Skip to Main Content
  • Questions

  • Table Level Privileges for Read Only Access

Breadcrumb

Question and Answer

Connor McDonald

Thanks for the question, Mohammed.

Asked: February 08, 2018 - 1:42 pm UTC

Last updated: February 08, 2018 - 4:56 pm UTC

Version: 11G

Viewed 1000+ times

You Asked

Hi,

I have new DB installed and configured by sys user.

then i will execute following script to create new schema identified by CS4

create user cs4 identified by cs4;
grant connect to cs4;
grant create session to cs4;
grant dba to cs4;
grant all privileges to cs4;

Now i will login as CS4 and create table T1;

Now as a system administrator - i want table T1 to be in readonly access to CS4

How can i do that as a sysdba

and Chris said...

Oh boy. All privileges and DBA. Really?

They give cs4 the ability to do pretty much everything. That's bad, mmmkay? Grant your database users as few privileges as you can.

But even with a stripped down set, if cs4 owns the table, they can still change the data. Even if you make it read only. It's their table. So they can make it read-write again:

grant create session, create table, unlimited tablespace 
  to cs4 identified by cs4;
  
create table cs4.t (
  x int
);
insert into cs4.t values (1);
commit;
alter table cs4.t read only;

conn cs4/cs4

insert into t values (2);

SQL Error: ORA-12081: update operation not allowed on table "CS4"."T"

alter table t read write;
insert into t values (3);
select * from t;

X   
  1 
  3


If you want to ensure cs4 can only read a table, not change it, you should:

- Create the table in another schema
- Grant only cs4 create session and select on the required table:

drop user cs4 cascade;

grant unlimited tablespace to u identified by u;
create table u.t (
  x int
);
insert into u.t values (1);
commit;
  
grant create session to cs4 identified by cs4;
grant select on u.t to cs4;
  
conn cs4/cs4

insert into u.t values (2);

SQL Error: ORA-01031: insufficient privileges

alter table u.t read write;

SQL Error: ORA-01031: insufficient privileges

insert into u.t values (3);

SQL Error: ORA-01031: insufficient privileges

delete u.t;

SQL Error: ORA-01031: insufficient privileges

select * from u.t;

X   
  1

Rating

  (2 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

READ Privilege in 12c

Rajeshwaran, Jeyabal, February 10, 2018 - 6:08 am UTC


If you want to ensure cs4 can only read a table, not change it, you should:

- Create the table in another schema
- Grant only cs4 create session and SELECT on the required table:


BTW, when you move into 12c - grant READ Privilege rather than SELECT on the required tables, since they restrict the users to explicitly lock those (granted) tables in their session.

Thanks For Info

Mohammed Nayeem, February 11, 2018 - 4:20 am UTC

Thanks For Info Bro
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's latest video and Chris's latest video from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

PL/SQL demos

Check out more PL/SQL tutorials on our LiveSQL tool.

PL/SQL docs

PL/SQL reference manual from the Oracle documentation library