oracle grant resource для чего

Oracle grant resource для чего

Privileges for object types exist at the system level and the schema object level.

7.1.1 System Privileges for Object Types

Oracle database defines the following system privileges for object types:

CREATE TYPE enables you to create object types in your own schema

CREATE ANY TYPE enables you to create object types in any schema

ALTER ANY TYPE enables you to alter object types in any schema

DROP ANY TYPE enables you to drop named types in any schema

EXECUTE ANY TYPE enables you to use and reference named types in any schema

UNDER ANY TYPE enables you to create subtypes under any non-final object types

UNDER ANY VIEW enables you to create subviews under any object view

The following roles are helpful:

The RESOURCE role includes the CREATE TYPE system privilege.

The DBA role includes all of these privileges.

7.1.2 Schema Object Privileges

Two schema object privileges apply to object types:

EXECUTE enables you to use the type to:

Define a column in a relational table.

Declare a variable or parameter of the named type.

EXECUTE lets you invoke the methods of a type, including the constructor.

Method execution and the associated permissions are the same as for stored PL/SQL procedures.

UNDER enables you to create a subtype or subview under the type or view on which the privilege is granted.

Only a grantor with the UNDER privilege WITH GRANT OPTION on the direct supertype or superview can grant the UNDER privilege on a subtype or subview.

The phrase WITH HIERARCHY OPTION grants a specified object privilege on all subtypes of the object. This option is meaningful only with the SELECT object privilege granted on an object view in an object view hierarchy. In this case, the privilege applies to all subviews of the view on which the privilege is granted.

7.1.3 Types Used in New Types or Tables

In addition to the permissions detailed in the previous sections, you need specific privileges to:

Create types or tables that use types created by other users.

Grant use of your new types or tables to other users.

You must have either the EXECUTE ANY TYPE system privilege or the EXECUTE object privilege for any type used to define a new type or table. You must have been granted these privileges explicitly, and not through a role.

7.1.4 Example: Privileges on Object Types

This section presents several related examples, creating users or schemas and then granting privileges on them.

This example requires you to create and use several passwords. If you plan to run the example, make these changes to your SQL code first.

For simplicity, this example does not perform the password management techniques that a deployed system normally uses. In a production environment, follow the Oracle Database password management guidelines, and disable any sample accounts.

See Oracle Database Security Guide for password management guidelines and other security recommendations.

Example 7-1 Creating User Schemas

Example 7-2 requires the input of a password, USER1 performs the CREATE and GRANT Data Definition Language (DDL) statements in the USER1 schema:

Example 7-2 Granting Privileges on Object Types

In Example 7-3, USER2 performs the CREATE DDL statement in the USER2 schema:

Example 7-3 Performing DDL Statements in USER2 Schema

Example 7-4 Performing Grants to USER3

In Example 7-5, USER3 has the necessary privileges to perform the following actions:

Example 7-5 Creating Tables and Types

7.1.5 Access Privileges on Objects, Types, and Tables

Object types only make use of the EXECUTE privilege.

However, object tables use all the same privileges as relational tables:

READ or SELECT lets you access an object and its attributes from the table.

UPDATE lets you modify attributes of objects in the table.

INSERT lets you add new objects to the table.

DELETE lets you delete objects from the table.

Similar table and column privileges regulate the use of table columns of object types.

Consider the schema and queries created below in Example 7-6:

Example 7-6 SELECT Privileges on Type Access

The second query, however, does not involve named types, so the database does not check type privileges.

Additionally, USER3 can perform queries such as these:

Note that in both queries, USER3 does not have explicit privileges on the underlying type. However, the statement succeeds because the type and table owners have the necessary privileges with the GRANT option.

Oracle database checks privileges on the following requests and returns an error if the requestor does not have the privilege for the action:

Pinning an object in the object cache using its REF value causes the database to check the READ or SELECT privilege on the object table containing the object and the EXECUTE privilege on the object type.

Modifying an existing object or flushing an object from the object cache causes the database to check the UPDATE privilege on the destination object table. Flushing a new object causes the database to check the INSERT privilege on the destination object table.

