Develop Reference

How can i restrict a user from creating tables in their own schema?

My user only has the privilege to create session, manage scheduler. But I can create tables in the schema, can I change that?
Thank you.

The if the user is able to create a table, then he has more privs than you claim. Here I create a user, grant him ONLY the privs you say, then connect as that user and try to create a table:
SQL> show user
USER is "SYSTEM"
SQL> create user beetle identified by bailey;
User created.
SQL> grant create session to beetle;
Grant succeeded.
SQL> grant manage scheduler to beetle;
Grant succeeded.
SQL> select privilege
2 from dba_sys_privs
3 where grantee='BEETLE';
PRIVILEGE
----------------------------------------
MANAGE SCHEDULER
CREATE SESSION
2 rows selected.
SQL> select granted_role
2 from dba_role_privs
3 where grantee='BEETLE';
no rows selected
SQL> select owner ||'.'||table_name,
2 privilege
3 from dba_tab_privs
4 where grantee='BEETLE';
no rows selected
SQL> -- -------- create the tables
SQL> conn beetle/bailey#pdb01
Connected.
SQL> create table my_test(dob date);
create table my_test(dob date)
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> -- -------- load tables
SQL> -- -------- Do the query
SQL> -- -------- clean up
SQL> conn system/halftrack#pdb01
Connected.
SQL> drop user beetle cascade;
User dropped.

Oracle19c -Create Role User Under the Tablespace

Hello How I can Create Roles with
ReadOnly(Select any Tables under the tablespace)
And
InsertUpdateRoleOnly(To insert and update Data ,not delete)
Under My tablespace with local access this users?

Tables are owned by someone. The owner grants privileges to other users or to roles; in your case, it'll be a role. As the role doesn't depend on a tablespace (you mentioned), you'd create it as simple as
create role r_read_only;
Then, the owner would grant SELECT privilege on its tables to that role, e.g.
grant select on emp to r_read_only;
grant select on dept to r_read_only;
Such a role would be granted to other users, e.g.
grant r_read_only to littlefoot;
and user littlefoot will be able to select from those tables.
The same goes for your another role, no difference:
create role r_upd_ins;
grant insert, update on emp to r_upd_ins;
grant r_upd_ins to bigfoot;

Privileges cannot be granted at the tablespace level. You must grant privileges to specific tables. e.g:
create role read_data_role;
grant select on [owner].[table_name] to read_data_role;
create role update_data_role;
grant insert, update on [owner].[table_name] to update_data_role;
grant read_data_role, update_data_role to [username];

What are roles and privileges to give a user in order to perform CRUD(on Oracle 12)

I'm creating a USER on Oracle 12 c database, using TOAD.
After creating the TABLESPACE, I'm creating the USER. I'm a little confusing about the many ROLES and PRIVILEGES that can be given to a USER.
What are the minimum/standard roles and privileges a user must be given in order to perform CRUD operation and being able to 'edit' the database (create or delete table, DROP the schema ecc) from TOAD?
Thank you

It depends on what operations are you going to perform. If you want to work only with tables in your own db schema, then the following privileges are usually enough to start:
grant create session to <your_user>;
grant create table to <your_user>;
You have the default rights to insert/update/delete/select tables which you own.
Tablespace quota:
alter user <your_user> quota unlimited on <your_tablespace_name>;
It's better to set the default tablespace for the user. In this case you can omit the tablespace name in a create table statement.
alter user <your_user> default tablespace <your_tablespace_name>;

A link to the documentation - Privileges
Grant the user the following privileges:
CREATE SESSION (in order to allow the user to connect to the database)
INSERT
UPDATE
DELETE
SELECT
Use the below command to grant privileges to the user (you need to login as SYS or SYSTEM or another user that has GRANT privilege):
GRANT CREATE SESSION, SELECT, UPDATE, DETETE, INSERT TO user_name

