GRANT ROLE_BLAH_GENERAL TO BLAH_USER
I encountered this error
ORA-01932: ADMIN option not granted for role 'ROLE_BLAH_GENERAL'
Then I reformed the query to
GRANT ROLE_BLAH_GENERAL TO BLAH_USER WITH ADMIN OPTION;
I then encountered
ORA-01932: ADMIN option not granted for role 'ROLE_BLAH_GENERAL'
Where am I going wrong?
The user that issues the GRANT needs to have been granted the role WITH ADMIN OPTION. Otherwise, the user doesn't have permission to grant the role to others.
If you want user FOO, for example, to be able to grant the ROLE_BLAH_GENERAL role to other users, the DBA would need to
GRANT role_blah_general
TO foo
WITH ADMIN OPTION;
Once that is done, FOO should be able to grant the role to other users
GRANT role_blah_general
TO blah_user
Of course, you may prefer that the DBA that granted ROLE_BLAH_GENERAL to FOO be the one to grant the role to BLAH_USER so that FOO doesn't need the role WITH GRANT OPTION.
Related
I've created a user with a default tablespace. I've granted create session to that user and then added them to a role GRANT xxxx_role TO myuser;
However when I run SELECT * FROM USER_ROLE_PRIVS, there are no rows of data, meaning the user isn't assigned to any roles. It says that the grant succeeded. What am I doing wrong? I've done this as a SYSTEM user which should have carte blanche permissions.
user_role_privs shows roles granted to the current user. dba_role_privs shows roles granted to all users. You probably want to be querying dba_role_privs.
If you are logged in as system and do the grant, you should see a row in dba_role_privs for myuser. You won't see rows in user_role_privs for any user other than system. If you log in as myuser after the grant is done, you will see a row in user_role_privs.
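An added example (not part of either answer above) of the dictionary checks behind both threads: who is able to grant ROLE_BLAH_GENERAL, and whether a role grant actually landed. It assumes a session that can read the DBA_ views and reuses the placeholder names from the posts.

```sql
-- Who holds the role, and who holds it WITH ADMIN OPTION?
-- Only a grantee with ADMIN_OPTION = 'YES' can pass the role on
-- without raising ORA-01932.
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'ROLE_BLAH_GENERAL'
ORDER  BY admin_option DESC, grantee;

-- Accounts and roles that can grant any role, with or without ADMIN OPTION
-- on the role itself.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'GRANT ANY ROLE'
ORDER  BY grantee;

-- Least-privilege review: every role held WITH ADMIN OPTION outside the
-- built-in administrative accounts (adjust the exclusion list to your site).
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  admin_option = 'YES'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, granted_role;

-- Run as the granting DBA: confirm the grant to another account.
-- Dictionary names are stored in upper case unless they were quoted.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'MYUSER';

-- Run as MYUSER: the USER_ view only ever lists the current account's roles.
SELECT username, granted_role, admin_option, default_role
FROM   user_role_privs;

-- Run as MYUSER: roles actually enabled in this session.
SELECT role
FROM   session_roles;
```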
How to grant read and create Views privilege to a role?
Here are the steps I've done:
Grant statement to the role "CUSTOM_ROLE":
GRANT SELECT ON MY_VIEW_1 to CUSTOM_ROLE;
Assign the role to a user id:
GRANT CUSTOM_ROLE TO USERID_123;
Error:
01924. 00000 - "role '%s' not granted or does not exist"
*Cause: Either the role was not granted to the user, or the role did not exist.
*Action: Create the role or grant the role to the user and retry
the operation.
Please kindly help. Thank you.
Create the role prior to granting to it. The message says the role doesn't exist.
I would suggest you check the existence of the role using:
select role from dba_roles where role = 'CUSTOM_ROLE';
If this query doesn't return any rows, then use
CREATE ROLE custom_role;
to create it.
See this for details: https://www.techonthenet.com/oracle/roles.php
I want to know once you create a user role and add some privileges as:
CREATE ROLE usern NOT IDENTIFIED ;
GRANT SELECT ANY DICTIONARY TO usern ;
GRANT SELECT ON t90022.temptable TO usern ;
Can you edit the user role and just state the privilege as follows?
GRANT SELECT ON 90888.temptable2 TO usern ;
Will the user role be updated or do you need to drop and create the user role again?
PS: I don't have privileges to try this out. So please help
Granting privileges in Oracle is cumulative. You do not have to re-grant privileges already granted, and in fact must revoke them explicitly to remove them.
How to grant the privilege of giving the privilege of creating a session to a user or role in Oracle?
You would use the WITH ADMIN OPTION option in the GRANT statement
GRANT CREATE SESSION TO <<username>> WITH ADMIN OPTION
You can grant system privileges with or without the admin option. The default is without the admin option.
GRANT CREATE SESSION TO username
or with admin option:
GRANT CREATE SESSION TO username WITH ADMIN OPTION
The Grantee with the ADMIN OPTION can grant and revoke privileges to other users
grant CREATE SESSION
Ref: http://ss64.com/ora/grant.html
HTH,
Kent
I have created a new database user. I found that the account can select data of other schemas' tables. So how can I restrict the new account to only manipulate its owned tables?
You can't. You can use REVOKE in certain cases but the most important thing to remember about REVOKE is that it can only revoke a permission that was explicitly GRANTed. Every database has GLOBAL permissions not tied to any specific schema and granted to PUBLIC. These permissions are inherited by all ROLES as long as they (the permissions) are in effect.
You can revoke certain PRIVILEGES such as SELECT, DELETE, INSERT etc. but you have to do it on an object level for every schema. What this means is, if a new table gets added to any of these schemas, the user will by default have access to it, unless the PRIVILEGES on that new table for that user are REVOKED.
As per the Oracle documentation, below are the prerequisites to REVOKE:
Prerequisites
To revoke a system privilege, you must have been granted the privilege with the ADMIN OPTION.
To revoke a role, you must have been granted the role with the ADMIN OPTION. You can revoke any role if you have the GRANT ANY ROLE system privilege.
To revoke an object privilege, you must previously have granted the object privilege to the user and role or you must have the GRANT ANY OBJECT PRIVILEGE system privilege. In the latter case, you can revoke any object privilege that was granted by the object owner or on behalf of the owner--that is, by a user with the GRANT ANY OBJECT PRIVILEGE. However, you cannot revoke an object privilege that was granted by way of a WITH GRANT OPTION grant.
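An added example (not from the answer above or from Oracle's documentation) for tracing where a new account's access to other schemas' tables comes from: it walks the role hierarchy from the user and from PUBLIC and lists the object privileges and ANY-type system privileges reached that way. NEW_USER, the SQL*Plus bind variable, the SYS/SYSTEM filter and the names in the commented REVOKE lines are assumptions; the session needs read access to the DBA_ views.

```sql
-- SQL*Plus / SQLcl. NEW_USER is a hypothetical account name.
VARIABLE username VARCHAR2(128)
EXEC :username := 'NEW_USER'

WITH effective_grantees AS (
    SELECT :username AS grantee FROM dual   -- the account itself
    UNION
    SELECT 'PUBLIC' FROM dual               -- grants to PUBLIC reach every account
    UNION
    SELECT granted_role                     -- roles held directly or via other roles
    FROM   dba_role_privs
    START  WITH grantee IN (:username, 'PUBLIC')
    CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
-- Object privileges on objects the account does not own.
SELECT 'OBJECT'                       AS kind,
       p.grantee                      AS via,
       p.privilege,
       p.owner || '.' || p.table_name AS target,
       p.grantable                    AS can_pass_on
FROM   dba_tab_privs p
JOIN   effective_grantees g ON g.grantee = p.grantee
WHERE  p.owner <> :username
AND    p.owner NOT IN ('SYS', 'SYSTEM')     -- assumption: focus on application schemas
UNION ALL
-- System privileges that cut across schemas (SELECT ANY TABLE and similar).
SELECT 'SYSTEM', s.grantee, s.privilege, NULL, s.admin_option
FROM   dba_sys_privs s
JOIN   effective_grantees g ON g.grantee = s.grantee
WHERE  s.privilege LIKE '% ANY %'
ORDER  BY 1, 2, 3;

-- The VIA column names the grantee each privilege has to be revoked from,
-- subject to the prerequisites quoted above. Hypothetical examples:
-- REVOKE SELECT ANY TABLE FROM new_user;
-- REVOKE SELECT ON app_owner.some_table FROM PUBLIC;
```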