Deleting an object causes the database to check the DELETE privilege on the destination table.

Invoking a method causes the database to check the EXECUTE privilege on the corresponding object type.

Oracle database does not provide column level privileges for object tables.

Oracle Call Interface Programmer’s Guide for tips and techniques for using OCI program effectively with objects

Источник

Oracle Security by

Get full access to Oracle Security and 60K+ other titles, with free 10-day trial of O’Reilly.

There’s also live online events, interactive content, certification prep materials, and more.

The RESOURCE Role

The RESOURCE role grants a user the privileges necessary to create procedures, triggers and, in Oracle8, types within the user’s own schema area. Granting a user RESOURCE without CONNECT, while possible, does not allow the user to log in to the database. Therefore, if you really must grant a user RESOURCE, you have to grant CONNECT also — or, at least, CREATE SESSION — so the user can log in.

System Privileges for the RESOURCE Role

The system privileges for the RESOURCE role are shown in Table 5.2.

Table 5-2. RESOURCE Role System Privileges

CREATE TYPE (new in Oracle8)

Problems with the RESOURCE Role

There are several potential problems with the use of the RESOURCE role.

The Oracle-supplied roles can be moving targets

As we mentioned earlier in the section “About the Defaults,” the system privileges of an Oracle-supplied role may change with a new version or upgrade release. For example, the privileges listed in Table 5.2 are from an Oracle8 RESOURCE role. Note that in an Oracle7 database, the CREATE TYPE privilege does not exist. There is another problem that has as much or more impact on your database security, which we examine next.

UNLIMITED TABLESPACE access

Get Oracle Security now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.

Источник

Oracle grant resource для чего

Use the GRANT statement to grant:

System privileges to users and roles. Table 18-1 lists the system privileges (organized by the database object operated upon).

Object privileges for a particular object to users and roles. Table 18-2 lists the object privileges (organized by the database object operated upon).

Global roles (created with IDENTIFIED GLOBALLY ) are granted through enterprise roles and cannot be granted using the GRANT statement.

Notes on Authorizing Database Users

You can authorize database users through means other than the database and the GRANT statement.

Many Oracle Database privileges are granted through supplied PL/SQL and Java packages. For information on those privileges, refer to the documentation for the appropriate package.

Note on Oracle Automatic Storage Management

Note on Editionable Objects

A GRANT operation to grant object privileges on an editionable object actualizes the object in the current edition. See Oracle Database Development Guide for more information about editions and editionable objects.

CREATE USER and CREATE ROLE for definitions of local, global, and external privileges

Oracle Database Security Guide for information about other authorization methods and for information about privileges

REVOKE for information on revoking grants

You must have been granted the GRANT ANY PRIVILEGE system privilege. In this case, if you grant the system privilege to a role, then a user to whom the role has been granted does not have the privilege unless the role is enabled in user’s session.

Источник

GRANT

Use the GRANT statement to grant:

System privileges to users and roles.

Roles to users and roles. Both privileges and roles are either local, global, or external. Table 18-1 lists the system privileges (organized by the database object operated upon). Table 18-2 lists Oracle Database predefined roles.

Notes on Authorizing Database Users You can authorize database users through means other than the database and the GRANT statement.

Many Oracle Database privileges are granted through supplied PL/SQL and Java packages. For information on those privileges, please refer to the documentation for the appropriate package.

CREATE USER and CREATE ROLE for definitions of local, global, and external privileges

Oracle Database Security Guide for information about other authorization methods and for information about privileges

REVOKE for information on revoking grants

To grant a system privilege, you must either have been granted the system privilege with the ADMIN OPTION or have been granted the GRANT ANY PRIVILEGE system privilege.

To grant a role, you must either have been granted the role with the ADMIN OPTION or have been granted the GRANT ANY ROLE system privilege, or you must have created the role.

Description of the illustration grant.gif

Description of the illustration grant_system_privileges.gif

Description of the illustration grant_object_privileges.gif

Description of the illustration on_object_clause.gif

Description of the illustration grantee_clause.gif

Use these clauses to grant system privileges.

