In Oracle, when I run:
GRANT SELECT on MYSCHEMA.ORDERS to APP_USER;
What query can I run in Oracle to check if this grant exists? I would like to validate that this grant is correctly created in our development, QA, and production databases.
You can get that from the all_tab_privs performance view, or the user_ or dba_ equivalents depending on your situation and privileges:
select *
from all_tab_privs
where table_schema = 'MYSCHEMA'
and table_name = 'ORDERS'
and grantee = 'APP_USER';
To see everyone who has access, leave off the grantee filter. Note though that the grantee may be (and quite probably should be) a role, not an individual user. In that case you'd need to see who has that role granted to get the full picture, and roles can be granted to roles, so that can get a bit recursive.
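The recursion mentioned above can be resolved in a single query. This is an added example, not part of the original answer: it assumes access to the dba_ views and reuses the MYSCHEMA.ORDERS and APP_USER names from the question, while the effective_grantee, root_grantee and role_path names are made up for illustration.

```sql
-- Added example: show every path by which APP_USER holds SELECT on
-- MYSCHEMA.ORDERS, whether granted directly, through PUBLIC, or through
-- a chain of roles. Dictionary views store unquoted identifiers in
-- upper case, so the literals are upper case.
WITH effective_grantee AS (
    -- the account itself
    SELECT 'APP_USER'     AS grantee,
           'APP_USER'     AS root_grantee,
           'direct grant' AS role_path
    FROM   dual
    UNION ALL
    -- PUBLIC: anything granted to PUBLIC applies to every user
    SELECT 'PUBLIC', 'PUBLIC', 'direct grant'
    FROM   dual
    UNION ALL
    -- every role reachable from the account or from PUBLIC,
    -- following role-to-role grants to any depth
    SELECT granted_role,
           CONNECT_BY_ROOT grantee,
           SYS_CONNECT_BY_PATH(granted_role, ' -> ')
    FROM   dba_role_privs
    START WITH grantee IN ('APP_USER', 'PUBLIC')
    CONNECT BY PRIOR granted_role = grantee
)
SELECT tp.privilege,
       tp.grantable,
       eg.root_grantee,
       eg.role_path
FROM   effective_grantee eg
JOIN   dba_tab_privs tp
       ON tp.grantee = eg.grantee
WHERE  tp.owner      = 'MYSCHEMA'
AND    tp.table_name = 'ORDERS'
AND    tp.privilege  = 'SELECT'
ORDER  BY eg.root_grantee, eg.role_path;
```

Running the same statement in development, QA and production gives directly comparable output. An empty result only means there is no object-level grant path; access can still come from a system privilege such as SELECT ANY TABLE, which is listed in dba_sys_privs rather than dba_tab_privs.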
Execute the following (if you are logged in as app_user):
select owner from user_tab_privs where table_name='ORDERS' and grantee='APP_USER' and owner='MYSCHEMA';
If you are logged in as dba, then execute the following:
select owner from dba_tab_privs where table_name='ORDERS' and grantee='APP_USER' and owner='MYSCHEMA';
If the grant was successful, then the above sql statements should have non-null output.
How to know if I can delete with my oracle user? Without actually deleting anything?
I'm using a database that I don't own, nor have full access.
This information is available in the data-dictionary.
You can check for direct grants to you via:
SELECT OWNER, TABLE_NAME
FROM USER_TAB_PRIVS
WHERE PRIVILEGE = 'DELETE';
You can also check for privileges accessible through a ROLE by:
SELECT ROLE, TABLE_SCHEMA, TABLE_NAME
FROM SESSION_ROLES
INNER JOIN ALL_TAB_PRIVS
ON SESSION_ROLES.ROLE = ALL_TAB_PRIVS.GRANTEE
AND PRIVILEGE = 'DELETE';
I'm currently trying to grant a couple of simple privileges to an Oracle database user.
I have tried the following queries:
grant all privileges to <username>
grant alter session to <username>
The second privilege is the one I actually need, but I decided simply to try and give the user all privileges to see if that would work. When I check the user's permissions using
select * from user_sys_privs;
everything seems to say NO.
I've even tried to grant the user dba privileges and that still fails. My end goal is to run scripts that require these permissions to be turned on.
Any help is greatly appreciated.
everything seems to say NO
You're looking at the wrong thing. If the user_sys_privs view lists ALTER SESSION:
select * from user_sys_privs where privilege = 'ALTER SESSION';
USERNAME             PRIVILEGE     ADM COM
-------------------- ------------- --- ---
MY_USER              ALTER SESSION NO  NO
then the user does have that privilege.
The NO entries don't mean the privilege is not granted. The columns it is showing you are:
desc user_sys_privs
Name Null? Type
----------------------------------------------------------------- -------- --------------------------------------------
USERNAME VARCHAR2(128)
PRIVILEGE VARCHAR2(40)
ADMIN_OPTION VARCHAR2(3)
COMMON VARCHAR2(3)
and they are described in the documentation:
ADMIN_OPTION - Indicates whether the grant was with the ADMIN option (YES) or not (NO)
COMMON - Indicates how the grant was made. Possible values:
YES if the privilege was granted commonly (CONTAINER=ALL was used)
NO if the privilege was granted locally (CONTAINER=ALL was not used)
As you didn't specify the admin option or any other modifiers, it's correct that both of those flags are set to NO.
What's probably confusing you is that all privileges are listed when you query for your user, because you did grant all privileges to <username>. You probably want to revoke all of those privileges, and only grant the specific ones the user actually needs. You'll then see a much shorter list when you query user_sys_privs - possibly only that single entry, depending on what else you need to retain for the user.
You might also want to consider using roles, though you sometimes need to have privileges granted directly anyway - if a stored procedure relies on them.
Consider the case: in a database, I have two users A and B and their corresponding schemas.
I want to know how I can get this information: what permissions does user A have in schema B?
Consider the case: we have two users and their associated schemas. We have user A and user B. In A, say we have TB1 and TB2; in B, say we have TBa and TBb. Now I want to know how I can find what privileges user A has on schema B.
For example, user A is writing: select * from B.TBb. This means user A is accessing user B's table, so it shows he has the SELECT privilege. I want to know all the privileges user A has on schema B.
Which query should be executed to get the list of privileges that user A has on schema B?
You can use these queries:
select * from all_tab_privs;
select * from dba_sys_privs;
select * from dba_role_privs;
Each of these tables has a grantee column; you can filter on that in the where criteria:
where grantee = 'A'
To query privileges on objects (e.g. tables) in other schema I propose first of all all_tab_privs, it also has a table_schema column.
If you are logged in with the same user whose privileges you want to query, you can use user_tab_privs, user_sys_privs, user_role_privs. They can be queried by a normal non-dba user.
Using the example from the post of Szilágyi Donát.
I use two queries, one to know what roles I have, excluding the connect grant:
SELECT * FROM USER_ROLE_PRIVS WHERE GRANTED_ROLE != 'CONNECT'; -- Roles of the actual Oracle Schema
Now I like to find what privileges/roles my schema/user has; examples of my roles are ROLE_VIEW_PAYMENTS & ROLE_OPS_CUSTOMERS. But to find the tables/objects of a specific role I used:
SELECT * FROM ALL_TAB_PRIVS WHERE GRANTEE='ROLE_OPS_CUSTOMERS'; -- Objects granted to the role.
The owner schema for this example could be PRD_CUSTOMERS_OWNER (or the role/schema itself).
Regards.
Log in to the database, then run the query below:
select * from dba_role_privs where grantee = 'SCHEMA_NAME';
All the roles granted to the schema will be listed.
Thanks Szilagyi Donat for the answer. This one is taken from same and just where clause added.
How can I check a permission granted for particular sequence and assign permission to particular sequence from SQL*Plus?
To grant a permission:
grant select on schema_name.sequence_name to user_or_role_name;
To check which permissions have been granted:
select * from all_tab_privs where TABLE_NAME = 'sequence_name'
Just another bit: in some cases I found no result in all_tab_privs! I did find it in dba_tab_privs. I think this last table is better to check for any grant available on an object (in case of impact analysis). The statement becomes:
select * from dba_tab_privs where table_name = 'sequence_name';
What query can I run to simply see whether a user has the privilege to execute a stored procedure?
Let's say the user is UserA and the stored procedure name is my_stored_proc.
I want to know whether UserA has execute permission on my_stored_proc
UserA is not the owner of the storedproc. Some other owner grants him the permission.
To account for grants through a role:
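-- Dictionary views store unquoted identifiers in upper case, so supply
-- the object, owner and user names in upper case.
select grantee, table_name, privilege
from dba_tab_privs
where table_name = 'my_stored_proc'
and owner = 'ownerOfObject'
and (grantee = 'userA'
     -- roles granted directly to the user (one level only;
     -- roles granted to those roles are not followed)
     or grantee in (select granted_role
                    from dba_role_privs
                    where grantee = 'userA'));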
You could try
select ap.*
from All_Procedures ap
where ap.owner = 'UserA'
This only tells you if UserA is the owner. I suppose UserA could still have permission even if not the owner. Not sure how to check for that.
EDIT:
Other tables to check are
USER_SYS_PRIVS
USER_TAB_PRIVS
USER_ROLE_PRIVS
ROLE_SYS_PRIVS
ROLE_TAB_PRIVS
I've rarely queried these so I'm not exactly sure how to find what you're looking for, but I would start with these.
Got it...
SELECT * FROM DBA_TAB_PRIVS A WHERE GRANTEE = 'UserA' AND GRANTOR = 'someoneelse' and privilege = 'EXECUTE'
This is what worked for me, I wanted to find all SPs that I have access to:
select * from USER_TAB_PRIVS where GRANTEE='______' and PRIVILEGE='EXECUTE'
Columns in USER_TAB_PRIVS include GRANTEE, OWNER, GRANTOR, TABLE_NAME (in this case, the SP name) and PRIVILEGE, so in my opinion, this is perfect.
My understanding is that dpbradley and Omnipresent's answers won't work for a normal user because they can't access DBA_* tables.