| Revoke fails even with SYS [message #456413] |
Mon, 17 May 2010 16:02  |
Amine
Messages: 376
Registered: March 2010
|
Senior Member |
|
|
Hi All,
I want to revoke some privileges (given from user, say A, on table TABLE to user B) with SYS, and i've got an error : It says that I can't revoke a privilege that I didn't give.
In DBA_TAB_PRIVS, there's no information about that : I can't know who gives the privilege (when I try to perform the REVOKE statment with OWNER, GRANTOR, I've got the same error).
How I have to do ?
Amine
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Re: Revoke fails even with SYS [message #456426 is a reply to message #456422] |
Mon, 17 May 2010 17:04  |
JRowbottom
Messages: 5933
Registered: June 2006
Location: Sunny North Yorkshire, ho...
|
Senior Member |
|
|
@Blackswan and I don't always see eye to eye on posting style, but I'm with them on this one.
It is really really difficult to provide useful help in the absence of information.
I know the posting guidelines seem onerous, but posters that follow them do get a better class of answer, simply because we have the information that we need to provide the answer.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Re: Revoke fails even with SYS [message #456615 is a reply to message #456598] |
Tue, 18 May 2010 16:43 |
Solomon Yakobson
Messages: 3305
Registered: January 2010
Location: Connecticut, USA
|
Senior Member |
|
|
Michel Cadot wrote on Tue, 18 May 2010 13:23Right.
Unless you are a DBA. Then you could use a handy SP (I have it as part of my DBA package) that uses undocumented package DBMS_SYS_SQL ("guts" of DBMS_SQL package and therefore it is highly unlikely it will be dropped). It has very handy procedure PARSE_AS_USER. Anyway, here is a simplified version of a procedure in my DBA package:
CREATE OR REPLACE
PROCEDURE EXECUTE_AS_USER(
p_username VARCHAR2,
p_stmt VARCHAR2
)
IS
v_cur NUMBER;
v_user_id NUMBER;
BEGIN
SELECT MAX(user_id)
INTO v_user_id
FROM DBA_USERS
WHERE username = UPPER(p_username);
IF v_user_id IS NULL
THEN
RAISE_APPLICATION_ERROR(-20900,'User ' || p_username || ' does not exist.');
END IF;
v_cur := DBMS_SQL.OPEN_CURSOR;
DBMS_SYS_SQL.PARSE_AS_USER(v_cur,p_stmt,DBMS_SQL.NATIVE,v_user_id);
DBMS_SQL.CLOSE_CURSOR(v_cur);
END;
/
Now:
SQL> show user
USER is "SCOTT"
SQL> grant select on emp to u1 with grant option
2 /
Grant succeeded.
SQL> connect u1/u1
Connected.
SQL> grant select on scott.emp to u2
2 /
Grant succeeded.
SQL> connect u2/u2
Connected.
SQL> select count(*) from scott.emp
2 /
COUNT(*)
-----------
14
SQL> connect scott as sysdba
Enter password: *****
Connected.
SQL> show user
USER is "SYS"
SQL> revoke select on scott.emp from u2
2 /
revoke select on scott.emp from u2
*
ERROR at line 1:
ORA-01927: cannot REVOKE privileges you did not grant
SQL> CREATE OR REPLACE
2 PROCEDURE EXECUTE_AS_USER(
3 p_username VARCHAR2,
4 p_stmt VARCHAR2
5 )
6 IS
7 v_cur NUMBER;
8 v_user_id NUMBER;
9 BEGIN
10 SELECT MAX(user_id)
11 INTO v_user_id
12 FROM DBA_USERS
13 WHERE username = UPPER(p_username);
14 IF v_user_id IS NULL
15 THEN
16 RAISE_APPLICATION_ERROR(-20900,'User ' || p_username || ' does not exist.');
17 END IF;
18 v_cur := DBMS_SQL.OPEN_CURSOR;
19 DBMS_SYS_SQL.PARSE_AS_USER(v_cur,p_stmt,DBMS_SQL.NATIVE,v_user_id);
20 DBMS_SQL.CLOSE_CURSOR(v_cur);
21 END;
22 /
Procedure created.
SQL> EXEC EXECUTE_AS_USER('u1','revoke select on scott.emp from u2');
PL/SQL procedure successfully completed.
SQL> connect u2/u2
Connected.
SQL> select count(*) from scott.emp
2 /
select count(*) from scott.emp
*
ERROR at line 1:
ORA-00942: table or view does not exist
SQL>
SY.
P.S. I created procedure in schema SYS just to simplify things. In real life you shouldn't create user objects in SYS schema. As I already mentioned, it is part of my DBA package owned by a highly privileged DBA_SUPPORT user.
[Updated on: Tue, 18 May 2010 16:50] Report message to a moderator |
|
|
|
|
|
|
|
|
|
] 
Blog
Search
Help
Members
Register
Login
Home
you seem to be nervous, aren't you ?
