I have a table table1 and I want to grant SELECT on table1 to user user1.
I will use the query below to grant SELECT.
grant select on table1 to user1;
But on production I don't know what grants user1 already has on table1. So what will happen if user1 already has SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER and INDEX grants on table1 and I execute only the SELECT grant?
The SELECT grant will be added, if it doesn't currently exist, to any existing grants for that user.
"If you grant a privilege to a user, then the database adds the privilege to the user's privilege domain."
See the following documentation for your version of the database (this one is 10g, but still applicable):
Applicable Oracle 10g documentation on grants
What will happen if user1 already has SELECT, INSERT, (...) grant on table1 and execute only SELECT grant.
Nothing will happen.
GRANT doesn't work as a switch (i.e. turns a privilege on - another GRANT turns it off - yet another turns it on ... - nope).
If you want to revoke a privilege, you'd do exactly that: REVOKE SELECT ON some_table FROM my_user;
Will it be "double-granted" (so that you'd have to revoke it twice)? Nope, it won't.
Therefore, if user is already granted SELECT privilege on that table, another grant is useless, but won't do any harm.
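Added example, not part of the original answers: a way to see what user1 already holds before and after the grant, using Oracle's USER_TAB_PRIVS_MADE dictionary view. It assumes the session is the owner of TABLE1; the last query only generates REVOKE statements for review and changes nothing.

```sql
-- Added example; run as the owner of TABLE1. TABLE1 and USER1 are the
-- names used in the question.

-- 1. What does USER1 hold on TABLE1 today, and who granted it?
SELECT grantee, privilege, grantable, grantor
FROM   user_tab_privs_made
WHERE  table_name = 'TABLE1'
AND    grantee    = 'USER1'
ORDER  BY privilege, grantor;

-- 2. Issue the grant; the second statement repeats it on purpose.
GRANT SELECT ON table1 TO user1;
GRANT SELECT ON table1 TO user1;

-- 3. Re-check. One row per (privilege, grantor) means nothing was doubled,
--    and the privileges that existed before are still listed.
SELECT privilege, grantor, COUNT(*) AS grant_rows
FROM   user_tab_privs_made
WHERE  table_name = 'TABLE1'
AND    grantee    = 'USER1'
GROUP  BY privilege, grantor
ORDER  BY privilege, grantor;

-- 4. GRANT SELECT narrows nothing. If read-only access is the intent,
--    generate REVOKEs for what this account itself granted, review, then run.
SELECT 'REVOKE ' || privilege || ' ON ' || table_name
       || ' FROM ' || grantee || ';' AS revoke_stmt
FROM   user_tab_privs_made
WHERE  table_name = 'TABLE1'
AND    grantee    = 'USER1'
AND    grantor    = USER
AND    privilege <> 'SELECT'
ORDER  BY privilege;
```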
Imagine a following situation: a database admin creates new user. Let's call him user1. Admin grants privilege A to user1 with grant option.
GRANT A TO user1
WITH GRANT OPTION
Now user1 grants mentioned privilege to user2:
GRANT A TO user2
WITH GRANT OPTION
Let's suppose that admin revokes A from user1:
REVOKE A FROM user1
What happens to user2's granted permissions? Are they still working? Are they deleted? Does the behavior depend on the platform, so that it may differ on Oracle, MS SQL, MySQL etc.? I know that you can specify such behavior by using the CASCADE keyword in MS SQL, but I've heard that other platforms delete child grants by default when the parent is revoked.
In SQL Server, revoking a permission from a principal who held that permission with grant option and who has granted that permission to other principals will fail with:
Msg 4611, Level 16, State 1, Line 16
To revoke or deny grantable privileges, specify the CASCADE option.
And to test this stuff on SQL Server, create users without logins and use EXECUTE AS to impersonate them and test the behavior and their effective permissions.
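-- test objects: a table and two database users without logins
drop table if exists foo
create table foo(id int)
create user user1 without login
create user user2 without login
-- user1 gets SELECT and may pass it on
GRANT select on foo TO user1
WITH GRANT OPTION
-- impersonate user1 and re-grant SELECT to user2
execute as user='user1'
select * from foo;
GRANT select on foo TO user2
WITH GRANT OPTION
revert
-- revoking without CASCADE is rejected with Msg 4611
revoke select on foo to user1 --fails
go
-- CASCADE also removes the grant user1 made to user2
revoke select on foo to user1 cascade
execute as user='user2'
select * from foo; --fails
revert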
As I understand it, in Oracle one schema is only for one user, and if you (the granter) grant privileges to another user (the grantee) to access that schema, that schema is copied to the grantee's schema, while MySQL just provides access to the database without copying.
E.g. if user1 is schema1 and you grant privileges to user2 to access schema1, will those tables in schema1 be copied to the schema (could be schema2) of user2? How does that work behind the scenes?
And,
if I grant only select privileges to user2 to access user1.table1, will table1 be copied to the schema of user2? Or does user2 only get access to table1 while table1 will still be in schema1?
GRANT SELECT ON user1.table1 TO user2;
Please help me understand how Oracle grant privileges work. Thank you.
that schema is copied to the grantee's schema
That's completely wrong.
The grantee only gets the privilege to access the tables in the other schema. To access the table the grantee needs to prefix the table reference with the grantor's schema:
e.g. user2 needs to run:
select *
from user1.table1;
Nothing is being copied; the query directly accesses the table in the other schema.
I have created a sample application to get the schema of all objects and generate an SQL file, so I simply created two users, 'SYSTEM' and 'SCOTT', and user SYSTEM grants all privileges to access some of the tables, views, functions etc. to user SCOTT.
To grant privileges to user SCOTT I use the following Oracle query:
GRANT ALL ON table_name to username
But the problem is that this query is not working for triggers and synonyms.
So can anyone please suggest how I can grant privileges on triggers and synonyms to user SCOTT?
But the problem is that this query is not working for triggers and synonyms. So can anyone please suggest how I can grant privileges on triggers and synonyms to user SCOTT?
TRIGGER - You cannot give grants for a trigger. There is no such thing. Triggers fire automatically whenever the trigger event is done on the table on which the trigger is created. You only need to grant privilege on the table.
SYNONYM - You just create a synonym for the schema.table and grant privilege on the table, such that other users don't have to fully qualify the table and can just use the synonym instead.
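Added example, not part of the original answers, covering both this answer and the earlier one about schemas not being copied: a grant on the table is all the grantee needs, the owner's trigger fires on the grantee's insert, and a private synonym only saves typing the schema prefix. The accounts user1 and user2, the column created_by and the trigger name table1_bi are assumptions; user1 needs CREATE TABLE and CREATE TRIGGER, user2 needs CREATE SYNONYM.

```sql
-- Added example for SQL*Plus or SQLcl; CONNECT <user> prompts for the password.

CONNECT user1
CREATE TABLE table1 (id NUMBER, created_by VARCHAR2(128));

-- The trigger belongs to the table's owner; there is no privilege to grant on it.
CREATE OR REPLACE TRIGGER table1_bi
BEFORE INSERT ON table1
FOR EACH ROW
BEGIN
  :NEW.created_by := SYS_CONTEXT('USERENV', 'SESSION_USER');
END;
/

-- Only table privileges are granted, and only the ones needed.
GRANT SELECT, INSERT ON table1 TO user2;

CONNECT user2
-- A private synonym in user2's schema that points at user1's table.
CREATE SYNONYM table1 FOR user1.table1;

-- The insert goes through the synonym into user1.table1; the trigger fills
-- created_by without user2 holding any grant on the trigger.
INSERT INTO table1 (id) VALUES (1);
COMMIT;
SELECT id, created_by FROM table1;

-- Lists every object named TABLE1 that user2 can see, with its owner and type,
-- which shows where the table lives and what user2's schema actually holds.
SELECT owner, object_name, object_type
FROM   all_objects
WHERE  object_name = 'TABLE1'
ORDER  BY owner, object_type;
```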
I'm currently dealing with some GRANT options using Oracle Database Express Edition 11g. Consider the following small code example where some users grant some privileges to other users:
-- User A
GRANT Select, Insert, Update, Delete ON T TO B,C WITH GRANT OPTION ;
-- User B
GRANT Select ON T TO C WITH GRANT OPTION ;
GRANT Insert ON T TO C ;
-- User C
GRANT Select, Insert, Update ON T TO D ;
User A is the creator of Table T and performs the following REVOKE operation.
Now REVOKE Update ON T FROM C is performed. Since no constraint is specified, the REVOKE operation should either cancel, because otherwise there would be an abandoned UPDATE privilege at D, or delete the privileges of both C and D.
Now my question is: Is the REVOKE statement actually cancelled or removes both C and D privileges? Or in other words, is the result after executing that revoke statement that both C and D still have the UPDATE privilege or not?
Thanks in advance.
Revoke object privilege
If user has granted the privilege to other users or roles, then the database also revokes the privilege from those other users or roles.
The correct REVOKE statement is:
REVOKE object_priv [(column1, column2..)] ON [schema.]object
FROM {user, | role, |PUBLIC} [CASCADE CONSTRAINTS] [FORCE]
There is no RESTRICT in Oracle. RESTRICT exists in PostgreSQL, MariaDB, etc.
However, I think what you intend is just REVOKE Update ON T FROM C executed as user A.
After that there is no error, and users C and D do NOT have the privilege to update T.
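Added example, not part of the original answer: the question's grant chain rebuilt as a script, with the owner's dictionary view listed before and after the REVOKE so the cascade described above can be checked on a test instance. It assumes test accounts A, B, C and D exist with CREATE SESSION and that A can create tables.

```sql
-- Added example for SQL*Plus or SQLcl; CONNECT <user> prompts for the password.

CONNECT a
CREATE TABLE t (id NUMBER);
GRANT SELECT, INSERT, UPDATE, DELETE ON t TO b, c WITH GRANT OPTION;

CONNECT b
GRANT SELECT ON a.t TO c WITH GRANT OPTION;
GRANT INSERT ON a.t TO c;

CONNECT c
GRANT SELECT, INSERT, UPDATE ON a.t TO d;

-- Owner's view of the grant chain: each row is one grantor -> grantee edge.
CONNECT a
SELECT grantor, grantee, privilege, grantable
FROM   user_tab_privs_made
WHERE  table_name = 'T'
ORDER  BY privilege, grantor, grantee;

-- The statement from the question, run by the owner.
REVOKE UPDATE ON t FROM c;

-- Same listing again: compare the UPDATE rows for C and D with the first one.
SELECT grantor, grantee, privilege, grantable
FROM   user_tab_privs_made
WHERE  table_name = 'T'
ORDER  BY privilege, grantor, grantee;

-- Effective check from D's side of the chain.
CONNECT d
UPDATE a.t SET id = id;
ROLLBACK;
```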
Fast :
GRANT SELECT ON SYSTEM.* TO appadmin;
I want to grant AppAdmin the rights of SELECT on all tables of the database
I'm using Oracle SQL, why does my statement not work?
Using the ANY keyword in reference to a system privilege means that the user can perform the privilege on any objects owned by any user except for SYS. By default, if you are granted a privilege, you cannot assign your privilege to others. You cannot grant or revoke that privilege to or from anyone else.
Sometimes you want to grant privileges to users and have them be able to grant those privileges to other users. When this is the case, we include the with admin keyword in the grant command. When this keyword is used, it will allow the user granted the privilege to grant that privilege to other users.
Here is an example of the usage of the with admin option keyword.
GRANT SELECT ANY TABLE TO User;
GRANT SELECT ANY TABLE TO YOUR_USER;
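Added example, not part of the original answers, and narrower than SELECT ANY TABLE: an Oracle object grant names one object per statement, so this block issues one GRANT SELECT per table of a single schema. It assumes it is run by the schema owner and that the grantee is the APPADMIN account from the question; names are quoted with DBMS_ASSERT before being placed in dynamic SQL.

```sql
SET SERVEROUTPUT ON

DECLARE
  c_grantee CONSTANT VARCHAR2(128) := 'APPADMIN';  -- grantee from the question
  v_stmt    VARCHAR2(400);
  v_ok      PLS_INTEGER := 0;
  v_failed  PLS_INTEGER := 0;
BEGIN
  -- Tables owned by the current user, skipping recycle-bin entries and
  -- nested-table storage tables.
  FOR t IN (SELECT table_name
            FROM   user_tables
            WHERE  dropped = 'NO'
            AND    nested  = 'NO'
            ORDER  BY table_name)
  LOOP
    v_stmt := 'GRANT SELECT ON '
           || DBMS_ASSERT.ENQUOTE_NAME(t.table_name, FALSE)
           || ' TO '
           || DBMS_ASSERT.ENQUOTE_NAME(c_grantee, FALSE);
    BEGIN
      EXECUTE IMMEDIATE v_stmt;
      v_ok := v_ok + 1;
    EXCEPTION
      WHEN OTHERS THEN
        -- Report the table that could not be granted and keep going.
        v_failed := v_failed + 1;
        DBMS_OUTPUT.PUT_LINE('FAILED: ' || v_stmt || ' -> ' || SQLERRM);
    END;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE(v_ok || ' granted, ' || v_failed || ' failed');
END;
/
```

Tables created after the block has run are not covered, so it has to be re-run when the schema changes.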