Oracle – User to not see data from other users

oracleoracle-12cpermissions

I've done some research about it but I found some answers that are not clearly saying if it is possible or not.

Right now, I have a user admin. Everyone in my team is using it to create other users. One user = one project.
When we create the users, we grant all privileges to him.

Now, we would like to be a bit more secure (I know, it's absolutely not secured right now).

I thought, we could have a user, let's name him "User_Creator", to have the sole purpose of creating other users (projects).
The new user, let's name him "Project1", can do whatever he wants in his own schema (create/drop/alter/insert/delete).
When User_Creator, creates another project (Project2), I would like that Project1 can not see data from Project2 and Project2 from Project1.

Is that even possible ? I understand that the grant/revoke is done on the object-level right ? Do I need to create a trigger to revoke access to other users immediately after the creation of a new object?

Edit1: I've created my user "User_Creator" like this:

CREATE USER user_creation IDENTIFIED BY abcdef; 
GRANT RESOURCE TO user_creation WITH ADMIN OPTION; 
GRANT dba TO user_creation with admin option;
CREATE ROLE user_creation_role; 
GRANT CREATE SESSION TO user_creation_role with admin option; 
GRANT ALTER USER TO user_creation_role;
GRANT CREATE USER TO user_creation_role WITH ADMIN OPTION;
GRANT DROP USER TO user_creation_role;
GRANT CREATE TABLE TO user_creation_role with admin option; 
GRANT user_creation_role TO user_creation ;

And a project is created like this:

CREATE USER project1 IDENTIFIED BY abc;
GRANT CREATE SESSION TO project1;
GRANT dba TO project1;

Edit2:

The answer is to not grant DBA and only grant the creation.
That way, user will not share data.
Thank you for your help guys.
Sorry if it was a bit of a rookie question.

I create users like this now:

CREATE USER user_creator IDENTIFIED BY abcdef; 
GRANT RESOURCE TO user_creator WITH ADMIN OPTION;
GRANT UNLIMITED TABLESPACE TO user_creator with admin option;
CREATE ROLE user_creation_role; 
GRANT CREATE SESSION TO user_creation_role with admin option; 
GRANT CREATE USER TO user_creation_role WITH ADMIN OPTION;
GRANT CREATE PROCEDURE TO user_creation_role WITH ADMIN OPTION;
GRANT CREATE TABLE TO user_creation_role WITH ADMIN OPTION;
GRANT CREATE VIEW TO user_creation_role WITH ADMIN OPTION;
CREATE USER project1 IDENTIFIED BY abc;
GRANT CREATE SESSION TO project1 ;
GRANT CREATE TABLE TO project1 ;
GRANT UNLIMITED TABLESPACE TO project1 ;
GRANT CREATE VIEW TO project1 ;
GRANT CREATE PROCEDURE TO project1 ;

Best Answer

This is the default behaviour in Oracle. Users do not have access to other user's objects unless explicitly granted.

The DBA role includes the "GRANT ANY OBJECT" privilege, allowing the user to see all database objects: https://docs.oracle.com/cd/B28359_01/server.111/b28310/dba005.htm https://docs.oracle.com/cd/A97630_01/server.920/a96521/privs.htm

You should revoke the DBA role from every app user and stop granting it to new users.

Related Solutions

Mysql – “Set Password” with a limited user

The problem I see with what you propose is that a user who has the ability to grant privileges to other users... is, almost by definition, not a "limited" user.

You can't grant privileges at all without the GRANT privilege, and even with that, you can't grant a specific privilege that you don't possess ... unless you have permission to manipulate the grant tables directly, in which case, you're not exactly a limited user either.

But, aha, here's your workaround.

Stored procedures run with the credentials of the user who defined them or as the explicitly-specified definer. (You have to have SUPER to specify somebody else as DEFINER.) Any user with the EXECUTE privilege on a stored procedure can execute the procedure, and the procedure essentially escalates their privilege level while it is running.

If you wrap your administrative operations in (well-written) procedures, then you don't have to actually give the limited user permission to do anything, other than run the procedures.