Specify the system privilege you want to grant. Table 18-1 lists the system privileges, organized by the database object operated upon.

Oracle Database provides the ALL PRIVILEGES shortcut for granting all the system privileges listed in Table 18-1, except the SELECT ANY DICTIONARY privilege.

Specify the role you want to grant. You can grant an Oracle Database predefined role or a user-defined role. Table 18-2 lists the predefined roles.

«Granting a Role to a Role: Example» and CREATE ROLE for information on creating a user-defined role

IDENTIFIED BY Clause

CREATE USER for restrictions on usernames and passwords

Specify WITH ADMIN OPTION to enable the grantee to:

Grant the role to another user or role, unless the role is a GLOBAL role

Revoke the role from another user or role

Alter the role to change the authorization needed to access it

TO grantee_clause identifies users or roles to which the system privilege, role, or object privilege is granted.

Restriction on Grantees A user, role, or PUBLIC cannot appear more than once in TO grantee_clause.

PUBLIC Specify PUBLIC to grant the privileges to all users.

Restrictions on Granting System Privileges and Roles Privileges and roles are subject to the following restrictions:

A privilege or role cannot appear more than once in the list of privileges and roles to be granted.

You cannot grant a role to itself.

You cannot grant a role IDENTIFIED GLOBALLY to anything.

You cannot grant a role IDENTIFIED EXTERNALLY to a global user or global role.

Use these clauses to grant object privileges.

Specify the object privilege you want to grant. You can specify any of the values shown in Table 18-3. See also Table 18-4.

Restriction on Object Privileges A privilege cannot appear more than once in the list of privileges to be granted.

The on_object_clause identifies the object on which the privileges are granted. Directory schema objects and Java source and resource schema objects are identified separately because they reside in separate namespaces.

«Revoke Operations that Use GRANT ANY OBJECT PRIVILEGE: Example» for more information on using the GRANT ANY OBJECT PRIVILEGE system privilege for revoke operations

Specify WITH GRANT OPTION to enable the grantee to grant the object privileges to other users and roles.

WITH HIERARCHY OPTION

This clause is meaningful only in combination with the SELECT object privilege.

Table, view, or materialized view

Procedure, function, or package

Synonym for any of the preceding items

Directory, library, operator, or indextype

Java source, class, or resource

You cannot grant privileges directly to a single partition of a partitioned table.

DIRECTORY directory_name Specify a directory schema object on which privileges are to be granted. You cannot qualify directory_name with a schema name.

JAVA SOURCE | RESOURCE The JAVA clause lets you specify a Java source or resource schema object on which privileges are to be granted.

Listings of System and Object Privileges

Table 18-1 System Privileges

Advisor Framework Privileges: All of the advisor framework privileges are part of the DBA role.

Please refer to PL/SQL Packages and Types Reference for information on these packages.

ADMINISTER SQL TUNING SET

Create, drop, select (read), load (write), and delete a SQL tuning set owned by the grantee through the DBMS_SQLTUNE package.

ADMINISTER ANY SQL TUNING SET

Create, drop, select (read), load (write), and delete a SQL tuning set owned by any user through the DBMS_SQLTUNE package.

CREATE ANY SQL PROFILE

Accept a SQL Profile recommended by the SQL Tuning Advisor, which is accessed through Enterprise Manager or by the DBMS_SQLTUNE package.

DROP ANY SQL PROFILE

Drop an existing SQL Profile.

ALTER ANY SQL PROFILE

Alter the attributes of an existing SQL Profile.

Create clusters in the grantee’s schema.

CREATE ANY CLUSTER

Alter clusters in any schema.

Drop clusters in any schema.

CREATE ANY CONTEXT

Create any context namespace.

Drop any context namespace.

Alter the database.

Issue ALTER SYSTEM statements.

Issue AUDIT statements.

CREATE DATABASE LINK

Create private database links in the grantee’s schema.

CREATE PUBLIC DATABASE LINK

Create public database links.

DROP PUBLIC DATABASE LINK

Drop public database links.

DEBUG CONNECT SESSION

Connect the current session to a debugger.

