Querying DBA/USER Privilege Views
A database administrator (DBA) can simply execute a query to view the rows in DBA_SYS_PRIVS, DBA_TAB_PRIVS, and DBA_ROLE_PRIVS to retrieve information about user privileges related to the system, tables, and roles, respectively.
For example, a DBA wishing to view all system privileges granted to all users would issue the following query:
SELECT * FROM DBA_SYS_PRIVS;
The DBA_SYS_PRIVS view contains three columns of data:
GRANTEE is the name, role, or user that was assigned the privilege.
PRIVILEGE is the privilege that is assigned.
ADMIN_OPTION indicates if the granted privilege also includes the ADMIN option.
To determine which users have direct grant access to a table we’ll use the DBA_TAB_PRIVS view:
SELECT * FROM DBA_TAB_PRIVS;
GRANTEE is the name of the user with granted access.
TABLE_NAME is the name of the object (table, index, sequence, etc).
PRIVILEGE is the privilege assigned to the GRANTEE for the associated object.
Finally, querying the DBA_ROLE_PRIVS view has much of the same information but applicable to roles instead, where the GRANTED_ROLE column specifies the role in question:
SELECT * FROM DBA_ROLE_PRIVS;
Querying the Current User’s Privileges
If DBA access isn’t possible or necessary, it is also possible to slightly modify the above queries to view the privileges solely for the current user.
This is done by alternatively querying USER_ versions of the above DBA_ views. Thus, instead of looking at DBA_SYS_PRIVS we’d query USER_SYS_PRIVS, like so:
SELECT * FROM USER_SYS_PRIVS;
Since the USER_ privilege views are effectively the same as their DBA_ counterparts, but specific to the current user only, the type of returned data and column names are all identical to those when querying DBA_ views intead.
A database administrator (DBA) can simply execute a query to view the rows in DBA_SYS_PRIVS, DBA_TAB_PRIVS, and DBA_ROLE_PRIVS to retrieve information about user privileges related to the system, tables, and roles, respectively.
For example, a DBA wishing to view all system privileges granted to all users would issue the following query:
SELECT * FROM DBA_SYS_PRIVS;
The DBA_SYS_PRIVS view contains three columns of data:
GRANTEE is the name, role, or user that was assigned the privilege.
PRIVILEGE is the privilege that is assigned.
ADMIN_OPTION indicates if the granted privilege also includes the ADMIN option.
To determine which users have direct grant access to a table we’ll use the DBA_TAB_PRIVS view:
SELECT * FROM DBA_TAB_PRIVS;
GRANTEE is the name of the user with granted access.
TABLE_NAME is the name of the object (table, index, sequence, etc).
PRIVILEGE is the privilege assigned to the GRANTEE for the associated object.
Finally, querying the DBA_ROLE_PRIVS view has much of the same information but applicable to roles instead, where the GRANTED_ROLE column specifies the role in question:
SELECT * FROM DBA_ROLE_PRIVS;
Querying the Current User’s Privileges
If DBA access isn’t possible or necessary, it is also possible to slightly modify the above queries to view the privileges solely for the current user.
This is done by alternatively querying USER_ versions of the above DBA_ views. Thus, instead of looking at DBA_SYS_PRIVS we’d query USER_SYS_PRIVS, like so:
SELECT * FROM USER_SYS_PRIVS;
Since the USER_ privilege views are effectively the same as their DBA_ counterparts, but specific to the current user only, the type of returned data and column names are all identical to those when querying DBA_ views intead.
No comments:
Post a Comment