Skip to Main Content
  • Questions

  • Looking for a table-driven Oracle script to grant privileges

Breadcrumb

Question and Answer

Tom Kyte

Thanks for the question, Todd.

Asked: April 24, 2013 - 6:02 pm UTC

Last updated: April 25, 2013 - 7:27 pm UTC

Version: 10.2.0

Viewed 1000+ times

You Asked

I'm sure someone out there has done this and we're hoping to not have to re-invent the wheel.

We are looking for a table-driven PL/SQL script that issues privileges to tables in other schemas within the database. We want it to be table-driven to make it flexible. We are thinking about a new configuration table with columns like 1. the Oracle username or role name, 2. the target schema in which the privileges are to be granted, and 3. the type of privilege (for example, "INSERT" or "SELECT"). We want the script to select from this configuration table and check to see if the users/roles in this configuration table have the privileges in the target schema. If the users/roles do not have the privileges listed in the configuration table the script should issue the privileges.

Example:
The configuration table contains the username, the target schema, and the type of privilege. Here's five sample records.
USER1, SCHEMA1, INSERT
USER1, SCHEMA1, UPDATE
USER1, SCHEMA1, SELECT
ROLE1, SCHEMA1, SELECT
ROLE1, SCHEMA2, SELECT

1. If, for example, USER1 (an individual user account) currently has only SELECT privileges on all the tables in SCHEMA1, the script will issue the missing UPDATE and INSERT priveleges on all the tables in SCHEMA1 to USER1.

2. If, for example, ROLE1 (a database role) currently has SELECT privileges on only the tables in the SCHEMA1 schema, the script will issue the missing SELECT privileges on all the tables in the SCHEMA2 schema.

Is there a better way to accomplish this?

Thanks!

and Tom said...

I don't know of anyone that has implemented exactly what you are asking for - but it would be fairly trivial

If you really mean this to discover all of the objects in the schema to grant on and grant on them (typically considered "a bad idea from a security perspective"), that would not be hard to script up at all:


begin
   for x in ( select * from your_table )
   loop
      for y in (select * from dba_objects 
                 where owner = x.schema1
                   and object_type in ('TABLE', 'VIEW') )
      loop
          execute immediate 'grant ' || x.what || 
                            ' on "' || y.owner || '"."' || y.object_name || 
                            '" to "' || dbms_assert.simple_sql_name( x.username ) || '"';
      end loop;
   end loop;
end;


just grant them all - if already granted, then so what. it would probably take longer for you to look to see if it were granted already.

put a check constraint on your table to check that what is in select, insert, update, delete to avoid sql injection issues on that field.

Is this answer out of date? If it is, please let us know via a Comment
more

Connor and Chris don't just spend all day on AskTOM. You can also catch regular content via Connor's blog and Chris's blog. Or if video is more your thing, check out Connor's channel and Chris's channel from their Youtube channels. And of course, keep up to date with AskTOM via the official twitter account.

More to Explore

DBMS_ASSERT

More on PL/SQL routine DBMS_ASSERT here