【权限】admin option和grant option的使用测试

在测试ADMIN OPTION和GRANT OPTION之前，先介绍几个概念，如下：

1）系统权限：是针对oracle系统操作而言，例如登陆create session，创建表：create table等；

2）对象权限：是针对对象操作的权限，例如对表的DML操作、sp的exec等；

3）ADMIN OPTION（只能用于系统权限）比如：sys用户将create table的系统权限加上ADMIN OPTION一同赋予jeff用户，那么jeff用户就有权利将create table的系统权限emi用户，当sys将jeff的create table的系统权限收回时，那么jeff将失去create table的系统权限，不过需要注意的是，撤销系统权限的时候，不会级联影响，也就是说，emi用户依然有create table的权限。

4）GRANT OPTION（只能用于对象权限）GRANT OPTION的用法与ADMIN OPTION相似，只不过，在撤销的时候，级联影响，比如sys撤销了jeff的select scott.emp的查询权限，如果这个权限jeff赋予emi了，那么当sys撤销时，jeff差选权限失效，emi的查询权限也级联失效。

一：ADMIN OPTION测试：

1)   创建用户jeff和emi

SYS@ORA11GR2>create user jeff identified by jeff;

 

User created.

 

SYS@ORA11GR2>create user emi identified by emi;

 

User created.

 

SYS@ORA11GR2>

2)   只给jeff和emi用户connect角色

SYS@ORA11GR2>grant connect to jeff,emi;

 

Grant succeeded.

 

SYS@ORA11GR2>

3)   连接jeff用户成功，但无法创建表

SYS@ORA11GR2>conn jeff/jeff

Connected.

JEFF@ORA11GR2>create table t(x int);

create table t(x int)

*

ERROR at line 1:

ORA-01031: insufficient privileges

 

JEFF@ORA11GR2>

4)   连接emi用户成功，但无法创建表

JEFF@ORA11GR2>conn emi/emi

Connected.

EMI@ORA11GR2>create table t(x int);

create table t(x int)

*

ERROR at line 1:

ORA-01031: insufficient privileges

 

5)   利用sys用户将create table权限赋予jeff用户并且使用admin option子句

EMI@ORA11GR2>conn / as sysdba

Connected.

SYS@ORA11GR2>

SYS@ORA11GR2>grant create table to jeff with admin option;

 

Grant succeeded.

 

SYS@ORA11GR2>

6)   再次连接jeff用户并成功创建了表

SYS@ORA11GR2>conn jeff/jeff

Connected.

JEFF@ORA11GR2>create table t(x int);

 

Table created.

 

JEFF@ORA11GR2>

7)   Jeff用户将sys赋予它的create table权限转赋给emi用户，赋予成功

JEFF@ORA11GR2>grant create table to emi;

 

Grant succeeded.

 

JEFF@ORA11GR2>

8)   连接emi用户也成功的创建了表

JEFF@ORA11GR2>conn emi/emi

Connected.

EMI@ORA11GR2>create table t(x int);

 

Table created.

 

EMI@ORA11GR2>

9)   连接会sys用户，收回jeff的create table的权限

EMI@ORA11GR2>conn / as sysdba

Connected.

SYS@ORA11GR2>revoke create table from jeff;

 

Revoke succeeded.

 

SYS@ORA11GR2>

10)  第三次连接jeff用户，因为jeff用户已无create table权限，所以无权建表

SYS@ORA11GR2>conn jeff/jeff

Connected.

JEFF@ORA11GR2>create table t1(x int);

create table t1(x int)

*

ERROR at line 1:

ORA-01031: insufficient privileges

 

 

JEFF@ORA11GR2>

11)  再次连接到emi用户，emi的建表权限是jeff给的，虽然jeff已经 没有了建表的权限，不过由于当初jeff给emi建表权限的时候，jeff的建表权限是sys连通admin option一起赋予的，虽然jeff此时已经没有了建表权限，不过，emi依然还有建表的权限，就是因为，当初jeff的建表权限是带admin option子句的。

JEFF@ORA11GR2>conn emi/emi

Connected.

