Whenever I give a user "all privileges" in ORACLE (example below), what does this actually do?
My understanding is that it gives a user any privilege, e.g inserting, deleting etc within that schema but not to any schema in the DB?
grant all privileges to my_user;
You can grant all [privileges] on <some object>, but you aren't specifying an object; so you are granting system privileges:
The documentation for system privileges says:
Oracle Database provides the ALL PRIVILEGES shortcut for granting all the system privileges listed in Table 18-1, except the SELECT ANY DICTIONARY, ALTER DATABASE LINK, and ALTER PUBLIC DATABASE LINK privileges.
System privileges are not always restricted to a schema. That table includes a lot of ANY privileges, which are specifically not restricted to a schema. If you grant all privileges to a user they will be able to create or alter a table in any schema, for example. That probably isn't what you want.
There is no shortcut to grant only schema-restricted privileges. You'll need to grant CREATE TABLE, CREATE INDEX, etc. explicitly.
It's common practice to create a role to which you grant the necessary privileges, and then you just have to grant that role to your users. (Although you sometimes still need to grant privileges directly to users, e.g. if they are required in a stored procedure).
Related
I have an Oracle user user1 and a schema schema1. I want to give permissions insert, update and delete to this user on this schema.
I only find in the documentation that I can give permissions on this schema tables.
Is there a way to give permission on whole schema?
You can add roles and privileges to the user or use the grant command.
https://docs.oracle.com/javadb/10.8.3.0/ref/rrefsqljgrant.html
You can also use the GRANT ALL PRIVILEGES TO {USERNAME} command.
I granted CREATE ANY TABLE privilege to allow another user to create tables for my user. Ok. That worked. I want to allow this same user, after they created the table, to grant select privilege to public. But the Oracle says: insufficient privileges.
How can I grant select privileges to a table I have just created?
I would like to know if there is a way to grant permissions to, for example, create table on a schema, from a different user.
I want to do this without granting DBA role, nor granting "ANY" permissions (grant create any table to XXXX).
I use this occasionally to satisfy devs who want a read-only account. This will create DDL that will give appropriate select or execute permissions. It would not be difficult to modify that to include update and delete.
I've created two users using the below statements using the System user. I want the ADMIN_USER to have all privileges and this user will create a set of tables. I have an external process that is pumping in data for two of my tables created by the ADMIN_USER. The question I have is if the ADMIN_USER creates all the table structures, how do I give EXTERNAL_USER the capability to read, update and insert into TABLE_A and TABLE_B only? Would I run the grant statements when I'm logged in as ADMIN_USER or the SYSTEM user? I'm using Oracle 11g.
Created both while logged in as SYSTEM User:
create user "ADMIN_USER" identified by "p#ssword123";
grant create session, grant any privilege to ADMIN_USER;
create user "EXTERNAL_USER" identified by "p#ssword321";
Logged in as ADMIN_USER:
GRANT create session, select, update, insert
ON TABLE_A
TO EXTERNAL_USER;
GRANT create session, select, update, insert
ON TABLE_B
TO EXTERNAL_USER;
First off, it is terribly unlikely that you want to grant ADMIN_USER the GRANT ANY PRIVILEGE privilege. The user doesn't require any privileges in order to grant object-level privileges on tables that the user owns. The ANY privileges are terribly powerful. A user that can grant any privilege to another user can make any user (including the user itself) a DBA. That is not what you want.
Realistically, as SYSTEM, you want to grant the system privileges that you want the users to have. As the object owner, you would then grant the object-level privileges.
As SYSTEM
CREATE USER admin_user
IDENTIFIED BY "p#ssword123"
DEFAULT TABLESPACE tablespace_name
QUOTA 10M ON tablespace_name;
CREATE USER external_user IDENTIFIED BY "p#ssword321";
GRANT CREATE SESSION, CREATE TABLE TO admin_user;
GRANT CREATE SESSION TO external_user;
As ADMIN_USER
<<create the tables>>
GRANT select, insert, update
ON table_a
TO external_user;
GRANT select, insert, update
ON table_b
TO external_user;
A DBA should also be able to grant object-level privileges. It's generally preferable to use the object owner account for that.
In Oracle, a table, 'MyTable' is owned by 'User1', how can I grant table access permission to another user, say 'User2' ?
In SQL server, we have some application access permission, does Oracle has something ?
You can grant SELECT privileges (or INSERT, UPDATE, DELETE, and a few others like REFERENCES) to a user
GRANT SELECT
ON user1.MyTable
TO user2
It would be more common, though, to create a role, grant the privileges to the role, and then grant the role to whatever users need it, i.e.
CREATE ROLE user1_select;
GRANT SELECT
ON user1.MyTable
TO user1_select;
GRANT user1_select
TO user2;
That makes it easier in the future to grant a single role to more users and to ensure that all the users with a specific job function have the same set of roles rather than trying to make sure that you've granted everyone access to exactly the same set of objects.