Grant and Revoke
Consider me as a SYS user and i grant privileges to a user1 WITH GRANT OPTION.
So, user1 can grant privileges to other users, lets it be user1 grant privileges to user2.
Can user1 grant privileges to user2 WITH GRANT OPTION?
Suppose if privileges for user1 is REVOKED, what happen to the privileges for user2 and user3(if user2 grant permissions) ?
Can i revoke only the WITH GRANT OPTION for user1?
As i am not a SYS user, i am not able to experiment all these things. Any help would be appreciated.
Thanks in Advance,
Edited by: user12504537 on Sep 27, 2011 11:27 PM
user12504537 wrote:
Consider me as a SYS user and i grant privileges to a user1 WITH GRANT OPTION.
So, user1 can grant privileges to other users, lets it be user1 grant privileges to user2.
Can user1 grant privileges to user2 WITH GRANT OPTION?
Suppose if privileges for user1 is REVOKED, what happen to the privileges for user2 and user3(if user2 grant permissions) ?
Can i revoke only the WITH GRANT OPTION for user1?
As i am not a SYS user, i am not able to experiment all these things. Any help would be appreciated.
Thanks in Advance,
Edited by: user12504537 on Sep 27, 2011 11:27 PM
Can user1 grant privileges to user2 WITH GRANT OPTION?Yes,user1 can grant user2 as grant option .
>Suppose if privileges for user1 is REVOKED, what happen to the privileges for user2 and user3(if user2 grant permissions) ?
revoking any grant WITH GRANT will cascade and revoke any and all privileges assigned by the privileged user
Check the below link :
difference between "WITH GRANT OPTION" and "WITH ADMIN OPTION"
--neeraj
Similar Messages
-
Hi,
Could anybody suggest on this please?
Can a user grant or revoke create session privliage to another user? If can what are the roles should the user have to grant or revoke create session privliage from another user.
thanks
kamaleshHello Kamalesh JK,
A user can grant any system or role privilege he received WITH ADMIN OPTION, and any object privilege he received WITH GRANT OPTION.
Ex:SQL> CREATE USER u1 IDENTIFIED BY u1;
User created.
SQL> GRANT CREATE SESSION TO u1 WITH ADMIN OPTION;
Grant succeeded.
SQL> CREATE USER u2 IDENTIFIED BY u2;
User created.
SQL> CONNECT u1/u1;
Connected.
SQL> GRANT CREATE SESSION TO u2;
Grant succeeded.Regards,
Yoann. -
Grant and revoke privilages from command line interface
hi all,
I have a lot of users that I need to give them a set of privileges to folders and containers of the repository, i thought that using the command line interface should help in loading a script.
i checked the manual for the syntax for such a command (i.e. to grant privileges) but i couldn't, searched the net and i didn't find anything.
So can we grant privileges from the command line interface and how ?
by the way is there anyway to create users from command line interface as well ?\
thanks in advance and have a good oneThe granting of access rights cannot be done with a CLI script in Designer. Instead you have to use the Designer API Pl/Sql packages.
For detailed information, refer to the "API and Model Reference Guide", which is
installed with the Designer Repository Documentation, or can be found on OTN > Doco > Designer site.
Scroll through that document to the Reference section. You will need to read up on two topics at least: Workarea and Container Context, Privileges and Access Rights.
To grant rights, the easiest way is to grant them "just like some existing ones".
To do this, you'll need a Pl/Sql procedure with 5 input parameters:
1) the workarea context
2) the container to look at
3) the user to look like
4) the container to grant access to
5) the user to grant access for
The Pl/Sql procedure then needs to make a series of Repository API package calls to set context and get container IRIDs:
JR_CONTEXT.Set_Workarea (workareaname) - to set the context workarea
JR_CONTEXT.Set_Working_Folder (sourcefoldername) - to specify the source container
JR_CONTEXT.Working_Folder (sourcefolderid) - to get the ID of the source container
JR_CONTEXT.Set_Working_Folder (targetfoldername) - to specify the target container
JR_CONTEXT.Working_Folder (targetfolderid) - to get the ID of the target container
OR you can just do a couple queries after you set the WA CONTEXT such as ...
Select IRID from CI_Application_Systems where NAME = <sourcefoldername>
Select IRID from CI_Application_Systems where NAME = <targetfoldername>
Then you get the list of rights desired, and grant them back to the target user.
JR_ACC_RIGHTS.Get_Acc_Rights (sourcefolderid, sourceusername) > AccessList
[gets list of existing rights for some user on a container]
JR_ACC_RIGHTS.Grant_Priv_List (targetfolderid, targetusername, AccessList, Cascade? = TRUE)
[to set the list of rights for a user against the target container and its subcontainers]
There are other ACC_RIGHTS packages, like Grant_Priv, Revoke_Prive, Revoke_Priv_List, etc that you can use as well to build up a set of access management scripts.
