6 thoughts on “The difference between granting direct privileges to a user and granting same privileges within a role”

  1. Thanks , I have just been searching for information approximately
    this topic for ages and yours is the best I've found out so far. However, what concerning the bottom line? Are you positive about the source?

    Also visit my web-site … bomba de calor

  2. this is correct but has an exception.
    try to create a self dblink in the same schema where you are trying to create the view.
    you will be able to create the view without having a direct privilge on the table.
    example
    I have one question:
    I have two users A and B
    I want to create a view under schema A. This view is on a single table owned by schema B. Name of the table owned by B is X
    after i login as user A, II get error when I do the following
    create view vw_1 as select * from B.X;
    But following is successfull:
    create view vw_1 as select * from B.X@dblink_Z

    dblink_z is a private database link owned by user A. Below is the command used to create this db link
    create database link dblink_z connect to A identified by 'passwrd' using 'DEV707'

    DEV707 is the name of the database where both the schemas A and B resides.

    Also note that, select on B.X is explicitly revoked from A

    A is granted a role which gets him select access on B.X

    is this a security hole or oracle has some defined purpose of letting a view gets created by creating a self-dblink???

  3. this is correct but has an exception.
    try to create a self dblink in the same schema where you are trying to create the view.
    you will be able to create the view without having a direct privilge on the table.
    example
    I have one question:
    I have two users A and B
    I want to create a view under schema A. This view is on a single table owned by schema B. Name of the table owned by B is X
    after i login as user A, II get error when I do the following
    create view vw_1 as select * from B.X;
    But following is successfull:
    create view vw_1 as select * from B.X@dblink_Z

    dblink_z is a private database link owned by user A. Below is the command used to create this db link
    create database link dblink_z connect to A identified by 'passwrd' using 'DEV707'

    DEV707 is the name of the database where both the schemas A and B resides.

    Also note that, select on B.X is explicitly revoked from A

    A is granted a role which gets him select access on B.X

    is this a security hole or oracle has some defined purpose of letting a view gets created by creating a self-dblink???

  4. Actually the role you gave to user A is not involved in the "create view" statement, once user A creates a DBLINK on his schema linking to user's B schema he will already has direct DML privileges on all user's B objects, in your example, the "create view" statement used the direct DML privilege (select) granted to user A, as user A is the owner of the database link which giving him full & direct DML privileges on all user's B objects.

    If we consider this example as a real case scenario you will not find it a security issue, because user A already knows user's B password (because he created a database link on his schema using user's B password) so he already can access user's B objects if he login to the database using user's b credentials, so once he creates the DBLINK to user's B schema Oracle gives him full DML privileges on user's B objects, so accessing user's B objects through that DBLINK is more secure than letting user A to connect using user's B credentials and have a full DDL&DML privs on user's B objects.

    Oracle gave this example to illustrate using procedures to secure data access through DBLINKs:
    http://docs.oracle.com/cd/B28359_01/server.111/b28310/ds_concepts002.htm#ADMIN12086

  5. {assume that employees submit expense reports to Accounts Payable (A/P), and further suppose that a user using an A/P application needs to retrieve information about employees from the hq database. The A/P users should be able to connect to the hq database and execute a stored procedure in the remote hq database that retrieves the desired information. The A/P users should not need to be hq database users to do their jobs; they should only be able to access hq information in a controlled way as limited by the procedure.}

Leave a Reply

Your email address will not be published. Required fields are marked *