
Re: Rights

From: Pete Finnigan <pete_at_petefinnigan.com>
Date: Fri, 29 Aug 2003 15:31:59 +0100
Message-ID: <NRh$uMBfP2T$EwdG@peterfinnigan.demon.co.uk>


Hi

You can use a script I created called find_all_privs.sql (it is available from my site http://www.petefinnigan.com on the tools page) to see all privileges granted to a user including those granted via a role. The output is hierarchical. An example is as follows for the user DBSNMP:

NAME OF USER TO CHECK [ORCL]: DBSNMP
OUTPUT METHOD [S/F]: S
FILE NAME FOR OUTPUT [priv.lst]:
OUTPUT DIRECTORY [/tmp]:

old 162:        lv_file_or_screen:='&&output_method';
new 162:        lv_file_or_screen:='S';
old 164:                open_file('&&file_name','&&output_dir');
new 164:                open_file('priv.lst','/tmp');
old 166:        get_privs('&&user_to_find',lv_tabs);
new 166:        get_privs('DBSNMP',lv_tabs);

...USER => DBSNMP has ROLE CONNECT which contains =>
......SYS PRIV =>ALTER SESSION grantable => NO
......SYS PRIV =>CREATE CLUSTER grantable => NO
......SYS PRIV =>CREATE DATABASE LINK grantable => NO
......SYS PRIV =>CREATE SEQUENCE grantable => NO
......SYS PRIV =>CREATE SESSION grantable => NO
......SYS PRIV =>CREATE SYNONYM grantable => NO
......SYS PRIV =>CREATE TABLE grantable => NO
......SYS PRIV =>CREATE VIEW grantable => NO
...SYS PRIV =>CREATE USER grantable => NO
...SYS PRIV =>SELECT ANY DICTIONARY grantable => NO

PL/SQL procedure successfully completed.

SQL>

To do it as the connected user, use the USER_% views, such as user_sys_privs, user_role_privs and user_tab_privs etc.

The privilege needed to create a user is "create user".

hth

kind regards

Pete

-- 
Pete Finnigan
email:pete_at_petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Received on Fri Aug 29 2003 - 09:31:59 CDT
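
For a quick audit without the script, the same hierarchy can be walked with one dictionary query. This is an added example, not part of the original post and not the find_all_privs.sql script itself; it assumes SELECT access to the DBA_% views and hard-codes the grantee DBSNMP to match the sample run above.

```sql
-- Added example: list privileges a user holds directly and through roles.
-- Assumptions: the session can read DBA_ROLE_PRIVS, DBA_SYS_PRIVS and
-- DBA_TAB_PRIVS; the grantee name DBSNMP is taken from the post's sample.
WITH grantees AS (
  -- depth 0 is the user itself
  SELECT 'DBSNMP' AS grantee, 0 AS depth
  FROM   dual
  UNION
  -- depth 1..n are roles reached by following role-to-role grants
  SELECT granted_role, LEVEL
  FROM   dba_role_privs
  START WITH grantee = 'DBSNMP'
  CONNECT BY PRIOR granted_role = grantee
)
-- system privileges held by the user or by any reachable role
SELECT g.depth,
       g.grantee      AS held_via,
       'SYS PRIV'     AS kind,
       s.privilege    AS privilege,
       s.admin_option AS grantable
FROM   grantees g
JOIN   dba_sys_privs s ON s.grantee = g.grantee
UNION ALL
-- object privileges held by the user or by any reachable role
SELECT g.depth,
       g.grantee,
       'TABLE PRIV',
       t.privilege || ' ON ' || t.owner || '.' || t.table_name,
       t.grantable
FROM   grantees g
JOIN   dba_tab_privs t ON t.grantee = g.grantee
ORDER BY 1, 2, 3, 4;
```

Rows at depth 0 are direct grants; higher depths show which role carries the privilege. Grants made to PUBLIC are not included, so review those separately when auditing what an account can really do.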
