How do I show all privileges of a user in Oracle?


113

Can someone tell me how to display all the privileges/rules of a specific user in the SQL console?

Answers:


164

You can try the following views.

SELECT * FROM USER_SYS_PRIVS; 
SELECT * FROM USER_TAB_PRIVS;
SELECT * FROM USER_ROLE_PRIVS;

DBAs and other power users can find the privileges granted to other users with the DBA_ versions of these same views. They are covered in the documentation.

These views only show privileges granted directly to the user. Finding all privileges, including those granted indirectly through roles, requires more complicated recursive SQL statements:

select * from dba_role_privs connect by prior granted_role = grantee start with grantee = '&USER' order by 1,2,3;
select * from dba_sys_privs  where grantee = '&USER' or grantee in (select granted_role from dba_role_privs connect by prior granted_role = grantee start with grantee = '&USER') order by 1,2,3;
select * from dba_tab_privs  where grantee = '&USER' or grantee in (select granted_role from dba_role_privs connect by prior granted_role = grantee start with grantee = '&USER') order by 1,2,3,4;

21

There are various scripts that will do this, depending on how crazy you want to get. I personally would use Pete Finnigan's find_all_privs script.

If you want to write it yourself, the query becomes rather difficult. Users can be granted system privileges, which are visible in DBA_SYS_PRIVS. They can be granted object privileges, which are visible in DBA_TAB_PRIVS. And they can be granted roles, which are visible in DBA_ROLE_PRIVS (roles can be default or non-default, and may also require a password, so just because a user has been granted a role does not mean the user can necessarily use the privileges he acquired through that role by default). Those roles can, in turn, be granted system privileges, object privileges, and other roles, which can be seen in ROLE_SYS_PRIVS, ROLE_TAB_PRIVS and ROLE_ROLE_PRIVS. Pete's script walks through these relationships to show all the privileges that eventually flow to the user.


The script is awesome, just checked it out.
I.Tyger

1
You need privileges on the UTL_FILE package, otherwise you get an error when running Pete Finnigan's script: "identifier 'UTL_FILE' must be declared". You can connect via SQL Developer as sys with role sysdba and it works from there, or grant yourself execute privileges on that package:

1
For those of us who don't have SYS privileges and just want to see the privileges of our own account, the script is worthless. I don't have access to UTL_FILE, nor to DBA_SYS_PRIVS and the other DBA/SYS areas the script looks at.
vapcguy

I don't think ROLE_SYS_PRIVS, ROLE_TAB_PRIVS and ROLE_ROLE_PRIVS need that check. The documentation indicates they apply to the current user.
jpmc26

If anyone has a copy of these scripts, could they post them here or somewhere greener (like a gist)? The site is down.
Michael Thompson


2

Although Raviteja Vutukuri's answer works and is quick to put together, it isn't particularly flexible for changing the filter and doesn't help much if you want to do something programmatically. So I put together my own query:

SELECT
    PRIVILEGE,
    OBJ_OWNER,
    OBJ_NAME,
    USERNAME,
    LISTAGG(GRANT_TARGET, ',') WITHIN GROUP (ORDER BY GRANT_TARGET) AS GRANT_SOURCES, -- Lists the sources of the permission
    MAX(ADMIN_OR_GRANT_OPT) AS ADMIN_OR_GRANT_OPT, -- MAX acts as a Boolean OR by picking 'YES' over 'NO'
    MAX(HIERARCHY_OPT) AS HIERARCHY_OPT -- MAX acts as a Boolean OR by picking 'YES' over 'NO'
FROM (
    -- Gets all roles a user has, even inherited ones
    WITH ALL_ROLES_FOR_USER AS (
        SELECT DISTINCT CONNECT_BY_ROOT GRANTEE AS GRANTED_USER, GRANTED_ROLE
        FROM DBA_ROLE_PRIVS
        CONNECT BY GRANTEE = PRIOR GRANTED_ROLE
    )
    SELECT
        PRIVILEGE,
        OBJ_OWNER,
        OBJ_NAME,
        USERNAME,
        REPLACE(GRANT_TARGET, USERNAME, 'Direct to user') AS GRANT_TARGET,
        ADMIN_OR_GRANT_OPT,
        HIERARCHY_OPT
    FROM (
        -- System privileges granted directly to users
        SELECT PRIVILEGE, NULL AS OBJ_OWNER, NULL AS OBJ_NAME, GRANTEE AS USERNAME, GRANTEE AS GRANT_TARGET, ADMIN_OPTION AS ADMIN_OR_GRANT_OPT, NULL AS HIERARCHY_OPT
        FROM DBA_SYS_PRIVS
        WHERE GRANTEE IN (SELECT USERNAME FROM DBA_USERS)
        UNION ALL
        -- System privileges granted users through roles
        SELECT PRIVILEGE, NULL AS OBJ_OWNER, NULL AS OBJ_NAME, ALL_ROLES_FOR_USER.GRANTED_USER AS USERNAME, GRANTEE AS GRANT_TARGET, ADMIN_OPTION AS ADMIN_OR_GRANT_OPT, NULL AS HIERARCHY_OPT
        FROM DBA_SYS_PRIVS
        JOIN ALL_ROLES_FOR_USER ON ALL_ROLES_FOR_USER.GRANTED_ROLE = DBA_SYS_PRIVS.GRANTEE
        UNION ALL
        -- Object privileges granted directly to users
        SELECT PRIVILEGE, OWNER AS OBJ_OWNER, TABLE_NAME AS OBJ_NAME, GRANTEE AS USERNAME, GRANTEE AS GRANT_TARGET, GRANTABLE, HIERARCHY
        FROM DBA_TAB_PRIVS
        WHERE GRANTEE IN (SELECT USERNAME FROM DBA_USERS)
        UNION ALL
        -- Object privileges granted users through roles
        -- USERNAME must be the user the role resolves to (GRANTED_USER), not the role itself,
        -- otherwise the USERNAME filter below never matches role-derived object privileges
        SELECT PRIVILEGE, OWNER AS OBJ_OWNER, TABLE_NAME AS OBJ_NAME, ALL_ROLES_FOR_USER.GRANTED_USER AS USERNAME, GRANTEE AS GRANT_TARGET, GRANTABLE, HIERARCHY
        FROM DBA_TAB_PRIVS
        JOIN ALL_ROLES_FOR_USER ON ALL_ROLES_FOR_USER.GRANTED_ROLE = DBA_TAB_PRIVS.GRANTEE
    ) ALL_USER_PRIVS
    -- Adjust your filter here
    WHERE USERNAME = 'USER_NAME'
) DISTINCT_USER_PRIVS
GROUP BY
    PRIVILEGE,
    OBJ_OWNER,
    OBJ_NAME,
    USERNAME
;

Advantages:

  • I can easily filter on many different pieces of information just by changing one WHERE clause, e.g. object, privilege, whether it comes through a specific role, and so on.
  • It's one query, which means I don't have to bother combining results.
  • It resolves whether they can grant the privilege and whether it includes sub-objects (the "hierarchy" part) across the different sources of the privilege.
  • It's easy to see everything I need to do to revoke a privilege, because it lists all the sources of the privilege.
  • It combines table and system privileges into one unified view, so we can list all of a user's privileges in one go.
  • It's a query rather than DBMS_OUTPUT stuff that spews everything out (compared with Pete Finnigan's linked script). This is useful for programmatic use and exporting.
  • The filter isn't repeated; it appears only once. That makes it easier to change.
  • If you need to check GRANTs for everyone, the subquery can easily be pulled out.

Some TODOs of my own: 1. Add an indicator for whether the user can grant the privilege by granting the role to other users. 2. Figure out how to do this for the current user without DBA privileges. Probably involves USER_SYS_PRIVS (directly granted system privileges), USER_TAB_PRIVS (directly granted object privileges), USER_ROLE_PRIVS (the user's directly granted roles), ROLE_ROLE_PRIVS (to get inherited roles), ROLE_SYS_PRIVS (system privileges through roles) and ROLE_TAB_PRIVS (object privileges through roles). Ugh. Oracle is very complicated.
jpmc26
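The TODO above asks for a version that works for the current user without DBA privileges. The following is an added example, not code from any of the answers: it builds that report from the USER_* and ROLE_* views named in the comment, using a recursive WITH (Oracle 11gR2 or later assumed) instead of CONNECT BY, and keeps the same "list every source of each privilege" shape as the answer's query.

```sql
-- Added example: effective privileges of the CURRENT user, no DBA views needed.
-- Assumes Oracle 11gR2+ (recursive subquery factoring) and the documented
-- columns of USER_SYS_PRIVS, USER_TAB_PRIVS, USER_ROLE_PRIVS, ROLE_*_PRIVS.
WITH my_roles (granted_role) AS (
    -- Anchor: roles granted directly to me
    SELECT granted_role FROM user_role_privs
    UNION ALL
    -- Recursive member: roles granted to roles I already hold (inherited roles)
    SELECT rr.granted_role
    FROM role_role_privs rr
    JOIN my_roles mr ON mr.granted_role = rr.role
),
my_roles_distinct AS (
    -- A role reachable by two paths would otherwise duplicate every privilege row
    SELECT DISTINCT granted_role FROM my_roles
)
SELECT privilege, obj_owner, obj_name,
       LISTAGG(grant_source, ',') WITHIN GROUP (ORDER BY grant_source) AS grant_sources,
       MAX(grant_opt) AS admin_or_grant_opt   -- 'YES' wins over 'NO', acts as boolean OR
FROM (
    -- System privileges granted directly to me
    SELECT privilege, NULL AS obj_owner, NULL AS obj_name,
           'Direct to user' AS grant_source, admin_option AS grant_opt
    FROM user_sys_privs
    UNION ALL
    -- System privileges reaching me through a direct or inherited role
    SELECT rs.privilege, NULL, NULL, rs.role, rs.admin_option
    FROM role_sys_privs rs
    JOIN my_roles_distinct r ON r.granted_role = rs.role
    UNION ALL
    -- Object privileges granted directly to me (USER_TAB_PRIVS also lists grants
    -- where I am owner or grantor, so restrict to rows where I am the grantee)
    SELECT privilege, owner, table_name, 'Direct to user', grantable
    FROM user_tab_privs
    WHERE grantee = USER
    UNION ALL
    -- Object privileges reaching me through a direct or inherited role
    SELECT rt.privilege, rt.owner, rt.table_name, rt.role, rt.grantable
    FROM role_tab_privs rt
    JOIN my_roles_distinct r ON r.granted_role = rt.role
)
GROUP BY privilege, obj_owner, obj_name
ORDER BY obj_owner NULLS FIRST, obj_name, privilege;
```

The ROLE_* views report roles that are granted, whether or not they are enabled in this session (the non-default and password-protected roles mentioned in the answer above); to audit only what the session can actually exercise right now, replace USER_ROLE_PRIVS in the anchor member with SESSION_ROLES (column ROLE).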

1

You can get a list of all privileges from all users using the following code.

select * from dba_sys_privs 

This doesn't list all privileges. As shown by several other answers from years before yours, it omits table privileges and all privileges granted through roles.
jpmc26 '18-10-17

Licensed under cc by-sa 3.0 with attribution required.