有人可以告诉我如何在sql-console中显示特定用户的所有权限/规则吗?
您可以尝试以下视图。
SELECT * FROM USER_SYS_PRIVS;
SELECT * FROM USER_TAB_PRIVS;
SELECT * FROM USER_ROLE_PRIVS;
DBA和其他高级用户可以使用这些相同视图的DBA_
版本找到授予其他用户的权限。他们被documentation所覆盖。
这些视图仅显示直接授予用户的权限。查找所有权限(包括通过角色间接授予的权限)需要更复杂的递归SQL语句:
select * from dba_role_privs connect by prior granted_role = grantee start with grantee = '&USER' order by 1,2,3;
select * from dba_sys_privs where grantee = '&USER' or grantee in (select granted_role from dba_role_privs connect by prior granted_role = grantee start with grantee = '&USER') order by 1,2,3;
select * from dba_tab_privs where grantee = '&USER' or grantee in (select granted_role from dba_role_privs connect by prior granted_role = grantee start with grantee = '&USER') order by 1,2,3,4;
根据你想要的疯狂程度,有各种各样的脚本可以做到这一点。我个人会使用Pete Finnigan的find_all_privs script。
如果你想自己编写,那么查询就会变得非常具有挑战性。可以为用户授予在DBA_SYS_PRIVS
中可见的系统权限。他们可以被授予在DBA_TAB_PRIVS
中可见的对象权限。并且可以授予他们在DBA_ROLE_PRIVS
中可见的角色(角色可以是默认或非默认,也可以要求密码,因此仅仅因为用户被授予角色并不意味着用户必须使用权限他默认获得了这个角色)。但是,这些角色可以被授予系统权限,对象权限和其他角色,可以通过查看ROLE_SYS_PRIVS
,ROLE_TAB_PRIVS
和ROLE_ROLE_PRIVS
来查看。 Pete的脚本遍历这些关系,以显示最终流向用户的所有权限。
您可以使用以下代码获取所有用户的所有权限列表。
select * from dba_sys_privs
虽然Raviteja Vutukuri's answer可以工作并且很快就可以组合在一起,但是对于改变过滤器并不是特别灵活,如果你想要以编程方式做某事,那就没有多大帮助。所以我把我自己的查询放在一起:
SELECT
PRIVILEGE,
OBJ_OWNER,
OBJ_NAME,
USERNAME,
LISTAGG(GRANT_TARGET, ',') WITHIN GROUP (ORDER BY GRANT_TARGET) AS GRANT_SOURCES, -- Lists the sources of the permission
MAX(ADMIN_OR_GRANT_OPT) AS ADMIN_OR_GRANT_OPT, -- MAX acts as a Boolean OR by picking 'YES' over 'NO'
MAX(HIERARCHY_OPT) AS HIERARCHY_OPT -- MAX acts as a Boolean OR by picking 'YES' over 'NO'
FROM (
-- Gets all roles a user has, even inherited ones
WITH ALL_ROLES_FOR_USER AS (
SELECT DISTINCT CONNECT_BY_ROOT GRANTEE AS GRANTED_USER, GRANTED_ROLE
FROM DBA_ROLE_PRIVS
CONNECT BY GRANTEE = PRIOR GRANTED_ROLE
)
SELECT
PRIVILEGE,
OBJ_OWNER,
OBJ_NAME,
USERNAME,
REPLACE(GRANT_TARGET, USERNAME, 'Direct to user') AS GRANT_TARGET,
ADMIN_OR_GRANT_OPT,
HIERARCHY_OPT
FROM (
-- System privileges granted directly to users
SELECT PRIVILEGE, NULL AS OBJ_OWNER, NULL AS OBJ_NAME, GRANTEE AS USERNAME, GRANTEE AS GRANT_TARGET, ADMIN_OPTION AS ADMIN_OR_GRANT_OPT, NULL AS HIERARCHY_OPT
FROM DBA_SYS_PRIVS
WHERE GRANTEE IN (SELECT USERNAME FROM DBA_USERS)
UNION ALL
-- System privileges granted users through roles
SELECT PRIVILEGE, NULL AS OBJ_OWNER, NULL AS OBJ_NAME, ALL_ROLES_FOR_USER.GRANTED_USER AS USERNAME, GRANTEE AS GRANT_TARGET, ADMIN_OPTION AS ADMIN_OR_GRANT_OPT, NULL AS HIERARCHY_OPT
FROM DBA_SYS_PRIVS
JOIN ALL_ROLES_FOR_USER ON ALL_ROLES_FOR_USER.GRANTED_ROLE = DBA_SYS_PRIVS.GRANTEE
UNION ALL
-- Object privileges granted directly to users
SELECT PRIVILEGE, OWNER AS OBJ_OWNER, TABLE_NAME AS OBJ_NAME, GRANTEE AS USERNAME, GRANTEE AS GRANT_TARGET, GRANTABLE, HIERARCHY
FROM DBA_TAB_PRIVS
WHERE GRANTEE IN (SELECT USERNAME FROM DBA_USERS)
UNION ALL
-- Object privileges granted users through roles
SELECT PRIVILEGE, OWNER AS OBJ_OWNER, TABLE_NAME AS OBJ_NAME, GRANTEE AS USERNAME, ALL_ROLES_FOR_USER.GRANTED_ROLE AS GRANT_TARGET, GRANTABLE, HIERARCHY
FROM DBA_TAB_PRIVS
JOIN ALL_ROLES_FOR_USER ON ALL_ROLES_FOR_USER.GRANTED_ROLE = DBA_TAB_PRIVS.GRANTEE
) ALL_USER_PRIVS
-- Adjust your filter here
WHERE USERNAME = 'USER_NAME'
) DISTINCT_USER_PRIVS
GROUP BY
PRIVILEGE,
OBJ_OWNER,
OBJ_NAME,
USERNAME
;
好处:
WHERE
子句轻松地过滤掉许多不同的信息,比如对象,特权,是否通过特定的角色等。DBMS_OUTPUT
或其他东西的功能(与Pete Finnigan的链接脚本相比)。这使它对程序化使用和导出很有用。GRANT
进行检查,子查询可以很容易地被拉出。要显示所有权限:
从system_privilege_map中选择名称;