Oracle Roles and privileges hierarchy - oracle

Good morning,
I'm trying to understand one thing about Oracle database roles and privileges:
I am trying to create two roles: Programmer and Manager.
The idea for Programmer role users is to create and insert into tables.
The idea for Manager role users is to have access to the Programmer role privileges, PLUS update records.
I thought that if I granted the Programmer role to the Manager role, the latter could:
Create a table (from programmer role);
Insert into a table (from programmer role);
Update a record in the table (privilege set to the Manager role);
But through SQL Developer, I grant the Programmer role to the Manager role, and when I connect to the database using a Manager user, I can't find tables created on SYSTEM.A (for example).
Do I need to explicitly grant create and insert to the Manager role as well? If so, what's the point of the inheritance?
SOLUTION
Programmer role: Insert && create table privileges;
Manager role: Update && Select any table privileges;
Since my goal was to have Manager users inherit the Programmer role privileges, this can be achieved like this:
(After setting the roles and privileges):
DBA > ROLES > EDIT MANAGER ROLE > GRANTED ROLES > SELECT PROGRAMMER ROLE.
Disconnect any manager session, and re-connect.
Open a Manager SQL sheet and try to create a table and select, insert and update it. You'll see that Manager has adopted privileges from the "programmer" role.

SQL is a non-procedural language. Having said that, you don't need to think about inheritance here. Instead, grant create, insert and update privileges on the manager role explicitly.
Here's what you can do:
1- Create programmer and manager role:
SQL> CREATE ROLE role_name IDENTIFIED by pass_word;
2- Then GRANT privileges (your requirement here) to each role:
SQL> GRANT privilege TO role_name;
3- Grant users (programmers & managers) privileges by granting each user (depending on whether he is a manager or a programmer) to a particular role.
SQL> GRANT role_name TO user_name;
You may find the following link useful for more details:
http://docs.oracle.com/cd/B10501_01/server.920/a96521/privs.htm#21065
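The hierarchy from the question written out as SQL, with dictionary queries that show what the nested role delivers. This is an added example, not part of the original posts; the role names, the users dev1 and mgr1, the table dev1.orders, the passwords and the USERS tablespace are assumptions.

```sql
-- Added example, not from the original posts. Role, user and table names,
-- passwords and the USERS tablespace are assumptions.
-- Step 1, as an administrator: build the two-level role hierarchy.
CREATE ROLE programmer_role;
CREATE ROLE manager_role;
GRANT CREATE SESSION, CREATE TABLE TO programmer_role;
GRANT programmer_role TO manager_role;   -- manager inherits programmer

CREATE USER dev1 IDENTIFIED BY "Placeholder_pw_1" QUOTA 10M ON users;
CREATE USER mgr1 IDENTIFIED BY "Placeholder_pw_2" QUOTA 10M ON users;
GRANT programmer_role TO dev1;
GRANT manager_role    TO mgr1;

-- Step 2, as dev1: CREATE TABLE comes from the role; the owner needs no
-- extra privilege to insert into a table in their own schema.
CREATE TABLE orders (id NUMBER PRIMARY KEY, status VARCHAR2(20));
INSERT INTO orders (id, status) VALUES (1, 'NEW');
COMMIT;

-- Step 3, as dev1 (the owner): a role passes on only the privileges it
-- holds, so access to another schema's table is a separate object grant.
GRANT SELECT, UPDATE ON orders TO manager_role;

-- Step 4, as an administrator: inspect what each role holds.
SELECT grantee, granted_role FROM dba_role_privs
WHERE  grantee IN ('MANAGER_ROLE', 'DEV1', 'MGR1');
SELECT grantee, privilege FROM dba_sys_privs
WHERE  grantee IN ('PROGRAMMER_ROLE', 'MANAGER_ROLE');
SELECT grantee, owner, table_name, privilege FROM dba_tab_privs
WHERE  grantee = 'MANAGER_ROLE';

-- Step 5, as mgr1 in a NEW session (newly granted roles are enabled at
-- the next logon):
SELECT role FROM session_roles;        -- roles enabled, nested ones included
SELECT privilege FROM session_privs;   -- system privileges in effect
CREATE TABLE mgr_notes (id NUMBER);    -- uses CREATE TABLE via programmer_role
UPDATE dev1.orders SET status = 'APPROVED' WHERE id = 1;  -- uses object grant
COMMIT;
```

Granting UPDATE on named tables to the manager role keeps the scope to those tables, whereas a system privilege such as UPDATE ANY TABLE applies across schemas.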

Related

Oracle role is not working

Our DBA team created a role (standardRole) to easily manage the minimum system privileges in our organization; this role currently has one system privilege, which is the 'Create Session' privilege.
I created a user and granted him this role (standardRole). The user tried to connect using Toad but failed, and this error message appeared - ORA-01045: user user1 lacks CREATE SESSION privilege; logon denied.
Then I granted him the 'Create Session' privilege directly this time, in addition to the role that he already has, and he successfully connected to the database.
So I am a little confused: why is 'Create Session' granted through the role not working, but if it's granted directly it's working fine?
I tried to search about this topic on Google, and I found some interesting information in Oracle Help Center, but to be honest I didn't understand it 100%.
We must specify the role as default when it is granted; if the role is default, the database will set the role automatically when the user creates his session.
The user can also make the role enabled by using this command:
set role (role name)
You need to make the role a default role.
To do this, run
ALTER USER user_name DEFAULT ROLE CONNECT;
If there are several roles, then you need to execute
ALTER USER user_name DEFAULT ROLE ALL;
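A diagnostic sequence for the ORA-01045 case above, as an added example that is not part of the original posts. It uses user1 and standardRole from the question and assumes both were created without quotes, so the dictionary stores them in upper case.

```sql
-- Added example, not from the original posts. Run as an administrator.
-- user1 and standardRole come from the question; unquoted identifiers are
-- stored in upper case, hence the literals below (an assumption).

-- 1. Is the role granted to the user, and is it flagged as a default role?
SELECT grantee, granted_role, default_role
FROM   dba_role_privs
WHERE  grantee = 'USER1';

-- 2. Does the role itself carry CREATE SESSION?
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  grantee = 'STANDARDROLE';

-- 3. Is the role protected by a password or other authentication? Such a
--    role has to be enabled explicitly inside a session with SET ROLE.
SELECT role, authentication_type
FROM   dba_roles
WHERE  role = 'STANDARDROLE';

-- 4. Does the user also hold CREATE SESSION directly (the workaround)?
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  grantee = 'USER1';

-- Fix: make the role default so it is enabled at logon. Listing one role
-- makes every role not listed non-default; use ALL to keep them all.
ALTER USER user1 DEFAULT ROLE ALL;

-- Once logon works through the role, remove the direct grant so the role
-- stays the single place where the minimum privileges are managed.
REVOKE CREATE SESSION FROM user1;
```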

Privileges needed to create schema (Oracle)

I want to import a schema to my new host. First I created a new user account:
CREATE USER test IDENTIFIED BY test;
What kind of privileges do I need to grant to have a super role?
(create schema, tables, packages, triggers, etc.)
Is there one privilege to grant me access to all of them?
You should grant only those privileges that are required for a newly created user to work. One by one.
CREATE SESSION is the first one; without it, user can't even connect to the database.
CREATE TABLE is most probably also required, if user TEST is going to create his own tables.
That's enough to get it started. Once it appears that user needs to create a procedure, you'll grant CREATE PROCEDURE. And so forth.
There are/were roles named CONNECT and RESOURCE which contained the "most frequent" privileges one needed, but their use is - as far as I can tell & in my opinion - discouraged.

Oracle- GRANT ALL PRIVILEGES?

Whenever I give a user "all privileges" in ORACLE (example below), what does this actually do?
My understanding is that it gives a user any privilege, e.g. inserting, deleting etc. within that schema, but not to any schema in the DB?
grant all privileges to my_user;
You can grant all [privileges] on <some object>, but you aren't specifying an object; so you are granting system privileges:
The documentation for system privileges says:
Oracle Database provides the ALL PRIVILEGES shortcut for granting all the system privileges listed in Table 18-1, except the SELECT ANY DICTIONARY, ALTER DATABASE LINK, and ALTER PUBLIC DATABASE LINK privileges.
System privileges are not always restricted to a schema. That table includes a lot of ANY privileges, which are specifically not restricted to a schema. If you grant all privileges to a user they will be able to create or alter a table in any schema, for example. That probably isn't what you want.
There is no shortcut to grant only schema-restricted privileges. You'll need to grant CREATE TABLE, CREATE INDEX, etc. explicitly.
It's common practice to create a role to which you grant the necessary privileges, and then you just have to grant that role to your users. (Although you sometimes still need to grant privileges directly to users, e.g. if they are required in a stored procedure).
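An audit query for the situation described above, as an added example that is not part of the original posts: it lists every cross-schema ANY privilege a user holds, whether granted directly or reached through nested roles, and then replaces the blanket grant with schema-restricted privileges. MY_USER is the grantee from the question; the privileges re-granted at the end are an assumed minimum.

```sql
-- Added example, not from the original posts. Run as an administrator.
-- MY_USER is the grantee from the question, stored in upper case.

-- Effective ANY privileges: direct grants plus grants held by any role in
-- the user's role tree. CONNECT BY walks role-to-role grants to any depth.
SELECT DISTINCT sp.privilege,
       sp.grantee AS granted_via
FROM   dba_sys_privs sp
WHERE  sp.privilege LIKE '% ANY %'
AND   (sp.grantee = 'MY_USER'
       OR sp.grantee IN (
            SELECT rp.granted_role
            FROM   dba_role_privs rp
            START WITH rp.grantee = 'MY_USER'
            CONNECT BY PRIOR rp.granted_role = rp.grantee
          ))
ORDER  BY sp.privilege, granted_via;

-- Number of system privileges granted directly to the user; a large
-- count is a sign of a blanket GRANT ALL PRIVILEGES.
SELECT COUNT(*) AS direct_sys_privs
FROM   dba_sys_privs
WHERE  grantee = 'MY_USER';

-- Undo the blanket grant from the question, then grant only privileges
-- that act inside the user's own schema (assumed minimum set).
REVOKE ALL PRIVILEGES FROM my_user;
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW,
      CREATE SEQUENCE, CREATE PROCEDURE, CREATE TRIGGER
TO    my_user;
```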

Oracle assign table permission

In Oracle, a table 'MyTable' is owned by 'User1'; how can I grant table access permission to another user, say 'User2'?
In SQL Server, we have some application access permission; does Oracle have something?
You can grant SELECT privileges (or INSERT, UPDATE, DELETE, and a few others like REFERENCES) to a user:
GRANT SELECT
ON user1.MyTable
TO user2;
It would be more common, though, to create a role, grant the privileges to the role, and then grant the role to whatever users need it, i.e.
CREATE ROLE user1_select;
GRANT SELECT
ON user1.MyTable
TO user1_select;
GRANT user1_select
TO user2;
That makes it easier in the future to grant a single role to more users and to ensure that all the users with a specific job function have the same set of roles rather than trying to make sure that you've granted everyone access to exactly the same set of objects.

Hide tables in Oracle XE database

I'm using Oracle XE but I would like to log in as a user that can create tables, constraints etc., but who cannot view all of the other system tables and stuff that you see when you log in with the system account.
How can I achieve this?
You need to create a new user with:
CREATE USER xxx IDENTIFIED BY yyyy;
From there, issue GRANT for the privileges you want to give the user:
GRANT CREATE SESSION TO xxx;
GRANT CREATE TABLE TO xxx;
GRANT CREATE VIEW TO xxx;
etc.
See the SQL Reference documentation for all the privileges you can grant. User xxx will only be able to see their own objects and objects they have been granted privileges on.
