469,645 Members | 1,174 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,645 developers. It's quick & easy.

A Query about GRANT ALL PRIVILEGES in ORACLE

Hi,
I have a quick question. Which role/privileges are required before
a user can give the statement "GRANT ALL PRIVILEGES"?

Thanking you in Advance

Have a nice day
Jul 19 '05 #1
4 98513
Hi,

Try this;

Connected to:
Personal Oracle9i Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL>
SQL> sho user
USER is "SYSTEM"
SQL> select * from system_privilege_map
2 where name like '%PRIV%';

PRIVILEGE NAME PROPERTY
---------- ---------------------------------------- ----------
-167 GRANT ANY PRIVILEGE 0
-244 GRANT ANY OBJECT PRIVILEGE 0

SQL>
SQL> -- Create a new user with just create session (to log on) and grant
SQL> -- any privilege to, well grant all privileges.
SQL> create user emil identified by emil;

User created.

SQL> grant create session, grant any privilege to emil;

Grant succeeded.

SQL> -- because we want to test this privilege create a second user to
SQL> -- test it with
SQL> create user zulia identified by zulia;

User created.

SQL> -- connect as emil and grant all privileges to Zulia
SQL> connect emil/emil@sans
Connected.
SQL> grant all privileges to zulia;

Grant succeeded.

SQL> -- connect as system and find out if it worked.
SQL> connect system/manager@sans
Connected.

SQL> select count(*),grantee
2 from dba_sys_privs
3 where grantee in ('MDSYS','EMIL','ZULIA')
4* group by grantee
SQL> /

COUNT(*) GRANTEE
---------- ------------------------------
2 EMIL
139 MDSYS
139 ZULIA

SQL>

We used MDSYS as a checkpoint as MDSYS has all privileges granted to it
by default in a default installation of Oracle. The privilege you need
therefore is GRANT ANY PRIVILEGE.

I should ask WHY?, it is not a good idea to grant all privileges to any
user in the database. Just grant the privileges that are needed by your
user. Use the least privilege principle.

hth

kind regards

Pete
--
Pete Finnigan
email:pe**@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Jul 19 '05 #2
ad******@netscape.net (Amardeep Verma) wrote in message news:<45**************************@posting.google. com>...
Hi,
I have a quick question. Which role/privileges are required before
a user can give the statement "GRANT ALL PRIVILEGES"?

Thanking you in Advance

Have a nice day


From the 9.2 SQL manual: >>
ALL [PRIVILEGES]
Specify ALL to grant all the privileges for the object that you have
been granted with the GRANT OPTION. The user who owns the schema
containing an object automatically has all privileges on the object
with the GRANT OPTION. (The keyword PRIVILEGES is provided for
semantic clarity and is optional.)
<<

So any object owner can grant all on object to someuser_or_role

And it would appear that a DBA can grant all privileges to a user or
role:

I created a user named bob then I issued, "grant all privileges to
bob"
Next I connected as Bob and queries user_sys_privs.
I got 140 rows returned.

When I reconneted to my DBA id I queried dba_sys_privs for grantee =
'DBA' and got 138.

HTH -- Mark D Powell --
Jul 19 '05 #3
Thanks a lot Pete. Your Response was very informative

Enjoy your Day
Bye

Pete Finnigan <pl***@petefinnigan.com> wrote in message news:<BA**************@peterfinnigan.demon.co.uk>. ..
Hi,

Try this;

Connected to:
Personal Oracle9i Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL>
SQL> sho user
USER is "SYSTEM"
SQL> select * from system_privilege_map
2 where name like '%PRIV%';

PRIVILEGE NAME PROPERTY
---------- ---------------------------------------- ----------
-167 GRANT ANY PRIVILEGE 0
-244 GRANT ANY OBJECT PRIVILEGE 0

SQL>
SQL> -- Create a new user with just create session (to log on) and grant
SQL> -- any privilege to, well grant all privileges.
SQL> create user emil identified by emil;

User created.

SQL> grant create session, grant any privilege to emil;

Grant succeeded.

SQL> -- because we want to test this privilege create a second user to
SQL> -- test it with
SQL> create user zulia identified by zulia;

User created.

SQL> -- connect as emil and grant all privileges to Zulia
SQL> connect emil/emil@sans
Connected.
SQL> grant all privileges to zulia;

Grant succeeded.

SQL> -- connect as system and find out if it worked.
SQL> connect system/manager@sans
Connected.

SQL> select count(*),grantee
2 from dba_sys_privs
3 where grantee in ('MDSYS','EMIL','ZULIA')
4* group by grantee
SQL> /

COUNT(*) GRANTEE
---------- ------------------------------
2 EMIL
139 MDSYS
139 ZULIA

SQL>

We used MDSYS as a checkpoint as MDSYS has all privileges granted to it
by default in a default installation of Oracle. The privilege you need
therefore is GRANT ANY PRIVILEGE.

I should ask WHY?, it is not a good idea to grant all privileges to any
user in the database. Just grant the privileges that are needed by your
user. Use the least privilege principle.

hth

kind regards

Pete

Jul 19 '05 #4
Thanks Mark. Your points cleared up many items.

Have a nice day
Bye

Ma*********@eds.com (Mark D Powell) wrote in message news:<26**************************@posting.google. com>...
ad******@netscape.net (Amardeep Verma) wrote in message news:<45**************************@posting.google. com>...
Hi,
I have a quick question. Which role/privileges are required before
a user can give the statement "GRANT ALL PRIVILEGES"?

Thanking you in Advance

Have a nice day
From the 9.2 SQL manual: >>
ALL [PRIVILEGES]
Specify ALL to grant all the privileges for the object that you have
been granted with the GRANT OPTION. The user who owns the schema
containing an object automatically has all privileges on the object
with the GRANT OPTION. (The keyword PRIVILEGES is provided for
semantic clarity and is optional.)

<<

So any object owner can grant all on object to someuser_or_role

And it would appear that a DBA can grant all privileges to a user or
role:

I created a user named bob then I issued, "grant all privileges to
bob"
Next I connected as Bob and queries user_sys_privs.
I got 140 rows returned.

When I reconneted to my DBA id I queried dba_sys_privs for grantee =
'DBA' and got 138.

HTH -- Mark D Powell --

Jul 19 '05 #5

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

12 posts views Thread by | last post: by
3 posts views Thread by Marc | last post: by
reply views Thread by Charles Cantrell | last post: by
reply views Thread by Marc | last post: by
3 posts views Thread by mel_palmeruk | last post: by
6 posts views Thread by john_woo | last post: by
2 posts views Thread by jmarr02s | last post: by
4 posts views Thread by Amardeep Verma | last post: by
reply views Thread by gheharukoh7 | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.