Recursive Role grants

Hi everyone,
I'm hoping someone can help me with this problem. No one in my office can figure it out.
Scenario:
Amy has been granted Role1 and Role1 has been granted Role2 and Role2 has been granted Role3
Role3 -> Role2 -> Role1 -> Amy
dba_role_privs table gives:
grantee granted_role
Amy Role1
Role1 Role2
Role2 Role3
My question is, what is the sql that I can use to link Amy to Role3??
grantee granted_role
Amy Role3
Please help!!
Thanks,
Mary

The following example should help you.
SQL> create role role1;
Role created.
SQL> create role role2;
Role created.
SQL> create role role3;
Role created.
SQL> grant role1 to role2;
Grant succeeded.
SQL> grant role2 to role3;
Grant succeeded.
SQL> grant create session to amy identified by amy;
Grant succeeded.
SQL> grant role1 to amy;
Grant succeeded.
SQL> select grantee, c.role
  2  from dba_role_privs a, role_role_privs b,role_role_privs c
  3  where a.granted_role = b.granted_role
  4  and b.role = c.granted_role
  5  and a.grantee = 'AMY';
GRANTEE                        ROLE
AMY                            ROLE3
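
An added example, not part of the thread or written by either poster: a hierarchical query that follows role grants to any nesting depth instead of a fixed number of self-joins, which is what an access review of nested roles needs. The role_grants name and its three rows are constructed from the question's sample data; the second statement assumes DBA access to the real dictionary views.

```sql
-- Added example; not code from the thread.
-- role_grants is a constructed stand-in holding the three rows from the
-- question. On a real database, drop the WITH clause and select FROM
-- dba_role_privs, which uses the same two column names.
WITH role_grants AS (
  SELECT 'AMY'   AS grantee, 'ROLE1' AS granted_role FROM dual UNION ALL
  SELECT 'ROLE1' AS grantee, 'ROLE2' AS granted_role FROM dual UNION ALL
  SELECT 'ROLE2' AS grantee, 'ROLE3' AS granted_role FROM dual
)
SELECT CONNECT_BY_ROOT grantee AS grantee,        -- the user the walk started from
       granted_role,                              -- role reached at this step
       LEVEL AS nesting_level,                    -- 1 = granted directly
       CONNECT_BY_ROOT grantee
         || SYS_CONNECT_BY_PATH(granted_role, ' -> ') AS grant_path
FROM   role_grants
START  WITH grantee = 'AMY'
CONNECT BY PRIOR granted_role = grantee           -- follow role -> role grants
ORDER  BY nesting_level;

-- The same walk used as a subquery: system privileges AMY holds directly
-- or through any nested role (real dictionary views, needs DBA access).
SELECT sp.grantee AS granted_to, sp.privilege
FROM   dba_sys_privs sp
WHERE  sp.grantee = 'AMY'
   OR  sp.grantee IN (SELECT granted_role
                      FROM   dba_role_privs
                      START  WITH grantee = 'AMY'
                      CONNECT BY PRIOR granted_role = grantee)
ORDER  BY sp.privilege;
```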

Similar Messages

  • Missing Role Grants after datapump

    Hello OTN-Community,
    I have a problem with datapump. I am using some include filters to get the relevant data exported. One of these filters includes the ROLES of my database which start with a certain expression.
    After the export into another database these roles exist but all of the role grants and the grants to other users are missing. The object grants are exported correctly.
    What am I doing wrong?
    The export script:
    declare
    /*some declare specifications are not copied*/
    cursor curSchema is
    select
    distinct
    t.Mdbn_Name Name
    from
    ProphetMaster.Dat_MdBn t
    where
    Upper(t.MDBN_Name) not in ('****', '***');
    begin
    -- Define schemas
    SchemaList := '''****'',''***''';
    if ExportAllProphetUsers then
    for recSchema in  curSchema loop
          SchemaList := SchemaList||','''||recSchema.Name||''''; 
    end loop;
    end if;
    -- File size
    FileSizeStr := to_char(MaxFileSize)||'M';
    -- Directory
    DirectoryName := 'PHT_PUMP_DIR';
    execute immediate  'create or replace directory "'||DirectoryName||'" as '''|| PumpDir||''''; 
    -- JobName
    JobName := 'PHT_EXPORT'||DateStr;
    -- Filename
    if not FilenameWithDateTime then
    DateStr :='';
    end if;
    Filename := 'PHTDB'||DateStr||'_%U.DMP';
    Logfilename := JobName||'.LOG';
    -- Define and run the job
    h1 := dbms_datapump.open (operation => 'EXPORT', job_mode => 'FULL', job_name => JobName, version => 'COMPATIBLE');
    dbms_datapump.set_parallel(handle => h1, degree => ParallelExecutions);
    dbms_datapump.add_file(handle => h1, filename =>  Logfilename, directory => DirectoryName, filetype => 3);
    dbms_datapump.set_parameter(handle => h1, name => 'KEEP_MASTER', value => 0);
    --10g
    --dbms_datapump.add_file(handle => h1, filename => Filename, directory => DirectoryName, filesize => FileSizeStr, filetype => 1);
    --11g
    dbms_datapump.add_file(handle => h1, filename => Filename, directory => DirectoryName, filesize => FileSizeStr, filetype => 1, reusefile =>OverwriteFiles);
    dbms_datapump.set_parameter(handle => h1, name => 'INCLUDE_METADATA', value => 1);
    dbms_datapump.set_parameter(handle => h1, name => 'DATA_ACCESS_METHOD', value => 'AUTOMATIC');
    -- Include Schemas
    --dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'IN('||SchemaList||')', object_type => 'DATABASE_EXPORT/SCHEMA');
    dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'IN('||SchemaList||')', object_type => 'DATABASE_EXPORT/SCHEMA');
    dbms_datapump.metadata_filter(handle => h1, name => 'INCLUDE_PATH_EXPR', value => 'IN(''DATABASE_EXPORT/SCHEMA'')');
    --Include Profiles
    dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'like ''PROFILE_%''', object_type => 'PROFILE');
    dbms_datapump.metadata_filter(handle => h1, name => 'INCLUDE_PATH_EXPR', value => 'IN(''PROFILE'')');
    --Include Roles  
    dbms_datapump.metadata_filter(handle => h1, name => 'NAME_EXPR', value => 'like ''***%''', object_type => 'ROLE');
    dbms_datapump.metadata_filter(handle => h1, name => 'INCLUDE_PATH_EXPR', value => 'IN(''ROLE'')');
    -- Size estimate
    dbms_datapump.set_parameter(handle => h1, name => 'ESTIMATE', value => 'BLOCKS');
    --Start Job
    dbms_output.put_line('Import Job started; Logfile: '|| LogFileName);
    dbms_datapump.start_job(handle => h1, skip_current => 0, abort_step => 0);
    -- Wait for ending and finishing job
    dbms_datapump.wait_for_job(handle=>h1,job_state =>job_state);
    dbms_output.put_line('Job has completed');
    dbms_output.put_line('Final job state = ' || job_state);
    dbms_datapump.detach(handle => h1);
    The Import Script:
    begin
    dbms_output.Enable(buffer_size => null);
    -- Directory
    DirectoryName := 'PHT_PUMP_DIR';
    execute immediate  'create or replace directory "'||DirectoryName||'" as '''|| PumpDir||''''; 
    -- JobName
    JobName := 'PHT_IMPORT'|| to_char(sysdate,'_yyyy-MM-DD-HH24-MI');
    --FileNames
    Filename    := 'PHTDB'||FileNameDateStr||'_%U.DMP';
    LogFilename := JobName||'.LOG';
    h1 := dbms_datapump.open (operation => 'IMPORT', job_mode => 'FULL', job_name => JobName, version => 'COMPATIBLE');
    -- If the Data Pump import is run on a standard edition, this call line must be used
      --h1 := dbms_datapump.open (operation => 'IMPORT', job_mode => 'FULL', job_name => JobName, version => '10.2');
    dbms_datapump.set_parallel(handle => h1, degree => ParallelExecutions);
    dbms_datapump.add_file(handle => h1, filename =>  Logfilename, directory => DirectoryName, filetype => 3);
    dbms_datapump.set_parameter(handle => h1, name => 'KEEP_MASTER', value => 0);
    dbms_datapump.add_file(handle => h1, filename =>  Filename, directory => DirectoryName,  filetype => 1);
    dbms_datapump.set_parameter(handle => h1, name => 'INCLUDE_METADATA', value => 1);
    dbms_datapump.set_parameter(handle => h1, name => 'DATA_ACCESS_METHOD', value => 'AUTOMATIC');
    dbms_datapump.set_parameter(handle => h1, name => 'REUSE_DATAFILES', value => 0);
    dbms_datapump.set_parameter(handle => h1, name => 'TABLE_EXISTS_ACTION', value => 'REPLACE');
    dbms_datapump.set_parameter(handle => h1, name => 'SKIP_UNUSABLE_INDEXES', value => 0);
    --Start Job
    dbms_output.put_line('Import Job started; Logfile: '|| LogFileName);
    dbms_datapump.start_job(handle => h1, skip_current => 0, abort_step => 0);
    -- Wait for ending and finishing job
    dbms_datapump.wait_for_job(handle=>h1,job_state =>job_state);
    dbms_output.put_line('Job has completed');
    dbms_output.put_line('Final job state = ' || job_state);
    dbms_datapump.detach(handle => h1);

    Has no one any idea?

  • Find the roles granted on tables in oracle 10g

    Hi,
    I need to find what roles are granted to what tables in a schema. I try to query dba_tab_privs but this will give what roles are granted to tables, but I want to find what tables are missing these roles in a schema?
    any help is appreciated.
    Thanks...

    789287 wrote:
    I have another scenario where I have 2 different schemas such as TEST_A and TEST_B. here TEST_B. at TEST_B user have 2 roles B_query and b_update and granted these roles to TEST_B user.
    TEST_A need to access the TEST_B objects, when I grant the A_QUERY, A_UPDATE to TEST_A user. then I login as TEST_A user to access the TEST_B objects gets an error object doesn't exist.
    I don't want to grant privileges directly on to the TEST_B objects to TEST_A user. is there anyway I can accomplish this through the role?
    I thought it would appropriate to ask the question here rather opening a thread.
    Thanks...
    Consider to actually post the actual SQL & complete error response from Oracle.
    How do I ask a question on the forums?
    SQL and PL/SQL FAQ

  • Script for Users, Roles,Grant,Tablespace

    Hi,
    Please guide me on the following .
    I am moving database to new Unix server .
    so can I create the script which will check the existing Users, Roles, Grants, Tablespaces from current database and store that data.
    And using same stored data I want to create the same " Users, Roles, Grants, Tablespaces" using the script.
    Can I do this? Please guide me how to do this so it will help me to move database
    Thanks,
    Amol

    You should run ?\rdbms\admin\utlrp (note the ?, which is shorthand for ORACLE_HOME) from the database server, to make sure you have the correct script. You can call sqlplus from Toad easily.
    The script affects PL/SQL only. PL/SQL resides in the SYSTEM tablespace in the SYS schema. You don't have 400G of PL/SQL. It should take a few minutes only.
    The SYSTEM schema WILL be imported. SYS will not be imported, but automagically recreated. The only thing you will miss is Grants which have been made by SYS directly to end-users or roles, outside those defined in catalog.sql
    Sybrand Bakker
    Senior Oracle DBA

  • Expdp users, roles, grants (privs)

    (sorry for the cross-posting - I'm not sure how to delete or move threads and I posted this in the general questions forum thinking I was in this forum)
    So, I think this works - still in the process of testing - but what I want to do is the following:
    1) Export ONLY users, passwords, and privs from TEST
    2) Clone PROD --> TEST
    3) Drop all users in TEST excluding system users.
    4) Import original users file from Step 1.
    I think I've got it with the following. Am I missing anything? I'm testing, but if someone else has done this, I would be happy to hear from something I may be missing.
    JOB_NAME=EXPDP_USERS
    DIRECTORY=DTPUMP
    REUSE_DUMPFILES=Y
    FULL=Y
    DUMPFILE=users_test.dmp
    LOGFILE=users_test_expdp.log
    INCLUDE=SCHEMA:"IN (SELECT USERNAME FROM dba_users where default_tablespace NOT in('SYSAUX','SYSTEM'))",ROLE,USER,SYSTEM_GRANT,ROLE_GRANT,DEFAULT_ROLE,TABLESPACE_QUOTA

    Pl do not post duplicates - expdp users, roles, grants (privs)

  • Role granting issue

    Hi,
    I have created one role with some system privileges like create any table, debug any procedure etc and with some object privileges like select grant on DBA_TABLES, DBA_JOBS etc. Now I have granted the role to a different user where I have written a package which consist of few procedures, one of the procedures in package spec like below :
    PROCEDURE REGISTER (
    p_Owner IN ORBIT_DELTA_CNTL.OWNER%TYPE,
    p_Object IN ORBIT_DELTA_CNTL.NAME%TYPE,
    p_Type IN ORBIT_DELTA_CNTL.OBJECT_TYPE%TYPE,
    p_RefreshInterval IN DBA_JOBS.INTERVAL%TYPE,
    p_PurgeInterval IN DBA_JOBS.INTERVAL%TYPE,
    p_Tablespace IN DBA_TABLES.TABLESPACE_NAME%TYPE DEFAULT NULL
    which throws an error during compilation "PLS-00201: identifier 'DBA_JOBS' must be declared". Can any one please explain why this error is coming though I have granted the role to that user.
    Regards,
    Koushik

    Koushik,
    The reason is probably dependencies related. When an object gets invalid, all dependent objects get invalid et cetera. When objects could be valid because of a grant via a role, this means that an object could get invalid by revoking a grant from a role. Because granting user access via a role should not make big parts of the database invalid, it is only allowed via direct grants.
    Regards,
    Rob.

  • Where to find tutorial for oracle.security.jazn , specially role granting?

    Hi
    Thank you for reading my post
    where can I find references about oracle.security.jazn and its classes and interfaces ?
    I am stuck with granting roles that I created in admin console or from within my application to users ?
    where is this package javadocs ?
    thanks

    Thanks for giving the link
    is there any way that i add this javadocs to Jdeveloper IDE for quick javadoc facilities ?
    where i can download its zip/jar package for offline IDE use ?
    which jdeveloper predefined library contains oracle.security.jazn ?
    thank you again

  • Enterprise Role grants in jazn-data fail for AD Provider User Accounts?

    Hello All,
    I have enterprise roles defined within my jazn-data.xml for my 11.1.1.4 web application. We just recently switched user accounts over to an active directory provider for authentication. So, I have user accounts associated with the active directory provider that are assigned to my enterprise roles. This is working fine because all of my EL expressions of the form #{securityContext.userInRole['EnterpriseRoleName']} are working great.
    However, all of the grants in jazn-data.xml for pages that should only be viewable by users with this role are now not working. Users with this role see a "Internal Server 500" error with the message "oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed", rather than the related pages. This all used to work when the user accounts were not coming from the active directory provider.
    As a work around, I've had to grant test-all view access to all pages, but hide controls and portions of pages that non-authorized users should see using EL like what I printed above.
    This can't be right. Why are AD user accounts treated differently by WebLogic Server, when the security context indicates that the user has the proper role?
    Thanks

    Haha... nice one. This is a low-key production app that is internal to this company. I can't have users with AD accounts, who used to have WLS internal accounts when the jazn grants worked, just stop using the application until some solution comes about. It may take days. I don't understand why you would leave such an unhelpful comment and then leave the discussion. Is this a precedent that you want set within your forum? Please help me to understand why this is a bad workaround. I'm just at the beginning of trying to figure out the root cause of this issue. A search didn't reveal any obvious answers, so I thought I'd reach out to my knowledgeable ADF friends on the forum to see if this was something that could easily be fixed.
    Back to your comment -- why is this a mistake? I have always used the rendered attribute value to hide navigation points to pages that are supposed to be accessible to users with the enterprise role (e.g. rendered="#{securityContext.userInRole['EnterpriseRoleName']}"). This still works fine in the context of this problem, because the security context is working properly -- it's picking up user membership to enterprise roles. It's the jazn grants that are not working for the AD provider related users.
    In this context, if some really smart user guesses the URL of a page I don't want them on because they don't have the role, then why can't I simply set rendered="#{securityContext.userInRole['EnterpriseRoleName']}" on the PGL that presents the body of the page? The content of the page isn't rendered. That's the point of the "rendered" attribute, right? Better yet, I could have a nice message that says that they aren't authorized to view the page, rather than put a Java stack trace in their face. Why, then, as a temporary workaround, is this such a bad idea?
    Thank you "sameera.sac" for the links. I'd seen the first one before posting and it wasn't pertinent. But I'll certainly research the others you provided.
    Thanks

  • Role grants problem.

    Hi everybody,
    I have this strange problem:
    I've an owner schema owning most of my db's tables: "SALE". SALE is a DBA and creates the rest of db users. I also have a qrya_rl owned by SALE. I grant selects on SALE tables to this qrya_rl and assign it to users whenever necessary.
    Strange thing is in a 10gr2 database, everything is fine and users can select from SALE.xxxxx tables (through a public synonym of course). In 11g r2 however, users are able to select from SALE tables but are not able to compile functions, procedures and packages with references to SALE objects?!?
    Compile error says: unknown table or view : SALE.xxxxx.
    It finally exhausts me and I assign selects on SALE tables directly to users or to Public. Function and packages compile fine!
    My db is a huge transactional database with many users. I do not want to assign privileges to public and having a growing number of users, I do not want to assign privileges directly so I'm stuck in here!
    Any ideas?
    Edited by: Ali on Jun 1, 2011 9:29 PM
    Edited by: Ali on Jun 1, 2011 9:35 PM

    Any ideas?
    Privileges acquired via ROLE do not apply within PL/SQL named procedures.

  • Creating objects only with role grants.

    Good afternoon, everybody.
    I'm having a problem to compile some procedures in a scheme, let's call it scheme A.
    This scheme A is receiving privileges to execute a function(B.get_date) of other scheme, let's call it scheme B, through a role B_STUFF.
    When I try to compile a procedure from scheme A that uses the function B.get_date, it doesn't compile because there are
    insufficient privileges for scheme A to execute that function, but I already gave that privilege through the role B_STUFF.
    Nevertheless it only works when I give direct grant execute on function B.get_date to schema A.
    Here is the example of my problem:
    create function B.get_date return date
    is
    Begin
    return sysdate;
    end;
    grant execute on B.get_date to B_STUFF;
    grant B_STUFF to A;
    create procedure A.proc
    is
    begin
    ....uses the function B.get_date....
    end;
    Invalid object.
    Is there a way to do this without having to give direct privilege of an object to a schema?
    Thanks for the attention...
    Regards...

    Is there a way? Yes. But it's probably not what you want...
    SQL> ed
    Wrote file afiedt.buf
      1  create or replace procedure a.proc
      2    authid current_user
      3  is
      4    l_dt date;
      5  begin
      6    execute immediate 'select b.get_date from dual' into l_dt;
      7    dbms_output.put_line( l_dt );
      8* end;
    SQL> /
    Procedure created.
    SQL> set serveroutput on;
    SQL> exec a.proc;
    06-FEB-13
    PL/SQL procedure successfully completed.
    will work. Any user that wants to execute the A.PROC procedure will need to have the ability to call B.GET_DATE (either directly or via a role).
    In general, since roles can be enabled or disabled in a session, password protected, made default or non-default, etc. you can't use them when you're creating persistent objects. Otherwise, if A has two sessions open and in one session B_STUFF is enabled and in the other the role is disabled, Oracle would have a very hard time figuring out whether the A.PROC procedure should be valid or not. And then what happens when both of those sessions are terminated-- which set of roles should Oracle then use for A's persistent objects? That's why Oracle generally depends on privileges that are granted directly to a user when you're trying to create persistent objects.
    Justin
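
The check that follows from the explanation above, as an added example that is not part of the thread: list the object privileges a schema holds only through roles, which are the ones that need a direct grant before definer's rights PL/SQL owned by that schema will compile. The role_grants and object_grants names and their rows are constructed stand-ins for dba_role_privs and dba_tab_privs, built from the scenario in the question.

```sql
-- Added example; not code from the thread.
-- Constructed stand-ins for DBA_ROLE_PRIVS and DBA_TAB_PRIVS that mirror
-- the scenario in the question: A holds B_STUFF, and B_STUFF holds
-- EXECUTE on B.GET_DATE. On a real database, drop the WITH clause and
-- read dba_role_privs and dba_tab_privs (same column names) instead.
WITH role_grants AS (
  SELECT 'A' AS grantee, 'B_STUFF' AS granted_role FROM dual
),
object_grants AS (
  SELECT 'B_STUFF' AS grantee, 'B' AS owner,
         'GET_DATE' AS table_name, 'EXECUTE' AS privilege
  FROM   dual
)
-- Object privileges A can use in a session where the role is enabled,
-- but that are not granted directly to A or to PUBLIC.
SELECT og.owner,
       og.table_name AS object_name,
       og.privilege,
       og.grantee    AS via_role
FROM   object_grants og
WHERE  og.grantee IN (SELECT granted_role          -- every role A reaches,
                      FROM   role_grants           -- including nested ones
                      START  WITH grantee = 'A'
                      CONNECT BY PRIOR granted_role = grantee)
AND    NOT EXISTS (SELECT 1                        -- no matching direct grant
                   FROM   object_grants d
                   WHERE  d.grantee IN ('A', 'PUBLIC')
                   AND    d.owner      = og.owner
                   AND    d.table_name = og.table_name
                   AND    d.privilege  = og.privilege)
ORDER  BY og.owner, og.table_name, og.privilege;
```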

  • Role Grants

    Hi,
    I have created different roles for all schemas in my database. I have a trigger on database before grant or update which logs on the grant or revoke statement. Now I want to have a provision that if a schema has 2 roles, System user should not be able to assign more roles to it. If it does so, it must get an error.
    Can you please suggest how we can achieve this?

    You can try to check the number of granted roles using DBA_ROLE_PRIVS: http://download.oracle.com/docs/cd/B19306_01/server.102/b14237/statviews_4064.htm#REFRN23230.

  • Role grants to roles being deprecated

    I have just read with concern in the release notes for Oracle Database 10.1 (paragraph 7.1) that the ability to grant "application role to another role will not be allowed in future Oracle database releases". Why will we be unable to nest roles in the way we have been doing for years? I can see many problems with this loss of functionality, or is there a cleverer way of organising security being introduced to replace roles?

    I cannot find it online either. It is in the README that comes with the download of 10G from OTN. The document part number is B12304-01 and it is the README for Oracle Database 10G Release 10.1 dated January 2004. It is in the section on Database Security, paragraph 7.1. The exact text of the bullet point is, "Grants of password protection or application role to another role will not be allowed in future Oracle Database releases".

  • Asking for ROLES granted to the current user

    I am trying to trigger an ALTER SESSION SET NLS_DATE_FORMAT ... for users in a particular database role. I can write some PL/SQL which properly captures a user's roles. When the same code is invoked from a LOGON trigger, though, it doesn't find any roles:
    SQL> create global temporary table hold_roles (role varchar2(30));
    Table created.
    SQL> create or replace
      2  package          oper_logon_trigger_pg_delete
      3    authid current_user
      4  as
      5    procedure MAIN;
      6  end oper_logon_trigger_pg_delete;
      7  /
    Package created.
    SQL> create or replace
      2  package body          oper_logon_trigger_pg_delete
      3  as
      4 
      5    procedure MAIN
      6    is
      7      l_str varchar2(4000);
      8    begin
      9      for row in (select granted_role from user_role_privs)
    10      loop
    11        insert into hold_roles values (row.granted_role);
    12      end loop;
    13     
    14    end MAIN;
    15   
    16  end oper_logon_trigger_pg_delete;
    17  /
    SQL> exec oper_logon_trigger_pg_delete.main;
    PL/SQL procedure successfully completed.
    SQL> select * from hold_roles;
    ROLE
    CKR_REPOS_MANAGER
    CONNECT
    DBA
    PLUSTRACE
    SQL> CREATE OR REPLACE TRIGGER LOGON_ALT
      2  AFTER LOGON ON DATABASE
      3 
      4  BEGIN
      5   
      6    OPER_LOGON_TRIGGER_PG_DELETE.MAIN();
      7 
      8  END LOGON_ALT;
      9  /
    Trigger created.
    SQL> disconnect
    Disconnected from Oracle Database 10g Enterprise Edition Release 10.1.0.4.0 - 64bit Production
    With the Partitioning, OLAP and Data Mining options
    SQL> connect r25u7@dev
    Enter password: **********
    Connected.
    SQL> select * from hold_roles;
    no rows selected
    Why the difference in behavior? Same code, just one is called directly, vs from a LOGON trigger...
    Thanks,
    --=Chuck

    chuckers wrote:
    How does that circumvent the concept that " First trigger is fired and roles are not included into context."?
    Won't the same fundamental problem be true if I just move that code directly into the trigger?
    OK. I will explain it in detail. Trigger, as I already mentioned, is always executed with definer rights which means it is executed on trigger owner's behalf. Now package has AUTHID CURRENT_USER which means it will be executed on package caller's behalf. And since your package is called from the trigger, package is executed on trigger owner's behalf, not on logon user's behalf. As a result, querying USER_ROLE_PRIVS will go against trigger owner's roles. So you are querying wrong user's roles. As you can see, you can't use user_role_privs. That is why you need to go against DBA_ROLE_PRIVS (and do not forget to grant select on DBA_ROLE_PRIVS directly to trigger owner). Your second issue is GTT. AFAIK after logon trigger is executed after user is logged in but before session is fully instantiated and GTT does not work yet. Anyway:
    SQL> connect sys/******** as sysdba
    Connected.
    SQL> grant select on dba_role_privs to scott
      2  /
    Grant succeeded.
    SQL> connect scott/******
    Connected.
    SQL> drop role CHANGE_NLS_DATE_FORMAT
      2  /
    Role dropped.
    SQL> create role CHANGE_NLS_DATE_FORMAT
      2  /
    Role created.
    SQL> grant CHANGE_NLS_DATE_FORMAT to u1
      2  /
    Grant succeeded.
    SQL> drop table hold_roles
      2  /
    Table dropped.
    SQL> create table hold_roles(role varchar2(30))
      2  /
    Table created.
    SQL> grant insert,select on hold_roles to public
      2  /
    Grant succeeded.
    SQL> create or replace
      2  package oper_logon_trigger_pg_delete
      3    authid current_user
      4  as
      5   procedure MAIN;
      6  end oper_logon_trigger_pg_delete;
      7  /
    Package created.
    SQL> create or replace
      2  package body          oper_logon_trigger_pg_delete
      3  as
      4    procedure MAIN
      5    is
      6      l_str varchar2(4000);
      7    begin
      8      for v_rec in (select granted_role from dba_role_privs where grantee = user)
      9      loop
    10        insert into hold_roles values(v_rec.granted_role);
    11      end loop;
    12    end MAIN;
    13  end oper_logon_trigger_pg_delete;
    14  /
    Package body created.
    SQL> CREATE OR REPLACE
      2    TRIGGER LOGON_ALT
      3      AFTER LOGON ON DATABASE
      4      BEGIN
      5          OPER_LOGON_TRIGGER_PG_DELETE.MAIN();
      6  END LOGON_ALT;
      7  /
    Trigger created.
    SQL> truncate table hold_roles
      2  /
    Table truncated.
    SQL> connect u1/****
    Connected.
    SQL> select * from scott.hold_roles
      2  /
    ROLE
    CHANGE_NLS_DATE_FORMAT
    SQL> select granted_role from user_role_privs
      2  /
    GRANTED_ROLE
    CHANGE_NLS_DATE_FORMAT
    SQL>
    SY.
    P.S. Now, when the issue is explained, you could simplify whole thing. You do not need package at all. Just create the trigger:
    CREATE OR REPLACE
      TRIGGER LOGON_ALT
        AFTER LOGON ON DATABASE
        BEGIN
            insert into hold_roles
              select granted_role from dba_role_privs where grantee = user;
    END LOGON_ALT;
    /

  • Role Grants to Bounded Task Flow not Recognized on standalone WLS 10.3

    Jdeveloper 11G Build 1188
    Weblogic 10.3
    I receive this error
    oracle.adf.controller.security.AuthorizationException: ADFC-0619: Authorization check failed: '/WEB-INF/menuflow.xml#menuflow' 'VIEW'.
    This occurs before and after security migration.
    I have spent 4 days on this problem and read and re-read Jdeveloper and Weblogic docs and all the blogs I could find as well as this forum.
    The security works fine using Integrated WLS.
    It seems to me that the roles in Jazn and the roles I setup in Weblogic are NOT being associated
    I followed step by step the blogs concerning security migration, weblogic standalone install, weblogic setup as to roles and groups, etc.
    Before I go through every step I took, I would like to know If anyone has received this error.
    Chuck

    Hi Frank,
    I copied the <jazn-policy> section from the jazn-data.xml to system-jazn-data.xml and it is working
    So as expected something wrong with the migration...I will check what
    Thanks
    Jamil

  • Grants to a role name

    Hi,
    We are in the process of creating a new db. After completing schema level import, I have to create roles & grants same as the primary db.
    I used,
    SQL>select dbms_metadata.get_ddl('ROLE',role) from dba_roles;
    to find the roles.
    How can I provide the grants on those rolenames?
    Is this right approach?
    Suggestions appreciated.
    Thanks!

    jdba wrote:
    Hi,
    We are in the process of creating a new db. After completing schema level import, I have to create roles & grants same as the primary db.
    I used,
    SQL>select dbms_metadata.get_ddl('ROLE',role) from dba_roles;
    to find the roles.
    How can I provide the grants on those rolenames?
    Is this right approach?
    Suggestions appreciated.
    Thanks!
    You can bulk in google, also check this
    -- Create the roles
    SELECT DBMS_METADATA.GET_DDL('ROLE', role)||';'
      FROM dba_roles;
    -- Roles which are granted to roles
    SELECT DBMS_METADATA.GET_GRANTED_DDL('ROLE_GRANT', role)
      FROM role_role_privs;
    -- System privileges granted to roles
    SELECT DBMS_METADATA.GET_GRANTED_DDL('SYSTEM_GRANT', role)
      FROM ROLE_SYS_PRIVS;
    -- Table privileges granted to roles
    SELECT DBMS_METADATA.GET_GRANTED_DDL('OBJECT_GRANT', role)
      FROM ROLE_TAB_PRIVS;
