查询用户所拥有的权限(待补充)
本帖最后由 kevin.zhang 于 2010-12-16 11:30 编辑有人问,我的用户A明明查不到具有某个权限,为什么能进行一些‘越权’的操作呢?
下面我们以用户CATALOGADMIN为例查询其所有的权限:
1.查询系统权限:
duck_11 > selectGRANTEE,PRIVILEGE from dba_sys_privs where GRANTEE='CATALOGADMIN';
GRANTEE PRIVILEGE
------------------------------ ----------------------------------------
CATALOGADMIN UNLIMITED TABLESPACE
2.查询对象权限:
duck_11 >selectGRANTEE,PRIVILEGE from dba_tab_privs where GRANTEE='CATALOGADMIN';
no rows selected
3.用户CATALOGADMIN通过角色拥有的权限是不会显示在上面2个查询中的,所以继续查询用户CATALOGADMIN被赋予的角色:
duck_11 > select GRANTEE,GRANTED_ROLE from dba_role_privs where grantee='CATALOGADMIN';
GRANTEE GRANTED_ROLE
------------------------------ ------------------------------
CATALOGADMIN ZYF
CATALOGADMIN RECOVERY_CATALOG_OWNER
CATALOGADMIN RESOURCE
CATALOGADMIN CONNECT
4.进一步查询角色所拥有的系统和对象权限,如ZYF:
duck_11 > select ROLE,PRIVILEGE From role_sys_privs where role='ZYF';
ROLE PRIVILEGE
------------------------------ ----------------------------------------
ZYF CREATE ANY TABLE
duck_11 > select ROLE,OWNER,TABLE_NAME,PRIVILEGE From role_tab_privs where role='ZYF';
ROLE OWNER TABLE_NAME PRIVILEGE
------------------------------ ---------- ------------------------------ ----------------------------------------
ZYF SYS DBA_USERS SELECT
5.注意,角色也是可以赋予角色的,而角色ZYF通过被赋予其它角色而获得的权限同样不会在第4步中显示出来,所以继续查询角色ZYF可能拥有的角色:
duck_11 > select * from role_role_privs where role='ZYF';
ROLE GRANTED_ROLE ADM
------------------------------ ------------------------------ ---
ZYF EXP_FULL_DATABASE NO
6.重复第3至第5步,直到所有嵌套的角色都被查询过。
如果只是要查询当前用户所拥有的权限,则比较简单。如以CATALOGADMIN登陆oracle,然后查询session_privs视图即可:
oracle $ sqlplus catalogadmin/oracle
SQL*Plus: Release 11.2.0.1.0 Production on Wed Dec 15 21:15:03 2010
Copyright (c) 1982, 2009, Oracle.All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
duck_11 > Select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
ALTER SESSION
UNLIMITED TABLESPACE
CREATE TABLE
CREATE ANY TABLE
BACKUP ANY TABLE
SELECT ANY TABLE
CREATE CLUSTER
CREATE SYNONYM
CREATE VIEW
CREATE SEQUENCE
PRIVILEGE
----------------------------------------
SELECT ANY SEQUENCE
CREATE DATABASE LINK
CREATE PROCEDURE
EXECUTE ANY PROCEDURE
CREATE TRIGGER
CREATE TYPE
EXECUTE ANY TYPE
CREATE OPERATOR
CREATE INDEXTYPE
ADMINISTER RESOURCE MANAGER
RESUMABLE
PRIVILEGE
----------------------------------------
READ ANY FILE GROUP
ADMINISTER SQL MANAGEMENT OBJECT
24 rows selected.
查询出来的结果包括了当前用户所有的系统权限,也包含了通过嵌套的角色获得的系统权限。
这个有点意思 呵呵 复习一下了 谢了
页:
[1]