12c: With DBA Privileges Off Limits, How Do You Grant Privileges to Business Users?

Published: 2020-07-17 16:39:53 Source: Internet Views: 1614 Author: roidba Category: Relational Databases

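I have seen too many customers whose business users all hold the DBA role. That setup is the simplest one, and also the most dangerous. Here is one way to set up privileges instead.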

The test environment is Oracle 12c.

1. System privileges held by the CONNECT role
SQL>  select * from role_sys_privs where role='CONNECT';

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
CONNECT                        SET CONTAINER                            NO  YES
CONNECT                        CREATE SESSION                           NO  YES

2. System privileges held by the RESOURCE role
SQL> select * from role_sys_privs where role='RESOURCE';

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
RESOURCE                       CREATE SEQUENCE                          NO  YES
RESOURCE                       CREATE TRIGGER                           NO  YES
RESOURCE                       CREATE CLUSTER                           NO  YES
RESOURCE                       CREATE PROCEDURE                         NO  YES
RESOURCE                       CREATE TYPE                              NO  YES
RESOURCE                       CREATE OPERATOR                          NO  YES
RESOURCE                       CREATE TABLE                             NO  YES
RESOURCE                       CREATE INDEXTYPE                         NO  YES

Let's see which operations the CONNECT and RESOURCE roles allow.

SQL> create user roi identified by roi;

User created.

SQL> conn / as sysdba
Connected.
SQL> grant create session to roi;

Grant succeeded.

SQL> conn roi/roi
Connected.
SQL> 
SQL> select sysdate from dual;

SYSDATE
-----------------------
22-DEC-2017 09:06:48

SQL> create table tt(id int);

Table created.

SQL> create index idx_tt on tt(id);

Index created.

SQL> insert into tt values(11);
insert into tt values(11)
            *
ERROR at line 1:
ORA-01950: no privileges on tablespace 'USERS'

SQL> conn / as sysdba
Connected.
SQL> alter user roi quota unlimited on users;

User altered.

SQL> 

SQL> conn roi/roi
Connected.
SQL> insert into tt values(11);

1 row created.

SQL> commit;

Commit complete.

SQL> update tt set id=111 where id=11;

1 row updated.

SQL> commit;

Commit complete.

SQL> delete from tt;

1 row deleted.

SQL> rollback;

Rollback complete.

SQL> select * from tt;

        ID
----------
       111

Why business users must not be given DBA privileges!!
1. Security considerations
2. Management considerations

Privileges held by the DBA role

SQL> conn / as sysdba
Connected.
SQL> select * from role_sys_privs where role='DBA';

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            CREATE PLUGGABLE DATABASE                NO  YES
DBA                            USE ANY SQL TRANSLATION PROFILE          NO  YES
DBA                            DROP ANY CUBE BUILD PROCESS              NO  YES
DBA                            CREATE CUBE                              NO  YES
DBA                            ALTER ANY CUBE DIMENSION                 NO  YES
DBA                            ALTER ANY MINING MODEL                   NO  YES
DBA                            DROP ANY MINING MODEL                    NO  YES
DBA                            DROP ANY EDITION                         NO  YES
DBA                            CHANGE NOTIFICATION                      NO  YES
DBA                            ADMINISTER ANY SQL TUNING SET            NO  YES
DBA                            ALTER ANY SQL PROFILE                    NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            CREATE RULE                              NO  YES
DBA                            EXPORT FULL DATABASE                     NO  YES
DBA                            EXECUTE ANY EVALUATION CONTEXT           NO  YES
DBA                            DEQUEUE ANY QUEUE                        NO  YES
DBA                            DROP ANY INDEXTYPE                       NO  YES
DBA                            ALTER ANY INDEXTYPE                      NO  YES
DBA                            EXECUTE ANY LIBRARY                      NO  YES
DBA                            CREATE ANY LIBRARY                       NO  YES
DBA                            CREATE ANY DIRECTORY                     NO  YES
DBA                            ALTER PROFILE                            NO  YES
DBA                            EXECUTE ANY PROCEDURE                    NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            CREATE ROLE                              NO  YES
DBA                            SELECT ANY SEQUENCE                      NO  YES
DBA                            DROP ANY INDEX                           NO  YES
DBA                            UPDATE ANY TABLE                         NO  YES
DBA                            INSERT ANY TABLE                         NO  YES
DBA                            SELECT ANY TABLE                         NO  YES
DBA                            DROP ROLLBACK SEGMENT                    NO  YES
DBA                            BECOME USER                              NO  YES
DBA                            DROP TABLESPACE                          NO  YES
DBA                            ALTER SESSION                            NO  YES
DBA                            CREATE SESSION                           NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            DROP ANY MEASURE FOLDER                  NO  YES
DBA                            SELECT ANY CUBE                          NO  YES
DBA                            ALTER ANY CUBE                           NO  YES
DBA                            CREATE ANY ASSEMBLY                      NO  YES
DBA                            ALTER ANY EDITION                        NO  YES
DBA                            ANALYZE ANY DICTIONARY                   NO  YES
DBA                            ALTER ANY RULE SET                       NO  YES
DBA                            CREATE RULE SET                          NO  YES
DBA                            DEBUG ANY PROCEDURE                      NO  YES
DBA                            CREATE DIMENSION                         NO  YES
DBA                            ALTER ANY LIBRARY                        NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            UNDER ANY TYPE                           NO  YES
DBA                            DROP ANY MATERIALIZED VIEW               NO  YES
DBA                            DROP ANY TRIGGER                         NO  YES
DBA                            ALTER ANY PROCEDURE                      NO  YES
DBA                            FORCE ANY TRANSACTION                    NO  YES
DBA                            ALTER DATABASE                           NO  YES
DBA                            DELETE ANY TABLE                         NO  YES
DBA                            ALTER ROLLBACK SEGMENT                   NO  YES
DBA                            ALTER ANY MEASURE FOLDER                 NO  YES
DBA                            SET CONTAINER                            NO  YES
DBA                            EM EXPRESS CONNECT                       NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            UPDATE ANY CUBE DIMENSION                NO  YES
DBA                            CREATE ANY CUBE BUILD PROCESS            NO  YES
DBA                            CREATE CUBE DIMENSION                    NO  YES
DBA                            ALTER ANY ASSEMBLY                       NO  YES
DBA                            CREATE ASSEMBLY                          NO  YES
DBA                            CREATE ANY EDITION                       NO  YES
DBA                            EXECUTE ANY PROGRAM                      NO  YES
DBA                            EXECUTE ANY RULE                         NO  YES
DBA                            IMPORT FULL DATABASE                     NO  YES
DBA                            EXECUTE ANY RULE SET                     NO  YES
DBA                            CREATE ANY RULE SET                      NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            FLASHBACK ANY TABLE                      NO  YES
DBA                            RESUMABLE                                NO  YES
DBA                            ADMINISTER DATABASE TRIGGER              NO  YES
DBA                            CREATE ANY OUTLINE                       NO  YES
DBA                            ALTER ANY DIMENSION                      NO  YES
DBA                            CREATE ANY DIMENSION                     NO  YES
DBA                            EXECUTE ANY OPERATOR                     NO  YES
DBA                            CREATE TYPE                              NO  YES
DBA                            CREATE TRIGGER                           NO  YES
DBA                            GRANT ANY ROLE                           NO  YES
DBA                            DROP ANY VIEW                            NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            CREATE VIEW                              NO  YES
DBA                            LOCK ANY TABLE                           NO  YES
DBA                            ALTER USER                               NO  YES
DBA                            CREATE USER                              NO  YES
DBA                            ALTER TABLESPACE                         NO  YES
DBA                            CREATE TABLESPACE                        NO  YES
DBA                            RESTRICTED SESSION                       NO  YES
DBA                            READ ANY TABLE                           NO  YES
DBA                            EXEMPT DML REDACTION POLICY              NO  YES
DBA                            UPDATE ANY CUBE BUILD PROCESS            NO  YES
DBA                            DROP ANY CUBE                            NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            INSERT ANY CUBE DIMENSION                NO  YES
DBA                            CREATE MINING MODEL                      NO  YES
DBA                            CREATE ANY JOB                           NO  YES
DBA                            CREATE JOB                               NO  YES
DBA                            CREATE ANY RULE                          NO  YES
DBA                            DROP ANY EVALUATION CONTEXT              NO  YES
DBA                            CREATE ANY EVALUATION CONTEXT            NO  YES
DBA                            CREATE EVALUATION CONTEXT                NO  YES
DBA                            GRANT ANY OBJECT PRIVILEGE               NO  YES
DBA                            SELECT ANY DICTIONARY                    NO  YES
DBA                            DROP ANY DIMENSION                       NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            UNDER ANY TABLE                          NO  YES
DBA                            CREATE INDEXTYPE                         NO  YES
DBA                            CREATE ANY OPERATOR                      NO  YES
DBA                            DROP ANY LIBRARY                         NO  YES
DBA                            ANALYZE ANY                              NO  YES
DBA                            ALTER ANY ROLE                           NO  YES
DBA                            CREATE ANY SEQUENCE                      NO  YES
DBA                            CREATE ANY INDEX                         NO  YES
DBA                            CREATE ANY TABLE                         NO  YES
DBA                            ALTER ANY CUBE BUILD PROCESS             NO  YES
DBA                            SELECT ANY CUBE BUILD PROCESS            NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            SELECT ANY MEASURE FOLDER                NO  YES
DBA                            EXEMPT DDL REDACTION POLICY              NO  YES
DBA                            CREATE ANY CREDENTIAL                    NO  YES
DBA                            CREATE ANY SQL TRANSLATION PROFILE       NO  YES
DBA                            DELETE ANY MEASURE FOLDER                NO  YES
DBA                            CREATE ANY MEASURE FOLDER                NO  YES
DBA                            SELECT ANY MINING MODEL                  NO  YES
DBA                            CREATE ANY MINING MODEL                  NO  YES
DBA                            MANAGE FILE GROUP                        NO  YES
DBA                            MANAGE SCHEDULER                         NO  YES
DBA                            ADMINISTER RESOURCE MANAGER              NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            ALTER ANY OUTLINE                        NO  YES
DBA                            DROP ANY CONTEXT                         NO  YES
DBA                            EXECUTE ANY INDEXTYPE                    NO  YES
DBA                            UNDER ANY VIEW                           NO  YES
DBA                            DROP ANY TYPE                            NO  YES
DBA                            ALTER ANY TYPE                           NO  YES
DBA                            ALTER ANY MATERIALIZED VIEW              NO  YES
DBA                            CREATE PROFILE                           NO  YES
DBA                            DROP PUBLIC DATABASE LINK                NO  YES
DBA                            ALTER ANY INDEX                          NO  YES
DBA                            CREATE CLUSTER                           NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            REDEFINE ANY TABLE                       NO  YES
DBA                            COMMENT ANY TABLE                        NO  YES
DBA                            DROP ANY TABLE                           NO  YES
DBA                            CREATE ROLLBACK SEGMENT                  NO  YES
DBA                            AUDIT SYSTEM                             NO  YES
DBA                            ALTER SYSTEM                             NO  YES
DBA                            CREATE CREDENTIAL                        NO  YES
DBA                            DROP ANY SQL TRANSLATION PROFILE         NO  YES
DBA                            SELECT ANY CUBE DIMENSION                NO  YES
DBA                            DELETE ANY CUBE DIMENSION                NO  YES
DBA                            CREATE ANY CUBE DIMENSION                NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            COMMENT ANY MINING MODEL                 NO  YES
DBA                            EXECUTE ASSEMBLY                         NO  YES
DBA                            EXECUTE ANY ASSEMBLY                     NO  YES
DBA                            MANAGE ANY FILE GROUP                    NO  YES
DBA                            EXECUTE ANY CLASS                        NO  YES
DBA                            DROP ANY RULE SET                        NO  YES
DBA                            DEBUG CONNECT SESSION                    NO  YES
DBA                            ON COMMIT REFRESH                        NO  YES
DBA                            ENQUEUE ANY QUEUE                        NO  YES
DBA                            CREATE ANY INDEXTYPE                     NO  YES
DBA                            ALTER ANY OPERATOR                       NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            CREATE ANY TYPE                          NO  YES
DBA                            DROP ANY DIRECTORY                       NO  YES
DBA                            ALTER RESOURCE COST                      NO  YES
DBA                            CREATE ANY PROCEDURE                     NO  YES
DBA                            CREATE PROCEDURE                         NO  YES
DBA                            FORCE TRANSACTION                        NO  YES
DBA                            ALTER ANY SEQUENCE                       NO  YES
DBA                            CREATE SEQUENCE                          NO  YES
DBA                            CREATE ANY VIEW                          NO  YES
DBA                            DROP PUBLIC SYNONYM                      NO  YES
DBA                            DROP ANY SYNONYM                         NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            CREATE ANY CLUSTER                       NO  YES
DBA                            BACKUP ANY TABLE                         NO  YES
DBA                            CREATE TABLE                             NO  YES
DBA                            LOGMINING                                NO  YES
DBA                            CREATE SQL TRANSLATION PROFILE           NO  YES
DBA                            ADMINISTER SQL MANAGEMENT OBJECT         NO  YES
DBA                            INSERT ANY MEASURE FOLDER                NO  YES
DBA                            UPDATE ANY CUBE                          NO  YES
DBA                            ADMINISTER SQL TUNING SET                NO  YES
DBA                            MERGE ANY VIEW                           NO  YES
DBA                            DROP ANY OUTLINE                         NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            CREATE OPERATOR                          NO  YES
DBA                            CREATE LIBRARY                           NO  YES
DBA                            GRANT ANY PRIVILEGE                      NO  YES
DBA                            DROP PROFILE                             NO  YES
DBA                            ALTER ANY TRIGGER                        NO  YES
DBA                            CREATE ANY TRIGGER                       NO  YES
DBA                            DROP ANY PROCEDURE                       NO  YES
DBA                            AUDIT ANY                                NO  YES
DBA                            DROP ANY ROLE                            NO  YES
DBA                            DROP ANY SEQUENCE                        NO  YES
DBA                            CREATE PUBLIC SYNONYM                    NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            CREATE SYNONYM                           NO  YES
DBA                            DROP ANY CLUSTER                         NO  YES
DBA                            ALTER ANY TABLE                          NO  YES
DBA                            FLASHBACK ARCHIVE ADMINISTER             NO  YES
DBA                            ALTER ANY SQL TRANSLATION PROFILE        NO  YES
DBA                            CREATE CUBE BUILD PROCESS                NO  YES
DBA                            CREATE MEASURE FOLDER                    NO  YES
DBA                            CREATE ANY CUBE                          NO  YES
DBA                            DROP ANY CUBE DIMENSION                  NO  YES
DBA                            DROP ANY ASSEMBLY                        NO  YES
DBA                            CREATE EXTERNAL JOB                      NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            READ ANY FILE GROUP                      NO  YES
DBA                            CREATE ANY SQL PROFILE                   NO  YES
DBA                            DROP ANY SQL PROFILE                     NO  YES
DBA                            SELECT ANY TRANSACTION                   NO  YES
DBA                            ADVISOR                                  NO  YES
DBA                            DROP ANY RULE                            NO  YES
DBA                            ALTER ANY RULE                           NO  YES
DBA                            ALTER ANY EVALUATION CONTEXT             NO  YES
DBA                            CREATE ANY CONTEXT                       NO  YES
DBA                            MANAGE ANY QUEUE                         NO  YES
DBA                            GLOBAL QUERY REWRITE                     NO  YES

ROLE                           PRIVILEGE                                ADM COM
------------------------------ ---------------------------------------- --- ---
DBA                            QUERY REWRITE                            NO  YES
DBA                            DROP ANY OPERATOR                        NO  YES
DBA                            EXECUTE ANY TYPE                         NO  YES
DBA                            CREATE ANY MATERIALIZED VIEW             NO  YES
DBA                            CREATE MATERIALIZED VIEW                 NO  YES
DBA                            CREATE PUBLIC DATABASE LINK              NO  YES
DBA                            CREATE DATABASE LINK                     NO  YES
DBA                            CREATE ANY SYNONYM                       NO  YES
DBA                            ALTER ANY CLUSTER                        NO  YES
DBA                            DROP USER                                NO  YES
DBA                            MANAGE TABLESPACE                        NO  YES

220 rows selected.
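
3. Setting privileges for business users
Key points:
-- Keep the privileges as small as possible
-- Design a role that is specific to the business application
-- Be able to pass security audits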
-- Create a role for business users
SQL> create role app;    

Role created.

-- By default, grant the CONNECT and RESOURCE roles to the app role
SQL> grant connect,resource to app;

Grant succeeded.

-- The app role may not have enough privileges; grant the system privileges it still needs individually, for example INSERT ANY TABLE
grant insert ANY TABLE to app;

-- Grant the app role to the roidba user
grant app to roidba;

Three important views for checking a user's privileges:
dba_role_privs

dba_sys_privs

role_role_privs
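
The views above combined into one audit query, as an added example that is not from the original article: it walks role grants from a user through nested roles and lists every system privilege reached, flagging ANY privileges and the DBA role. The bind value ROIDBA (the grantee used above) and the review_flag labels are assumptions chosen for this example.

```sql
-- Added example, not from the original article.
-- Run from SQL*Plus as a user that can read the DBA_* views (e.g. / as sysdba).
-- ROIDBA is an assumed bind value; set it to the account under review.
VARIABLE username VARCHAR2(128)
EXEC :username := 'ROIDBA'

WITH granted_roles (role_name, grant_path) AS (
    -- Anchor: roles granted directly to the user.
    SELECT granted_role,
           CAST(grantee || ' -> ' || granted_role AS VARCHAR2(4000))
    FROM   dba_role_privs
    WHERE  grantee = UPPER(:username)
    UNION ALL
    -- Recursive step: roles granted to a role that was already reached.
    -- DBA_ROLE_PRIVS also lists role-to-role grants; ROLE_ROLE_PRIVS shows the
    -- same edges, but only for roles the current session can access.
    SELECT rp.granted_role,
           gr.grant_path || ' -> ' || rp.granted_role
    FROM   granted_roles gr
    JOIN   dba_role_privs rp ON rp.grantee = gr.role_name
),
sources (grantee, granted_via) AS (
    -- The user itself (direct system privileges) plus every role reached.
    SELECT UPPER(:username), 'direct grant' FROM dual
    UNION ALL
    SELECT role_name, grant_path FROM granted_roles
)
SELECT s.granted_via,
       sp.privilege,
       sp.admin_option,
       CASE
           WHEN s.grantee = 'DBA'
               THEN 'DBA role reachable'
           WHEN REGEXP_LIKE(sp.privilege, '(^| )ANY( |$)')
               THEN 'ANY: not limited to own schema'
       END AS review_flag
FROM   sources s
JOIN   dba_sys_privs sp ON sp.grantee = s.grantee
ORDER  BY s.granted_via, sp.privilege;
```

Object privileges are not covered by these three views; they are listed in dba_tab_privs.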
