Re: HELP with grants

In article <gU9q2.848$A03.1662_at_news7.ispnews.com>, Van Messner vmessner_at_netaxis.com says...

> I started this week at a company with six decent sized databases. Most
> of the objects in each have one owner - but there is some variation. The
> password is known for only one of the owners. I have been told that some
> older applications have the passwords coded and encrypted so I can't change
> the passwords of any of the object owners in the databases.
> I have access to SYS and to a fully privileged DBA user Tom who has a
> complete set of system privileges including GRANT ANY PRIVILEGE, INSERT ANY
> TABLE etc. All have the WITH ADMIN OPTION.
> When a user who is not the owner wants to get object rights to some
> object neither SYS nor Tom can grant them. Insufficient privileges says
> Oracle.
>

I have the same problems as you. I think it works this way:

Only the databaser owner can grant object rights. This means that pyu can't login as sys and grant object rights to other users and must login as the database owner.

One thing you can do is to login as the database owner and grant the rights to sys or any other user with the GRANT OPTION. After doing that SYS can grant object rights to other users. You can only do this to a user and not a role (which I hoped then I could grant to the DBA role or some other role to let several users grant rights.)

I don't understand the logic why it is this way. If a DBA can grant all other priviliges why not object rights. I could understand if you don't want the DBA to be able to have any rights to tables (for example hiding sensitive data from the DBA) but since the DBA already has complete rights to select/insert etc in all tables and schemas I find this very strange.

Magnus Received on Tue Jan 26 1999 - 18:01:21 CST