The difference between select any dictionary and select_catalog_role

Posted by zecaro on 2011-03-08

select any dictionary and select_catalog_role

What they have in common: with either of the two, you can query most of the data dictionary.

Differences:

1. select any dictionary is a system privilege, while select_catalog_role is a role.

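2. A role takes effect only after logging in again or after an explicit set role, while a granted system privilege takes effect immediately. (P.S. Revoking the privilege likewise takes effect immediately.)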

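3. select_catalog_role can query some of the data dictionary views (you can look at the role's definition), such as the dba_ views, while select any dictionary can query tables owned by sys, which select_catalog_role cannot see.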

The following verifies this in detail:

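2. A role takes effect only after logging in again or after an explicit set role, while a granted system privilege takes effect immediately. (P.S. Revoking the privilege likewise takes effect immediately.)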

select any dictionary takes effect immediately

Open two sessions at the same time and watch what happens. Read from top to bottom, in order.

 > select * from dba_role_privs where grantee = 'TEST_USER';

GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
TEST_USER                    CONNECT                        NO  YES
TEST_USER                    RESOURCE                       NO  YES

1. TEST_USER has only the most basic CONNECT and RESOURCE roles, and no other table privileges.

 
 

> select count(*) from v$session;   
select count(*) from v$session
                     *
ERROR at line 1:
ORA-00942: table or view does not exist

2. At this point v$session is not visible.


> GRANT SELECT ANY DICTIONARY TO TEST_USER; 

Grant succeeded.

3. Grant the SELECT ANY DICTIONARY system privilege.

 
 

 >  select count(*) from v$session;  

  COUNT(*)
----------
        73

4. It takes effect immediately; v$session can now be queried.

 > REVOKE SELECT ANY DICTIONARY  FROM TEST_USER;

Revoke succeeded.

5. Revoke the SELECT ANY DICTIONARY system privilege.

 
 

 >  select count(*) from v$session;
 select count(*) from v$session
                      *
ERROR at line 1:
ORA-00942: table or view does not exist

6. It takes effect immediately; v$session can no longer be queried.

select_catalog_role does not take effect immediately

 > GRANT SELECT_CATALOG_ROLE TO TEST_USER;   

Grant succeeded.

1. Grant the SELECT_CATALOG_ROLE role.

 
 

>  select count(*) from v$session;
 select count(*) from v$session
                      *
ERROR at line 1:
ORA-00942: table or view does not exist

2. It does not take effect immediately; use set role to enable it.

Revoking a role behaves the same way: it does not take effect immediately.


> set role SELECT_CATALOG_ROLE;

Role set.

>  select count(*) from v$session;

  COUNT(*)
----------
        74 

3. select_catalog_role can query some of the data dictionary views, such as the dba_ views, while select any dictionary can query tables owned by sys.

select any dictionary can see the SYS.ACCESS$ table

 > select * from dba_sys_privs where grantee = 'TEST_USER';

GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
TEST_USER                     UNLIMITED TABLESPACE                     NO
TEST_USER                     SELECT ANY DICTIONARY                    NO


>  select * from dba_role_privs where grantee = 'TEST_USER';

GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
TEST_USER                      CONNECT                        NO  YES
TEST_USER                     RESOURCE                       NO  YES
 

> desc SYS.ACCESS$
 Name                                                  Null?    Type
 ----------------------------------------------------- -------- ------------------------------------
 D_OBJ#                                                NOT NULL NUMBER
 ORDER#                                                NOT NULL NUMBER
 COLUMNS                                                        RAW(126)
 TYPES                                                 NOT NULL NUMBER

select_catalog_role cannot see it

 > select * from dba_sys_privs where grantee = 'TEST_USER';

GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
TEST_USER                     UNLIMITED TABLESPACE                     NO

>  select * from dba_role_privs where grantee = 'TEST_USER';

GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
TEST_USER                    CONNECT                        NO  YES
TEST_USER                    RESOURCE                       NO  YES
TEST_USER                    SELECT_CATALOG_ROLE            NO  YES

>  desc SYS.ACCESS$
ERROR:
ORA-04043: object SYS.ACCESS$ does not exist
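
An added example (not part of the original post) for auditing the two grants compared above. Query 1 lists every user or role that reaches SELECT ANY DICTIONARY or SELECT_CATALOG_ROLE, directly or through nested roles; Query 2 shows which of the two is actually in effect in the current session. It uses the standard views DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS, SESSION_PRIVS and SESSION_ROLES; the CTE names and column aliases are chosen for this example.

```sql
-- Query 1 (run as an account that can read the DBA_ views):
-- every grantee that reaches either grant, directly or through nested roles.
WITH grants AS (
  SELECT grantee, granted_role AS granted FROM dba_role_privs
  UNION ALL
  SELECT grantee, privilege FROM dba_sys_privs
),
reach AS (
  SELECT DISTINCT
         CONNECT_BY_ROOT granted AS dictionary_access,  -- which of the two grants
         grantee,
         LEVEL AS depth                                 -- 1 = granted directly
  FROM   grants
  START WITH granted IN ('SELECT ANY DICTIONARY', 'SELECT_CATALOG_ROLE')
  CONNECT BY NOCYCLE granted = PRIOR grantee            -- follow role-to-role grants
)
SELECT r.dictionary_access,
       r.grantee,
       NVL2(u.username, 'USER', 'ROLE') AS grantee_type,
       r.depth
FROM   reach r
LEFT JOIN dba_users u ON u.username = r.grantee
ORDER BY r.dictionary_access, r.depth, r.grantee;

-- Query 2 (run in the session being examined, e.g. as TEST_USER):
-- what is in effect right now, as opposed to what has been granted.
SELECT 'SYSTEM PRIVILEGE' AS kind, privilege AS name
FROM   session_privs
WHERE  privilege = 'SELECT ANY DICTIONARY'
UNION ALL
SELECT 'ENABLED ROLE', role
FROM   session_roles
WHERE  role = 'SELECT_CATALOG_ROLE';
```

A role that appears in Query 1 but not in Query 2 has been granted without being enabled in that session, which is the state that produced ORA-00942 above before set role was run.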

From "ITPUB Blog", link: http://blog.itpub.net/23650854/viewspace-688668/. Please credit the source when reposting; otherwise legal liability will be pursued.
