檢視許可權的設定案例

hexiaomail發表於2010-04-21

今天在042一個自測試看一個有關許可權的問題,做了一個測試,而在測試過程中又犯了個錯誤,記錄此案。

問題如下:

During a single session, you run the following set of statements in your database: 

 

SQL> CREATE USER SCOTT IDENTIFIED BY SCOTT; 

SQL> CREATE ROLE HR_ADMIN; 

SQL> GRANT SELECT ANY TABLE TO HR_ADMIN; 

SQL> GRANT CREATE ANY VIEW TO HR_ADMIN; 

SQL> GRANT HR_ADMIN TO SCOTT; 

 

The database user SCOTT tries to execute a SELECT statement against a table in the HR user's schema, but the following error

is generated: 

 

SQL> SELECT * FROM HR.TRAINING; 

 

ORA-01031: insufficient privileges 

 

Which two could be the possible reasons for this error? (Choose two.)

  The HR_ADMIN role is a secured application role.

  The HR_ADMIN role has not been set as the default role for the user SCOTT.

  A password must be provided to access the privileges granted by the HR_ADMIN role.

  The user HR has not granted select access on the TRAINING table to the user SCOTT.

  The user SCOTT has not enabled the HR_ADMIN role by using the SET ROLE statement.

 

答案:

The HR_ADMIN role has not been set as the default role for the user SCOTT .

The user SCOTT has not enabled the HR_ADMIN role by using the SET ROLE statement.

 

做如下解釋:

The two possible reasons for this error are that the HR_ADMIN role has not been set as the default role for the user SCOTT or that the user SCOTT has not enabled the HR_ADMIN role by using the SET ROLE statement. When a role is assigned to a user, the role must be enabled using the SET ROLE statement or the role must be set as the default role for the user so that the user can access the privileges granted to them through the role. The default role is enabled for the user at log on. A non-default role must be enabled using the SET ROLE statement. If the role is not enabled for the user, the user cannot access the privileges. The HR_ADMIN role created in this scenario is granted the SELECT ANY TABLE privilege and the CREATE ANY VIEW privilege. The SELECT ANY TABLE privilege enables you to issue SELECT statements against any tables in any user's schema. The CREATE ANY VIEW privilege enables you to create views based on any table in any user's schema. Apart from having the CREATE ANY VIEW privilege, the user must also have SELECT privileges on the tables on which he is trying to create the view. If the user does not have SELECT privileges on the table on which he is trying to create the view, the user SCOTT will receive an error stating he does not have the required privileges. 

從解釋上主要是利用set role設定。

 

現在做了一個測試

建立一個使用者

SQL> create user hrk identified by hrk;

 User created

 

建立一個角色

SQL> create role hr_admin;

Role created

 

將兩個系統許可權賦予給角色hr_admin

SQL> grant select any table to hr_admin;

 Grant succeeded

 

SQL> grant create any view to hr_admin;

 Grant succeeded

 

將角色hr_admin賦給使用者

SQL> grant hr_admin to hrk;

 Grant succeeded

 

給使用者一個連線許可權

SQL> grant connect to hrk;

Grant succeeded

 

hrk連線進去,建立一個檢視。

SQL> conn hrk/hrk

Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.4.0

Connected as hrk

 

SQL> create view hrk_v as

  2  select * from hrbak.employees where salary>8000;

 

create view hrk_v as

select * from hrbak.employees where salary>8000

 

ORA-01031: insufficient privileges

 

檢視許可權情況

SQL> select * from user_role_privs;

 

USERNAME   GRANTED_ROLE   ADMIN_OPTION DEFAULT_ROLE OS_GRANTED

--------- -------------- ------------ ------------ ----------

HRK          CONNECT             NO           YES          NO

HRK          HR_ADMIN            NO           YES          NO

 

SQL> select * from role_sys_privs where role='HR_ADMIN';

 

ROLE                PRIVILEGE                   ADMIN_OPTION

-------------- -------------------------- ------------

HR_ADMIN            SELECT ANY TABLE                  NO

HR_ADMIN            CREATE ANY VIEW                   NO

 

改變使用者的預設表空間設定,還是同樣的問題

SQL> alter user hrk default tablespace hrbak;

User altered

 

SQL> create view hrk_v as

  2  select * from hrbak.employees where salary>8000;

 

create view hrk_v as

select * from hrbak.employees where salary>8000

 

ORA-01031: insufficient privileges

 

從許可權上來看似乎沒什麼問題,測試不少步驟,最後找到CREATE VIEW的解釋。

To create a view in your own schema, you must have the CREATE VIEW system privilege. To create a view in another user's schema, you must have the CREATE ANY VIEW system privilege.

The owner of the schema containing the view must have the privileges necessary to either select, insert, update, or delete rows from all the tables or views on which the view is based. The owner must be granted these privileges directly, rather than through a role.

To use the basic constructor method of an object type when creating an object view, one of the following must be true:

1.  The object type must belong to the same schema as the view to be created.

2.  You must have the EXECUTE ANY TYPE system privileges.

3.  You must have the EXECUTE object privilege on that object type.

 

應該說是schema的問題,加入一個schema的名稱

SQL> create view hrbak.hrk_v as

  2  select * from hrbak.employees where salary>8000;

 

View created

 

總結,create any view可以在任何shema上建立檢視,但是注意在檢視的前加上所屬schema的名稱。

來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/9932141/viewspace-660354/,如需轉載,請註明出處,否則將追究法律責任。

相關文章