Grant schema-level privileges to an Oracle user
Hi Experts,
Do we have an easy way to grant all objects to a user (select only) in one schema?
Thanks for help!
Jim
Thanks for help.
Actually, this is a group user account, as in
CREATE USER user
    IDENTIFIED BY appuser
    DEFAULT TABLESPACE users
    QUOTA 10M ON example
    TEMPORARY TABLESPACE temp
    QUOTA 5M ON system
    PROFILE scapp_user;
Do you need to assign quota and profile?
Also, you need to access all data in the database, that is what I was told. Should this account be granted a right to run views and procedures?
Do I need to go to all_object to find it?
Thanks for your suggestion in detail.
Jim
Similar Messages
-
Oracle grant schema level security
I am having more schemas for different applications in the same database.
Each time an object is created, its access is granted to the appropriate role.
I don't like using the SELECT ANY TABLE privilege.
I would love to see a GRANT SELECT ON SCHEMA XXXX To ZZZZZ;
This would be almost like the SQL SERVER (YUK) DB_DATAREADER privilege.
I have not seen anything to indicate Oracle 11g has this support.
Are you just complaining or asking a question?
You can use
Something like:
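create or replace trigger do_grant
after CREATE on schema
declare
    l_str varchar2(255);
    l_job number;
begin
    -- Only react to CREATE TABLE events in this schema.
    if ( ora_dict_obj_type = 'TABLE' )
    then
        -- The grant is queued as a job, so it runs after the CREATE has committed.
        -- Double quotes stand in for single quotes and are swapped back by replace().
        l_str := 'execute immediate "grant select on ' ||
                 ora_dict_obj_name ||
                 ' to scott";';
        dbms_job.submit( l_job, replace(l_str,'"','''') );
    end if;
end;
/
as posted here in asktom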
http://asktom.oracle.com/pls/asktom/f?p=100:11:4434422967201937::::P11_QUESTION_ID:646423863863 -
Granting exp/imp privilege to externally authenticated user
DB version:11.2.0.2
OS : AIX 6.1
We have a DB User(schema) called OPS$appuser who is externally authenticated.
This user should be granted privilege to perform import of scott schema's dumpfile to another schema called appschema2.
This is what appuser will be doing at the unix command line
$ su - appuser
$ exp / owner=scott file=scott.dmp
$ imp / file=scott.dmp fromuser=scott touser=appschema2
In short, these are the DB schemas involved:
OPS$appuser -- The user performing the exp and imp
scott -- The schema which is being exported
appschema2 -- The schema which OPS$appuser imports the contents in scott.dmp to.
Due to security reasons, we can't grant IMP_FULL_DATABASE privilege to OPS$appuser. So, what privilege can I give to OPS$appuser to perform the above exp and imp tasks?
Hope the exp and imp syntax I've mentioned above is correct.
None, as imp_full_database is required for this.
Also you would better use expdp and impdp using the network_link parameter.
Doing so, you could write a pl/sql procedure using the dbms_data_pump API to replace the command line cr*p and there will be no commandline access required anymore.
Sybrand Bakker
Senior Oracle DBA -
Grant specific column level privilege
Without VPD, how will I grant a specific column-level privilege to a particular user?
grant update(id) on a to scott;
It is working fine.
Can anybody give other suggestions? -
Minimum rights needed for Oracle user to run BO
Hi team,
One of my customer here made connection from BO XI installer to oracle database with this user B_A. Say this user is the admin user of CMS db. Now he finds that the user B_A user has schema role rights which customer doesn't want
and he wants to remove those rights.
he wants to know what are the minimum privileges or rights oracle user needs to keep BO XI running without problem and if he can remove those excess schema rights from that.
could some one please help me
Regards,
DV
Well, the Oracle DBA should be able to answer all those questions for the customer.
I'm not a DBA, so my understanding of Roles is that they are the predefined collections of rights users have on the DB according to the usual roles users play.
So when DBAs are managing an Oracle DB they don't have to assign each user every single right, but can just assign Roles, which will include most common rights....
If we're talking rights alone - BOE CMS DB user needs create, delete, modify, expand, write, insert etc...
There is absolutely no reason why the CMS DB schema owner cannot have all the default rights that come with Resource and Connect roles. -
Hello,
I'm having some doubts regarding an error that I'm facing right now. We need to set up an RMAN tool so we can back up our SAP system (with Oracle Database), but it shows me the following error when I insert the user name PRDADM (which is the <sid>adm).
I don't know which user we need to use at this stage and which privileges it needs to work and make the backup of this Oracle database.
This is the error:
This user account does not have the privileges that are required to log on to the Oracle database.
In SQL Plus I checked which users I have in dba_users and this is the output:
SQL> select username from dba_users;
USERNAME
OPS$SAPSERVICEPRD
OPS$PT\PRDADM
OPS$PT\SAPSERVICEPRD
OUTLN
OPS$PRDADM
SAPR3SHD
DBSNMP
SYSMAN
SAPR3
OPS$LISES1001\SAPSERVICEPRD
MGMT_VIEW
OPS$LISES1001\PRDADM
OPS$ORAPRD
SYS
SYSTEM
DIP
TSMSYS
Can you help me please. Can you tell me which user I need to use?!
Kind regards,
samid raif
Hello samid,
Try this...
In Symantec tool (Backup Exec) you have to insert the following information:
In "Database Access" tab, you must use an OS user with the required privileges which are described in the following article from Symantec:
http://www.symantec.com/docs/TECH63665
In "Oracle" tab you need to add which oracle db instance you want to connect and also you need to insert an oracle user! For this I would suggest you to create a specific user for this backup procedure (<orauser>):
create user <orauser> identified by <orauser password>;
Then you need to add the required privileges for this oracle user, which are mentioned in the following article from Symantec:
http://www.symantec.com/docs/TECH82892
Now I guess you have all you need to run a backup without problems!
Kind regards,
João Dimas -
Linux non-oracle user cannot connect to database using TNS
LS,
I've installed Oracle 11gR2 on a linux box (name="ilmserver") running CentOS 5.4 (based on RHEL).
Created user "oracle" and groups "oinstall" and "dba".
Installation under user "oracle" went fine, and logged in as "oracle" user I can - naturally - access the database easily (via SQL+, or using SQL Developer it works via Basic, TNS, and Advanced (=jdbc)).
I have a second user on the linux box called "informatica", on which I have installed Informatica ILM 5.3.2, which uses the Oracle database as its repository.
The "informatica" user has been granted the same groups as the "oracle" user, i.e. "oinstall" and "dba".
I have severe problems accessing the Oracle database as the "informatica" user.
Using SQL Developer I can access the database using the "Basic" method, but not TNS.
But guess what: for ILM to work to its fullest extent I need to implement an environment variable called TNS_ADMIN.
I have implemented it, it sits in bash_profile and as such works fine:
[informatica@ilmserver ~]$ echo $TNS_ADMIN
/home/oracle/app/oracle/product/11.2.0/dbhome_1/network/admin
But as for being able to access it:
[informatica@ilmserver ~]$ cat $TNS_ADMIN/tnsnames.ora
cat: /home/oracle/app/oracle/product/11.2.0/dbhome_1/network/admin/tnsnames.ora: Permission denied
Somehow I thought that granting "oinstall" group to "informatica" user would take care of this. Obviously it doesn't. I also granted "dba" group to "informatica", to no avail apparently.
This is then - I assume - also the reason that when I want to connect using TNS from within SQL Developer, the dropdown list is empty (because it's not able to read TNSNAMES.ORA).
Does anyone know how to resolve this issue?
Thanks heaps!
Cheers, Patrick
Just ran all commands for oracle user:
[oracle@ilmserver ~]$ id
uid=502(oracle) gid=504(oinstall) groups=503(dba),504(oinstall),505(asmdba),506(asmadmin) context=user_u:system_r:unconfined_t
[oracle@ilmserver ~]$ env | sort
COLORTERM=gnome-terminal
CVS_RSH=ssh
DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-m8BEsoxTeM,guid=7c9a73a7390af7742e606e004e571934
DESKTOP_SESSION=default
DESKTOP_STARTUP_ID=
DISPLAY=:0.0
G_BROKEN_FILENAMES=1
GDMSESSION=default
GDM_XSERVER_LOCATION=local
GNOME_DESKTOP_SESSION_ID=Default
GNOME_KEYRING_SOCKET=/tmp/keyring-TQlAPU/socket
GTK_RC_FILES=/etc/gtk/gtkrc:/home/oracle/.gtkrc-1.2-gnome2
HISTSIZE=1000
HOME=/home/oracle
HOSTNAME=ilmserver
INPUTRC=/etc/inputrc
JAVA_HOME=/usr/java/jdk1.7.0
LANG=en_US.UTF-8
LESSOPEN=|/usr/bin/lesspipe.sh %s
LOGNAME=oracle
LS_COLORS=no=00:fi=00:di=00;34:ln=00;36:pi=40;33:so=00;35:bd=40;33;01:cd=40;33;01:or=01;05;37;41:mi=01;05;37;41:ex=00;32:*.cmd=00;32:*.exe=00;32:*.com=00;32:*.btm=00;32:*.bat=00;32:*.sh=00;32:*.csh=00;32:*.tar=00;31:*.tgz=00;31:*.arj=00;31:*.taz=00;31:*.lzh=00;31:*.zip=00;31:*.z=00;31:*.Z=00;31:*.gz=00;31:*.bz2=00;31:*.bz=00;31:*.tz=00;31:*.rpm=00;31:*.cpio=00;31:*.jpg=00;35:*.gif=00;35:*.bmp=00;35:*.xbm=00;35:*.xpm=00;35:*.png=00;35:*.tif=00;35:
MAIL=/var/spool/mail/oracle
ORACLE_BASE=/home/oracle/app/oracle
ORACLE_HOME=/home/oracle/app/oracle/product/11.2.0/dbhome_1
ORACLE_HOSTNAME=ilmserver
ORACLE_SID=orcl
PATH=/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/home/oracle/bin:/usr/java/jdk1.7.0/bin:/usr/sbin:/sbin:/home/oracle/app/oracle/product/11.2.0/dbhome_1/bin
PWD=/home/oracle
SESSION_MANAGER=local/ilmserver:/tmp/.ICE-unix/14477
SHELL=/bin/bash
SHLVL=2
SSH_AGENT_PID=14513
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
SSH_AUTH_SOCK=/tmp/ssh-INwup14477/agent.14477
TERM=xterm
TNS_ADMIN=/home/oracle/app/oracle/product/11.2.0/dbhome_1/network/admin
USERNAME=oracle
USER=oracle
_=/usr/bin/env
WINDOWID=24117329
XAUTHORITY=/tmp/.gdm9ITN0V
XMODIFIERS=@im=none
[oracle@ilmserver ~]$ ls -l /home/oracle/app/oracle/product/11.2.0/dbhome_1/network/admin/tnsnames.ora
-rw-r----- 1 oracle oinstall 879 Aug 24 21:39 /home/oracle/app/oracle/product/11.2.0/dbhome_1/network/admin/tnsnames.ora
[oracle@ilmserver ~]$ ls -ld /home/oracle/app/oracle/product/11.2.0/dbhome_1/network/admin/
drwxr-xr-x 3 oracle oinstall 4096 Aug 24 21:39 /home/oracle/app/oracle/product/11.2.0/dbhome_1/network/admin/
[oracle@ilmserver ~]$ ls -ld /home/oracle/app/oracle/product/11.2.0/dbhome_1/
drwxr-xr-x 74 oracle oinstall 4096 Aug 23 19:00 /home/oracle/app/oracle/product/11.2.0/dbhome_1/
[oracle@ilmserver ~]$ ls -ld /home/oracle/app/oracle/product/11.2.0/
drwxr-xr-x 3 oracle oinstall 4096 Aug 23 18:21 /home/oracle/app/oracle/product/11.2.0/
[oracle@ilmserver ~]$ ls -ld /home/oracle/app/oracle/product/
drwxr-xr-x 3 oracle oinstall 4096 Aug 23 18:21 /home/oracle/app/oracle/product/
[oracle@ilmserver ~]$ ls -ld /home/oracle/app/oracle/
drwxr-xr-x 10 oracle oinstall 4096 Aug 24 17:29 /home/oracle/app/oracle/
[oracle@ilmserver ~]$ ls -ld /home/oracle/app/
drwxr-xr-x 4 oracle oinstall 4096 Aug 23 18:21 /home/oracle/app/
[oracle@ilmserver ~]$ ls -ld /home/oracle/
drwx------ 22 oracle oinstall 4096 Aug 25 20:55 /home/oracle/
Naturally the "oracle" user has full access to its own directories.
A thought just occurred to me. I assume that theoretically it's possible to grant read privilege to the informatica user on all these directories... would that do the trick?
But even if so, makes me wonder whether that is "best practice".
Also, I cannot imagine I'm the first person to encounter this scenario, and therefore there must be some standard approach to enable this.
Any suggestions/thoughts?
As for the TNSNAMES.ORA suggestion, I guess that is possible. Makes administration of TNSNAMES a bit more cumbersome though, as in, 2 files to maintain... risk of getting out of sync when making 'quick and dirty' changes without thinking things through too much (which shouldn't happen... but sometimes does anyway).
I'd prefer a solution where "informatica" has genuine access to TNSNAMES.ORA.
Thanks, Patrick
ps the bold bits with env.var LS_COLORS are unintentional, but don't know how to turn that off -
How to grant all the privileges of a specific schema to a user?
How to grant all the privileges of a specific schema to a user?
I already created a new schema and imported the necessary data for that schema.
Now I want to assign all the privileges for that schema to user HR (let user HR become the owner of that schema). How to deal with it?
Edited by: qkc on May 13, 2011 10:45 AM
qkc wrote:
How to grant all the privileges of a specific schema to a user?
I already created a new schema and imported the necessary data for that schema.
Now I want to assign all the privileges for that schema to user HR (let user HR become the owner of that schema). How to deal with it?
Edited by: qkc on May 13, 2011 10:45 AM
There is no way - by definition - that one user can "become the owner" of another schema. A schema is, by definition, the collection of objects that belong to one owner.
But perhaps that is just semantics in the context of what you really want.
Use SQL to build SQL:
-- suppress headings and feedback so doit.sql contains only the GRANT statements
set heading off feedback off pagesize 0
spool doit.sql
select 'grant select on someuser.' || table_name || ' to someotheruser;'
  from dba_tables
 where owner = 'SOMEUSER';
spool off -
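The same "SQL builds SQL" idea as a single PL/SQL block that grants through a role, added here as an example and not code from any poster in this thread. SOMEUSER and SOMEOTHERUSER come from the reply above; the role name SOMEUSER_READ is an assumption, and the block is assumed to run as a DBA who can read DBA_OBJECTS and holds GRANT ANY OBJECT PRIVILEGE.

```sql
SET SERVEROUTPUT ON

-- Hypothetical role that collects the read-only grants.
CREATE ROLE someuser_read;

DECLARE
    c_owner CONSTANT VARCHAR2(30) := 'SOMEUSER';       -- schema that owns the objects
    c_role  CONSTANT VARCHAR2(30) := 'SOMEUSER_READ';  -- assumed role name
    l_sql   VARCHAR2(400);
BEGIN
    -- Tables and views only: EXECUTE on procedures is left out on purpose,
    -- because a definer's-rights procedure can modify data for its caller.
    FOR obj IN (SELECT object_name
                  FROM dba_objects
                 WHERE owner = c_owner
                   AND object_type IN ('TABLE', 'VIEW')
                   AND object_name NOT LIKE 'BIN$%'     -- skip recycle-bin objects
                 ORDER BY object_name)
    LOOP
        -- ENQUOTE_NAME double-quotes each identifier, so mixed-case or odd
        -- object names cannot change the shape of the GRANT statement.
        l_sql := 'GRANT SELECT ON '
              || DBMS_ASSERT.ENQUOTE_NAME(c_owner, FALSE) || '.'
              || DBMS_ASSERT.ENQUOTE_NAME(obj.object_name, FALSE)
              || ' TO ' || DBMS_ASSERT.SIMPLE_SQL_NAME(c_role);
        BEGIN
            EXECUTE IMMEDIATE l_sql;
        EXCEPTION
            WHEN OTHERS THEN
                -- Report and continue, so one ungrantable object does not
                -- stop the rest of the schema from being processed.
                DBMS_OUTPUT.PUT_LINE('skipped: ' || l_sql || ' (' || SQLERRM || ')');
        END;
    END LOOP;
END;
/

-- Users receive the role, not hundreds of individual object grants.
GRANT someuser_read TO someotheruser;
```

Objects created after the block runs are not covered; it has to be re-run, or paired with a CREATE trigger like the one quoted from asktom earlier on this page.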
Oracle Unix 9 - slow granting Schema object to User
I have a problem. I can't figure out why granting schema objects to users takes a longer time. Here is my code:
DECLARE
    alert_button NUMBER;
    CURSOR Teller_Cur IS SELECT * FROM TELLER_M;
BEGIN
    alert_button := Show_Alert('AlertOK');
    IF alert_button = ALERT_BUTTON1 THEN
        FOR Teller_Rec IN Teller_Cur LOOP
            Message('Setting table access for ' || Teller_Rec.Teller_ID || ' in progress, please wait....', No_acknowledge);
            IF :DTABLE IS NOT NULL THEN
                -- Granting Schema object to new User
                IF SUBSTR(:DTABLE, 1, 4) = 'TEMP' THEN
                    Forms_DDL('GRANT SELECT, INSERT, UPDATE, DELETE ON ' || :DTABLE || ' TO ' || Teller_Rec.Teller_Id || '');
                ELSE
                    IF Teller_Rec.SELECT_ACCESS = 'Y' THEN
                        Forms_DDL('GRANT SELECT ON ' || :DTABLE || ' TO ' || Teller_Rec.Teller_Id || '');
                    END IF;
                    IF Teller_Rec.INSERT_ACCESS = 'Y' THEN
                        Forms_DDL('GRANT INSERT ON ' || :DTABLE || ' TO ' || Teller_Rec.Teller_Id || '');
                    END IF;
                    IF Teller_Rec.UPDATE_ACCESS = 'Y' THEN
                        Forms_DDL('GRANT UPDATE ON ' || :DTABLE || ' TO ' || Teller_Rec.Teller_Id || '');
                    END IF;
                    IF Teller_Rec.DELETE_ACCESS = 'Y' THEN
                        Forms_DDL('GRANT DELETE ON ' || :DTABLE || ' TO ' || Teller_Rec.Teller_Id || '');
                    END IF;
                END IF;
                -- Creating Synonyms in new User schema
                Forms_DDL('CREATE SYNONYM ' || Teller_Rec.Teller_Id||'.'|| :DTABLE || ' FOR ' || :DTABLE ||'');
            ELSE
                -- for stored procedure:
                Forms_DDL('CREATE SYNONYM ' || Teller_Rec.Teller_Id||'.'|| :DSTOREDP || ' FOR ' || :DSTOREDP ||'');
                Forms_DDL('GRANT EXECUTE ON ' || :DSTOREDP || ' TO ' || Teller_Rec.Teller_Id || '');
            END IF;
        END LOOP;
        Message('Setting table access completed!!!', No_acknowledge);
    END IF;
END;
If I use Oracle 8.1.7 locally, it doesn't take more than 5 minutes to grant access, whereas Oracle 9.0.1 (through the network) is taking more than 20 minutes.
If anyone knows, do help me.
Thank you.
The problem is not the difference between the database versions, I think; it's the location of the server.
Take a look at how much network traffic one call of forms_ddl causes. You have this traffic for each call of forms_ddl. On the local server this might not be so much of a problem, but with the network in between this is much slower...
Try to bundle up your statements or, even better, put the whole stuff in a database procedure to do it via one call. I sped up creating grants and synonyms from 10 minutes via forms_ddl to 3 minutes using a database procedure.
The only limitation is that your messages won't display for each user.
regards -
Oracle users and revoking privileges
Hello,
To test out some error conditions in an application, I'd like to temporarily revoke a privilege on a table from a database user.
I am trying to do that, logged into SQL*Plus as "sys" or "system", and running the command:
REVOKE UPDATE ON USERX.TABLE_A FROM USERX;
However, this is failing with the following message:
ORA-01927: cannot REVOKE privileges you did not grant
I've also tried logging into my server as oracle, typing "sqlplus /nolog" at the command line, then "connect internal as sysdba;" from the SQL*Plus prompt, and then running the REVOKE command, but that results in the same error message.
So basically my question is: if neither the "sys" nor the "system" user is able to revoke the privilege from the "userx" user (because they did not specifically grant it), how would I determine which oracle user would be able to do this? Or how else would I go about revoking the privilege?
I'm running Oracle8i Enterprise Edition Release 8.1.6.1.0 on Linux.
Thanks for your help with this. I am not very familiar with Oracle DBA concepts.
Hello,
I fully agree with Eric.... Yes! A user created a table means... the user is the OWNER of the table.... and that means...... the user by default has the privilege of DML operations... I believe... OK
And the privileges which you have not granted... then how could you revoke them... whether it may be SYS or SYSTEM or, for that matter, any user a/c.
If you really want to restrict the restrict option on a table owned by your user, then I can suggest putting a Schema Level Trigger on the DML action. This will be fired when update is invoked on the table by the user and there you can have your STOP mechanism..... BUT.. this is not really suggested.
Regards,
Kamesh Rastogi
Oracle - DBA -
Granting ALTER SYSTEM privilege to Application user
DB version:10gR2
When we purchased a logistics application software, we have been asked to grant alter system privileges to the Application Oracle user/schema by the application vendor. They said they need this to change Instance level parameters like OPTIMIZER_MODE,..etc. What do you guys think?
Edited by: GarryB on Feb 17, 2009 10:25 PM
GarryB,
This is a strange idea. Many parameters can be altered on session level.
If they want to change static parameters, do they also require the privilege to bounce the instance?
Even if the application would need to change parameters, this should be encapsulated in a procedure created in a privileged user, with execute privilege granted to the application owner.
I feel you will regret having purchased this application sooner or later; the vendor doesn't seem to know much about Oracle.
Hth
Sybrand Bakker
Senior Oracle DBA -
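A sketch of the wrapper procedure suggested in the reply above, added here as an example and not code from the poster or the vendor. The schema names PARAM_ADMIN (privileged owner) and APP_OWNER (application schema) are hypothetical, and OPTIMIZER_MODE is the only parameter the thread names, so it is the only one on the allow-list.

```sql
-- Run once by a DBA. The grant must be direct: roles are disabled inside
-- definer's-rights procedures, so ALTER SYSTEM held via a role would not work.
GRANT ALTER SYSTEM TO param_admin;

CREATE OR REPLACE PROCEDURE param_admin.set_instance_param (
    p_name  IN VARCHAR2,
    p_value IN VARCHAR2
)
AUTHID DEFINER
AS
    l_name  VARCHAR2(100) := UPPER(TRIM(p_name));
    l_value VARCHAR2(100) := UPPER(TRIM(p_value));
    l_ok    BOOLEAN       := FALSE;
BEGIN
    -- Allow-list: only the named parameter, and only these values.
    -- Anything else, including NULL input, falls through to the error.
    IF l_name = 'OPTIMIZER_MODE' THEN
        l_ok := l_value IN ('ALL_ROWS', 'FIRST_ROWS', 'FIRST_ROWS_1',
                            'FIRST_ROWS_10', 'FIRST_ROWS_100', 'FIRST_ROWS_1000');
    END IF;

    IF l_ok THEN
        -- Concatenation is safe here because both strings have just been
        -- matched against literals in this procedure.
        -- SCOPE = MEMORY keeps the change out of the spfile, so it does not
        -- survive an instance restart.
        EXECUTE IMMEDIATE
            'ALTER SYSTEM SET ' || l_name || ' = ' || l_value || ' SCOPE = MEMORY';
    ELSE
        RAISE_APPLICATION_ERROR(-20001, 'parameter or value is not on the allow-list');
    END IF;
END set_instance_param;
/

-- The application schema gets EXECUTE on the wrapper, never ALTER SYSTEM itself.
GRANT EXECUTE ON param_admin.set_instance_param TO app_owner;
```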
Grant privileges and permission to user, to create user and database in 10g
Hi,
I'm very much new to Oracle 10g database and after all my search, I think this forum will help me to solve my puzzle. Installed Oracle 10g database and during installation created a Global database "TestDB". I created an user "user1" in sqlplusw, by logging in as system.
Now I need to know what privileges and permissions should be given to this "user1", so that I can create new users and create a database by logging in as "user1". I don't want to inherit all the system privileges of SYSTEM or SYSDBA or SYS or SYSOPER.
Is there a way I could achieve this by explicitly granting the required privileges and permissions?
You may need to know all the views to get the privilege information.
SQL> conn /as sysdba
SQL> select table_name from dict where table_name like '%PRIV%';
And also, take a look into below Oracle Documentations.
http://download.oracle.com/docs/cd/B19306_01/server.102/b14200/statements_9013.htm#SQLRF01603
Regards,
Sabdar Syed. -
Select Grant on local Table to the Remote Oracle User
How Can we Give a SELECT Grant on a Specific Table to the Remote Oracle User.
IIRC, the remote user accesses local objects via a schema on the local database. That suggests you need to grant SELECT on the local table to the local schema that the remote user connects by.
-
Check package/procedure level privileges for a user
hi gurus,
how to check the package/procedure level privileges for a user? like dba_tab_privs for tables.
for eg: grant execute on dbms_scheduler to user1.
now, i need to verify that user1 has execute privilege on dbms_scheduler or not.
what's the view for this?
thanks in advance,
charles
SQL> select privilege, count(*) from dba_tab_privs group by privilege order by 1;
PRIVILEGE            COUNT(*)
ALTER                      19
DEBUG                     256
DELETE                    131
DEQUEUE                     3
EXECUTE                 19315
FLASHBACK                  52
INDEX                      14
INSERT                    137
MERGE VIEW                 36
ON COMMIT REFRESH          52
QUERY REWRITE              52
PRIVILEGE            COUNT(*)
READ                        7
REFERENCES                 54
SELECT                   3752
UNDER                       3
UPDATE                    111
WRITE                       5
17 rows selected.
DBA_TAB_PRIVS is for more than just tables. -
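A query for the check asked about above, added here as an example and not part of the original reply. USER1 and DBMS_SCHEDULER are the names from the question; the owner SYS is where that package lives. It goes beyond the direct grant and also reports EXECUTE reached through PUBLIC or through roles, including roles granted to roles.

```sql
SELECT p.grantee,
       p.owner,
       p.table_name AS object_name,   -- DBA_TAB_PRIVS uses TABLE_NAME for every object type
       p.privilege,
       p.grantable
  FROM dba_tab_privs p
 WHERE p.owner      = 'SYS'
   AND p.table_name = 'DBMS_SCHEDULER'
   AND p.privilege  = 'EXECUTE'
   AND p.grantee IN (
           SELECT 'USER1'  FROM dual      -- granted directly to the user
           UNION ALL
           SELECT 'PUBLIC' FROM dual      -- granted to everyone
           UNION ALL
           SELECT granted_role            -- roles held directly or via other roles
             FROM dba_role_privs
            START WITH grantee = 'USER1'
          CONNECT BY PRIOR granted_role = grantee
       )
 ORDER BY p.grantee;
```

A row whose grantee is a role is usable in user1's sessions but not inside user1's own definer's-rights stored procedures, where roles are disabled.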
Granting the privileges to the Other User
Hi,
I am using Oracle 10g. My question is: I am selecting from the table party with SYSTEM as the user and SYSADM as the password, and it returns the records. When I select from the table Party with SYSADM as the user and SYSADM as the password, it gives the no rows message. I tried to give the privileges to SYSADM but it is not taking.
Can anyone give the process to give privileges to another user (meaning SYSTEM user tables to SYSADM user tables)?
Can anyone give a suggestion..!
Thank you..!
Hi,
I am using Oracle 10g. Previously I asked the question; there is no reply.
So I tried these commands but no effect. Please can anyone tell me any suggestions.
Here SYSTEM is User, SYSADM is PASSWORD, TEST is Database
connected as SYSTEM/SYSADM@TEST
SQL> GRANT INSERT, DELETE, UPDATE, SELECT ON ' || table_name || ' TO SYSADM; Here SYSADM is Another USER Name
Grant succeeded.
Like this i am getting. Any mistake i made when writing this Statement, Otherwise why this is not granting Privileges to other USER SYSADM
Pls. Tell me any Suggestions..!
Thank u..!