How do I display all of a user's privileges in Oracle?

Time: 2012-03-21 19:39:24

Tags: sql oracle rules privileges

Can someone tell me how to display all the privileges/rules of a specific user in an SQL console?

7 answers:

Answer 0 (score: 145)

You can try these views.

SELECT * FROM USER_SYS_PRIVS; 
SELECT * FROM USER_TAB_PRIVS;
SELECT * FROM USER_ROLE_PRIVS;

DBAs and other power users can find the privileges granted to other users with the DBA_ versions of these same views. They are covered in the documentation.

These views only show the privileges granted directly to the user. Finding all privileges, including those granted indirectly through roles, requires more complicated recursive SQL statements:

select * from dba_role_privs connect by prior granted_role = grantee start with grantee = '&USER' order by 1,2,3;
select * from dba_sys_privs  where grantee = '&USER' or grantee in (select granted_role from dba_role_privs connect by prior granted_role = grantee start with grantee = '&USER') order by 1,2,3;
select * from dba_tab_privs  where grantee = '&USER' or grantee in (select granted_role from dba_role_privs connect by prior granted_role = grantee start with grantee = '&USER') order by 1,2,3,4;

Answer 1 (score: 18)

There are various scripts floating around, depending on how crazy you want to get. Personally, I would use Pete Finnigan's find_all_privs script.

If you want to write it yourself, the query gets rather challenging. Users can be granted system privileges, which are visible in DBA_SYS_PRIVS. They can be granted object privileges, which are visible in DBA_TAB_PRIVS. And they can be granted roles, which are visible in DBA_ROLE_PRIVS (roles can be default or non-default, and can also require a password, so just because a user has been granted a role does not necessarily mean the user can use the privileges obtained through that role by default). Those roles, in turn, can be granted system privileges, object privileges and other roles, which you can see by looking at ROLE_SYS_PRIVS, ROLE_TAB_PRIVS and ROLE_ROLE_PRIVS. Pete's script walks these relationships to show all the privileges that ultimately flow to the user.
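The following query is an added example that is not part of any answer on this page and is not Pete Finnigan's script; it combines the points made in answers 0 and 1 into a single statement. It assumes Oracle 11.2 or later (recursive subquery factoring), SQL*Plus or SQLcl substitution variables, SELECT access to the DBA_* views (for example via SELECT_CATALOG_ROLE), and a hypothetical target account named SCOTT. Beyond what the answers show, it carries the DEFAULT_ROLE flag of the first hop down the role chain, reports whether a role is password-protected, includes grants made to PUBLIC (which every account inherits), and reads column-level grants from DBA_COL_PRIVS.

```sql
-- Added example (not from the answers above): effective privileges of one
-- account, walking nested role grants with recursive subquery factoring
-- (Oracle 11.2 or later). Assumes SQL*Plus or SQLcl substitution variables,
-- SELECT access to the DBA_* views (for example via SELECT_CATALOG_ROLE), and a
-- hypothetical target account SCOTT; dictionary names are upper case.
DEFINE TARGET_USER = SCOTT
WITH role_tree (granted_role, login_default, lvl, grant_path) AS (
    -- Anchor: roles granted to the account itself and to PUBLIC (every account
    -- inherits grants made to PUBLIC). DEFAULT_ROLE tells whether the role is
    -- enabled at login; it is meaningful only on this first hop.
    SELECT granted_role,
           default_role,
           1,
           CAST(grantee || ' > ' || granted_role AS VARCHAR2(4000))
    FROM   dba_role_privs
    WHERE  grantee IN ('&&TARGET_USER', 'PUBLIC')
    UNION ALL
    -- Recursive step: roles granted to roles already reached. A role reached
    -- through a non-default role stays inactive until SET ROLE enables the
    -- parent, so the first hop's flag is carried down the path.
    SELECT rp.granted_role,
           rt.login_default,
           rt.lvl + 1,
           rt.grant_path || ' > ' || rp.granted_role
    FROM   dba_role_privs rp
    JOIN   role_tree rt ON rt.granted_role = rp.grantee
),
-- Oracle refuses circular role grants (ORA-01934), so no CYCLE clause is needed.
-- GROUP BY collapses the paths to one row per role; MAX(login_default) is 'YES'
-- when at least one path to the role is active at login ('YES' sorts above 'NO').
effective_roles AS (
    SELECT rt.granted_role,
           MAX(rt.login_default)    AS login_default,
           MAX(r.password_required) AS password_required,
           MIN(rt.grant_path)       AS via
    FROM   role_tree rt
    JOIN   dba_roles r ON r.role = rt.granted_role
    GROUP  BY rt.granted_role
)
SELECT 'SYSTEM' AS priv_type,
       sp.privilege,
       CAST(NULL AS VARCHAR2(128)) AS owner,
       CAST(NULL AS VARCHAR2(128)) AS object_name,
       CAST(NULL AS VARCHAR2(128)) AS column_name,
       sp.grantee AS granted_to,
       CASE WHEN sp.grantee IN ('&&TARGET_USER', 'PUBLIC') THEN 'YES'
            ELSE er.login_default END AS active_at_login,
       NVL(er.password_required, 'NO') AS role_needs_password,
       sp.admin_option AS admin_or_grant_option,
       er.via
FROM   dba_sys_privs sp
LEFT   JOIN effective_roles er ON er.granted_role = sp.grantee
WHERE  sp.grantee IN ('&&TARGET_USER', 'PUBLIC')
   OR  er.granted_role IS NOT NULL
UNION ALL
SELECT 'OBJECT',
       tp.privilege,
       tp.owner,
       tp.table_name,
       CAST(NULL AS VARCHAR2(128)),
       tp.grantee,
       CASE WHEN tp.grantee IN ('&&TARGET_USER', 'PUBLIC') THEN 'YES'
            ELSE er.login_default END,
       NVL(er.password_required, 'NO'),
       tp.grantable,
       er.via
FROM   dba_tab_privs tp
LEFT   JOIN effective_roles er ON er.granted_role = tp.grantee
WHERE  tp.grantee IN ('&&TARGET_USER', 'PUBLIC')
   OR  er.granted_role IS NOT NULL
UNION ALL
-- Column-level grants live in a third view that the answers above do not read.
SELECT 'COLUMN',
       cp.privilege,
       cp.owner,
       cp.table_name,
       cp.column_name,
       cp.grantee,
       CASE WHEN cp.grantee IN ('&&TARGET_USER', 'PUBLIC') THEN 'YES'
            ELSE er.login_default END,
       NVL(er.password_required, 'NO'),
       cp.grantable,
       er.via
FROM   dba_col_privs cp
LEFT   JOIN effective_roles er ON er.granted_role = cp.grantee
WHERE  cp.grantee IN ('&&TARGET_USER', 'PUBLIC')
   OR  er.granted_role IS NOT NULL
ORDER  BY 1, 2, 3, 4, 5, 6;
```

Rows with active_at_login = 'NO' or role_needs_password = 'YES' are privileges the account holds but cannot use until it runs SET ROLE (with the password, where one is required), which is the distinction answer 1 warns about. To see what is actually enabled in the current session rather than what is granted, query SESSION_PRIVS and SESSION_ROLES instead.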

Answer 2 (score: 7)

Another useful resource:

http://psoug.org/reference/roles.html

  • DBA_SYS_PRIVS
  • DBA_TAB_PRIVS
  • DBA_ROLE_PRIVS

Answer 3 (score: 1)

You can use the following code to get a list of all privileges for all users.

select * from dba_sys_privs 

Answer 4 (score: 0)

While Raviteja Vutukuri's answer works and is quick to put together, it is not particularly flexible when it comes to changing the filters, and it does not help much if you want to do something programmatically. So I put together my own query:

SELECT
    PRIVILEGE,
    OBJ_OWNER,
    OBJ_NAME,
    USERNAME,
    LISTAGG(GRANT_TARGET, ',') WITHIN GROUP (ORDER BY GRANT_TARGET) AS GRANT_SOURCES, -- Lists the sources of the permission
    MAX(ADMIN_OR_GRANT_OPT) AS ADMIN_OR_GRANT_OPT, -- MAX acts as a Boolean OR by picking 'YES' over 'NO'
    MAX(HIERARCHY_OPT) AS HIERARCHY_OPT -- MAX acts as a Boolean OR by picking 'YES' over 'NO'
FROM (
    -- Gets all roles a user has, even inherited ones
    WITH ALL_ROLES_FOR_USER AS (
        SELECT DISTINCT CONNECT_BY_ROOT GRANTEE AS GRANTED_USER, GRANTED_ROLE
        FROM DBA_ROLE_PRIVS
        CONNECT BY GRANTEE = PRIOR GRANTED_ROLE
    )
    SELECT
        PRIVILEGE,
        OBJ_OWNER,
        OBJ_NAME,
        USERNAME,
        REPLACE(GRANT_TARGET, USERNAME, 'Direct to user') AS GRANT_TARGET,
        ADMIN_OR_GRANT_OPT,
        HIERARCHY_OPT
    FROM (
        -- System privileges granted directly to users
        SELECT PRIVILEGE, NULL AS OBJ_OWNER, NULL AS OBJ_NAME, GRANTEE AS USERNAME, GRANTEE AS GRANT_TARGET, ADMIN_OPTION AS ADMIN_OR_GRANT_OPT, NULL AS HIERARCHY_OPT
        FROM DBA_SYS_PRIVS
        WHERE GRANTEE IN (SELECT USERNAME FROM DBA_USERS)
        UNION ALL
        -- System privileges granted users through roles
        SELECT PRIVILEGE, NULL AS OBJ_OWNER, NULL AS OBJ_NAME, ALL_ROLES_FOR_USER.GRANTED_USER AS USERNAME, GRANTEE AS GRANT_TARGET, ADMIN_OPTION AS ADMIN_OR_GRANT_OPT, NULL AS HIERARCHY_OPT
        FROM DBA_SYS_PRIVS
        JOIN ALL_ROLES_FOR_USER ON ALL_ROLES_FOR_USER.GRANTED_ROLE = DBA_SYS_PRIVS.GRANTEE
        UNION ALL
        -- Object privileges granted directly to users
        SELECT PRIVILEGE, OWNER AS OBJ_OWNER, TABLE_NAME AS OBJ_NAME, GRANTEE AS USERNAME, GRANTEE AS GRANT_TARGET, GRANTABLE, HIERARCHY
        FROM DBA_TAB_PRIVS
        WHERE GRANTEE IN (SELECT USERNAME FROM DBA_USERS)
        UNION ALL
        -- Object privileges granted users through roles
        SELECT PRIVILEGE, OWNER AS OBJ_OWNER, TABLE_NAME AS OBJ_NAME, GRANTEE AS USERNAME, ALL_ROLES_FOR_USER.GRANTED_ROLE AS GRANT_TARGET, GRANTABLE, HIERARCHY
        FROM DBA_TAB_PRIVS
        JOIN ALL_ROLES_FOR_USER ON ALL_ROLES_FOR_USER.GRANTED_ROLE = DBA_TAB_PRIVS.GRANTEE
    ) ALL_USER_PRIVS
    -- Adjust your filter here
    WHERE USERNAME = 'USER_NAME'
) DISTINCT_USER_PRIVS
GROUP BY
    PRIVILEGE,
    OBJ_OWNER,
    OBJ_NAME,
    USERNAME
;

Advantages:

  • Just by changing a single WHERE clause, I can easily filter on many different things, such as object, privilege, whether it comes through a particular role, and so on.
  • It is one query, which means I do not have to bother stitching results together.
  • It answers whether they can grant the privilege, and whether it includes sub-objects (the "hierarchy" part), combined across the different sources of the privilege.
  • It is easy to see everything needed to revoke a privilege, because it lists all the sources of the privilege.
  • It combines table and system privileges into one unified view, so we can list all of a user's privileges in one go.
  • It is a query, not a function that sprays everything out to something like DBMS_OUTPUT (contrast Pete Finnigan's linked script). This is useful for programmatic use and exporting.
  • The filter is not duplicated; it appears only once. That makes it easier to change.
  • If you need to check each individual GRANT, the subqueries can easily be stripped out.

Answer 5 (score: 0)

Show all privileges:

select name from system_privilege_map;

Answer 6 (score: 0)

A simpler single-query Oracle version.

WITH data 
     AS (SELECT granted_role 
         FROM   dba_role_privs 
         CONNECT BY PRIOR granted_role = grantee 
         START WITH grantee = '&USER') 
SELECT 'SYSTEM'     typ, 
       grantee      grantee, 
       privilege    priv, 
       admin_option ad, 
       '--'         tabnm, 
       '--'         colnm, 
       '--'         owner 
FROM   dba_sys_privs 
WHERE  grantee = '&USER' 
        OR grantee IN (SELECT granted_role 
                       FROM   data) 
UNION 
SELECT 'TABLE'    typ, 
       grantee    grantee, 
       privilege  priv, 
       grantable  ad, 
       table_name tabnm, 
       '--'       colnm, 
       owner      owner 
FROM   dba_tab_privs 
WHERE  grantee = '&USER' 
        OR grantee IN (SELECT granted_role 
                       FROM   data) 
ORDER  BY 1;