Grant privileges to a role without specifying an object

oracleoracle-11gSecurity

I am trying to create a role to simplify granting a set of privileges that I often give to users. I am wondering if there is any way to grant these privileges on only the objects owned by their schema without knowing what the schema name will be ahead of time?

For instance, I want to assign the role student_access to the users JOE and MARY without having to specify what tables or procedures they have these privileges on. They should have all privileges that the role grants on all objects owned by their schema.

Thanks.

Best Answer

The system privileges that relate to the object types (CREATE TABLE, VIEW, ...) can be divided in two groups:

Those that lack the keyword ANY are only effective on the user's own schema.
Those with the keyword ANY (DROP ANY TABLE, EXECUTE ANY PROCEDURE, ...) are effective on all schemas. Consequently, you should restrict the ANY privileges to administrative users.

If you grant an object type privilege (without ANY) such as CREATE TABLE to a role, all users of this role will be able to assert this privilege on their own schema. Consequently you can grant these privileges to a role and the users will inherit such rights (on their own schema) when they are granted the role.

Related Solutions

Security for Application Developers doing PL/SQL work in Oracle

Back in the days when I worked in an Oracle shop, we had a specific 'dev' (development) server, which had different security restrictions than the 'prod' (production) server. Developers could do whatever they needed, and then we'd hand off the necessary scripts to the DBA to apply to the production server.

In the case of our critical systems (SCT Banner, for tracking classes & students, and Oracle Financials), there were also 'test' and 'seed' servers. Test was for user acceptance testing before stuff migrated from dev to prod; 'seed' was stock install of the software, so should we find a bug, we could verify if it was something we had introduced or came from SCT or Oracle's software.

When creating views, why do users need direct object permissions if they already have the same permissions via a role

While you may have a lot of users, it would be unusual for them to require their own views. The views should be in one schema (possibly the one owning the tables) and the users should query them by either prefixing the schemaname (eg vwowner.view) or using the

ALTER SESSION SET_CURRENT_SCHEMA=vwowner

Roles are transient. You can do a SET ROLE NONE to turn them all off. You can have multiple sessions for the same account with different roles enabled. That isn't compatible with the way that Oracle handles objects (where they are either valid or they are not; they can't be valid for some sessions and not for others).

Best Answer

Related Solutions

Security for Application Developers doing PL/SQL work in Oracle

When creating views, why do users need direct object permissions if they already have the same permissions via a role

Related Question