Hope this helps -
Re: audit using ddl trigger for dcl (grant and revoke)
Why are you trying to re-invent oracle's own auditing feature?
No, there is no way to unbranch.
I'll lock this branch and you can answer Ed on your original thread (I'll leave it to you to copy/paste Ed's question in your reply). -
Error while running Re-create grants and synonyms for APPS schema
Hi,
I have upgraded customer's Oracle Apps 11i (11.5.10) database to Oracle 10g R2. While executing '+Re-create grants and synonyms+ ' as given in Note: 362203.1, I am gettng error:
plus80 -s APPS/***** @E:\EBSTEST\ebstestappl\ad\11.5.0\admin\sql\adappsgs.pls &systempwd 1 INV APPLSYS APPS TRUE FALSE TRUE
Error:
Program exited with status 3
Cause: The program terminated, returning status code 3.
Action: Check your installation manual for the meaning of this code on this operating system.Connected.
old 2: ad_apps_private.create_grants_and_synonyms(&2,'&3','&4','&5','FALSE');
new 2: ad_apps_private.create_grants_and_synonyms(1,'INV','APPLSYS','APPS','FALSE');
begin
*+
ERROR at line 1:
ORA-20000: ORA-00955: name is already used by an existing
object:create_grants_and_synonyms(1,INV,APPLSYS,APPS): create_base_gs(INV,APPS): In Synonyms
Loop:create_synonym(INV,MTL_ONHAND_DISCREPANCY,APPS,MTL_ONHAND_DISCREPANCY):
do_apps_ddl(APPS,CREATE SYNONYM "MTL_ONHAND_DISCREPANCY" FOR INV."MTL_ONHAND_DISCREPANCY"):
ORA-06512: at line 5
MTL_ONHAND_DISCREPANCIES
I checked the database and there isn't MTL_ONHAND_DISCREPANCY synonym. But there is MTL_ONHAND_DISCREPANCIES synonym.
This is an upgraded instance from 11.0.3 and first time I am running Re-create grants and synonyms for APPS schema.
Plz let me know if anyone of you faced this issue.
Rgds,
ThiruHi,
there is no such table MTL_ONHAND_DISCREPANCY or synonym in Applications 11.5.10.2. Is that custom table created in your db?
After dropping this table from APPS schema 'Re-create grants and synonyms for APPS schema' went thru fine.Its correct
This table does not exist in INV schema in 11.5.10.2.
Could be possible that the consultant could have created this table in INV and APPS schema by mistake or whatever.Yes, with the same name, there might be table in APPS SCHEMA. When you run recreate grants and synonyms, adadmin tries to create synonym for that table in APPS schema. since there is object available with the same name in apps chema, you got that error. -
Error In Adadmin Re-Create Grants And Synonyms For Apps Schema
HI,
I upgraded the my DB from 9.2.6 to 10.2.4.It was sucessfull.
While doing Postupgradayion steps -
Recreate grants and synonym for apps
a. Log in to server with applmgr user
b. Execute adadmin
c. Choose -> Maintain Applications Database Entities menu
d. Choose -> Re-create grants and synonyms for APPS schema
2 workers got failed ...
i chked the worker log file i found
sqlplus -s APPS/***** @/stageAPP/stageappl/ad/11.5.0/admin/sql/adappsgs.pls &systempwd 1 PO APPLSYS APPS TRUE FALSE TRUE
Connected.
