SQL - Grant role CREATE USER with option to grant CREATE SESSION - oracle

I want to grant to a role the CREATE USER privilege, such that they can create new users. Moreover, I want to grant them the privilege to grant these new users the CREATE SESSION privilege.
Is it possible without granting them ALL PRIVILEGES or ADMIN OPTION or something too general?
Thanks!

Query to grant session privilege:
GRANT CREATE SESSION TO USER;

Related

Oracle ORA-01031: insufficient privileges while creating user

I have created a user, let's call him C##USER from sysdba. Now, I'm trying to create another user from C##USER. Problem is I keep getting the following error:
ORA-01031: insufficient privileges
I have granted C##USER all privileges and have set the default role to ALL. Nothing works yet...
Any ideas? Thanks in advance.
You just need a CREATE USER system privilege, BUT don't forget to use the CONTAINER clause, which should be set to ALL. If you omit this clause, then the grantee will have the CREATE USER system privilege on the current container.
Specify CONTAINER = ALL to commonly grant a system privilege, object privilege on a common object, or role, to a common user or common role
GRANT
When a common user account is created, the account is created in all of the open pluggable databases. So the user who is creating this new user must have CREATE USER system privilege on all containers.
SQL> grant create user to c##user container=all;
Grant succeeded.
SQL> conn c##user
Enter password:
Connected.
SQL> create user c##user2 identified by user2;
User created.

oracle grant to public after create any table

I granted the CREATE ANY TABLE privilege to allow another user to create tables for my user. Ok. That worked. I want to allow this same user, after they have created the table, to grant select privilege to public. But Oracle says: insufficient privileges.
How can I grant select privileges to a table I have just created?

How to revoke all privileges for a user in sqlplus?

How do I revoke all privileges for a user in SQLPlus?
I'm logged in as sysdba and I would like to revoke all privileges for a regular user.
I googled this query
REVOKE ALL PRIVILEGES, GRANT OPTION FROM user [, user] ...
but I don't understand what I should put for user, etc.
Here the answer depends on whether you want to revoke system privileges or object privileges.
There is a syntax change for both.
But as you are logging in through sysdba, I am guessing that you want to revoke system privileges.
revoke sysdba from user_name;
Here, replace user_name with your actual user, like:
revoke sysdba from nagendra;
Updated:
And to revoke all system privileges we can use:
revoke all privileges from user_name;
Object privileges means privileges on tables, procedures and functions; to revoke these, use:
revoke all on object_name from public;
Example:
revoke all on nagendra_table from public;
This will remove all existing privileges on table nagendra_table from all users.
user is the name of the user you want to revoke the privileges from. The grant option clause is MySQL syntax, and does not exist in Oracle Enterprise Databases. So, if I'd like to revoke all of r_mat's privileges, I'd use:
REVOKE ALL PRIVILEGES FROM r_mat;

Create Permissions for Shared Tables

I've created two users using the below statements using the System user. I want the ADMIN_USER to have all privileges and this user will create a set of tables. I have an external process that is pumping in data for two of my tables created by the ADMIN_USER. The question I have is if the ADMIN_USER creates all the table structures, how do I give EXTERNAL_USER the capability to read, update and insert into TABLE_A and TABLE_B only? Would I run the grant statements when I'm logged in as ADMIN_USER or the SYSTEM user? I'm using Oracle 11g.
Created both while logged in as SYSTEM User:
create user "ADMIN_USER" identified by "p#ssword123";
grant create session, grant any privilege to ADMIN_USER;
create user "EXTERNAL_USER" identified by "p#ssword321";
Logged in as ADMIN_USER:
GRANT create session, select, update, insert
ON TABLE_A
TO EXTERNAL_USER;
GRANT create session, select, update, insert
ON TABLE_B
TO EXTERNAL_USER;
First off, it is terribly unlikely that you want to grant ADMIN_USER the GRANT ANY PRIVILEGE privilege. The user doesn't require any privileges in order to grant object-level privileges on tables that the user owns. The ANY privileges are terribly powerful. A user that can grant any privilege to another user can make any user (including the user itself) a DBA. That is not what you want.
Realistically, as SYSTEM, you want to grant the system privileges that you want the users to have. As the object owner, you would then grant the object-level privileges.
As SYSTEM
CREATE USER admin_user
IDENTIFIED BY "p#ssword123"
DEFAULT TABLESPACE tablespace_name
QUOTA 10M ON tablespace_name;
CREATE USER external_user IDENTIFIED BY "p#ssword321";
GRANT CREATE SESSION, CREATE TABLE TO admin_user;
GRANT CREATE SESSION TO external_user;
As ADMIN_USER
<<create the tables>>
GRANT select, insert, update
ON table_a
TO external_user;
GRANT select, insert, update
ON table_b
TO external_user;
A DBA should also be able to grant object-level privileges. It's generally preferable to use the object owner account for that.
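An added example, not part of the original answer: dictionary queries a DBA can run to confirm that the setup above grants only what was intended. It assumes the unquoted names from the answer, which Oracle stores in upper case (ADMIN_USER, EXTERNAL_USER, TABLE_A, TABLE_B), and a session that can read the DBA_* views.

```sql
-- Added example: verify the least-privilege setup. Run as a DBA such as SYSTEM.

-- 1. System privileges. Expected: ADMIN_USER has CREATE SESSION and
--    CREATE TABLE, EXTERNAL_USER has CREATE SESSION, all with ADMIN_OPTION = 'NO'.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee IN ('ADMIN_USER', 'EXTERNAL_USER')
ORDER  BY grantee, privilege;

-- 2. Roles. Expected: no rows, since the answer grants no roles to either user.
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee IN ('ADMIN_USER', 'EXTERNAL_USER')
ORDER  BY grantee, granted_role;

-- 3. Object privileges of EXTERNAL_USER. Expected: SELECT, INSERT and UPDATE
--    on ADMIN_USER.TABLE_A and ADMIN_USER.TABLE_B, granted by ADMIN_USER.
SELECT owner, table_name, privilege, grantor, grantable
FROM   dba_tab_privs
WHERE  grantee = 'EXTERNAL_USER'
ORDER  BY owner, table_name, privilege;

-- 4. Drift check. Expected: no rows. Any row is a grant outside the two
--    tables, a privilege other than the three intended, or one that
--    EXTERNAL_USER could pass on (GRANTABLE = 'YES').
SELECT owner, table_name, privilege, grantor, grantable
FROM   dba_tab_privs
WHERE  grantee = 'EXTERNAL_USER'
AND   (owner <> 'ADMIN_USER'
       OR table_name NOT IN ('TABLE_A', 'TABLE_B')
       OR privilege  NOT IN ('SELECT', 'INSERT', 'UPDATE')
       OR grantable = 'YES');

-- 5. Holders of the broad grant-anything privileges the answer warns about.
--    ADMIN_USER and EXTERNAL_USER should not be listed.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('GRANT ANY PRIVILEGE',
                     'GRANT ANY ROLE',
                     'GRANT ANY OBJECT PRIVILEGE')
ORDER  BY privilege, grantee;
```

Privileges granted to PUBLIC are available to every user and do not appear under the EXTERNAL_USER grantee, so rerun queries 3 and 4 with grantee = 'PUBLIC' when reviewing effective access.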

Oracle assign table permission

In Oracle, a table, 'MyTable', is owned by 'User1'. How can I grant table access permission to another user, say 'User2'?
In SQL Server, we have some application access permission; does Oracle have something?
You can grant SELECT privileges (or INSERT, UPDATE, DELETE, and a few others like REFERENCES) to a user:
GRANT SELECT
ON user1.MyTable
TO user2;
It would be more common, though, to create a role, grant the privileges to the role, and then grant the role to whatever users need it, i.e.
CREATE ROLE user1_select;
GRANT SELECT
ON user1.MyTable
TO user1_select;
GRANT user1_select
TO user2;
That makes it easier in the future to grant a single role to more users and to ensure that all the users with a specific job function have the same set of roles rather than trying to make sure that you've granted everyone access to exactly the same set of objects.
