truncate beware [message #10226] |
Fri, 09 January 2004 01:10 |
cormac
Messages: 25 Registered: November 2002
|
Junior Member |
|
|
Hi,
yesterday, I caused mayhem by accidentally truncating the wrong table. I know, a stupid mistake, but it happens!
I checked out the TOAD help and learnt that the truncate and drop buttons can be disabled by adding "ALLOW_DROP_TBL=0" to your TOAD.ini file. This is great as now developers must type in the SQL command 'truncate table_name;', making us slightly more aware of what we are doing.
My question is can I now create a user that does not have the power to truncate/drop tables. It would be very useful to have such users with only select/insert options.
cheers
Cormac
|
|
|
|
Re: truncate beware [message #10242 is a reply to message #10232] |
Sat, 10 January 2004 04:26 |
Thiru
Messages: 1089 Registered: May 2002
|
Senior Member |
|
|
Maaher,
there is no DROP privilege on a specific table. As long as you are the owner of the table,you will be able to drop it(or truncate it).
Revoking 'Drop any table' privilege also does not help if you are the owner of the table.
thiru@9.2.0:SQL>revoke drop any table from thiru;
Revoke succeeded.
thiru@9.2.0:SQL>show user
USER is "THIRU"
thiru@9.2.0:SQL>drop table t;
Table dropped.
thiru@9.2.0:SQL>truncate table t2;
Table truncated.
-- Also when a GRANT ALL has been made on your table to a different user, that user will be able to truncate your table,irrespective of whether he has 'drop any table' privilege or not.
thiru@9.2.0:SQL>grant all on t2 to scott;
Grant succeeded.
thiru@9.2.0:SQL>connect scott/tiger;
Connected.
thiru@9.2.0:SQL>truncate table thiru.t2;
Table truncated.
thiru@9.2.0:SQL>connect thiru/*****
Connected.
thiru@9.2.0:SQL>revoke drop any table from scott;
revoke drop any table from scott
*
ERROR at line 1:
ORA-01952: system privileges not granted to 'SCOTT'
-Thiru
|
|
|
Re: truncate beware [message #10243 is a reply to message #10226] |
Sat, 10 January 2004 04:38 |
Thiru
Messages: 1089 Registered: May 2002
|
Senior Member |
|
|
Hi,
you can do something like this, if you are the owner of the object and are concerned about accidentally truncating or dropping the table. You could create this trigger right after you create the user , in his schema. Once the trigger is disabled you can drop/truncate the table
thiru@9.2.0:SQL>create or replace trigger drop_trigger
2 Before drop or Truncate on Thiru.SCHEMA
3 Begin
4 Raise_Application_Error(num=>-20000,msg=>'Are you sure?');
5 end;
6 /
Trigger created.
thiru@9.2.0:SQL>show user
USER is "THIRU"
thiru@9.2.0:SQL>truncate table t2;
truncate table t2
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20000: Are you sure?
ORA-06512: at line 2
thiru@9.2.0:SQL>alter trigger drop_trigger disable;
Trigger altered.
thiru@9.2.0:SQL>truncate table t2;
Table truncated.
-Thiru
|
|
|
Re: truncate beware [message #10244 is a reply to message #10242] |
Sat, 10 January 2004 04:52 |
Thiru
Messages: 1089 Registered: May 2002
|
Senior Member |
|
|
Oops Oops!, Pls Ignore the 2nd part of the demo. Grant ALL, doesnt include 'truncate' privilege. Here, Scott was able to truncate Thiru.T2 becos of 'DBA' role granted to scott.
-Thiru
|
|
|
|
|
Re: truncate beware [message #10262 is a reply to message #10256] |
Sun, 11 January 2004 22:28 |
Thiru
Messages: 1089 Registered: May 2002
|
Senior Member |
|
|
I am sure :-) . Normally, DROP ANY TABLE privilege shouldnt and isnt granted to anyone,other than DBA role(if it is, its a bad idea). On many occasions the concern is the 'owner' accidentally dropping/truncating his own table.
Yes,DROP ANY TABLE includes truncate and there's no TRUNCATE ANY TABLE privilege.
-Thiru
|
|
|