Database 8

supper

Uploaded by

iamayesha2526

Database

Muhammad Ashar Javed


Managing Privileges
Objectives
 After completing this lesson, you should be able to do
the following:
 Identify system and object privileges
 Grant and revoke privileges
Privileges
 A privilege is a right to execute a particular type of SQL
statement or to access another user’s object.
 These include the right to:
 Connect to a database
 Create a table
 Select rows from another user’s table
 Execute another user’s stored procedure
Managing Privileges
 Two types of Oracle user privileges:
 System: Enables users to perform particular actions in the
database
 Object: Enables users to access and manipulate a specific
object
 A DBA’s control of privileges includes:
 Providing a user the right to perform a type of operation
 Granting and revoking access to perform system functions
 Granting privileges directly to users or to roles
 Granting privileges to all users (PUBLIC)
System Privileges
 There are over 100 distinct system privileges
 The ANY keyword in the privileges signifies that users
have the privilege in any schema
 DDL
 The GRANT command adds a privilege to a user or a
group of users
 The REVOKE command deletes the privileges
System Privileges
 The privileges can be classified as follows:
 Privileges enabling system wide operations; for example,
CREATE SESSION, CREATE TABLESPACE
 Privileges enabling management of objects in a user’s own
schema; for example, CREATE TABLE
 Privileges enabling management of objects in any schema;
for example, CREATE ANY TABLE
System Privileges: Examples
 There is no CREATE INDEX privilege.
 CREATE TABLE includes the CREATE INDEX and the
ANALYZE commands. The user must have a quota for the
tablespace or must have been granted UNLIMITED
TABLESPACE.
 Privileges such as CREATE TABLE, CREATE
PROCEDURE, or CREATE CLUSTER include the dropping
of these objects.
 UNLIMITED TABLESPACE cannot be granted to a role.
 For truncating a table in another schema, the DROP ANY
TABLE privilege is necessary
Granting System Privileges
 Use the SQL statement GRANT to grant system privileges to
users
 The grantee can further grant the system privilege to other
users with the ADMIN option.
 Exercise caution when granting system privileges with the
ADMIN option.
 Such privileges are usually reserved for the security
administrator and are rarely granted to other users
Granting System Privileges
GRANT {system_privilege|role}
[, {system_privilege|role} ]...
TO {user|role|PUBLIC}
[, {user|role|PUBLIC} ]...
[WITH ADMIN OPTION]
 where:
 system_privilege specifies the system privilege to be granted
 role specifies the role name to be granted
 PUBLIC grants system privilege to all users
 WITH ADMIN OPTION enables the grantee to further grant the privilege
or role to other users or roles
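The caution about the ADMIN option and PUBLIC, turned into an audit query against the DBA_SYS_PRIVS dictionary view. This is an added example, not part of the original slides; the grants to jeff are constructed sample data, and leaving SYS, SYSTEM and the DBA role out of the report is an assumption about which grantees are expected to hold broad privileges.

```sql
-- Added example (not from the slides). Run as a DBA.
-- Constructed sample grants for the slides' user jeff:
GRANT CREATE SESSION, CREATE TABLE TO jeff;
GRANT CREATE ANY TABLE TO jeff WITH ADMIN OPTION;  -- the form the slide warns about

-- Audit: system privileges that can be re-granted by the grantee,
-- that apply to any schema, or that every user holds through PUBLIC.
SELECT grantee,
       privilege,
       admin_option,
       CASE
         WHEN grantee = 'PUBLIC'       THEN 'granted to all users'
         WHEN admin_option = 'YES'     THEN 'grantee can grant it to others'
         WHEN privilege LIKE '% ANY %' THEN 'applies to any schema'
       END AS reason
FROM   dba_sys_privs
WHERE  (grantee = 'PUBLIC'
        OR admin_option = 'YES'
        OR privilege LIKE '% ANY %')
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')  -- assumption: expected holders
ORDER  BY grantee, privilege;

-- Clean up the constructed grant once it has been reviewed.
REVOKE CREATE ANY TABLE FROM jeff;
```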
SYSDBA and SYSOPER Privileges
 The system privileges SYSDBA and SYSOPER were
introduced to specify the authentication by using a password
file
 Only database administrators should have the capability to
connect to a database with administrator privileges
 Connecting as SYSDBA gives a user unrestricted privileges
to perform any operation on a database or the objects within
a database
System Privilege Restrictions
 The dictionary protection mechanism in Oracle prevents
unauthorized users from accessing dictionary objects
 Access to dictionary objects is restricted to the roles
SYSDBA and SYSOPER
 System privileges providing access to objects in other
schemas do not give you access to dictionary objects
 For example, the SELECT ANY TABLE privilege allows you to
access views and tables in other schemas, but does not enable
you to select dictionary objects
System Privilege Restrictions
 O7_DICTIONARY_ACCESSIBILITY parameter:
 If the parameter is set to TRUE, access to objects in the SYS
schema is allowed
 If the parameter is set to FALSE, system privileges that
allow access to objects in other schemas do not allow
access to objects in the dictionary schema
Revoking System Privileges
 System privileges can be revoked using the SQL statement
REVOKE
 Any user with the ADMIN OPTION for a system privilege can
revoke the privilege from any other database user
REVOKE {system_privilege|role}
[, {system_privilege|role} ]...
FROM {user|role|PUBLIC}
[, {user|role|PUBLIC} ]...
 REVOKE CREATE TABLE FROM emi;
Object Privileges
 An object privilege is a privilege or right to perform a
particular action on a specific table, view, sequence,
procedure, function, or package.
 Each object has a particular set of grantable privileges
Granting Object Privileges
GRANT { object_privilege [(column_list)]
[, object_privilege [(column_list)] ]...
|ALL [PRIVILEGES]}
ON [schema.]object
TO {user|role|PUBLIC}[, {user|role|PUBLIC} ]...
[WITH GRANT OPTION]
 object_privilege specifies the object privilege to be granted
 column_list specifies a table or view column
 ALL grants all privileges for the object that have been granted WITH
GRANT OPTION
 ON object identifies the object on which the privileges are to be granted
 WITH GRANT OPTION enables the grantee to grant the object
privileges to other users or roles
Granting Object Privileges
 GRANT EXECUTE ON dbms_output TO jeff;
 GRANT UPDATE ON emi.customers TO jeff WITH GRANT
OPTION;
Revoking Object Privileges
REVOKE { object_privilege
[, object_privilege ]...
| ALL [PRIVILEGES] }
ON [schema.]object
FROM {user|role|PUBLIC}
[, {user|role|PUBLIC} ]...
[CASCADE CONSTRAINTS]
 where:
 object_privilege specifies the object privilege to be revoked
 ALL revokes all object privileges that are granted to the user
 ON identifies the object on which the object privileges are revoked
 FROM identifies users or roles from which the object privileges are revoked
 CASCADE CONSTRAINTS drops any referential integrity constraints that
the revokee has defined using REFERENCES or ALL privileges
Revoking Object Privileges
REVOKE SELECT ON emi.orders FROM jeff;
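An added example, not part of the original slides, that goes one step past the syntax above: it traces a grant made WITH GRANT OPTION through the DBA_TAB_PRIVS view and contrasts how REVOKE behaves for object and system privileges. The users emi and jeff come from the slides; kim is a hypothetical third user, and the whole scenario is constructed.

```sql
-- Added example (not from the slides). kim is a hypothetical user.

-- Connected as emi, the owner of customers:
GRANT UPDATE ON emi.customers TO jeff WITH GRANT OPTION;

-- Connected as jeff, who passes the privilege on:
GRANT UPDATE ON emi.customers TO kim;

-- Connected as a DBA: list every holder and who granted it.
-- GRANTOR shows the chain emi -> jeff -> kim; GRANTABLE shows who can extend it.
SELECT grantee, privilege, grantor, grantable
FROM   dba_tab_privs
WHERE  owner = 'EMI'
AND    table_name = 'CUSTOMERS'
ORDER  BY grantor, grantee;

-- Connected as emi: revoking an object privilege cascades, so the grant
-- that jeff made to kim is removed together with jeff's own.
REVOKE UPDATE ON emi.customers FROM jeff;

-- System privileges behave differently: the revoke does not cascade.
-- Connected as a DBA:
GRANT CREATE TABLE TO jeff WITH ADMIN OPTION;
-- Connected as jeff:
GRANT CREATE TABLE TO kim;
-- Connected as a DBA:
REVOKE CREATE TABLE FROM jeff;

-- kim keeps CREATE TABLE after the revoke, so grants made through the
-- ADMIN option have to be found and revoked one by one.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee IN ('JEFF', 'KIM')
AND    privilege = 'CREATE TABLE';

REVOKE CREATE TABLE FROM kim;
```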
