概述:oracle在分配权限的时候可以使用角色权限进行授权,那角色是不是授予了用户,用户就能够使用角色里面的权限了呢?直接能够使用是不是权限就不安全了对吧!实验证明:
1、创建不带密码的role并进行授权:
SQL> create role cube1;
Role created.
SQL> GRANT SELECT ON HR.EMPLOYEES TO CUBE1;
Grant succeeded.
SQL> grant cube1 to cube;
Grant succeeded.
SQL> select * from dba_role_privs where grantee ='CUBE';
GRANTEE GRANTED_ROLE ADM DEF
------------------------------ ------------------------------ --- ---
CUBE CUBE1 NO YES
CUBE CONNECT NO YES
SQL>
select * from dba_tab_privs where grantee ='CUBE1';
GRANTEE OWNER TABLE_NAME GRANTOR PRIVILEGE GRA HIE
---------------------------------------- ------------------------------------------------------------------------------------------------------------------
CUBE1 HR EMPLOYEES HR SELECT no no
SQL> conn cube/oracle
Connected.
SQL> show user
USER is "CUBE"
SQL> select count(*) from hr.EMPLOYEES;
COUNT(*)
----------
107
2、当给role指定密码时呢?(其中给role设置密码有三种情况:口令、外部和全局)
SQL> conn / as sysdba
Connected.
SQL> alter role cube1 identified by oracle;
SQL> conn cube/oracle
Connected.
SQL> select count(*) from hr.EMPLOYEES;
select count(*) from hr.EMPLOYEES
*
ERROR at line 1:
ORA-00942: table or view does not exist
SQL> set role cube1 identified by oracle;
Role set.
SQL> select count(*) from hr.EMPLOYEES;
COUNT(*)
----------
107
另外开启一个会话:
SQL> conn cube/oracle
Connected.
SQL> select count(*) from hr.EMPLOYEES;
select count(*) from hr.EMPLOYEES
*
ERROR at line 1:
ORA-00942: table or view does not exist
总结:给权限设置密码也是为了安全起见,当用户不知道角色的密码时即使给用户授予了角色也是无法使用角色中的权限的。