How to find out if select grant is obtained directly or through a role - oracle

One of the pitfalls in Oracle is the fact that sometimes you can select from a table if you run a query in SQL*Plus but that you can't when running the query from a stored procedure. In order to run a query from a stored procedure you need a direct grant for the object and not a grant obtained through a role.
If I see a table in the all_tables view, how can I know if I can see this table because of a direct grant or because of a role grant?

Look at ALL_TAB_PRIVS:
select grantee from all_tab_privs
where table_schema = 'SCOTT' and table_name='EMP'
and privilege = 'SELECT';
This shows all grantees, whether roles or users.

One method to see exactly what a procedure would see is to issue the command:
SET ROLE none
It disables all roles for your current session.
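
The checks from the answers above, combined into one query as an added example (not part of the original answers): it lists each path by which the current user holds SELECT on SCOTT.EMP, following nested role grants and also reporting the SELECT ANY TABLE system privilege. It assumes Oracle 11gR2 or later for the recursive WITH clause; the aliases priv, held_by and grant_path are chosen for this example.

```sql
-- Added example: every path by which the current user holds SELECT on
-- SCOTT.EMP (the sample object used in the answer above).
-- Reads only dictionary views that a non-DBA account can query.
WITH my_roles (role_name) AS (
  -- roles granted straight to this user
  SELECT granted_role FROM user_role_privs
  UNION ALL
  -- roles reached through another role (nested role grants)
  SELECT rr.granted_role
  FROM   role_role_privs rr
  JOIN   my_roles mr ON rr.role = mr.role_name
),
role_set AS (
  -- a role reachable by two routes must be counted once
  SELECT DISTINCT role_name FROM my_roles
)
-- object privilege granted to the user or to PUBLIC
SELECT 'SELECT ON SCOTT.EMP' AS priv, grantee AS held_by, 'DIRECT' AS grant_path
FROM   all_tab_privs
WHERE  table_schema = 'SCOTT' AND table_name = 'EMP'
AND    privilege = 'SELECT' AND grantee IN (USER, 'PUBLIC')
UNION ALL
-- object privilege granted to a role the user holds
SELECT 'SELECT ON SCOTT.EMP', rt.role, 'ROLE'
FROM   role_tab_privs rt
JOIN   role_set rs ON rs.role_name = rt.role
WHERE  rt.owner = 'SCOTT' AND rt.table_name = 'EMP' AND rt.privilege = 'SELECT'
UNION ALL
-- system privilege granted without a role
SELECT privilege, username, 'DIRECT'
FROM   user_sys_privs
WHERE  privilege = 'SELECT ANY TABLE'
UNION ALL
-- system privilege granted to a role the user holds
SELECT sp.privilege, sp.role, 'ROLE'
FROM   role_sys_privs sp
JOIN   role_set rs ON rs.role_name = sp.role
WHERE  sp.privilege = 'SELECT ANY TABLE'
ORDER  BY 3, 2;
```

Rows marked ROLE apply only while that role is enabled in the session; a definer-rights procedure or a view compiles only against the rows marked DIRECT.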

Related

Oracle: Granting Select ANY Table doesn't show up in dba_tab_privs

I have an issue where I (as sysdba) granted a privilege to perform a select on any table to a user. I used the following query:
GRANT SELECT ANY TABLE TO BARTSIMPSON
I get the message that grant succeeded. But I don't see a record of this privilege in the dba_tab_privs. Why? Thanks in advance

You are looking in the wrong view. dba_tab_privs shows table privileges. select any table is a system privilege. You should look for it in dba_sys_privs.

Grant privileges to role query in Oracle not working

I am trying to run the below query in Oracle DB.
a. GRANT UPDATE ON MIC_COMMON_AT.SHL_PRODUCERS TO MIC_READWRITE_AT;
This query does not give any error and says GRANT SUCCEEDED.
b. But when I run below query to check this grant in sys.all_tab_privs for the role, to which this grant should have been added, it gives me 0 rows
SELECT * FROM sys.all_tab_privs
WHERE GRANTEE = 'MIC_READWRITE_AT';
I am not sure why the required grant for role (MIC_READWRITE_AT) is not getting inserted in the sys.all_tab_privs table (query b returning 0 rows), even though the grant query for that role seems to execute successfully without any error (query a).
The user with which I am executing this query has been given the dba role as default role, and it also has the system privileges 'GRANT ANY OBJECT PRIVILEGE' and 'GRANT ANY PRIVILEGE'.
What am I missing here?

all_tab_privs only includes object grants for which the current user is the object owner, grantor, or grantee. It won't show you grants on objects in other schemas. Try using the dba_tab_privs view instead.

Oracle view permission

In Oracle, I attempt to create a view like this
create view ddd as
select *
from myschema1.t1
join myschema2.t2
....
When I run this statement, I get an error ORA-01031 : insufficient privileges. If I just execute the query in Query Worksheet, however, it works.
Why does my CREATE VIEW statement fail and what privileges do I need in order to make the statement succeed?

In order to create a view that references myschema1.t1 and myschema2.t2, the user that owns the view has to be given access to those two tables directly, not via a role. My first guess is that you have been granted the privileges on the underlying table via a role. You can verify that in SQL*Plus by disabling roles and re-running the query. If you do
SQL> set role none;
SQL> select *
from myschema1.t1
join myschema2.t2 ...
does the query work? If not, then you only have the privileges granted via a role not directly. Note that if you want to be able to grant other users access to your view, you need to be granted privileges on the objects WITH GRANT OPTION.
GRANT SELECT ON myschema1.t1 TO <<user that will own the view>> WITH GRANT OPTION;
GRANT SELECT ON myschema2.t2 TO <<user that will own the view>> WITH GRANT OPTION;
If the problem is not with the privileges on the underlying objects, the problem is most likely that you have not been granted the CREATE VIEW privilege.

That sounds like you don't have the CREATE VIEW privilege. If you didn't have access to the tables, you should get ORA-00942: table or view does not exist.

Oracle: Creating view across schemas?

I'm trying to create a view, and have distilled the problem down to the inability to create a view that references tables from a different schema.
For example, I can do:
select count(*) from otherschema.othertable;
and I can do:
create view foo as select count(*) as bar from oneofmytables;
But if I try:
create view foo as select count(*) as bar from otherschema.othertable;
I get an "insufficient privileges" error. What additional privileges do I need?

Do you have the grant to the other user's table directly? Or is it via a role? You will need the privilege to be granted directly in order to create an object (view, procedure, etc.) that references the other table. As a quick test, in SQL*Plus
SQL> set role none;
SQL> select count(*) from otherschema.othertable;
If that fails, then the problem is that you have been granted privileges on the table via a role.

I guess you have been given select right on otherschema.othertable via a role not via a direct grant.
If this is the case, you should connect as otheruser and then do a grant select on othertable to <your-schema>.

I believe that your DBA will need to grant you
create any view
privilege. Depending on the security restrictions at your site they may or may not allow this. I typically do not

How can I enumerate the list of privileges granted to an Oracle role?

I have a homegrown Oracle role that was created long ago:
create role MyRole;
It's been granted the ability to select, insert, update, and delete from some tables and views.
grant select on sometable to MyRole;
grant insert on sometable to MyRole;
grant select on someothertable to MyRole;
-- etc.
How can I now enumerate the specific list of privileges that were granted to the role? I am interested in discovering the specific tables and the rights this role has with respect to each table. How can I recover this information?

You can simply search the data dictionary ROLE_TAB_PRIVS, like this:
-- Oracle stores an unquoted role name in upper case, so match 'MYROLE'
SELECT * FROM ROLE_TAB_PRIVS WHERE ROLE = 'MYROLE';

This works well:
SELECT DBA_TAB_PRIVS.GRANTEE, TABLE_NAME, PRIVILEGE,DBA_ROLE_PRIVS.GRANTEE
FROM DBA_TAB_PRIVS, DBA_ROLE_PRIVS
WHERE DBA_TAB_PRIVS.GRANTEE = DBA_ROLE_PRIVS.GRANTED_ROLE
AND DBA_TAB_PRIVS.GRANTEE='<ENTER GROUP ROLE HERE>'
AND DBA_ROLE_PRIVS.GRANTEE = '<ENTER ROLE HERE>'
ORDER BY DBA_ROLE_PRIVS.GRANTEE