Here's a suggestion you might (or might not) want to follow.
As a privileged user (such as SYS), check tablespaces available in your database. I'm using 11g XE (Express Edition) which shows the following:
SQL> show user
USER is "SYS"
SQL> select tablespace_name from dba_tablespaces;
TABLESPACE_NAME
------------------------------
SYSTEM
SYSAUX
UNDOTBS1
TEMP --> temporary
USERS --> my data
Now, create a user:
SQL> create user mdp identified by pdm
2 default tablespace users
3 temporary tablespace temp
4 quota unlimited on users;
User created.
Quite a long time ago, there were two popular predefined roles named CONNECT and RESOURCE which were granted some of the most frequent privileges so people just loved to grant those roles to newly created users.
Nowadays, you shouldn't be doing that: grant only minimal set of privileges your user might need. The first one is CREATE SESSION; without it, your user won't even be able to establish a connection.
SQL> grant create session to mdp;
Grant succeeded.
Then, you'll want to create some tables so - grant it:
SQL> grant create table to mdp;
Grant succeeded.
OK, let's connect as newly created user and do something:
SQL> connect mdp/pdm#xe
Connected.
SQL> create table test (id number);
Table created.
SQL> insert into test id values (1);
1 row created.
SQL> drop table test;
Table dropped.
SQL>
Nice; I can create tables, insert/update/delete/select from them. For beginning, that's quite enough. However, when it turns out that you'd want to, for example, create a view, it won't work until you grant it that privilege:
SQL> create view v_dual as select * From dual;
create view v_dual as select * From dual
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> connect sys#xe as sysdba
Enter password:
Connected.
SQL> grant create view to mdp;
Grant succeeded.
SQL> connect mdp/pdm#xe
Connected.
SQL> create view v_dual as select * From dual;
View created.
SQL>
And so forth; don't grant anything just because you might need it - grant it if & when you need it. Especially pay attention to system privileges which can potentially be dangerous if you don't know what you're doing.

create Oracle db DBA Role with read only priviliges

I'm wondering if there's a way to set up a user with dba-like read-only privileges.
In my use-case, I'm trying to fetch some data from of schema from SYS.ALL_ARGUMENTS table.
I'm using this statements to create my user:
CREATE USER bbb IDENTIFIED BY bbb;
/
GRANT CREATE SESSION TO bbb;
/
grant select any table to bbb WITH ADMIN OPTION;
/
grant select on SYS.ALL_ARGUMENTS to bbb;
when I try to run the following statement to fetch data of HR schema:
SELECT * FROM SYS.ALL_ARGUMENTS a WHERE a.OWNER = 'HR' ORDER BY SEQUENCE;
I get nothing. If I set my user with DBA role or IMP_FULL_DATABASE role, i manage to get this data but then my user has privileges I don't want him to have.

Privilege SELECT ANY TABLE does not include dictionary views. Run
GRANT SELECT ANY DICTIONARY TO bbb;
in order to grant full read access.

create table to a role and role to user in oracle

i am creating a role name developer
create role developer ;
grant create session,create table to developer
then again i am creating a user
create user dhoni identified by dhoni
granting the role to dhoni
grant role developer to dhoni ;
create table xx(sno number(11));
it not create the table
the error
ORA-01031: insufficient privileges

grant role developer to dhoni ;
That's invalid - it should be
grant developer to dhoni;
Then your create table will work.

May be below solution will help.
SQL> show user
USER is "SYS"
SQL>
SQL> create role developer;
Role created.
SQL> grant create session,create table to developer;
Grant succeeded.
SQL> create user dhoni identified by dhoni;
User created.
SQL> grant developer to dhoni;
Grant succeeded.
SQL> conn dhoni/dhoni
Connected.
SQL> show user
USER is "DHONI"
SQL> CREATE TABLE Persons (
PersonID int,
LastName varchar(255),
FirstName varchar(255),
Address varchar(255),
City varchar(255)
); 2 3 4 5 6 7
Table created.
SQL>