There was a mail in Turkish Oracle Users group mailing list about “why a users can still alter a table despite all privileges has been revoked (only connect privilege is left). My answer was to double check if there is any privilege was left by selecting DBA_TAB_PRIVS for that user, but the best answer send by Yasin Baskan (Oracle Today). He claimed and proved that, if the objects are created/owned by that user he can still alter the objects without any privilege. Below is how he proved his claim and a little addition from me (privileges on different schema test).
First create a user with connect and dba privileges.
Create tables with that user under his own schema;
Create tables with that user under HR schema;
Revoke DBA privilage from user; (the costst user is must disconnect after revoke to connect with new privs)
Test ddl on table ;
He is still altering but can he create new ?
What about the table he created on HR schema, can he alter it ?He couldn’t as I expected because he doesn’t have access to that schema.
What privileges user has ? (Checked by find_all_privs.sql script written by Pete Finnegan ). CONNECT and CREATE SESSION
What if other one creates a table on coststs schema. He still has access as you might guess
The privileges comes from schema owning and this is the expected behaviour. You can not disable this option, so you must think different ways such as creating different user or moving tables under another schema, to prevent a user from accessing tablesunder its schem.
Special thanks goes to Yasin for this entry.
Thanks for the credit Coskan.
Comment by Yas — December 7, 2007 @ 4:11 pm
Just for completeness sake, this wasn’t always the case. Back in day, the CONNECT role used to contain the CREATE TABLE privilege, amongst others (and in the above case, the example to create table T3 would then have worked). I never used CONNECT or RESOURCE for that very reason but rather implemented custom roles/quotas for application schemas and users to explicitly define their privileges independent of whatever would be in the current (or next) Oracle release. It’s nice to see that Oracle (at least in 10g rel. 2) has taken the least permissive/privileged principle to heart.
Comment by Marvin — April 30, 2008 @ 4:38 pm
It’s a good tutorial Mr Coskan. Hopefully Oracle is always easy to be learned by beginners.
regards
tiftazani.wordpress.com
Comment by tiftazani — July 27, 2008 @ 6:51 pm
This tutorial helped me a lotb .It was very useful , Thanks to Mr Coskan.
regards vel
Comment by murugavel — October 17, 2008 @ 6:10 pm
This tutorial helped me a lot .It was very useful , Thanks to Mr Coskan.
regards vel
Comment by murugavel — October 17, 2008 @ 6:11 pm