "Oracle Database 10g The Complete Reference", which is sitting on my desk.
AFAIK you need to do the grants object one at a time.
Typically you'd use a script to do this, something along the lines of:
SELECT 'GRANT ALL ON '||table_name||' TO BOB;'
FROM ALL_TABLES
WHERE OWNER = 'ALICE';
And similar for other db objects.
You could put a package in each schema that you need to issue the grant from which will go through all call each GRANT statement via an EXECUTE IMMEDIATE.
e.g.
PROCEDURE GRANT_TABLES
IS
BEGIN
FOR tab IN (SELECT table_name
FROM all_tables
WHERE owner = this_user) LOOP
EXECUTE IMMEDIATE 'GRANT SELECT, INSERT, UPDATE, DELETE ON '||tab.table_name||' TO other_user';
END LOOP;
END;
There are many things to consider. When you say access, do you want to prefix the tables with the other users name? You can use public synonyms so that you can hide the original owner, if that is an issue. And then grant privs on the synonym.
You also want to plan ahead as best you can. Later, will you want Frank to be able to access Alice's schema as well? You don't want to have to regrant privileges on N number of tables. Using a database role would be a better solution. Grant the select to role "ALICE_TABLES" for example and when another user needs access, just grant them privilege to the role. This helps to organize the grants you make inside the DB.
Another solution if you have different owner:
BEGIN
FOR x IN (SELECT owner||'.'||table_name ownertab
FROM all_tables
WHERE owner IN ('A', 'B', 'C', 'D'))
LOOP
EXECUTE IMMEDIATE 'GRANT SELECT ON '||x.ownertab||' TO other_user';
END LOOP;
END;