Access to DBA_ROLE_PRIVS

Hello, this is a newbie DBA question, I am more of developer.
I have been trying to list all users with access to DBA_ROLE_PRIVS and I run the following query:
select distinct(grantee) from dba_role_privs
where connect_by_isleaf = 1
start with granted_role in ( select distinct(grantee) from dba_tab_privs where table_name = 'DBA_ROLE_PRIVS' )
connect by granted_role = prior grantee
order by grantee
The result of this query doesn't contain the current user who apparently has SELECT (also some other users who can SELECT from DBA_ROLE_PRIVS are not in the result either). What am I missing here.

Here is what is confusing me:
select distinct(grantee) from dba_tab_privs where table_name = 'DBA_ROLE_PRIVS'
returns 6 users (none of them is the current user) and one role - SELECT_CATALOG_ROLE which is not granted to the current user
select * from dba_sys_privs where grantee = <current user>
does not return any select privileges to the current user.
Then when does the current user gets the SELECT privilege on DBA_ROLE_PRIVS ?

Similar Messages

Granted roles as a non-dba user

One of the goals we are trying to do here is to let departments manage more of their roles by themselves. For instance, the sales department can manage the sales role, the customer service the customer service role, etc.
However, as these are non-dba users, they do not have access to DBA_ROLE_PRIVS. Is there any way for an administrator of a role to see who has this role?
For instance, as a quick example:
create user sales_admin identified by *****;
create role sales;
grant connect to sales_admin;
grant sales to sales_admin with admin option;
connect sales_admin/*****
grant sales to scott;
Is there any way for sales_admin to see who has the sales role? Or will they need to go to the DBA and ask for a list?

Granting "select any dictionary" privilege to sales_admin user is something that cannot be proposed ? Like this :
SYS@db102 SQL> get sales
1 create user sales_admin identified by sales_admin;
2 create role sales;
3 grant connect to sales_admin;
4 grant select any dictionary to sales_admin;
5 grant sales to sales_admin with admin option;
6 connect sales_admin/sales_admin
7 grant sales to scott;
8* select * from dba_role_privs where granted_role='SALES';
SYS@db102 SQL> @sales
User created.
Role created.
Grant succeeded.
Grant succeeded.
Grant succeeded.
Connected.
Grant succeeded.
GRANTEE                        GRANTED_ROLE                   ADM DEF
SYS                            SALES                          YES YES
SALES_ADMIN                    SALES                          YES YES
SCOTT                          SALES                          NO YES
SALES_ADMIN@db102 SQL>

Qury to Show DBA level access by user

Hi - is there a way to list usernames and access level, such as DBA (10g)?
Thanks

select grantee from dba_role_privs where granted_role = 'DBA'Of couse you need to be DBA yourself (at least have the select any data dictionary grant).

DBMS_RLS를 이용한 FINE GRANED ACCESS CONTROL (FGAC)의 개념 및 사용방법 (8I ~ 10G)

