Granting read only access

Is there a way to grant read only access to all tables in a schema, rather than doing it for each individual table in the schema?

I have a package that does something just like this, here is a snippit. It uses dynamic SQL to build the GRANT statements. I'm not sure if this is a 'best practice', but it works for me.
      --Find the tables to GRANT SELECT privileges on
      string_query := 'SELECT DISTINCT ''' || LOWER(schema_name) || '.''|| ' || 'table_name FROM all_tables WHERE UPPER(owner) LIKE ''%' || UPPER(schema_name) || '%''';
      OPEN c FOR string_query;
         LOOP
            FETCH c INTO table_name;
         EXIT WHEN c%NOTFOUND;
            --Build the GRANT string
            string_grant := 'GRANT SELECT ON ' || LOWER(table_name) || ' TO ' || UPPER(role_name);
            --GRANT privilege
            EXECUTE IMMEDIATE string_grant;
         END LOOP;
      CLOSE c;

Similar Messages

  • Granting Read Only Access to user in another schema

    Oracle Database 10g
    Red Hat Enterprise Linux Server release 5.3
    We are requested by a developer to grant his account read only access to TABLES, VIEWS, INDEXES, SEQUENCES, FUNCTIONS, PROCEDURES, PACKAGES, TRIGGERS, JOBS of another schema.
    I know granting read only access to Tables and Views. But is it possible to grant READ ONLY access to other mentioned objects ? How to do it ?
    And some views are in INVALID status.
    I tried to compile them using alter view owner.viewname compile;
    But got this ---- Warning: View altered with compilation errors.
    Those views are still in INVALID status. And then I tried to use utlrp.sql . Same result.
    Then I used the following
    SELECT TEXT FROM DBA_VIEWS WHERE VIEW_NAME='view-name';
    select REFERENCED_NAME,REFERENCED_TYPE from dba_dependencies where name='view-name';
    It turns out some reference types are non existent.
    Does that mean DBAs cannot do anything about this ?

    Nilton wrote:
    We are requested by a developer to grant his account read only access to TABLES, VIEWS, INDEXES, SEQUENCES, FUNCTIONS, PROCEDURES, PACKAGES, TRIGGERS, JOBS of another schema.
    I know granting read only access to Tables and Views. But is it possible to grant READ ONLY access to other mentioned objects ? How to do it ?
    TABLES -> YES grant SELECT
    VIEWS -> YES grant SELECT
    SEQUENCE -> YES grant SELECT
    INDEXES -> There is no read access for indexes...indexes are put on tables and a user who has read access on tables can read the index as well.
    FUNCTIONS / PROCEDURES / PACKAGES -> I am not sure what you mean by read access on procedures, functions and packages. You may grant EXECUTE privilege on these.
    TRIGGERS -> there is no read access on triggers required. They are implemented on tables for a DML event. If the user has DML access he has the execute access on the trigger as well.
    JOBS -> I am not sure what to read from Jobs.
    And some views are in INVALID status.
    I tried to compile them using alter view owner.viewname compile;
    But got this ---- Warning: View altered with compilation errors.
    Those views are still in INVALID status. And then I tried to use utlrp.sql . Same result.
    Then I used the following
    SELECT TEXT FROM DBA_VIEWS WHERE VIEW_NAME='view-name';
    select REFERENCED_NAME,REFERENCED_TYPE from dba_dependencies where name='view-name';
    It turns out some reference types are non existent.
    Does that mean DBAs cannot do anything about this ?There are compilation errors in the Views. e.g. the view may be referring to a table which doesn't exist etc.
    Unless you fix the error in the view you can't compile it and male it valid. Fix the view errors. If objects are non existing create them or refer to view to some where else.
    If the nonexistent objects were mistakenly dropped, or the data file which contained those objects was dropped, no matter what was the reason for that object to be gone a DBA can bring it back if he is a well prepared DBA and has setup his database for such kind of disasters.
    Now tell us why those objects are non-existent ? were they meant to be gone ? or they were dropped mistakenly?
    Now here are my guesses:
    If they were meant to be gone then probably the views definitions need to be adjusted not to refer them anymore.
    If they were mistakenly dropped then:
    Do you have them in recyclebin? (only tables) if YES just FLASHBACK TABLE <<tablename>> AS BEFORE DROP.
    Is your database has Flashback database ON? if YES FLASHBACK DATABASE until 'time/scn just before the object was dropped'
    Do you have backups and your database is running in ARCHIVE LOG mode? if YES perform an incomplete recovery using RMAN.

