Managing Privileges and Roles (2) - Object Privileges

1. Introduction to object privileges
An object privilege is the right to access an object in another schema. A user can access objects in their own schema directly, but to access objects in another schema they must hold the corresponding object privilege.


For example, if the user smith wants to access the table scott.emp (scott: schema, emp: table), smith must hold object privileges on scott.emp.


The commonly used object privileges are:
alter       modify the object's definition
delete      delete rows
select      query rows
insert      add rows
update      modify rows
index       create an index on the table
references  reference the table from a foreign key
execute     execute a procedure, function or package

2. Displaying object privileges
Object privileges held by a user or role can be displayed through the data dictionary views.
The view to use is dba_tab_privs.

SQL> conn system/Mayu2638;
connected.

SQL> select distinct privilege from dba_tab_privs;

SQL> select grantor, owner, table_name, privilege from dba_tab_privs where grantee = 'USERNAME_OR_ROLE_NAME';
(Oracle stores user and role names in upper case, so the name compared against grantee must be written in upper case.)

3. Granting object privileges
Before Oracle 9i, object privileges were granted by the owner of the object; for another user to grant them, that user had to hold the privilege with the with grant option. Starting with Oracle 9i, a DBA user (sys, system) can grant object privileges on any object to other users. Object privileges are granted with the grant command.


Object privileges can be granted to users, roles, and public. If with grant option is used when granting, the grantee can pass the privilege on to other users. Note, however, that with grant option cannot be used when granting to a role.

1) If the user monkey wants to operate on the table scott.emp, the corresponding object privileges must be granted. This can be done in one of three ways:
1. by the scott user (the owner)
2. by the sys user
3. by the system user

1. Suppose monkey should be able to query the data in scott.emp. How is this done? (The following statements are issued while connected as scott, so emp is unqualified.)
SQL> grant select on emp to monkey;

Grant succeeded.

To revoke the privilege:
SQL> revoke select on emp from monkey;

Revoke succeeded.


2. Suppose monkey should be able to update the data in scott.emp. How is this done?
SQL> grant update on emp to monkey;

Grant succeeded.

To revoke the privilege:
SQL> revoke update on emp from monkey;

Revoke succeeded.

3. Suppose monkey should be able to delete data from scott.emp. How is this done?
SQL> grant delete on emp to monkey;

Grant succeeded.

To revoke the privilege:
SQL> revoke delete on emp from monkey;

Revoke succeeded.

4. Is there an easier way to grant all of the privileges above to monkey at once?
SQL> grant update, select, delete on emp to monkey;

Grant succeeded.

To grant monkey every object privilege on the table:
SQL> grant all on emp to monkey;

Grant succeeded.

 

2) Can monkey's access be controlled more finely (granting column privileges)?


1. Suppose monkey should only be able to modify the sal column of scott.emp. How is this done? The column list goes after the privilege name:
SQL> grant update (sal) on emp to monkey;


2. Suppose monkey should only be able to query the ename and sal columns of scott.emp. How is this done?
Oracle accepts a column list only for the insert, update and references privileges, so "grant select on emp(ename, sal)" is rejected. The usual way is to create a view that exposes just those columns and grant select on the view:
SQL> create view emp_ename_sal as select ename, sal from emp;
SQL> grant select on emp_ename_sal to monkey;
...

4. Granting the alter privilege
If the user black wants to modify the structure of the table scott.emp, the alter object privilege must be granted:
SQL> conn scott/tiger;
SQL> grant alter on emp to black;
The same can also be done as the system or sys user.

5. Granting the execute privilege
If a user wants to execute packages, procedures or functions in another schema, the execute privilege is required.
For example, to allow ken to execute the package dbms_transaction, grant execute on it:
SQL> conn system/Mayu2638
SQL> grant execute on dbms_transaction to ken;

6. Granting the index privilege
To create an index on a table in another schema, the index object privilege is required.
For example, to allow the user black to create an index on scott.emp, grant the index privilege:
SQL> conn scott/tiger
SQL> grant index on scott.emp to black;

7. Using with grant option
This option is used to delegate object privileges, but it can only be granted to users, not to roles.
SQL> conn scott/tiger
SQL> grant select on emp to black with grant option;
SQL> conn black/tiger
SQL> grant select on scott.emp to jones;
Instead of the owner, a DBA user (sys, system) can also do this.
The point to note here is that once an object privilege is revoked, the user can no longer run the corresponding SQL statement. But is the revocation of an object privilege cascaded?
For example, with the chain:
scott ---> black ---> jones
(scott grants select on emp to black with grant option; black then grants select on emp to jones)

SQL> conn scott/tiger
SQL> revoke select on emp from black;

Can jones still query the data in scott.emp?
Answer: No, jones can no longer query it.

This shows that revoking an object privilege is a cascaded revocation. Revoking a system privilege is different: it is not cascaded.


Note: because the object privilege is revoked in cascade, restoring black's object privilege does not bring back jones's privilege; it must be granted to jones again.
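The delegation chain and cascade revocation from section 7 as an added worked script (not part of the original article), with dba_tab_privs used to verify each step. It assumes the users scott, black and jones exist with the passwords the article uses, that jones's password is also tiger (an assumption), and that it runs in SQL*Plus, where connect switches sessions.

```sql
-- Added example, not part of the original article: walk the
-- scott -> black -> jones delegation chain and verify the cascade
-- through dba_tab_privs. Assumes the users exist; jones/tiger is
-- an assumed password.

-- Step 1: the owner delegates and lets black re-grant.
connect scott/tiger
grant select on emp to black with grant option;

-- Step 2: black passes the privilege on to jones (plain grant, so
-- jones cannot delegate further).
connect black/tiger
grant select on scott.emp to jones;

-- Step 3: as a DBA, record who granted what. Dictionary names are
-- stored in upper case, so the filter values must be upper case.
connect system/Mayu2638
select grantee, grantor, privilege, grantable
  from dba_tab_privs
 where owner = 'SCOTT' and table_name = 'EMP'
   and grantee in ('BLACK', 'JONES')
 order by grantee;
-- black's row carries grantor SCOTT with grantable YES;
-- jones's row carries grantor BLACK with grantable NO.

-- Step 4: the owner revokes from black. Because jones's privilege
-- was granted by black, the same revoke removes it (cascade).
connect scott/tiger
revoke select on emp from black;

connect system/Mayu2638
select count(*) as remaining_grants
  from dba_tab_privs
 where owner = 'SCOTT' and table_name = 'EMP'
   and grantee in ('BLACK', 'JONES');
-- both rows are gone after the cascade.

-- Step 5: re-granting to black does not restore jones; jones must be
-- granted again explicitly.
connect scott/tiger
grant select on emp to black with grant option;
connect jones/tiger
select count(*) from scott.emp;  -- fails: jones no longer holds select
```

Running the Step 3 query before and after a revoke is also a cheap way for a DBA to see every grant that will disappear with it, since the grantor column exposes the delegation chain.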
