Oracle11g温习-第十八章:role管理 - Oracle-fans - 博客园
——SYSTEM PRIVILEGE
SYS @ prod > select * from role_sys_privs where role='&name';
Enter value for name: DBA
old 1: select * from role_sys_privs where role='&name'
new 1: select * from role_sys_privs where role='DBA'
ROLE PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
DBA CREATE SESSION YES
DBA ALTER SESSION YES
DBA DROP TABLESPACE YES
DBA BECOME USER YES
DBA DROP ROLLBACK SEGMENT YES
DBA SELECT ANY TABLE YES
DBA INSERT ANY TABLE YES
DBA UPDATE ANY TABLE YES
DBA READ ANY FILE GROUP YES
DBA CREATE EXTERNAL JOB YES
SYS @ prod > select * from role_sys_privs where role='&name';
Enter value for name: CONNECT
old 1: select * from role_sys_privs where role='&name'
new 1: select * from role_sys_privs where role='CONNECT'
ROLE PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
CONNECT CREATE SESSION NO
SYS @ prod > select * from role_sys_privs where role='&name';
Enter value for name: RESOURCE
old 1: select * from role_sys_privs where role='&name'
new 1: select * from role_sys_privs where role='RESOURCE' 【隐含unlimited tablespace 权限(可以在任何一个表空间上拥有配额)
如果将该角色分配给用户,一般都会将该权限收回,再进行表空间配额的分配】
ROLE PRIVILEGE ADMIN_OPT
-------------------- ------------------------------ ---------
RESOURCE CREATE SEQUENCE NO
RESOURCE CREATE TRIGGER NO
RESOURCE CREATE CLUSTER NO
RESOURCE CREATE PROCEDURE NO
RESOURCE CREATE TYPE NO
RESOURCE CREATE OPERATOR NO
RESOURCE CREATE TABLE NO
RESOURCE CREATE INDEXTYPE NO
8 rows selected.
SYS @ prod > select * from role_sys_privs where role='&name';
Enter value for name: PUB_ROLE
old 1: select * from role_sys_privs where role='&name'
new 1: select * from role_sys_privs where role='PUB_ROLE'
ROLE PRIVILEGE ADMIN_OPT
-------------------- ------------------------------ ---------
PUB_ROLE CREATE TABLE NO
PUB_ROLE CREATE SESSION NO
——OBJECT PRIVILEGE
SYS @ prod > select * from role_tab_privs where role='&name';
Enter value for name: PRV_ROLE
old 1: select * from role_tab_privs where role='&name'
new 1: select * from role_tab_privs where role='PRV_ROLE'
ROLE OWNER TABLE_NAME COLUMN_NAME PRIVILEGE GRANTABLE
-------------------- --------------- --------------- --------------- -------------------- ---------------
PRV_ROLE SCOTT EMP SELECT NO
——【default role:当用户建立session 时,用户所分配的role 上的权限会立刻生效。
(如果不显式指定,用户所分配的role都是该用户的default role,默认角色分配的权限一般都很少)】
SYS @ prod > create user tom identified by tom;
User created.
SYS @ prod > create user rose identified by rose;
User created.
SYS @ prod > alter user tom quota 10m on users;
User altered.
SYS @ prod > alter user rose quota 10m on users;
User altered.
SYS @ prod > grant pub_role,prv_role to tom,rose; ——【with admin option 用户有权将role 分配给其他用户】
Grant succeeded.
