如何列出用户收到的所有授权?
Posted
技术标签:
【中文标题】如何列出用户收到的所有授权?【英文标题】:How can I list ALL grants a user received? 【发布时间】:2010-11-20 20:57:00 【问题描述】:我需要查看 Oracle DB 上的所有授权。
我使用 TOAD 功能来比较架构,但它没有显示诱人的授权等。所以我的问题是:
如何列出 Oracle DB 上的所有授权?
【问题讨论】:
【参考方案1】:如果您想要的不仅仅是直接表授权(例如,通过角色、系统权限(例如选择任何表等)进行授权),这里有一些额外的查询:
用户的系统权限:
SELECT PRIVILEGE
FROM sys.dba_sys_privs
WHERE grantee = <theUser>
UNION
SELECT PRIVILEGE
FROM dba_role_privs rp JOIN role_sys_privs rsp ON (rp.granted_role = rsp.role)
WHERE rp.grantee = <theUser>
ORDER BY 1;
直接授予表/视图:
SELECT owner, table_name, select_priv, insert_priv, delete_priv, update_priv, references_priv, alter_priv, index_priv
FROM table_privileges
WHERE grantee = <theUser>
ORDER BY owner, table_name;
对表/视图的间接授权:
SELECT DISTINCT owner, table_name, PRIVILEGE
FROM dba_role_privs rp JOIN role_tab_privs rtp ON (rp.granted_role = rtp.role)
WHERE rp.grantee = <theUser>
ORDER BY owner, table_name;
【讨论】:
您可能无权查看 sys.dba_sys_privs 表。 绝对正确。请咨询您的 DBA。如果他们拒绝,他们可能有合法的安全问题。查看这些视图的内容为用户提供了他们无法获得的信息。 左加入role_role_privs 表然后CONNECT BY PRIOR granted_role = role 递归到传递角色权限会很有趣...【参考方案2】:
假设您想列出特定用户收到的所有对象的授权:
select * from all_tab_privs_recd where grantee = 'your user'
这不会返回用户拥有的对象。如果您需要这些,请改用all_tab_privs 视图。
【讨论】:
【参考方案3】:抱歉,如果您从其他(假设是 SYS)用户运行选择,则从 all_tab_privs_recd where grantee = 'your user' 中选择不会提供任何输出,除了公共授权和当前用户授权。正如文档所说,
ALL_TAB_PRIVS_RECD 描述了以下类型的授权:
Object grants for which the current user is the grantee Object grants for which an enabled role or PUBLIC is the grantee
因此,如果您是 DBA,并且想要列出特定(不是 SYS 本身)用户的所有 object 授权,则不能使用该系统视图。
在这种情况下,您必须执行更复杂的查询。这是从 TOAD 中提取(跟踪)的一个,用于选择特定用户的所有对象授权:
select tpm.name privilege,
decode(mod(oa.option$,2), 1, 'YES', 'NO') grantable,
ue.name grantee,
ur.name grantor,
u.name owner,
decode(o.TYPE#, 0, 'NEXT OBJECT', 1, 'INDEX', 2, 'TABLE', 3, 'CLUSTER',
4, 'VIEW', 5, 'SYNONYM', 6, 'SEQUENCE',
7, 'PROCEDURE', 8, 'FUNCTION', 9, 'PACKAGE',
11, 'PACKAGE BODY', 12, 'TRIGGER',
13, 'TYPE', 14, 'TYPE BODY',
19, 'TABLE PARTITION', 20, 'INDEX PARTITION', 21, 'LOB',
22, 'LIBRARY', 23, 'DIRECTORY', 24, 'QUEUE',
28, 'JAVA SOURCE', 29, 'JAVA CLASS', 30, 'JAVA RESOURCE',
32, 'INDEXTYPE', 33, 'OPERATOR',
34, 'TABLE SUBPARTITION', 35, 'INDEX SUBPARTITION',
40, 'LOB PARTITION', 41, 'LOB SUBPARTITION',
42, 'MATERIALIZED VIEW',
43, 'DIMENSION',
44, 'CONTEXT', 46, 'RULE SET', 47, 'RESOURCE PLAN',
66, 'JOB', 67, 'PROGRAM', 74, 'SCHEDULE',
48, 'CONSUMER GROUP',
51, 'SUBSCRIPTION', 52, 'LOCATION',
55, 'XML SCHEMA', 56, 'JAVA DATA',
57, 'EDITION', 59, 'RULE',
62, 'EVALUATION CONTEXT',
'UNDEFINED') object_type,
o.name object_name,
'' column_name
from sys.objauth$ oa, sys.obj$ o, sys.user$ u, sys.user$ ur, sys.user$ ue,
table_privilege_map tpm
