I have created a user, let's call him C##USER from sysdba. Now, I'm trying to create another user from C##USER. Problem is I keep getting the following error:
ORA-01031: insufficient privileges
I have granted C##USER all privileges and have set the default role to ALL. Nothing works yet...
Any ideas? Thanks in advance.
You just need a CREATE USER system privilege BUT don't forget to use CONTAINERclause which should be set to ALL, if you omit this clause then the grantee will have CREATE USER system privilege on the current container.
Specify CONTAINER = ALL to commonly grant a system privilege, object privilege on a common object, or role, to a common user or common role
GRANT
When a common user account is created, the account is created in all of the open pluggable databases. So the user who is creating this new user must have CREATE USER system privilege on all containers.
SQL> grant create user to c##user container=all;
Grant succeeded.
SQL> conn c##user
Enter password:
Connected.
SQL> create user c##user2 identified by user2;
User created.
I want to grant to a role the CREATE USER privilege, such they can create new users. Moreover, I want to grant them the privilege to grant these new users the CREATE SESSION privilege.
Is it possible without granting them ALL PRIVILEGES or ADMIN OPTION or something too general?
Thanks!
Query to grant session privilege,
GRANT CREATE SESSION TO USER;
Whenever I give a user "all privileges" in ORACLE (example below), what does this actually do?
My understanding is that it gives a user any privilege, e.g inserting, deleting etc within that schema but not to any schema in the DB?
grant all privileges to my_user;
You can grant all [privileges] on <some object>, but you aren't specifying an object; so you are granting system privileges:
The documentation for system privileges says:
Oracle Database provides the ALL PRIVILEGES shortcut for granting all the system privileges listed in Table 18-1, except the SELECT ANY DICTIONARY, ALTER DATABASE LINK, and ALTER PUBLIC DATABASE LINK privileges.
System privileges are not always restricted to a schema. That table includes a lot of ANY privileges, which are specifically not restricted to a schema. If you grant all privileges to a user they will be able to create or alter a table in any schema, for example. That probably isn't what you want.
There is no shortcut to grant only schema-restricted privileges. You'll need to grant CREATE TABLE, CREATE INDEX, etc. explicitly.
It's common practice to create a role to which you grant the necessary privileges, and then you just have to grant that role to your users. (Although you sometimes still need to grant privileges directly to users, e.g. if they are required in a stored procedure).
I need to use dbms_lock.sleep procedure from user usr1. I can't login as sys, but I have a password for user usr2 which have "grant any object privilege" privilege. However, when I'm logged in as usr2 and try to issue
grant execute on sys.dbms_lock to usr1
I get the ORA-01031 "insufficient privileges" exception. The same works with a test package on another user. Are the system packages treated specially, or have I missed something?
The system packages are treated specially, depending on the value of the initialisation parameter O7_DICTIONARY_ACCESSIBILITY. If that is FALSE, which is the default since Oracle 9i, then ANY privileges don't apply to the data dictionary. The documentation refers to this as 'dictionary protection'.
The closest I can find in the security guide - here and here - only refer to tables as examples.
Oracle Support note 174753.1, however, explicitly states that dictionary protection supersedes grant any object privilege. I'm not allowed to quote that but it explains what you're seeing; it might be worth looking up if you have access to it.
So, the only way for usr2 to be able to grant execute on sys.dbms_lock to usr1 is for the DBA to have done grant execute on sys.dbms_lock to usr2 with grant option.
As Ben says, you'll have to either get the DBA to grant the permission to usr1 directly, or add the with grant option to the privileges granted to usr2; or have usr2 create a wrapper procedure around the dbms_lock call and grant permissions on that to usr1.
It sounds as though SYS hasn't been granted the DBA role or that SYS doesn't have the GRANT ANY OBJECT privilege. To quote from the documentation
To grant an object privilege, you must own the object, or the owner of
the object must have granted you the object privileges with the GRANT
OPTION, or you must have been granted the GRANT ANY OBJECT PRIVILEGE
system privilege. If you have the GRANT ANY OBJECT PRIVILEGE, then you
can grant the object privilege only if the object owner could have
granted the same object privilege.
This implies that you can't grant execute on dbms_lock because SYS wouldn't have been able to do so.
On installation SYS is automatically granted the DBA role so maybe someone's been changing this or created another user with the DBA role.
Either way you're going to have to get your DBA involved if you only have access to these two users. Ask them to grant execute on the packages you need to the users that need it. It's up to them to give you a good reason why they won't grant you execute on the packages you need in order to do your job.
If you can't get full access to dbms_lock you can always create a procedure in another user that wraps dbms_lock.sleep you need and then grant execute on that procedure alone.
Can someone advise me on how to create a user in Oracle 11g and only grant that user the ability only to execute one particular stored procedure and the tables in that procedure.
I am not really sure how to do this!
Connect as SYSTEM.
CREATE USER username IDENTIFIED BY apassword;
GRANT CONNECT TO username;
GRANT EXECUTE on schema.procedure TO username;
You may also need to:
GRANT SELECT [, INSERT] [, UPDATE] [, DELETE] on schema.table TO username;
to whichever tables the procedure uses.
Follow the below steps for creating a user in Oracle.
