Oracle 11g Review - Chapter 17: Privilege Management

Saturday, April 27, 2013

10:50


1. Privileges (privilege):

    system privilege: privileges that apply to the database as a whole

        object privilege: privileges that apply to a schema object


2. Viewing system privileges


SYS @ prod > desc system_privilege_map;       

Name                                                              Null?    Type

----------------------------------------------------------------- -------- --------------------------------------------

PRIVILEGE                                                         NOT NULL NUMBER

NAME                                                              NOT NULL VARCHAR2(40)

PROPERTY                                                          NOT NULL NUMBER

SYS @ prod > select * from system_privilege_map;      

PRIVILEGE NAME                             PROPERTY

---------- ------------------------------ ----------

-3 ALTER SYSTEM                            0

-4 AUDIT SYSTEM                            0

-5 CREATE SESSION                          0

-6 ALTER SESSION                           0

-7 RESTRICTED SESSION                      0

-10 CREATE TABLESPACE                       0

-11 ALTER TABLESPACE                        0

-12 MANAGE TABLESPACE                       0

-13 DROP TABLESPACE                         0

-15 UNLIMITED TABLESPACE                    0

-20 CREATE USER                             0

-21 BECOME USER                             0

-22 ALTER USER                              0

-23 DROP USER                               0

-30 CREATE ROLLBACK SEGMENT                 0

-31 ALTER ROLLBACK SEGMENT                  0

-32 DROP ROLLBACK SEGMENT                   0

-40 CREATE TABLE                            0

-41 CREATE ANY TABLE                        0

-42 ALTER ANY TABLE                         0

-43 BACKUP ANY TABLE                        0

-44 DROP ANY TABLE                          0

-45 LOCK ANY TABLE                          0

-46 COMMENT ANY TABLE                       0

-47 SELECT ANY TABLE                        0

-48 INSERT ANY TABLE                        0

-49 UPDATE ANY TABLE                        0

-50 DELETE ANY TABLE                        0

-60 CREATE CLUSTER                          0

-61 CREATE ANY CLUSTER                      0

-62 ALTER ANY CLUSTER                       0

-63 DROP ANY CLUSTER                        0

-71 CREATE ANY INDEX                        0

-72 ALTER ANY INDEX                         0

-73 DROP ANY INDEX                          0

-80 CREATE SYNONYM                          0

-81 CREATE ANY SYNONYM                      0

-82 DROP ANY SYNONYM                        0

-83 SYSDBA                                  0

-84 SYSOPER                                 0

-85 CREATE PUBLIC SYNONYM                   0

-86 DROP PUBLIC SYNONYM                     0

-90 CREATE VIEW                             0

-91 CREATE ANY VIEW                         0

-92 DROP ANY VIEW                           0

-105 CREATE SEQUENCE                         0

-106 CREATE ANY SEQUENCE                     0

-107 ALTER ANY SEQUENCE                      0

-108 DROP ANY SEQUENCE                       0

-109 SELECT ANY SEQUENCE                     0

-115 CREATE DATABASE LINK                    0

-120 CREATE PUBLIC DATABASE LINK             0

-121 DROP PUBLIC DATABASE LINK               0

-125 CREATE ROLE                             0

-126 DROP ANY ROLE                           0

-127 GRANT ANY ROLE                          0

-128 ALTER ANY ROLE                          0

-130 AUDIT ANY                               0

-135 ALTER DATABASE                          0

-138 FORCE TRANSACTION                       0

-139 FORCE ANY TRANSACTION                   0

-140 CREATE PROCEDURE                        0

-141 CREATE ANY PROCEDURE                    0

-142 ALTER ANY PROCEDURE                     0

-143 DROP ANY PROCEDURE                      0

-144 EXECUTE ANY PROCEDURE                   0

-151 CREATE TRIGGER                          0

-152 CREATE ANY TRIGGER                      0

-153 ALTER ANY TRIGGER                       0

-154 DROP ANY TRIGGER                        0

-160 CREATE PROFILE                          0

-161 ALTER PROFILE                           0

-162 DROP PROFILE                            0

-163 ALTER RESOURCE COST                     0

-165 ANALYZE ANY                             0

-167 GRANT ANY PRIVILEGE                     0

-172 CREATE MATERIALIZED VIEW                0

-173 CREATE ANY MATERIALIZED VIEW            0

-174 ALTER ANY MATERIALIZED VIEW             0

-175 DROP ANY MATERIALIZED VIEW              0

-177 CREATE ANY DIRECTORY                    0

-178 DROP ANY DIRECTORY                      0

-180 CREATE TYPE                             0

-181 CREATE ANY TYPE                         0

-182 ALTER ANY TYPE                          0

-183 DROP ANY TYPE                           0

-184 EXECUTE ANY TYPE                        0

-186 UNDER ANY TYPE                          0

-188 CREATE LIBRARY                          0

-189 CREATE ANY LIBRARY                      0

-190 ALTER ANY LIBRARY                       0

-191 DROP ANY LIBRARY                        0

-192 EXECUTE ANY LIBRARY                     0

-200 CREATE OPERATOR                         0

-201 CREATE ANY OPERATOR                     0

-202 ALTER ANY OPERATOR                      0

-203 DROP ANY OPERATOR                       0

-204 EXECUTE ANY OPERATOR                    0

-205 CREATE INDEXTYPE                        0

-206 CREATE ANY INDEXTYPE                    0

-207 ALTER ANY INDEXTYPE                     0

-208 DROP ANY INDEXTYPE                      0

-209 UNDER ANY VIEW                          0

-210 QUERY REWRITE                           0

-211 GLOBAL QUERY REWRITE                    0

-212 EXECUTE ANY INDEXTYPE                   0

-213 UNDER ANY TABLE                         0

-214 CREATE DIMENSION                        0

-215 CREATE ANY DIMENSION                    0

-216 ALTER ANY DIMENSION                     0

-217 DROP ANY DIMENSION                      0

-218 MANAGE ANY QUEUE                        1

-219 ENQUEUE ANY QUEUE                       1

-220 DEQUEUE ANY QUEUE                       1

-222 CREATE ANY CONTEXT                      0

-223 DROP ANY CONTEXT                        0

-224 CREATE ANY OUTLINE                      0

-225 ALTER ANY OUTLINE                       0

-226 DROP ANY OUTLINE                        0

-227 ADMINISTER RESOURCE MANAGER             1

-228 ADMINISTER DATABASE TRIGGER             0

-233 MERGE ANY VIEW                          0

-234 ON COMMIT REFRESH                       0

-235 EXEMPT ACCESS POLICY                    0

-236 RESUMABLE                               0

-237 SELECT ANY DICTIONARY                   0

-238 DEBUG CONNECT SESSION                   0

-241 DEBUG ANY PROCEDURE                     0

-243 FLASHBACK ANY TABLE                     0

-244 GRANT ANY OBJECT PRIVILEGE              0

-245 CREATE EVALUATION CONTEXT               1

-246 CREATE ANY EVALUATION CONTEXT           1

-247 ALTER ANY EVALUATION CONTEXT            1

-248 DROP ANY EVALUATION CONTEXT             1

-249 EXECUTE ANY EVALUATION CONTEXT          1

-250 CREATE RULE SET                         1

-251 CREATE ANY RULE SET                     1

-252 ALTER ANY RULE SET                      1

-253 DROP ANY RULE SET                       1

-254 EXECUTE ANY RULE SET                    1

-255 EXPORT FULL DATABASE                    0

-256 IMPORT FULL DATABASE                    0

-257 CREATE RULE                             1

-258 CREATE ANY RULE                         1

-259 ALTER ANY RULE                          1

-260 DROP ANY RULE                           1

-261 EXECUTE ANY RULE                        1

-262 ANALYZE ANY DICTIONARY                  0

-263 ADVISOR                                 0

-264 CREATE JOB                              0

-265 CREATE ANY JOB                          0

-266 EXECUTE ANY PROGRAM                     0

-267 EXECUTE ANY CLASS                       0

-268 MANAGE SCHEDULER                        0

-269 SELECT ANY TRANSACTION                  0

-270 DROP ANY SQL PROFILE                    0

-271 ALTER ANY SQL PROFILE                   0

-272 ADMINISTER SQL TUNING SET               0

-273 ADMINISTER ANY SQL TUNING SET           0

-274 CREATE ANY SQL PROFILE                  0

-275 EXEMPT IDENTITY POLICY                  0

-276 MANAGE FILE GROUP                       1

-277 MANAGE ANY FILE GROUP                   1

-278 READ ANY FILE GROUP                     1

-279 CHANGE NOTIFICATION                     0

-280 CREATE EXTERNAL JOB                     0

select any table and access to the dba_xxx data dictionary views

SYS @ prod > grant select any table to scott;    -- grant the privilege

Grant succeeded.

SYS @ prod > conn scott/tiger

Connected.

SCOTT @ prod > desc user_sys_privs;

Name                                                              Null?    Type

----------------------------------------------------------------- -------- --------------------------------------------

USERNAME                                                                   VARCHAR2(30)

PRIVILEGE                                                         NOT NULL VARCHAR2(40)

ADMIN_OPTION                                                               VARCHAR2(3)

SCOTT @ prod > select * from user_sys_privs;    -- [view the system privileges the user holds]

USERNAME                       PRIVILEGE                                ADM

------------------------------ ---------------------------------------- ---

SCOTT                          UNLIMITED TABLESPACE                     NO

SCOTT                          SELECT ANY TABLE                         NO

SCOTT @ prod > select * from tom.text2;

ID

----------

1

2

3

4

5

6

7

8

SCOTT @ prod > select * from sys.dba_users;

select * from sys.dba_users

*

ERROR at line 1:

ORA-00942: table or view does not exist

-- By default an ordinary user cannot access the dba_xxx views; the following parameter has to be changed

SYS @ prod > show parameter o7

NAME                                 TYPE        VALUE

------------------------------------ ----------- ------------------------------

O7_DICTIONARY_ACCESSIBILITY          boolean     FALSE

SYS @ prod > alter system set O7_DICTIONARY_ACCESSIBILITY=true scope=spfile;

System altered.

SYS @ prod > startup force

SYS @ prod > conn scott/tiger

SCOTT @ prod > select table_name from dba_tables where owner='SCOTT';

TABLE_NAME

-------------------------

DEPT

EMP

BONUS

SALGRADE

EMPLOYEES

ADMIN_EXT_EMPLOYEES

EMP1
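A least-privilege alternative to setting O7_DICTIONARY_ACCESSIBILITY=TRUE, added here as an example and not part of the original notes: SELECT ANY DICTIONARY (listed as -237 in the map above) or a grant on a single view gives SCOTT dictionary access without exposing every SYS-owned object to holders of SELECT ANY TABLE. The list of excluded accounts in the audit query is an assumption to adjust for your own database.

```sql
-- Added example, not from the original notes. Run as SYS.

-- 1) Confirm the parameter is at its default (FALSE). With TRUE, every holder of
--    SELECT ANY TABLE (or any other ANY privilege) can reach SYS-owned objects
--    directly, not just the dba_xxx views.
select name, value
  from v$parameter
 where upper(name) = 'O7_DICTIONARY_ACCESSIBILITY';

-- 2) Give SCOTT query access to the data dictionary only.
grant select any dictionary to scott;

-- 2b) Or narrower still: only the view that is actually needed.
grant select on sys.dba_tables to scott;

-- 3) Audit: which accounts hold "ANY" system privileges, and which of them can
--    pass the privilege on (ADMIN_OPTION = YES). The exclusion list is an
--    assumption; extend it with the administrative accounts of your database.
select grantee, privilege, admin_option
  from dba_sys_privs
 where privilege like '%ANY%'
   and grantee not in ('SYS', 'SYSTEM', 'DBA', 'OUTLN', 'DBSNMP')
 order by grantee, privilege;
```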


3. Granting and revoking system privileges


grant ... with admin option  [If this option is set when the user receives the privilege, the user can grant the privilege on to other users]

SYS @ prod > grant select any table to scott with admin option;

Grant succeeded.

SYS @ prod > conn scott/tiger

Connected.

SCOTT @ prod > col username for a10

SCOTT @ prod > col privilege for a30

SCOTT @ prod > select * from user_sys_privs;

USERNAME        PRIVILEGE                      ADMIN_OPT

--------------- ------------------------------ ---------

SCOTT           UNLIMITED TABLESPACE           NO

SCOTT           SELECT ANY TABLE               YES

SCOTT @ prod > grant select any table to tom;

Grant succeeded.

SCOTT @ prod > conn tom/tom

Connected.

TOM @ prod > select * from user_sys_privs;

USERNAME        PRIVILEGE                      ADMIN_OPT

--------------- ------------------------------ ---------

TOM             SELECT ANY TABLE               NO

TOM             CREATE SESSION                 NO

TOM             UNLIMITED TABLESPACE           NO

TOM @ prod > select * from scott.emp where rownum <3;

EMPNO ENAME      JOB              MGR HIREDATE         SAL       COMM     DEPTNO

---------- ---------- --------- ---------- --------- ---------- ---------- ----------

7369 SMITH      CLERK           7902 17-DEC-80        800                    20

7499 ALLEN      SALESMAN        7698 20-FEB-81       1600        300         30

-- [revoke of a privilege granted with admin option: the revoke does not cascade].

TOM @ prod > conn /as sysdba

Connected.

SYS @ prod > revoke select any table from scott;

Revoke succeeded.

SCOTT @ prod > conn scott/tiger

Connected.

SCOTT @ prod > select * from user_sys_privs;

USERNAME        PRIVILEGE                      ADMIN_OPT

--------------- ------------------------------ ---------

SCOTT           UNLIMITED TABLESPACE           NO

SCOTT @ prod > conn tom/tom

Connected.

TOM @ prod > select * from user_sys_privs;

USERNAME        PRIVILEGE                      ADMIN_OPT

--------------- ------------------------------ ---------

TOM             SELECT ANY TABLE               NO

TOM             CREATE SESSION                 NO

TOM             UNLIMITED TABLESPACE           NO

-- [each grantee must be revoked individually]

TOM @ prod > conn /as sysdba

Connected.

SYS @ prod > revoke select any table from tom;

Revoke succeeded.

SYS @ prod > conn tom/tom

Connected.

TOM @ prod > select * from user_sys_privs;

USERNAME        PRIVILEGE                      ADMIN_OPT

--------------- ------------------------------ ---------

TOM             CREATE SESSION                 NO

TOM             UNLIMITED TABLESPACE           NO
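Because a system-privilege revoke does not cascade, a privilege passed on through WITH ADMIN OPTION has to be revoked from every holder, as the SCOTT/TOM sequence above shows. The following script, added here as an example and not part of the original notes, lists who can re-grant a privilege and then revokes it from every user account that holds it directly; the privilege name and the excluded accounts are assumptions.

```sql
-- Added example, not from the original notes. Run as SYS, with
-- "set serveroutput on" in SQL*Plus so the log lines are shown.

-- 1) Who can re-grant this privilege? Every row with ADMIN_OPTION = YES is an
--    account that can hand it to further users, each of whom must be revoked
--    separately.
select grantee, admin_option
  from dba_sys_privs
 where privilege = 'SELECT ANY TABLE'
 order by admin_option desc, grantee;

-- 2) Revoke the privilege from every user account that holds it directly.
--    Roles (DBA, IMP_FULL_DATABASE, ...) also appear as grantees in
--    dba_sys_privs; the join to dba_users skips them, because revoking from a
--    role is a separate decision. SYS and SYSTEM are excluded as an assumption.
declare
    v_priv constant varchar2(40) := 'SELECT ANY TABLE';   -- assumed privilege
begin
    for r in (select p.grantee, p.admin_option
                from dba_sys_privs p
                join dba_users    u on u.username = p.grantee
               where p.privilege = v_priv
                 and p.grantee not in ('SYS', 'SYSTEM'))
    loop
        execute immediate 'revoke ' || v_priv || ' from "' || r.grantee || '"';
        dbms_output.put_line('revoked ' || v_priv || ' from ' || r.grantee
                             || ' (had admin option: ' || r.admin_option || ')');
    end loop;
end;
/

-- 3) Verify that no user account still holds it.
select p.grantee
  from dba_sys_privs p
  join dba_users    u on u.username = p.grantee
 where p.privilege = 'SELECT ANY TABLE';
```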


 4. Object privileges


grant ... with grant option  -- [If this option is set when the user receives the privilege, the user can grant the privilege on to other users]

SYS @ prod > grant all on scott.emp to public;  -- all means every object privilege; public means every user

SYS @ prod > conn tom/tom

Connected.

TOM @ prod > select * from user_tab_privs;

no rows selected

The grant does not appear in the user_tab_privs view (it is recorded against the grantee PUBLIC, not against TOM), but it is in effect and TOM can exercise it all the same [a system privilege, by contrast, would show up in user_sys_privs]

TOM @ prod > select ename from scott.emp;

ENAME

------------------------------

SMITH

ALLEN

WARD

JONES

MARTIN

BLAKE

CLARK

SCOTT

KING

TURNER

ADAMS

JAMES

FORD

MILLER

14 rows selected.

TOM @ prod > delete from scott.emp;

14 rows deleted.

TOM @ prod > rollback;

Rollback complete.

TOM @ prod > conn /as sysdba

Connected.

SYS @ prod > revoke all on scott.emp from public;  -- [revoke the privilege]

Revoke succeeded.

SYS @ prod > grant update on scott.emp to tom with grant option;        

Grant succeeded.

SYS @ prod > create user rose identified by rose ;

User created.

SYS @ prod > grant create session to rose;

Grant succeeded.

SYS @ prod > conn tom/tom

Connected.

TOM @ prod > select * from user_tab_privs;

GRANTEE    OWNER           TABLE_NAME      GRANTOR         PRIVILEGE       GRANTABLE       HIERARCHY

---------- --------------- --------------- --------------- --------------- --------------- ---------------

TOM        SCOTT           EMP1            SCOTT           UPDATE          YES             NO

TOM @ prod > grant update on scott.emp to rose;

Grant succeeded.

TOM @ prod > conn rose/rose

Connected.

ROSE @ prod > select * from user_tab_privs;

GRANTEE    OWNER           TABLE_NAME      GRANTOR         PRIVILEGE       GRANTABLE       HIERARCHY

---------- --------------- --------------- --------------- --------------- --------------- ---------------

ROSE       SCOTT           EMP1            TOM             UPDATE          NO              NO

-- [revoke of a privilege granted with grant option: the revoke cascades.]

ROSE @ prod > conn /as sysdba

Connected.

SYS @ prod > revoke update on scott.emp from rose;        

revoke update on scott.emp from rose

*

ERROR at line 1:

ORA-01927: cannot REVOKE privileges you did not grant

---- a privilege can only be revoked by the grantor who granted it directly; SYS did not grant to ROSE, so the revoke goes through TOM and cascades to ROSE

SYS @ prod > revoke update on scott.emp from tom;  

Revoke succeeded.

SYS @ prod > conn tom/tom

Connected.

TOM @ prod > select * from user_tab_privs;

GRANTEE              OWNER      TABLE_NAME GRANTOR    PRIVILEGE                                GRA HIE

-------------------- ---------- ---------- ---------- ---------------------------------------- --- ---

TOM                  SCOTT      EMP        SCOTT      SELECT                                   NO  NO

-- granting object privileges on a single column

SYS @ prod > grant update(sal) on scott.emp to tom;

Grant succeeded.

SYS @ prod > conn tom/tom

Connected.

TOM @ prod > update scott.emp set comm=100 where empno=7788;  -- no privilege to modify this column

update scott.emp set comm=100 where empno=7788

*

ERROR at line 1:

ORA-01031: insufficient privileges

TOM @ prod > update scott.emp set sal=10000 where empno=7788;

1 row updated.

TOM @ prod > rollback;

Rollback complete.

TOM @ prod > select GRANTEE,OWNER,TABLE_NAME,COLUMN_NAME,PRIVILEGE from user_col_privs;

GRANTEE    OWNER           TABLE_NAME      COLUMN_NAME     PRIVILEGE

---------- --------------- --------------- --------------- ---------------

TOM        SCOTT           EMP             SAL             UPDATE


Privilege-related views


SESSION_PRIVS          [system privileges available in the user's current session]

USER_ROLE_PRIVS      [roles granted to the user]

ROLE_SYS_PRIVS        [system privileges of the roles the user currently holds]

USER_SYS_PRIVS        [system privileges granted directly to the user]

USER_TAB_PRIVS      [object privileges involving the user: both those the current user granted to others and those other users granted to the current user]

ROLE_TAB_PRIVS      [table privileges granted to roles]

USER_TAB_PRIVS_RECD      [object privileges other users granted to the current user]

USER_TAB_PRIVS_MADE      [object privileges the current user granted to other users]

USER_COL_PRIVS_MADE      [column-level object privileges granted on the user's own objects]

USER_COL_PRIVS_RECD      [column-level object privileges granted to the user]

[Show the column privileges the user has granted: user_col_privs_made]


SYS @ prod > select GRANTEE,PRIVILEGE,TABLE_NAME||'.'||COLUMN_NAME tab_column from user_col_privs;

GRANTEE    PRIVILEGE       TAB_COLUMN

---------- --------------- --------------------

TOM        UPDATE          EMP.SAL

[Show the column privileges the user holds]


SYS @ prod > select PRIVILEGE,TABLE_NAME||'.'||COLUMN_NAME tab_column,GRANTOR from user_col_privs;

PRIVILEGE       TAB_COLUMN           GRANTOR

--------------- -------------------- ---------------

UPDATE          EMP.SAL              SCOTT

[Show the object privileges the user has granted]


SYS @ prod > select grantee, privilege, table_name from user_tab_privs_made;

GRANTEE                        PRIVILEGE                                TABLE_NAME

------------------------------ ---------------------------------------- ----------

HR                             DELETE                                   DEPT

HR                             SELECT                                   DEPT

HR                             UPDATE                                   DEPT

OE                             SELECT                                   EMP

[Show the object privileges the user holds (received)]


SYS @ prod > select privilege, table_name, grantor from all_tab_privs_recd where grantee='HR';

PRIVILEGE                                TABLE_NAME GRANTOR

---------------------------------------- ---------- ------------------------------

EXECUTE                                  DBMS_STATS SYS

DELETE                                   DEPT       SCOTT

SELECT                                   DEPT       SCOTT

UPDATE                                   DEPT       SCOTT
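The user_* views listed above show only rows that involve the connected user, which is why TOM saw nothing in user_tab_privs after the grant to PUBLIC. The queries below, added here as an example and not part of the original notes, use the dba_* views as SYS to get the complete picture of one table's grants; the owner and table are SQL*Plus substitution variables set to the schema used in the notes.

```sql
-- Added example, not from the original notes. Run as SYS in SQL*Plus.
define own = SCOTT
define tab = EMP

-- 1) Every table-level grant on the object, including grants to PUBLIC that
--    user_tab_privs never shows an individual user, and who may pass each
--    privilege on (GRANTABLE = YES).
select grantee, grantor, privilege, grantable
  from dba_tab_privs
 where owner = '&own' and table_name = '&tab'
 order by grantee, privilege;

-- 2) Column-level grants. The update(sal) grant above lands here, not in
--    dba_tab_privs, so a table-level review alone would miss it.
select grantee, grantor, column_name, privilege, grantable
  from dba_col_privs
 where owner = '&own' and table_name = '&tab'
 order by grantee, column_name;

-- 3) Re-grant chains: rows whose grantor is not the owner were passed on by a
--    grantee (TOM -> ROSE above). Revoking from that middle grantee cascades
--    to everything below it; revoking directly from ROSE fails with ORA-01927.
select grantor, grantee, privilege
  from dba_tab_privs
 where owner = '&own' and table_name = '&tab'
   and grantor <> owner
 order by grantor, grantee;

-- 4) Anything in this schema still open to every user.
select table_name, privilege
  from dba_tab_privs
 where owner = '&own' and grantee = 'PUBLIC'
 order by table_name, privilege;
```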
