Table Security

Information about who has been granted access to a particular table can be found in two views, the ALL_TAB_PRIVS view and the ALL_COL_PRIVS view. These views show you information about privileges granted on tables you own or privileges you have been granted on tables owned by other users. Unless you are the DBA or otherwise have access to the DBA_TAB_PRIVS_MADE and DBA_COL_PRIVS_MADE views, you cannot fully see the security for tables you do not own.

Looking at Table Security

As stated earlier, there are two views you need to look at when you want to find out who has access to a particular table. The ALL_TAB_PRIVS view gives you information about table-level grants. For example, if you issue the following statement, it will be reflected in ALL_TAB_PRIVS:

GRANT SELECT, DELETE ON employee TO user_a;

Some privileges, UPDATE and INSERT, for example, may be restricted only to certain columns of a table. For example, the following grant allows user_a to change just the employee’s name:

GRANT UPDATE (employee_name) ON employee TO user_a;

Grants such as this, which are restricted to certain columns, are reflected in the ALL_COL_PRIVS view. To get a complete picture of the privileges you have granted on any particular table, you need to query both of these views. The query against ALL_TAB_PRIVS will look something like this:

SELECT grantee, privilege, grantable
  FROM all_tab_privs
 WHERE table_schema = 'owner_name'
   AND table_name = 'object_name';

This query will give you a list of all privileges that have been granted without any column restrictions. The GRANTABLE column will tell you whether or not the privilege was granted using the WITH GRANT OPTION keywords. Granting a privilege with GRANT OPTION allows the grantee to pass that privilege on to others.

You also need to know about any column-level privileges that have been granted. These will only be reflected in ALL_COL_PRIVS, so you must query that as well. This query looks similar to the previous query, except that it also returns the column names:

SELECT grantee, privilege, column_name, grantable
  FROM all_col_privs
 WHERE table_schema = 'owner_name'
   AND table_name = 'object_name';

Security Scripts

The SHOW_SECURITY script you are about to see unions together the two queries we saw in the previous section.

The SHOW_SECURITY.SQL script

The following script shows you the grants that have been made on any table you own. You can also see grants made on tables owned by other users, so long as those grants apply to you. The two queries you saw previously have been unioned together, and the columns have been concatenated together to produce readable output. The table name and grantee are shown in the header, which changes each time the grantee changes.

--DESCRIPTION
--This script displays information about security on a table.
--
--USAGE
--        @SHOW_SECURITY [owner.]table_name
--  
SET ECHO OFF 
SET VERIFY OFF
SET FEEDBACK OFF
SET PAGESIZE 9999
SET HEADING OFF
 
--Dissect the input argument, and get the owner name and
--table name into two separate substitution variables.
--The owner name defaults to the current user.
SET TERMOUT OFF
DEFINE s_owner_name = ' '
DEFINE s_synonym_name = ' '
COLUMN owner_name NOPRINT NEW_VALUE s_owner_name
COLUMN table_name NOPRINT NEW_VALUE s_table_name
SELECT
  DECODE(INSTR('&&1','.'),
         0,USER,  /*Default to current user.*/
         UPPER(SUBSTR('&&1',1,INSTR('&&1','.')-1))) owner_name,
  DECODE(INSTR('&&1','.'),
         0,UPPER('&&1'),  /*Only the table name was passed in.*/
         UPPER(SUBSTR('&&1',INSTR('&&1','.')+1))) table_name
  FROM dual;
SET TERMOUT ON

COLUMN grantee NOPRINT NEW_VALUE s_grantee
BREAK ON grantee SKIP PAGE
TTITLE LEFT 'PRIVILEGES GRANTED TO ' s_grantee -
       ' ON ' s_owner_name '.' s_table_name

--Execute a query to show privileges granted at the table level.
SELECT grantee, 
       '     ' || privilege || 
       DECODE(grantable, 'YES', ' with grant option', '') privilege
  FROM all_tab_privs
 WHERE table_schema = '&&s_owner_name'
   AND table_name = '&&s_table_name'
UNION
SELECT grantee,
       '     ' || privilege || ' of column ' || column_name 
       || DECODE(grantable, 'YES', ' with grant option', '') privilege
  FROM all_col_privs
 WHERE table_schema = '&&s_owner_name'
   AND table_name = '&&s_table_name'
ORDER BY grantee, privilege;
 
--Reset everything back to its default.
CLEAR COLUMNS
CLEAR BREAK
UNDEFINE s_owner_name
UNDEFINE s_table_name
SET VERIFY ON
SET FEEDBACK ON
SET HEADING ON
SET PAGESIZE 24

Running the SHOW_SECURITY script

The following example shows the results of running SHOW_SECURITY against the EMPLOYEE table, after first granting some access to other users:

SQL> @show_security employee

PRIVILEGES GRANTED TO PUBLIC ON JEFF.EMPLOYEE
     SELECT
     UPDATE of column EMPLOYEE_TERMINATION_DATE

PRIVILEGES GRANTED TO USER_A ON JEFF.EMPLOYEE
     DELETE
     INSERT of column EMPLOYEE_BILLING_RATE with grant option
     INSERT of column EMPLOYEE_HIRE_DATE with grant option
     INSERT of column EMPLOYEE_ID with grant option
     INSERT of column EMPLOYEE_NAME with grant option
     SELECT

PRIVILEGES GRANTED TO USER_B ON JEFF.EMPLOYEE
     UPDATE of column EMPLOYEE_NAME
     UPDATE of column EMPLOYEE_TERMINATION_DATE

PRIVILEGES GRANTED TO USER_C ON JEFF.EMPLOYEE
     INSERT
     INSERT of column EMPLOYEE_ID
     SELECT
     UPDATE
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.189.180.76