Skip to Main Content
  • Questions
  • SELECT ANY TABLE VS SELECT_CATALOG_ROLE

Breadcrumb

Question and Answer

Chris Saxon

Thanks for the question, abhishek.

Asked: February 14, 2022 - 6:08 am UTC

Last updated: November 14, 2024 - 1:48 pm UTC

Version: 12.2.0.1

Viewed 10K+ times! This question is

You Asked

What is the difference between SEELCT ANY TABLE and SELECT_CATALOG_ROLE and under what circumstances should we use either of them? Thanks in advance.

and Connor said...

SELECT ANY TABLE ... read *anything* in *any* schema except the data dictionary (see O7_DICTIONARY_ACCESSIBILITY parameter docs for more details on this one)

Hence ... almost no-one should ever need this except admins.

SELECT_CATALOG_ROLE ... query the data dictionary only.

Once again very few people should need this, but in a non-production environment, it can be useful for developers to extract DDL and view performance information etc for testing.

Rating

  (7 ratings)

Is this answer out of date? If it is, please let us know via a Comment

Comments

abhishek, February 15, 2022 - 3:05 pm UTC

Hello,

Thank you for your reply.

Then what is the difference between SELECT ANY DICTIONARY and SELECT_CATALOG_ROLE.

Regards
Connor McDonald
February 16, 2022 - 12:11 am UTC

SELECT_CATALOG_ROLE is your dictionary views (DBA_xxx, CDB_xxx, V$..., GV$).

SELECT ANY DICTIONARY is that plus everything else under SYS

SELECT_CATALOG_ROLE nested grant question

Dave, November 02, 2023 - 7:57 pm UTC

Hello All,

I guess my question would be, why does SELECT_CATALOG_ROLE have nested roles granted to it and its name SELECT?

In reality the role is not a SELECT role because it also has
HS_ADMIN_EXECUTE_ROLE, HS_ADMIN_SELECT_ROLE and HS_ADMIN_ROLE.

So can we label a user as read only if they have that role?

Thanks
Dave
Chris Saxon
November 03, 2023 - 5:07 pm UTC

It does? I've checked on various version from 12.2 -> 23c and can only see HS_ADMIN_SELECT_ROLE granted to it:

select granted_role from dba_role_privs
where  grantee = 'SELECT_CATALOG_ROLE';

GRANTED_ROLE                                                                                                                    
--------------------
HS_ADMIN_SELECT_ROLE


Which version are you running? Are you certain someone has not manually added the other HS_ADMIN roles to it?

You can check which HS roles were granted by the install by logging into the database server and running something like:

[oracle@dbaas122 admin]$ cd $ORACLE_HOME/rdbms/admin
[oracle@dbaas122 admin]$ egrep -i "to select_catalog_role" * | grep -i hs_admin
grep: backport_files: Is a directory
caths.sql:grant hs_admin_select_role to select_catalog_role;
grep: cdb_cloud: Is a directory



Probably Clone issue

t1dsoldier, November 13, 2024 - 3:25 pm UTC

Yes you are correct. we are on 19.24

create role hs_admin_select_role;
create role hs_admin_execute_role;
create role hs_admin_role;

grant hs_admin_select_role to select_catalog_role;
grant hs_admin_execute_role to execute_catalog_role;
grant hs_admin_select_role to hs_admin_role;
grant hs_admin_execute_role to hs_admin_role;

When I check out dev and stage, fresh builds the role is only granted the select role.

Should it be rebuilt from the oracle script or copy from another env?

The script has a lot in it and I dont want to cause a huge issue.

Thanks
Dave

'SELECT_CATALOG_ROLE

t1dsoldier, November 13, 2024 - 3:28 pm UTC

hit send too soon. So the role is right in the CDB$ROOT but not in the pluggables

SELECT_CATALOG_ROLE

t1dsoldier, November 13, 2024 - 6:51 pm UTC

I was able to revoke the local role grants and the role maintained its common role grant

There are still a few diffs with direct grants but reading this post and the oracle security doc this role is why too much for an analyst.

Thanks as always
Chris Saxon
November 14, 2024 - 1:48 pm UTC

Did you manage to get this resolved? I would rebuild using the Oracle script rather than trying something home grown.

More to Explore

Design

New to good database design? Check out Chris Saxon's full fundamentals class.