How can I display all the privileges/rules of a specific user in the SQL console?
You can try these views.
SELECT * FROM USER_SYS_PRIVS;
SELECT * FROM USER_TAB_PRIVS;
SELECT * FROM USER_ROLE_PRIVS;
DBAs and other privileged users can use the DBA_ versions of these same views to find the privileges granted to other users. These are covered in detail in the documentation.
These views only show privileges granted directly to the user. To find all privileges, including those granted indirectly through roles, you need a more complex recursive SQL statement:
select * from dba_role_privs connect by prior granted_role = grantee start with grantee = '&USER' order by 1,2,3;
select * from dba_sys_privs where grantee = '&USER' or grantee in (select granted_role from dba_role_privs connect by prior granted_role = grantee start with grantee = '&USER') order by 1,2,3;
select * from dba_tab_privs where grantee = '&USER' or grantee in (select granted_role from dba_role_privs connect by prior granted_role = grantee start with grantee = '&USER') order by 1,2,3,4;
There are all sorts of scripts that do this, depending on how complex you want to get. Personally, I would use Pete Finnigan's find_all_privs script.
If you want to write the script yourself, the query can be rather challenging. Users can be granted system privileges, which are visible in DBA_SYS_PRIVS. They can be granted object privileges, which are visible in DBA_TAB_PRIVS. And they can be granted roles, which are visible in DBA_ROLE_PRIVS (roles can be default or non-default, and can also require a password, so just because a user has been granted a role does not mean the user has the privileges that come through that role). But those roles can in turn be granted system privileges, object privileges and other roles, which you can see by looking at ROLE_SYS_PRIVS, ROLE_TAB_PRIVS and ROLE_ROLE_PRIVS. Pete's script walks these relationships to show all the privileges that ultimately flow to the user.
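An added example for auditing what an account can actually exercise, not one of the posted answers: it follows the role chain with a recursive WITH rather than CONNECT BY and also surfaces the caveat from the answer above, that a non-default role or a password-protected role is held but not active until the session enables it. It assumes SQL*Plus (&USER is a substitution variable, as in the other answers) and read access to the DBA_ views (the DBA role or SELECT ANY DICTIONARY); the role names in the comments are illustrative.

```sql
-- Effective privileges for one user, with the path each one arrives by and
-- whether it is live at login. &USER is a SQL*Plus substitution variable, as
-- in the other answers. Role grants cannot form cycles in Oracle, so no CYCLE
-- clause is needed on the recursive subquery.
WITH role_tree (username, role_name, role_path, enabled_at_login) AS (
  -- Roles granted straight to the user. DEFAULT_ROLE = 'NO' means the role is
  -- granted but not enabled until the session runs SET ROLE.
  SELECT rp.grantee, rp.granted_role,
         CAST(rp.granted_role AS VARCHAR2(4000)), rp.default_role
  FROM   dba_role_privs rp
  WHERE  rp.grantee = '&USER'
  UNION ALL
  -- Roles granted to roles already in the tree. They inherit the login flag
  -- of the top-level role they hang off.
  SELECT rt.username, rp.granted_role,
         rt.role_path || ' -> ' || rp.granted_role, rt.enabled_at_login
  FROM   role_tree rt
  JOIN   dba_role_privs rp ON rp.grantee = rt.role_name
),
grant_paths (grantee_name, role_path, enabled_at_login) AS (
  -- Direct grants to the user sit alongside the role-derived ones.
  SELECT CAST('&USER' AS VARCHAR2(128)), CAST('DIRECT' AS VARCHAR2(4000)), 'YES'
  FROM   dual
  UNION ALL
  SELECT role_name, role_path, enabled_at_login FROM role_tree
),
all_privs (priv_type, grantee, privilege, obj_owner, obj_name, admin_or_grant_opt) AS (
  SELECT 'SYSTEM', grantee, privilege,
         CAST(NULL AS VARCHAR2(128)), CAST(NULL AS VARCHAR2(128)), admin_option
  FROM   dba_sys_privs
  UNION ALL
  SELECT 'OBJECT', grantee, privilege, owner, table_name, grantable
  FROM   dba_tab_privs
)
SELECT p.priv_type, p.privilege, p.obj_owner, p.obj_name,
       gp.role_path,          -- 'DIRECT' or e.g. APP_ROLE -> REPORT_ROLE (illustrative names)
       gp.enabled_at_login,   -- 'NO' = held but dormant until SET ROLE
       -- A password-protected role is one more hurdle before the grant is usable.
       CASE WHEN gp.role_path = 'DIRECT' THEN 'N/A'
            ELSE NVL(r.password_required, 'NO') END AS role_needs_password,
       p.admin_or_grant_opt   -- can the holder pass the privilege on?
FROM   grant_paths gp
JOIN   all_privs  p ON p.grantee = gp.grantee_name
LEFT JOIN dba_roles r ON r.role = gp.grantee_name
ORDER BY p.priv_type, p.privilege, p.obj_owner, p.obj_name, gp.role_path;
```

Rows with enabled_at_login = 'NO' or role_needs_password = 'YES' are the ones the simpler queries on this page report as privileges even though the session does not have them until the role is enabled.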
While Raviteja Vutukuri's answer works and is quick, it is not particularly flexible for different filters and is not much help if you want to do something programmatically. So I wrote my own query:
SELECT
PRIVILEGE,
OBJ_OWNER,
OBJ_NAME,
USERNAME,
LISTAGG(GRANT_TARGET, ',') WITHIN GROUP (ORDER BY GRANT_TARGET) AS GRANT_SOURCES, -- Lists the sources of the permission
MAX(ADMIN_OR_GRANT_OPT) AS ADMIN_OR_GRANT_OPT, -- MAX acts as a Boolean OR by picking 'YES' over 'NO'
MAX(HIERARCHY_OPT) AS HIERARCHY_OPT -- MAX acts as a Boolean OR by picking 'YES' over 'NO'
FROM (
-- Gets all roles a user has, even inherited ones
WITH ALL_ROLES_FOR_USER AS (
SELECT DISTINCT CONNECT_BY_ROOT GRANTEE AS GRANTED_USER, GRANTED_ROLE
FROM DBA_ROLE_PRIVS
CONNECT BY GRANTEE = PRIOR GRANTED_ROLE
)
SELECT
PRIVILEGE,
OBJ_OWNER,
OBJ_NAME,
USERNAME,
REPLACE(GRANT_TARGET, USERNAME, 'Direct to user') AS GRANT_TARGET,
ADMIN_OR_GRANT_OPT,
HIERARCHY_OPT
FROM (
-- System privileges granted directly to users
SELECT PRIVILEGE, NULL AS OBJ_OWNER, NULL AS OBJ_NAME, GRANTEE AS USERNAME, GRANTEE AS GRANT_TARGET, ADMIN_OPTION AS ADMIN_OR_GRANT_OPT, NULL AS HIERARCHY_OPT
FROM DBA_SYS_PRIVS
WHERE GRANTEE IN (SELECT USERNAME FROM DBA_USERS)
UNION ALL
-- System privileges granted users through roles
SELECT PRIVILEGE, NULL AS OBJ_OWNER, NULL AS OBJ_NAME, ALL_ROLES_FOR_USER.GRANTED_USER AS USERNAME, GRANTEE AS GRANT_TARGET, ADMIN_OPTION AS ADMIN_OR_GRANT_OPT, NULL AS HIERARCHY_OPT
FROM DBA_SYS_PRIVS
JOIN ALL_ROLES_FOR_USER ON ALL_ROLES_FOR_USER.GRANTED_ROLE = DBA_SYS_PRIVS.GRANTEE
UNION ALL
-- Object privileges granted directly to users
SELECT PRIVILEGE, OWNER AS OBJ_OWNER, TABLE_NAME AS OBJ_NAME, GRANTEE AS USERNAME, GRANTEE AS GRANT_TARGET, GRANTABLE, HIERARCHY
FROM DBA_TAB_PRIVS
WHERE GRANTEE IN (SELECT USERNAME FROM DBA_USERS)
UNION ALL
-- Object privileges granted users through roles
SELECT PRIVILEGE, OWNER AS OBJ_OWNER, TABLE_NAME AS OBJ_NAME, ALL_ROLES_FOR_USER.GRANTED_USER AS USERNAME, ALL_ROLES_FOR_USER.GRANTED_ROLE AS GRANT_TARGET, GRANTABLE, HIERARCHY
FROM DBA_TAB_PRIVS
JOIN ALL_ROLES_FOR_USER ON ALL_ROLES_FOR_USER.GRANTED_ROLE = DBA_TAB_PRIVS.GRANTEE
) ALL_USER_PRIVS
-- Adjust your filter here
WHERE USERNAME = 'USER_NAME'
) DISTINCT_USER_PRIVS
GROUP BY
PRIVILEGE,
OBJ_OWNER,
OBJ_NAME,
USERNAME
;
Advantages:
- The WHERE clause can filter on many different pieces of information, such as the object, the privilege, whether it comes through a particular role, and so on.
- Output is a normal result set rather than DBMS_OUTPUT or elsewhere, which makes it useful for programmatic use and export.
- If you want to turn these into GRANT statements, the subquery can easily be pulled out.
USER_SYS_PRIVS (directly granted system privileges), USER_TAB_PRIVS (directly granted object privileges), USER_ROLE_PRIVS (roles granted directly to the user), ROLE_ROLE_PRIVS (to get inherited roles), ROLE_SYS_PRIVS (system privileges obtained through roles) and ROLE_TAB_PRIVS (object privileges obtained through roles). Ugh, Oracle is so complicated. Another useful resource:
http://psoug.org/reference/roles.html
DBA or SYS role, and only want to find the privileges of your own account. - vapcguy

WITH data
AS (SELECT granted_role
FROM dba_role_privs
CONNECT BY PRIOR granted_role = grantee
START WITH grantee = '&USER')
SELECT 'SYSTEM' typ,
grantee grantee,
privilege priv,
admin_option ad,
'--' tabnm,
'--' colnm,
'--' owner
FROM dba_sys_privs
WHERE grantee = '&USER'
OR grantee IN (SELECT granted_role
FROM data)
UNION
SELECT 'TABLE' typ,
grantee grantee,
privilege priv,
grantable ad,
table_name tabnm,
'--' colnm,
owner owner
FROM dba_tab_privs
WHERE grantee = '&USER'
OR grantee IN (SELECT granted_role
FROM data)
ORDER BY 1;
You can use the following to get a list of all privileges from all users.
select * from dba_sys_privs
select name from system_privilege_map;
SYS privileges and just want to see the privileges of your own account, this script is no use at all. I don't have access to UTL_FILE, or to the other DBA and SYS areas the script looks at. - vapcguy

ROLE_SYS_PRIVS, ROLE_TAB_PRIVS and ROLE_ROLE_PRIVS. The documentation indicates they are for the current user. - jpmc26