  • Read Only access to tablespace

    Hi,
    Oracle 10.2.0.4
    How can I grant read only access to a tablespace for a user.
    Thanks

    It is no ussual.... a tablespace is a box where one or more user store his data... sure you do not want to say user and not tablespace?
    Grant select to the objects of this tablespace...DBA_TABLES or ALL_TABLES...
    Select 'GRANT SELECT ON ' || OWNER || '.' || TABLE_NAME || ' TO <USERNAME> ' FROM DBA_TABLES WHERE TABLESPACE_NAME = <TABLESPACE>

  • Read only access to J2EE related tools

    Hello,
    I would like to help our auditors access everything they need to check in the Java systems, but I am not ready to give them ADMIN accounts. That`s why I need some kind of read only access for them.
    So I would like to ask you if there is a SAP Note about the read only access roles for J2EE/ Java AS?
    I am afraid there is no such note available, so can anybody share any experience with granting read only access to the Java system? I know how to grant access to the whole NWA, but what about the rest?
    Examples:
    - is there a way how to grant read only access only to the UME?
    - is there a role for read only access to the portal PCD?
    - is there something similar for KM access?
    Or has anybody ever tried to split the admin roles into smaller pieces? Is there a description/ document how to do such thing?
    Thank you for your time and effort,
    cheers Otto

    Hi,
    thanks for trying, but I can use help.sap.com and was on that page before.
    Maybe if there were any examples there or better: if the whole thing would be more granular (I see no point in using roles starting with SUPER, containing ADMIN or ending with ALL). I am looking for roles for surgery or for auditing. I don`t want to give anybody these super/admin/all roles just like that.
    If you can suggest how to use that page, that would be cool. Otherwise I see no use.
    By the way: another question of mine about surgery: How to restrict access to download/ upload UME configuration file
    I would like to know how to controla access to this specific feature, nothing else.
    Thanks for the time and effort,
    cheers Otto

  • How to configure Mailbox Read-Only access for Mailbox's owner on Exchange Server 2010?

    I have to configure the Exchange Server 2010's mailbox to only grant Read-Only Access on the mailbox's owners.  So they can only allowed to read their messages and cannot modify or remove them.  Are there any references or methods to do?

    Hi,alexchy8
    We can make use of 2 PowerShell commands to achieve this goal.
    Add-MailboxPermission and Add-MailboxFolderPermission.
    Execute the Add-MailboxPermission command to delegate the read permission at mailbox level.
    Execute the Add-MailboxFolderPermission command to delegate the required permissions on specific folders inside the mailbox.
    You can read the following article as reference:
    http://www.exchangedictionary.com/articles/assign-read-only-mailbox-permission-on-exchange-2010-2013-powershell
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Microsoft cannot make any representations regarding the quality, safety,
    or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Best Regards.

  • Read only access to Admin Console in WL 6.1

    Hi,
    I've seen a couple of questions already posted about this... but so far no answers!
    Does anyone know how to grant read only access to the WL 6.1 Admin Console? The
    supplied user "guest" doesn't seem to have any access, so I was wondering what
    needs to be edited to enable this.... I've tried adding ACL's with "read" permission,
    but that doesn't seem ot help.
    Any thoughts would be most appreciated.
    Jim

    Brown,
    This functionality is not available in 6.1. The newest version of wls
    8.1 has this feature depending on the role that the user is in.
    ~satya
    Mr. Brown wrote:
    Is there a way to restrict a user to read-only priv. on the weblogic
    console? Either by using acl's or other means.
    Thanks in advance,
    Brown

  • Read-Only Access to Specific SAP tables

    Is it possible to grant a user read-only access to a specific table or tables?
    For example, say I wanted to give someone SE16N capability for just EKKO/EKPO/EKBE and NO OTHER tables.  Is this possible?  How?
    Thanks.

    Hi,
    as it was mentioned the transaction SE16N checks for authorization object S_TABU_DIS. The problem in your case is that the tables EKKO, EKPO and EKBE are already assigned to the authorization group MA - MM Appl. table. But there are many more tables assigned to this group. Changing assignment of standard tables is not a good idea.
    Cheers

  • Read only access of a full schema ?

    Hi all,
    Can i create a role having read only access of a full schema ?
    Thanks in advance.