old 2: ad_apps_private.create_grants_and_synonyms(&2,'&3','&4','&5','FALSE');
new 2: ad_apps_private.create_grants_and_synonyms(1,'PO','APPLSYS','APPS','FALSE');
begin
ERROR at line 1:
ORA-20000: ORA-00955: name is already used by an existing
object:create_grants_and_synonyms(1,PO,APPLSYS,APPS): create_base_gs(PO,APPS):
In Synonyms
Loop:create_synonym(PO,XXGOD_SEQ_DECORTIMESHEET_HDR,APPS,XXGOD_SEQ_DECORTIMESHEE
T_HDR): do_apps_ddl(APPS,CREATE SYNONYM "XXGOD_SEQ_DECORTIMESHEET_HDR" FOR
PO."XXGOD_SEQ_DECORTIMESHEET_HDR"):
ORA-06512: at line 5
Workaround $adctrl
Control
Worker Code Context Filename Status
1 Run Grants/Synonyms R115 adappsgs.pls FAILED
2 Run Grants/Synonyms R115 Wait
3 Run Grants/Synonyms R115 Wait
4 Run Grants/Synonyms R115 Wait
5 Run Grants/Synonyms R115 Wait
6 Run Grants/Synonyms R115 Wait
7 Run Grants/Synonyms R115 Wait
8 Run Grants/Synonyms R115 Wait
9 Run Grants/Synonyms R115 Wait
10 Run Grants/Synonyms R115 Wait
11 Run Grants/Synonyms R115 Wait
12 Run Grants/Synonyms R115 Wait
13 Run Grants/Synonyms R115 Wait
14 Run Grants/Synonyms R115 Wait
15 Run Grants/Synonyms R115 Wait
16 Run Grants/Synonyms R115 Wait
SQL> select owner, object_type from dba_objects where object_name = 'XXGOD_SEQ_DECORTIMESHEET_HDR';
OWNER OBJECT_TYPE
PO SEQUENCE
APPS SEQUENCE
Its Cutom Object .. I think i need to drop/rename anyone .. which one i should drop / rename .
Or
Is it possible to skip the failed workers .. if do .. please give me the steps ...
ThanksHi;
There is 8 option(hidden) avaliable but i suggest dont use this option.(As you mention its a custom,if you belive it wont problem you can use this hidden option or drop 'XXGOD_SEQ_DECORTIMESHEET_HDR' and recreate it later,its own your risk) By the way please check below notes which is similar error like yours
Run Adadmin To Recreate Grants And Synonyms ORA-20000 ORA-00955 In Synonyms Loop:create_synonym(GL,PLAN_TABLE,APPS,PLAN_TABLE) [ID 437714.1]
ADADMIN MAINTAINING APPLICATIONS GRANTS AND SYNONYMS APP-931 ORA-955 ORA-20000 [ID 1014455.102]
Regard
Helios -
Script to create grants and synonyms for objects in database
Hello,
We are building a patch to be applied to the production environment. I want to create a script/sql query that builds a list of grants and synonyms for all the objects created after august 09.
for ex:
create or replace synonym abc for schema_name.abc;
Grant execute on abc to user_xyz;
How can I use Oracle's data dictionary to do this?
thankzHi,
You'll probably want to use these views:
user_objects - includes created (DATE) column.
user_synonyms
user_tab_privs - not just tables (e.g., includes EXECUTE privileges on functions).
Data dictionary views beginning with 'user_' cover objects owned by the current user only.
Almost all of the data dictionary views (and all of the three mentioned above) also have 'all_' and 'dba_' versions.
For example:
all_objects inculdes everything in user_objects, plus objects in other schemas on which the current user has privileges.
dba_objects include every object in the database. (Not everyone is allowed to see the dba_ views.)
Here's one of many possible ways to use these views:
SELECT 'GRANT '
|| privilege
|| ' ON "'
|| table_name
|| '" TO '
|| grantee
|| CASE
WHEN grantable = 'YES'
THEN ' WITH GRANT OPTION;'
ELSE ';'
END
FROM user_tab_privs
WHERE table_name IN ( -- Only interested in objects created after August 9
SELECT object_name
FROM all_objects
WHERE created >= TO_DATE ( '10-Aug-2009'
, 'DD-Mon-YYYY'
; -
Do I need to reapply grants and synonyms. Altering Rename for other schema
Hi,
We are following the process to replace some tables in UAT/PROD with new structure of tables.
So for example for Table A in Schema A:
Step1- Create TableA_NEW with the required structure and partitions.
Step2- Insert into TableA_NEW Select * from TableA.
Step3- Alter Table TableA Rename to TableA_OLD --Take Backup of TableA
Step4- Alter Table TableA_NEW Rename to TableA --Change the New table ti Original Table
Now do I need to reapply all the grants and synonyms originally applied to TableA.
When I test in Dev, all the grants and synonyms still hold. But I can't take any chances for UAT/PROD.
Also when I rollback these changes and Rename the tables back to Original table.
Then do I need to Reapply all the grants and synonyms originally applied to TableA.
Please suggest..user8941550 wrote:
Hi,
We are following the process to replace some tables in UAT/PROD with new structure of tables.
So for example for Table A in Schema A:
Step1- Create TableA_NEW with the required structure and partitions.
Step2- Insert into TableA_NEW Select * from TableA.
Step3- Alter Table TableA Rename to TableA_OLD --Take Backup of TableA
Step4- Alter Table TableA_NEW Rename to TableA --Change the New table ti Original Table
Now do I need to reapply all the grants and synonyms originally applied to TableA.