제품 : ORACLE SERVER
작성날짜 : 2005-11-23
DBMS_RLS를 이용한 FINE GRANED ACCESS CONTROL (FGAC)의 개념 및 사용방법 (8I ~ 10G)
=====================================================================
PURPOSE
여러 사용자가 같은 테이블을 조회하더라도, 각 사용자마다 자신의 정보만을
표시해 준다거나, 특정 시간 범위 내에서는 다른 조건의 데이타만 보여지는 등
row level의 security및 context를 지정하는 것이 8i부터
FGAC (Fine Graned Access Control)을 통해 가능해졌다.
이것은 VPD (Virtual Private Database)라는 용어로도 언급되어지는대,
dbms_rls pacakge를 통해 policy 및 predicate을 생성하여 사용되어진다.
Explanation & Examples
FGAC는 row level로 security 및 context를 부여하는 것으로 결국 tranparent하게
수행하는 SQL문장에 where절 조건을 추가하는 것이다.
이렇게 추가되는 where 조건을 predicate이라고 부른다.
1. FGAC의 간단한 예제
scott의 emp table에 대해서 login한 username과 같은 ename에 대한 정보만을
보여주는 예제를 제시한다. super_user라는 role을 가진 user에 대해서는
전체 emp table이 모두 display되는 방법도 첨부한다.
(1) dbms_rls package에 대한 실행 권한을 scott에게 부여한다.
SQL> grant execute on dbms_rls to scott;
(2) emp table의 ename에 해당하는 user몇명을 생성하고 권한을 부여한다.
SQL> create user king identified by king;
SQL> create user adams identified by adams;
SQL> grant connect to king, adams, james;
SQL> connect scott/tiger
SQL> grant select on emp to king, adams, james, eykim;
(3) scott user에서 다음과 같이 predicate을 포함한 function을 생성한다.
SQL> connect scott/tiger
SQL> create or replace function predicate
(obj_schema varchar2, obj_name varchar2)
return varchar2 is d_predicate varchar2(2000);
BEGIN
d_predicate := 'ename = sys_context (''USERENV'', ''SESSION_USER'')';
RETURN d_predicate;
END predicate;
policy이 제대로 만들어졌는지 다음과 같이 scott user에서 확인한다.
SQL> select predicate('dummy','dummy') from dual;
PREDICATE('DUMMY','DUMMY')
ename = sys_context ('USERENV', 'SESSION_USER')
(4) 다음 문장을 system 혹은 scott user에서 실행한다.
이때 parameter의 의미는, object_schema, object_name, policy_name,
function_schema, policy_function 순이다. 이 외의 parameter가 더 있지만
나머지는 default값을 이용한다.
SQL> exec dbms_rls.add_policy('scott', 'emp', 'pol1', 'scott', 'predicate');
기존의 같은 policy name이 존재하는 경우에는 다음과 같이 지우고 새로 생성할
수 있다.
SQL> exec dbms_rls.drop_policy( 'SCOTT', 'EMP', 'pol1' );
(5) king/scott등 user로 접속하여 emp table을 조회해 본다.
SQL> connect king/king
SQL> select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7839 KING PRESIDENT 17-NOV-81 5000
10
SQL> connect scott/tiger
SQL> select * from emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7788 SCOTT ANALYST 7566 19-APR-87 3000
20
(6) emp table의 ename에 속해있지 않은 user로 접속하여 조회해 본다.
eykim user에 대해서 emp table의 select권한은 (2)번 단계에서 제공되었다.
SQL> connect eykim/eykim
SQL> select * from scott.emp;
no rows selected
(7) super_user라는 role을 생성하고 이 role을 가진 사용자는 모두 데이타가 조회
가능하도록 policy function을 변경하여 본다.
SQL> grant select on dba_role_privs to scott;
SQL> create or replace function predicate (obj_schema varchar2, obj_name varchar2)
return varchar2 is d_predicate varchar2(2000);
counter number;
begin
select count(*) into counter
from dba_role_privs
where granted_role='SUPER_USER'
and grantee = sys_context ('USERENV', 'SESSION_USER');
if counter = 1 then
d_predicate := '';
else
d_predicate := 'ename = sys_context (''USERENV'', ''SESSION_USER'')';
end if;
return d_predicate;
end predicate;
(8) king user에게 super_user role을 부여한 후 (5)번과 어떻게 결과가 다르게
나오는지 확인한다.
SQL> create role super_user;
SQL> grant super_user to king;
SQL> connect king/king
SQL> select * from emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM
DEPTNO
7369 SMITH CLERK 7902 17-DEC-80 800
20
7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300
30
7902 FORD ANALYST 7566 03-DEC-81 3000
20
7934 MILLER CLERK 7782 23-JAN-82 1300
10
14 rows selected.
RELATED DOCUMENTS
<Note 67977.1> Oracle8i Fine Grained Access Control - Working Examples