    Can i create a role having read only access of a
    full schema ?The point here is that there is not a single command to perform this task, so you will have to do it on a per object basis. If you want to give access to the complete schema then it is advisable to create a script to grant on each table and on each view from the source schema. By providing read only to the full schema, I understand you are referring not also to the tables but also to the views, sequences, and may be stored program units, so you will have to properly define the scope of this 'full schema'.
    Once you have properly defined the scope and have granted, as suggested by means of a role, then you may want to create synonyms for each granted object, so you don't have to qualify it with the schema name prefix when the object is being accessed.
    ~ Madrid

  • Read only access on abc scheema to all other users

    i want to give read only access on abc scheema to all other users. which command will be used.

    Hi
    Create a role first
    CREATE ROLE ABC_SELECTONLY_ROLE IDENTIFIED BY anypassword;
    Assign SELECT permissions to that role.
    spool c:\grantprivs.lst
    SELECT 'GRANT SELECT ON ABC.'||OBJECT_NAME||' TO ABC_SELECTONLY_ROLE;'
    FROM DBA_OBJECTS
    WHERE OWNER LIKE 'ABC'
    AND OBJECT_TYPE IN ('TABLE', 'VIEW');
    spool off
    @c:\grantprivs.lst
    Attach role to users (EXCLUDE USERS AS YOU LIKE. In this example we have excluded SYS, SYSTEM etc)
    spool c:\attachrole.lst
    SELECT 'GRANT ABC_SELECTONLY_ROLE TO '||USERNAME||';'
    FROM DBA_USERS
    WHERE USERNAME NOT IN ('SYS','SYSTEM',DBSNMP','SYSMAN');
    spool off
    @c:\attachrole.lst
    You may wish to create private synonyms for the users.
    CREATE SYNONYM USER1.TABLENAME FOR ABC.TABLENAME;
    Regards
    Adnan

  • Read only access in MIIS

    Experts,
    How to provide read only access in MIIS?
    Thanks,
    Manohar

    Do you mean what MIIS security group needs to be added? If yes, then MIISBrowse sounds the one. You can find more from Technet:
    MIISAdmins - Members of this group have full access to Identity Manager.
    MIISBrowse - Members of this group are granted permission to gather user information through the use of Windows Management Instrumentation (WMI) queries.
    MIISJoiners - Members of this group can perform metaverse search operations in Identity Manager and can perform join and disconnect operations.
    MIISOperators - Members of this group can run management agents, view synchronization statistics and save run histories.
    MIISPasswordSet - Members of this group can perform all operations using the password management interface with WMI. This group also inherits the permissions of
    MIISBrowse.
    MIIS 2003 Security Considerations

  • Give user Read-Only access to one table in a database.

    Does anyone know how to give a user account Read-only access to 1 table within a SQL Server Database using SQL Server Management Studio? I don't want the account to be able to access any other tables in the database, just the one table. I'm not a sql programmer,
    so if there is a way to do it in Sql Server Managment Studio settings that would be the best.

    Using Management Studio, I assume you already have a login and user for that person. If not,
    How to: Create a SQL Server Login http://msdn.microsoft.com/en-us/library/aa337562.aspx
    How to: Create a Database User
    http://msdn.microsoft.com/en-us/library/aa337545.aspx
    1. Then, in Object Explorer, expand the Database, expand
    Tables, right-click the table you want, and then click
    Properties. 
    2. On the Permissions page, under Users or Roles, click
    Search, then Browse, etc, until you find the user. Click
    OK until you are back to the Permissions page.
    3. In the Permission for <user>section, find the
    SELECT (that's the read permission) and click the Grant
    box. Then click OK.
    Rick Byham, Microsoft, SQL Server Books Online, Implies no warranty

  • OAS 10g (10.1.2) - Read only Access Required to oc4j Container Settings

    As a load tester I need to be able to access the details of the container settings for our live servers to enable me to mimic this set up on my test kit.
    of particular interest are the Server Properties and Data Sources for each container.
    I am not permitted a username/login for the live OAS.
    The Unix admins looking after this kit tell me it's not possible to grant me read only access.
    Is this the case?
    Is there any other way for me to get this information without a live login - can OAS export the details of these settings?
    It's very frustrating to have to rely on info handed down from the Unix admins as and when they have the time to give it to me!....
    Any help much appreciated....

