These two privileges don't get granted to the DBA:
SYSDBA
SYSOPER
SQL and GUI attempts to grant these privileges return successful messages, but they remain revoked. While signed in as SYS:
Signing in as SYS
Bookshop_DBA privileges appear as such
Granting with GUI
Granting with SQL
Result for both
Messages are returned to say that granting is successful but no changes are made.
Please show us what you're actually doing.
If you're using the dialog as shown, and getting problems, you should be able to report an any ORA- errors.
For example:
And you don't have to guess what SQL Developer is actually doing - click on the SQL page of the edit user dialog.
Before going further, please consider:
you should in general NEVER login as SYSDBA - unless you need to actually shut down or alter a database. Don't use it as an all powerful PRIV to get around security/grant issues
you should know what you're doing before you grant it to someone, or even use it yourself. Read the docs, then read them again. Otherwise, this is how you do very, very bad things to your database.
Running this code from a non-privileged user:
-- SYSTEM PRIVILEGES
GRANT SYSDBA TO "user" ;
GRANT SYSOPER TO "user" ;
Error starting at line : 6 in command -
GRANT SYSDBA TO "user"
Error report -
ORA-01031: insufficient privileges
01031. 00000 - "insufficient privileges"
*Cause: An attempt was made to perform a database operation without
the necessary privileges.
*Action: Ask your database administrator or designated security
administrator to grant you the necessary privileges
Error starting at line : 7 in command -
GRANT SYSOPER TO "user"
Error report -
ORA-01031: insufficient privileges
01031. 00000 - "insufficient privileges"
*Cause: An attempt was made to perform a database operation without
the necessary privileges.
*Action: Ask your database administrator or designated security
administrator to grant you the necessary privileges
So, how do we get around this?
You need to do this for the user who is performing the grants - and you better REALLY trust this user, if you're going to let them do this SYSDBA...
GRANT SYSDBA TO "*user*" WITH ADMIN OPTION;
But, that's NOT ENOUGH.
Per the DOCS:
Because SYSDBA and SYSOPER are the most powerful database privileges,
the WITH ADMIN OPTION is not used in the GRANT statement. That is, the
grantee cannot in turn grant the SYSDBA or SYSOPER privilege to
another user. Only a user currently connected as SYSDBA can grant or
revoke another user's SYSDBA or SYSOPER system privileges. These
privileges cannot be granted to roles, because roles are available
only after database startup. Do not confuse the SYSDBA and SYSOPER
database privileges with operating system roles.
So, in SQL Developer, disconnect.
Change your connection properties:
Now that you're connected as SYSDBA, you can do...perilous things...like grant that to someone else.
PS - Don't ever GRANT SYS anything to a demo schema like HR. And don't have these demo schemas in production environments, they're only there as learning resources.
It may be due to the user you are connected with. SYSDBA and SYSOPER privs can only be granted by a SYSDBA user.
Related
I have a oracle 12c database .
I would like to grant sysdba to C##user1.
Here is user table.
When I execute this command I can get a error.
grant sysdba to c##user1 container=current
Error report -
SQL Error: ORA-65175: cannot grant SYSDBA privilege locally in the root
65175. 00000 - "cannot grant SYSDBA privilege locally in the root"
*Cause: An attempt was made to grant SYSDBA privilege locally in the root
of a multitenant container database (CDB).
*Action: While connected to the root, SYSDBA privilege can only be granted
commonly.
and when I execute this command , I can get 2 users of C##user1.
grant sysdba to c##user1 container=all
How can I grant sysdba to C##user1.
Thank you for viewing.
Pls help me.
Are you trying to grant sysdba to c##user1 at the Container or Root level? This is an important distinction within 12C, as the Container is logically separate from the rest of the CDB. The CON_ID column will tell you where each user resides - Con_ID=0 means that the row pertains to the entire CDB, whereas CON_ID=1 means that the row pertains to the root.
You currently have two "C##user1" users, one is a common user that is present in all containers (CON_ID=0,) and the other is a local user that is specific to the root.
You already have one "C##user1" user that has the SYSDBA privilege on the entire CDB, so if that's what you want, you can connect to the root and drop the local "C##user1" user. If you just wanted a local user with the SYSDBA privilege on that root only, I would recommend dropping the "C##user1" common user, then connecting to the root and granting sysdba to the local user there.
The article I linked to is titled "Overview of the Multitenant Architecture", I would suggest giving it a review before you make a decision either way.
under cdb connection try it
grant sysdba to c##user1 container=all
I need your serious help here!
I need to run multiple grant execute query for sys object to one of my user.
grant execute on SYS.dbms_system to $(User);
grant execute on SYS.dbms_flashback to $(User);
But, as what I know, in order to grant privileges to sys object for Oracle RDS, we need use procedure rdsadmin.rdsadmin_util.grant_sys_object to achieve.