--Connect as System user
CONNECT <USER-NAME>/<PASSWORD>#<DATABASE NAME>;
--Create user query
CREATE USER <USER NAME> IDENTIFIED BY <PASSWORD>;
--Provide roles
GRANT CONNECT,RESOURCE,DBA TO <USER NAME>;
--Provide privileges
GRANT CREATE SESSION, GRANT ANY PRIVILEGE TO <USER NAME>;
GRANT UNLIMITED TABLESPACE TO <USER NAME>;
--Provide access to tables.
GRANT SELECT,UPDATE,INSERT ON <TABLE NAME> TO <USER NAME>;
The Oracle documentation is comprehensive, online and free. You should learn to use it. You can find the syntax for CREATE USER here and for GRANT here,
In order to connect to the database we need to grant a user the CREATE SESSION privilege.
To allow the new user rights on a stored procedure we need to grant the EXECUTE privilege. The grantor must be one of these:
the procedure owner
a user granted execute on that procedure with the WITH ADMIN option
a user with the GRANT ANY OBJECT privilege
a DBA or other super user account.
Note that we would not normally need to grant rights on objects used by a stored procedure in order to use the procedure. The default permission is that we execute the procedure with the same rights as the procedure owner and, as it were, inherit their rights when executing the procedure. This is covered by the AUTHID clause. The default is definer (i.e. procedure owner). Only if the AUTHID is set to CURRENT_USER (the invoker, that is our new user) do we need to grant rights on objects used by the procedure. Find out more.
Don't use these approach in critical environment like TEST and PROD. Below steps are just suggested for local environment. For my localhost i create the user via these steps:
IMPORTANT NOTE : Create your user with SYSTEM user credentials.Otherwise you may face problem when you run multiple application on same database.
CONNECT SYSTEM/<<System_User_Password>>#<<DatabaseName>>; -- connect db with username and password, ignore if you already connected to database.
Then Run below script
CREATE USER <<username>> IDENTIFIED BY <<password>>; -- create user with password
GRANT CONNECT,RESOURCE,DBA TO <<username>>; -- grant DBA,Connect and Resource permission to this user(not sure this is necessary if you give admin option)
GRANT CREATE SESSION TO <<username>> WITH ADMIN OPTION; --Give admin option to user
GRANT UNLIMITED TABLESPACE TO <<username>>; -- give unlimited tablespace grant
EDIT: If you face a problem about oracle ora-28001 the password has expired also this can be useful run
select * from dba_profiles;-- check PASSWORD_LIFE_TIME
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED; -- SET IT TO UNLIMITED
As previously mentioned multiple times in the comments, the use of the CONNECT, RESOURCE and DBA roles is discouraged by Oracle.
You have to connect as SYS to create your role and the user(s) which are given this role. You can use SQL Developer or SQL*Plus as you prefer. Do not forget to mention the SYSDBA role in the logon string. The connect_identifier uses different syntaxes.
sqlplus sys/<<password>>#<<connect_identifier>> as sysdba
Let's say you have a 12cR1 like the one provided as a VM with the "Oracle Technology Network Developer Day". The connect strings might be (to connect to the provided PDB) :
sqlplus sys/oracle#127.0.0.1/orcl as sysdba
sqlplus sys#"127.0.0.1/orcl" as sysdba -- to avoid putting the pw in clear
Note that under Unix, the quotes have to be escaped otherwise they will be consumed by the shell. Thus " becomes \".
Then you create the role MYROLEand grant it other roles or privileges. I added nearly the bare minimum to do something interesting :
create role myrole not identified;
grant create session to myrole;
grant alter session to myrole;
grant create table to myrole;
Next your create the user MYUSER. The string following identified by which is the password is case-sensitive. The rest is not. You could also use SQL delimited identifiers (surrounded by quotes ") instead of regular identifiers which are converted tu uppercase and subject to a few limitations. The quota could be unlimited instead of 20m.
create user myuser identified by myuser default tablespace users profile default account unlock;
alter user myuser quota 20m on users;
grant myrole to myuser;
Eventually, you connect as your new user.
Please note that you could also alter the default profile or provide another one to customize some settings as the expiration period of passwords, the number of permitted failed login attempts, etc.
CREATE USER USER_NAME IDENTIFIED BY PASSWORD;
GRANT CONNECT, RESOURCE TO USER_NAME;
CREATE USER books_admin IDENTIFIED BY MyPassword;
GRANT CONNECT TO books_admin;
GRANT CONNECT, RESOURCE, DBA TO books_admin;
GRANT CREATE SESSION GRANT ANY PRIVILEGE TO books_admin;
GRANT UNLIMITED TABLESPACE TO books_admin;
GRANT SELECT, INSERT, UPDATE, DELETE ON schema.books TO books_admin;
https://docs.oracle.com/cd/B19306_01/network.102/b14266/admusers.htm#i1006107
https://chartio.com/resources/tutorials/how-to-create-a-user-and-grant-permissions-in-oracle/
First step:
Connect to a database using System/Password;
second Step:
create user username identified by password; (syntax)
Ex: create user manidb idntified by mypass;
third Step:
grant connect,resource to username; (Syntax)
Ex: grant connect,resource to manidb;
step 1 .
create user raju identified by deshmukh;
step 2.
grant connect , resource to raju;
step 3.
grant unlimitted tablespace to raju;
step4.
grant select , update , insert , alter to raju;