Oracle: Insufficient privileges on inserting data into tablespace tables - sql

I'm a little new to all this... I want to create a new tablespace that will contain all my tables and indexes.
First the tablespace code:
create tablespace Sales_T
datafile 'C:\oracle\product\10.2.0\oradata\project\dataexample.dbf'
size 100m
autoextend on next 100m;
And then the user that will be assigned to this space:
create user app_admin identified by "p4ss" default tablespace
sales_T temporary tablespace temp;
grant connect, resource to app_admin;
grant dba to app_admin;
Logging in as the app_admin user, I can create tables but can't query or insert data into them. Which privileges do I need to grant?

Use this
grant imp_full_database to p4ss;
This will let you access your database and let you query over it.

The quota may be the problem:
sql>select username,tablespace_name,max_bytes from dba_ts_quotaS WHERE USERNAME='p4ss';
no rows selected
Quotas are not allocated for the p4ss user.
sql> alter user p4ss quota unlimited on sales_T;
sql>select username,tablespace_name,max_bytes from dba_ts_quotaS WHERE USERNAME='p4ss';
USERNAME TABLESPACE_NAME MAX_BYTES
------------------------------ ------------------------------ ----------
P4SS SALES_T -1
-1 means unlimited
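
An added example, not part of either answer above: one way to give app_admin only what it needs to own tables in Sales_T, in place of DBA or IMP_FULL_DATABASE. It assumes a DBA session and that the account was created as in the question; the 500M quota and the list of CREATE privileges are illustrative choices.

```sql
-- Added example; run as a DBA. User and tablespace names come from the question.
-- The quota size and the privilege list are assumptions to adapt.

-- 1. Remove the broad roles granted in the question.
REVOKE dba FROM app_admin;
REVOKE connect, resource FROM app_admin;

-- 2. Grant only the system privileges the schema owner actually uses.
--    The owner needs no extra grant to query or insert into its own tables.
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW, CREATE SEQUENCE TO app_admin;

-- 3. Give an explicit, bounded quota on the tablespace that holds the objects.
ALTER USER app_admin QUOTA 500M ON sales_t;

-- 4. Verify the result. Dictionary views store unquoted names in upper case.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'APP_ADMIN'
ORDER  BY privilege;

SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'APP_ADMIN';

SELECT tablespace_name, bytes, max_bytes
FROM   dba_ts_quotas
WHERE  username = 'APP_ADMIN';
```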

Related

User with no privileges can alter table in oracle

I'm trying to do a test to prove the privileges of the users. I have one user with just one privilege (execute programs) but when I try this, this user can alter table:
SHOW USER;
CONNECT USER1/USER1;
CREATE TABLE TEST_TABLE (colum int); -- Insufficient privileges
SHOW USER;
ALTER TABLE TABLE_TESTING ADD TESTING varchar(255);
So, I'm getting insufficient privileges on create table, but when I do ALTER TABLE the user can do it, and I don't know why, because I selected only the privilege of execute programs.
This is how I see it: follow the example.
As a privileged user (SYS in my XE database), I'll create user and grant only two privileges: create session (so that user could connect to the database) and create table (so that it can create tables):
SQL> show user
USER is "SYS"
SQL>
SQL> create user timer identified by timer
2 default tablespace users
3 temporary tablespace temp
4 quota unlimited on users;
User created.
SQL> grant create session, create table to timer;
Grant succeeded.
Connecting as newly created user and creating a simple table:
SQL> connect timer/timer
Connected.
SQL> create table test (id number);
Table created.
Back to SYS: this time, revoking create table privilege:
SQL> connect sys as sysdba
Enter password:
Connected.
SQL> revoke create table from timer;
Revoke succeeded.
Back to timer: creating table won't succeed (as I don't have that privilege any more):
SQL> connect timer/timer
Connected.
SQL> create table test_table (colum int);
create table test_table (colum int)
*
ERROR at line 1:
ORA-01031: insufficient privileges
But, I can still alter previously created tables. Why? Because I own them and I can do whatever I want with them:
SQL> alter table test add testing varchar2(20);
Table altered.
I suggest you talk to your DBA to see what's really going on.
That might be because the user has the rights to execute which means he's able to alter tables by executing code, but he is not allowed to create new tables explicitly. See: https://docs.oracle.com/cd/B19306_01/network.102/b14266/authoriz.htm#DBSEG5000

Oracle: How can you clean up every grant a user has?

I'm looking for a quick easy way to revoke every privilege a user has to tables, views, etc. Is there any simple magic that can do this?
The purpose of doing this is to start fresh on what access should have.
When you find out which privileges user has, e.g.
SQL> select * From user_sys_privs;
USERNAME PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
SCOTT CREATE DATABASE LINK NO
SCOTT CREATE ROLE NO
SCOTT CREATE VIEW NO
SCOTT CREATE TYPE NO
SCOTT CREATE PROCEDURE NO
SCOTT UNLIMITED TABLESPACE NO
SCOTT CREATE PUBLIC SYNONYM NO
SCOTT CREATE TABLE NO
SCOTT CREATE TRIGGER NO
SCOTT CREATE SEQUENCE NO
SCOTT CREATE SESSION NO
11 rows selected.
SQL>
then write query which will write some code for you:
SQL> select 'revoke ' || privilege || ' from scott;'
2 from user_sys_privs;
'REVOKE'||PRIVILEGE||'FROMSCOTT;'
--------------------------------------------------------
revoke CREATE DATABASE LINK from scott;
revoke CREATE VIEW from scott;
revoke CREATE ROLE from scott;
revoke UNLIMITED TABLESPACE from scott;
revoke CREATE PROCEDURE from scott;
revoke CREATE TYPE from scott;
revoke CREATE PUBLIC SYNONYM from scott;
revoke CREATE TABLE from scott;
revoke CREATE TRIGGER from scott;
revoke CREATE SESSION from scott;
revoke CREATE SEQUENCE from scott;
11 rows selected.
SQL>
Now copy/paste those revoke statements and run them.
However, that's not all. User can have additional privileges, so - as a privileged user - query DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_TAB_PRIVS.
In order not to think too much :), have a look at how Pete Finnigan did that. Script dates from 2003, but - it'll give you idea how to do it.
Also, probably the simplest way to do it would be to drop that user (but that's, I suppose, not an option).
I kept thinking there was some sort of REVOKE ALL command
Alas, no. Privileges are revoked (and granted) atomically, which is the way it should be. Wanting to revoke all privileges from a user is a product of the same mindset which led to granting too many and/or too powerful privileges in the first place.
There are three classes of granted privilege:
role
system (CREATE TABLE, CREATE SESSION, etc)
object access (tables, views, procedures etc in other schemas)
Each has a different set of views over the data dictionary.
USER_ROLE_PRIVS ( also ALL_, DBA_ )
USER_SYS_PRIVS ( also ALL_, DBA_ )
USER_TAB_PRIVS ( also ALL_, DBA_ )
We can use these views to generate REVOKE statements. It seems peculiar to do this as the user in question. So, as a power user (i.e. a DBA) execute something like this:
begin
dbms_output.put_line('Revoking granted roles ...');
for r in ( select * from dba_role_privs
where grantee = 'JOESOAP' )
loop
dbms_output.put_line('revoke ' || r.granted_role ||' from ' || r.grantee ||';');
end loop;
dbms_output.put_line('Revoking granted system privileges ...');
for r in ( select * from dba_sys_privs
where grantee = 'JOESOAP' )
loop
dbms_output.put_line('revoke ' || r.privilege ||' from ' || r.grantee ||';');
end loop;
dbms_output.put_line('granted access privileges ...');
for r in ( select * from dba_tab_privs
where grantee = 'JOESOAP' )
loop
dbms_output.put_line('revoke ' || r.privilege || ' on ' || r.owner||'.'||r.table_name ||' from ' || r.grantee ||';');
end loop;
end;
/
This will output commands to the screen - use an IDE like SQL Developer to make this less tricky - which you can review and save as an executable script. I suggest you do this rather than have the loops EXECUTE IMMEDIATE simply because you need to have a record of what privileges you've zapped, and also to stop you accidentally de-authorising something or somebody which might come back to bite you later.
In fact, rather than revoking all privileges and re-granting some of them it would be better to see all the privileges the user has and just revoke the ones which shouldn't have been granted.
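
An added example, not part of the answers above: a single query to review what JOESOAP can actually do before deciding which grants to revoke. It goes beyond the loops above by following roles granted to roles; it assumes a DBA session, and privileges granted to PUBLIC are not included.

```sql
-- Added example; run as a DBA. JOESOAP is the sample grantee from the answer above.
WITH role_tree AS (
  -- Roles held directly by the user, plus roles granted to those roles.
  SELECT DISTINCT granted_role
  FROM   dba_role_privs
  START  WITH grantee = 'JOESOAP'
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
),
grantees AS (
  -- The user itself and every role it can reach, labelled by origin.
  SELECT 'JOESOAP' AS grantee, 'direct' AS via FROM dual
  UNION ALL
  SELECT granted_role, 'role ' || granted_role FROM role_tree
)
-- System privileges (CREATE TABLE, CREATE SESSION, ...)
SELECT g.via,
       'SYSTEM' AS priv_class,
       p.privilege,
       CAST(NULL AS VARCHAR2(300)) AS object_name
FROM   grantees g
JOIN   dba_sys_privs p ON p.grantee = g.grantee
UNION ALL
-- Object privileges on tables, views, procedures in other schemas
SELECT g.via,
       'OBJECT',
       t.privilege,
       t.owner || '.' || t.table_name
FROM   grantees g
JOIN   dba_tab_privs t ON t.grantee = g.grantee
ORDER  BY 1, 2, 3;
```

Rows whose first column is "direct" are revoked from the user; rows that arrive through a role are removed by revoking that role from the user, or by changing the role itself if every holder should lose the privilege.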

How to access another user's table in SQL Developer database?

BBMA.SALES_BKP TABLE IS THERE IN BBMP SCHEMA(user)
I WANT TO ACCESS "SALES_BKP TABLE" through DUMMY(its different user)
Here's how.
SQL> create user dummy identified by dummy
2 default tablespace user_data
3 temporary tablespace temp
4 quota unlimited on user_data;
User created.
SQL> grant create session, create table to dummy;
Grant succeeded.
SQL> create user bbma identified by bbma
2 default tablespace user_data
3 temporary tablespace temp
4 quota unlimited on user_data;
User created.
SQL> grant create session to bbma;
Grant succeeded.
Now, create table and let another user select from it.
SQL> connect dummy/dummy@orcl
Connected.
SQL> create table sales_bkp(id number, value number);
Table created.
SQL> insert into sales_bkp values (1, 100);
1 row created.
SQL> grant select on sales_bkp to bbma; --> this
Grant succeeded.
SQL> connect bbma/bbma@orcl
Connected.
SQL> select * from dummy.sales_bkp; --> note owner name
ID VALUE
---------- ----------
1 100
SQL>

How to prevent a user from using space in a tablespace?

I tried the following commands, but I can still insert into the table on appts. Why?
MICHAEL#orcl#SQL> alter user michael quota 0M on appts;
User altered.
MICHAEL#orcl#SQL> select tablespace_name,max_bytes from user_ts_quotas;
TABLESPACE_NAME , MAX_BYTES
------------------------------,----------------
APPTS , 0
MICHAEL#orcl#SQL> select tablespace_name,table_name from user_tables;
TABLESPACE_NAME ,TABLE_NAME
------------------------------,------------------------------
APPTS ,TEST_D
....
MICHAEL#orcl#SQL> insert into test_d values(292,'Test',500,2100);
1 row created.
What about using ALTER TABLESPACE to make it read only? You could enter:
ALTER TABLESPACE APPTS READ ONLY;
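
An added example, not part of the posts above: checks that explain why an insert can still succeed after a zero quota. A quota of 0 only stops new extents from being allocated, so rows still fit into space the segment already owns, and the UNLIMITED TABLESPACE system privilege overrides any per-tablespace quota. The final REVOKE assumes a DBA session.

```sql
-- Added example; steps 1-3 run as the affected user (MICHAEL in the question).

-- 1. A row here means per-tablespace quotas are not enforced for this user.
SELECT privilege
FROM   session_privs
WHERE  privilege = 'UNLIMITED TABLESPACE';

-- 2. Space the user's segments already hold in APPTS. Inserts keep working
--    until these extents are full and a new one has to be allocated.
SELECT segment_name, segment_type, extents, bytes
FROM   user_segments
WHERE  tablespace_name = 'APPTS'
ORDER  BY bytes DESC;

-- 3. Allocated bytes next to the quota that was set.
SELECT tablespace_name, bytes, max_bytes
FROM   user_ts_quotas
WHERE  tablespace_name = 'APPTS';

-- 4. As a DBA, if step 1 returned a row: remove the override so the quota applies.
REVOKE UNLIMITED TABLESPACE FROM michael;
```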

How to create a new schema/new user in Oracle Database 11g?

I have applied for an internship in a company and as a question they have asked me to create a schema for their company with certain requirements and mail them the DDL file. I have installed Oracle database 11g Express edition, but how do I create a new schema in Oracle database 11g? I have searched in the net for a solution but I could not understand what to do. And after creating a schema, which file should I mail them?
Generally speaking, a schema in Oracle is the same as a user. Oracle Database automatically creates a schema when you create a user. A file with the DDL file extension is an SQL Data Definition Language file.
Creating new user (using SQL Plus)
Basic SQL Plus commands:
- connect: connects to a database
- disconnect: logs off but does not exit
- exit: exits
Open SQL Plus and log in:
/ as sysdba
The sysdba is a role and is like "root" on unix or "Administrator" on Windows. It sees all, can do all. Internally, if you connect as sysdba, your schema name will appear to be SYS.
Create a user:
SQL> create user johny identified by 1234;
View all users and check if the user johny is there:
SQL> select username from dba_users;
If you try to login as johny now you would get an error:
ERROR:
ORA-01045: user JOHNY lacks CREATE SESSION privilege; logon denied
To log in, the user needs at least the create session privilege, so we have to grant this privilege to the user:
SQL> grant create session to johny;
Now you are able to connect as the user johny:
username: johny
password: 1234
To get rid of the user you can drop it:
SQL> drop user johny;
That was a basic example to show how to create a user. It might be more complex. Above we created a user whose objects are stored in the database default tablespace. To keep the database tidy we should place the user's objects in their own space (a tablespace is an allocation of space in the database that can contain schema objects).
Show already created tablespaces:
SQL> select tablespace_name from dba_tablespaces;
Create tablespace:
SQL> create tablespace johny_tabspace
2 datafile 'johny_tabspace.dat'
3 size 10M autoextend on;
Create temporary tablespace (a temporary tablespace is an allocation of space in the database that can contain transient data that persists only for the duration of a session. This transient data cannot be recovered after process or instance failure.):
SQL> create temporary tablespace johny_tabspace_temp
2 tempfile 'johny_tabspace_temp.dat'
3 size 5M autoextend on;
Create the user:
SQL> create user johny
2 identified by 1234
3 default tablespace johny_tabspace
4 temporary tablespace johny_tabspace_temp;
Grant some privileges:
SQL> grant create session to johny;
SQL> grant create table to johny;
SQL> grant unlimited tablespace to johny;
Login as johny and check what privileges he has:
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE TABLE
With create table privilege the user can create tables:
SQL> create table johny_table
2 (
3 id int not null,
4 text varchar2(1000),
5 primary key (id)
6 );
Insert data:
SQL> insert into johny_table (id, text)
2 values (1, 'This is some text.');
Select:
SQL> select * from johny_table;
ID TEXT
--------------------------
1 This is some text.
To get DDL data you can use DBMS_METADATA package that "provides a way for you to retrieve metadata from the database dictionary as XML or creation DDL and to submit the XML to re-create the object.".
(with help from http://www.dba-oracle.com/oracle_tips_dbms_metadata.htm)
For table:
SQL> set pagesize 0
SQL> set long 90000
SQL> set feedback off
SQL> set echo off
SQL> SELECT DBMS_METADATA.GET_DDL('TABLE',u.table_name) FROM USER_TABLES u;
Result:
CREATE TABLE "JOHNY"."JOHNY_TABLE"
( "ID" NUMBER(*,0) NOT NULL ENABLE,
"TEXT" VARCHAR2(1000),
PRIMARY KEY ("ID")
USING INDEX PCTFREE 10 INITRANS 2 MAXTRANS 255
STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DE
FAULT CELL_FLASH_CACHE DEFAULT)
TABLESPACE "JOHNY_TABSPACE" ENABLE
) SEGMENT CREATION IMMEDIATE
PCTFREE 10 PCTUSED 40 INITRANS 1 MAXTRANS 255 NOCOMPRESS LOGGING
STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DE
FAULT CELL_FLASH_CACHE DEFAULT)
TABLESPACE "JOHNY_TABSPACE"
For index:
SQL> set pagesize 0
SQL> set long 90000
SQL> set feedback off
SQL> set echo off
SQL> SELECT DBMS_METADATA.GET_DDL('INDEX',u.index_name) FROM USER_INDEXES u;
Result:
CREATE UNIQUE INDEX "JOHNY"."SYS_C0013353" ON "JOHNY"."JOHNY_TABLE" ("ID")
PCTFREE 10 INITRANS 2 MAXTRANS 255
STORAGE(INITIAL 65536 NEXT 1048576 MINEXTENTS 1 MAXEXTENTS 2147483645
PCTINCREASE 0 FREELISTS 1 FREELIST GROUPS 1 BUFFER_POOL DEFAULT FLASH_CACHE DE
FAULT CELL_FLASH_CACHE DEFAULT)
TABLESPACE "JOHNY_TABSPACE"
More information:
DDL
http://docs.oracle.com/cd/B12037_01/server.101/b10759/statements_1001.htm
DBMS_METADATA
http://www.dba-oracle.com/t_1_dbms_metadata.htm
http://docs.oracle.com/cd/E11882_01/appdev.112/e25788/d_metada.htm#ARPLS026
http://docs.oracle.com/cd/B28359_01/server.111/b28310/general010.htm#ADMIN11562
Schema objects
http://docs.oracle.com/cd/B19306_01/server.102/b14220/schema.htm
Differences between schema and user
https://dba.stackexchange.com/questions/37012/difference-between-database-vs-user-vs-schema
Difference between a user and a schema in Oracle?
Privileges
http://docs.oracle.com/cd/E11882_01/timesten.112/e21642/privileges.htm#TTSQL338
Creating user/schema
http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_8003.htm
http://www.techonthenet.com/oracle/schemas/create_schema.php
Creating tablespace
http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_7003.htm#i2231734
SQL Plus commands
http://ss64.com/ora/syntax-sqlplus.html
It's a working example:
CREATE USER auto_exchange IDENTIFIED BY 123456;
GRANT RESOURCE TO auto_exchange;
GRANT CONNECT TO auto_exchange;
GRANT CREATE VIEW TO auto_exchange;
GRANT CREATE SESSION TO auto_exchange;
GRANT UNLIMITED TABLESPACE TO auto_exchange;
Let's get you started. Do you have any knowledge in Oracle?
First you need to understand what a SCHEMA is.
A schema is a collection of logical structures of data, or schema objects. A schema is owned by a database user and has the same name as that user. Each user owns a single schema. Schema objects can be created and manipulated with SQL.
CREATE USER acoder; -- whenever you create a new user in Oracle, a schema with the same name as the username is created where all his objects are stored.
GRANT CREATE SESSION TO acoder; -- Failure to do this you cannot do anything.
To access another user's schema, you need to be granted privileges on specific object on that schema or optionally have SYSDBA role assigned.
That should get you started.
SQL> select Username from dba_users
2 ;
USERNAME
------------------------------
SYS
SYSTEM
ANONYMOUS
APEX_PUBLIC_USER
FLOWS_FILES
APEX_040000
OUTLN
DIP
ORACLE_OCM
XS$NULL
MDSYS
USERNAME
------------------------------
CTXSYS
DBSNMP
XDB
APPQOSSYS
HR
16 rows selected.
SQL> create user testdb identified by password;
User created.
SQL> select username from dba_users;
USERNAME
------------------------------
TESTDB
SYS
SYSTEM
ANONYMOUS
APEX_PUBLIC_USER
FLOWS_FILES
APEX_040000
OUTLN
DIP
ORACLE_OCM
XS$NULL
USERNAME
------------------------------
MDSYS
CTXSYS
DBSNMP
XDB
APPQOSSYS
HR
17 rows selected.
SQL> grant create session to testdb;
Grant succeeded.
SQL> create tablespace testdb_tablespace
2 datafile 'testdb_tabspace.dat'
3 size 10M autoextend on;
Tablespace created.
SQL> create temporary tablespace testdb_tablespace_temp
2 tempfile 'testdb_tabspace_temp.dat'
3 size 5M autoextend on;
Tablespace created.
SQL> drop user testdb;
User dropped.
SQL> create user testdb
2 identified by password
3 default tablespace testdb_tablespace
4 temporary tablespace testdb_tablespace_temp;
User created.
SQL> grant create session to testdb;
Grant succeeded.
SQL> grant create table to testdb;
Grant succeeded.
SQL> grant unlimited tablespace to testdb;
Grant succeeded.
SQL>
From Oracle SQL Developer, execute the below in a SQL worksheet:
create user lctest identified by lctest;
grant dba to lctest;
Then right click on "Oracle connection" -> new connection, then make everything lctest, from connection name to user name and password. Test connection shall pass. Then, after connecting, you will see the schema.