Users, roles and privileges in Oracle

这个介绍的比较不错，当然官方文档很详细。记录一下。

原址如下：

http://www.adp-gmbh.ch/ora/misc/users_roles_privs.html

 

Users, roles and privileges in Oracle

Privileges

A privilege is a right to execute an   SQL statement  or to access another user's object. In Oracle, there are two types of privileges:   system privileges  and   object privileges. A privileges can be assigned to a   user  or a   role

The set of privileges is fixed, that is, there is no SQL statement like   create privilege xyz...

System privileges

There are quite a few system privileges: in Oracle 9.2, we count 157 of them, and   10g  has even 173. Those can be displayed with

select name from system_privilege_map

Executing this statement, we find privileges like   create session, drop user,   alter database, see   system privileges.

System privileges can be   audited.

Arguably, the most important system privileges are:

• create session (A user cannot login without this privilege. If he tries, he gets an ORA-01045).
• create table
• create view
• create procedure
• sysdba
• sysoper

Object privileges

privileges can be assigned to the following types of   database objects:

• Tables
  select, insert, update, delete, alter, debug, flashback, on commit refresh, query rewrite, references, all
• Views
  select, insert, update, delete, under, references, flashback, debug
• Sequence
  alter, select
• Packeges, Procedures, Functions (Java classes, sources...)
  execute, debug
• Materialized Views
  delete, flashback, insert, select, update
• Directories
  read, write
• Libraries
  execute
• User defined types
  execute, debug, under
• Operators
  execute
• Indextypes
  execute

For a user to be able to access an object in another user's schema, he needs the according object privilege.

Object privileges can be displayed using   all_tab_privs_made  or user_tab_privs_made.

Public

If a privilege is granted to the special role   public, this privilege can be executed by all other users. However,   sysdba  cannot be granted to public.

Users

to be finished ...

Roles

Predefined Roles

Along with the installation, more exactly with the   creation of an oracle database, Oracle creates predefined roles. These are:

• connect, resource, dba
  These might not be created anymore in future versions of Oracle. 
  Oracle 9.2 grants create session, alter session, create synonym, create view, create database link, create table,create cluster and create sequence to connect. 
  It also grants create table , create cluster, create sequence, create trigger create procedure, create type,create indextype and create operator to resource. 
  The role dba gets basically everything and that with admin option.
• delete_catalog_role, execute_catalog_role, select_catalog_role
  Accessing data dictionary views (v$ views and static dictionary views)
• exp_full_database, imp_full_database
  This role is needed to export objects found in another user's schema.
• aq_user_role, aq_administrator_role, global_aq_user_role(?)
• logstdby_administrator
• snmpagent
• recovery_catalog_owner
• hs_admin_role
• oem_monitor, oem_advisor
• scheduler_admin
• gather_system_statistics
• plustrace
• xdbadmin
• xdbwebservices
• ctxapp

Assigning privileges to users and roles

A privilege can be assigned to a user with the   grant  sql statment. On the other hand,   revoke  allows to take away such privileges from users and roles.

Oracle stores the granted privileges in its   data dictionary.

Displaying the relationship between users, roles and privileges

Use   this script  to recursively list users, granted roles and privileges.

Thanks

Thanks to   Josette Hammer  for notifying me of a typo and to Muhammad Imran  for correcting an error on this page.