On managing and configuring user roles and privileges

Roles are used very widely in real production environments, so what exactly is a role?

A role is a named set of privileges. It can be granted to users or to other roles, and it is used to control which objects a user can access and what it is allowed to do with them.

When creating a user, have you ever simply granted it the DBA role for convenience? That is a genuinely risky practice.

Consider two questions:

1. Which privileges do the CONNECT and RESOURCE roles contain?

2. How do you find out which roles a user has?

Which privileges do the CONNECT and RESOURCE roles contain?

You can query the DBA_SYS_PRIVS view.

As the output shows, granting the CONNECT and RESOURCE roles to a user is enough to meet the needs of an ordinary user.

It is therefore also easy to look up specific privileges by the PRIVILEGE column and grant the matching role to the user, keeping privileges under control.

++++++++

SQL> select * from dba_sys_privs where GRANTEE = 'DBA';

GRANTEE          PRIVILEGE    ADM
------------------------------ ---------------------------------------- ---
DBA          CHANGE NOTIFICATION   YES
DBA          ADMINISTER ANY SQL TUNING SET  YES
DBA          ALTER ANY SQL PROFILE   YES
DBA          CREATE RULE    YES
DBA          EXPORT FULL DATABASE   YES
DBA          EXECUTE ANY EVALUATION CONTEXT  YES
DBA          DEQUEUE ANY QUEUE   YES
DBA          DROP ANY INDEXTYPE   YES
DBA          ALTER ANY INDEXTYPE   YES
DBA          EXECUTE ANY LIBRARY   YES
DBA          CREATE ANY LIBRARY   YES
DBA          CREATE ANY DIRECTORY   YES
DBA          ALTER PROFILE    YES
DBA          EXECUTE ANY PROCEDURE   YES
DBA          CREATE ROLE    YES
DBA          SELECT ANY SEQUENCE   YES
DBA          DROP ANY INDEX    YES
DBA          UPDATE ANY TABLE    YES
DBA          INSERT ANY TABLE    YES
DBA          SELECT ANY TABLE    YES
DBA          DROP ROLLBACK SEGMENT   YES
DBA          BECOME USER    YES
DBA          DROP TABLESPACE    YES
DBA          ALTER SESSION    YES
DBA          CREATE SESSION    YES
DBA          ANALYZE ANY DICTIONARY   YES
DBA          ALTER ANY RULE SET   YES
DBA          CREATE RULE SET    YES
DBA          DEBUG ANY PROCEDURE   YES
DBA          CREATE DIMENSION    YES
DBA          ALTER ANY LIBRARY   YES
DBA          UNDER ANY TYPE    YES
DBA          DROP ANY MATERIALIZED VIEW  YES
DBA          DROP ANY TRIGGER    YES
DBA          ALTER ANY PROCEDURE   YES
DBA          FORCE ANY TRANSACTION   YES
DBA          ALTER DATABASE    YES
DBA          DELETE ANY TABLE    YES
DBA          ALTER ROLLBACK SEGMENT   YES
DBA          EXECUTE ANY PROGRAM   YES
DBA          EXECUTE ANY RULE    YES
DBA          IMPORT FULL DATABASE   YES
DBA          EXECUTE ANY RULE SET   YES
DBA          CREATE ANY RULE SET   YES
DBA          FLASHBACK ANY TABLE   YES
DBA          RESUMABLE    YES
DBA          ADMINISTER DATABASE TRIGGER  YES
DBA          CREATE ANY OUTLINE   YES
DBA          ALTER ANY DIMENSION   YES
DBA          CREATE ANY DIMENSION   YES
DBA          EXECUTE ANY OPERATOR   YES
DBA          CREATE TYPE    YES
DBA          CREATE TRIGGER    YES
DBA          GRANT ANY ROLE    YES
DBA          DROP ANY VIEW    YES
DBA          CREATE VIEW    YES
DBA          LOCK ANY TABLE    YES
DBA          ALTER USER    YES
DBA          CREATE USER    YES
DBA          ALTER TABLESPACE    YES
DBA          CREATE TABLESPACE   YES
DBA          RESTRICTED SESSION   YES
DBA          CREATE ANY JOB    YES
DBA          CREATE JOB    YES
DBA          CREATE ANY RULE    YES
DBA          DROP ANY EVALUATION CONTEXT  YES
DBA          CREATE ANY EVALUATION CONTEXT  YES
DBA          CREATE EVALUATION CONTEXT  YES
DBA          GRANT ANY OBJECT PRIVILEGE  YES
DBA          SELECT ANY DICTIONARY   YES
DBA          DROP ANY DIMENSION   YES
DBA          UNDER ANY TABLE    YES
DBA          CREATE INDEXTYPE    YES
DBA          CREATE ANY OPERATOR   YES
DBA          DROP ANY LIBRARY    YES
DBA          ANALYZE ANY    YES
DBA          ALTER ANY ROLE    YES
DBA          CREATE ANY SEQUENCE   YES
DBA          CREATE ANY INDEX    YES
DBA          CREATE ANY TABLE    YES
DBA          MANAGE FILE GROUP   YES
DBA          MANAGE SCHEDULER    YES
DBA          ADMINISTER RESOURCE MANAGER  YES
DBA          ALTER ANY OUTLINE   YES
DBA          DROP ANY CONTEXT    YES
DBA          EXECUTE ANY INDEXTYPE   YES
DBA          UNDER ANY VIEW    YES
DBA          DROP ANY TYPE    YES
DBA          ALTER ANY TYPE    YES
DBA          ALTER ANY MATERIALIZED VIEW  YES
DBA          CREATE PROFILE    YES
DBA          DROP PUBLIC DATABASE LINK  YES
DBA          ALTER ANY INDEX    YES
DBA          CREATE CLUSTER    YES
DBA          COMMENT ANY TABLE   YES
DBA          DROP ANY TABLE    YES
DBA          CREATE ROLLBACK SEGMENT   YES
DBA          AUDIT SYSTEM    YES
DBA          ALTER SYSTEM    YES
DBA          MANAGE ANY FILE GROUP   YES
DBA          EXECUTE ANY CLASS   YES
DBA          DROP ANY RULE SET   YES
DBA          DEBUG CONNECT SESSION   YES
DBA          ON COMMIT REFRESH   YES
DBA          ENQUEUE ANY QUEUE   YES
DBA          CREATE ANY INDEXTYPE   YES
DBA          CREATE ANY TYPE    YES
DBA          DROP ANY DIRECTORY   YES
DBA          ALTER RESOURCE COST   YES
DBA          CREATE ANY PROCEDURE   YES
DBA          CREATE PROCEDURE    YES
DBA          FORCE TRANSACTION   YES
DBA          ALTER ANY SEQUENCE   YES
DBA          CREATE SEQUENCE    YES
DBA          CREATE ANY VIEW    YES
DBA          DROP PUBLIC SYNONYM   YES
DBA          DROP ANY SYNONYM    YES
DBA          CREATE ANY CLUSTER   YES
DBA          BACKUP ANY TABLE    YES
DBA          CREATE TABLE    YES
DBA          ADMINISTER SQL TUNING SET  YES
DBA          MERGE ANY VIEW    YES
DBA          DROP ANY OUTLINE    YES
DBA          CREATE OPERATOR    YES
DBA          CREATE LIBRARY    YES
DBA          GRANT ANY PRIVILEGE   YES
DBA          DROP PROFILE    YES
DBA          ALTER ANY TRIGGER   YES
DBA          CREATE ANY TRIGGER   YES
DBA          DROP ANY PROCEDURE   YES
DBA          AUDIT ANY    YES
DBA          DROP ANY ROLE    YES
DBA          DROP ANY SEQUENCE   YES
DBA          CREATE PUBLIC SYNONYM   YES
DBA          CREATE SYNONYM    YES
DBA          DROP ANY CLUSTER    YES
DBA          ALTER ANY TABLE    YES
DBA          CREATE EXTERNAL JOB   YES
DBA          READ ANY FILE GROUP   YES
DBA          CREATE ANY SQL PROFILE   YES
DBA          DROP ANY SQL PROFILE   YES
DBA          SELECT ANY TRANSACTION   YES
DBA          ADVISOR     YES
DBA          DROP ANY RULE    YES
DBA          ALTER ANY RULE    YES
DBA          ALTER ANY EVALUATION CONTEXT  YES
DBA          CREATE ANY CONTEXT   YES
DBA          MANAGE ANY QUEUE    YES
DBA          GLOBAL QUERY REWRITE   YES
DBA          QUERY REWRITE    YES
DBA          DROP ANY OPERATOR   YES
DBA          EXECUTE ANY TYPE    YES
DBA          CREATE ANY MATERIALIZED VIEW  YES
DBA          CREATE MATERIALIZED VIEW   YES
DBA          CREATE PUBLIC DATABASE LINK  YES
DBA          CREATE DATABASE LINK   YES
DBA          CREATE ANY SYNONYM   YES
DBA          ALTER ANY CLUSTER   YES
DBA          DROP USER    YES
DBA          MANAGE TABLESPACE   YES

160 rows selected.

+++++

This is enough to show how powerful the DBA role is, so do not casually grant the DBA role to any user other than an administrator.

How do you find out which roles a user has?

You can query the DBA_ROLE_PRIVS view.

SQL> create user t1 account unlock identified by t1;

User created.

SQL> create user t2 account unlock identified by t2;

User created.

SQL> grant connect,resource to t2;

Grant succeeded.

SQL> grant dba to t1;

Grant succeeded.
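The following is an added example, not part of the original post, that answers the second question for the users T1 and T2 just created: it reads DBA_ROLE_PRIVS for the roles granted to each user, walks nested roles, and lists the effective system privileges a user ends up with. It assumes a session that can read the DBA_* views.

```sql
-- Added example, not from the original post: answering "which roles does a user have?"
-- with DBA_ROLE_PRIVS, then expanding nested roles and the system privileges they carry.
-- Assumes the users T1 and T2 created above and a session that can read the DBA_* views.

-- 1. Roles granted directly to T1 and T2.
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE grantee IN ('T1', 'T2')
 ORDER BY grantee, granted_role;

-- 2. Walk the role hierarchy: DBA_ROLE_PRIVS also lists roles granted to roles,
--    so CONNECT BY expands DBA into the roles nested inside it. NOCYCLE guards
--    against a role that (indirectly) contains itself.
SELECT LEVEL AS depth, grantee, granted_role
  FROM dba_role_privs
 START WITH grantee = 'T1'
 CONNECT BY NOCYCLE PRIOR granted_role = grantee
 ORDER SIBLINGS BY granted_role;

-- 3. Effective system privileges of T2: direct grants plus everything carried by
--    its roles at any nesting depth. Run with 'T1' instead to see what DBA brings.
SELECT sp.privilege, sp.grantee AS granted_via
  FROM dba_sys_privs sp
 WHERE sp.grantee = 'T2'
    OR sp.grantee IN (SELECT granted_role
                        FROM dba_role_privs
                       START WITH grantee = 'T2'
                     CONNECT BY NOCYCLE PRIOR granted_role = grantee)
 ORDER BY sp.privilege;

-- 4. Periodic check: every account that holds DBA. This should be a short,
--    known list of administrators; anything else is a finding.
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;
```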

The following simple example shows privilege control in action:

User T1 holds the DBA role and user T2 only the basic roles; we now give T2 read-only access to all of T1's tables:

SQL> connect t1/t1
Connected.
SQL> create table t1(id number);

Table created.

SQL> grant SELECT ANY table to t2;

Grant succeeded.

SQL> connect t2/t2
Connected.
SQL> select * from t1.t1;

no rows selected

SQL> drop table t1.t1;
drop table t1.t1
              *
ERROR at line 1:
ORA-01031: insufficient privileges

SQL> delete from t1.t1;
delete from t1.t1
               *
ERROR at line 1:
ORA-01031: insufficient privileges

 

If there are other privileges you want to set up, you can map them to grants using the DBA_SYS_PRIVS.PRIVILEGE column.

 

So if you are worried that a production user's tables, stored procedures or sequences might be maliciously modified by other users, you can create a separate query user, grant it read-only privileges on the production user's tables, stored procedures and sequences, and route all queries through that user. This greatly reduces the risk to production.
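The following is an added example, not part of the original post, that reaches the same read-only goal as the T1/T2 demonstration and the separate query user described above, but scoped to the T1 schema. SELECT ANY TABLE is a system privilege: it lets T2 read tables in every schema of the database (SYS-owned objects aside), not only T1's, so object-level grants are the tighter fit. It assumes users T1 and T2 exist as created above and is run as a DBA user; the procedure name in step 3 is a placeholder.

```sql
-- Added example, not from the original post: read-only access scoped to the T1 schema
-- with object privileges instead of the database-wide SELECT ANY TABLE.
-- Assumes users T1 and T2 exist as created above; run as a DBA user.

-- 1. Take back the system privilege that reaches every schema.
REVOKE SELECT ANY TABLE FROM t2;

-- 2. Grant SELECT on each table, view and sequence owned by T1 (and nothing else).
--    Recycle-bin objects (BIN$...) are skipped. On 12.1.0.2 and later, READ can be
--    used instead of SELECT so the grantee cannot lock rows with SELECT ... FOR UPDATE.
--    Object grants do not cover objects created later, so re-run this after T1 adds any.
BEGIN
  FOR o IN (SELECT object_name
              FROM dba_objects
             WHERE owner = 'T1'
               AND object_type IN ('TABLE', 'VIEW', 'SEQUENCE')
               AND object_name NOT LIKE 'BIN$%')
  LOOP
    EXECUTE IMMEDIATE 'GRANT SELECT ON t1."' || o.object_name || '" TO t2';
  END LOOP;
END;
/

-- 3. Stored procedures have a single object privilege, EXECUTE, which runs whatever
--    the procedure does (writes included), so grant it per unit and deliberately:
-- GRANT EXECUTE ON t1.some_procedure TO t2;   -- placeholder name, not from the post

-- 4. Verify: what T2 can reach in T1, and that no "ANY" system privilege remains.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'T2' AND owner = 'T1'
 ORDER BY table_name;

SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'T2' AND privilege LIKE '%ANY%';   -- expected: no rows selected
```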

 

-------------------------------------------------------------------------------------------------

This article comes from my technical blog http://blog.csdn.net/robo23

If you repost it, please credit the original link; otherwise legal action will be taken!
