Managing Privileges
DownLoad Link at the Last:
Youtube Video Link:
Objectives
After completing this lesson, you should be able to do the following:
Identify system and object privileges
Grant and revoke privileges
Managing Privileges
Two types of Oracle user privileges:
System: Enables users to perform particular actions in the database
Object: Enables users to access and manipulate a specific object
Privileges
A privilege is a right to execute a particular type of SQL statement or to access another user’s object. These include the right to:
Connect to a database
Create a table
Select rows from another user’s table
Execute another user’s stored procedure
System privileges:
Each system privilege allows a user to perform a particular database operation or class of database operations; for example, the privilege to create tablespaces is a system privilege.
Object privileges:Each object privilege allows a user to perform a particular action on a specific object, such as a table, view, sequence, procedure, function, or package.
A DBA’s control of privileges includes:
Providing a user the right to perform a type of operation
Granting and revoking access to perform system functions
Granting privileges directly to users or to roles
Granting privileges to all users (PUBLIC)
System Privileges
There are more than 100 distinct system privileges.
The ANY keyword in privileges signifies that users have the privilege in any schema.
The GRANT command adds a privilege to a user or a group of users.
The REVOKE command deletes the privileges.
System Privileges
Privileges can be classified as follows:
Privileges that enable system-wide operations; for example, CREATE SESSION, CREATE TABLESPACE
Privileges that enable management of objects in a user’s own schema; for example, CREATE TABLE
Privileges that enable management of objects in any schema; for example, CREATE ANY TABLE
Privileges can be controlled with the DDL commands GRANT and REVOKE, which add and revoke system privileges to the user or to a role. For more information on roles, refer to the “Managing Roles” lesson.
System Privileges: Examples
System Privileges: Examples
There is no CREATE INDEX privilege.
CREATE TABLE includes the CREATE INDEX and the ANALYZE commands. The user must have a quota for the tablespace or must have been granted UNLIMITED TABLESPACE.
Privileges such as CREATE TABLE, CREATE PROCEDURE, or CREATE CLUSTER include dropping these objects.
UNLIMITED TABLESPACE cannot be granted to a role.
The DROP ANY TABLE privilege is necessary to truncate a table in another schema.
Granting System Privileges
Use the SQL statement GRANT to grant system privileges to users.
The grantee can further grant the system privilege to other users with the ADMIN option. Exercise caution when granting system privileges with the ADMIN option. Such privileges are usually reserved for security administrators and are rarely granted to other users.
GRANT {system_privilege|role}
[, {system_privilege|role} ]...
TO {user|role|PUBLIC}
[, {user|role|PUBLIC} ]...
[WITH ADMIN OPTION]
where:
system_privilege: Specifies the system privilege to be granted
role: Specifies the role name to be granted
PUBLIC: Grants system privilege to all users
WITH ADMIN OPTION: Enables the grantee to further grant the privilege or role to other users or roles
Granting System Privileges
Using Oracle Enterprise Manger to Grant System Privilege
From the OEM Console:
Navigate to Databases > Security > Users.
Select the user who will be granted the privilege.
5. Click the System Privileges tab on the detail side of the console.
6. Select the system privileges that you want to grant. Optionally, check the Admin Option box.
7. Click Apply.
SYSDBA and SYSOPER
Privileges
SYSDBA and SYSOPER Privileges
Only database administrators should have the capability to connect to a database with administrator privileges. Connecting as SYSDBA provides a user with unrestricted privileges to perform any operation on a database or on the objects within a database.
System Privilege Restrictions
O7_DICTIONARY_ACCESSIBILITY parameter
Controls restrictions on SYSTEM privileges
If set to TRUE, allows access to objects in SYS schema
The default is FALSE: ensures that system privileges that allow access to any schema do not allow access to SYS schema
System Privilege Restrictions
The dictionary protection mechanism in Oracle9i prevents unauthorized users from accessing dictionary objects.
Access to dictionary objects is restricted to the roles SYSDBA and SYSOPER. System privileges that provide access to objects in other schemas do not give you access to dictionary objects. For example, the SELECT ANY TABLE privilege allows you to access views and tables in other schemas, but does not enable you to select dictionary objects (base tables, views, packages, and synonyms).
If the parameter is set to TRUE, access to objects in SYS schema is allowed (Oracle7 behavior). If this parameter is set to FALSE, SYSTEM privileges that allow access to objects in other schemas do not allow access to objects in the dictionary schema.
For example, if O7_DICTIONARY_ACCESSIBILITY=FALSE, then the SELECT ANY TABLE statement will allow access to views or tables in any schema except the SYS schema (for example, dictionaries could not be accessed). The system privilege, EXECUTE ANY PROCEDURE will allow access on the procedures in any other schema except in the SYS schema.
Revoking System Privileges
Revoking System Privileges
System privileges can be revoked using the REVOKE SQL statement. Users with the ADMIN OPTION for a system privilege can revoke the privilege from any other database user. The revoker does not have to be the same user who originally granted the privilege.
REVOKE {system_privilege|role}
[, {system_privilege|role} ]...
FROM {user|role|PUBLIC}
[, {user|role|PUBLIC} ]...
Note:
The REVOKE command can only revoke privileges that have been granted directly with a GRANT command.
Revoking system privileges may have an effect on some dependent objects. For example, if SELECT ANY TABLE is granted to a user, and that user has created procedures or views that use a table in some other schema, then revoking the privilege invalidates those procedures or views.
Using Oracle Enterprise Manager to Revoke System Privileges
From the OEM Console:
Navigate to Databases > Security > Users.
