檢視許可權的設定案例
今天在042一個自測試看一個有關許可權的問題,做了一個測試,而在測試過程中又犯了個錯誤,記錄此案。
問題如下:
During a single session, you run the following set of statements in your database:
SQL> CREATE USER SCOTT IDENTIFIED BY SCOTT;
SQL> CREATE ROLE HR_ADMIN;
SQL> GRANT SELECT ANY TABLE TO HR_ADMIN;
SQL> GRANT CREATE ANY VIEW TO HR_ADMIN;
SQL> GRANT HR_ADMIN TO SCOTT;
The database user SCOTT tries to execute a SELECT statement against a table in the HR user's schema, but the following error
is generated:
SQL> SELECT * FROM HR.TRAINING;
ORA-01031: insufficient privileges
Which two could be the possible reasons for this error? (Choose two.)
The HR_ADMIN role is a secured application role.
The HR_ADMIN role has not been set as the default role for the user SCOTT.
A password must be provided to access the privileges granted by the HR_ADMIN role.
The user HR has not granted select access on the TRAINING table to the user SCOTT.
The user SCOTT has not enabled the HR_ADMIN role by using the SET ROLE statement.
答案:
The HR_ADMIN role has not been set as the default role for the user SCOTT .
The user SCOTT has not enabled the HR_ADMIN role by using the SET ROLE statement.
做如下解釋:
The two possible reasons for this error are that the HR_ADMIN role has not been set as the default role for the user SCOTT or that the user SCOTT has not enabled the HR_ADMIN role by using the SET ROLE statement. When a role is assigned to a user, the role must be enabled using the SET ROLE statement or the role must be set as the default role for the user so that the user can access the privileges granted to them through the role. The default role is enabled for the user at log on. A non-default role must be enabled using the SET ROLE statement. If the role is not enabled for the user, the user cannot access the privileges. The HR_ADMIN role created in this scenario is granted the SELECT ANY TABLE privilege and the CREATE ANY VIEW privilege. The SELECT ANY TABLE privilege enables you to issue SELECT statements against any tables in any user's schema. The CREATE ANY VIEW privilege enables you to create views based on any table in any user's schema. Apart from having the CREATE ANY VIEW privilege, the user must also have SELECT privileges on the tables on which he is trying to create the view. If the user does not have SELECT privileges on the table on which he is trying to create the view, the user SCOTT will receive an error stating he does not have the required privileges.
從解釋上主要是利用set role設定。
現在做了一個測試
建立一個使用者
SQL> create user hrk identified by hrk;
User created
建立一個角色
SQL> create role hr_admin;
Role created
將兩個系統許可權賦予給角色hr_admin
SQL> grant select any table to hr_admin;
Grant succeeded
SQL> grant create any view to hr_admin;
Grant succeeded
將角色hr_admin賦給使用者
SQL> grant hr_admin to hrk;
Grant succeeded
給使用者一個連線許可權
SQL> grant connect to hrk;
Grant succeeded
用hrk連線進去,建立一個檢視。
SQL> conn hrk/hrk
Connected to Oracle Database 10g Enterprise Edition Release 10.2.0.4.0
Connected as hrk
SQL> create view hrk_v as
2 select * from hrbak.employees where salary>8000;
create view hrk_v as
select * from hrbak.employees where salary>8000
ORA-01031: insufficient privileges
檢視許可權情況
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADMIN_OPTION DEFAULT_ROLE OS_GRANTED
--------- -------------- ------------ ------------ ----------
HRK CONNECT NO YES NO
HRK HR_ADMIN NO YES NO
SQL> select * from role_sys_privs where role='HR_ADMIN';
ROLE PRIVILEGE ADMIN_OPTION
-------------- -------------------------- ------------
HR_ADMIN SELECT ANY TABLE NO
HR_ADMIN CREATE ANY VIEW NO
改變使用者的預設表空間設定,還是同樣的問題
SQL> alter user hrk default tablespace hrbak;
User altered
SQL> create view hrk_v as
2 select * from hrbak.employees where salary>8000;
create view hrk_v as
select * from hrbak.employees where salary>8000
ORA-01031: insufficient privileges
從許可權上來看似乎沒什麼問題,測試不少步驟,最後找到CREATE VIEW的解釋。
To create a view in your own schema, you must have the CREATE VIEW system privilege. To create a view in another user's schema, you must have the CREATE ANY VIEW system privilege.
The owner of the schema containing the view must have the privileges necessary to either select, insert, update, or delete rows from all the tables or views on which the view is based. The owner must be granted these privileges directly, rather than through a role.
To use the basic constructor method of an object type when creating an object view, one of the following must be true:
1. The object type must belong to the same schema as the view to be created.
2. You must have the EXECUTE ANY TYPE system privileges.
3. You must have the EXECUTE object privilege on that object type.
應該說是schema的問題,加入一個schema的名稱
SQL> create view hrbak.hrk_v as
2 select * from hrbak.employees where salary>8000;
View created
總結,create any view可以在任何shema上建立檢視,但是注意在檢視的前加上所屬schema的名稱。
來自 “ ITPUB部落格 ” ,連結:http://blog.itpub.net/9932141/viewspace-660354/,如需轉載,請註明出處,否則將追究法律責任。
相關文章
- [Linux]學習⑥④---ACL許可權檢視與設定Linux
- Oracle檢視許可權Oracle
- 如何用 Vue 實現前端許可權控制(路由許可權 + 檢視許可權 + 請求許可權)Vue前端路由
- 如何設定許可權?
- Oracle許可權(二)許可權相關的動態效能檢視與資料字典檢視Oracle
- 如何檢測應用通知許可權?如何跳轉通知許可權設定頁?
- oracle許可權相關檢視Oracle
- oracle的儲存許可權的檢視Oracle
- 檢視角色裡包含的系統許可權、物件許可權和角色物件
- 許可權管理系統的設計案例 -- 需求定義(2)
- 許可權管理系統的設計案例 -- 需求定義(3)
- 許可權管理系統的設計案例 -- 需求定義(4)
- Oracle中定義者許可權和呼叫者許可權案例分析Oracle
- ubuntu 許可權管理設定Ubuntu
- Atitit godaddy 檔案許可權 root許可權設定Go
- linux檢視檔案許可權Linux
- Oracle檢視使用者許可權Oracle
- 檢視oracle 使用者許可權Oracle
- 小程式許可權設定(位置)
- Windows許可權設定詳解Windows
- PHP專案許可權設定PHP
- 如何檢視postgresql使用者許可權SQL
- NAS使用者許可權的設定
- SVN伺服器的許可權設定伺服器
- postgresql關於訪問檢視需要的許可權SQL
- 檢視Oracle使用者的許可權或角色Oracle
- 檢視PG資料庫的許可權情況資料庫
- mysql檢視使用者的許可權指令碼MySql指令碼
- 檢視使用者的目錄操作許可權
- Oracle角色、許可權的一些常用檢視Oracle
- 適配懸浮窗許可權與系統設定修改許可權
- Vue設定許可權列表目錄Vue
- iOS 10設定應用許可權iOS
- 金山文件怎麼設定編輯許可權 金山文件線上編輯許可權設定
- Oracle檢視使用者預設表空間、臨時表空間、系統許可權、物件許可權、角色許可權舉例說明Oracle物件
- jboss許可權的設定 大俠賜教
- [SAP BO]BOE的 檔案許可權設定
- [BUG反饋]許可權條目中缺少兩個公開方法的許可權設定