where oa.obj# = o.obj#
and oa.grantor# = ur.user#
and oa.grantee# = ue.user#
and oa.col# is null
and oa.privilege# = tpm.privilege
and u.user# = o.owner#
and o.TYPE# in (2, 4, 6, 9, 7, 8, 42, 23, 22, 13, 33, 32, 66, 67, 74, 57)
and ue.name = 'your user'
and bitand (o.flags, 128) = 0
union all -- column level grants
select tpm.name privilege,
decode(mod(oa.option$,2), 1, 'YES', 'NO') grantable,
ue.name grantee,
ur.name grantor,
u.name owner,
decode(o.TYPE#, 2, 'TABLE', 4, 'VIEW', 42, 'MATERIALIZED VIEW') object_type,
o.name object_name,
c.name column_name
from sys.objauth$ oa, sys.obj$ o, sys.user$ u, sys.user$ ur, sys.user$ ue,
sys.col$ c, table_privilege_map tpm
where oa.obj# = o.obj#
and oa.grantor# = ur.user#
and oa.grantee# = ue.user#
and oa.obj# = c.obj#
and oa.col# = c.col#
and bitand(c.property, 32) = 0 /* not hidden column */
and oa.col# is not null
and oa.privilege# = tpm.privilege
and u.user# = o.owner#
and o.TYPE# in (2, 4, 42)
and ue.name = 'your user'
and bitand (o.flags, 128) = 0;
这将列出您(指定)用户的所有对象授权(包括列授权)。如果您不想要列级授权,请删除以“union”子句开头的所有选择部分。
UPD:研究文档后,我发现了另一个以更简单的方式列出所有赠款的视图:
select * from DBA_TAB_PRIVS where grantee = 'your user';
请记住,Oracle 中没有没有 DBA_TAB_PRIVS_RECD 视图。
【讨论】:
【参考方案4】:我所知道的最全面可靠的方法仍然是使用DBMS_METADATA:
select dbms_metadata.get_granted_ddl( 'SYSTEM_GRANT', :username ) from dual;
select dbms_metadata.get_granted_ddl( 'OBJECT_GRANT', :username ) from dual;
select dbms_metadata.get_granted_ddl( 'ROLE_GRANT', :username ) from dual;
(用户名必须全部大写)
有趣的答案。
【讨论】:
【参考方案5】:select distinct 'GRANT '||privilege||' ON '||OWNER||'.'||TABLE_NAME||' TO '||RP.GRANTEE
from DBA_ROLE_PRIVS RP join ROLE_TAB_PRIVS RTP
on (RP.GRANTED_ROLE = RTP.role)
where (OWNER in ('YOUR USER') --Change User Name
OR RP.GRANTEE in ('YOUR USER')) --Change User Name
and RP.GRANTEE not in ('SYS', 'SYSTEM')
;
【讨论】:
一些解释将有助于这个答案,因为当其他人来找到它时。【参考方案6】:以下查询可用于获取一个用户的所有权限...只需在第一个查询中提供用户名,您将获得该用户的所有权限
WITH users AS
(SELECT 'SCHEMA_USER' usr FROM dual),
Roles AS
(SELECT granted_role
FROM dba_role_privs rp
JOIN users
ON rp.GRANTEE = users.usr
UNION
SELECT granted_role
FROM role_role_privs
WHERE role IN (SELECT granted_role
FROM dba_role_privs rp
JOIN users
ON rp.GRANTEE = users.usr)),
tab_privilage AS
(SELECT OWNER, TABLE_NAME, PRIVILEGE
FROM role_tab_privs rtp
JOIN roles r
ON rtp.role = r.granted_role
UNION
SELECT OWNER, TABLE_NAME, PRIVILEGE
FROM Dba_Tab_Privs dtp
JOIN Users
ON dtp.grantee = users.usr),
sys_privileges AS
(SELECT privilege
FROM dba_sys_privs dsp
JOIN users
ON dsp.grantee = users.usr)
SELECT * FROM tab_privilage ORDER BY owner, table_name
--SELECT * FROM sys_privileges
【讨论】:
以上是关于如何列出用户收到的所有授权?的主要内容,如果未能解决你的问题,请参考以下文章
如何列出我的 Google Cloud 项目的所有 IAM 用户