Testing the propagation of system privileges and object privileges

Posted by djb1008 on 2010-10-02

On a computer other than the database server (AIDU)

cmd

sqlplus

SQL>CONN SYS/SYSTEM@AIDU2008 AS SYSDBA

SQL>CREATE USER AIDU PROFILE "DEFAULT" IDENTIFIED BY "AIDU" DEFAULT TABLESPACE "USERS" TEMPORARY TABLESPACE "TEMP" ACCOUNT UNLOCK;

SQL>GRANT CONNECT TO AIDU;

SQL>CREATE USER AIDU2 PROFILE "DEFAULT" IDENTIFIED BY "AIDU2" DEFAULT TABLESPACE "USERS" TEMPORARY TABLESPACE "TEMP" ACCOUNT UNLOCK;

SQL>GRANT CONNECT TO AIDU2;

SQL>GRANT SYSDBA TO AIDU WITH ADMIN OPTION;

SQL>CONN AIDU/AIDU@AIDU2008 AS SYSDBA;

SQL>GRANT SYSDBA TO AIDU2;

SQL>CONN AIDU2/AIDU2@AIDU2008 AS SYSDBA --OK

SQL>CONN SYS/SYSTEM@AIDU2008 AS SYSDBA

SQL>REVOKE SYSDBA FROM AIDU;

SQL>CONN AIDU2/AIDU2@AIDU2008 AS SYSDBA --can still log in as SYSDBA; unaffected by AIDU being stripped of the SYSDBA privilege

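Propagation of object privileges: when the intermediate link in the chain is revoked, the object privileges of the downstream nodes are revoked as well.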

On a computer other than the database server (AIDU)

cmd

sqlplus

SQL>conn / as sysdba

SQL>create user aidu3 profile default identified by "aidu3" default tablespace "USERS" temporary tablespace "TEMP";

SQL>grant connect to aidu3;

SQL>grant resource to aidu3;

SQL>conn aidu/aidu;

SQL>create table test01(id number not null,name varchar2(20),primary key(id));

SQL>grant select on test01 to aidu2 with grant option;

SQL>conn aidu2/aidu2

SQL>grant select on aidu.test01 to aidu3;

SQL>conn aidu3/aidu3

SQL>select count(1) from aidu.test01;

The count returned is 0, which shows that the table is accessible.

SQL>conn aidu/aidu

Revoke the SELECT privilege from the intermediate user:

SQL>revoke select on test01 from aidu2;

SQL>conn aidu3/aidu3

SQL>select count(1) from aidu.test01;

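Error: table or view does not exist. This shows that when the intermediary aidu2 is stripped of the SELECT privilege on AIDU.TEST01, the privilege on AIDU.TEST01 that aidu3 obtained through it is revoked at the same time.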
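
Audit queries for the two behaviours tested above, added here as an example and not part of the original post. They assume a DBA session that can read DBA_TAB_PRIVS, DBA_SYS_PRIVS and V$PWFILE_USERS, and Oracle 10g or later for NOCYCLE; AIDU and TEST01 are the names used in the tests.

```sql
-- Added example, not from the original post. Run as a DBA.

-- 1. Object privileges record their grantor, so the grant chain can be walked
--    before revoking. Every row indented under a grantee holds a grant that
--    came through that grantee and is removed when that grantee is revoked.
SELECT LPAD(' ', 2 * (LEVEL - 1)) || grantee AS grantee,
       grantor,
       grantable,
       LEVEL AS depth
FROM  (SELECT grantor, grantee, grantable
       FROM   dba_tab_privs
       WHERE  owner      = 'AIDU'
       AND    table_name = 'TEST01'
       AND    privilege  = 'SELECT')
START WITH grantor = 'AIDU'                  -- grants made by the table owner
CONNECT BY NOCYCLE PRIOR grantee = grantor   -- follow re-grants downstream
ORDER SIBLINGS BY grantee;

-- 2. SYSDBA holders are listed in the password file view. There is no grantor
--    column, so an account that received SYSDBA from a since-revoked user
--    (AIDU2 in the first test) only shows up by listing every holder.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
WHERE  sysdba = 'TRUE'
ORDER  BY username;

-- 3. Accounts able to pass ordinary system privileges on to others.
--    DBA_SYS_PRIVS also has no grantor column, so what these accounts
--    granted must be reviewed separately after revoking from them.
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  admin_option = 'YES'
ORDER  BY grantee, privilege;
```

Run query 1 before revoking an object privilege to see which downstream accounts will lose access, and queries 2 and 3 after revoking a system privilege to find grants that remain in place.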

From the "ITPUB Blog", link: http://blog.itpub.net/32980/viewspace-1039226/. If you repost this, please cite the source; otherwise legal liability will be pursued.
