I would like to know if there is a way to grant permissions to, for example, create table on a schema, from a different user.
I want to do this without granting DBA role, nor granting "ANY" permissions (grant create any table to XXXX).
I use this occasionally to satisfy devs who want a read-only account. This will create DDL that will give appropriate select or execute permissions. It would not be difficult to modify that to include update and delete.
Related
I have an Oracle user user1 and a schema schema1. I want to give permissions insert, update and delete to this user on this schema.
I only find in the documentation that I can give permissions on this schema tables.
Is there a way to give permission on whole schema?
You can add roles and privileges to the user or use the grant command.
https://docs.oracle.com/javadb/10.8.3.0/ref/rrefsqljgrant.html
You can also use the GRANT ALL PRIVILEGES TO {USERNAME} command.
I want to import schema to my new host. First I had created new user account:
CREATE USER test IDENTIFIED BY test;
What kind of privileges I need to grant to have super role?
(create schema, tables, packages, triggers...etc)
It's one privilege to grant me access to all of them?
You should grant only those privileges that are required for a newly created user to work. One by one.
CREATE SESSION is the first one; without it, user can't even connect to the database.
CREATE TABLE is most probably also required, if user TEST is going to create his own tables.
That's enough to get it started. Once it appears that user needs to create a procedure, you'll grant CREATE PROCEDURE. And so forth.
There are/were roles named CONNECT and RESOURCE which contained the "most frequent" privileges one needed, but their use is - as far as I can tell & in my opinion - discouraged.
Whenever I give a user "all privileges" in ORACLE (example below), what does this actually do?
My understanding is that it gives a user any privilege, e.g inserting, deleting etc within that schema but not to any schema in the DB?
grant all privileges to my_user;
You can grant all [privileges] on <some object>, but you aren't specifying an object; so you are granting system privileges:
The documentation for system privileges says:
Oracle Database provides the ALL PRIVILEGES shortcut for granting all the system privileges listed in Table 18-1, except the SELECT ANY DICTIONARY, ALTER DATABASE LINK, and ALTER PUBLIC DATABASE LINK privileges.
System privileges are not always restricted to a schema. That table includes a lot of ANY privileges, which are specifically not restricted to a schema. If you grant all privileges to a user they will be able to create or alter a table in any schema, for example. That probably isn't what you want.
There is no shortcut to grant only schema-restricted privileges. You'll need to grant CREATE TABLE, CREATE INDEX, etc. explicitly.
It's common practice to create a role to which you grant the necessary privileges, and then you just have to grant that role to your users. (Although you sometimes still need to grant privileges directly to users, e.g. if they are required in a stored procedure).
Is there a way to grant privileges of select, insert, update and delete to a user so that if we add a new table later, the user still have these privileges on the new table ?
Thanks for help,
The quickest and dirtiest way to go about something like this is to create a trigger on all create table statements in the DB, and then granting privileges on tables fitting your pre-defined conditions.
However, I don't see why not to add a grant command to every create table command ran in the system.
Bear in mind that DDLs and grant commands are not something to be taken lightly. Designing your schema and its privileges should be done with careful thought, and automating is a recipe for problems further down the road.
Although not a recommended practice for security reasons on a development instance this is acceptable
grant select, insert, update, delete any table to your_user;
I stress again that this allows that user access to any table in any schema except SYS and is not a best practice.
I'm using Oracle's 10g version.
In the database, I would like to create a configuration table and fill it with data.
Then the other users can not change anything in it, and even better that it was not at all visible to other users. Is it possible to somehow hide the table?
Regards
Create a separate schema for that table. Create a package that provides an API to your configuration data (e.g. to get a value that is needed by another program).
Revoke CREATE SESSION privilege from that schema (i.e. just don't grant any privileges to the schema at all). Don't grant any privileges on the table. The only users who will be able to see the table are those with DBA privileges.
The only thing that database sessions will be able to do is execute the package, IF they have been granted EXECUTE privilege on it.
If you do not grant enough privileges to other users, they could not see your objects.