Re: granting privileges on other user

According to the Oracle SQL Reference:

"You must own the object or the owner of the object granted you the object privileges with the GRANT OPTION. This rule applies to users with the DBA role."

This applies to ANY other user. A DBA may have all of the "ANY TABLE" privileges, but still has no authority to grant object permissions to another user.

This can be accomplished by connecting as the object owner and issuing something like;

GRANT ALL PRIVILEGES ON <object> TO <user> WITH GRANT OPTION;

After this, the specified user may grant the specified privileges to other users (you may, of course, replace "ALL PRIVILEGES" with specific privileges to limit what access may be given to other users).

Note also that you can only grant this authority to a specific user -- not to a role or to PUBLIC.

Basically, the idea is that while a user cannot prevent a DBA (or a user with SELECT ANY TABLE role) from seeing the data in his/her tables (or a user with UPDATE ANY TABLE from changing it, etc.), (s)he still retains control over granting privileges to "ordinary mortals" unless (s)he specifically decides to allow another user to do so.

"Doug Cowles" <dcowles_at_i84.net> wrote in message news:38beb947.697559_at_news.remarq.com...
> Isn't it possible to grant privileges on someone else's table to yet
> another user as sys, or anyone as sysdba for that matter?
>
> Was trying to (paraphrased) - connect internal
> svmgrl> grant select on INV.SOMETABLE to VANUSER;
> and got
> .....insufficient privileges.....
>
> Must you be logged in as the owner of the object in order to grant
> something?
>
> Thanks,
> Dc.
>
>
Received on Thu Mar 02 2000 - 00:00:00 CST