By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
440,333 Members | 1,850 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 440,333 IT Pros & Developers. It's quick & easy.

A Query about GRANT ALL PRIVILEGES in ORACLE

P: n/a
Hi,
I have a quick question. Which role/privileges are required before
a user can give the statement "GRANT ALL PRIVILEGES"?

Thanking you in Advance

Have a nice day
Jul 19 '05 #1
Share this Question
Share on Google+
4 Replies


P: n/a
Hi,

Try this;

Connected to:
Personal Oracle9i Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL>
SQL> sho user
USER is "SYSTEM"
SQL> select * from system_privilege_map
2 where name like '%PRIV%';

PRIVILEGE NAME PROPERTY
---------- ---------------------------------------- ----------
-167 GRANT ANY PRIVILEGE 0
-244 GRANT ANY OBJECT PRIVILEGE 0

SQL>
SQL> -- Create a new user with just create session (to log on) and grant
SQL> -- any privilege to, well grant all privileges.
SQL> create user emil identified by emil;

User created.

SQL> grant create session, grant any privilege to emil;

Grant succeeded.

SQL> -- because we want to test this privilege create a second user to
SQL> -- test it with
SQL> create user zulia identified by zulia;

User created.

SQL> -- connect as emil and grant all privileges to Zulia
SQL> connect emil/emil@sans
Connected.
SQL> grant all privileges to zulia;

Grant succeeded.

SQL> -- connect as system and find out if it worked.
SQL> connect system/manager@sans
Connected.

SQL> select count(*),grantee
2 from dba_sys_privs
3 where grantee in ('MDSYS','EMIL','ZULIA')
4* group by grantee
SQL> /

COUNT(*) GRANTEE
---------- ------------------------------
2 EMIL
139 MDSYS
139 ZULIA

SQL>

We used MDSYS as a checkpoint as MDSYS has all privileges granted to it
by default in a default installation of Oracle. The privilege you need
therefore is GRANT ANY PRIVILEGE.

I should ask WHY?, it is not a good idea to grant all privileges to any
user in the database. Just grant the privileges that are needed by your
user. Use the least privilege principle.

hth

kind regards

Pete
--
Pete Finnigan
email:pe**@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.
Jul 19 '05 #2

P: n/a
ad******@netscape.net (Amardeep Verma) wrote in message news:<45**************************@posting.google. com>...
Hi,
I have a quick question. Which role/privileges are required before
a user can give the statement "GRANT ALL PRIVILEGES"?

Thanking you in Advance

Have a nice day


From the 9.2 SQL manual: >>
ALL [PRIVILEGES]
Specify ALL to grant all the privileges for the object that you have
been granted with the GRANT OPTION. The user who owns the schema
containing an object automatically has all privileges on the object
with the GRANT OPTION. (The keyword PRIVILEGES is provided for
semantic clarity and is optional.)
<<

So any object owner can grant all on object to someuser_or_role

And it would appear that a DBA can grant all privileges to a user or
role:

I created a user named bob then I issued, "grant all privileges to
bob"
Next I connected as Bob and queries user_sys_privs.
I got 140 rows returned.

When I reconneted to my DBA id I queried dba_sys_privs for grantee =
'DBA' and got 138.

HTH -- Mark D Powell --
Jul 19 '05 #3

P: n/a
Thanks a lot Pete. Your Response was very informative

Enjoy your Day
Bye

Pete Finnigan <pl***@petefinnigan.com> wrote in message news:<BA**************@peterfinnigan.demon.co.uk>. ..
Hi,

Try this;

Connected to:
Personal Oracle9i Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL>
SQL> sho user
USER is "SYSTEM"
SQL> select * from system_privilege_map
2 where name like '%PRIV%';

PRIVILEGE NAME PROPERTY
---------- ---------------------------------------- ----------
-167 GRANT ANY PRIVILEGE 0
-244 GRANT ANY OBJECT PRIVILEGE 0

SQL>
SQL> -- Create a new user with just create session (to log on) and grant
SQL> -- any privilege to, well grant all privileges.
SQL> create user emil identified by emil;

User created.

SQL> grant create session, grant any privilege to emil;

Grant succeeded.

SQL> -- because we want to test this privilege create a second user to
SQL> -- test it with
SQL> create user zulia identified by zulia;

User created.

SQL> -- connect as emil and grant all privileges to Zulia
SQL> connect emil/emil@sans
Connected.
SQL> grant all privileges to zulia;

Grant succeeded.

SQL> -- connect as system and find out if it worked.
SQL> connect system/manager@sans
Connected.

SQL> select count(*),grantee
2 from dba_sys_privs
3 where grantee in ('MDSYS','EMIL','ZULIA')
4* group by grantee
SQL> /

COUNT(*) GRANTEE
---------- ------------------------------
2 EMIL
139 MDSYS
139 ZULIA

SQL>

We used MDSYS as a checkpoint as MDSYS has all privileges granted to it
by default in a default installation of Oracle. The privilege you need
therefore is GRANT ANY PRIVILEGE.

I should ask WHY?, it is not a good idea to grant all privileges to any
user in the database. Just grant the privileges that are needed by your
user. Use the least privilege principle.

hth

kind regards

Pete

Jul 19 '05 #4

P: n/a
Thanks Mark. Your points cleared up many items.

Have a nice day
Bye

Ma*********@eds.com (Mark D Powell) wrote in message news:<26**************************@posting.google. com>...
ad******@netscape.net (Amardeep Verma) wrote in message news:<45**************************@posting.google. com>...
Hi,
I have a quick question. Which role/privileges are required before
a user can give the statement "GRANT ALL PRIVILEGES"?

Thanking you in Advance

Have a nice day
From the 9.2 SQL manual: >>
ALL [PRIVILEGES]
Specify ALL to grant all the privileges for the object that you have
been granted with the GRANT OPTION. The user who owns the schema
containing an object automatically has all privileges on the object
with the GRANT OPTION. (The keyword PRIVILEGES is provided for
semantic clarity and is optional.)

<<

So any object owner can grant all on object to someuser_or_role

And it would appear that a DBA can grant all privileges to a user or
role:

I created a user named bob then I issued, "grant all privileges to
bob"
Next I connected as Bob and queries user_sys_privs.
I got 140 rows returned.

When I reconneted to my DBA id I queried dba_sys_privs for grantee =
'DBA' and got 138.

HTH -- Mark D Powell --

Jul 19 '05 #5

This discussion thread is closed

Replies have been disabled for this discussion.