Want to get the list users with select access to v$ synonyms and v$ views

I've to write a sql (DB 11.1) to get the list of users who has select access to v$ synonym and v$ views. I've written the following sqls to do this but they both return the same result and I don't know how to verify it. It will be a great help if you could validate the sqls and let me know if something is wrong. Thanks for the help.
-- v$ views
select 'vview',
substr(SYS_CONNECT_BY_PATH(c, '->'),3,512) path, c
from (select null p, view_name c
from dba_views
where view_name like ('V$%')
union all
select -- users/roles and roles granted
granted_role p,
grantee c
from dba_role_privs
where granted_role != 'DBA'
union all
select -- users/roles with select on DBA views
table_name p, grantee c
from dba_tab_privs
where privilege = 'SELECT'
and table_name like ('V$%'))
where (c = 'PUBLIC' OR c in (select username from dba_users))
AND c NOT IN('MDSYS','DMSYS','CTXSYS','WMSYS','ORDSYS','OLAPSYS','DBSNMP')
start with p is null connect by p = prior c
-- v$ synonyms
select 'vsynonyms',
substr(SYS_CONNECT_BY_PATH(c, '->'),3,512) path, c
from (select null p, SYNONYM_NAME c
from ALL_SYNONYMS
where table_name like ('V$%')
union all
select -- users/roles and roles granted
granted_role p,
grantee c
from dba_role_privs
where granted_role != 'DBA'
union all
select -- users/roles with select on DBA views
table_name p, grantee c
from dba_tab_privs
where privilege = 'SELECT'
and table_name like ('V$%'))
where (c = 'PUBLIC' OR c in (select username from dba_users))
AND c NOT IN('MDSYS','DMSYS','CTXSYS','WMSYS','ORDSYS','OLAPSYS','DBSNMP')
start with p is null connect by p = prior c

I've modified the sql to include GV$ and all select [any] privs.
select 'vview',
substr(SYS_CONNECT_BY_PATH(c, '->'),3,512) path, c
from (select null p, view_name c
from dba_views
where view_name like ('V$%') OR view_name like ('GV$%')
union all
select -- users/roles and roles granted
granted_role p,
grantee c
from dba_role_privs
where granted_role != 'DBA'
union all
select -- users/roles with select on DBA views
table_name p, grantee c
from dba_tab_privs
where privilege like 'SELECT%'
and table_name like ('V$%') OR table_name like ('GV$%') )
where (c = 'PUBLIC' OR c in (select username from dba_users))
AND c NOT IN('MDSYS','DMSYS','CTXSYS','WMSYS','ORDSYS','OLAPSYS','DBSNMP')
start with p is null connect by p = prior c
union
select 'vsynonyms',
substr(SYS_CONNECT_BY_PATH(c, '->'),3,512) path, c
from (select null p, SYNONYM_NAME c
from ALL_SYNONYMS
where table_name like ('V$%') OR table_name like ('GV$%')
union all
select -- users/roles and roles granted
granted_role p,
grantee c
from dba_role_privs
where granted_role != 'DBA'
union all
select -- users/roles with select on DBA views
table_name p, grantee c
from dba_tab_privs
where privilege like 'SELECT%'
and table_name like ('V$%') OR table_name like ('GV$%') )
where (c = 'PUBLIC' OR c in (select username from dba_users))
AND c NOT IN('MDSYS','DMSYS','CTXSYS','WMSYS','ORDSYS','OLAPSYS','DBSNMP')
start with p is null connect by p = prior c

Table Access Path

Hi,
I am using oracle 10g on windowz xp. I am giving below query :
SQL> ED
Wrote file afiedt.buf
1 SELECT GRANTEE,PRIVILEGE,GRANTABLE FROM DBA_TAB_PRIVS
2 WHERE
3 OWNER='SCOTT' AND
4* TABLE_NAME='EMP'
SQL> /
GRANTEE                        PRIVILEGE                                GRA
HR                             SELECT                                   YES
TEST                           SELECT                                   NO
TESTROLE                       SELECT                                   NO
TESTROLE                       UPDATE                                   NO
SQL>But i need output in below manner :
GRANTEE                        PRIVILEGE                                GRA
HR (DIRECT)                    SELECT                                   YES
TEST (DIRECT)                  SELECT                                   NO
TEST (THROUGH-->TESTROLE)      SELECT                                   NO
ABC (THROUGH-->TESTROLE)       UPDATE                                   NOI mean how do i know that which user is having which privilege on scott.emp through direct access or through a role. If user is having direct privilege it should be (USERNAME (DIRECT)) in GRANTEE column else (USERNAME (THROUGH-->ROLENAME).
Thanks in advance.

