I'm using Oracle's 10g version.
In the database, I would like to create a configuration table and fill it with data.
Then the other users can not change anything in it, and even better that it was not at all visible to other users. Is it possible to somehow hide the table?
Regards
Create a separate schema for that table. Create a package that provides an API to your configuration data (e.g. to get a value that is needed by another program).
Revoke CREATE SESSION privilege from that schema (i.e. just don't grant any privileges to the schema at all). Don't grant any privileges on the table. The only users who will be able to see the table are those with DBA privileges.
The only thing that database sessions will be able to do is execute the package, IF they have been granted EXECUTE privilege on it.
If you do not grant enough privileges to other users, they could not see your objects.
Related
I granted the CREATE SESSION privilege to a recently created database user, and I granted him the SELECT privilege on some objects for different database schemas.
I find an apps schema (SCHEMA#) in v$session that is different from the database USERNAME recently created, and I would like to understand the phenomenon.
I think that he executes alter session set current schema and I would like to know if is it possible to revoke alter session privilege in Oracle 11g.
The documentation for the alter session statement says:
To enable and disable the SQL trace facility, you must have ALTER SESSION system privilege.
To enable or disable resumable space allocation, you must have the RESUMABLE system privilege.
You do not need any privileges to perform the other operations of this statement unless otherwise indicated.
As you don't need any privileges to perform alter session set current_schema, there is nothing you can revoke to prevent that being done. If you had actually granted alter session - which you haven't, from what you said - then you could of course still revoke that, but it would make no difference to the ability to change the current schema.
But this isn't really a problem, and is mentioned in the security guide as a good thing:
For example, a given schema might own the schema objects for a specific application. If application users have the privileges to do so, then they can connect to the database using typical database user names and use the application and the corresponding objects. However, no user can connect to the database using the schema set up for the application. This configuration prevents access to the associated objects through the schema, and provides another layer of protection for schema objects. In this case, the application could issue an ALTER SESSION SET CURRENT_SCHEMA statement to connect the user to the correct application schema.
Your recently-created user does not have any additional privileges or abilities simply by changing their current schema. They have not 'become' that schema; they can still only do the things you specified by granting select privileges on objects. They can't see anything else, and can't do any more to the objects they can see. They haven't inherited any of the privileges that schema has - so they can't create or drop objects under that schema, for instance. (You would have to explicitly grant them additional any privileges, which presumably you have no intention of doing.)
What they can do is reference those objects without having to prefix them with the schema name, and without having to create synonyms. But they can still only select from them (if that is the only privilege you granted).
I want to import schema to my new host. First I had created new user account:
CREATE USER test IDENTIFIED BY test;
What kind of privileges I need to grant to have super role?
(create schema, tables, packages, triggers...etc)
It's one privilege to grant me access to all of them?
You should grant only those privileges that are required for a newly created user to work. One by one.
CREATE SESSION is the first one; without it, user can't even connect to the database.
CREATE TABLE is most probably also required, if user TEST is going to create his own tables.
That's enough to get it started. Once it appears that user needs to create a procedure, you'll grant CREATE PROCEDURE. And so forth.
There are/were roles named CONNECT and RESOURCE which contained the "most frequent" privileges one needed, but their use is - as far as I can tell & in my opinion - discouraged.
Is there a way to grant privileges of select, insert, update and delete to a user so that if we add a new table later, the user still have these privileges on the new table ?
Thanks for help,
The quickest and dirtiest way to go about something like this is to create a trigger on all create table statements in the DB, and then granting privileges on tables fitting your pre-defined conditions.
However, I don't see why not to add a grant command to every create table command ran in the system.
Bear in mind that DDLs and grant commands are not something to be taken lightly. Designing your schema and its privileges should be done with careful thought, and automating is a recipe for problems further down the road.
Although not a recommended practice for security reasons on a development instance this is acceptable
grant select, insert, update, delete any table to your_user;
I stress again that this allows that user access to any table in any schema except SYS and is not a best practice.
I would like to know if there is a way to grant permissions to, for example, create table on a schema, from a different user.
I want to do this without granting DBA role, nor granting "ANY" permissions (grant create any table to XXXX).
I use this occasionally to satisfy devs who want a read-only account. This will create DDL that will give appropriate select or execute permissions. It would not be difficult to modify that to include update and delete.
For our application we're using outsorced Oracle administration. Now we'd like to prevent external oracle administrator from changing our data (DELETE, INSERT, UPDATE).
Is there any way how to do it?
Is there possible to REVOKE eg. UPDATE ANY TABLE to SYS account and is this sufficient?
I have read the Oracle Security Guide but haven't found anything. Only a statement: Do not use a DBA role which contains eg. the UPDATE ANY TABLE privilege.
I see I also should REVOKE GRANT ANY PRIVILEGE ...
Simply I'd need a complex guide how to do it and I'm not able to find any document about it.
Thanks