To be brief, I won't explain why I want to do this, just what I want to do.
I have two users (which I use as schemas) A and B. Both have a table USERS. Both USERS tables have a column ID. Every A.USERS.ID is found in B.USERS.ID and every B.USERS.ID is found in A.USERS.ID (I put constraints on that). The only other shared columns between A.USERS and B.USERS are NAME and AGE.
EDIT: To make this clearer... The problem I have is that the values of NAME and AGE are not the same between schemas A and B. For example, user ID 723 in A has A.NAME='John Vincent'. In B, the B.NAME='JJ Vincent'. I want NAME and AGE to be the same at all times. So, I figure that I need to store it in one place and make it visible in two places.
When I let someone query B.USERS, I want B.USERS.NAME and B.USERS.AGE to actually be A.USERS.NAME and A.USERS.AGE. This is the query that I could use if I had permission to query both A and B:
select B.USERS.ID, A.USERS.NAME, A.USERS.AGE from B.USERS join A.USERS on B.USERS.ID = A.USERS.ID
However, I don't want to grant access to A to everyone. I only want to grant access to B (similarly, some people only have access to A and those people are the only ones I want to update the values of NAME and AGE).
I know I can't make just 2 columns be a view. Is there some other trick to make NAME and AGE be a view of A, but have permissions of B? I hope that I've explained enough to make sense. Just trying to avoid writing a dissertation.
You can grant update, insert, delete on B and A to whomever should be able to get to either or. If you want limited view based on your query, you can grant access solely to a view without granting access to the tables.
If you need column-specific update access to B, then you can do "column level security" in Oracle.
Something like "grant update (column_name) on table_name to user_name", and you'll have granted access to update only "column_name" in that table.
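The design these answers point to, as an added example that is not part of the original posts: A keeps NAME and AGE, B.USERS becomes a view over them, and readers are granted the view only. USERS_LOCAL, B_READER, A_EDITOR and the CITY column are assumed names for illustration.

```sql
-- Added example; USERS_LOCAL, B_READER, A_EDITOR and CITY are assumed names.

-- Run as A: B's view will read A.USERS. WITH GRANT OPTION is needed because
-- B is going to grant SELECT on that view to other accounts.
GRANT SELECT ON a.users TO b WITH GRANT OPTION;

-- Run as A: the maintainers of NAME and AGE may change those two columns only.
GRANT SELECT ON a.users TO a_editor;
GRANT UPDATE (name, age) ON a.users TO a_editor;

-- Run as B, after the differing values have been reconciled into A:
-- move B's own data aside and drop its private copies of NAME and AGE.
ALTER TABLE users RENAME TO users_local;
ALTER TABLE users_local DROP (name, age);

-- Run as B: B.USERS is now a view; NAME and AGE are read from A at query time.
CREATE OR REPLACE VIEW users AS
SELECT l.id, a_u.name, a_u.age, l.city
FROM   users_local l
JOIN   a.users a_u ON a_u.id = l.id
WITH READ ONLY;

-- Run as B: readers get the view and nothing else,
-- with no grant on A.USERS or on USERS_LOCAL.
GRANT SELECT ON users TO b_reader;

-- Run as a DBA: confirm what the reader account actually holds.
SELECT owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee = 'B_READER';
```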
I get a query file and commit it, but I have to choose the schema before it to not get the following error; do you have any idea how to do it?
Thanks for your interest.
INSERT INTO LEAD_ACTV_CONFIG (
*
ERROR at line 1:
ORA-00942: table or view does not exist
I don't know Jenkins so I hope the following makes sense. Sorry if it does not.
In order for INSERT to work, you must be connected to a database (i.e. one of its users). That user should contain LEAD_ACTV_CONFIG table, or it must be available to it (which means that some other user, who owns it, has granted the current user access privileges).
Now, if LEAD_ACTV_CONFIG is your own table, then your INSERT INTO would work properly; you don't need any additional privileges as you own the table so you can do anything with it.
If it is someone else's table, then either precede table name with owner name, such as INSERT INTO littlefoot.lead_actv_config (as if I own it), or create a synonym for that table in your schema:
create synonym lead_actv_config for littlefoot.lead_actv_config;
and access it just as you've posted in your question: insert into lead_actv_config
I have a certain requirement wherein I have been given a table name, say ABC. I want to find out which procedures, packages, MVs and functions refer to that particular table 'ABC' or do an insert or update on that table. Is there any way or query to find this?
Since I cannot look up the code of every object in the schema, I am searching for another way.
You may use Oracle System view dba_dependencies (check with your dba if you don't have access to this view).
select *
from dba_dependencies
where referenced_name='ABC'
and referenced_type='TABLE';
Beware, your objects may also use synonyms. So a second list could come with:
select *
from dba_dependencies
where referenced_name='ABC'
and referenced_type='SYNONYM';
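A broader variant of the two queries above, added as an example and not part of the original answer: it also catches synonyms whose name differs from the table's, then counts source lines in each dependent object that look like DML against the table. The owner APP is an assumed schema name, and the source scan is a line-by-line heuristic (statements split across lines, and views or materialized views, which have no rows in DBA_SOURCE, show 0).

```sql
-- Added example; APP is an assumed owner for table ABC.
WITH targets AS (
  -- the table itself
  SELECT 'APP' AS owner, 'ABC' AS name FROM dual
  UNION ALL
  -- every private or public synonym that resolves to it, whatever its name
  SELECT s.owner, s.synonym_name
  FROM   dba_synonyms s
  WHERE  s.table_owner = 'APP'
  AND    s.table_name  = 'ABC'
  AND    s.db_link IS NULL
),
dependents AS (
  -- objects that reference the table or one of those synonyms
  SELECT DISTINCT d.owner, d.name, d.type, d.referenced_name AS ref_name
  FROM   dba_dependencies d
  JOIN   targets t
    ON   t.owner = d.referenced_owner
   AND   t.name  = d.referenced_name
  WHERE  d.type <> 'SYNONYM'
)
SELECT dep.owner, dep.name, dep.type, dep.ref_name,
       COUNT(src.line) AS dml_lines   -- 0 means no write-like line was found
FROM   dependents dep
LEFT JOIN dba_source src
  ON   src.owner = dep.owner
 AND   src.name  = dep.name
 AND   src.type  = dep.type
 AND   REGEXP_LIKE(src.text,
         '(insert\s+into|update|merge\s+into|delete(\s+from)?)\s+(\w+\.)?'
         || dep.ref_name || '(\W|$)', 'i')
GROUP  BY dep.owner, dep.name, dep.type, dep.ref_name
ORDER  BY dml_lines DESC, dep.owner, dep.name;
```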
I need to get a list of all users and their tables and details.
For Example : https://www.google.com/search?q=oracle+user&source=lnms&tbm=isch&sa=X&ved=0ahUKEwi-td2pjcPMAhXEFh4KHdMAAVcQ_AUIBygB&biw=1175&bih=621#tbm=isch&q=oracle+user++sql+developer&imgrc=Qvmfp57HchgwgM%3A
In the above screen, towards the left, there is a red symbol (User), so I need the username, the associated tables (under that user) and the attributes in each table. Is this possible for all users?
Thanks
Addy
ALL USERS, ALL TABLES, 'and details'
So do you really want ALL the users? Because many users are system users - users that own objects that the database itself uses, SYS being the biggest example. You could have dozens of these accounts. I'm guessing you don't want them.
All tables, tables in the recycle bin, tables there for materialized views, do you want those too?
And 'details'. Do you want their created date, their columns, their storage parameters? The more you want, the bigger and uglier your query is going to get.
All that being said, you pointed to a screenshot of Oracle SQL Developer. It contains a data modeling feature. Use it. Reverse engineer the users you really want into a data model. And then use the data dictionary reports it offers to give you the info you want.
You have to figure out what you REALLY want first though.
I talk about how to do the RE in the data modeler here.
You can start from this:
select *
from dba_tables t
inner join dba_tab_columns
using(owner, table_name)
This will give all the tables and columns, with some information about tablespace, the type of the columns, and so on.
This shows all the users and all their tables except for SYS and SYSTEM
SELECT owner, table_name
FROM All_All_Tables
WHERE owner NOT IN ('SYS','SYSTEM')
ORDER BY 1,2
Runs on Oracle 10, 11
Referring to here and here
Would a user need both SELECT/INSERT/DELETE/UPDATE, etc. privileges on the view AND on the underlying table to be able to perform these actions? Or are privileges on EITHER the table or the view enough?
In other words, consider a user A owning the table T and the view V (constructed from T). Can a user B with the SELECT right on V execute a SELECT if he does not have the SELECT right on T, and vice versa? If he could, wouldn't that mean the view privilege "overrides" the table privilege, as A does not give him rights over T?
Update
In a related question, how about synonyms? From what I understand in a book, users need SELECT privileges on both the synonym and the underlying table. This would be different from views.
On the other hand, Oracle seems to indicate that synonyms behave similar to views.
A user can be granted the SELECT privilege on a synonym or a view
without being explicitly granted the SELECT privilege on the
originating table
Update 2
Following everyone's answer that we only need the privileges on view to select the table (at least what the view sees from the table) and no privilege on table is needed, let's consider this scenario :
Table T belongs to A
A GRANT SELECT ON T to B (without GRANT OPTION)
B CREATE VIEW V AS SELECT * FROM A.T
B GRANT SELECT ON V TO C
C performing SELECT * FROM B.V
According to what you have said, C will be able to select from V, which is therefore equivalent to selecting from T. Isn't that cheating? B is effectively letting C see A.T although C does not have the right on T and B does not have GRANT OPTION. Is there a security hole somewhere?
One of the fundamental uses of views is to protect privacy. A base table may have confidential information that some users don't need to see (for example, in an employee table, you may have salary). Some users need access to query (select), or to update, only certain fields from the base table, without having access to the full information. For example: select phone number, or update address (but no access to see salary or bonus). Then one would create a view and give those users "select" and "update" privileges on the view only, and not on the base table. (The select still goes against the base table, but the COLUMNS will be limited to those included in the view... updates can/will be made to the base table, but again, only for values in the columns included in the view.) The view can limit not only the columns, but also the rows - for example, with a WHERE clause in the view, you may exclude the CEO from the view completely.
So, one of the main uses of views is based exactly on that: some users may have privileges on the view, but not on the base table.
Yes. Usually the view runs as the view owner, and the user runs with permission on the view. So user b only needs access to the view.
However when looking at this sort of question, you may want to look into row level security as well. This works by granting access to a portion of the table to a given user or group (i.e. effectively enforcing where clauses at the end of queries). Depending on your use case, it may be simpler or more complex to manage.
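The Update 2 scenario as a script, added here as an example and not part of the original thread: Oracle lets a view owner pass on access to a view only if the owner holds the underlying privilege WITH GRANT OPTION, and otherwise rejects the grant to C with ORA-01720. A, B, C, T and V are the names from the question; B is assumed to have the CREATE VIEW privilege.

```sql
-- Added example, using the question's names A, B, C, T and V.

-- Run as A: plain grant, as in the question (no grant option).
GRANT SELECT ON t TO b;

-- Run as B: creating the view for B's own use is allowed.
CREATE VIEW v AS SELECT * FROM a.t;

-- Run as B: passing it on is not. While B lacks the grant option on A.T,
-- Oracle rejects this statement (ORA-01720), so C gets nothing.
GRANT SELECT ON v TO c;

-- Run as A: only the owner of T can open that path.
GRANT SELECT ON t TO b WITH GRANT OPTION;

-- Run as B: the same grant is now accepted, and C can query B.V
-- without holding any privilege on A.T itself.
GRANT SELECT ON v TO c;

-- Run as a DBA: list every account able to re-share A's tables,
-- directly or through views built on them.
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = 'A'
AND    grantable = 'YES'
ORDER  BY grantee, table_name;

-- Run as A: withdrawing B's privilege invalidates B.V,
-- which cuts off C's access through the view as well.
REVOKE SELECT ON t FROM b;
```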
I have tables in Schema A. I created views in Schema B using the tables in schema A.
I want to grant permissions to a user to select the data from view in Schema B.
For this to work, I know we have to enable the grant option on tables in Schema A to user B.
But I want to do it in a single script (This script has to be in schema B). Is there a way to do this using the user name/password of schema A.
It's not unusual to want to have a single script to deploy a change. The thing is, such a script needs to be run by a power user, because it needs to have system privileges at the ANY level. This usually means a DBA account, preferably an application account but otherwise SYSTEM or SYS.
So the script you want would look like this:
grant select on user_a.t23 to user_b
/
grant select on user_a.t42 to user_b
/
create view user_b.v_69 as
select t23.col1, t42.col2
from user_a.t42
join user_a.t23
on (t42.id = t23.id)
/
grant select on user_b.v_69 to user_c
/
A common scenario is that we have a suite of individual scripts which have been written to be run by different users but which we now need to bundle up into a single deployment. The original scripts don't contain the schema names, and there are many good reasons why we wouldn't want to hardcode them in the scripts.
One way to build that master script is to change the CURRENT_SCHEMA:
alter session set current_schema=USER_A
/
@run_grants_to_userb.sql
alter session set current_schema=USER_B
/
@create_view69.sql
@run_grants_to_userc.sql
We still need a DBA user to run the master script. One advantage of switching the current schema is that it allows us to deploy objects like database links, which through a quirk of syntax cannot have the schema name in their declaration. One gotcha is that the user doesn't change, so a script which employs the USER pseudo-column may produce unwanted results.
Simply run the query:
GRANT INSERT, SELECT, UPDATE, DELETE ON TABLE1 TO SCHEMA2;
Only by connecting as user A at some point. You can still do it in one script if you really want to:
connect userA/passwordA
grant select on my_table to userB;
connect userB/passwordB
create view my_view as select * from userA.my_table;
Of course now you have a script lying around which exposes two sets of user credentials to anyone who can read it. So something to think hard about before doing in production, for example.
If you want other users to be able to select from the view, you don't need to grant explicit permissions on userA.my_table to them; as long as the view owner can see the underlying table, other users just need to be able to see the view. Which is often kinda the point (or one of them) as you can restrict the view to only expose selected data from the underlying table to the rest of the world. I assume you have a reason for not creating the view in schema A.
I'm not sure if you're really asking about granting select to user B with admin option so that user B can then grant select on user A's table to other people. If that's possible, it doesn't sound like a good idea, and isn't necessary for the view to work.
Let user A grant select on his tables to B and include the 'grant option'.
As user A:
GRANT select ON table TO user_b WITH GRANT OPTION;
Let user B grant select on his views to user A and include the 'grant option'.
As user B:
GRANT select ON view TO user_a WITH GRANT OPTION;
As user A:
GRANT select on user_b.view TO user_c;
This allows user A to pass this grant on to other users.