system privilege issue - oracle

I have the user for example HR which has been granted very powerful system privilege "GRANT ANY PRIVILEGE"...This user used this privilege and granted some privileges to other users...Now I want to revoke "GRANT ANY PRIVILEGE" from HR and also identify what privileges and to whom did HR user grant(I want to revoke from them this privileges).
I know that oracle saves just grantee and privilege not grantor for system privileges(unlike object privileges) in the metadata...
If you have some idea please answer..
Thank you very much in previous.

ALL_COL_PRIVS view will show grantor
ALL_TAB_PRIVS view will show grantor
TABLE_PRIVILEGES view will show grantor
plus the USER versions of those..
edit:
to find the list of object privileges granted by HR use a query like this:
select * from all_tab_privs where grantor = 'HR';
i do not know of a way to check system level object grants

Related

Granting role doesn't stick

I've created a user with a default tablespace. I've granted create session to that user and then added them to a role GRANT xxxx_role TO myuser;
However when I run SELECT * FROM USER_ROLE_PRIVS, there are no rows of data, meaning the user isn't assigned to any roles. It says that the grant succeeded. What am I doing wrong? I've done this as a SYSTEM user which should have carte blanche permissions.
user_role_privs shows roles granted to the current user. dba_role_privs shows roles granted to all users. You probably want to be querying dba_role_privs.
If you are logged in as system and do the grant, you should see a row in dba_role_privs for myuser. You won't see rows in user_role_privs for any user other than system. If you log in as myuser after the grant is done, you will see a row in user_role_privs.

How to grant select on dba_users for role?

It is possible to make grant select on dba_users to role? I trying to give access for users and all works fine, but when i try to do this for all group, this access didnt work.
Privileges which are granted through a role do not apply inside PL/SQL blocks. You have to grant the privilege to each USER individually.
See How Roles Work in PL/SQL Blocks

grant user roles in oracle

I want to know once you create a user role and add some privileges as:
CREATE ROLE usern NOT IDENTIFIED ;
GRANT SELECT ANY DICTIONARY TO usern ;
GRANT SELECT ON t90022.temptable TO usern ;
Can you edit the user role and just state the privilege as follows?
GRANT SELECT ON 90888.temptable2 TO usern ;
Will the user role be updated or do you need to drop and create the user role again?
PS: I don't have privileges to try this out. So please help
Granting privileges in Oracle is cumulative. You do not have to re-grant privileges already granted, and in fact must revoke them explicitly to remove them.

Add Select and Write Privileges to User for Specific Table Names

I have created a new user using the below in sql developer (Oracle 11g). I have only two tables titled FEED_DATA_A and FEED_DATA_B that I want this user to be able to select, update and insert into. Can someone help me understand the SQL to create the proper privileges to accomplish that? I'm currently logged in as the system user.
CREATE USER "USER_A" IDENTIFIED BY "test123";
If you want to grant the privileges directly to the user
GRANT select, update, insert
ON table_owner.feed_data_a
TO user_a;
GRANT select, update, insert
ON table_owner.feed_data_b
TO user_a;
More commonly, though, you would create a role, grant the role to the user, and grant the privileges to the role. That makes it easier in the future when there is a new user created that you want to have the same privileges as USER_A to just grant a couple of roles rather than figuring out all the privileges that potentially need to be granted. It also makes it easier as new tables are created and new privileges are granted to ensure that users that should have the same privileges continue to have the same privileges.
CREATE ROLE feed_data_role;
GRANT select, update, insert
ON table_owner.feed_data_a
TO feed_data_role;
GRANT select, update, insert
ON table_owner.feed_data_b
TO feed_data_role;
GRANT feed_data_role
TO user_a

How to prevent users from selecting other schemas' tables?

I have created a new database user. I found that the account can select data of other schemas' tables. So how can I restrict the new account to only manipulate its owned tables?
You can't. You can use REVOKE in certain cases but the most important thing to remember about REVOKE is that it can only revoke a permission that was explicitly GRANTed. Every database has GLOBAL permissions not tied to any specific schema and granted to PUBLIC. These permissions are inherited by all ROLES as long as they (the permissions) are in effect.
You can revoke certain PRIVILEGES such as SELECT, DELETE, INSERT etc. but you have to do it on an object level for every schema. What this means is, if a new table gets added to any of these schemas, the user will by default have access to it, unless the PRIVILEGES on that new table for that user are REVOKED.
As per Oracle documentation below are pre-requisites to REVOKE-
Prerequisites
To revoke a system privilege, you must have been granted the privilege with the ADMIN OPTION.
To revoke a role, you must have been granted the role with the ADMIN OPTION. You can revoke any role if you have the GRANT ANY ROLE system privilege.
To revoke an object privilege, you must previously have granted the object privilege to the user and role or you must have the GRANT ANY OBJECT PRIVILEGE system privilege. In the latter case, you can revoke any object privilege that was granted by the object owner or on behalf of the owner--that is, by a user with the GRANT ANY OBJECT PRIVILEGE. However, you cannot revoke an object privilege that was granted by way of a WITH GRANT OPTION grant.

Resources