我需要查看 Oracle DB 上的所有授权。
我使用 TOAD 功能来比较模式,但它没有显示诱人的授权等,所以这是我的问题:
如何列出 Oracle DB 上的所有授权?
问问题
578565 次
6 回答
155
如果您想要的不仅仅是直接表授予(例如,通过角色授予、系统权限,例如选择任何表等),这里有一些额外的查询:
用户的系统权限:
SELECT PRIVILEGE
FROM sys.dba_sys_privs
WHERE grantee = <theUser>
UNION
SELECT PRIVILEGE
FROM dba_role_privs rp JOIN role_sys_privs rsp ON (rp.granted_role = rsp.role)
WHERE rp.grantee = <theUser>
ORDER BY 1;
直接授予表/视图:
SELECT owner, table_name, select_priv, insert_priv, delete_priv, update_priv, references_priv, alter_priv, index_priv
FROM table_privileges
WHERE grantee = <theUser>
ORDER BY owner, table_name;
对表/视图的间接授权:
SELECT DISTINCT owner, table_name, PRIVILEGE
FROM dba_role_privs rp JOIN role_tab_privs rtp ON (rp.granted_role = rtp.role)
WHERE rp.grantee = <theUser>
ORDER BY owner, table_name;
于 2009-08-19T17:09:36.793 回答
37
假设您要列出特定用户已收到的所有对象的授权:
select * from all_tab_privs_recd where grantee = 'your user'
这不会返回用户拥有的对象。如果您需要这些,请改用all_tab_privs视图。
于 2009-08-19T08:34:20.747 回答
24
抱歉,如果您从其他(假设是 SYS)用户运行选择,则从 all_tab_privs_recd where grantee = 'your user' 中选择不会提供任何输出,但公共授权和当前用户授权除外。正如文件所说,
ALL_TAB_PRIVS_RECD 描述了以下类型的授权:
Object grants for which the current user is the grantee Object grants for which an enabled role or PUBLIC is the grantee
因此,如果您是 DBA 并且想要列出特定(而不是 SYS 本身)用户的所有对象授权,则不能使用该系统视图。
在这种情况下,您必须执行更复杂的查询。这是从 TOAD 获取(跟踪)的一个,用于为特定用户选择所有对象授权:
select tpm.name privilege,
decode(mod(oa.option$,2), 1, 'YES', 'NO') grantable,
ue.name grantee,
ur.name grantor,
u.name owner,
decode(o.TYPE#, 0, 'NEXT OBJECT', 1, 'INDEX', 2, 'TABLE', 3, 'CLUSTER',
4, 'VIEW', 5, 'SYNONYM', 6, 'SEQUENCE',
7, 'PROCEDURE', 8, 'FUNCTION', 9, 'PACKAGE',
11, 'PACKAGE BODY', 12, 'TRIGGER',
13, 'TYPE', 14, 'TYPE BODY',
19, 'TABLE PARTITION', 20, 'INDEX PARTITION', 21, 'LOB',
22, 'LIBRARY', 23, 'DIRECTORY', 24, 'QUEUE',
28, 'JAVA SOURCE', 29, 'JAVA CLASS', 30, 'JAVA RESOURCE',
32, 'INDEXTYPE', 33, 'OPERATOR',
34, 'TABLE SUBPARTITION', 35, 'INDEX SUBPARTITION',
40, 'LOB PARTITION', 41, 'LOB SUBPARTITION',
42, 'MATERIALIZED VIEW',
43, 'DIMENSION',
44, 'CONTEXT', 46, 'RULE SET', 47, 'RESOURCE PLAN',
66, 'JOB', 67, 'PROGRAM', 74, 'SCHEDULE',
48, 'CONSUMER GROUP',
51, 'SUBSCRIPTION', 52, 'LOCATION',
55, 'XML SCHEMA', 56, 'JAVA DATA',
57, 'EDITION', 59, 'RULE',
62, 'EVALUATION CONTEXT',
'UNDEFINED') object_type,
o.name object_name,
'' column_name
from sys.objauth$ oa, sys.obj$ o, sys.user$ u, sys.user$ ur, sys.user$ ue,
table_privilege_map tpm
where oa.obj# = o.obj#
and oa.grantor# = ur.user#
and oa.grantee# = ue.user#
and oa.col# is null
and oa.privilege# = tpm.privilege
