grant to other schema
Alejandro Camacho, May 29, 2001 - 12:45 pm UTC
Very useful. thanks
Doesnt it work in 9i
jianhui, July 03, 2003 - 5:35 pm UTC
FYI:
I can do grant of other's object to another user in 9i , but not in 8.1.7
It seems it was a design problem in previous versions, so in 9i , DBA is more like a real DBA now.
Creating procedure in another schema and grant execution right to some users.
Tommy, May 27, 2004 - 3:23 pm UTC
Hi Tom,
I know I can create objects in other schemas by create any procedure/table/view role. But how do I grant rights for other users to these objects?
drop user app_installer cascade
User dropped
create user app_installer identified by app_installer1
User created
drop role code_roll_role
Role dropped
create role code_roll_role
Role created
grant create any table, alter any table,create any procedure,alter any procedure,create any index, create any view
to code_roll_role
Grant succeeded
grant create session,code_roll_role to app_installer
Grant succeeded
connect app_installer/app_installer1;
Connecting as app_installer/app_installer1
/
create or replace procedure test_schema.tmp_proc1
as
v_cnt number;
begin
select count(*) into v_cnt from a_table_in_test_schema;
dbms_output.put_line('count = '||v_cnt);
end;
Procedure created
grant execute on test_schema.tmp_proc1 to user_a
ORA-01031: insufficient privileges
Original user/pwd reconnected
May 27, 2004 - 8:41 pm UTC
version?
RE: Creating procedure in another schema and grant execution right to some users
Tommy, May 28, 2004 - 9:43 am UTC
select * from v$version
BANNER
----------------------------------------------------------------
Oracle9i Enterprise Edition Release 9.0.1.0.0 - Production
PL/SQL Release 9.0.1.0.0 - Production
CORE 9.0.1.0.0 Production
TNS for Linux: Version 9.0.1.0.0 - Production
NLSRTL Version 9.0.1.0.0 - Production
May 28, 2004 - 11:38 am UTC
In 9.2 you can grant on schema A from schema B.
Prior to that, you will need to have that user (schema A) grant to schema B with the grant/admin option.
A reader, December 14, 2004 - 1:21 pm UTC
"In 9.2 you can grant on schema A from schema B.
Prior to that, you will need to have that user (schema A) grant to schema B with the grant/admin option"
Just curious...why was this added to 9.2? From a technical perspective, I am sure it was not a big deal to add? IIRC, there were security considerations in disallowing it in earlier versions?
In general, are there any caveats to using this feature? Using this someone with the DBA role can (in theory) start granting object privileges on any object to any user/role.
Somehow, the earlier behaviour seemed more "sane"! Comments?
Thanks
December 15, 2004 - 12:42 pm UTC
let me generalize: why is any feature added in any release?
because people asked for it in most cases.
this was something that was asked for.
(i was never one asking for it personally, it gives lots of control/capabilities -- it falls into the "ANY" grouping of privs -- really super powerful)
Alexander the ok, February 08, 2007 - 12:11 pm UTC
Hi,
To allow a user to access, modify objects in other schemas we use the with admin option. This however allows them to do so in any schema, correct? I was wondering if there is a way to limit this access to only a specific schema, instead of granting N number of individual statements for all the objects. That makes for a ton of sql statements.
I apologize in advance if you've covered this ad nauseam but I find Oracle security stuff impossibly hard to follow.
February 08, 2007 - 12:49 pm UTC
no, you don't use the admin option for that.
the admin option would allow someone that was granted a privilege to they themselves grant that privilege to others.
Alexander the ok, February 08, 2007 - 1:46 pm UTC
Right but isn't that expected? That's how it works for objects. If the dba grants select with admin to user a, then user a can grant to user b right? I guess I don't see the difference or what problem this would pose.
February 08, 2007 - 1:54 pm UTC
No, you wrote:
... To allow a user to access, modify objects in other schemas we use the with admin option. ...
that is not accurate. I'm not sure what you are trying to say.
Alexander the ok, February 08, 2007 - 2:00 pm UTC
Ok what I was trying to ask is,
grant select any table to joe with admin option;
will allow joe to select from a table in any schema right?
I want to allow joe to select from any table in a specific schema.
February 08, 2007 - 2:16 pm UTC
there is no such capability to "grant select on schema", you grant on individual schema objects.
Alexander the ok, February 08, 2007 - 3:38 pm UTC
Ok that's fine. I'm asking because I am having a problem with grants supposedly disappearing when I drop a schema and import objects back in from a dump. Oracle does not revoke grants to a role that belong to objects that are dropped via drop user cascade correct?
The documentation says roles are not dropped that are created by the dropped user but It doesn't mention anything about grants. Thanks a lot.
February 08, 2007 - 4:28 pm UTC
you are really confusing here - this question is going round and round and where it stops, no one will know.
if you drop a schema, everything goes away. everything granted to it.
if you import a schema level import, - it is expecting the user to exist, with all of the grants.
the import won't grant things TO the user, it'll grant things the user granted.
Alexander the ok, February 08, 2007 - 5:48 pm UTC
Yeah sorry I was getting reports of things happening that actually did not, so I was second guessing myself about how stuff works.
Admin_option
Helen Anderson, September 23, 2010 - 11:19 pm UTC
I am trying to update dba_role_privs.admin_option & default_role for a user, but seem to be running into some issues, can you help ....
update dba_role_privs
set ADMIN_OPTION ='NO'
WHERE GRANTEE = UPPER('wongm3')
AND ADMIN_OPTION IN ('RPD_ALL','RPD_USER');
commit;
September 27, 2010 - 10:12 am UTC
You cannot update the data dictionary - ever.
You use DDL to modify the dictionary. You will use the REVOKE/GRANT commands for this operation.