I created a user "UserA" and granted it Create session, user, tablespace privileges.
Now logged in as "UserA", I have successfully created another user "UserB" but am unable to grant privileges to "UserB"; I get the error: ORA-01031: insufficient privileges.
What privileges should "UserA" have to be able to run grant statements?
This is what you currently have (I presume so, as you didn't post what you exactly did):
Connected as a privileged user (sys), I'm creating a new user who's being granted create session and create user privileges:
SQL> connect sys@pdb1 as sysdba
Enter password:
Connected.
SQL> select tablespace_name from dba_tablespaces;
TABLESPACE_NAME
------------------------------
SYSTEM
SYSAUX
UNDOTBS1
TEMP
USERS
SQL> create user usera identified by usera
2 default tablespace users
3 temporary tablespace temp
4 quota unlimited on users;
User created.
SQL> grant create session, create user to usera;
Grant succeeded.
As usera has been granted the create user privilege, it is allowed to create a new user - userb:
SQL> connect usera/usera@pdb1
Connected.
SQL> create user userb identified by userb
2 default tablespace users
3 temporary tablespace temp
4 quota unlimited on users;
User created.
But, granting create session fails because usera isn't allowed to do that:
SQL> grant create session to userb;
grant create session to userb
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL>
So, what can you do?
One option is to use the with admin option; back to sys and re-grant it to usera:
SQL> connect sys@pdb1 as sysdba
Enter password:
Connected.
SQL> grant create session to usera with admin option;
Grant succeeded.
Can usera now grant create session to userb? Yes!
SQL> connect usera/usera@pdb1
Connected.
SQL> grant create session to userb;
Grant succeeded.
SQL>
Another option is to grant dba role to usera:
SQL> connect sys@pdb1 as sysdba
Enter password:
Connected.
Revoking create session from usera will cascade to userb who can't create session any more:
SQL> revoke create session from usera;
Revoke succeeded.
Only usera has create session privilege:
SQL> grant create session to usera;
Grant succeeded.
But, grant dba as well
SQL> grant dba to usera;
Grant succeeded.
Can usera now grant create session to userb? Yes!
SQL> connect usera/usera@pdb1
Connected.
SQL> grant create session to userb;
Grant succeeded.
SQL>
However: note that both with admin option and dba are powerful and - if you don't pay attention - you might have a security hole in your system. Leave powerful privileges to powerful users only; all the others shouldn't be doing such tasks.
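An added example, not part of the original answer: one way to review which accounts hold the two powers warned about above, using the DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS dictionary views. It assumes Oracle 12c or later (for the ORACLE_MAINTAINED column) and a session that is allowed to read the DBA_ views.

```sql
-- Added example: run as a user who can query the DBA_* dictionary views.
-- Assumes 12c+ (DBA_USERS.ORACLE_MAINTAINED); on older releases drop that
-- predicate and exclude the built-in accounts by name instead.

-- 1. System privileges that a user account can pass on to others
--    (granted WITH ADMIN OPTION). Joining to DBA_USERS leaves out roles.
select p.grantee, p.privilege
from   dba_sys_privs p
join   dba_users     u on u.username = p.grantee
where  p.admin_option      = 'YES'
and    u.oracle_maintained = 'N'
order  by p.grantee, p.privilege;

-- 2. User accounts that hold the DBA role, either directly or through
--    a chain of roles granted to roles.
select u.username
from   dba_users u
where  u.oracle_maintained = 'N'
and    u.username in (
         select grantee
         from   dba_role_privs
         start  with granted_role = 'DBA'
         connect by prior grantee = granted_role
       )
order  by u.username;

-- 3. Narrowing the test account from the answer back down: keep the single
--    delegated privilege, drop the role.
revoke dba from usera;
```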
I have an Oracle 12c database.
I would like to grant sysdba to C##user1.
Here is user table.
When I execute this command I get an error.
grant sysdba to c##user1 container=current
Error report -
SQL Error: ORA-65175: cannot grant SYSDBA privilege locally in the root
65175. 00000 - "cannot grant SYSDBA privilege locally in the root"
*Cause: An attempt was made to grant SYSDBA privilege locally in the root
of a multitenant container database (CDB).
*Action: While connected to the root, SYSDBA privilege can only be granted
commonly.
And when I execute this command, I get 2 users of C##user1.
grant sysdba to c##user1 container=all
How can I grant sysdba to C##user1?
Thank you for viewing.
Pls help me.
Are you trying to grant sysdba to c##user1 at the Container or Root level? This is an important distinction within 12C, as the Container is logically separate from the rest of the CDB. The CON_ID column will tell you where each user resides - Con_ID=0 means that the row pertains to the entire CDB, whereas CON_ID=1 means that the row pertains to the root.
You currently have two "C##user1" users: one is a common user that is present in all containers (CON_ID=0), and the other is a local user that is specific to the root.
You already have one "C##user1" user that has the SYSDBA privilege on the entire CDB, so if that's what you want, you can connect to the root and drop the local "C##user1" user. If you just wanted a local user with the SYSDBA privilege on that root only, I would recommend dropping the "C##user1" common user, then connecting to the root and granting sysdba to the local user there.
The article I linked to is titled "Overview of the Multitenant Architecture", I would suggest giving it a review before you make a decision either way.
Under the CDB connection, try this:
grant sysdba to c##user1 container=all
I have created a user, let's call him C##USER from sysdba. Now, I'm trying to create another user from C##USER. Problem is I keep getting the following error:
ORA-01031: insufficient privileges
I have granted C##USER all privileges and have set the default role to ALL. Nothing works yet...
Any ideas? Thanks in advance.
You just need the CREATE USER system privilege, BUT don't forget to use the CONTAINER clause, which should be set to ALL. If you omit this clause, then the grantee will have the CREATE USER system privilege on the current container.
Specify CONTAINER = ALL to commonly grant a system privilege, object privilege on a common object, or role, to a common user or common role
GRANT
When a common user account is created, the account is created in all of the open pluggable databases. So the user who is creating this new user must have CREATE USER system privilege on all containers.
SQL> grant create user to c##user container=all;
Grant succeeded.
SQL> conn c##user
Enter password:
Connected.
SQL> create user c##user2 identified by user2;
User created.
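An added example, not part of the original answer: a way to check from the root whether the CREATE USER grant discussed above was made commonly or only locally, using the CDB_SYS_PRIVS and V$CONTAINERS views. C##USER is the grantee from the thread; privileges reaching the user only through a role are not listed by these queries.

```sql
-- Added example: run in CDB$ROOT as a common user who can query CDB_* views.
-- CDB_* views only return rows for containers that are currently open.

-- 1. Where does C##USER hold CREATE USER, and how was it granted?
select c.name          as container,
       p.privilege,
       p.common,                 -- YES: granted with CONTAINER=ALL
       p.admin_option
from   cdb_sys_privs p
join   v$containers  c on c.con_id = p.con_id
where  p.grantee   = 'C##USER'
and    p.privilege = 'CREATE USER'
order  by c.con_id;

-- 2. Open containers in which the direct grant is missing.
select c.name as container_without_grant
from   v$containers c
where  c.open_mode like 'READ%'
and    c.name <> 'PDB$SEED'
and    not exists (
         select 1
         from   cdb_sys_privs p
         where  p.con_id    = c.con_id
         and    p.grantee   = 'C##USER'
         and    p.privilege = 'CREATE USER'
       )
order  by c.con_id;
```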
How do I revoke all privileges for a user in SQLPlus?
I'm logged in as sysdba and I would like to revoke all privileges for a regular user.
I googled this query
REVOKE ALL PRIVILEGES, GRANT OPTION FROM user [, user] ...
but I don't understand what should I put for user, etc.
Here the answer depends on whether you want to revoke system privileges or object privileges.
The syntax differs for the two.
But as you are logging in through sysdba, I am guessing that you want to revoke system privileges.
revoke sysdba from user_name;
Here, replace user_name with your actual user, like:
revoke sysdba from nagendra;
Updated :
And to revoke all system privileges we can use :
revoke all privileges from user_name
Object privilege means privileges on tables, procedures and functions; to revoke these use:
revoke all on object_name from public
Example
revoke all on nagendra_table from public
This will remove all existing privileges on table nagendra_table from all users.
user is the name of the user you want to revoke the privileges from. The grant option clause is MySQL syntax, and does not exist in Oracle Enterprise Databases. So, if I'd like to revoke all of r_mat's privileges, I'd use:
REVOKE ALL PRIVILEGES FROM r_mat;
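An added example, not part of the original answers: system privileges, roles and object privileges are recorded in separate dictionary views, so this query lists everything granted directly to one user and generates a REVOKE statement per grant for review. R_MAT is the user from the answer above; the quoting of object names is an assumption that covers mixed-case identifiers.

```sql
-- Added example: run as a user who can query the DBA_* dictionary views.
-- The query only generates statements; nothing is revoked until a reviewed
-- statement is executed. Not covered here: grants made to PUBLIC, column
-- privileges (DBA_COL_PRIVS) and password-file privileges such as SYSDBA
-- (V$PWFILE_USERS).
select 'system privilege'           as kind,
       cast(null as varchar2(128))  as grantor,
       'revoke ' || privilege || ' from ' || grantee || ';' as stmt
from   dba_sys_privs
where  grantee = 'R_MAT'
union all
select 'role',
       cast(null as varchar2(128)),
       'revoke "' || granted_role || '" from ' || grantee || ';'
from   dba_role_privs
where  grantee = 'R_MAT'
union all
-- Object privileges: the ON clause generated here fits tables, views,
-- sequences and stored procedures; other object types (for example
-- directories) need their own form of the ON clause.
select 'object privilege',
       grantor,
       'revoke ' || privilege || ' on "' || owner || '"."' || table_name ||
       '" from ' || grantee || ';'
from   dba_tab_privs
where  grantee = 'R_MAT'
order  by 1, 3;
```

The GRANTOR column matters for the object-privilege rows: those are revoked by the user who granted them, or by an account holding GRANT ANY OBJECT PRIVILEGE.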
Can someone advise me on how to create a user in Oracle 11g and only grant that user the ability only to execute one particular stored procedure and the tables in that procedure.
I am not really sure how to do this!
Connect as SYSTEM.
CREATE USER username IDENTIFIED BY apassword;
GRANT CONNECT TO username;
GRANT EXECUTE on schema.procedure TO username;
You may also need to:
GRANT SELECT [, INSERT] [, UPDATE] [, DELETE] on schema.table TO username;
to whichever tables the procedure uses.
Follow the below steps for creating a user in Oracle.
--Connect as System user
CONNECT <USER-NAME>/<PASSWORD>@<DATABASE NAME>;
--Create user query
CREATE USER <USER NAME> IDENTIFIED BY <PASSWORD>;
--Provide roles
GRANT CONNECT,RESOURCE,DBA TO <USER NAME>;
--Provide privileges
GRANT CREATE SESSION, GRANT ANY PRIVILEGE TO <USER NAME>;
GRANT UNLIMITED TABLESPACE TO <USER NAME>;
--Provide access to tables.
GRANT SELECT,UPDATE,INSERT ON <TABLE NAME> TO <USER NAME>;
The Oracle documentation is comprehensive, online and free. You should learn to use it. You can find the syntax for CREATE USER here and for GRANT here.
In order to connect to the database we need to grant a user the CREATE SESSION privilege.
To allow the new user rights on a stored procedure we need to grant the EXECUTE privilege. The grantor must be one of these:
the procedure owner
a user granted execute on that procedure with the WITH ADMIN option
a user with the GRANT ANY OBJECT privilege
a DBA or other super user account.
Note that we would not normally need to grant rights on objects used by a stored procedure in order to use the procedure. The default permission is that we execute the procedure with the same rights as the procedure owner and, as it were, inherit their rights when executing the procedure. This is covered by the AUTHID clause. The default is definer (i.e. procedure owner). Only if the AUTHID is set to CURRENT_USER (the invoker, that is our new user) do we need to grant rights on objects used by the procedure. Find out more.
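An added example, not part of the original answer, showing the definer-rights behaviour described above: the new user receives CREATE SESSION and EXECUTE on one procedure and nothing on the table behind it. APP_OWNER, ORDERS, CLOSE_ORDER and PROC_USER are hypothetical names, and APP_OWNER is assumed to already own a table ORDERS with columns ORDER_ID and STATUS.

```sql
-- Added example: run the first part as a privileged user (creating a
-- procedure in another schema needs CREATE ANY PROCEDURE).

create or replace procedure app_owner.close_order (p_order_id in number)
  authid definer   -- the default: the body runs with APP_OWNER's privileges
as
begin
  update app_owner.orders
  set    status   = 'CLOSED'
  where  order_id = p_order_id;
end close_order;
/

-- The restricted account: it can log in and call this one procedure.
create user proc_user identified by "<password>";   -- placeholder password
grant create session to proc_user;
grant execute on app_owner.close_order to proc_user;

-- Second part, connected as PROC_USER: go through the procedure...
begin
  app_owner.close_order(42);
  commit;
end;
/

-- ...and then try the table directly, for which no privilege was granted.
select order_id, status from app_owner.orders;

-- If the procedure were declared AUTHID CURRENT_USER instead, the UPDATE
-- inside it would be checked against PROC_USER's own privileges, and the
-- account would additionally need:
--   grant update on app_owner.orders to proc_user;
```

Connected as PROC_USER, the procedure call works while the direct SELECT is refused, because the only object privilege the account holds is EXECUTE on the procedure.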
Don't use this approach in critical environments like TEST and PROD. The steps below are only suggested for a local environment. For my localhost I create the user via these steps:
IMPORTANT NOTE: Create your user with SYSTEM user credentials. Otherwise you may face problems when you run multiple applications on the same database.
CONNECT SYSTEM/<<System_User_Password>>@<<DatabaseName>>; -- connect db with username and password, ignore if you already connected to database.
Then Run below script
CREATE USER <<username>> IDENTIFIED BY <<password>>; -- create user with password
GRANT CONNECT,RESOURCE,DBA TO <<username>>; -- grant DBA,Connect and Resource permission to this user(not sure this is necessary if you give admin option)
GRANT CREATE SESSION TO <<username>> WITH ADMIN OPTION; --Give admin option to user
GRANT UNLIMITED TABLESPACE TO <<username>>; -- give unlimited tablespace grant
EDIT: If you face a problem about oracle ora-28001 the password has expired also this can be useful run
select * from dba_profiles;-- check PASSWORD_LIFE_TIME
ALTER PROFILE DEFAULT LIMIT PASSWORD_LIFE_TIME UNLIMITED; -- SET IT TO UNLIMITED
As previously mentioned multiple times in the comments, the use of the CONNECT, RESOURCE and DBA roles is discouraged by Oracle.
You have to connect as SYS to create your role and the user(s) which are given this role. You can use SQL Developer or SQL*Plus as you prefer. Do not forget to mention the SYSDBA role in the logon string. The connect_identifier uses different syntaxes.
sqlplus sys/<<password>>@<<connect_identifier>> as sysdba
Let's say you have a 12cR1 like the one provided as a VM with the "Oracle Technology Network Developer Day". The connect strings might be (to connect to the provided PDB) :
sqlplus sys/oracle@127.0.0.1/orcl as sysdba
sqlplus sys@"127.0.0.1/orcl" as sysdba -- to avoid putting the pw in clear
Note that under Unix, the quotes have to be escaped otherwise they will be consumed by the shell. Thus " becomes \".
Then you create the role MYROLE and grant it other roles or privileges. I added nearly the bare minimum to do something interesting:
create role myrole not identified;
grant create session to myrole;
grant alter session to myrole;
grant create table to myrole;
Next you create the user MYUSER. The string following identified by, which is the password, is case-sensitive. The rest is not. You could also use SQL delimited identifiers (surrounded by quotes ") instead of regular identifiers, which are converted to uppercase and subject to a few limitations. The quota could be unlimited instead of 20m.
create user myuser identified by myuser default tablespace users profile default account unlock;
alter user myuser quota 20m on users;
grant myrole to myuser;
Eventually, you connect as your new user.
Please note that you could also alter the default profile or provide another one to customize some settings as the expiration period of passwords, the number of permitted failed login attempts, etc.
CREATE USER USER_NAME IDENTIFIED BY PASSWORD;
GRANT CONNECT, RESOURCE TO USER_NAME;
CREATE USER books_admin IDENTIFIED BY MyPassword;
GRANT CONNECT TO books_admin;
GRANT CONNECT, RESOURCE, DBA TO books_admin;
GRANT CREATE SESSION, GRANT ANY PRIVILEGE TO books_admin;
GRANT UNLIMITED TABLESPACE TO books_admin;
GRANT SELECT, INSERT, UPDATE, DELETE ON schema.books TO books_admin;
https://docs.oracle.com/cd/B19306_01/network.102/b14266/admusers.htm#i1006107
https://chartio.com/resources/tutorials/how-to-create-a-user-and-grant-permissions-in-oracle/
First step:
Connect to a database using System/Password;
second Step:
create user username identified by password; (syntax)
Ex: create user manidb identified by mypass;
third Step:
grant connect,resource to username; (Syntax)
Ex: grant connect,resource to manidb;
step 1 .
create user raju identified by deshmukh;
step 2.
grant connect , resource to raju;
step 3.
grant unlimited tablespace to raju;
step4.
grant select, update, insert, alter on <table name> to raju; -- object privileges need an ON clause; <table name> is a placeholder