Can you grant privilege to allows the creation of a global temporary table ONLY, i.e. without CREATE TABLE?
The background of this stems from security models that don't allow 'CREATE TABLE'... I can't find a reference to any specific privileges.
I can't find a reference to any specific privileges.
Because, as far as I know, there is none. You'll still have to grant CREATE TABLE privilege to a user so he could create TEMPORARY tables.
In order to prevent a user from creating regular tables, and allow him to create only temporary tables you might consider the following:
Grant CREATE TABLE privilege to a user and revoke quota on a specific tablespace.
alter user <<user_name>> quota 0M on <<tablespace>>;
It might be the user's default tablespace or a different one.
In Oracle's versions with no DEFFERED_SEGMENT_CREATION it'll be enough for the user to see space quota exceeded for tablespace when he/she tries to create a regular table.
In Oracle's version with DEFFERED_SEGMENT_CREATION a user will still be able to create regular tables, but will not be able populate them. The second the user tries to execute an INSERT statement the space quota exceeded for tablespace appears.
So you might consider setting deferred_segment_creation parameter to false.
alter system set deferred_segment_creation = false;
Related
I have a quick question about assigning quotas to users on tablespaces. Does a user require quota in order to select, update and insert data into a table stored in x tablespace? Do I need to grant that user quota on that x tablespace?
Thanks
The schema needs a quota, explicit or unlimited, in order to be able to create objects within that tablespace, such as tables and indexes.
It is the owner of the table who needs the quota, not the user who modifies it by adding rows.
I am new to PL/SQL Developer, and I used the File->New->Table option to create a new table. After using the GUI to set up my table descriptions, when I click "apply" I get the error "no privileges on table space".
I tried googling a solution and I read that I need to give the owner of the schema privileges to modify this table. How do I determine who the owner of a schema is so that I can give them privileges?
Is there another solution to this issue that I do not know of?
You have created the table, so it belongs to you, there is no need to grant something on schema level.
A different story altogether is the tablespace in which the table is created. There, you need a quota. With a privileged user, you can give the quote like so:
alter user <your-username>
quota unlimited on <tablespace-name>;
You need someone with sysdba privileges on the database your schema belongs to (typically a DBA) to grant your schema the necessary privileges to create objects (tables, procedures etc), along with a quota on the tablespace in question.
I have very basic question related to tablespaces.
When I was creating a user, I was asked to assign a default tablespace for this account. So, I assigned a previously created tablespace (TABLESPACE1).
If I create another user and assign a different tablespace (TABLESPACE2) for this user, then will I not be able to see tables created in TABLESPACE1?
If I create a user having access to both tablespaces (TABLESPACE1 and TABLESPACE2)
then for that user, there is another new database, but it is not actually new.
Could somebody help me to understand table space concept here.
Tablespaces are a storage concept only. They don't play a role in what user can see what tables.
You can set a default tablespace for a user, and you can allow them (or not) to create objects in specific tablespaces, but that is unrelated to what tables they have access to.
Table (and object in general) access is managed with grants. Tablespaces are for physical storage. The two are essentially unrelated.
Is it possible to force all create table statements to use a specific database.tablespace by passing a parameter to the JDBC URL? For example instead of manually specifying it as follows
CREATE TABLE Message (id INTEGER NOT NULL, created TIMESTAMP, message VARCHAR(255),PRIMARY KEY (id)) in DATABASE.TABLESPACE
I'd like to specify "database.tablespace" in the connection URL and execute
CREATE TABLE Message (id INTEGER NOT NULL, created TIMESTAMP, message VARCHAR(255), PRIMARY KEY (id))
DB2 lacks entirely the concept you require. It handles the first tablespace the user has access rights to as "the default":
IF table space IBMDEFAULTGROUP (over which the user
has USE privilege) exists with sufficient page size
THEN choose it
ELSE IF a table space (over which the user has USE privilege)
exists with sufficient page size (see below when
multiple table spaces qualify)
THEN choose it
ELSE return an error (SQLSTATE 42727)
Thus the way to achieve what you require is to remove access privileges from all but one tablespace, ie.
-- repeat for all tablespaces
revoke use of tablespace myspace1 from public
revoke use of tablespace myspace1 from user/group xxx
-- and make sure the ones you really need have access rights
grant use of tablespace myspace1 to user creatoruser
Naturally this requires that you plan your actions well, but the approach works.
A third party product we have at my company uses Oracle as a backend. I'm attempting to log into the Oracle database and look at the schema and data. I've logged in as sys/sysdba, created a user with a default tablespace of that created by the application, and granted the user all necessary permissions to query the structures. I've also set O7_DICTIONARY_ACCESSIBILITY to true to allow querying of the data dictionary objects.
After logging in as the user and querying User_Tables nothing is returned. But when I query DBA_Tables the tables I'd expect to find are returned. I'm new to Oracle so I'm not quite certain how a non-system table can be in the tablespace, but not a user_table.
More importantly, how do you query the data in these tables? Whenever I attempt a simple "Select *" from the tables I get a "table or view does not exist" error.
Thanks in advance.
The default tablespace you set for a user controls what tablespace objects owned by that user are created in. It has nothing to do with what objects they can query.
USER_TABLES returns information about the tables that a particular user owns. It does not sound like your user owns any tables, so you would expect that to be empty.
ALL_TABLES returns information about the tables that a particular user has access to. If you granted the appropriate privileges, your user should see the tables in this data dictionary view.
DBA_TABLES returns information about every table in the database even if you don't necessarily have access to the underlying table.
If you are trying to query data from one of the tables, are you specifying the schema name (the OWNER column in ALL_TABLES)? If you do not own an object, you generally need to use fully qualified names to reference it, i.e.
SELECT *
FROM schema_owner.table_name
You can avoid using fully qualified names if
You create a synonym (public or private) for the object
You change the CURRENT_SCHEMA for the session. This changes the default schema that a name is resolved under. It does not affect permissions and privileges. You can change the current schema with the command
ALTER SESSION SET current_schema = new_schema_name
You would have to do this for each session the user creates-- potentially in a login trigger.