Grant Select on All Synonyms of Schema to Another Schema in Oracle

oraclepermissions

I need to write a query for granting the select privilege to all synonyms and tables of one schema to another schema in Oracle.

Example:

Admin schema has all the tables. I want the User schema to access all the tables owned by Admin. So I want to grant select privilege to User. How can I write a query to accomplish this task?

Best Answer

Here the script to generate grant select on all the tables and synonyms.

select 'grant select on Admin.' || object_name || ' to User;' 
from user_objects 
where object_type in('TABLE','SYNONYM');

Then you have to create a script to run these grant statements at once or you can use PL/SQL as well. Type the following in the SQL prompt.

SQL> spool grant_statements.sql
SQL> set pagesize 0
SQL> set feedback off
SQL> set linesize 300
SQL> set trimout on
SQL> set trimspool on
SQL> select 'grant select on Admin.' || object_name || ' to User;' from user_objects where object_type in('TABLE','SYNONYM')
/
SQL> spool off

And you have got the script file you can run it.
OR
You can run the following PL/SQL block (Run as admin user).

BEGIN
  FOR s IN (SELECT *
              FROM user_objects where object_type in('TABLE','SYNONYM'))
  LOOP
    EXECUTE IMMEDIATE  'grant select on admin.' || s.object_name || ' to user';
  END LOOP;
END;

Related Solutions

Grant permission to execute stored procedure without granting access to underlying table – Oracle

As long as you have your database organized in such a way that there is an account that is the owner of the tables and other objects, and your application connects using a separate account you can do what you want.

If you have tables and procedures organized in separate owners, you fist have to grant the required tables to the procedure owner (directly granted). Next you can grant the execute to a role or a user.

As soon as you allow connections to an object owner your security is broken since in that case you can always use all the objects of the owner (you are owner so you can use it).

PostgreSQL 9.3 – How to Grant Partial Schema Usage to User

I suggest you create a dedicated schema for this user (if it does not exist already), typically with the same name as the name of the role.

CREATE SCHEMA this_user;
REVOKE ALL ON SCHEMA this_user FROM public;
GRANT USAGE ON SCHEMA this_user TO this_user;

The default search_path in typical Postgres installations is "$user",public. So the new schema is automatically the "current" schema for this_user. If your installation is different, consider setting it explicitly:

ALTER ROLE this_user SET search_path=`"$user",public`;

More about the search_path in this related answer on SO:

How to create table inside specific schema by default in Postgres?

Create a VIEW in this schema:

CREATE VIEW this_user.the_table AS
TABLE other_schema.the_table;  -- shorthand for "SELECT * FROM"

GRANT SELECT, INSERT ON this_user.the_table TO this_user;

You may need privileges on the SEQUENCE additionally, if a serial column is involved. See:

Explicitly granting permissions to update the sequence for a serial column necessary?

The same is not necessary for IDENTITY columns in Postgres 10 or later.

Since Postgres 9.3 simple views like the above are automatically updatable. Per documentation:

Simple views are automatically updatable: the system will allow INSERT, UPDATE and DELETE statements to be used on the view in the same way as on a regular table. A view is automatically updatable if it satisfies all of the following conditions:

Then REVOKE all privileges from public, that should stay hidden from the public (including this_user).

More about default privileges and the basics:

Why can a new user select from any table?

Example:

Best Answer

Related Solutions

Grant permission to execute stored procedure without granting access to underlying table – Oracle

PostgreSQL 9.3 – How to Grant Partial Schema Usage to User

Related Question