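How do I grant DDL privileges in Oracle?
In the database I have the users SCHEMA_1, SCHEMA_2 and SCHEMA_3.
Now I want schema_1 to be able to execute DDL only on SCHEMA_2.
Can this be granted at the SCHEMA_2 level or at the system level?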
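Answer 0 (score: 1)
Oracle doesn't work that way. You have to grant that user CREATE ANY [OBJECT_TYPE]
and have a system event trigger that restricts them from working in the schemas you don't want them working in.
Warning: this uses undocumented features of DBMS_STANDARD.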
CREATE OR REPLACE TRIGGER schema_1_on_schema_2
before DDL on DATABASE
declare
  has_dba_priv number;
  n number;
  stmt clob;                 -- full text of the triggering statement
  sql_text ora_name_list_t;  -- statement chunks filled in by ora_sql_txt
BEGIN
  -- exit if user is object owner
  if ora_dict_obj_owner = ora_login_user then
    return;
  end if;
  -- exit if user has dba directly
  select count(*)
    into has_dba_priv
    from dba_role_privs
   where granted_role = 'DBA'
     and grantee = ora_login_user;
  if has_dba_priv <> 0 then
    return;
  end if;
  -- exit if action is an automatic recompile
  stmt := null;
  n := ora_sql_txt(sql_text);
  FOR i IN 1..n LOOP
    stmt := stmt || sql_text(i);
  END LOOP;
  if stmt like 'ALTER % COMPILE REUSE SETTINGS%' then
    return;
  end if;
  -- you should probably organize this into a database table of permitted
  -- schema_x can affect schema_y, but this is a "basic" example
  if (ora_dict_obj_owner = 'SCHEMA_2')
     and (ora_login_user = 'SCHEMA_1') then
    null;  -- permitted pair: let the DDL proceed
  else
    raise_application_error (-20000, 'User ' || ora_login_user ||
      ' is not permitted to execute DDL against ' || ora_dict_obj_owner);
  end if;
end;
/
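Answer 1 (score: 1)
A better approach might be to embed the schema_2 DDL in procedures and grant execute on those procedures to schema_1. Explaining your requirements more fully might get you a fuller/better answer.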
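An added example of the procedure-based approach from the second answer (not part of either answer): a definer's-rights package owned by SCHEMA_2 that exposes one narrowly scoped DDL operation and validates every input before building the statement. The package name `ddl_api`, the procedure `add_column` and the list of permitted data types are assumptions made for illustration.

```sql
-- Run as SCHEMA_2. ddl_api / add_column are hypothetical names for this example.
CREATE OR REPLACE PACKAGE ddl_api AUTHID DEFINER AS
  PROCEDURE add_column(p_table  IN VARCHAR2,
                       p_column IN VARCHAR2,
                       p_type   IN VARCHAR2);
END ddl_api;
/
CREATE OR REPLACE PACKAGE BODY ddl_api AS
  PROCEDURE add_column(p_table  IN VARCHAR2,
                       p_column IN VARCHAR2,
                       p_type   IN VARCHAR2) IS
    l_table  VARCHAR2(130);
    l_column VARCHAR2(130);
    l_type   VARCHAR2(30);
  BEGIN
    -- SIMPLE_SQL_NAME raises ORA-44003 unless the input is a single,
    -- unqualified identifier, so a caller cannot name another schema
    -- or append further SQL to the statement.
    l_table  := DBMS_ASSERT.SIMPLE_SQL_NAME(p_table);
    l_column := DBMS_ASSERT.SIMPLE_SQL_NAME(p_column);

    -- The data type comes from a fixed allow-list, never from caller text.
    l_type := CASE UPPER(TRIM(p_type))
                WHEN 'NUMBER'   THEN 'NUMBER'
                WHEN 'DATE'     THEN 'DATE'
                WHEN 'VARCHAR2' THEN 'VARCHAR2(4000)'
              END;
    IF l_type IS NULL THEN
      RAISE_APPLICATION_ERROR(-20001, 'Data type not permitted: ' || p_type);
    END IF;

    -- The unqualified table name resolves in the owner's schema (SCHEMA_2)
    -- because the package runs with definer's rights.
    EXECUTE IMMEDIATE
      'ALTER TABLE ' || l_table || ' ADD (' || l_column || ' ' || l_type || ')';
  END add_column;
END ddl_api;
/
-- SCHEMA_1 needs only this grant, not CREATE ANY / ALTER ANY privileges.
GRANT EXECUTE ON ddl_api TO schema_1;
```

SCHEMA_1 would then call, for a constructed table name, `schema_2.ddl_api.add_column('ORDERS', 'NOTE', 'VARCHAR2')`; any DDL outside what the package exposes stays unavailable to it.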