EMI@ORA11GR2>create table t1(x int);

 

Table created.

 

EMI@ORA11GR2>

二：GRANT OPTION测试：

1)   清理环境并重新创建用户，赋予create session权限(即connect角色中的唯一权限)，测试连接没问题并且都无权创建表

SYS@ORA11GR2>drop user jeff cascade;

 

User dropped.

 

SYS@ORA11GR2>drop user emi cascade;

 

User dropped.

 

SYS@ORA11GR2>create user jeff identified by jeff;

 

User created.

 

SYS@ORA11GR2>create user emi identified by emi;

 

User created.

 

SYS@ORA11GR2>grant create session to jeff,emi;

 

Grant succeeded.

 

SYS@ORA11GR2>conn jeff/jeff

Connected.

JEFF@ORA11GR2>

JEFF@ORA11GR2>select count(*) from scott.emp;

select count(*) from scott.emp

                           *

ERROR at line 1:

ORA-00942: table or view does not exist

 

 

JEFF@ORA11GR2>

JEFF@ORA11GR2>conn emi/emi

Connected.

EMI@ORA11GR2>

EMI@ORA11GR2>select count(*) from scott.emp;

select count(*) from scott.emp

                           *

ERROR at line 1:

ORA-00942: table or view does not exist

 

 

EMI@ORA11GR2>

2)   回到sys用户下，赋予jeff用户select on scott.emp的对象查询权限并且加上grant option子句

SYS@ORA11GR2>grant select on scott.emp to jeff with grant option;

 

Grant succeeded.

 

SYS@ORA11GR2>

SYS@ORA11GR2>conn jeff/jeff

Connected.

JEFF@ORA11GR2>select count(*) from scott.emp;

 

  COUNT(*)

----------

        14

 

JEFF@ORA11GR2>

3)   由于jeff用户select on scott.emp的对象查询权限是sys用户赋予的并且加上grant option子句，所以jeff有权利将select on scott.emp的对象查询权限给emi用户

JEFF@ORA11GR2>grant select on scott.emp to emi with grant option;

 

Grant succeeded.

 

JEFF@ORA11GR2>

JEFF@ORA11GR2>conn emi/emi

Connected.

EMI@ORA11GR2>select count(*) from scott.emp;

 

  COUNT(*)

----------

        14

 

EMI@ORA11GR2>

4)   回到sys用户，回收jeff用户select on scott.emp的对象查询权限

EMI@ORA11GR2>conn / as sysdba

Connected.

SYS@ORA11GR2>revoke select on scott.emp from jeff;

 

Revoke succeeded.

 

SYS@ORA11GR2>

5)   验证jeff是否还有查询scott用户的emp的权限，结果是没有

SYS@ORA11GR2>conn jeff/jeff

Connected.

JEFF@ORA11GR2>select count(*) from scott.emp;

select count(*) from scott.emp

                           *

ERROR at line 1:

ORA-00942: table or view does not exist

 

 

JEFF@ORA11GR2>

6)   验证emi是否依然还有查询scott用户的emp的权限，结果是也没有

JEFF@ORA11GR2>conn emi/emi

Connected.

EMI@ORA11GR2>select count(*) from scott.emp;

select count(*) from scott.emp

                           *

ERROR at line 1:

ORA-00942: table or view does not exist

 

 

EMI@ORA11GR2>

小结：

1.ADMIN OPTION：仅用于系统权限，在撤销权限时无级联效应；

2.GRANT OPTION：仅用于对象权限，在撤销权限是，级联应用；

3.系统权限不加ADMIN OPTION子句，那么被赋予的用户没有权利“转赠”他人；“GRANT OPTION”如是。

来自 “ ITPUB博客 ” ，链接：http://blog.itpub.net/685769/viewspace-745307/，如需转载，请注明出处，否则将追究法律责任。

转载于:http://blog.itpub.net/685769/viewspace-745307/