When I test in Dev, all the grants and synonyms still hold. But I can't take any chances for UAT/PROD.
Also when I rollback these changes and Rename the tables back to Original table.
Then do I need to Reapply all the grants and synonyms originally applied to TableA.
Please suggest..
Step1- Create TableA_NEW with the required structure and partitions. New table - does not have grants
Step2- Insert into TableA_NEW Select * from TableA.
Step3- Alter Table TableA Rename to TableA_OLD --Take Backup of TableA Renamed table keeps grants. Synonym not valid at this point
Step4- Alter Table TableA_NEW Rename to TableA --Change the New table ti Original Table New table still does not have grants, synonym now valid
So, grants disappear but synonym will be valid at end of process. -
Grants and Snynyms -ORA-01031: insufficient privileges
Hi
I did a script for DBA to execute, this script contain GRANTS and creation of the synonyms, the Owner
of tableS is OLOGBGF
I create synonym as :
CREATE OR REPLACE SYNONYM ULOGBGF.ZBI_STOCK FOR OLOGBGF.ZBI_STOCK;
CREATE OR REPLACE SYNONYM ULOGBGF.ZBI_STOCK FOR OLOGBGF.ZBI_STOCK
Why did not work, see code below
thank you in advance
Script executado.
SQL> select * from global_name;
GLOBAL_NAME
ISLQ.WORLD
SQL> PROMPT **********************************
SQL> PROMPT GRANTS/SYNONYMS
GRANTS/SYNONYMS
SQL> PROMPT **********************************
SQL> GRANT SELECT, INSERT, UPDATE, DELETE ON OLOGBGF.TEMPO_FILA TO ULOGBGF;
Grant succeeded.
SQL> GRANT DELETE, INSERT, SELECT, UPDATE ON OLOGBGF.ZBI_STOCK TO ULOSBGF;
Grant succeeded.
SQL> CREATE OR REPLACE SYNONYM ULOGBGF.TEMPO_FILA FOR OLOGBGF.TEMPO_FILA;
CREATE OR REPLACE SYNONYM ULOGBGF.TEMPO_FILA FOR OLOGBGF.TEMPO_FILA
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> CREATE OR REPLACE SYNONYM ULOGBGF.ZBI_STOCK FOR OLOGBGF.ZBI_STOCK;
CREATE OR REPLACE SYNONYM ULOGBGF.ZBI_STOCK FOR OLOGBGF.ZBI_STOCK
ERROR at line 1:
ORA-01031: insufficient privilegesCheck the privileges that have been granted to the user running the script.
For example, if "HEMANT" is running the script :
select granted_role from dba_role_privs where grantee = 'HEMANT'
union
select privilege from dba_sys_privs where grantee = 'HEMANT'
order by 1;Hemant K Chitale
http://hemantoracledba.blogspot.com -
Recreate Grants and Synonyms for APPS schema
Hi,
how can I Recreate Grants and Synonyms for APPS schema ?
Many thanks.Hi,
You can recreate grants and sysnonyms through adadmin utility.
Navigation : adadmin - > Maintain Applications Database Entities menu - > Re-create grants and synonyms for APPS schema.
Rgds,
S.Jai
Shanthi Gears (LTD) -
Hi,
could any one please answer to these queries.
1.)what is the difference between normal grants and permissions & public grants and permissions?
2.)what is the sql to find out public permissions/grants in databaseHi,
could any one please answer to these queries.
1.)what is the difference between normal grants and
permissions & public grants and permissions?
You may be granted Permissions to write or read from certain folder or to access or execute certain objects.
A privilege granted to normal user (private) is only to that specified user. A grant to Public means every user in the database has access to it (for security, this is not recommended unless you know what you are doing)
2.)what is the sql to find out public
permissions/grants in databaseQuery the DBA_xxx_PRIVS views
DBA_AQ_AGENT_PRIVS
DBA_COL_PRIVS
DBA_ROLE_PRIVS
DBA_SYS_PRIVS
DBA_TAB_PRIVS
E.g
SQL> select * from dba_tab_privs where grantee ='PUBLIC'; -
Need to find out how to implement grants and permissions for a Page. Which module/responsibility/navigation path we have to select to set this
Hi,
could any one please answer to these queries.
1.)what is the difference between normal grants and
permissions & public grants and permissions?
You may be granted Permissions to write or read from certain folder or to access or execute certain objects.
