Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

A Query about GRANT ALL PRIVILEGES in ORACLE

80 views
Skip to first unread message

Amardeep Verma

unread,
Feb 4, 2004, 6:51:56 AM2/4/04
to
Hi,
I have a quick question. Which role/privileges are required before
a user can give the statement "GRANT ALL PRIVILEGES"?

Thanking you in Advance

Have a nice day

Pete Finnigan

unread,
Feb 4, 2004, 7:48:09 AM2/4/04
to
Hi,

Try this;

Connected to:
Personal Oracle9i Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL>
SQL> sho user
USER is "SYSTEM"
SQL> select * from system_privilege_map
2 where name like '%PRIV%';

PRIVILEGE NAME PROPERTY
---------- ---------------------------------------- ----------
-167 GRANT ANY PRIVILEGE 0
-244 GRANT ANY OBJECT PRIVILEGE 0

SQL>
SQL> -- Create a new user with just create session (to log on) and grant
SQL> -- any privilege to, well grant all privileges.
SQL> create user emil identified by emil;

User created.

SQL> grant create session, grant any privilege to emil;

Grant succeeded.

SQL> -- because we want to test this privilege create a second user to
SQL> -- test it with
SQL> create user zulia identified by zulia;

User created.

SQL> -- connect as emil and grant all privileges to Zulia
SQL> connect emil/emil@sans
Connected.
SQL> grant all privileges to zulia;

Grant succeeded.

SQL> -- connect as system and find out if it worked.
SQL> connect system/manager@sans
Connected.

SQL> select count(*),grantee
2 from dba_sys_privs
3 where grantee in ('MDSYS','EMIL','ZULIA')
4* group by grantee
SQL> /

COUNT(*) GRANTEE
---------- ------------------------------
2 EMIL
139 MDSYS
139 ZULIA

SQL>

We used MDSYS as a checkpoint as MDSYS has all privileges granted to it
by default in a default installation of Oracle. The privilege you need
therefore is GRANT ANY PRIVILEGE.

I should ask WHY?, it is not a good idea to grant all privileges to any
user in the database. Just grant the privileges that are needed by your
user. Use the least privilege principle.

hth

kind regards

Pete
--
Pete Finnigan
email:pe...@petefinnigan.com
Web site: http://www.petefinnigan.com - Oracle security audit specialists
Book:Oracle security step-by-step Guide - see http://store.sans.org for details.

Mark D Powell

unread,
Feb 4, 2004, 9:31:06 AM2/4/04
to
addv...@netscape.net (Amardeep Verma) wrote in message news:<45d3f402.04020...@posting.google.com>...

From the 9.2 SQL manual: >>
ALL [PRIVILEGES]
Specify ALL to grant all the privileges for the object that you have
been granted with the GRANT OPTION. The user who owns the schema
containing an object automatically has all privileges on the object
with the GRANT OPTION. (The keyword PRIVILEGES is provided for
semantic clarity and is optional.)
<<

So any object owner can grant all on object to someuser_or_role

And it would appear that a DBA can grant all privileges to a user or
role:

I created a user named bob then I issued, "grant all privileges to
bob"
Next I connected as Bob and queries user_sys_privs.
I got 140 rows returned.

When I reconneted to my DBA id I queried dba_sys_privs for grantee =
'DBA' and got 138.

HTH -- Mark D Powell --

Amardeep Verma

unread,
Feb 4, 2004, 10:48:08 PM2/4/04
to
Thanks a lot Pete. Your Response was very informative

Enjoy your Day
Bye

Pete Finnigan <pl...@petefinnigan.com> wrote in message news:<BAswIjAJ...@peterfinnigan.demon.co.uk>...

Amardeep Verma

unread,
Feb 4, 2004, 10:48:52 PM2/4/04
to
Thanks Mark. Your points cleared up many items.

Have a nice day
Bye

Mark....@eds.com (Mark D Powell) wrote in message news:<2687bb95.04020...@posting.google.com>...

0 new messages