Hello Anuragji,
Yes, your query is taking care of it, but i have a little question (basic) :
SQL> select t.grantee, null Through, t.privilege, t.grantable
2       from dba_tab_privs t
3       where t.grantee in (select username from dba_users) and owner = 'SCOTT' and table_name = 'EMP'
4 union all
5 select r.grantee, tr.grantee Through, tr.privilege, tr.grantable
6       from dba_tab_privs tr, dba_role_privs r
7       where r.granted_role=tr.grantee and owner = 'SCOTT' and table_name = 'EMP';
GRANTEE                        THROUGH                        PRIVILEGE                                GRA
HR                                                            SELECT                                   YES
TEST                                                          SELECT                                   NO
SYS                            TESTROLE                       SELECT                                   NO
HR                             TESTROLE                       SELECT                                   NO
SYS                            TESTROLE                       UPDATE                                   NO
HR                             TESTROLE                       UPDATE                                   NO
6 rows selected.
SQL> show user;
USER is "SYS"
SQL> delete from scott.emp;
15 rows deleted.
SQL> rollback;
Rollback complete.My question is if sys is not having delete privilege on scott.emp as output shown above, then how 15 rows deleted?
Thank you again for your replies.

How to give select on DBA_ROLE_PRIVS to the endusers?

I' like to give select only on DBA_ROLE_PRIVS to enduser but the problem is that the SYS can create public synonym for DBA_ROLE_PRIVS and can give the privileges to other users but other users can not use these privileges; they can not see the content from the view DBA_ROLE_PRIVS (my public synonym DBA_ROLE_PRIVS with select privileges to other endusers). Could anyone give me some ideas? (10g).
Thanks!
m.
Edited by: marussig on Sep 22, 2008 4:46 PM
Edited by: marussig on Sep 22, 2008 4:53 PM

Why do you want users to access DBA_ROLE_PRIVS ?
If you really really need to grant them access, create a public synonym and grant them SELECT on that public synonym.
C:\>sqlplus
SQL*Plus: Release 10.2.0.3.0 - Production on Mon Sep 22 22:00:26 2008
Copyright (c) 1982, 2006, Oracle. All Rights Reserved.
Enter user-name: / as sysdba
Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Production
With the Partitioning, OLAP and Data Mining options
SQL> create public synonym d_r_p for dba_role_privs;
Synonym created.
SQL> grant select on d_r_p to public;
Grant succeeded.
SQL> create user abc identified by xyz;
User created.
SQL> grant create session to abc;
Grant succeeded.
SQL> connect abc/xyz
Connected.
SQL> select count(*) from d_r_p;
COUNT(*)
108
SQL> desc d_r_p
Name Null? Type
GRANTEE VARCHAR2(30)
GRANTED_ROLE NOT NULL VARCHAR2(30)
ADMIN_OPTION VARCHAR2(3)
DEFAULT_ROLE VARCHAR2(3)
SQL>
Hemant K Chitale
http://hemantoracledba.blogspot.com

Priviledges required for dba_role_privs table

Hi Friends ,
I want one help ..
i am executing the query "select * from dba_role_privs" from sql developer worksheet..but when i am using same query in package which is in same schema .. when i am compiling this package ..this gave me error "table or view does not exist" meanwhile when i am using "DBA_USERS " table in package..it doesn't give error for this table while compiling the package..
i already provided "SELECT_CATALOG_ROLE" to schema..
which grants needs to give schema for accessing the table dba_role_privs?
can you please tell me why is this happening ?