Select the user from whom the privilege is to be revoked.
Click the System Privileges page on the detail side of the console.
Select the system privilege that is to be revoked and click the up arrow.
Click Apply.
Revoking System Privileges
with the ADMIN OPTION
Revoking System Privileges
There are no cascading effects when a system privilege is revoked, regardless of whether it was given the ADMIN OPTION.
Read through the following steps that illustrate this.
Scenario
1. The DBA grants the CREATE TABLE system privilege to Jeff with the ADMIN OPTION.
2. Jeff creates a table.
3. Jeff grants the CREATE TABLE system privilege to Emi.
4. Emi creates a table.
5. The DBA revokes the CREATE TABLE system privilege from Jeff.
The result
Jeff’s table still exists, but no new tables can be created.
Emi’s table still exists and she still has the CREATE TABLE system privilege.
Object Privileges
Object Privileges
An object privilege is a privilege or right to perform a particular action on a specific table, view, sequence, procedure, function, or package. Each object has a particular set of grantable privileges. The table above lists the privileges for various objects. Note that the only privileges that apply to a sequence are SELECT and ALTER. UPDATE, REFERENCES, and INSERT can be restricted by specifying a subset of updateable columns. SELECT can be restricted by creating a view with a subset of columns and by granting the SELECT privilege on the view. A grant on a synonym is converted to a grant on the base table that is referenced by the synonym.
Note: This slide does not provide a complete list of object privileges.
Granting Object Privileges
Granting Object Privileges
GRANT { object_privilege [(column_list)]
[, object_privilege [(column_list)] ]...
|ALL [PRIVILEGES]}
ON [schema.]object
TO {user|role|PUBLIC}[, {user|role|PUBLIC} ]...
[WITH GRANT OPTION]
where:
object_privilege: Specifies the object privilege to be granted
column_list: Specifies a table or view column (This can be specified only when granting the INSERT, REFERENCES, or UPDATE privileges.)
ALL: Grants all privileges for the object that have been granted WITH GRANT OPTION
ON object: Identifies the object on which the privileges are to be granted
WITH GRANT OPTION: Enables the grantee to grant object privileges to other users or roles
Use the GRANT statement to grant object privileges.
To grant privileges, the object must be in your schema or you must have been given the privilege with the GRANT OPTION.
By default, if you own an object, all privileges on that object are automatically acquired.
Use caution when granting privileges on your objects to other users when security is a concern.
Using Oracle Enterprise Manager to Grant Object Privileges
From the OEM Console:
Navigate to Databases > Security > Users.
Select the user who will be granted the privilege.
Click the Object Privileges tab on the detail side of the console.
Expand the schema and object folders for which the object privilege is being granted.
Select the privilege to be granted from the Available Privileges field and click the down arrow.
Optionally, select the Grant Option check box.
Click Apply.
Revoking Object Privileges
Revoking Object Privileges
The REVOKE statement is used to revoke object privileges. To revoke an object privilege, the revoker must be the original grantor of the object privilege being revoked.
Use the following command to revoke an object privilege:
REVOKE { object_privilege
[, object_privilege ]...
| ALL [PRIVILEGES] }
ON [schema.]object
FROM {user|role|PUBLIC}
[, {user|role|PUBLIC} ]...
[CASCADE CONSTRAINTS]
where:
object_privilege: Specifies the object privilege to be revoked
ALL: Revokes all object privileges that are granted to the user
ON: Identifies the object on which the object privileges are revoked
FROM: Identifies users or roles from which the object privileges are revoked
CASCADE CONSTRAINTS: Drops any referential integrity constraints that the revoke has defined using REFERENCES or ALL privileges
Restriction:
Grantors can revoke object privileges from only those users to whom they have granted privileges.
Using Oracle Enterprise Manager to Revoke Object Privileges
From the OEM Console:
Navigate to Databases > Security > Users.
Select the user from whom the privilege is to be revoked.
Click the Object Privileges tab on the detail side of the console.
Select the object privilege that is to be revoked and click the up arrow.
Click Apply.
WITH GRANT OPTION
Revoking Object Privileges (continued)
Cascading effects can be observed when revoking a system privilege that is related to a DML operation. For example, if SELECT ANY TABLE is granted to a user, and that user has created procedures that use the table, all procedures that are contained in the user’s schema must be recompiled before they can be used again.
Revoking object privileges will also cascade when given WITH GRANT OPTION.
Read through the following steps that illustrate this.
Scenario:
Jeff is granted the SELECT object privilege on EMPLOYEES with the GRANT OPTION.
Jeff grants the SELECT privilege on EMPLOYEES to Emi.
Later, the SELECT privilege is revoked from Jeff. This revoke is cascaded to Emi as well.
Obtaining Privileges Information
Information about privileges can be obtained by querying the following views:
DBA_SYS_PRIVS
SESSION_PRIVS
DBA_TAB_PRIVS
DBA_COL_PRIVS
Obtaining Privileges Information
DBA_SYS_PRIVS: Lists system privileges granted to users and roles
SESSION_PRIVS: Lists the privileges that are currently available to the user
DBA_TAB_PRIVS: Lists all grants on all objects in the database
DBA_COL_PRIVS: Describes all object-column grants in the database
In this lesson, you should have learned how to:
Identify system and object privileges
Grant and revoke privileges
Practice 16 Overview
Practice 16 Overview
Note: Practice can be accomplished using SQL*Plus or using Oracle Enterprise Manager and SQL*Plus Worksheet.
Download Link:
0 Comments