I have used Oracle for a long time, but users, roles and privileges were still fuzzy to me. After reading books carefully, looking up material and organizing notes, I am writing this down, hoping to look at Oracle users, roles and privileges from the angle of everyday use.
Theoretical background is omitted here; I suggest reading a book for a thorough treatment.
Let's get started!
First a diagram; you can skip it and come back to it after reading the article.
Explanation: the double arrows show which table to query for users and roles, the dashed single arrows show containment. Besides the built-in roles defined in dba_roles, you can create and define roles of your own.
Now for real:
Create a tablespace named ts_urp with a size of 100M.
Create a user urp with password urp, default tablespace ts_urp and temporary tablespace temp.
SQL> create user urp identified by urp default tablespace ts_urp temporary tablespace temp;
User created.
After creating it, try to connect to the database as this user:
SQL> connect urp/urp
ERROR:
ORA-01045: user URP lacks CREATE SESSION privilege; logon denied
Warning: You are no longer connected to ORACLE.
It says the user lacks the CREATE SESSION privilege. Look at the user-to-privilege table at this point: there is no record with grantee URP.
SQL> connect / as sysdba
Connected.
SQL> select * from dba_sys_privs where grantee='URP';
no rows selected
Grant the user urp the CREATE SESSION privilege:
SQL> grant CREATE SESSION to urp;
Grant succeeded.
Query the user-to-privilege table again; now URP has CREATE SESSION:
SQL> select * from dba_sys_privs where grantee='URP';
GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
URP                            CREATE SESSION                           NO
Now try connecting as this user:
SQL> connect urp/urp
Connected.
After the grant the connection succeeds.
Try creating a table:
SQL> create table emp(id number,username varchar2(30));
create table emp(id number,username varchar2(30))
*
ERROR at line 1:
ORA-01031: insufficient privileges
Insufficient privileges again.
Let's see which privileges are related to tables:
SQL> select privilege from dba_sys_privs where privilege like '%TABLE%' group by privilege;
PRIVILEGE
----------------------------------------
UNLIMITED TABLESPACE
CREATE TABLE
ALTER ANY TABLE
DROP TABLESPACE
UNDER ANY TABLE
COMMENT ANY TABLE
MANAGE TABLESPACE
UPDATE ANY TABLE
DELETE ANY TABLE
BACKUP ANY TABLE
CREATE ANY TABLE
PRIVILEGE
----------------------------------------
DROP ANY TABLE
FLASHBACK ANY TABLE
INSERT ANY TABLE
CREATE TABLESPACE
LOCK ANY TABLE
SELECT ANY TABLE
ALTER TABLESPACE
18 rows selected.
Grant a privilege and try creating the table again:
SQL> grant CREATE TABLE to urp;
Grant succeeded.
SQL> connect urp/urp
Connected.
SQL> create table emp(id number,username varchar(30));
create table emp(id number,username varchar(30))
*
ERROR at line 1:
ORA-01950: no privileges on tablespace 'TS_URP'
It says there are no privileges on tablespace TS_URP.
Same old way: go back to the DBA and see which privileges there are for tablespaces:
SQL> select privilege from dba_sys_privs where privilege like '%TABLESPACE%' group by privilege;
PRIVILEGE
----------------------------------------
UNLIMITED TABLESPACE
DROP TABLESPACE
MANAGE TABLESPACE
CREATE TABLESPACE
ALTER TABLESPACE
It looks like it can only be UNLIMITED TABLESPACE; let's grant it and see:
SQL> connect / as sysdba
Connected.
SQL> grant UNLIMITED TABLESPACE to urp;
Grant succeeded.
SQL> connect urp/urp
Connected.
SQL> create table emp(id number,username varchar(30));
Table created.
That seems to have worked.
In other words, a user that needs to connect to the database and create tables must have three privileges:
CREATE SESSION -- privilege to connect to the database
UNLIMITED TABLESPACE -- unlimited tablespace privilege (space quota)
CREATE TABLE -- privilege to create tables
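A caveat a practitioner would want here, as an added example that is not from the original post: UNLIMITED TABLESPACE lets the user consume space in every tablespace of the database, including SYSTEM. The least-privilege alternative is a quota on the one tablespace the user actually needs, which is set on the user rather than granted as a privilege. The user and tablespace names follow the walkthrough; the 100M quota size is an assumption.

```sql
-- Added example (not part of the original post): replace the blanket
-- UNLIMITED TABLESPACE grant with a quota on the user's own tablespace.
-- User and tablespace names follow the walkthrough; 100M is an assumed figure.
connect / as sysdba

-- Take the unlimited privilege away again ...
revoke unlimited tablespace from urp;

-- ... and give URP space only in TS_URP, capped at 100 MB.
alter user urp quota 100M on ts_urp;

-- Verify: a quota shows up in dba_ts_quotas, not in dba_sys_privs.
-- max_bytes is the cap (-1 would mean unlimited); bytes is current usage.
select username, tablespace_name, bytes, max_bytes
  from dba_ts_quotas
 where username = 'URP';

-- dba_sys_privs no longer lists UNLIMITED TABLESPACE for the user.
select privilege
  from dba_sys_privs
 where grantee = 'URP';

-- The CREATE TABLE from the walkthrough still succeeds in TS_URP ...
connect urp/urp
create table emp(id number, username varchar2(30));

-- ... while an explicit attempt to place an object in another tablespace
-- fails with ORA-01950, and growth beyond the quota in TS_URP is refused.
```

The quota view is also the place to check during an access review: a user that shows up in dba_sys_privs with UNLIMITED TABLESPACE, or in dba_ts_quotas with max_bytes = -1 on SYSTEM, has more storage rights than an application schema needs.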
Continue testing.
With a table in place, the basic insert, update and delete operations:
SQL> connect urp/urp
Connected.
SQL> create table emp(id number,username varchar(30));
Table created.
SQL> insert into emp values(1,'urp');
1 row created.
SQL> commit;
Commit complete.
SQL> update emp set username='urp1' where id=1;
1 row updated.
SQL> commit;
Commit complete.
SQL> select * from emp;
        ID USERNAME
---------- ------------------------------
         1 urp1
SQL> delete from emp where id=1;
1 row deleted.
SQL> commit;
Commit complete.
No problems there.
Let's try some common operations:
NOT NULL constraint
SQL> alter table emp modify (id constraints id_not_null NOT NULL);
Table altered.
ok!
Primary key constraint
SQL> alter table emp add constraint pk_id primary key (id);
Table altered.
Unique constraint
SQL> alter table emp add constraint uk_username unique(username);
Table altered.
Add a column
SQL> alter table emp add dep varchar(30);
Table altered.
Add an index
SQL> create index idx_emp_dep on emp(dep);
Index created.
Create a sequence
SQL> create sequence seq_emp_id
  2  minvalue 1
  3  maxvalue 9999999999
  4  start with 5000
  5  increment by 1
  6  nocache;
create sequence seq_emp_id
*
ERROR at line 1:
ORA-01031: insufficient privileges
No privilege. Same old way again: go back to the DBA user and run:
SQL> select privilege from dba_sys_privs where privilege like '%SEQUENCE%' group by privilege;
PRIVILEGE
----------------------------------------
CREATE ANY SEQUENCE
ALTER ANY SEQUENCE
DROP ANY SEQUENCE
SELECT ANY SEQUENCE
CREATE SEQUENCE
Note: the main difference between CREATE SEQUENCE and CREATE ANY SEQUENCE is:
CREATE SEQUENCE: can create a SEQUENCE in the current user's own schema.
CREATE ANY SEQUENCE: can create a SEQUENCE in other users' schemas; the other ANY privileges in the privilege table work the same way.
Grant the user the CREATE SEQUENCE privilege:
SQL> grant CREATE SEQUENCE to urp;
Grant succeeded.
SQL> connect urp/urp
Connected.
SQL> create sequence seq_emp_id
  2  minvalue 1
  3  maxvalue 500000
  4  start with 5000
  5  increment by 1
  6  nocache;
Sequence created.
SQL> select seq_emp_id.nextval from dual;
   NEXTVAL
----------
      5000
SQL> select seq_emp_id.nextval from dual;
   NEXTVAL
----------
      5001
SQL> select seq_emp_id.currval from dual;
   CURRVAL
----------
      5001
SQL> insert into emp values(seq_emp_id.nextval,'john','system');
1 row created.
SQL> commit;
Commit complete.
SQL> insert into emp values(seq_emp_id.nextval,'tom','hr');
1 row created.
SQL> commit;
Commit complete.
SQL> select * from emp;
        ID USERNAME                       DEP
---------- ------------------------------ ------------------------------
      5004 tom                            hr
      5002 john                           system
SQL>
Stored procedure test (hit the same problem; ok after granting the privilege)
SQL> CREATE OR REPLACE PROCEDURE TEST
  2  AS
  3  BEGIN
  4  NULL;
  5  END;
  6  /
create or replace procedure TEST
*
ERROR at line 1:
ORA-01031: insufficient privileges
SQL> connect / as sysdba
Connected.
SQL> select privilege from dba_sys_privs where privilege like '%PROCEDURE%' group by privilege;
PRIVILEGE
----------------------------------------
DROP ANY PROCEDURE
EXECUTE ANY PROCEDURE
ALTER ANY PROCEDURE
CREATE ANY PROCEDURE
CREATE PROCEDURE
DEBUG ANY PROCEDURE
6 rows selected.
SQL> grant CREATE PROCEDURE to urp;
Grant succeeded.
SQL> connect urp/urp
Connected.
SQL> CREATE OR REPLACE PROCEDURE TEST
  2  AS
  3  BEGIN
  4  NULL;
  5  END;
  6  /
Procedure created.
SQL> exec test;
PL/SQL procedure successfully completed.
Trigger test (ran into the privilege problem again; solved the same way)
SQL> alter table emp drop constraint pk_id;
Table altered.
SQL> update emp set id=5003;
2 rows updated.
SQL> commit;
Commit complete.
SQL> CREATE OR REPLACE TRIGGER trg_del_emp_info
  BEFORE DELETE ON emp
  FOR EACH ROW
DECLARE
  -- local variables here
BEGIN
  INSERT INTO emp1(id,username,dep)
  VALUES(seq_emp_id.NEXTVAL, :OLD.username, :OLD.dep);
END;
/
Trigger created.
SQL> select * from emp;
        ID USERNAME                       DEP
---------- ------------------------------ ------------------------------
      5003 tom                            hr
      5003 john                           system
SQL> select * from emp1;
no rows selected
SQL> delete from emp where id=5003;
2 rows deleted.
SQL> commit;
Commit complete.
SQL> select * from emp1;
        ID USERNAME                       DEP
---------- ------------------------------ ------------------------------
      5005 tom                            hr
      5006 john                           system
SQL>
.....
That's basically it.
So from this we can see that everyday use also needs:
CREATE SEQUENCE
CREATE PROCEDURE
CREATE TRIGGER
.... and so on
Now let's look at the privileges urp has:
SQL> select * from user_sys_privs;
USERNAME PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
URP CREATE SESSION NO
URP UNLIMITED TABLESPACE NO
URP CREATE SEQUENCE NO
URP CREATE TRIGGER NO
URP CREATE PROCEDURE NO
URP CREATE TABLE NO
The point of all that fuss was to show that managing Oracle through direct user <-> privilege grants is very tedious.
Oracle also has role management, which makes granting convenient. A role is a set of privileges (it can also be a combination of roles, i.e. roles can contain one another).
For example:
User -- Role1 _____ Role2
              |___ Privilege1
Granting the user the role Role1 gives the user the privilege attributes of Role2 and Privilege1 at the same time.
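As an added example that is not code from the original post, here are the privileges the walkthrough granted one by one, bundled into a role so that they can be granted, audited and revoked as a unit. The role name urp_app_role is an assumption; the queries use the same dictionary views the post does, and the effective-privilege query at the end goes one step beyond the post by resolving privileges that arrive through roles.

```sql
-- Added example (not part of the original post): bundle the privileges the
-- walkthrough granted one at a time into a role. Role name is assumed.
connect / as sysdba

create role urp_app_role;

-- UNLIMITED TABLESPACE is deliberately absent: Oracle does not allow it to
-- be granted to a role, and a per-user quota on TS_URP is the better fit.
grant create session,
      create table,
      create sequence,
      create procedure,
      create trigger
  to urp_app_role;

-- Grant the role instead of the five individual privileges.
grant urp_app_role to urp;

-- Which roles does URP hold, are they default roles, and do any carry
-- ADMIN OPTION (i.e. could URP pass the role on to others)?
select grantee, granted_role, admin_option, default_role
  from dba_role_privs
 where grantee = 'URP';

-- Which system privileges does the role itself carry?
select role, privilege, admin_option
  from role_sys_privs
 where role = 'URP_APP_ROLE';

-- Effective system privileges of URP: direct grants plus grants through
-- roles, which dba_sys_privs alone does not show for the user.
select privilege, 'DIRECT' as via
  from dba_sys_privs
 where grantee = 'URP'
union all
select rsp.privilege, rp.granted_role as via
  from dba_role_privs rp
  join role_sys_privs rsp on rsp.role = rp.granted_role
 where rp.grantee = 'URP';

-- Removing one privilege from every holder of the role is one statement,
-- instead of one REVOKE per user.
revoke create trigger from urp_app_role;
```

The effective-privilege query is the one to keep for access reviews: the post's own `select * from dba_sys_privs where grantee='URP'` only lists direct grants, so a user whose rights come entirely through roles looks empty there while still holding everything the roles carry.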
I read a lot of documents before this and came away dazed; I found it very abstract. Some other common operations,
source: http://czmmiao.iteye.com/blog/1304934
Query which privileges users have:
SQL> select * from dba_role_privs;
SQL> select * from dba_sys_privs;
SQL> select * from role_sys_privs;
Query which system privileges you yourself have:
SQL> select * from session_privs;
Delete a user:
SQL> drop user <username> cascade; // with cascade, the user is dropped together with everything it created
Passing on system privileges: add the WITH ADMIN OPTION clause and the privilege received can be passed on.
SQL> grant connect, resource to user50 with admin option; // the privileges received can be passed on.
Revoking system privileges: system privileges can only be revoked by a DBA user.
SQL> Revoke connect, resource from user50;
Back to the diagram: the several tables about users, privileges and roles are simply spread over the dba dictionary views and the user dictionary views;
the role-related ones manage roles, the sys-related ones manage system privileges.
Summary as in the diagram... scroll up, scroll up, go back to the diagram and look at the relationships among users, roles and privileges.
There are many more points about Oracle users, roles and privileges; I'll write about them when I have time.
Entirely original; if you repost, please keep the source and author.
by cycsa