DEBUG ANY PROCEDURE

Debug all PL/SQL and Java code in any database object. Display information on all SQL statements executed by the application.

Note: Granting this privilege is equivalent to granting the DEBUG object privilege on all applicable objects in the database.

Create dimensions in the grantee’s schema.

CREATE ANY DIMENSION

Create dimensions in any schema.

ALTER ANY DIMENSION

Alter dimensions in any schema.

DROP ANY DIMENSION

Drop dimensions in any schema.

CREATE ANY DIRECTORY

Create directory database objects.

DROP ANY DIRECTORY

Drop directory database objects.

Create an indextype in the grantee’s schema.

CREATE ANY INDEXTYPE

Create an indextype in any schema and create a comment on an indextype in any schema.

ALTER ANY INDEXTYPE

Modify indextypes in any schema.

DROP ANY INDEXTYPE

Drop an indextype in any schema.

EXECUTE ANY INDEXTYPE

Reference an indextype in any schema.

Create in any schema a domain index or an index on any table in any schema.

Alter indexes in any schema.

Drop indexes in any schema.

JOB SCHEDULER OBJECTS:

The following privileges are needed to execute procedures in the DBMS_SCHEDULER package.

Create jobs, schedules, or programs in the grantee’s schema.

Create, alter, or drop jobs, schedules, or programs in any schema.

Note: This extremely powerful privilege allows the grantee to execute code as any other user. It should be granted with caution.

CREATE EXTERNAL JOB

Create in the grantee’s schema an executable scheduler job that runs on the operating system.

EXECUTE ANY PROGRAM

Use any program in a job in the grantee’s schema.

Specify any job class in a job in the grantee’s schema.

Create, alter, or drop any job class, window, or window group.

Create external procedure or function libraries in the grantee’s schema.

CREATE ANY LIBRARY

Create external procedure or function libraries in any schema.

Drop external procedure or function libraries in any schema.

CREATE MATERIALIZED VIEW

Create a materialized view in the grantee’s schema.

CREATE ANY MATERIALIZED VIEW

Create materialized views in any schema.

ALTER ANY MATERIALIZED VIEW

Alter materialized views in any schema.

DROP ANY MATERIALIZED VIEW

Drop materialized views in any schema.

This privilege has been deprecated. No privileges are needed for a user to enable rewrite for a materialized view that references tables or views in the user’s own schema.

GLOBAL QUERY REWRITE

Enable rewrite using a materialized view when that materialized view references tables or views in any schema.

Create a refresh-on-commit materialized view on any table in the database.

Alter a refresh-on-demand materialized on any table in the database to refresh-on-commit.

FLASHBACK ANY TABLE

Issue a SQL Flashback Query on any table, view, or materialized view in any schema. This privilege is not needed to execute the DBMS_FLASHBACK procedures.

Create an operator and its bindings in the grantee’s schema.

CREATE ANY OPERATOR

Create an operator and its bindings in any schema and create a comment on an operator in any schema.

ALTER ANY OPERATOR

Modify an operator in any schema.

Drop an operator in any schema.

EXECUTE ANY OPERATOR

Reference an operator in any schema.

CREATE ANY OUTLINE

Create public outlines that can be used in any schema that uses outlines.

Create stored procedures, functions, and packages in the grantee’s schema.

CREATE ANY PROCEDURE

Create stored procedures, functions, and packages in any schema.

ALTER ANY PROCEDURE

Alter stored procedures, functions, or packages in any schema.

DROP ANY PROCEDURE

Drop stored procedures, functions, or packages in any schema.

EXECUTE ANY PROCEDURE

Execute procedures or functions, either standalone or packaged.

Reference public package variables in any schema.

Alter any role in the database.

Grant any role in the database.

CREATE ROLLBACK SEGMENT

Create rollback segments.

ALTER ROLLBACK SEGMENT

Alter rollback segments.

DROP ROLLBACK SEGMENT

Drop rollback segments.

Create sequences in the grantee’s schema.

CREATE ANY SEQUENCE

Create sequences in any schema.

ALTER ANY SEQUENCE

Alter any sequence in the database.

