What Oracle roles/privileges do I need to create a trigger on a table in another schema?
"in another schema?"
CREATE ANY TRIGGER. However, like any ANY privilege, it is VERY dangerous so a DBA is unlikely to give it to you.
The DBA could create that trigger for you or maybe give you the password to that schema to create the trigger there.
GRANT CREATE TRIGGER TO user_class;
Related
I want to import schema to my new host. First I had created new user account:
CREATE USER test IDENTIFIED BY test;
What kind of privileges I need to grant to have super role?
(create schema, tables, packages, triggers...etc)
It's one privilege to grant me access to all of them?
You should grant only those privileges that are required for a newly created user to work. One by one.
CREATE SESSION is the first one; without it, user can't even connect to the database.
CREATE TABLE is most probably also required, if user TEST is going to create his own tables.
That's enough to get it started. Once it appears that user needs to create a procedure, you'll grant CREATE PROCEDURE. And so forth.
There are/were roles named CONNECT and RESOURCE which contained the "most frequent" privileges one needed, but their use is - as far as I can tell & in my opinion - discouraged.
Is there a way to grant privileges of select, insert, update and delete to a user so that if we add a new table later, the user still have these privileges on the new table ?
Thanks for help,
The quickest and dirtiest way to go about something like this is to create a trigger on all create table statements in the DB, and then granting privileges on tables fitting your pre-defined conditions.
However, I don't see why not to add a grant command to every create table command ran in the system.
Bear in mind that DDLs and grant commands are not something to be taken lightly. Designing your schema and its privileges should be done with careful thought, and automating is a recipe for problems further down the road.
Although not a recommended practice for security reasons on a development instance this is acceptable
grant select, insert, update, delete any table to your_user;
I stress again that this allows that user access to any table in any schema except SYS and is not a best practice.
I would like to know if there is a way to grant permissions to, for example, create table on a schema, from a different user.
I want to do this without granting DBA role, nor granting "ANY" permissions (grant create any table to XXXX).
I use this occasionally to satisfy devs who want a read-only account. This will create DDL that will give appropriate select or execute permissions. It would not be difficult to modify that to include update and delete.
I'm using Oracle's 10g version.
In the database, I would like to create a configuration table and fill it with data.
Then the other users can not change anything in it, and even better that it was not at all visible to other users. Is it possible to somehow hide the table?
Regards
Create a separate schema for that table. Create a package that provides an API to your configuration data (e.g. to get a value that is needed by another program).
Revoke CREATE SESSION privilege from that schema (i.e. just don't grant any privileges to the schema at all). Don't grant any privileges on the table. The only users who will be able to see the table are those with DBA privileges.
The only thing that database sessions will be able to do is execute the package, IF they have been granted EXECUTE privilege on it.
If you do not grant enough privileges to other users, they could not see your objects.
For our application we're using outsorced Oracle administration. Now we'd like to prevent external oracle administrator from changing our data (DELETE, INSERT, UPDATE).
Is there any way how to do it?
Is there possible to REVOKE eg. UPDATE ANY TABLE to SYS account and is this sufficient?
I have read the Oracle Security Guide but haven't found anything. Only a statement: Do not use a DBA role which contains eg. the UPDATE ANY TABLE privilege.
I see I also should REVOKE GRANT ANY PRIVILEGE ...
Simply I'd need a complex guide how to do it and I'm not able to find any document about it.
Thanks