DELIMITER $$

DROP PROCEDURE IF EXISTS `mysql`.`change_password` $$
-- root@localhost is an example; use an appropriate local user that has the
-- permissions that need to be available for the operation to succeed
CREATE DEFINER='root'@'localhost' PROCEDURE `mysql`.`change_password` (
  IN dirty_user VARCHAR(16), 
  IN dirty_host VARCHAR(40), 
  IN dirty_password VARCHAR(41))
BEGIN

  DECLARE encrypted_password TINYTEXT DEFAULT PASSWORD(dirty_password);
  DECLARE clean_user TINYTEXT DEFAULT NULL;
  DECLARE clean_host TINYTEXT DEFAULT NULL;

  SELECT user, host
    FROM mysql.user
   WHERE user = dirty_user
     AND host = dirty_host
    INTO clean_user, clean_host;

  IF clean_user IS NULL OR clean_host IS NULL THEN
    SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'user/host provided does not exist';
  END IF;

  SET @_sql = CONCAT_WS('\'','SET PASSWORD FOR ',clean_user,'@',clean_host,' = ',encrypted_password,'');

  PREPARE stmt FROM @_sql;
  EXECUTE stmt;
  DEALLOCATE PREPARE stmt;
  SET @_sql = NULL;

END $$

DELIMITER ;

GRANT EXECUTE ON PROCEDURE mysql.change_password TO 'limited'@'%';

The 'limited'@'%' user can now change passwords for other users even though they don't have permission to do it themselves, by using CALL mysql.change_password('user','host','password');.

This user does not have permissions themselves, but does have execute on the proc; they can't do it directly:

mysql> set password for 'wombat'@'localhost' = PASSWORD('secret');
ERROR 1044 (42000): Access denied for user 'limited'@'%' to database 'mysql'

... but they can do it this way. Note that "0 rows affected" is not a meaningful value.

mysql> call mysql.change_password('wombat','localhost','secret');

Query OK, 0 rows affected (0.00 sec)

Notes:

String-concatenated queries with input parameters are unacceptable, but the SET PASSWORD statement does not accept ? positional-parameters, so there's no choice here. To sanitize the inputs, I take care of the password by encrypting it in advance, outside the prepared statement, and concatenated the encrypted password there; I've sanitized the user and host by actually selecting them from the mysql.user table and using the values I've selected, also outside the prepared statement. If they aren't found, we can't set their password, so we throw an exception using SIGNAL. If they are found, we concatenate the fetched values into the prepared statement, sanitizing them by this mechanism. It's still theoretically possible that bad data in the mysql.user table could render the quoting of the prepared statement invalid, but if you have bad data in the mysql.user table, then you have 2 problems (1 problem in addition to this one).
Any explicit GRANT EXECUTE you've given at the procedure level disappears from the mysql.procs_priv table if you drop and redefine the procedure, so if you make changes to the procedure, you have to re-grant the privileges to the limited user.
You need MySQL 5.5+ for the SIGNAL statement to be valid. Below 5.5 you can replace it with a hack, something like CALL mysql.`change_password(): the user/host provided`; (note the backticks) which will throw a not quite as pretty, but still serviceable message complaining that the bogus procedure name quoted in the backticks... does not exist. Heh... ERROR 1305 (42000): PROCEDURE mysql.change_password(): the user/host provided does not exist

Configure Oracle user in Enterprise Manager to CREATE VIEW on any of his tables

I'm not sure if I'm understanding your question properly. I created a user with the ability to create views for his own schema.

SQL> create user view_user identified by password default tablespace users quota unlimited on users;

User created.

SQL> grant create session, create table, create view to view_user;

Grant succeeded.

SQL> connect view_user
Enter password: 
Connected.
SQL> CREATE TABLE Members (ID number(10), Name varchar2(100), Street_No varchar2(100), ZIP number(5), City varchar2(100));

Table created.

SQL> CREATE VIEW MembersNamesOnly AS SELECT ID, Name FROM Members;

View created.

SQL>

Best Answer

Related Solutions

Mysql – “Set Password” with a limited user

Configure Oracle user in Enterprise Manager to CREATE VIEW on any of his tables

Related Question