Drop sequences in any schema.

SELECT ANY SEQUENCE

Reference sequences in any schema.

Connect to the database.

ALTER RESOURCE COST

Set costs for session resources.

Issue ALTER SESSION statements.

Logon after the instance is started using the SQL*Plus STARTUP RESTRICT statement.

See MATERIALIZED VIEWS

Create synonyms in the grantee’s schema.

CREATE ANY SYNONYM

Create private synonyms in any schema.

CREATE PUBLIC SYNONYM

Create public synonyms.

Drop private synonyms in any schema.

DROP PUBLIC SYNONYM

Drop public synonyms.

Create tables in the grantee’s schema.

Create tables in any schema. The owner of the schema containing the table must have space quota on the tablespace to contain the table.

Alter any table or view in any schema.

Use the Export utility to incrementally export objects from the schema of other users.

Delete rows from tables, table partitions, or views in any schema.

Drop or truncate tables or table partitions in any schema.

Insert rows into tables and views in any schema.

Lock tables and views in any schema.

Query tables, views, or materialized views in any schema.

FLASHBACK ANY TABLE

Issue a SQL Flashback Query on any table, view, or materialized view in any schema. This privilege is not needed to execute the DBMS_FLASHBACK procedures.

Update rows in tables and views in any schema.

Take tablespaces offline and online and begin and end tablespace backups.

Use an unlimited amount of any tablespace. This privilege overrides any specific quotas assigned. If you revoke this privilege from a user, then the user’s schema objects remain but further tablespace allocation is denied unless authorized by specific tablespace quotas. You cannot grant this system privilege to roles.

Create a database trigger in the grantee’s schema.

CREATE ANY TRIGGER

Create database triggers in any schema.

Enable, disable, or compile database triggers in any schema.

Drop database triggers in any schema.

ADMINISTER DATABASE TRIGGER

Create object types and object type bodies in the grantee’s schema.

Create object types and object type bodies in any schema.

Alter object types in any schema.

Drop object types and object type bodies in any schema.

Use and reference object types and collection types in any schema, and invoke methods of an object type in any schema if you make the grant to a specific user. If you grant EXECUTE ANY TYPE to a role, then users holding the enabled role will not be able to invoke methods of an object type in any schema.

Create subtypes under any nonfinal object types.

Create users. This privilege also allows the creator to:

Assign quotas on any tablespace.

Set default and temporary tablespaces.

Assign a profile as part of a CREATE USER statement.

Alter any user. This privilege authorizes the grantee to:

Change another user’s password or authentication method.

Assign quotas on any tablespace.

Set default and temporary tablespaces.

Assign a profile and default roles.

Create views in the grantee’s schema.

Create views in any schema.

Drop views in any schema.

Create subviews under any object views.

FLASHBACK ANY TABLE

Issue a SQL Flashback Query on any table, view, or materialized view in any schema. This privilege is not needed to execute the DBMS_FLASHBACK procedures.

If a user has been granted the MERGE ANY VIEW privilege, then for any query issued by that user, the optimizer can use view merging to improve query performance without performing the checks that would otherwise be performed to ensure that view merging does not violate any security intentions of the view creator. See also Oracle Database Reference for information on the OPTIMIZER_SECURE_VIEW_MERGING parameter and Oracle Database Performance Tuning Guide for information on view merging.

Analyze any table, cluster, or index in any schema.

Audit any object in any schema using AUDIT schema_objects statements.

Comment on any table, view, or column in any schema.

EXEMPT ACCESS POLICY

Bypass fine-grained access control.

Caution: This is a very powerful system privilege, as it lets the grantee bypass application-driven security policies. Database administrators should use caution when granting this privilege.

FORCE ANY TRANSACTION

Force the commit or rollback of any in-doubt distributed transaction in the local database.

Induce the failure of a distributed transaction.

Force the commit or rollback of the grantee’s in-doubt distributed transactions in the local database.

GRANT ANY OBJECT PRIVILEGE

Grant any object privilege that the object owner is permitted to to grant.

