Checking for specific permissions of Oracle users - oracle

Problem: I am working on a query that will produce a list of all Oracle users. I wish to determine in the query if they have the specific grant permissions for CONNECT and APPUSER and show them in a single table.
What I have tried: I am using one table, DBA_ROLE_PRIVS. This table shows all the information I need, but I am failing to query it correctly. I can show all users who have permission to Connect with:
SELECT GRANTEE as "User Name", granted_role as "Connect"
FROM DBA_ROLE_PRIVS
WHERE GRANTED_ROLE='CONNECT';
I can also show users who have permission to APPUSER, simply by replacing CONNECT with APPUSER.
My problem is showing both permissions in one query. I have tried using different JOINs. However, using that seems to require two tables or more. I have researched a "self-join", but do not understand how to use two WHERE clauses. I have tried things like:
SELECT grantee as "User Name", t1.granted_role as "Connect", t2.granted_role as "APPUSER"
FROM t1.DBA_ROLE_PRIVS join t2.DBA_ROLE_PRIVS on t1.GRANTEE = t2.GRANTEE
WHERE t1.GRANTED_ROLE='CONNECT' and t2.GRANTED_ROLE='APP_USER';
I want my final query to show something like:
User Name  Connect    App User
---------- ---------- ----------
Bob        CONNECT    APPUSER
Sue                   APPUSER
Nick       CONNECT    APPUSER
Rob        CONNECT

SELECT GRANTEE as "User Name", granted_role from DBA_ROLE_PRIVS where GRANTED_ROLE in ('CONNECT','APPUSER');
If you need one row for each user and two columns for each access, you can use this:
-- COALESCE takes the grantee from whichever side of the full outer join matched,
-- so users who hold only CONNECT still get a name in the first column
select COALESCE(a.GRANTEE, c.GRANTEE) as "User Name", a.granted_role as "Connect", c.granted_role as "APPUSER"
FROM
(SELECT GRANTEE, granted_role from DBA_ROLE_PRIVS where GRANTED_ROLE = 'CONNECT') a
FULL OUTER JOIN
(SELECT GRANTEE, granted_role from DBA_ROLE_PRIVS where GRANTED_ROLE = 'APPUSER') c
on a.GRANTEE = c.GRANTEE;
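
An added example, not part of the question or answers above: a single pass from DBA_USERS with conditional aggregation, so accounts holding neither role are listed as well. It assumes the application role is named APPUSER as in the question; the account status and admin option columns are additions for access review.

```sql
-- Added example: one row per database account, one column per role of interest.
-- Assumption: the application role is named APPUSER, as in the question.
SELECT u.username       AS "User Name",
       u.account_status AS "Status",
       MAX(CASE WHEN rp.granted_role = 'CONNECT' THEN rp.granted_role END) AS "Connect",
       MAX(CASE WHEN rp.granted_role = 'APPUSER' THEN rp.granted_role END) AS "App User",
       -- 'YES' sorts after 'NO', so this is YES if either grant is WITH ADMIN OPTION
       MAX(rp.admin_option) AS "Admin Option"
FROM   dba_users u
       -- LEFT JOIN keeps accounts that hold neither role (both columns NULL).
       -- Filtering in the ON clause, not in WHERE, is what preserves those rows.
       LEFT JOIN dba_role_privs rp
              ON rp.grantee = u.username
             AND rp.granted_role IN ('CONNECT', 'APPUSER')
GROUP  BY u.username, u.account_status
ORDER  BY u.username;
```

DBA_ROLE_PRIVS records direct grants only, so a user who receives CONNECT through another role shows NULL in that column.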

Related

How to export users in Oracle with its roles and system privileges using expdp?

I am trying to export a schema/user in Oracle with its roles and system privileges. I don't want to export any data or any table. I have tried to export users using the following command.
expdp system/system#gisdblocal include=user DIRECTORY = TestBack
logfile=test12.log DUMPFILE=test12.dmp SCHEMAS=test_replication
When I import this in other database or in the same database with a different name i.e
impdp system/system#gisdblocal DIRECTORY = TestBack DUMPFILE = test12.dmp
SCHEMAS = test_replication REMAP_SCHEMA =
test_replication:test_replication_copy
the user or schema is created but it has not been granted any role or system privileges.
I am doing this because I have created a backup of a schema using the user that did not have the required rights DATAPUMP_IMP_FULL_DATABASE or DATAPUMP_EXP_FULL_DATABASE. When I restore that backup in another database, it says the user does not exist. Therefore, I am thinking to create a user with the same privileges first and then restore the backup.
Using SQL...
SELECT dbms_metadata.get_ddl('USER', :name)
FROM dual
UNION ALL
SELECT dbms_metadata.get_granted_ddl('ROLE_GRANT', grantee)
FROM dba_role_privs
WHERE grantee = :name
AND ROWNUM = 1
UNION ALL
SELECT dbms_metadata.get_granted_ddl('DEFAULT_ROLE', grantee)
FROM dba_role_privs
WHERE grantee = :name
AND ROWNUM = 1
UNION ALL
SELECT dbms_metadata.get_granted_ddl('SYSTEM_GRANT', grantee)
FROM dba_sys_privs sp,
system_privilege_map spm
WHERE sp.grantee = :name
AND sp.privilege = spm.name
AND spm.property <> 1
AND ROWNUM = 1
UNION ALL
SELECT dbms_metadata.get_granted_ddl('OBJECT_GRANT', grantee)
FROM dba_tab_privs
WHERE grantee = :name
AND ROWNUM = 1
UNION ALL
SELECT dbms_metadata.get_granted_ddl('TABLESPACE_QUOTA', username)
FROM dba_ts_quotas
WHERE username = :name
AND ROWNUM = 1
:name being...a bind variable for the USER you want to re-create.

Oracle: How to drop role, which has no owner with admin option

I have a role in oracle database. The role was created by some user (unknown), but currently no user has admin option on the role.
I know that the role exists:
SELECT * FROM DBA_ROLES WHERE ROLE = 'roleName';
The query returns the role.
No user has admin option
SELECT rp.grantee, rp.granted_role, rp.admin_option
FROM dba_role_privs rp
JOIN dba_users u
ON rp.grantee = u.username
WHERE admin_option = 'YES'
AND rp.granted_role = 'roleName'
ORDER BY grantee, granted_role;
The query returns nothing.
I need to drop the role.
I don't know how this situation appeared, because for all other roles, some user with admin option exists. Could someone help me?
Thanks

SQL: Recursion With a Join Confusion

I'll start by laying out what I'm trying to do and then I'll list the code I've made so far.
I'm coding in Oracle PL/SQL on the Application Express Platform
I have two tables: USERS and LEADS.
Leads Columns: LEADID, COMPANYNAME, CONTACTNAME, OWNER
Users Columns: EMAIL, SUPER, ROLE
Foreign Keys:
OWNER is a foreign key that refers to EMAIL in USERS
SUPER is a foreign key that refers to EMAIL in USERS
SUPER is the supervisor of a given person. ROLE is their position in the company
There are about 5 levels. 'PEON','MGR','DIR','SRDIR','VP'
Peons are the only people with leads assigned to them.
I'm trying to generate a report that returns rows containing the following
SUBORDINATE, NUMLEADS
Subordinate is anyone directly under the user using the application. I have code for that
select U.EMAIL as Subordinate
from USERS U
WHERE lower(v('APP_USER')) = U.SUPER
Numleads is all the leads created by peons under the subordinate's organization. I currently have code to list the number of peons under the current user
select count(*)
from USERS U2
where U2.ROLE = 'PEON'
start with lower(v('APP_USER')) = U2.EMAIL
connect by NOCYCLE prior U2.email = U2.super
I'm part of the way there, but I'm confused how to reference the result of a query in a recursive sequence. I know I need to query all PEONS under the subordinates of the current user, JOIN them with all leads they're associated with, and then count the number of leads. But I'm not sure how to order that in SQL.
Your help is much appreciated
EDIT: Answer figured out thanks to JBrooks
select U.EMAIL as Sub, count(*) as CreatedAllTime
from USERS U
left join USERS UPEON
on UPEON.EMAIL in
(
select UPEON2.EMAIL
from USERS UPEON2
where UPEON2.ROLE = 'PEON'
start with U.EMAIL = UPEON2.EMAIL
connect by NOCYCLE prior UPEON2.email = UPEON2.super
)
left join LEADS L
on UPEON.EMAIL = L.OWNER
where U.EMAIL in
(
select U2.EMAIL as Sub
from USERS U2
WHERE lower(v('APP_USER')) = U2.SUPER
)
group by U.EMAIL
select U2.Email as Subordinate,
count(*) as NumLeads
from USERS U2
left join LEADS l
on U2.Email = l.Owner
where U2.ROLE = 'PEON'
and lower(v('APP_USER')) in
(select EMAIL
from USERS S
-- SUPER is the supervisor column of USERS, as defined in the question
START WITH lower(v('APP_USER')) = lower(S.SUPER)
CONNECT BY PRIOR EMAIL = SUPER)
group by U2.Email
order by U2.Email

Oracle : Who created a role?

I have a role in Oracle and I would like to know the user who created it.
select * from DBA_ROLES ;
select * from sys.user$ ;
The queries were not of much help for me.
Any ideas?
If you have auditing turned on then you should be able to see this information in DBA_AUDIT_TRAIL:
SELECT
username
,extended_timestamp
,owner
,obj_name
,action_name
FROM dba_audit_trail
WHERE action = 52 --CREATE ROLE
ORDER BY timestamp;
Check the value of audit_trail to see if it is on:
SELECT value
FROM v$parameter
WHERE NAME = 'audit_trail'
;
This article explains auditing a bit more.
You can get help from below query.
SQL> SELECT rp.grantee, rp.granted_role, rp.admin_option
FROM dba_role_privs rp
JOIN dba_users u
ON rp.grantee = u.username
WHERE admin_option = 'YES'
ORDER BY grantee, granted_role;
GRANTEE                        GRANTED_ROLE                             ADM
------------------------------ ---------------------------------------- ---
ADMIN1                         DBA                                      YES
CTXSYS                         CTXAPP                                   YES
LBACSYS                        LBAC_DBA                                 YES
SPATIAL_CSW_ADMIN_USR          SPATIAL_CSW_ADMIN                        YES
SYS                            ADM_PARALLEL_EXECUTE_TASK                YES
SYS                            APPLICATION_TRACE_VIEWER                 YES
SYS                            AQ_ADMINISTRATOR_ROLE                    YES

How to find the privileges and roles granted to a user in Oracle? [duplicate]

I am using Linux, Oracle10g.
I have created one user called test and granted create session and select any dictionary permission to the same user.
I also granted sysdba and sysoper roles to the same user.
Now I want to display all the privileges and roles granted to the user.
I found the following query, but it shows only create session and select dictionary privileges.
select privilege
from dba_sys_privs
where grantee='SAMPLE'
order by 1;
Please help to resolve the issue.
Thanks
In addition to VAV's answer, the first one was most useful in my environment:
select * from USER_ROLE_PRIVS where USERNAME='SAMPLE';
select * from USER_TAB_PRIVS where Grantee = 'SAMPLE';
select * from USER_SYS_PRIVS where USERNAME = 'SAMPLE';
Look at http://docs.oracle.com/cd/B10501_01/server.920/a96521/privs.htm#15665
Check USER_SYS_PRIVS, USER_TAB_PRIVS, USER_ROLE_PRIVS tables with these select statements
SELECT * FROM USER_SYS_PRIVS;
SELECT * FROM USER_TAB_PRIVS;
SELECT * FROM USER_ROLE_PRIVS;
None of the other answers worked for me so I wrote my own solution:
As of Oracle 11g.
Replace USER with the desired username
Granted Roles:
SELECT *
FROM DBA_ROLE_PRIVS
WHERE GRANTEE = 'USER';
Privileges Granted Directly To User:
SELECT *
FROM DBA_TAB_PRIVS
WHERE GRANTEE = 'USER';
Privileges Granted to Role Granted to User:
SELECT *
FROM DBA_TAB_PRIVS
WHERE GRANTEE IN (SELECT granted_role
FROM DBA_ROLE_PRIVS
WHERE GRANTEE = 'USER');
Granted System Privileges:
SELECT *
FROM DBA_SYS_PRIVS
WHERE GRANTEE = 'USER';
If you want to look up the user you are currently connected as, you can replace DBA in the table name with USER and remove the WHERE clause.
Combining the earlier suggestions to determine your personal permissions (i.e. 'USER' permissions), then use this:
-- your permissions
select * from USER_ROLE_PRIVS where USERNAME= USER;
select * from USER_TAB_PRIVS where Grantee = USER;
select * from USER_SYS_PRIVS where USERNAME = USER;
-- granted role permissions
select * from ROLE_ROLE_PRIVS where ROLE IN (select granted_role from USER_ROLE_PRIVS where USERNAME= USER);
select * from ROLE_TAB_PRIVS where ROLE IN (select granted_role from USER_ROLE_PRIVS where USERNAME= USER);
select * from ROLE_SYS_PRIVS where ROLE IN (select granted_role from USER_ROLE_PRIVS where USERNAME= USER);
If privileges are given to a user through some roles, then the SQL below can be used:
select * from ROLE_ROLE_PRIVS where ROLE = 'ROLE_NAME';
select * from ROLE_TAB_PRIVS where ROLE = 'ROLE_NAME';
select * from ROLE_SYS_PRIVS where ROLE = 'ROLE_NAME';
SELECT *
FROM DBA_ROLE_PRIVS
WHERE UPPER(GRANTEE) LIKE '%XYZ%';
select *
from ROLE_TAB_PRIVS
where role in (
select granted_role
from dba_role_privs
where granted_role in ('ROLE1','ROLE2')
);
Always make SQL re-usable :-)
-- ===================================================
-- &role_name will be "enter value for 'role_name'".
-- Date: 2015 NOV 11.
-- sample code: define role_name=&role_name
-- sample code: where role like '%&&role_name%'
-- ===================================================
define role_name=&role_name
select * from ROLE_ROLE_PRIVS where ROLE = '&&role_name';
select * from ROLE_SYS_PRIVS where ROLE = '&&role_name';
select role, privilege,count(*)
from ROLE_TAB_PRIVS
where ROLE = '&&role_name'
group by role, privilege
order by role, privilege asc
;
The only visible result I was able to understand was first to connect with the user I wanted to get the rights, then with the following query:
SELECT GRANTEE, PRIVILEGE, TABLE_NAME FROM USER_TAB_PRIVS;
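
An added example, not taken from any of the answers above: direct and role-inherited system and object privileges for one user, each with the role chain that confers it, followed by a check of V$PWFILE_USERS, which is where SYSDBA and SYSOPER are recorded rather than in DBA_SYS_PRIVS. `:name` is a bind variable assumed to hold the user name in upper case, and the session is assumed to have access to the DBA_ views.

```sql
-- Added example. :name = user to review, in upper case (assumption).
WITH role_tree AS (
  -- Walk role-to-role grants starting from the user's directly granted roles.
  SELECT granted_role,
         SYS_CONNECT_BY_PATH(granted_role, ' -> ') AS via
  FROM   dba_role_privs
  START  WITH grantee = :name
  CONNECT BY PRIOR granted_role = grantee
)
SELECT 'SYSTEM' AS kind,
       sp.privilege,
       CAST(NULL AS VARCHAR2(300)) AS object_name,
       'direct' AS granted_via
FROM   dba_sys_privs sp
WHERE  sp.grantee = :name
UNION ALL
-- System privileges inherited through any role in the tree
SELECT 'SYSTEM', sp.privilege, NULL, :name || rt.via
FROM   role_tree rt
       JOIN dba_sys_privs sp ON sp.grantee = rt.granted_role
UNION ALL
SELECT 'OBJECT', tp.privilege, tp.owner || '.' || tp.table_name, 'direct'
FROM   dba_tab_privs tp
WHERE  tp.grantee = :name
UNION ALL
-- Object privileges inherited through any role in the tree
SELECT 'OBJECT', tp.privilege, tp.owner || '.' || tp.table_name, :name || rt.via
FROM   role_tree rt
       JOIN dba_tab_privs tp ON tp.grantee = rt.granted_role
ORDER  BY kind, privilege, object_name;

-- SYSDBA / SYSOPER are administrative privileges held in the password file,
-- so they never appear in DBA_SYS_PRIVS or DBA_ROLE_PRIVS.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
WHERE  username = :name;
```

Grants made to PUBLIC apply to every account but are not attributed to the user by this query; run it with `:name` set to `PUBLIC` to list them.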
