I have a user on DB1 with only SELECT privileges.
I have a DBLink to DB2 created on DB1.
What are the privileges that the user will have on DB2 tables? Do they depend on his privileges on DB2?
Thank you
If you look at the syntax of a database link, the privileges one has with the database link are dependent on the database user which is being used to connect with the database being linked.
For example, with the database link below, the apps database account is being used on the db2 database.
Thus whatever privileges are granted to apps#db2, system or object, these are the privileges which user1#db1, the owner of the dblink, has through this database link.
CREATE DATABASE LINK user1.db1_to_db2.cm.big_company.com
CONNECT TO apps IDENTIFIED BY VALUES apps_password USING '(DESCRIPTION=
(ADDRESS_LIST=
(ADDRESS=(PROTOCOL=tcp)(HOST=hostname.cm.big_company.com)(PORT=1577))
)
(CONNECT_DATA=
(SERVICE_NAME=db2)
)
)';
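Added example, not part of the original answer: one way to limit what a fixed-user link exposes is to point it at a dedicated low-privilege account on DB2 instead of apps, then check over the link what that account can actually do. The account link_reader, the table sales.orders, the link name db1_to_db2_ro and the password placeholder are assumptions.

```sql
-- Added example; link_reader, sales.orders and db1_to_db2_ro are hypothetical names.

-- 1. On DB2 (as a DBA): a dedicated account holding only what the link needs.
CREATE USER link_reader IDENTIFIED BY "change_me_placeholder";
GRANT CREATE SESSION TO link_reader;
GRANT SELECT ON sales.orders TO link_reader;

-- 2. On DB1 (as user1, who needs CREATE DATABASE LINK): a fixed-user link
--    that logs in to DB2 as link_reader rather than apps.
CREATE DATABASE LINK db1_to_db2_ro
  CONNECT TO link_reader IDENTIFIED BY "change_me_placeholder"
  USING '(DESCRIPTION=
           (ADDRESS_LIST=
             (ADDRESS=(PROTOCOL=tcp)(HOST=hostname.cm.big_company.com)(PORT=1577)))
           (CONNECT_DATA=(SERVICE_NAME=db2)))';

-- 3. On DB1: list what the link's remote session can do.
--    These views are evaluated on DB2 as the CONNECT TO user, so the result
--    does not depend on the privileges user1 holds on DB1.
SELECT privilege FROM session_privs@db1_to_db2_ro ORDER BY privilege;
SELECT role FROM session_roles@db1_to_db2_ro ORDER BY role;
SELECT owner, table_name, privilege
  FROM user_tab_privs@db1_to_db2_ro
 WHERE grantee = 'LINK_READER'
 ORDER BY owner, table_name, privilege;

-- 4. On DB1 (as a DBA): audit every link and the remote account it logs in as.
--    A link created without CONNECT TO logs in remotely as the calling user.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY owner, db_link;
```

Running step 3 against an existing link before replacing it shows how much the current CONNECT TO account exposes to every DB1 user who can reference that link.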
I can't grant select on some tables (say SYS.AQ$SCHEDULER_EVENT_QTAB).
However, I can see these tables in dba_objects.
I've an absolutely free autonomous database on Oracle cloud.
What should I do?
The ADMIN user does not have privileges to grant access to SYS objects in an Autonomous Database. Because of the shared nature of autonomous database services, full access to the SYS schema is not possible. If access to the tables or views in question cannot be obtained from an existing pre-defined role, then you will not be able to access them directly. From the documentation:
Because Oracle Autonomous Database imposes security controls and
performs administrative database tasks for you, the ADMIN user does
not have as many privileges as the SYS user. Here is a list of the
privileges that the ADMIN user does not have but that the SYS user in
an Oracle Database does have:
ALTER LOCKDOWN PROFILE
BACKUP ANY TABLE
BECOME USER
CREATE ANY JOB
CREATE ANY LIBRARY
CREATE LIBRARY
CREATE LOCKDOWN PROFILE
CREATE PLUGGABLE DATABASE
DEQUEUE ANY QUEUE
DROP LOCKDOWN PROFILE
EM EXPRESS CONNECT
ENQUEUE ANY QUEUE
EXPORT FULL DATABASE
FLASHBACK ANY TABLE
FLASHBACK ARCHIVE ADMINISTER
GRANT ANY PRIVILEGE
GRANT ANY ROLE
IMPORT FULL DATABASE
INHERIT ANY PRIVILEGES
LOGMINING
MANAGE ANY FILE GROUP
MANAGE ANY QUEUE
MANAGE FILE GROUP
USE ANY JOB RESOURCE
USE ANY SQL TRANSLATION PROFILE
I tried to update table wwv_flow_item_list in an Oracle Autonomous Database on cloud but I get an insufficient privileges error. I can't even select data from those tables (all wwv prefix). User is ADMIN. Which user has rights to perform these tasks?
When I use the query below to display the pluggable databases in Oracle 12c as user "sys as sysdba":
select name from v$containers;
I see all the pluggable databases. But when I connect as a normal user, I see CDB$ROOT only.
I want to use a normal user to display all the pluggable databases. What permission do I need to grant to the normal user to display all of them, the same as "sys as dba"?
Thanks a lot
Only users in the container database will be able to see pluggable databases; so you would need to create a user ID in the container database, and grant that user the role SELECT_CATALOG_ROLE and CREATE SESSION and then log into the container database with that new user ID, and you should be good.
By design and intent, users created in a pluggable database cannot see other pluggable database contents. That's one of the main benefits; isolation.
What is the purpose of the CONNECT role in Oracle?
select * from role_sys_privs where role='CONNECT';
ROLE     PRIVILEGE       ADMIN_OPTION
CONNECT  CREATE SESSION  NO
So based on the above information it is used to create session.
But I can find users who don't have the CONNECT role but can still access the database.
So what is this CREATE SESSION about, and what can it do? Is it necessary for all the users?
According to the Database Security Guide, the CONNECT ROLE was changed in Oracle Database 10.2:
The CONNECT role was originally established with a special set of privileges.
These privileges were as follows:
ALTER SESSION
CREATE SESSION
CREATE CLUSTER
CREATE SYNONYM
CREATE DATABASE LINK
CREATE TABLE
CREATE SEQUENCE
CREATE VIEW
Beginning in Oracle Database 10g Release 2, the CONNECT role has only the CREATE SESSION privilege, all other privileges are removed.
I'm using Oracle XE but I would like to log in as a user that can create tables, constraints etc., but who cannot view all of the other system tables and stuff that you see when you log in with the system account.
How can I achieve this?
You need to create a new user with:
CREATE USER xxx IDENTIFIED BY yyyy;
From there, issue GRANT for the privileges you want to give the user:
GRANT CREATE SESSION TO xxx;
GRANT CREATE TABLE TO xxx;
GRANT CREATE VIEW TO xxx;
etc.
See the SQL Reference documentation for all the privileges you can grant. User xxx will only be able to see their own objects and objects they have been granted privileges on.