and u.user# = o.owner#
and o.TYPE# in (2, 4, 6, 9, 7, 8, 42, 23, 22, 13, 33, 32, 66, 67, 74, 57)
and ue.name = 'your user'
and bitand (o.flags, 128) = 0
union all -- column level grants
select tpm.name privilege,
decode(mod(oa.option$,2), 1, 'YES', 'NO') grantable,
ue.name grantee,
ur.name grantor,
u.name owner,
decode(o.TYPE#, 2, 'TABLE', 4, 'VIEW', 42, 'MATERIALIZED VIEW') object_type,
o.name object_name,
c.name column_name
from sys.objauth$ oa, sys.obj$ o, sys.user$ u, sys.user$ ur, sys.user$ ue,
sys.col$ c, table_privilege_map tpm
where oa.obj# = o.obj#
and oa.grantor# = ur.user#
and oa.grantee# = ue.user#
and oa.obj# = c.obj#
and oa.col# = c.col#
and bitand(c.property, 32) = 0 /* not hidden column */
and oa.col# is not null
and oa.privilege# = tpm.privilege
and u.user# = o.owner#
and o.TYPE# in (2, 4, 42)
and ue.name = 'your user'
and bitand (o.flags, 128) = 0;
这将列出您(指定)用户的所有对象授权(包括列授权)。如果您不想要列级授权,请删除以“联合”子句开头的所有选择部分。
UPD:研究文档后,我发现了另一个以更简单的方式列出所有赠款的视图:
select * from DBA_TAB_PRIVS where grantee = 'your user';
请记住, Oracle 中没有DBA_TAB_PRIVS_RECD 视图。
于 2013-05-16T08:46:18.637 回答
21
我知道的最全面和最可靠的方法仍然是使用DBMS_METADATA:
select dbms_metadata.get_granted_ddl( 'SYSTEM_GRANT', :username ) from dual;
select dbms_metadata.get_granted_ddl( 'OBJECT_GRANT', :username ) from dual;
select dbms_metadata.get_granted_ddl( 'ROLE_GRANT', :username ) from dual;
(用户名必须全部大写)
不过有趣的答案。
于 2016-09-01T10:47:45.720 回答
5
select distinct 'GRANT '||privilege||' ON '||OWNER||'.'||TABLE_NAME||' TO '||RP.GRANTEE
from DBA_ROLE_PRIVS RP join ROLE_TAB_PRIVS RTP
on (RP.GRANTED_ROLE = RTP.role)
where (OWNER in ('YOUR USER') --Change User Name
OR RP.GRANTEE in ('YOUR USER')) --Change User Name
and RP.GRANTEE not in ('SYS', 'SYSTEM')
;
于 2012-09-27T21:10:40.153 回答
0
以下查询可用于获取一个用户的所有权限...只需在第一个查询中提供用户名,您将获得该用户的所有权限
WITH users AS
(SELECT 'SCHEMA_USER' usr FROM dual),
Roles AS
(SELECT granted_role
FROM dba_role_privs rp
JOIN users
ON rp.GRANTEE = users.usr
UNION
SELECT granted_role
FROM role_role_privs
WHERE role IN (SELECT granted_role
FROM dba_role_privs rp
JOIN users
ON rp.GRANTEE = users.usr)),
tab_privilage AS
(SELECT OWNER, TABLE_NAME, PRIVILEGE
FROM role_tab_privs rtp
JOIN roles r
ON rtp.role = r.granted_role
UNION
SELECT OWNER, TABLE_NAME, PRIVILEGE
FROM Dba_Tab_Privs dtp
JOIN Users
ON dtp.grantee = users.usr),
sys_privileges AS
(SELECT privilege
FROM dba_sys_privs dsp
JOIN users
ON dsp.grantee = users.usr)
SELECT * FROM tab_privilage ORDER BY owner, table_name
--SELECT * FROM sys_privileges
于 2020-05-05T07:38:19.673 回答