I construct my new query, as following:
begin
rdsadmin.rdsadmin_util.grant_sys_object('DBMS_SYSTEM', '$(User)');
end;
But, I hit an error,
SQL Error: ORA-20199: Error in rdsadmin_util.grant_sys_object.
ORA-20900: You do not have permission to grant: to SYS object: DBMS_SYSTEM ORA-06512: at "RDSADMIN.RDSADMIN_UTIL", line 234 ORA-20900:
You do not have permission to grant: to SYS object: DBMS_SYSTEM ORA-06512: at line 2
Anyone have clue how do I solve this? Please help!
Let's assume you have run the procedure correctly and you have included the execute privilege in the call. This error
ORA-20900: You do not have permission to grant: to SYS object: DBMS_SYSTEM
means you do not have sufficient permission to grant privileges on DBMS_SYSTEM. You may think you have that privilege but you don't.
Two possible explanations:
your granting user doesn't have its permission WITH GRANT OPTION and lacks the GRANT ANY PRIVILEGE power role.
your granting user gained its privileges through a role. We cannot use permissions granted through a role in PL/SQL, because of the Oracle security model. To do this permissions must be granted directly to the user.
"there is so many limitation within amazon RDS service ... it is such a huge disappointment from this service. "
It's the difference between IaaS and PaaS. The Amazon RDS offering is managed databases as a service. So it is quite reasonable for them to lock SYS, etc. SYS is for installing, configuring and patching the database, which are tasks undertaken by Amazon. (Many places use SYS for doing regular DBA tasks: they shouldn't.) If you want to do installing, configuring and patching for yourself then you need a different style of cloud service.
I have Oracle 11G SE1 on AWS RDS.
I'm trying to do :
CREATE RESTORE POINT RestorePointName GUARANTEE FLASHBACK DATABASE;
and I'm getting :
Error at Command Line:1 Column:1
Error report:
SQL Error: ORA-01031: insufficient privileges
01031. 00000 - "insufficient privileges"
*Cause: An attempt was made to change the current username or password
without the appropriate privilege. This error also occurs if
attempting to install a database without the necessary operating
system privileges.
When Trusted Oracle is configure in DBMS MAC, this error may occur
if the user was granted the necessary privilege at a higher label
than the current login.
*Action: Ask the database administrator to perform the operation or grant
the required privileges.
For Trusted Oracle users getting this error although granted the
the appropriate privilege at a higher label, ask the database
administrator to regrant the privilege at the appropriate label.
I'm logged in as the admin user.
i was running an insert query on a synonym i got ORA-01031 in sql developer, we are accessing almost all tables through synonym only, but only this one in the schema gave ORA-0103 error. Please guide.
Error report: SQL Error: ORA-01031: insufficient privileges
01031. 00000 - "insufficient privileges"
*Cause: An attempt was made to change the current username or password
without the appropriate privilege. This error also occurs if
attempting to install a database without the necessary operating
system privileges.
When Trusted Oracle is configure in DBMS MAC, this error may occur
if the user was granted the necessary privilege at a higher label
than the current login.
*Action: Ask the database administrator to perform the operation or grant
the required privileges.
For Trusted Oracle users getting this error although granted the
the appropriate privilege at a higher label, ask the database
administrator to regrant the privilege at the appropriate label.
did you execute something like:
GRANT select, insert, update, delete on Table to your_synonym_user;
and this line should be executed by the Table owner or the user with that permission.
It looks very much like the permissions you have to either the underlying table, or the synonym are insufficient, or possibly that your password has expired?
Im very new to Oracle so can anyone please explain about sys and system users?
And also I read these users are granted DBA role . Whether DBA and SYSDBA roles are same ?
(1)
http://www.adp-gmbh.ch/ora/misc/sys_system_internal.html
SYS
SYS is the owner of the database and the owner of the data dictionary.
Never ever create objects in the SYS schema.
The objects belonging to SYS cannot be exported.
SYSTEM
SYSTEM is a privileged administration user, and typically owns Oracle provided tables other than the dictionary. Don't create your own objects under SYSTEM.
(2)
Not, these're not same. There's a big difference between them
For sysdba role, you can look to documentation
http://download.oracle.com/docs/cd/B19306_01/server.102/b14231/dba.htm#sthref137
And from documentation we see that:
The DBA role does not include the SYSDBA or SYSOPER system privileges
Additional differences between a user with the SYSDBA system privilege and a user with DBA role are that a SYSDBA authenticates via the password file and can edit tables in the SYS schema such as USER$, plus the SYSDBA connection will show as SYS and will be audited as SYS in mandatory audit. Of course most SYSDBA users have also been granted the DBA role as well. The difference with actual SYS is that they HAVE to logon as SYSDBA whereas a different DBA user granted SYSDBA system privilege can choose not to…
http://www.oracleforensics.com/wordpress/index.php/2008/09/21/bypassing-ora-01997/
Please read the Oracle documentation. Administrators Guide is a good place to start.
SYSDBA has additional abilities.