Oracle implements a decentralised security model.
A user is generally created by a high level account holder such as a DBA. The DBA will probably issue various system privileges to the user at the same time.
When a user has created some database objects (if allowed) that user is then responsible for the granting of access rights to other users.
System object rights are given and taken away by using two commands - GRANT and REVOKE.
Below is a list of privileges that can be granted.
WITH GRANT OPTION
The statement lists the access rights after the GRANT keyword (comma delimited) followed by the name of the resource to be shared followed by a list of the users (or roles) that will have the
specified access rights (JD12 and JD14 in this case).
The WITH GRANT OPTION allows the users JD12 and JD14 to grant access to the SECTION table to other users.
To give access to the section ID number sequence generator I need only give SELECT rights as this is all that is required for other users to be able to use it.
To find out which users have privileges on your tables, views, sequences etc. query the data dictionary views USER_TAB_GRANTS or USER_COL_GRANTS. Christophe Emery has suggested that the
dictionary views USER_TAB_PRIVS or USER_COL_PRIVS are also very useful.
To find out which privileges have been granted to roles query the ROLE_SYS_PRIVS, ROLE_TAB_PRIVS, USER_ROLE_PRIVS, ROLE_ROLE_PRIVS and SESSION_ROLES data dictionary views.
REVOKE SELECT ON JD11.SECIDNUM FROM PUBLIC
A user is generally created by a high level account holder such as a DBA. The DBA will probably issue various system privileges to the user at the same time.
When a user has created some database objects (if allowed) that user is then responsible for the granting of access rights to other users.
System object rights are given and taken away by using two commands - GRANT and REVOKE.
Object Privileges - GRANT
If a user creates a table, view, sequence or synonym then they own it. Unless the object is shared by the owning user then only the owning user and a DBA class user can access it.
Below is a list of privileges that can be granted.
Privilege | <><><><><> Object | <><><><><>
SELECT | <><><><><> data in a table or view | <><><><><>
INSERT | <><><><><> rows in a table or view | <><><><><>
UPDATE | <><><><><> rows in specified columns in a table or view | <><><><><>
DELETE | <><><><><> rows from a table or view | <><><><><>
ALTER | <><><><><> column definitions in a table | <><><><><>
INDEX | <><><><><> index to a table | <><><><><>
REFERENCES | <><><><><> refer to a table named within a table or column constraint | <><><><><>
ALL | <><><><><> all of the above | <><><><><>
To grant access to the BOOK and SECTION tables (owned by user JD11) to user JD12 and JD14 I can use a GRANT command like the one below :
GRANT INSERT, UPDATE, DELETE, SELECT ON JD11.BOOK TO JD12, JD14
GRANT INSERT, UPDATE, DELETE, SELECT ON JD11.SECTION TO JD12, JD14WITH GRANT OPTION
The statement lists the access rights after the GRANT keyword (comma delimited) followed by the name of the resource to be shared followed by a list of the users (or roles) that will have the
specified access rights (JD12 and JD14 in this case).
The WITH GRANT OPTION allows the users JD12 and JD14 to grant access to the SECTION table to other users.
To give access to the section ID number sequence generator I need only give SELECT rights as this is all that is required for other users to be able to use it.
GRANT SELECT ON JD11.SECIDNUM TO JD12, JD14
If I wanted to grant access to everybody for a particular object I can use the PUBLIC keyword instead of specifying individual users.
GRANT SELECT ON JD11.SECIDNUM TO PUBLIC
To find out which users have privileges on your tables, views, sequences etc. query the data dictionary views USER_TAB_GRANTS or USER_COL_GRANTS. Christophe Emery has suggested that the
dictionary views USER_TAB_PRIVS or USER_COL_PRIVS are also very useful.
To find out which privileges have been granted to roles query the ROLE_SYS_PRIVS, ROLE_TAB_PRIVS, USER_ROLE_PRIVS, ROLE_ROLE_PRIVS and SESSION_ROLES data dictionary views.
Object Privileges - REVOKE
To withdraw an access right that you have granted you can use the REVOKE command.
To revoke a particular grant to a user or role use a command like :
REVOKE SELECT ON JD11.SECIDNUM FROM JD12, JD14
This removes the ability to use the sequence generator (SECIDNUM) from the users JD12 and JD14. To remove a public privilege use the PUBLIC keyword.
REVOKE SELECT ON JD11.SECIDNUM FROM PUBLIC
No comments:
Post a Comment