
Oracle DBA Course Series Notes (18)

2012-02-28 15:26
Chapter 18: ROLE Management

1. Purpose of a role: to simplify user privilege management. A role is a named bundle of system privileges, object privileges and other roles that is granted and revoked as one unit, so a privilege change is made once on the role instead of once per user.

2. View the roles that ship with the database:

09:05:09 SQL> select * from dba_roles;

ROLE                           PASSWORD
------------------------------ --------
CONNECT                        NO
RESOURCE                       NO
DBA                            NO
SELECT_CATALOG_ROLE            NO
EXECUTE_CATALOG_ROLE           NO
DELETE_CATALOG_ROLE            NO
EXP_FULL_DATABASE              NO
IMP_FULL_DATABASE              NO
RECOVERY_CATALOG_OWNER         NO
GATHER_SYSTEM_STATISTICS       NO
LOGSTDBY_ADMINISTRATOR         NO
AQ_ADMINISTRATOR_ROLE          NO
AQ_USER_ROLE                   NO
GLOBAL_AQ_USER_ROLE            GLOBAL
SCHEDULER_ADMIN                NO
HS_ADMIN_ROLE                  NO
AUTHENTICATEDUSER              NO
OEM_ADVISOR                    NO
OEM_MONITOR                    NO
WM_ADMIN_ROLE                  NO
JAVAUSERPRIV                   NO
JAVAIDPRIV                     NO
JAVASYSPRIV                    NO
JAVADEBUGPRIV                  NO
EJBCLIENT                      NO
JAVA_ADMIN                     NO
JAVA_DEPLOY                    NO
CTXAPP                         NO
XDBADMIN                       NO
XDBWEBSERVICES                 NO
OLAP_DBA                       NO
OLAP_USER                      NO
MGMT_USER                      NO
PLUSTRACE                      NO

34 rows selected.

----- The PASSWORD column (PASSWORD_REQUIRED) tells how a role is authorized: NO means it can be enabled without a password, YES means SET ROLE must supply one, GLOBAL means the role is authorized by an enterprise directory, EXTERNAL by the operating system.

09:05:16 SQL>

3. Create roles

09:05:16 SQL> create role pub_role;

Role created.

09:06:19 SQL> create role prv_role identified by oracle;

Role created.

----- pub_role can be enabled by anyone who holds it; prv_role is password-protected, so a session must supply the password to SET ROLE to enable it (shown in section 6).

09:06:32 SQL>

4. Grant privileges to roles (system privileges and object privileges alike)

09:06:32 SQL> grant create session ,create table to pub_role;

Grant succeeded.

09:08:01 SQL> grant select on scott.emp to prv_role;

Grant succeeded.

09:08:12 SQL>

5. View the privileges a role holds

----- SYSTEM PRIVILEGES (ROLE_SYS_PRIVS)

09:08:36 SQL> select * from role_sys_privs
09:08:55   2  where role='&name';
Enter value for name: DBA
old   2: where role='&name'
new   2: where role='DBA'

ROLE                           PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
DBA                            CREATE SESSION                           YES
DBA                            ALTER SESSION                            YES
DBA                            DROP TABLESPACE                          YES
DBA                            BECOME USER                              YES
DBA                            DROP ROLLBACK SEGMENT                    YES
DBA                            SELECT ANY TABLE                         YES
DBA                            INSERT ANY TABLE                         YES
DBA                            UPDATE ANY TABLE                         YES
...............
DBA                            READ ANY FILE GROUP                      YES
DBA                            CREATE EXTERNAL JOB                      YES

160 rows selected.

----- ADM is ADMIN_OPTION: YES means anyone holding DBA may grant that privilege onward to other users and roles.

09:09:10 SQL>

  1  select * from role_sys_privs
  2* where role='&name'
Enter value for name: CONNECT
old   2: where role='&name'
new   2: where role='CONNECT'

ROLE                           PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
CONNECT                        CREATE SESSION                           NO

09:11:01 SQL>

  1  select * from role_sys_privs
  2* where role='&name'
Enter value for name: RESOURCE
old   2: where role='&name'
new   2: where role='RESOURCE'

ROLE                           PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
RESOURCE                       CREATE SEQUENCE                          NO
RESOURCE                       CREATE TRIGGER                           NO
RESOURCE                       CREATE CLUSTER                           NO
RESOURCE                       CREATE PROCEDURE                         NO
RESOURCE                       CREATE TYPE                              NO
RESOURCE                       CREATE OPERATOR                          NO
RESOURCE                       CREATE TABLE                             NO
RESOURCE                       CREATE INDEXTYPE                         NO

8 rows selected.

---------------- Besides the eight privileges listed, granting RESOURCE to a user also grants that user UNLIMITED TABLESPACE, which does not show up under the role here because it is granted to the user directly. The user can then consume space in any tablespace regardless of quota, and since the privilege sits on the user rather than on the role, revoking RESOURCE does not remove it; it has to be revoked separately. (This behaviour belongs to the release used in these notes; Oracle 12c stopped bundling UNLIMITED TABLESPACE with RESOURCE.)

09:11:20 SQL>

  1  select * from role_sys_privs
  2* where role='&name'
Enter value for name: PUB_ROLE
old   2: where role='&name'
new   2: where role='PUB_ROLE'

ROLE                           PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
PUB_ROLE                       CREATE TABLE                             NO
PUB_ROLE                       CREATE SESSION                           NO

----- OBJECT PRIVILEGES (ROLE_TAB_PRIVS)

09:14:31 SQL> COL PRIVILEGE FOR A20
09:14:41 SQL>
  1  select role,owner ,table_name,column_name,privilege from role_tab_privs
  2* where role='&name'
Enter value for name: PRV_ROLE
old   2: where role='&name'
new   2: where role='PRV_ROLE'

ROLE       OWNER      TABLE_NAME                     COLUMN_NAME                    PRIVILEGE
---------- ---------- ------------------------------ ------------------------------ --------------------
PRV_ROLE   SCOTT      EMP                                                           SELECT

09:14:45 SQL>
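The queries above inspect one role at a time. Roles can be granted to other roles, so a real privilege audit has to follow the chain down to the user. The following is an added example, not from the original notes: it lists, for one user, every role reached through nested grants and the system and object privileges that arrive through them, including direct grants and grants to PUBLIC (which apply to everyone). It assumes a session with access to the DBA_* views; TOM, PUB_ROLE and PRV_ROLE are the names used in these notes (TOM is created in the next section), and the SQL*Plus variable `who` is a placeholder of this example.

```sql
-- Added example, not from the original notes: audit the privileges a user
-- receives through nested roles. Needs the DBA_* views (run as SYS or a DBA).
-- TOM, PUB_ROLE and PRV_ROLE are the names used in these notes; "who" is a
-- placeholder substitution variable.
DEFINE who = 'TOM'

-- 1. Every role held by &who, directly or through another role, with the
--    grant path and whether it is a default role (enabled at logon).
--    The walk always terminates because Oracle rejects circular role grants.
SELECT LEVEL                                     AS depth,
       SYS_CONNECT_BY_PATH(granted_role, ' -> ') AS grant_path,
       granted_role,
       default_role
  FROM dba_role_privs
 START WITH grantee IN ('&who', 'PUBLIC')
 CONNECT BY PRIOR granted_role = grantee;

-- 2. System privileges reachable through those roles, plus direct grants
--    (a direct UNLIMITED TABLESPACE left behind by RESOURCE shows up here).
--    ADMIN_OPTION = YES means the holder can pass the privilege on.
SELECT p.privilege, p.admin_option, p.grantee AS source
  FROM dba_sys_privs p
 WHERE p.grantee IN ('&who', 'PUBLIC')
    OR p.grantee IN (SELECT granted_role
                       FROM dba_role_privs
                      START WITH grantee IN ('&who', 'PUBLIC')
                      CONNECT BY PRIOR granted_role = grantee)
 ORDER BY p.privilege;

-- 3. Object privileges reachable the same way: what the notes checked with
--    ROLE_TAB_PRIVS, but resolved all the way down to the user.
SELECT t.owner, t.table_name, t.privilege, t.grantable, t.grantee AS source
  FROM dba_tab_privs t
 WHERE t.grantee IN ('&who', 'PUBLIC')
    OR t.grantee IN (SELECT granted_role
                       FROM dba_role_privs
                      START WITH grantee IN ('&who', 'PUBLIC')
                      CONNECT BY PRIOR granted_role = grantee)
 ORDER BY t.owner, t.table_name, t.privilege;

UNDEFINE who
```

The SOURCE column is the thing to read: a privilege whose source is a role disappears when the role is revoked or made non-default, while one whose source is the user name itself has to be revoked explicitly. Query 1's DEFAULT_ROLE column is the static setting only; what a given session has actually enabled is in SESSION_ROLES.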

6. Grant roles to users

---------- Default role: when the user opens a session, the privileges of the user's default roles take effect immediately. Unless specified otherwise, every role granted to a user is a default role of that user.

09:16:32 SQL> create user tom identified by tom;

User created.

09:16:36 SQL> create user rose identified by rose;

User created.

09:22:37 SQL> alter user tom quota 10m on users;

User altered.

09:22:44 SQL> alter user rose quota 10m on users;

User altered.

09:16:43 SQL> grant pub_role,prv_role to tom,rose;

Grant succeeded.

---------- Adding WITH ADMIN OPTION to this grant would let the grantee grant (and revoke) the role to other users and roles.

------- A role can be granted to users and to other roles, but not to itself, and circular grants (a role that indirectly contains itself) are rejected.

09:20:19 SQL> conn tom/tom

Connected.

09:21:12 SQL> select USERNAME,DEFAULT_ROLE from user_role_privs;

USERNAME                       DEF
------------------------------ ---
PUBLIC                         YES
TOM                            YES
TOM                            YES

09:21:31 SQL> select USERNAME, GRANTED_ROLE,DEFAULT_ROLE from user_role_privs;

USERNAME                       GRANTED_ROLE                   DEF
------------------------------ ------------------------------ ---
PUBLIC                         PLUSTRACE                      YES
TOM                            PRV_ROLE                       YES
TOM                            PUB_ROLE                       YES

------------- By default both pub_role and prv_role are default roles of tom, so both are enabled at logon. Note that this includes the password-protected prv_role: as a default role it is enabled without anyone supplying its password, so the password only becomes meaningful once the role is made non-default (shown below). The PUBLIC row is PLUSTRACE, which every user holds through PUBLIC.

09:21:51 SQL> select * from scott.emp;

     EMPNO ENAME      JOB              MGR HIREDATE         SAL       COMM     DEPTNO
---------- ---------- --------- ---------- --------- ---------- ---------- ----------
      7369 SMITH      CLERK           7902 17-DEC-80        800                    20
      7499 ALLEN      SALESMAN        7698 20-FEB-81       1600        300         30
      7521 WARD       SALESMAN        7698 22-FEB-81       1250        500         30
      7566 JONES      MANAGER         7839 02-APR-81       2975                    20
      7654 MARTIN     SALESMAN        7698 28-SEP-81       1250       1400         30
      7698 BLAKE      MANAGER         7839 01-MAY-81       2850                    30
      7782 CLARK      MANAGER         7839 09-JUN-81       2450                    10
      7788 SCOTT      ANALYST         7566 19-APR-87       3000        100         40
      7839 KING       PRESIDENT            17-NOV-81       5000                    10
      7844 TURNER     SALESMAN        7698 08-SEP-81       1500          0         30
      7876 ADAMS      CLERK           7788 23-MAY-87       1100                    20
      7900 JAMES      CLERK           7698 03-DEC-81        950                    30
      7902 FORD       ANALYST         7566 03-DEC-81       3000                    20
      7934 MILLER     CLERK           7782 23-JAN-82       1300                    10

14 rows selected.

---------- tom inherits the object privilege (SELECT on scott.emp) through prv_role.

09:22:14 SQL>
09:23:19 SQL> create table emp as select * from scott.emp;

Table created.

----- tom inherits the system privilege (CREATE TABLE) through pub_role; the 10m quota on USERS granted above is what lets the new table take space.

09:23:27 SQL>

------------ Explicitly set the default roles (a non-default role gives the user nothing until it is enabled in the session). ALTER USER ... DEFAULT ROLE requires the ALTER USER system privilege, so the next statement is run from the DBA session, not as tom; the list given replaces the user's previous default-role set, which is why prv_role becomes non-default.

09:38:15 SQL> alter user tom default role pub_role;

User altered.

09:38:27 SQL> conn tom/tom

Connected.

09:38:32 SQL>

09:38:32 SQL> desc user_role_privs
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 USERNAME                                           VARCHAR2(30)
 GRANTED_ROLE                                       VARCHAR2(30)
 ADMIN_OPTION                                       VARCHAR2(3)
 DEFAULT_ROLE                                       VARCHAR2(3)
 OS_GRANTED                                         VARCHAR2(3)

09:38:36 SQL> select username,GRANTED_ROLE,DEFAULT_ROLE from user_role_privs;

USERNAME                       GRANTED_ROLE                   DEF
------------------------------ ------------------------------ ---
PUBLIC                         PLUSTRACE                      YES
TOM                            PRV_ROLE                       NO
TOM                            PUB_ROLE                       YES

09:38:49 SQL> select * from scott.emp;
select * from scott.emp
              *
ERROR at line 1:
ORA-00942: table or view does not exist

--------- Because prv_role is no longer a default role, tom's new session does not hold its privileges. Note the error text: Oracle reports ORA-00942 (object does not exist) rather than a privilege error, so a user without access cannot even confirm that scott.emp exists.

09:39:29 SQL> create table t1 (id int);

Table created.

09:39:52 SQL> set role prv_role;
set role prv_role
*
ERROR at line 1:
ORA-01979: missing or invalid password for role 'PRV_ROLE'

09:40:02 SQL> set role prv_role identified by oracle;

Role set.

-------- To enable a non-default role that has a password, the password must be supplied to SET ROLE. Two things to keep in mind: SET ROLE enables exactly the roles listed and disables every other role, so this statement also switched off pub_role for the rest of the session (SET ROLE pub_role, prv_role IDENTIFIED BY oracle keeps both); and the password is sent as part of the SQL text, where SQL tracing or statement auditing can capture it.

09:40:12 SQL> select username,GRANTED_ROLE,DEFAULT_ROLE from user_role_privs;

USERNAME                       GRANTED_ROLE                   DEF
------------------------------ ------------------------------ ---
PUBLIC                         PLUSTRACE                      YES
TOM                            PRV_ROLE                       NO
TOM                            PUB_ROLE                       YES

-------- DEFAULT_ROLE still shows NO: the column records the static default setting, not what the session has enabled. Query SESSION_ROLES to see the roles currently enabled.

09:40:17 SQL> select * from scott.emp;

     EMPNO ENAME      JOB              MGR HIREDATE         SAL       COMM     DEPTNO
---------- ---------- --------- ---------- --------- ---------- ---------- ----------
      7369 SMITH      CLERK           7902 17-DEC-80        800                    20
      7499 ALLEN      SALESMAN        7698 20-FEB-81       1600        300         30
      7521 WARD       SALESMAN        7698 22-FEB-81       1250        500         30
      7566 JONES      MANAGER         7839 02-APR-81       2975                    20
      7654 MARTIN     SALESMAN        7698 28-SEP-81       1250       1400         30
      7698 BLAKE      MANAGER         7839 01-MAY-81       2850                    30
      7782 CLARK      MANAGER         7839 09-JUN-81       2450                    10
      7788 SCOTT      ANALYST         7566 19-APR-87       3000        100         40
      7839 KING       PRESIDENT            17-NOV-81       5000                    10
      7844 TURNER     SALESMAN        7698 08-SEP-81       1500          0         30
      7876 ADAMS      CLERK           7788 23-MAY-87       1100                    20
      7900 JAMES      CLERK           7698 03-DEC-81        950                    30
      7902 FORD       ANALYST         7566 03-DEC-81       3000                    20
      7934 MILLER     CLERK           7782 23-JAN-82       1300                    10

14 rows selected.

09:40:21 SQL>

----- Once the non-default role is enabled, the user holds its privileges for the rest of the session, or until the next SET ROLE changes the enabled set.
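The transcript shows PRV_ROLE being enabled but not the side effect that bites in practice: SET ROLE replaces the session's whole set of enabled roles, and USER_ROLE_PRIVS does not say what is enabled. The following is an added example, not from the original notes; it assumes TOM's grants exactly as set up above (PUB_ROLE as default role, PRV_ROLE non-default with password oracle, a quota on USERS), and the table name T2 is a placeholder of this example.

```sql
-- Added example, not part of the original notes: what SET ROLE does to the
-- session's enabled role set. Assumes TOM as configured above; T2 is a
-- placeholder table name.
CONN tom/tom

-- The roles enabled right now come from SESSION_ROLES;
-- USER_ROLE_PRIVS.DEFAULT_ROLE only records the static default setting.
SELECT role FROM session_roles;

-- SET ROLE replaces the entire enabled set. Naming only PRV_ROLE enables it
-- and, as a side effect, disables PUB_ROLE and every other role the session had.
SET ROLE prv_role IDENTIFIED BY oracle;
SELECT role FROM session_roles;
SELECT COUNT(*) FROM scott.emp;    -- SELECT on scott.emp comes from PRV_ROLE
CREATE TABLE t2 (id INT);          -- CREATE TABLE came from PUB_ROLE, which the
                                   -- SET ROLE above disabled: ORA-01031

-- Keep the default privileges by enabling both roles in one statement.
SET ROLE pub_role, prv_role IDENTIFIED BY oracle;
SELECT role FROM session_roles;
CREATE TABLE t2 (id INT);

-- SET ROLE ALL cannot enable a password-protected role granted directly to the
-- user, so a password role has to be excluded explicitly.
SET ROLE ALL EXCEPT prv_role;

-- Disabling every role is a single statement; the existing session stays open
-- even though CREATE SESSION itself reaches TOM only through PUB_ROLE.
SET ROLE NONE;
SELECT role FROM session_roles;

DROP TABLE t2 PURGE;
```

Because the password is part of the SET ROLE statement text, anything that records SQL text (tracing, statement auditing, shared-pool views) can expose it; treat a role password as a weak control and keep password-protected roles non-default so that logon never enables them silently.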

7. Revoke roles

09:46:28 SQL> revoke pub_role ,prv_role from tom,rose;

Revoke succeeded.

8. Drop roles (dropping a role also revokes it from every user and role that held it, and sessions that had it enabled lose its privileges)

09:46:40 SQL> drop role pub_role;

Role dropped.

09:46:44 SQL> drop role prv_role;

Role dropped.

09:46:48 SQL>
This post comes from the blog "天涯客的blog"; please keep this attribution: http://tiany.blog.51cto.com/513694/791813