Is there any way for me to see which DDL privileges I have in my own schema? I'm looking for a SELECT-type sentence.
I mean, how do I know if I can create, drop, alter, &c.?
Modification - 2019/Oct/24th - I think it would be simpler to understand "How can I know if I have the CREATE ANY TRIGGER privilege?".
Thanks in advance.
You should automagically have select privileges on tables in your own schema - they belong to you. You can figure out if you can create, drop, or alter objects based on the roles that have been granted to you. You can use a query like SELECT * FROM USER_ROLE_PRIVS; or select dbms_metadata.get_granted_ddl('ROLE_GRANT', user) from dual; to get a list of the roles that have been granted to you, and based on that, you'll know what kind of privileges you have within the database.
For example, if you see that you've been granted the "Resource" role, you will be able to do things like create tables, procedures, triggers, etc.
You can use a query like select * from session_privs; to see EVERY privilege that you have, but that will include privileges for the entire database, including privileges that are associated with a role. To see privileges that aren't associated with a role, you could use a query like SELECT * FROM USER_SYS_PRIVS;
You can get it by querying DBA_SYS_PRIVS, DBA_TAB_PRIVS, and DBA_ROLE_PRIVS to get information about the user's system, table, and role privileges.
For example: SELECT * FROM DBA_SYS_PRIVS;
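Added example (not from either answer above) for the edited question, "How can I know if I have the CREATE ANY TRIGGER privilege?": it checks the effective privilege in SESSION_PRIVS and then shows whether it arrives directly or through a (possibly nested) role. Only dictionary views every user can query are used; the recursive WITH needs Oracle 11.2 or later.

```sql
-- Added example, not from either answer above: shows whether the current
-- user holds CREATE ANY TRIGGER and through which path.

-- 1. Effective right now: direct grants plus the privileges of the roles
--    that are currently ENABLED in this session.
SELECT privilege
FROM   session_privs
WHERE  privilege = 'CREATE ANY TRIGGER';

-- 2. Where it comes from. Roles can be granted to roles, so walk the role
--    tree with a recursive WITH before joining to ROLE_SYS_PRIVS.
WITH my_roles (role_name) AS (
  SELECT granted_role
  FROM   user_role_privs
  UNION ALL
  SELECT rr.granted_role
  FROM   role_role_privs rr
  JOIN   my_roles m ON m.role_name = rr.role
)
SELECT 'direct grant'     AS granted_via,
       usp.privilege,
       usp.admin_option
FROM   user_sys_privs usp
WHERE  usp.privilege = 'CREATE ANY TRIGGER'
UNION ALL
SELECT 'role ' || rsp.role,
       rsp.privilege,
       rsp.admin_option
FROM   role_sys_privs rsp
JOIN   my_roles m ON m.role_name = rsp.role
WHERE  rsp.privilege = 'CREATE ANY TRIGGER';

-- If query 2 lists a role but query 1 returns no row, the role is granted
-- but not enabled (a non-default or password-protected role): check
-- DEFAULT_ROLE in USER_ROLE_PRIVS, or enable it with SET ROLE.
```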
I'm trying to retrieve the CREATE table statement for multiple tables from oracle SQL Developer so I can run it in SQL Management to create new tables.
However, when highlighting multiple tables and right clicking > Quick DDL > Save to File, my file looks like this:
GRANT INSERT ON "OPSR"."BOOTH" TO "OPSWEB";
GRANT UPDATE ON "OPSR"."BOOTH" TO "OPSWEB";
GRANT SELECT ON "OPSR"."BOOTH" TO "OPSWEB";
GRANT DELETE ON "OPSR"."CAAR_BOOTH" TO "OPSWEB";
GRANT INSERT ON "OPSR"."CAAR_BOOTH" TO "OPSWEB";
GRANT SELECT ON "OPSR"."CAAR_BOOTH" TO "OPSWEB";
GRANT UPDATE ON "OPSR"."CAAR_BOOTH" TO "OPSWEB";
Why are there no CREATE TABLE statements in here?
I'm connected as Opsweb and the only tables I can see are under the OPSR user.
You can't see the create DDL for other users' objects. SQL Developer is using dbms_metadata in the background, and from the documentation:
The object views of the Oracle metadata model implement security as follows:
Nonprivileged users can see the metadata of only their own objects.
Nonprivileged users can also retrieve public synonyms, system privileges granted to them, and object privileges granted to them or by them to others. This also includes privileges granted to PUBLIC.
If callers request objects they are not privileged to retrieve, no exception is raised; the object is simply not retrieved.
If nonprivileged users are granted some form of access to an object in someone else's schema, they will be able to retrieve the grant specification through the Metadata API, but not the object's actual metadata.
and so on. As the last bullet above says, you can get the grants - which is what you are seeing now - but not the actual metadata.
If your user was granted the select_catalog_role you would be able to get the DDL for OPSR's objects, but you'd have to ask your DBA for that, and it would probably be easier to connect as that user, or ask someone else who can do that to perform the extract for you.
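Added example (not from the answer above) of the extract done from the right side of the fence: run it connected as OPSR, the owner, or as a user holding SELECT_CATALOG_ROLE. Connected as OPSWEB the tables are not visible to the Metadata API and only the grant specifications come back, which is exactly the file the asker got. The BEGIN block is SQL*Plus-style script input.

```sql
-- Added example, not from the answer above. Run as OPSR (the owner) or as a
-- user with SELECT_CATALOG_ROLE; as OPSWEB only the grants are returned.

-- Drop Oracle storage clauses so the CREATE TABLE text is easier to reuse
-- elsewhere, and terminate each statement with a semicolon.
BEGIN
  DBMS_METADATA.SET_TRANSFORM_PARAM(DBMS_METADATA.SESSION_TRANSFORM,
                                    'SEGMENT_ATTRIBUTES', FALSE);
  DBMS_METADATA.SET_TRANSFORM_PARAM(DBMS_METADATA.SESSION_TRANSFORM,
                                    'SQLTERMINATOR', TRUE);
END;
/

-- The CREATE TABLE statements SQL Developer could not produce for OPSWEB.
SELECT t.table_name,
       DBMS_METADATA.GET_DDL('TABLE', t.table_name, 'OPSR') AS create_ddl
FROM   all_tables t
WHERE  t.owner = 'OPSR'
AND    t.table_name IN ('BOOTH', 'CAAR_BOOTH');

-- The GRANT statements: the part OPSWEB already gets, because a grantee may
-- read the grant specification but not the object's own metadata.
SELECT t.table_name,
       DBMS_METADATA.GET_DEPENDENT_DDL('OBJECT_GRANT', t.table_name, 'OPSR')
         AS grant_ddl
FROM   all_tables t
WHERE  t.owner = 'OPSR'
AND    t.table_name IN ('BOOTH', 'CAAR_BOOTH');
```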
I created a user and granted him all permissions, I used: GRANT ALL PRIVILEGES TO user1;
But then I tried to select rows from a table that I created with the admin user like this:
select * from sys.table and it gives me an error message: table or view doesn't exist.
Then I did: Grant select on table to user1 and it worked.
So does ALL PRIVILEGES not include SELECT?
As is often the case, Oracle uses words "approximately".
In this case, ALL doesn't mean "all". From the documentation:
ALL PRIVILEGES
Specify ALL PRIVILEGES to grant all of the system privileges listed in
Table 18-1, except the SELECT ANY DICTIONARY, ALTER DATABASE LINK, and
ALTER PUBLIC DATABASE LINK privileges.
https://docs.oracle.com/en/database/oracle/oracle-database/12.2/sqlrf/GRANT.html#GUID-20B4E2C0-A7F8-4BC8-A5E8-BE61BDC41AC3
Notice the "except" part. "All" should mean "all", that is, "no exception"; yet...
Relevant to your question: ALL PRIVILEGES does not include SELECT ANY DICTIONARY. Most likely, whatever table or view you were trying to select from is a dictionary table (or view); which explains why granting ALL PRIVILEGES didn't work, but granting access directly on the table/view did.
If you want to grant access to all dictionary objects, you can grant SELECT ANY DICTIONARY to the user.
After you are done playing with these explicit grants, you may want to consider granting system roles to the users who need them (and only to those users), instead of hunting down all such exceptions.
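Added example (not from the answer above), run as a DBA, that verifies the documented gap on the asker's USER1 and then replaces the blanket grant with the narrower alternatives the answer points to. The dictionary view name is an assumption standing in for whatever "sys.table" was.

```sql
-- Added example, not from the answer above. Run as a DBA; USER1 is the
-- asker's account, sys.dba_users is an assumed stand-in for "sys.table".

-- 1. How much GRANT ALL PRIVILEGES actually handed out.
SELECT COUNT(*) AS system_privs_held
FROM   dba_sys_privs
WHERE  grantee = 'USER1';

-- 2. The three documented exceptions are the ones missing (returns no rows).
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee   = 'USER1'
AND    privilege IN ('SELECT ANY DICTIONARY', 'ALTER DATABASE LINK',
                     'ALTER PUBLIC DATABASE LINK');

-- 3. Least-privilege alternative: take the system privileges back and grant
--    only what the account needs, directly or via a role.
REVOKE ALL PRIVILEGES FROM user1;
GRANT  CREATE SESSION TO user1;
GRANT  SELECT ON sys.dba_users TO user1;     -- one dictionary view ...
-- GRANT SELECT_CATALOG_ROLE TO user1;       -- ... or the dictionary via a role

-- 4. Confirm what USER1 holds afterwards, by kind.
SELECT 'SYS'  AS kind, privilege AS what
FROM   dba_sys_privs  WHERE grantee = 'USER1'
UNION ALL
SELECT 'OBJ',  owner || '.' || table_name || ':' || privilege
FROM   dba_tab_privs  WHERE grantee = 'USER1'
UNION ALL
SELECT 'ROLE', granted_role
FROM   dba_role_privs WHERE grantee = 'USER1';
```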
I would like to know how the privilege SELECT ANY TABLE works internally in Oracle.
Is it treated as a single privilege? Or is it equivalent to making a GRANT SELECT ON MyTable TO MyUser for each table?
As an example, I would like to know if this works:
GRANT SELECT ANY TABLE TO PUBLIC;
REVOKE ALL ON MY_TABLE FROM PUBLIC;
Would I still have access to MY_TABLE from any user after those queries?
Yes, all users would still be able to query MY_TABLE.
You are looking at different privilege types:
The main types of user privileges are as follows:
System privileges—A system privilege gives a user the ability to perform a particular action, or to perform an action on any schema objects of a particular type. For example, the system privilege CREATE TABLE permits a user to create tables in the schema associated with that user, and the system privilege CREATE USER permits a user to create database users.
Object privileges—An object privilege gives a user the ability to perform a particular action on a specific schema object. Different object privileges are available for different types of schema objects. The privilege to select rows from the EMPLOYEES table or to delete rows from the DEPARTMENTS table are examples of object privileges.
SELECT ANY TABLE is a system privilege that allows the grantee to:
Query tables, views, or materialized views in any schema except SYS. Obtain row locks using a SELECT ... FOR UPDATE.
When you grant that it is a standalone single privilege, visible in dba_sys_privs. When Oracle decides if the user is allowed to access a table it can look first at system privileges, and only goes on to look for specific object privileges (visible in dba_tab_privs) if there isn't a system privilege that allows the action being performed.
System privileges are not translated into individual privileges on each object in the database - maintaining that would be horrible, as creating a new object would have to automatically figure out who should be granted privileges on it based on the system privilege; and it would mean that you couldn't tell the difference between that and individually granted privileges. So, for instance, if you explicitly granted select privs on a specific table, then the user was granted SELECT ANY TABLE, and then they had SELECT ANY TABLE revoked - what happens to the previous explicit grant?
Your scenario is basically the same, except you've specified all privileges on the object to be revoked. If those are the only two commands involved then PUBLIC has no explicit privileges on MY_TABLE so revoking doesn't really do anything; but if any explicit privileges on that table had been granted then they would be revoked. That has no impact on the higher-level SELECT ANY TABLE system privilege though.
Privileges are cumulative; revoking a privilege on a specific object doesn't block access to that object, it just removes one possible access route.
Incidentally, hopefully you've used a contrived example, as such powerful system privileges should be granted sparingly and only when really needed. Letting any user query any table in your database potentially blows a big hole in the security model. Again from the docs:
Oracle recommends that you only grant the ANY privileges to trusted users
and
Oracle recommends against granting system privileges to PUBLIC.
and read more in the database security guide.
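Added example (not from the answer above) that replays the asker's two statements, shows in the catalog why the REVOKE changes nothing, and then removes the PUBLIC system privilege in favour of per-object grants. MY_TABLE is the asker's name; reporting_role is an assumed role standing in for the intended readers.

```sql
-- Added example, not from the answer above. Run as a DBA.
GRANT  SELECT ANY TABLE TO PUBLIC;
REVOKE ALL ON my_table FROM PUBLIC;

-- System privilege: still present, because REVOKE ... ON my_table only
-- touches object grants on that one table.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC' AND privilege = 'SELECT ANY TABLE';

-- Object privileges of PUBLIC on MY_TABLE: no rows, there was nothing
-- explicit to revoke. Every user can still SELECT via the system privilege.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC' AND table_name = 'MY_TABLE';

-- Remediation: take the ANY privilege away from PUBLIC and grant access to
-- the specific object for the specific audience instead.
REVOKE SELECT ANY TABLE FROM PUBLIC;
GRANT  SELECT ON my_table TO reporting_role;   -- reporting_role is assumed

-- Ongoing check for the security guide's advice: any ANY privilege or any
-- system privilege at all held by PUBLIC.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC'
   OR  privilege LIKE '% ANY %'
ORDER  BY grantee, privilege;
```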
SELECT
D.OS_USERNAME
,D.terminal AS MACHINE
,D.OBJ_NAME
,D.ACTION_NAME
,D.timestamp
,D.Sql_Text
FROM DBA_AUDIT_TRAIL D
WHERE D.OWNER = 'HRADMIN'
AND D.ACTION_NAME LIKE '%INSERT%'
AND D.OS_USERNAME NOT IN ('MuhammadJav','zeeshankh1');
This query gives me records.
I want to apply a limit or restriction so that only D.OS_USERNAME ('MuhammadJav','zeeshankh1','Alikh1') can run insert, update, delete, alter statements but other users can't insert, update, delete, alter the data.
In Oracle, the privileges to insert, update or delete are managed on the user or role level. Those users are database users, just like your HRADMIN.
If the operating systems users like MuhammadJav, zeeshankh1, Alikh1 use the same oracle account, things become much more difficult.
DML statements like 'ALTER' or 'CREATE' are handled totally differently. A user like 'HRADMIN' can do what he/she wants with the tables and other objects in its own schema. It is possible, but very difficult, to prevent this.
So, the traditional solution is to give MuhammadJav, zeeshankh1, Alikh1 their own oracle accounts and grant them the privileges you want as user HRADMIN:
GRANT INSERT,UPDATE,DELETE ON HRADMIN.your_table_name TO MUHAMMADJAV;
GRANT INSERT,UPDATE,DELETE ON HRADMIN.your_table_name TO ZEESHANKH1;
etc.
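Added example (not from the answer above) of the "own account per person" solution carried through: the DML rights live in one role, the three people get their own accounts, and the table is audited so DML attempts by anyone else show up in the asker's DBA_AUDIT_TRAIL report keyed on the authenticated database user. Passwords are placeholders; hr_data_reader is an assumed existing role; traditional auditing is assumed to be on, since the asker already reads DBA_AUDIT_TRAIL.

```sql
-- Added example, not from the answer above. Run as HRADMIN for the object
-- grants and as a DBA for the CREATE USER / AUDIT statements.
CREATE ROLE hr_data_editor;
GRANT INSERT, UPDATE, DELETE ON hradmin.your_table_name TO hr_data_editor;

CREATE USER muhammadjav IDENTIFIED BY "<placeholder>";
CREATE USER zeeshankh1  IDENTIFIED BY "<placeholder>";
CREATE USER alikh1      IDENTIFIED BY "<placeholder>";
GRANT CREATE SESSION, hr_data_editor TO muhammadjav, zeeshankh1, alikh1;

-- Everyone else gets read access only; the reader role carries no DML.
GRANT SELECT ON hradmin.your_table_name TO hr_data_reader;  -- assumed role

-- Record every INSERT/UPDATE/DELETE on the table, successful or not.
AUDIT INSERT, UPDATE, DELETE ON hradmin.your_table_name BY ACCESS;

-- The asker's report, keyed on USERNAME (the authenticated database user).
-- OS_USERNAME is reported by the client and is informational, not a control.
-- RETURNCODE 0 is a completed statement; a non-zero value is the ORA error
-- the attempt hit, so blocked attempts by other accounts are visible here.
SELECT d.username, d.os_username, d.terminal, d.action_name,
       d.returncode, d.timestamp, d.sql_text
FROM   dba_audit_trail d
WHERE  d.owner       = 'HRADMIN'
AND    d.obj_name    = 'YOUR_TABLE_NAME'
AND    d.action_name IN ('INSERT', 'UPDATE', 'DELETE')
AND    d.username    NOT IN ('MUHAMMADJAV', 'ZEESHANKH1', 'ALIKH1')
ORDER  BY d.timestamp DESC;
```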
I'm trying to create a role to give a few users permission to create and alter views, procedures and tables.
I don't want these users to be able to select from/update/delete/alter etc. any table in the database; there are tables we want to keep control of, but they should have full permissions on any objects they create.
I've given the users permissions to create views etc. and that works fine, but they can't then select from views they then create. Is it possible to do this?
-- ADDED 25/july/2013
Example:
An example user Mike has specific permissions granted on a handful of tables. All Grant, no Deny.
No other database level permissions beyond "connect"
Plus is a member of public (not altered - no denys), plus 3 other roles we have set up
Role: Standard_Reader
Specific Select permissions on a number of tables. All Grant, no Deny.
No other database level permissions
Role: SensitiveDemographicsReader
Specific Select permissions on sensitive tables. All Grant, no Deny
Role: Analyst
No Specific securables
Database level permissions:
Create Function
Create Procedure
Create Table
Create View
This user can create a table or view, but once created, can't select from it.
Is it possible to set up SQL Server so that whenever a user creates a table or view they then have permissions to select from it (assuming they have permissions on underlying tables in the view)?
-- EDIT
After some investigation it has become apparent that for some reason in our database, ownership of objects is not accruing to their creators.
Found using this code
select so.name, su.name, so.crdate from sysobjects so join sysusers su on so.uid = su.uid
order by so.crdate
All owners, with a couple of exceptions are DBO.
I can't understand why ownership is not passing to the creators of objects. Any idea what could cause this?
Sounds like what you're using to deny them in the first place is overriding the default settings. Can you post more information on what permissions the users have?
Can't comment :(
I would comment but lack privileges; have you taken a look at MySQL table permissions? It's a rather good system.
You need to grant SELECT on the schema to the user/group:
GRANT SELECT ON SCHEMA::dbo TO User/Group;
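Added SQL Server example (not from anyone in the thread). It addresses the asker's edit: since SQL Server 2005 an object is owned by its schema's owner unless an explicit owner is set, so everything the Analysts create in dbo belongs to dbo, which is why the sysobjects query showed DBO everywhere. Giving each analyst a schema they own, and making it their default, gives them full rights on what they create without a schema-wide GRANT SELECT ON SCHEMA::dbo, which would also open the tables the asker wants to keep control of. Mike is the asker's example user; analyst_mike is an assumed schema name.

```sql
-- Added example, not from the thread. SQL Server, run by a database owner.

-- 1. Modern form of the asker's sysobjects query: effective owner per object.
--    principal_id is NULL when the object simply inherits the schema owner.
SELECT o.name,
       s.name                                                  AS schema_name,
       COALESCE(USER_NAME(o.principal_id), USER_NAME(s.principal_id)) AS owner_name,
       o.type_desc,
       o.create_date
FROM   sys.objects o
JOIN   sys.schemas s ON s.schema_id = o.schema_id
WHERE  o.is_ms_shipped = 0
ORDER  BY o.create_date;
GO

-- 2. A schema Mike owns; CREATE SCHEMA must be alone in its batch.
CREATE SCHEMA analyst_mike AUTHORIZATION Mike;
GO

-- 3. Objects Mike creates without a schema prefix now land in his schema,
--    and as its owner he can SELECT from, ALTER and DROP them. His
--    CREATE TABLE / CREATE VIEW rights still come from the Analyst role.
ALTER USER Mike WITH DEFAULT_SCHEMA = analyst_mike;
GO

-- 4. Views in analyst_mike that read dbo tables: ownership chaining does not
--    apply across different owners, so Mike still needs SELECT on the
--    underlying dbo tables, which is exactly what the asker assumed.
SELECT dp.class_desc, dp.permission_name, dp.state_desc,
       SCHEMA_NAME(o.schema_id) + '.' + o.name AS securable
FROM   sys.database_permissions dp
JOIN   sys.objects o ON o.object_id = dp.major_id AND dp.class = 1
WHERE  dp.grantee_principal_id = USER_ID('Mike');
GO
```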