I want to know the list of all users who have root (administrative) privilege in Oracle.
I would like it in a script or C++ application. Script is preferred.
Exactly what do you mean by "root" or "administrative" privileges in Oracle? Do you want the users granted SYSDBA? Or, in the older Oracle releases, there was the DBA role, which had an extensive set of privileges that gave the user the ability to do most anything. It has a reduced set of capabilities in 11g. The answer given by #client09 is valuable for identifying exactly what each user can do.
To me, the root user in Oracle is the SYSDBA account, by default the SYS user. Anyone granted this privilege can log in "AS SYSDBA", which gives that user complete control of the database. You can list the users granted this privilege via this select:
SELECT * FROM v$pwfile_users;
Interestingly enough, if I'm granted the SYSDBA role, and I log in as sysdba, the actual user in the Oracle session is SYS:
SQL> create user test identified by test;
User created.
SQL> grant create session to test;
Grant succeeded.
SQL> grant sysdba to test;
Grant succeeded.
SQL> connect test/test as sysdba
Connected.
SQL> select user from dual;
USER
------------------------------
SYS
SQL> select * from v$pwfile_users;
USERNAME SYSDB SYSOP SYSAS
------------------------------ ----- ----- -----
SYS TRUE TRUE FALSE
TEST TRUE FALSE FALSE
Here is how you find privileges of your users:
select
lpad(' ', 2*level) || granted_role "User, his roles and privileges"
from
(
/* THE USERS */
select
null grantee,
username granted_role
from
dba_users
/* THE ROLES TO ROLES RELATIONS */
union
select
grantee,
granted_role
from
dba_role_privs
/* THE ROLES TO PRIVILEGE RELATIONS */
union
select
grantee,
privilege
from
dba_sys_privs
)
start with grantee is null
connect by grantee = prior granted_role;
This will show you which users have inflated privileges. You can execute this in a shell script by typing
sqlplus / as sysdba            --(if you are root on the box)
spool user_privileges.txt
@whos_a_root.sql               --(if that's what you call your script)
spool off
exit;
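The two answers above look at different things (the password file for SYSDBA, the role tree for everything else). As an added audit query that is not part of either answer, this combines them: SYSDBA holders from V$PWFILE_USERS, every real user holding the DBA role, and every real user who holds a chosen set of powerful system privileges either directly or through any depth of role nesting. It assumes DBA-level access to the DBA_* views and V$PWFILE_USERS; the privilege list at the end is a starting point, not an exhaustive one.

```sql
-- Added audit query (not from the original answers): who effectively holds
-- administrative power, and through which role chain. Grants to PUBLIC are
-- not followed here; only named users in DBA_USERS are reported.
WITH role_chain AS (
  -- every role a user reaches: directly, or via role -> role grants
  SELECT CONNECT_BY_ROOT grantee                                 AS username,
         granted_role,
         LTRIM(SYS_CONNECT_BY_PATH(granted_role, ' -> '), ' ->') AS via_roles
  FROM   dba_role_privs
  START WITH grantee IN (SELECT username FROM dba_users)   -- start at users, not roles
  CONNECT BY NOCYCLE grantee = PRIOR granted_role          -- then follow role -> role
),
effective_sys_privs AS (
  -- system privileges granted to the user itself
  SELECT sp.grantee AS username, sp.privilege, '(direct grant)' AS via
  FROM   dba_sys_privs sp
  WHERE  sp.grantee IN (SELECT username FROM dba_users)
  UNION ALL
  -- system privileges inherited from any role in the chain
  SELECT rc.username, sp.privilege, rc.via_roles
  FROM   role_chain rc
  JOIN   dba_sys_privs sp ON sp.grantee = rc.granted_role
)
-- 1. SYSDBA: the "root" of the first answer, read from the password file
SELECT username, 'SYSDBA' AS privilege, '(password file)' AS via
FROM   v$pwfile_users
WHERE  sysdba = 'TRUE'
UNION ALL
-- 2. the old catch-all DBA role, however it was reached
SELECT username, 'ROLE DBA', via_roles
FROM   role_chain
WHERE  granted_role = 'DBA'
UNION ALL
-- 3. individual system privileges that amount to administrative control
SELECT username, privilege, via
FROM   effective_sys_privs
WHERE  privilege IN ('SELECT ANY DICTIONARY', 'GRANT ANY PRIVILEGE',
                     'GRANT ANY ROLE', 'ALTER USER', 'BECOME USER',
                     'CREATE ANY PROCEDURE', 'EXECUTE ANY PROCEDURE')
ORDER BY username, privilege, via;
```

The `via` column is what makes this useful for review: a privilege that arrives through a three-role chain is easy to miss when you only read `dba_sys_privs` for the user.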
Considering the following information from the Oracle data dictionary
When the following command is executed, to obtain the information
SELECT grantee,owner,table_name,grantor, privilege, grantable
FROM user_tab_privs;
What are the SQL statements that have been issued to cause these grants to exist in the
dictionary? Also, for each statement, which user has executed the statement?
Review this example and compare it to your output; you'll see which command leads to which result.
User mike:
SQL> show user
USER is "MIKE"
SQL> SELECT grantee,owner,table_name,grantor, privilege, grantable
2 FROM user_tab_privs;
no rows selected
User scott will grant a few things to mike:
SQL> connect scott/tiger
Connected.
SQL> grant select on test to mike;
Grant succeeded.
SQL> grant delete on dept to mike with grant option;
Grant succeeded.
Back to mike, see what has happened:
SQL> connect mike/lion
Connected.
SQL> SELECT grantee,owner,table_name,grantor, privilege, grantable
2 FROM user_tab_privs;
GRANTEE OWNER TABLE_NAME GRANTOR PRIVILEGE GRANTABLE
------- ------ ---------- ---------- ---------- ----------
MIKE SCOTT DEPT SCOTT DELETE YES
MIKE SCOTT TEST SCOTT SELECT NO
SQL>
After you run the following steps, you can get the result you want:
(1) Firstly, log in as Ann and run the SQL statement:
grant select on project to Billy with grant option;
(2) Still as Ann, run the SQL statement:
grant delete on employee to marlam;
(3) Log in as Billy and run the SQL statement:
grant select on project to leah;
I have a QUEUE_OWNER schema that has some queues. When I connect the application to that data source everything works fine and the app can read the from the queues.
I want to create a _USER schema that has access to the queues so I can connect the app to it and not directly to the _OWNER schema.
This is what I tried:
BEGIN
FOR Q IN (SELECT * FROM ALL_QUEUES WHERE owner = 'AQ_OWNER') LOOP
DBMS_OUTPUT.PUT_LINE('queue = ' ||Q.NAME);
DBMS_AQADM.GRANT_QUEUE_PRIVILEGE('ALL','AQ_OWNER.'||Q.NAME ,'AQ_USER',FALSE);
END LOOP;
END;
but when I put a message in the queue nothing happens in the app.
How about a little help from your DBA?
This is what my user SCOTT sees in all_queues:
SQL> select owner, name from all_queues;
OWNER NAME
------------------------------ ------------------------------
SYS SRVQUEUE
SYS SCHEDULER_FILEWATCHER_Q
SYS SCHEDULER$_EVENT_QUEUE
However, I'd like to see some other data. SYS almighty sees it all:
SQL> show user
USER is "SYS"
SQL> select owner, name from dba_queues;
OWNER NAME
------------------------------ ------------------------------
SYS SYS$SERVICE_METRICS
SYS AQ$_SYS$SERVICE_METRICS_TAB_E
SYSTEM DEF$_AQERROR
SYSTEM AQ$_DEF$_AQERROR_E
SYSTEM DEF$_AQCALL
SYSTEM AQ$_DEF$_AQCALL_E
SYS AQ$_KUPC$DATAPUMP_QUETAB_E
<snip>
Still connected as SYS, I'll create a view which shows data only for the owner I choose (there's nothing much to choose from in my XE database, so I'll use SYSTEM-owned values). Then I grant the select privilege to SCOTT:
SQL> create or replace view v_dba_queues as
2 select name
3 from dba_queues
4 where owner = 'SYSTEM';
View created.
SQL> grant select on v_dba_queues to scott;
Grant succeeded.
Back to SCOTT: to make my life simpler, I'll create a synonym first:
SQL> connect scott/tiger
Connected.
SQL> create synonym v_dba_queues for sys.v_dba_queues;
Synonym created.
Finally:
SQL> select * from v_dba_queues;
NAME
------------------------------
DEF$_AQERROR
AQ$_DEF$_AQERROR_E
DEF$_AQCALL
AQ$_DEF$_AQCALL_E
SQL>
Basically, you'd do the same; it's just that your view would contain data for owner = 'QUEUE_OWNER'. See if it helps.
In Oracle, when I run:
GRANT SELECT on MYSCHEMA.ORDERS to APP_USER;
What query can I run in Oracle to check if this grant exists? I would like to validate that this grant is correctly created in our development, QA, and production databases.
You can get that from the all_tab_privs performance view, or the user_ or dba_ equivalents depending on your situation and privileges:
select *
from all_tab_privs
where table_schema = 'MYSCHEMA'
and table_name = 'ORDERS'
and grantee = 'APP_USER';
To see everyone who has access, leave off the grantee filter. Note though that the grantee may be (and quite probably should be) a role, not an individual user. In that case you'd need to see who has that role granted to get the full picture, and roles can be granted to roles, so that can get a bit recursive.
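Since the question is about validating the same grant in development, QA and production, here is an added example (not from the original answer) that turns the lookup into a repeatable check: the grants you expect on MYSCHEMA.ORDERS are written down once and compared against what DBA_TAB_PRIVS actually records. The expected rows are constructed here; REPORT_ROLE is a placeholder grantee that the question does not mention, included to show a role as grantee alongside the user.

```sql
-- Added example (not from the original answer): expected vs. actual grants on one table.
-- Anything other than OK is a finding; GRANTOR tells you who issued a stray grant.
WITH expected AS (
  -- constructed expectation list: edit to match your own standard
  SELECT 'MYSCHEMA' AS owner, 'ORDERS' AS table_name,
         'APP_USER' AS grantee, 'SELECT' AS privilege, 'NO' AS grantable FROM dual
  UNION ALL
  SELECT 'MYSCHEMA', 'ORDERS', 'REPORT_ROLE', 'SELECT', 'NO' FROM dual  -- placeholder role
),
actual AS (
  -- direct grants only; a grant made to a role appears under the role's name
  SELECT owner, table_name, grantee, grantor, privilege, grantable
  FROM   dba_tab_privs
  WHERE  owner = 'MYSCHEMA' AND table_name = 'ORDERS'
)
SELECT CASE
         WHEN a.grantee IS NULL          THEN 'MISSING'               -- expected, not granted
         WHEN e.grantee IS NULL          THEN 'UNEXPECTED'            -- granted, not expected
         WHEN a.grantable <> e.grantable THEN 'GRANT OPTION MISMATCH' -- WITH GRANT OPTION drift
         ELSE 'OK'
       END                            AS status,
       COALESCE(e.grantee, a.grantee) AS grantee,
       COALESCE(e.privilege, a.privilege) AS privilege,
       a.grantor,
       a.grantable
FROM   expected e
FULL OUTER JOIN actual a
       ON  a.grantee   = e.grantee
       AND a.privilege = e.privilege
ORDER BY status, grantee, privilege;
```

Because it only reads DBA_TAB_PRIVS, the same statement runs unchanged in every environment; the rows that differ between them are the drift you are looking for.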
Execute the following (if you are logged in as app_user) :-
select owner from user_tab_privs where table_name='ORDERS' and grantee='APP_USER' and owner='MYSCHEMA';
If you are logged in as dba, then execute following :-
select owner from dba_tab_privs where table_name='ORDERS' and grantee='APP_USER' and owner='MYSCHEMA';
If the grant was successful, then the above sql statements should have non-null output.
I have a package that compiles fine in another 11g environment.
When I try to compile it in my XE 10g environment w/ a DBA User, I get the ORA-00942 error.
FOR r IN (SELECT DISTINCT job_name jname
FROM dba_scheduler_jobs
^
WHERE job_name LIKE p_job_prefix || '%')
LOOP
...
When I execute a direct select on the table there is no issue.
Select * from dba_scheduler_jobs;
Error Text:
Line: 34 Column: 34 Error: PL/SQL: ORA-00942: table or view does not exist
In order to reference an object in a definer's rights stored procedure (the default), the owner of the procedure has to have direct access to the object. The privilege cannot be granted through a role, even a very powerful role like SYSDBA.
You probably want to grant the owner of this procedure the SELECT ANY DICTIONARY privilege
GRANT select any dictionary
TO <<owner of procedure>>
You could also grant the privileges on each object (i.e. DBA_SCHEDULER_JOBS) individually but if you've already granted this user the SYSDBA privilege, you're probably not overly concerned with restricting grants.
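The following SQL*Plus script is an added reproduction of the point made above, not something from the original answer: a privilege routed through a role satisfies interactive SQL but not a definer's-rights procedure, and the narrower fix is a direct grant on the one view rather than SELECT ANY DICTIONARY. It assumes you run it as SYS (or another DBA) in a non-CDB or inside a PDB; JOBCHECK_OWNER, JOBCHECK_ROLE and the password are placeholder names created and dropped by the script.

```sql
-- Added reproduction (not from the original post). All objects below are constructed here.
CREATE USER jobcheck_owner IDENTIFIED BY "ChangeMe_1";   -- placeholder test account
GRANT CREATE SESSION, CREATE PROCEDURE TO jobcheck_owner;

-- 1. Route the privilege through a role, as the question's DBA user effectively has it.
CREATE ROLE jobcheck_role;
GRANT SELECT ON sys.dba_scheduler_jobs TO jobcheck_role;
GRANT jobcheck_role TO jobcheck_owner;

-- A definer's-rights unit (the default) is compiled with the owner's roles disabled,
-- so this is the situation that produces the question's ORA-00942.
CREATE OR REPLACE PROCEDURE jobcheck_owner.count_jobs (p_job_prefix IN VARCHAR2)
AS
  l_count PLS_INTEGER;
BEGIN
  SELECT COUNT(*) INTO l_count
  FROM   dba_scheduler_jobs
  WHERE  job_name LIKE p_job_prefix || '%';
  DBMS_OUTPUT.PUT_LINE(l_count || ' job(s) match prefix ' || p_job_prefix);
END count_jobs;
/
SHOW ERRORS PROCEDURE jobcheck_owner.count_jobs

-- 2. Least-privilege fix: grant the single dictionary view directly to the owner
--    (far narrower than SELECT ANY DICTIONARY), then recompile.
GRANT SELECT ON sys.dba_scheduler_jobs TO jobcheck_owner;
ALTER PROCEDURE jobcheck_owner.count_jobs COMPILE;
SHOW ERRORS PROCEDURE jobcheck_owner.count_jobs

-- 3. Show both access paths; only the DIRECT row is visible to the PL/SQL compiler.
SELECT grantee, privilege, 'DIRECT' AS via
FROM   dba_tab_privs
WHERE  owner = 'SYS' AND table_name = 'DBA_SCHEDULER_JOBS'
AND    grantee = 'JOBCHECK_OWNER'
UNION ALL
SELECT rp.grantee, tp.privilege, 'ROLE ' || rp.granted_role
FROM   dba_role_privs rp
JOIN   dba_tab_privs tp ON tp.grantee = rp.granted_role
WHERE  tp.owner = 'SYS' AND tp.table_name = 'DBA_SCHEDULER_JOBS'
AND    rp.grantee = 'JOBCHECK_OWNER';

-- Cleanup of the constructed objects
DROP USER jobcheck_owner CASCADE;
DROP ROLE jobcheck_role;
```

Step 3 is the query to keep for real cases: when a procedure fails to compile against an object its owner "clearly" has access to, check whether every row comes back as ROLE and none as DIRECT.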
What query can I run to simply see whether a user has privilege to execute a stored procedure?
Let's say the user is UserA and the stored procedure name is my_stored_proc.
I want to know whether UserA has execute permission on my_stored_proc.
UserA is not the owner of the stored proc. Some other owner grants him the permission.
To account for grants through a role:
select grantee, table_name, privilege
from dba_tab_privs
where
table_name = 'my_stored_proc'
and
owner = 'ownerOfObject'
and
(grantee = 'userA'
or
grantee in
(select granted_role
from dba_role_privs
where grantee = 'userA'
)
)
You could try
select ap.*
from All_Procedures ap
where ap.owner = 'UserA'
This only tells you if UserA is the owner. I suppose UserA could still have permission even if not the owner. Not sure how to check for that.
EDIT:
Other tables to check are
USER_SYS_PRIVS
USER_TAB_PRIVS
USER_ROLE_PRIVS
ROLE_SYS_PRIVS
ROLE_TAB_PRIVS
I've rarely queried these so I'm not exactly sure how to find what you're looking for, but I would start with these.
Got it...
SELECT * FROM DBA_TAB_PRIVS A WHERE GRANTEE = 'UserA' AND GRANTOR = 'someoneelse' and privilege = 'EXECUTE'
This is what worked for me, I wanted to find all SPs that I have access to:
select * from USER_TAB_PRIVS where GRANTEE='______' and PRIVILEGE='EXECUTE'
Columns in USER_TAB_PRIVS include GRANTEE, OWNER, GRANTOR, TABLE_NAME (in this case, the SP name) and PRIVILEGE, so in my opinion, this is perfect.
My understanding is that dpbradley and Omnipresent's answers won't work for a normal user because they can't access DBA_* tables.