How can I enumerate the list of privileges granted to an Oracle role? - oracle

I have a homegrown Oracle role that was created long ago:
create role MyRole;
It's been granted the ability to select, insert, update, and delete from some tables and views.
grant select on sometable to MyRole;
grant insert on sometable to MyRole;
grant select on someothertable to MyRole;
-- etc.
How can I now enumerate the specific list of privileges that were granted to the role? I am interested in discovering the specific tables and the rights this role has with respect to each table. How can I recover this information?

You can simply query the data dictionary view ROLE_TAB_PRIVS, like this:
-- A role created without double quotes is stored in upper case in the dictionary
SELECT * FROM ROLE_TAB_PRIVS WHERE ROLE = 'MYROLE';

This works well:
SELECT DBA_TAB_PRIVS.GRANTEE, TABLE_NAME, PRIVILEGE, DBA_ROLE_PRIVS.GRANTEE
FROM DBA_TAB_PRIVS, DBA_ROLE_PRIVS
WHERE DBA_TAB_PRIVS.GRANTEE = DBA_ROLE_PRIVS.GRANTED_ROLE
AND DBA_TAB_PRIVS.GRANTEE='<ENTER GROUP ROLE HERE>'
AND DBA_ROLE_PRIVS.GRANTEE = '<ENTER ROLE HERE>'
ORDER BY DBA_ROLE_PRIVS.GRANTEE;

Related

Grant privileges on Roles but user cannot be granted

I have granted roles to users and granted some privileges to the roles:
--Grant roles for users
GRANT DataEntry TO John, Joe, Lynn;
GRANT Supervisor TO Fred;
GRANT Management TO Amy, Beth;
--Grant on table to roles
GRANT SELECT, INSERT, UPDATE ON Attendance TO DataEntry;
GRANT SELECT, DELETE ON Attendance TO Supervisor;
GRANT SELECT ON Attendance TO Management;
However, when I query the dba_sys_privs table and select on the user John, for example, I do not see the privileges which the DataEntry role has. What is the problem?
John has been granted the role, not the privileges of the role directly. John will be able to take advantage of those privileges through the role. This means that if you were to revoke the role from the user, Oracle wouldn't need to go back and figure out which privileges were obtained through the role and revoke those too - this would be a challenge as a user might be granted multiple roles that provide the same privilege. It is much more efficient for Oracle to check if a user has access to a necessary privilege at parse time (which doesn't happen often).
If you want to see all the table privileges a user is able to use then you would need to look at both dba_tab_privs and dba_role_privs. Remember that a role can be granted another role so you would need to do a recursive query to identify all of those too:
with grantees (schema) as
  (select username schema
   from dba_users
   where username = 'JOHN'
   union all
   select rp.granted_role
   from grantees g
   join dba_role_privs rp
     on g.schema = rp.grantee
  )
select *
from dba_tab_privs sp
where sp.grantee in (select g.schema from grantees g);

Oracle Db: Grant select doesn't show up in dba_sys_privs

In Oracle, I granted select on a table to a user by giving the following command:
GRANT SELECT ON DEPT TO HOMERSIMPSON;
Once I granted select on the dept table to homersimpson, I queried dba_sys_privs, but there's no record of the privilege granted. I used the following query:
Select * from dba_sys_privs where grantee = 'HOMERSIMPSON';
Why is the privilege not reported on this table?
Thanks in advance.
You are granting SELECT on a specific table. That's not a system priv. It is an object priv. Try looking at DBA_TAB_PRIVS.

Create Oracle db DBA role with read-only privileges

I'm wondering if there's a way to set up a user with dba-like read-only privileges.
In my use case, I'm trying to fetch some data of a schema from the SYS.ALL_ARGUMENTS table.
I'm using these statements to create my user:
CREATE USER bbb IDENTIFIED BY bbb;
GRANT CREATE SESSION TO bbb;
-- WITH ADMIN OPTION also lets bbb grant SELECT ANY TABLE on to other users
grant select any table to bbb WITH ADMIN OPTION;
grant select on SYS.ALL_ARGUMENTS to bbb;
When I try to run the following statement to fetch data of the HR schema:
SELECT * FROM SYS.ALL_ARGUMENTS a WHERE a.OWNER = 'HR' ORDER BY SEQUENCE;
I get nothing. If I set my user with the DBA role or the IMP_FULL_DATABASE role, I manage to get this data, but then my user has privileges I don't want him to have.
Privilege SELECT ANY TABLE does not include dictionary views. Run
GRANT SELECT ANY DICTIONARY TO bbb;
in order to grant full read access.

Query for All tables and privileges under a specific role in ORACLE?

What is the query to get all objects with privileges under a specific role?
ROLE_NAME TABLE SELECT INSERT DELETE UPDATE EXECUTE
SELECT *
FROM DBA_TAB_PRIVS
WHERE GRANTEE='ROLE_NAME';
DBA_TAB_PRIVS describes all object grants in the database.
Or, to get the grants for all the roles, you can use the query below.
SELECT grantee role_name,table_name,privilege
FROM dba_tab_privs dtp,dba_roles dr
WHERE dtp.grantee=dr.role
ORDER BY role_name,table_name,privilege;
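
The layout asked for in the question (one row per object, one column per privilege) can be produced with conditional aggregation over DBA_TAB_PRIVS. This is an added example, not code from the original answers; it assumes Oracle 11gR2 or later for LISTAGG, MYROLE is the sample role from the first question on this page, and the can_* and other_privileges aliases are illustrative names.

```sql
-- Added example (Oracle SQL). Needs SELECT on DBA_TAB_PRIVS and DBA_ROLES.
-- One row per (role, owner, object); Y/N per common privilege, plus a
-- catch-all column so grants such as ALTER or REFERENCES are not hidden.
SELECT tp.grantee                                                  AS role_name,
       tp.owner,
       tp.table_name,
       MAX(CASE tp.privilege WHEN 'SELECT'  THEN 'Y' ELSE 'N' END) AS can_select,
       MAX(CASE tp.privilege WHEN 'INSERT'  THEN 'Y' ELSE 'N' END) AS can_insert,
       MAX(CASE tp.privilege WHEN 'DELETE'  THEN 'Y' ELSE 'N' END) AS can_delete,
       MAX(CASE tp.privilege WHEN 'UPDATE'  THEN 'Y' ELSE 'N' END) AS can_update,
       MAX(CASE tp.privilege WHEN 'EXECUTE' THEN 'Y' ELSE 'N' END) AS can_execute,
       LISTAGG(CASE
                 WHEN tp.privilege NOT IN
                      ('SELECT', 'INSERT', 'DELETE', 'UPDATE', 'EXECUTE')
                 THEN tp.privilege
               END, ', ')
         WITHIN GROUP (ORDER BY tp.privilege)                      AS other_privileges
FROM  (-- DISTINCT collapses the same privilege granted by several grantors
       SELECT DISTINCT grantee, owner, table_name, privilege
       FROM   dba_tab_privs) tp
JOIN   dba_roles r
  ON   r.role = tp.grantee            -- keep roles only, drop user grantees
WHERE  tp.grantee = 'MYROLE'          -- unquoted role names are stored upper case;
                                      -- remove this line to report every role
GROUP  BY tp.grantee, tp.owner, tp.table_name
ORDER  BY tp.grantee, tp.owner, tp.table_name;
-- Column-level grants live in DBA_COL_PRIVS and are not covered here.
```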

How to find out if select grant is obtained directly or through a role

One of the pitfalls in Oracle is the fact that sometimes you can select from a table if you run a query in SQL*Plus, but you can't when running the query from a stored procedure. In order to run a query from a stored procedure, you need a direct grant for the object and not a grant obtained through a role.
If I see a table in the all_tables view, how can I know if I can see this table because of a direct grant or because of a role grant?
Look at ALL_TAB_PRIVS:
select grantee from all_tab_privs
where table_schema = 'SCOTT' and table_name='EMP'
and privilege = 'SELECT';
This shows all grantees, whether roles or users.
One method to see exactly what a procedure would see is to issue the command:
SET ROLE NONE;
It disables all roles for your current session.
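
The recursive query in the "Grant privileges on Roles" answer and the direct-versus-role question above can be combined into one report that lists, for each object privilege a user can reach, the chain of grants that provides it. This is an added example, not code from the original answers; JOHN is the sample user from that answer, the column names grant_path, hops and needs_enabled_role are illustrative, and the PUBLIC row is added on the assumption that grants to PUBLIC should be reported as well.

```sql
-- Added example (Oracle SQL, 11gR2+ recursive WITH).
-- Needs SELECT on DBA_ROLE_PRIVS and DBA_TAB_PRIVS.
WITH grantees (grantee, grant_path, hops) AS (
    -- Anchor: the user itself, plus PUBLIC, whose grants every user inherits.
    -- CASTs fix the column widths so the recursive branch matches them.
    SELECT CAST(s.grantee AS VARCHAR2(128)),
           CAST(s.grantee AS VARCHAR2(4000)),
           0
    FROM  (SELECT 'JOHN' AS grantee FROM dual
           UNION ALL
           SELECT 'PUBLIC' FROM dual) s
    UNION ALL
    -- Recursive step: roles granted to anything found so far
    -- (roles granted to the user, roles granted to those roles, ...).
    SELECT rp.granted_role,
           g.grant_path || ' -> ' || rp.granted_role,
           g.hops + 1
    FROM   grantees g
    JOIN   dba_role_privs rp
      ON   rp.grantee = g.grantee
)
SELECT tp.owner,
       tp.table_name,
       tp.privilege,
       g.grant_path,                  -- 'JOHN' = direct grant,
                                      -- 'JOHN -> DATAENTRY' = through a role
       -- hops > 0 means the privilege arrives through a role, so it is only
       -- available while that role is enabled and is lost after SET ROLE NONE
       CASE WHEN g.hops = 0 THEN 'NO' ELSE 'YES' END AS needs_enabled_role
FROM   grantees g
JOIN   dba_tab_privs tp
  ON   tp.grantee = g.grantee
ORDER  BY tp.owner, tp.table_name, tp.privilege, g.hops;
```

A privilege that appears only on rows with needs_enabled_role = 'YES' is the case described in the question: the query works interactively but fails inside a stored procedure.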