It is happening because
a) You don't consult documentation prior to asking a question
if you would have done so you would have avoided to ask a question which has been asked and answered 99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999 times before, by people, who like you, don't read documentation.
If you would have done so you would also have known
b) Roles are ignored in stored procedures as roles are volatile.
There are two solutions to this one
1) Grant the privilege to the user invoking the procedure directly. This is the worst solution you can think of, as your grants will get out of control.
2) create the procedure with authid current_user
Sybrand Bakker
Senior Oracle DBA

User privilege to access schema ?

Hello experts ...
how can we find the simple information about :
for example a user scott has privilege to connect schema (like create session privilege he has) ...
like that i want know how many schema's connect privilege he has .... in wiich data dictionary we get this information and what is query ....
how to get this information ??????
thankssss

Hi,
1) very first i wana to know how to give 1 particular schema privilege for example scott schema .. to multiple users (not only access the tables privilege) the complete connect role to multiple users.Refer to : http://download.oracle.com/docs/cd/B28359_01/network.111/b28531/authorization.htm
2)second which users having which schema's connect privilege ..SELECT * FROM dba_role_privs WHERE granted_role='CONNECT'
- Pavan Kumar N

Why self-defined access sequences of free goods can not work?

Hi gurus,
I have maintained access sequences of free goods self-defined.but when i creat the SO it does not work!
when i used the standard access sequences ,it is OK .
Can anybody tell me why?
thanks in advance

Dear Sandy,
Go to V/N1 transaction select your self defined access sequence then go in to the accesses and fields and check all fields are activated.
Make sure that these fields are flowing in your sales order.
I hope this will help you,
Regards,
Murali.

Partner application access to portal login info

How can an SSO partner application (Java) tell whether or not a user has logged in to Portal?
I need to log activity in a public application servlet, so I'd like to log the user as PUBLIC if not logged in or as their actual userid.
I don't seem to have access to this info until the user has visited a secure part of the app.
Any pointers would be appreciated.
Thanks
Rob

DIY answer ...
The cludge I used to get round this was ...
Make a PL/SQL item which displays a Login or Logout link as appropriate, based on the current userid from portal.wwctx_api.get_user.
The login link goes to a secure portal page called FORCE_LOGIN, passing a URL parameter called nextPageURL which contains the URL of the next page to show after the login is complete. You can use portal.wwpro_api_parameters.get_value( '_pageid', 'a'); to help build the current page URL if you want to retun to the current page.
The FOIRCE_LOGIN page contains a PL/SQL item which builds an IFRAME whos src is a URL to my app servlet ForceLoginServlet, passing on the nextPageURL parameter. Use portal.wwpro_api_parameters.get_value( 'nextPageURL', 'a'); to help with that.
The ForceLoginServlet is a secure servlet (set up in web.xml) so that forces a silent authentication to my app. All the servlet does is display HTML to redirect back to the URL in nextPageURL.
Horrible! But it does the job.
Anyone who know a better way of doing this, please tell me.
Rob

How to allow access to web service running under ApplicationPoolIdentity

Hi All,
I have a WCF web service hosted in IIS 7 (or maybe 7.5, whichever comes with Windows server 2008 R2) using DefaultAppPool running under ApplicationPoolIdentity per Microsoft's recommendation. The web service needs to call a stored procedure to insert data
to a db. The web server is on a different VM than the database server. The db server is running SQL 2008 R2. Both VMs run Windows server 2008 R2.
When the web service tries to connect to db, it encounters this exception:
Exception in InsertToDb()System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
Here's the connection string in web.config:
Application Name=somewebservice;Server=somewebserver;Integrated Security=SSPI;Database=somedatabase;Connection Timeout=60"
How should I configure SQL security to make this work?
Thanks in advanced.

