This article discusses the following question: can you guess in advance which of the following six revoke scenarios will execute successfully?
1. Revoking a privilege from a user at the CDB level, without a container clause;
2. Revoking a privilege from a user at the CDB level, with the container=all clause;
3. Revoking a privilege from a user at the CDB level, with the container=current clause;
4. Revoking a privilege from a user at the PDB level, without a container clause;
5. Revoking a privilege from a user at the PDB level, with the container=all clause;
6. Revoking a privilege from a user at the PDB level, with the container=current clause.
You should already be familiar with the scope of user creation, the scope of role creation, and the scope of grants. This article demonstrates the scenarios above on that theoretical basis.
Demo database version: 18.3.0.0.0 (18c)
A revoke is always relative to the grant it undoes, so let us first review the scope of grants. Note that the exam often tests the scope of CDB-level grants and revokes.
1. Granting to a user at the CDB level, without a container clause: applies only to the current CDB
2. Granting to a user at the CDB level, with the container=all clause: applies to the current CDB and all PDBs
3. Granting to a user at the CDB level, with the container=current clause: applies only to the current CDB
4. Granting to a user at the PDB level, without a container clause: applies only to the current PDB
5. Granting to a user at the PDB level, with the container=all clause: error; ALL cannot be used at the PDB level
6. Granting to a user at the PDB level, with the container=current clause: applies only to the current PDB
The scope of a grant can be summarized in three sentences, because there are only three cases: it applies only to the CDB, it applies globally, or it applies only to a PDB.
Applies only to the CDB: a grant at the CDB level without a clause, or with CURRENT, applies only to the current CDB.
Applies globally: a grant at the CDB level with ALL applies to the CDB and all PDBs.
Applies only to the PDB: a grant at the PDB level, with or without CURRENT, applies only to the current PDB; ALL cannot be used.
Note: each of these three grant cases can be paired with three revoke options (no clause, ALL, CURRENT), giving nine cases in total, which are discussed one by one below.
Case 1: granted at the CDB level for the current CDB, revoked without a clause
Create user c##r1 and grant the privilege. The '<>' notation marks a default value that may be omitted.
SQL> create user c##r1 identified by r1 <container=all>;  -- user creation defaults to all containers
User created.
SQL> grant create session to c##r1 <container=current>;  -- the grant defaults to the current CDB container
Grant succeeded.
User c##r1 exists in all containers, but can log in only at the CDB level, not to a PDB.
Revoke the privilege without a clause:
SQL> revoke create session from c##r1;
Revoke succeeded.
SQL> conn c##r1/r1@cdb18c;
ERROR:
ORA-01045: user C##R1 lacks CREATE SESSION privilege; logon denied
Without a clause the revoke succeeds. It applies to the current CDB by default, and after the revoke the user can no longer log in.
Case 2: granted at the CDB level for the current CDB, revoked with ALL
Create user c##r2 and grant the privilege.
SQL> create user c##r2 identified by r2;
User created.
SQL> grant create session to c##r2;
Grant succeeded.
User c##r2 exists in all containers, but can log in only at the CDB level, not to a PDB.
Revoke the privilege with the ALL clause:
SQL> revoke create session from c##r2 container=all;
revoke create session from c##r2 container=all
*
ERROR at line 1:
ORA-65092: system privilege granted with a different scope to 'C##R2'
With the ALL clause the revoke fails. The grant took effect only for the current CDB, so it cannot be revoked for all containers.
Case 3: granted at the CDB level for the current CDB, revoked with CURRENT
Create user c##r3 and grant the privilege.
SQL> create user c##r3 identified by r3;
User created.
SQL> grant create session to c##r3;
Grant succeeded.
User c##r3 exists in all containers, but can log in only at the CDB level, not to a PDB.
Revoke the privilege with the CURRENT clause:
SQL> revoke create session from c##r3 container=current;
Revoke succeeded.
SQL> conn c##r3/r3@cdb18c;
ERROR:
ORA-01045: user C##R3 lacks CREATE SESSION privilege; logon denied
With the CURRENT clause the revoke succeeds. It applies to the current CDB, and after the revoke the user can no longer log in.
Case 4: granted at the CDB level for all containers, revoked without a clause
Create user c##r4 and grant the privilege.
SQL> create user c##r4 identified by r4;
User created.
SQL> grant create session to c##r4 container=all;
Grant succeeded.
User c##r4 exists in all containers and can log in to the CDB and to all PDBs.
Revoke the privilege without a clause:
SQL> revoke create session from c##r4;
revoke create session from c##r4
*
ERROR at line 1:
ORA-65092: system privilege granted with a different scope to 'C##R4'
Without a clause the revoke fails. The grant took effect for all containers, so it cannot be revoked for the current CDB container only. (This is OCP exam content.)
Case 5: granted at the CDB level for all containers, revoked with ALL
Create user c##r5 and grant the privilege.
SQL> create user c##r5 identified by r5;
User created.
SQL> grant create session to c##r5 container=all;
Grant succeeded.
User c##r5 exists in all containers and can log in to the CDB and to all PDBs.
Revoke the privilege with the ALL clause:
SQL> revoke create session from c##r5 container=all;
Revoke succeeded.
SQL> conn c##r5/r5@cdb18c;  -- cannot log in to the CDB
ERROR:
ORA-01045: user C##R5 lacks CREATE SESSION privilege; logon denied
Warning: You are no longer connected to ORACLE.
SQL> conn c##r5/r5@orders;  -- cannot log in to the PDB
ERROR:
ORA-01045: user C##R5 lacks CREATE SESSION privilege; logon denied
With the ALL clause the revoke succeeds. It applies to all containers, so the user can no longer log in to the CDB or to the PDB.
Case 6: granted at the CDB level for all containers, revoked with CURRENT
Create user c##r6 and grant the privilege.
SQL> create user c##r6 identified by r6;
User created.
SQL> grant create session to c##r6 container=all;
Grant succeeded.
User c##r6 exists in all containers and can log in to the CDB and to all PDBs.
Revoke the privilege with the CURRENT clause:
SQL> revoke create session from c##r6 container=current;
revoke create session from c##r6 container=current
*
ERROR at line 1:
ORA-65092: system privilege granted with a different scope to 'C##R6'
With CURRENT the revoke fails. The grant took effect for all containers, so it cannot be revoked for the current CDB container only.
Case 7: granted in the PDB itself, revoked without a clause
Create user c##r7 in the CDB.
SQL> create user c##r7 identified by r7;
User created.
User c##r7 exists in all containers, but at this point cannot log in to the CDB or to any PDB.
Grant the privilege to c##r7 in the PDB only.
SQL> alter session set container=orders;
Session altered.
SQL> grant create session to c##r7;  -- at the PDB level the grant defaults to CURRENT; ALL cannot be used
Grant succeeded.
As a result the user can log in to the PDB but not to the CDB.
SQL> conn c##r7/r7@cdb18c;  -- cannot log in to the CDB
ERROR:
ORA-01045: user C##R7 lacks CREATE SESSION privilege; logon denied
Warning: You are no longer connected to ORACLE.
SQL> conn c##r7/r7@orders;  -- can log in to the PDB
Connected.
Try to revoke from the CDB:
SQL> conn / as sysdba
Connected.
SQL> revoke create session from c##r7;
revoke create session from c##r7
*
ERROR at line 1:
ORA-01952: system privileges not granted to 'C##R7'
This fails because no grant was made at the CDB level.
Try to revoke from the PDB itself:
SQL> conn sys/oracle@orders as sysdba
Connected.
SQL> revoke create session from c##r7;
Revoke succeeded.
In other words: a privilege granted to a common user at the PDB level can be managed only from that PDB; it cannot be revoked from the CDB.
Case 8: granted in the PDB itself, revoked with ALL
Create user c##r8 in the CDB and grant the privilege at the PDB level.
SQL> conn / as sysdba
Connected.
SQL> create user c##r8 identified by r8;
User created.
SQL> alter session set container=orders;
Session altered.
SQL> grant create session to c##r8;
Grant succeeded.
As a result the user can log in to the PDB but not to the CDB.
Revoke in the PDB with the ALL clause:
SQL> revoke create session from c##r8 container=all;
revoke create session from c##r8 container=all
*
ERROR at line 1:
ORA-65040: operation not allowed from within a pluggable database
An error is raised: the operation is not permitted at the PDB level, so the container=all clause cannot be used.
Case 9: granted in the PDB itself, revoked with CURRENT
Create user c##r9 in the CDB and grant the privilege at the PDB level.
SQL> conn / as sysdba
Connected.
SQL> create user c##r9 identified by r9;
User created.
SQL> alter session set container=orders;
Session altered.
SQL> grant create session to c##r9;
Grant succeeded.
As a result the user can log in to the PDB but not to the CDB.
Revoke in the PDB with the CURRENT clause:
SQL> revoke create session from c##r9 container=current;
Revoke succeeded.
The revoke succeeds. At the PDB level, omitting the clause and specifying CURRENT behave the same way.
In summary:
Case 1: granted at the CDB level for the current CDB, revoked without a clause. Result: the privilege is revoked in the current CDB
Case 2: granted at the CDB level for the current CDB, revoked with ALL. Result: error
Case 3: granted at the CDB level for the current CDB, revoked with CURRENT. Result: the privilege is revoked in the current CDB
-----------------------------------------------------------------------------------------------------------
Case 4: granted at the CDB level for all containers, revoked without a clause. Result: error
Case 5: granted at the CDB level for all containers, revoked with ALL. Result: the privilege is revoked in all containers
Case 6: granted at the CDB level for all containers, revoked with CURRENT. Result: error
-----------------------------------------------------------------------------------------------------------
Case 7: granted in the PDB itself, revoked without a clause. Result: the privilege is revoked in the current PDB
Case 8: granted in the PDB itself, revoked with ALL. Result: error
Case 9: granted in the PDB itself, revoked with CURRENT. Result: the privilege is revoked in the current PDB
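Since every error above comes from a revoke whose scope does not match the grant, it helps to check the scope before revoking. The query below is an added example, not part of the original article: it lists the system privileges held by C## users per container and prints the revoke form that matches each grant. It assumes it is run from the CDB root by a privileged common user, uses the standard CDB_SYS_PRIVS and V$CONTAINERS views, and only sees PDBs that are open.

```sql
-- Added example, not from the original article.
-- Run in the CDB root (con_id = 1) as a privileged common user such as SYS.
-- COMMON = 'YES': the privilege was granted with CONTAINER=ALL.
-- COMMON = 'NO' : the privilege was granted locally in the container shown.
SELECT c.name        AS container_name,
       p.grantee,
       p.privilege,
       p.common,
       CASE
         WHEN p.common = 'YES' THEN
           -- common grant: must be revoked from the root with CONTAINER=ALL
           'in the root: REVOKE ' || p.privilege ||
           ' FROM ' || p.grantee || ' CONTAINER=ALL'
         ELSE
           -- local grant: must be revoked inside the container that holds it
           'in ' || c.name || ': REVOKE ' || p.privilege ||
           ' FROM ' || p.grantee || ' CONTAINER=CURRENT'
       END           AS matching_revoke
FROM   cdb_sys_privs p
       JOIN v$containers c
         ON c.con_id = p.con_id
WHERE  p.grantee LIKE 'C##%'
-- a common grant is visible in every container; report it once, at the root
AND    (p.common = 'NO' OR p.con_id = 1)
ORDER  BY p.grantee, p.con_id, p.privilege;
```

A row with COMMON = 'YES' corresponds to cases 4 to 6 above, a COMMON = 'NO' row in the root to cases 1 to 3, and a COMMON = 'NO' row in a PDB to cases 7 to 9.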