До Oracle 9 Release 9.2 надо было обращаться от имени учетной записи, чтобы задать привилегии и выполнить операторы DDL для объектов, содержащихся в схеме данных. Начиная с Oracle 9 Release 9.2, привилегия GRANT ANY OBJECT PRIVILEGE (GAOP) позволяет ее обладателю создавать объекты и контролировать привилегии в схемах, к которым он не подключен. Поэтому никому, даже администраторам, не надо будет подключаться к схеме для данных.
Privileges in an Oracle Database
System Privileges
Here are some common system priveleges:
- ADVISOR
- ALTER DATABSE
- ALTER SYSTEM
- AUDIT SYSTEM
- CREATE DATABASE LINK
- CREATE TABLE
- CREATE ANY INDEX
- CREATE SESSION
- CREATE TABLESPACE
- CREATE USER
- DROP USER
- INSERT ANY TABLE
- SELECT ANY DICTIONARY - This is a system-level privilege that is always active and allows the grantee to create objects. Also, it should be granted to developers to compile a code with a named object, the user must have been granted privileges by direct grant, not through the roles. SELECT ANY DICTIONARY allows select from all SYS owner tables such as
TAB$, USER$, etc. This is not possible in the SELECT_CATALOG_ROLE. The SELECT ANY DICTIONARY is a system privilege, which remains active throughout the
sessions and allows the user to create stored objects on objects on
which it has privileges as a result of the grant (Difference between Select Any Dictionary and Select_Catalog_Role).
Granting All System Privileges
You can grant all system privileges to a user (except SELECT ANY DICTIONARY privilege), by specifying:
GRANT ALL PRIVILEGES TO scott;
ALL PRIVILEGES itself isn't a system privilege - it's a convenient way to grant all privileges in one step. You can revoke all system privileges similary, by using statement:
REVOKE ALL PRIVILEGES FROM scott;
Granting Any Object System Privilege
The GRANT ANY OBJECT PRIVILEGE privilege is a special system privilege that lets the grantee grant(and revoke) object privileges for objects in any schema.
- A user with the GRANT ANY OBJECT PRIVILEGE system privilege can grant and revoke any object privilege as if he were the actual object owner.
- A user with the GRANT ANY OBJECT PRIVILEGE system privilege can create
and drop any object in any schema as if he were the actual object owner.
- All users with SYSDBA privilege automatically have the GRANT ANY OBJECT PRIVILEGE privilege.
- When you connect as sysdba(user SYS), you are automatically granted this role with ADMIN OPTION.
GRANT grant any object privilege TO scott;
REVOKE grant any object privilege FROM scott;
System Role Privileges
- SELECT_CATALOG_ROLE - This role grants SELECT privileges on the data dictionary views. This is a role, which is a collection of privileges. A role can be specifically enabled or disabled and this role cannot be used to create any objects (tables).
- EXECUTE_CATALOG_ROLE - This role grants EXECUTE privileges on packages and procedures in the data dictionary.
- DELETE_CATALOG_ROLE - This role enables users to delete records from the audit table, called SYS.AUD$.
You can also use the SELECT ANY DICTIONARY system privilege to grant a user (usually developers, which need compile procedures) the privilege to select data from any object in the SYS schema inside procedures code instead of SELECT_CATALOG_ROLE role, because to compile a code with a named object, the user must have been granted privileges by direct grant, not through the roles (
Difference between Select Any Dictionary and Select_Catalog_Role).
The SYSDBA and SYSOPER System Privileges
You can't use with ADMIN OPTION when granting these roles; only a user connected as SYSDBA can grant (or revoke) these privileges to other users; and you can't grant this system privilege to role.
The SYSDBA system privilege includes the RESTRICTED SESSION privilege and has all system privileges with ADMIN OPTION, including the SYSOPER system privilege. The SYSDBA privilege lets you do the following:
Perform STARTUP and SHUTDOWN operations
Use the ALTER DATABASE command to open, mount, back up, or change a character set
Use the CREATE DATABASE command
Perform ARCHIVELOG and RECOVERY operations
Create an SPFILE
The SYSOPER privilege similarly includes the RESTRICTED SESSION privilege, and it lets you do the following:
- Perform STARTUP and SHUTDOWN operations
- Use the ALTER DATABASE command to open, mount, or back up
- Perform ARCHIVELOG and RECOVERY operations
- Create an SPFILE
List the system privileges assigned to a user
SELECT LPAD(' ', 2*level) || granted_role "USER PRIVS"
FROM (
SELECT NULL grantee, username AS GRANTED_ROLE
FROM dba_users
WHERE username LIKE UPPER('%&uname%')
UNION
SELECT grantee, granted_role
FROM dba_role_privs
UNION
SELECT grantee, privilege
FROM dba_sys_privs)
START WITH grantee IS NULL
CONNECT BY grantee = prior granted_role;