Thanks for the link Dan. Maybe I'm the one who cause the confusion :)
If I understand you(and Erland) correctly, you suggest using a custom, domain account for application pool identity. However, if we do that, our IT will need to maintain those accounts, and they don't want that. So I'm choosing a built-in account called
ApplicationPoolIdentity as the application pool identity, but it's not working. Network Service, on the other hand, works, but my boss wants us to follow MS's best practice.
What's puzzling is that according to this: http://learn.iis.net/page.aspx/624/application-pool-identities/, both Network Service and ApplicationPoolIdentity uses machine account to access network resource (like db in this case), but in my case, Network Service
works, but not ApplicationPoolIdentity.
Hallo Stephen,
with respect - it seems to me that only idiots are working at your IT ;)... It is absolutely useful to work with "service accounts" created within the domain. That's the only way to manage and control accounts!
If you want to "pass through" the identity of the web user (SSO) you have to check whether the app pool is set to "allow impersonate". As far as I understand the ApplicationPoolIdentity-function the app pool will create a unique user named as the service.
I assume that will not work with the connection to the sql server because this user is unknown.
Local Service will not work because it's restriction is located to the local machine.
Network Service will work because access to network resources will be available.
So my recommendation is to use a dedicated service account or impersonation:
http://msdn.microsoft.com/en-us/library/xh507fc5.aspx
Uwe Ricken
MCITP Database Administrator 2005
MCITP Database Administrator 2008
MCITS Microsoft SQL Server 2008, Database Development
db Berater GmbH
http://www-db-berater.de

How to let SAP user use SSO to access Application in DMZ?

Hi All,
Our J2EE application is running on a system in DMZ which can not be connected with LDAP. So I am wondering if it's possible to let SAP user use SSO to access our application.
After talking with my colleague I think the only way is to import SSO public key to our WebAS and create user in UME and then assign user to the corresponding public key, but anybody know where to download SSP verification file or is it allowed to download and import into another system at all?
Regards,
Bin

Hi,
Take a look at this example, it uses property nodes to select tha
active plot and then changes the color of that plot.
If you want to make the number of plots dynamic you could use a for
loop and an array of color boxes.
I hope this helps.
Regards,
Juan Carlos
N.I.
Attachments:
Changing_plot_color.vi ‏38 KB

How do I access the web utility with model cisco sf302-08p ?

Hi,i have a problem with the model Cisco SB SF302-08PP Switch , i connect a cable rj45 to my pc and configure the adapter local area connection (ip address:192.168.1.252), the LEDs blink green, and go to the address bar and get the IP by default, which according to the manual is 192.168.1.254 and the result is: page not found. Is there any way to change the web utility? How do I access the web utility?

restore the switch by holding more than 30 seconds and try accessing with ip 192.168.1.254. username and password is "cisco". before change your base ip to 192.168.1.2-253.try to ping and check the connectivity

MS ACCESS, NULL, and '%'

I am using a prepared statement to query my access database which contains personal data first name, last name, address, city, state, etc.... I allow the user to search the database by any of these fields (or any combination of them) by making the default values for any empty fields '%'. Here's my select statement.
stmt =conn.prepareStatement("SELECT * FROM Data1 WHERE first_name LIKE ? AND last_name LIKE ? AND city LIKE ? ....");
stmt.setString(1, firstNameField.getText()+"%");
stmt.setString(2, lastNameField.getText()+"%");
stmt.setString(3, cityField.getText()+"%");
This worked but didn't return a record if ANY of their values are NULL. So I changed my select statement to allow for NULL values.
stmt =conn.prepareStatement("SELECT * FROM Data1 WHERE (first_name LIKE ? OR first_name IS NULL) AND (last_name LIKE ? OR last_name IS NULL) AND (city LIKE ? OR city IS NULL) ....");
stmt.setString(1, firstNameField.getText()+"%");
stmt.setString(2, lastNameField.getText()+"%");
stmt.setString(3, cityField.getText()+"%");
This fixed that problem, but now it ALWAYS returns the records with NULL fields. I want it to only match NULL fields if the coressponding JTextField is left blank. Can anyone tell me a good way to do this?

How can I create it dynamically and still keep the
speed of a prepared statement??Unless you are doing block inserts in a loop you are probably not going to see any speed improvement anyways.
But as I said you can simply create all the combinations and then use an array to keep track of them.

Access to DBA_ROLE_PRIVS

Similar Messages

Maybe you are looking for