Revoke any object privilege that was granted by the object owner or by some other user with the GRANT ANY OBJECT PRIVILEGE privilege.

GRANT ANY PRIVILEGE

Grant any system privilege.

Enable resumable space allocation.

SELECT ANY DICTIONARY

Query any data dictionary object in the SYS schema. This privilege lets you selectively override the default FALSE setting of the O7_DICTIONARY_ACCESSIBILITY initialization parameter.

SELECT ANY TRANSACTION

Query the contents of the FLASHBACK_TRANSACTION_QUERY view.

Caution: This is a very powerful system privilege, as it lets the grantee view all data in the database, including past data. This privilege should be granted only to users who need to use the Oracle Flashback Transaction Query feature.

Perform STARTUP and SHUTDOWN operations.

ALTER DATABASE : open, mount, back up, or change character set.

Includes the RESTRICTED SESSION privilege.

Perform STARTUP and SHUTDOWN operations.

ALTER DATABASE : open, mount, or back up.

Includes the RESTRICTED SESSION privilege.

CONNECT, RESOURCE, and DBA

These roles are provided for compatibility with previous versions of Oracle Database. You can determine the privileges encompassed by these roles by querying the DBA_SYS_PRIVS data dictionary view.

Note: Oracle recommends that you design your own roles for database security rather than relying on these roles. These roles may not be created automatically by future versions of Oracle Database.

See Also: Oracle Database Reference for a description of the DBA_SYS_PRIVS view

DELETE_CATALOG_ROLE EXECUTE_CATALOG_ROLE SELECT_CATALOG_ROLE

These roles are provided for accessing data dictionary views and packages.

See Also: Oracle Database Administrator’s Guide for more information on these roles

These roles are provided for convenience in using the import and export utilities.

See Also: Oracle Database Utilities for more information on these roles

You need these roles to use Oracle Advanced Queuing.

This role is used by the Enterprise Manager Intelligent Agent.

You need this role to create a user who owns a recovery catalog.

See Also: Oracle Database Backup and Recovery Advanced User’s Guide for more information on recovery catalogs

Table 18-2 Oracle Database Predefined Roles

A DBA using Oracle Database heterogeneous services needs this role to access appropriate tables in the data dictionary.

This role allows the grantee to execute the procedures of the DBMS_SCHEDULER package. It includes all of the job scheduler system privileges and is included in the DBA role.

See Also: Oracle Database Administrator’s Guide for more information on the DBMS_SCHEDULER package

Table 18-3 Object Privileges Available for Particular Objects

Note 1: Oracle Database treats a Java class, source, or resource as if it were a procedure for purposes of granting object privileges.

Note 2: Job scheduler objects are created using the DBMS_SCHEDULER package. After these objects are created, you can grant the EXECUTE object privilege on job scheduler classes and programs. You can grant ALTER privilege on job scheduler jobs, programs, and schedules.

Table 18-4 Object Privileges and the Operations They Authorize

The following table privileges authorize operations on a table. Any one of following object privileges allows the grantee to lock the table in any lock mode with the LOCK TABLE statement.

Change the table definition with the ALTER TABLE statement.

Remove rows from the table with the DELETE statement.

Note: You must grant the SELECT privilege on the table along with the DELETE privilege if the table is on a remote database.

Access, through a debugger:

PL/SQL code in the body of any triggers defined on the table

Information on SQL statements that reference the table directly

Create an index on the table with the CREATE INDEX statement.

Add new rows to the table with the INSERT statement.

Create a constraint that refers to the table. You cannot grant this privilege to a role.

Query the table with the SELECT statement.

Change data in the table with the UPDATE statement.

Note: You must grant the SELECT privilege on the table along with the UPDATE privilege if the table is on a remote database.

The following view privileges authorize operations on a view. Any one of the following object privileges allows the grantee to lock the view in any lock mode with the LOCK TABLE statement.

To grant a privilege on a view, you must have that privilege with the GRANT OPTION on all of the base tables of the view.

Access, through a debugger:

PL/SQL code in the body of any triggers defined on the view

Information on SQL statements that reference the view directly

Remove rows from the view with the DELETE statement.