    The Unix admins looking after this kit tell me it's not possible to grant me read only access.
    Is this the case?
    NO, the UNIX Admins are full of it. Here are several (but not all settings)
    400 Owner Readable
    600 Owner Readable and Writeable
    700 Owner Readable and Writeable and Execute
    740 Owner Readable and Writeable and Execute Plus Group Readable
    760 Owner Readable and Writeable and Execute Plus Group Readable and Writeable
    770 Owner Readable and Writeable and Execute Plus Group Readable and Writeable and Execute
    774 Owner Readable and Writeable and Execute Plus Group Readable and Writeable and Execute and Other Readable
    776 Owner Readable and Writeable and Execute Plus Group Readable and Writeable and Execute and Other Readable and Writeable
    777 Owner Readable and Writeable and Execute Plus Group Readable and Writeable and Execute and Other Readable and Writeable and Execute
    Is there any other way for me to get this information without a live login - can OAS export the details of these settings?
    Sorry I don't know the answer to this one
    And don't tell the Unix admins your handle is "TestCowboy" most of them don't have much of a sense of humor. (But I think its great!)

  • Grant read only permission on my stored procedure.

    I have a requirement like give reaonly access on my stored procedure to another user , not even execute permission on that steored procedure.
    Could you please let us know the command ?

    Marwim wrote:
    You can read the source of any PL/SQL code in dba_sourceBut that requires a priv such as select any dictionary to be granted. Why would you want to give a schema access to reading any and all source code in the database?
    This is why I think it is important that the OP provides the reasons behind the question of granting read-only source code access.
    Security is a critical component of software engineering. The basic security principle is to grant the absolute minimum privileges required to s/w and users to get the job done. Granting access to a schema read access to a dictionary view like DBA_SOURCE violates it.
    If userB wants to see userA's source code - then why not have userA simply mail it to userB, or check the code into a common source code repository?

  • Grant read only-rights to own schema

    Hallo,
    i have a schema (and i am the owner) of schema bbi. Now I wanna give to me read-only- rights. Is this possible? What ist the sql-query to give this rights to bbi? Which rights do I have as the owner of a schema? Which tables are nessasary?
    Hope I do not mix anything!!
    Thanks, Katrin

    One possible way would be to put your table into an
    read-only tablespace, but then no one could update
    it.Although the owner can still drop tables in a read-only tablespace (since that only involves updating entries in the data dictionary).
    I'd second Andrew's question about why you'd want to do this. Normally, you would have one user that owned all the objects and grant many other users read-only access to that schema.
    Justin

  • Role for system data dictionary read-only access

    [NOTE: this is for 9i]
    What grants must a role have to have read-only access to
    the system data dictionary tables (e.g.: ALL_SOURCE,
    ALL_OBJECTS, ...)?
    Or, is there somewhere in the docs that talks about this
    kind of role?
    Thanks in advance,
    Robert

    Well, the answer to your explicit question would be that it would need SELECT on each of the data dictionary views that do not have SELECT granted to PUBLIC. To find out what those are, you could do:
    SELECT table_name, privilege
    FROM dba_tab_privs
    WHERE grantee = 'SELECT_CATALOG_ROLE'however, it would probably be easier just to grant it SELECT_CATALOG_ROLE :-)
    John

Maybe you are looking for

  • Exporting a report to Excel

    Hi Guys, Is it possible for a simple report (NOT an ALV) to be exported into an excel file? Please let me know how... Thanks a lot! Regards, Mark

  • How can I find calendar items that are missing?

    I just went to do a mileage report for the past month and every item that is not a recurring item is missing. Is there any way to recovder these items?

  • ABAP Mapping in RFC to SOAP Scenario

    Hi Folks,     I have a scenario to send data from RFC to SOAP. I want to use the ABAP MApping for this case. Can anybody guide me how to do the ABAP Mapping for this case ? It will be real help if somebody can give a step by step guide ? Regards,   

  • File transfer issues in Skype 6.22?

    Recently updated to 6.22 and lost the ability to decline incoming files. In previous versions you had to options - accept or decline, now the only options seem to be "accept" or ignore and then the file request just sits in the chat window as incompl

  • Check last letter in a string

    Good Day All, I have a string field that does not a Consistence length. I want to check the last of this field and concatenate some text depending on the result. I've tried this but does not work. if mid({usp_wb_Reporting_AssetsUnderManagement_A2a_Ma