HPE Community
Operating System - HP-UX
1752789 Members
5660 Online
108789 Solutions
New Discussion юеВ

grant "almost" dba privies on specific schema

 
SOLVED
Go to solution
Ratzie
Super Advisor

тАО12-04-2008 01:07 PM

тАО12-04-2008 01:07 PM

grant "almost" dba privies on specific schema

I do not want to grant DBA to a specific user so he can do what ever he wants within his schema.
I know... the question will be, well what do you want to grant him.
I need to make this easy, I thought of doing this in OEM, but click-i-tis started happening.

I do not want to grant CREATE ANY, etc.
the resource role looked good, but is does not allow to create views, drop views, create anything from within his schema, triggers, sequences, procedures, as well as DROP and ALTER etc...
0 Kudos
5 REPLIES 5
AINMS
Respected Contributor

тАО12-14-2008 03:59 AM

тАО12-14-2008 03:59 AM

Re: grant "almost" dba privies on specific schema

hi
you can grant these roles if you don't need it to create any
SQL> GRANT connect TO user;
SQL> GRANT dba TO user;
SQL> GRANT exp_full_database TO user;
SQL> GRANT imp_full_database TO user;
SQL> GRANT unlimited tablespace TO user;
SQL> GRANT select any table TO user;
SQL> GRANT select any dictionary TO user;
SQL> GRANT execute ON sys.dbms_lock TO user;
SQL> COMMIT;
SQL> CONNECT user/password;

HTH
AINMS
If it were all easy, we would not have anything to do.
0 Kudos
Eric Antunes
Honored Contributor

тАО12-15-2008 03:58 AM

тАО12-15-2008 03:58 AM

Re: grant "almost" dba privies on specific schema

Hi Ratzie,

CONNECT role is a good start. See the system privileges of roles in dba_sys_privs:

select *
from ROLE_SYS_PRIVS
where role = 'CONNECT'

Regardless of roles, the user will be able to drop and alter all objects in HIS schema.

Best Regards,

Eric Antunes
Each and every day is a good day to learn.
0 Kudos
Vadim Loginov
Advisor

тАО12-29-2008 06:02 AM

тАО12-29-2008 06:02 AM

Solution

Re: grant "almost" dba privies on specific schema

Hi Ratzie,
I would recommend you to create a new role - ROLE_XXX.
Then you can either grant role CONNECT (if you use Oracle 9i - http://my.opera.com/onyxluo/blog/change-of-connect-role-in-oracle-10g) to ROLE_XXX or grant all appropriate system privileges to ROLE_XXX.

Grant CREATE SESSION to ROLE_XXX
Grant CREATE VIEW to ROLE_XXX
Grant CREATE TABLE to ROLE_XXX
Grant CREATE SYNONYM to ROLE_XXX
Grant CREATE SEQUENCE to ROLE_XXX
├в ┬ж├в ┬ж.
The list of all (Oracle) system privileges is here: http://www.adp-gmbh.ch/ora/admin/system_privileges.html

Finally, grant ROLE_XXX to your user.

Regards,
Vadim
0 Kudos
Ben Dehner
Trusted Contributor

тАО12-29-2008 02:50 PM

тАО12-29-2008 02:50 PM

Re: grant "almost" dba privies on specific schema

Vadim had a good suggestion. Create a role with the various 'create ' privileges, and grant that role to the users. This is what I do, and I typically grant the following privs:

create session
alter session
create table
create view
create trigger
create procedure
create sequence
create type
create synonym
create cluster
create materialized view
create materialized view log

Two things to note:
First, if you own an object, you automagically have privileges to alter, drop, whatever on that object. However, "create session" and "alter session" are different, because these are seperate system privleges, not object privleges.

Second, any object that takes up space (tables, indexes, anything that has a "tablespace" clause ...) also seperately requires a quota on a tablespace somewhere. You still have to do this manually, can't grant a quote to a role.
Trust me, I know what I'm doing
0 Kudos
Ratzie
Super Advisor

тАО01-06-2009 12:31 PM

тАО01-06-2009 12:31 PM

Re: grant "almost" dba privies on specific schema

Thanks for imput
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.