Add new rows to the view with the INSERT statement.

Define foreign key constraints on the view.

Query the view with the SELECT statement.

Create a subview under this view. You can grant this object privilege only if you have the UNDER ANY VIEW privilege WITH GRANT OPTION on the immediate superview of this view.

Change data in the view with the UPDATE statement.

The following sequence privileges authorize operations on a sequence.

Change the sequence definition with the ALTER SEQUENCE statement.

Examine and increment values of the sequence with the CURRVAL and NEXTVAL pseudocolumns.

PROCEDURE, FUNCTION, PACKAGE PRIVILEGES

Access, through a debugger, all public and nonpublic variables, methods, and types defined on the object.

Place a breakpoint or stop at a line or instruction boundary within the procedure, function, or package. This privilege grants access to the declarations in the method or package specification and body.

Access, through a debugger, public variables, types, and methods defined on the procedure, function, or package. This privilege grants access to the declarations in the method or package specification only.

Note: Users do not need this privilege to execute a procedure, function, or package indirectly.

MATERIALIZED VIEW PRIVILEGES

The following materialized view privileges authorize operations on a materialized view.

Create a refresh-on-commit materialized view on the specified table.

Create a materialized view for query rewrite using the specified table.

Query the materialized view with the SELECT statement.

Synonym privileges are the same as the privileges for the base object. Granting a privilege on a synonym is equivalent to granting the privilege on the base object. Similarly, granting a privilege on a base object is equivalent to granting the privilege on all synonyms for the object. If you grant to a user a privilege on a synonym, then the user can use either the synonym name or the base object name in the SQL statement that exercises the privilege.

The following directory privileges provide secured access to the files stored in the operating system directory to which the directory object serves as a pointer. The directory object contains the full path name of the operating system directory where the files reside. Because the files are actually stored outside the database, Oracle Database server processes also need to have appropriate file permissions on the file system server. Granting object privileges on the directory database object to individual database users, rather than on the operating system, allows the database to enforce security during file operations.

Read files in the directory.

Write files in the directory. This privilege is useful only in connection with external tables. It allows the grantee to determine whether the external table agent can write a log file or a bad file to the directory.

The following library privilege authorizes operations on a library.

Use and reference the specified object and invoke its methods.

OBJECT TYPE PRIVILEGES

The following object type privileges authorize operations on a database object type.

Access, through a debugger, all public and nonpublic variables, methods, and types defined on the object type.

Place a breakpoint or stop at a line or instruction boundary within the type body.

Use and reference the specified object and invoke its methods.

Access, through a debugger, public variables, types, and methods defined on the object type.

Create a subtype under this type. You can grant this object privilege only if you have the UNDER ANY TYPE privilege WITH GRANT OPTION on the immediate supertype of this type.

The following indextype privilege authorizes operations on indextypes.

Reference an indextype.

The following operator privilege authorizes operations on user-defined operators.

Reference an operator.

Granting System Privileges to a Role: Example The following statement grants appropriate system privileges to a data warehouse manager role, which was created in the «Creating a Role: Example»:

The dw_manager privilege domain now contains the system privileges related to materialized views.

User sh can now perform the following operations with the dw_manager role:

Enable the role and exercise any privileges in the privilege domain of the role, including the CREATE MATERIALIZED VIEW system privilege

Grant and revoke the role to and from other users

Granting Object Privileges to a Role: Example The following example grants the SELECT object privileges to a data warehouse user role, which was created in the «Creating a Role: Example»:

Granting a Role to a Role: Example The following statement grants the warehouse_user role to the dw_manager role. Both roles were created in the «Creating a Role: Example»:

The dw_manager role now contains all of the privileges in the domain of the warehouse_user role.

The user hr can subsequently perform the following operations:

Exercise any privilege on the bonuses table

Grant any privilege on the bonuses table to another user or role

All users can subsequently query and update the view of employee details.

The user hr can subsequently generate the next value of the sequence with the following statement:

For example, oe can create a table with a constraint:

Источник

• ← Ультрикс квадри вакцина детям что это
• с днем рождения подруга школьная моя →