René Nyffenegger's collection of things on the web
René Nyffenegger on Oracle - Most wanted - Feedback -
 

Users, roles and privileges in Oracle

Privileges

A privilege is a right to execute an SQL statement or to access another user's object. In Oracle, there are two types of privileges: system privileges and object privileges. A privileges can be assigned to a user or a role
The set of privileges is fixed, that is, there is no SQL statement like create privilege xyz...

System privileges

There are quite a few system privileges: in Oracle 9.2, we count 157 of them, and 10g has even 173. Those can be displayed with
select name from system_privilege_map
Executing this statement, we find privileges like create session, drop user, alter database, see system privileges.
System privileges can be audited.
Arguably, the most important system privileges are:

Object privileges

privileges can be assigned to the following types of database objects:
  • Tables
    select, insert, update, delete, alter, debug, flashback, on commit refresh, query rewrite, references, all
  • Views
    select, insert, update, delete, under, references, flashback, debug
  • Sequence
    alter, select
  • Packeges, Procedures, Functions (Java classes, sources...)
    execute, debug
  • Materialized Views
    delete, flashback, insert, select, update
  • Directories
    read, write
  • Libraries
    execute
  • User defined types
    execute, debug, under
  • Operators
    execute
  • Indextypes
    execute
For a user to be able to access an object in another user's schema, he needs the according object privilege.
Object privileges can be displayed using all_tab_privs_made or user_tab_privs_made.

Public

If a privilege is granted to the special role public, this privilege can be executed by all other users. However, sysdba cannot be granted to public.

Users

to be finished ...

Roles

Predefined Roles

Along with the installation, more exactly with the creation of an oracle database, Oracle creates predefined roles. These are:
  • connect, resource, dba
    These might not be created anymore in future versions of Oracle.
    Oracle 9.2 grants create session, alter session, create synonym, create view, create database link, create table, create cluster and create sequence to connect.
    It also grants create table , create cluster, create sequence, create trigger create procedure, create type, create indextype and create operator to resource.
    The role dba gets basically everything and that with admin option.
  • delete_catalog_role, execute_catalog_role, select_catalog_role
    Accessing data dictionary views (v$ views and static dictionary views)
  • exp_full_database, imp_full_database
    This role is needed to export objects found in another user's schema.
  • aq_user_role, aq_administrator_role, global_aq_user_role(?)
  • logstdby_administrator
  • snmpagent
  • recovery_catalog_owner
  • hs_admin_role
  • oem_monitor, oem_advisor
  • scheduler_admin
  • gather_system_statistics
  • plustrace
  • xdbadmin
  • xdbwebservices
  • ctxapp

Assigning privileges to users and roles

A privilege can be assigned to a user with the grant sql statment. On the other hand, revoke allows to take away such privileges from users and roles.
Oracle stores the granted privileges in its data dictionary.

Displaying the relationship between users, roles and privileges

Use this script to recursively list users, granted roles and privileges.

Thanks

Thanks to Josette Hammer for notifying me of a typo and to Muhammad Imran for correcting an error on this page.