——【role 可以分配给用户,也可以分配其他role,不能分配给自己。
SYS @ prod > select * from user_role_privs; ——【默认情况下,pub_role 和 prv_role 都是tom的 default role】
USERNAME GRANTED_ROLE ADMIN_OPTION DEFAULT_ROLE OS_GRANTE
--------------- ------------------------------ --------------- --------------- ---------
TOM PRV_ROLE NO YES NO
TOM PUB_ROLE NO YES NO
TOM RESOURCE NO YES NO
SYS @ prod > select * from scott.emp; 【tom 继承了prv_role的object privilege】
EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
---------- ---------- --------- ---------- --------- ---------- ---------- ----------
7369 SMITH CLERK 7902 17-DEC-80 800 20
7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300 30
7521 WARD SALESMAN 7698 22-FEB-81 1250 500 30
7566 JONES MANAGER 7839 02-APR-81 2975 20
7654 MARTIN SALESMAN 7698 28-SEP-81 1250 1400 30
7698 BLAKE MANAGER 7839 01-MAY-81 2850 30
7782 CLARK MANAGER 7839 09-JUN-81 2450 10
7788 SCOTT ANALYST 7566 19-APR-87 3000 100 40
7839 KING PRESIDENT 17-NOV-81 5000 10
7844 TURNER SALESMAN 7698 08-SEP-81 1500 0 30
7876 ADAMS CLERK 7788 23-MAY-87 1100 20
7900 JAMES CLERK 7698 03-DEC-81 950 30
7902 FORD ANALYST 7566 03-DEC-81 3000 20
7934 MILLER CLERK 7782 23-JAN-82 1300 10
SYS @ prod > create table emp as select * from scott.emp; ——【tom 继承了pub_role的system privilege】
Table created.
【显式指定默认 role(对于非default role 必须在启用后,用户才能继承role 所具有的权限)】
SYS @ prod > conn /as sysdba
Connected.
SYS @ prod > alter user tom default role pub_role;
User altered.
SYS @ prod > conn tom/tom
Connected.
TOM @ prod > select * from user_role_privs;
USERNAME GRANTED_ROLE ADMIN_OPTION DEFAULT_ROLE OS_GRANTE
--------------- ------------------------------ --------------- --------------- ---------
TOM PRV_ROLE NO NO NO
TOM PUB_ROLE NO YES NO
TOM RESOURCE NO NO NO
TOM @ prod > select * from scott.emp;
select * from scott.emp
*
ERROR at line 1:
ORA-01031: insufficient privileges
【因为prv_role 是非 default role,所以tom 在建立session 不具有prv_role 的权限】
TOM @ prod > create table t1 (id int);
Table created.
TOM @ prod > set role prv_role;
set role prv_role
*
ERROR at line 1:
ORA-01979: missing or invalid password for role 'PRV_ROLE'
SYS @ prod > set role prv_role identified by oracle; ——【启用非默认角色,如果有口令,需通过password 启用】
Role set.
USERNAME GRANTED_ROLE ADMIN_OPTION DEFAULT_ROLE OS_GRANTE
--------------- ------------------------------ --------------- --------------- ---------
TOM ANNY_ROLE NO NO NO
TOM PRV_ROLE NO NO NO
TOM PUB_ROLE NO YES NO
TOM RESOURCE NO NO N
SYS @ prod > select * from scott.emp;
EMPNO ENAME JOB MGR HIREDATE SAL COMM DEPTNO
---------- ---------- --------- ---------- --------- ---------- ---------- ----------
7369 SMITH CLERK 7902 17-DEC-80 800 20
7499 ALLEN SALESMAN 7698 20-FEB-81 1600 300 30
7521 WARD SALESMAN 7698 22-FEB-81 1250 500 30
7566 JONES MANAGER 7839 02-APR-81 2975 20
7654 MARTIN SALESMAN 7698 28-SEP-81 1250 1400 30
7698 BLAKE MANAGER 7839 01-MAY-81 2850 30
7782 CLARK MANAGER 7839 09-JUN-81 2450 10
7788 SCOTT ANALYST 7566 19-APR-87 3000 100 40
7839 KING PRESIDENT 17-NOV-81 5000 10
7844 TURNER SALESMAN 7698 08-SEP-81 1500 0 30
7876 ADAMS CLERK 7788 23-MAY-87 1100 20
7900 JAMES CLERK 7698 03-DEC-81 950 30
7902 FORD ANALYST 7566 03-DEC-81 3000 20
7934 MILLER CLERK 7782 23-JAN-82 1300 10
【启用非 default role 后,用户就具有了非default role 的权限】