A privilege granted to normal user (private) is only to that specified user. A grant to Public means every user in the database has access to it (for security, this is not recommended unless you know what you are doing)
2.)what is the sql to find out public
permissions/grants in databaseQuery the DBA_xxx_PRIVS views
DBA_AQ_AGENT_PRIVS
DBA_COL_PRIVS
DBA_ROLE_PRIVS
DBA_SYS_PRIVS
DBA_TAB_PRIVS
E.g
SQL> select * from dba_tab_privs where grantee ='PUBLIC'; -
I created a custom security extension following the steps listed in the Readme_Security Extension Sample. It works fine if I login as the user that is specified AdminConfiguration section of the rsreportserver.config file but if I
log in as another user, I get this error: User '' does not have required permissions. Verify that sufficient permissions have been granted and Windows User Account Control (UAC) restrictions have been addressed. I've added the user to both System Administrator
and System User roles to try to get it to work but still no luck.
Does anyone know how to fix this?
Thanks.Hi MetronM,
The issue is due to that user have no permission to access the report server. In report manager, Reporting Services includes predefined roles that we can assign to users and groups to provide immediate access to a report server. Each role defines a collection
of related tasks.
You can refer to the following steps to assign corresponding role to the user.
Open report manager.
Click “Folder Setting” button.
Click “New Role Assignment” icon.
Type the user name and select the corresponding role.
There is an article about Granting Permissions on a Native Mode Report Server, you can refer to it.
http://technet.microsoft.com/en-us/library/ms156014.aspx
Regards,
Alisa Tang
Alisa Tang
TechNet Community Support -
GRANT to PUBLIC and REVOKE for USER
Hi
Is it possible to revoke grant for a particular user for which PUBLIC have access? I understand, the PUBLIC grant supersedes all ROLE level security, but I am just intrigued to know is there a way to revoke the grants from a particular user ( and still leave it for PUBLIC to access them?)
I might sound funny - I am sorry, if I have asked a silly question.
I am using Oracle 9.2.
Warm Regards
Guruhi
there is no such question as silly
please be clear that is public is a profile that a user is assigned or what?
check the sites
http://www.psoug.org/reference/roles.html
http://www.dba-oracle.com/art_builder_security.htm -
Oracle users and revoking privileges
Hello,
To test out some error conditions in an application, I'd like to temporarily revoke a privilege on a table from a database user.
I am trying to do that, logged into SQL*Plus as "sys" or "system", and running the command:
REVOKE UPDATE ON USERX.TABLE_A FROM USERX;
However, this is failing with the following message:
ORA-01927: cannot REVOKE privileges you did not grant
I've also tried logging into my server as oracle, typing "sqlplus /nolog" at the command line, then "connect internal as sysdba;" from the SQL*Plus prompt, and then running the REVOKE command, but that results in the same error message.
So basically my question is: if neither the "sys" nor the "system" user is able to revoke the privilege from the "userx" user (because they did not specifically grant it), how would I determine which oracle user would be able to do this? Or how else would I go about revoking the privilege?
I'm running Oracle8i Enterprise Edition Release 8.1.6.1.0 on Linux.
Thanks for your help with this. I am not very familiar with Oracle DBA concepts.Hello,
I am fully agree with Eric....Yes! a User created a table means...the User is OWNER of the table....and that means......the User is by default having the privilege of DML operations...i belive...OK
And the privilege which you have not granted...then how could you revoke them...Whether it may b e SYS or SYSTEM or for that matter any User a/c.
If you really want to restrict the restrict option on table owned by your User, then i can suggest to put a Schema Level Trigger on DML action. This will be fired when update in invoked on table by the user and there you can have your STOP mechanism.....BUT..this is not really suggested.
Regards,
Kamesh Rastogi
Oracle - DBA
Maybe you are looking for
-
Para entender todo o contexto, antes deem uma olhada na discussão abaixo. Production in specific plant O cenário da discussão anterior funcionou. Agora preciso saber se é possível configurarmos o material para se comportar da seguinte forma: Obs.: pa
-
I am trying to sync an 32gb instead of my 8 gb anyone now how it is not syncing?
-
Get Rid of Duplicate Message Copies
This is not another ' ... receiving multiple copies ...' thread; I managed to do this to myself or, more specifically, to my wife's mailbox. The 'how' part is unclear, and would probably bore everyone to tears; suffice it to say it occurred during a
-
Problem in SNMP4J Installation
Hello everyone, I'm working on developing an SNMPv3 based NMS software for a Licensed Band cellular Radio Backhaul, using SNMP4J. My major concern in this project is to do both, manager as well as the agent part. Being a beginner, I'm facing problem
-
TS3276 How do I cancel an operation in iCloud mail once it has begun?
I have sent an email in icloud mail with too large an attachment. As a result in Account info under quota limits, "[icloud] is calculating sizes" and has been doing so for several hours. Nothing, including restarting my iMac can stop the little circl