在实际的生产用户过程中,角色的应用很广泛,那么到底什么是角色呢?
角色是一组权限的集合,可以授权给用户或角色,用于控制用户对对象的访问和行为。
创建用户的时候,你是否为了贪图方便直接授权DBA角色给它呢?其实这是种非常有风险的行为。
下面你可以思考两个问题:
1. connect,resource角色包含哪些权限
2. 如何查询用户具有哪些角色
connect,resource角色包含哪些权限
可以通过DBA_SYS_PRIVES视图来查询
可见,我们将connect,resource角色授于用户就能满足一般用户的需要了。
因此,我们也可以很方便地根据PRIVILEGE字段来查询某些具体的权限,再根据对应角色授权给用户,做好权限控制。
++++++++
SQL> select * from dba_sys_privs where GRANTEE = 'DBA';
GRANTEE PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
DBA CHANGE NOTIFICATION YES
DBA ADMINISTER ANY SQL TUNING SET YES
DBA ALTER ANY SQL PROFILE YES
DBA CREATE RULE YES
DBA EXPORT FULL DATABASE YES
DBA EXECUTE ANY eva lUATION CONTEXT YES
DBA DEQUEUE ANY QUEUE YES
DBA DROP ANY INDEXTYPE YES
DBA ALTER ANY INDEXTYPE YES
DBA EXECUTE ANY LIBRARY YES
DBA CREATE ANY LIBRARY YES
DBA CREATE ANY DIRECTORY YES
DBA ALTER PROFILE YES
DBA EXECUTE ANY PROCEDURE YES
DBA CREATE ROLE YES
DBA SELECT ANY SEQUENCE YES
DBA DROP ANY INDEX YES
DBA UPDATE ANY TABLE YES
DBA INSERT ANY TABLE YES
DBA SELECT ANY TABLE YES
DBA DROP ROLLBACK SEGMENT YES
DBA BECOME USER YES
DBA DROP TABLESPACE YES
DBA ALTER SESSION YES
DBA CREATE SESSION YES
DBA ANALYZE ANY DICTIONARY YES
DBA ALTER ANY RULE SET YES
DBA CREATE RULE SET YES
DBA DEBUG ANY PROCEDURE YES
DBA CREATE DIMENSION YES
DBA ALTER ANY LIBRARY YES
DBA UNDER ANY TYPE YES
DBA DROP ANY MATERIALIZED VIEW YES
DBA DROP ANY TRIGGER YES
DBA ALTER ANY PROCEDURE YES
DBA FORCE ANY TRANSACTION YES
DBA ALTER DATABASE YES
DBA DELETE ANY TABLE YES
DBA ALTER ROLLBACK SEGMENT YES
DBA EXECUTE ANY PROGRAM YES
DBA EXECUTE ANY RULE YES
DBA IMPORT FULL DATABASE YES
DBA EXECUTE ANY RULE SET YES
DBA CREATE ANY RULE SET YES
DBA FLASHBACK ANY TABLE YES
DBA RESUMABLE YES
DBA ADMINISTER DATABASE TRIGGER YES
DBA CREATE ANY OUTLINE YES
DBA ALTER ANY DIMENSION YES
DBA CREATE ANY DIMENSION YES
DBA EXECUTE ANY OPERATOR YES
DBA CREATE TYPE YES
DBA CREATE TRIGGER YES
DBA GRANT ANY ROLE YES
DBA DROP ANY VIEW YES
DBA CREATE VIEW YES
DBA LOCK ANY TABLE YES
DBA ALTER USER YES
DBA CREATE USER YES
DBA ALTER TABLESPACE YES
DBA CREATE TABLESPACE YES
DBA RESTRICTED SESSION YES
DBA CREATE ANY JOB YES
DBA CREATE JOB YES
DBA CREATE ANY RULE YES
DBA DROP ANY eva lUATION CONTEXT YES
DBA CREATE ANY eva lUATION CONTEXT YES
DBA CREATE eva lUATION CONTEXT YES
DBA GRANT ANY OBJECT PRIVILEGE YES
DBA SELECT ANY DICTIONARY YES
DBA DROP ANY DIMENSION YES
DBA UNDER ANY TABLE YES
DBA CREATE INDEXTYPE YES
DBA CREATE ANY OPERATOR YES
DBA DROP ANY LIBRARY YES
DBA ANALYZE ANY YES
DBA ALTER ANY ROLE YES
DBA CREATE ANY SEQUENCE YES
DBA CREATE ANY INDEX YES
DBA CREATE ANY TABLE YES
DBA MANAGE FILE GROUP YES
DBA MANAGE SCHEDULER YES
DBA ADMINISTER RESOURCE MANAGER YES
DBA ALTER ANY OUTLINE YES
DBA DROP ANY CONTEXT YES
DBA EXECUTE ANY INDEXTYPE YES
DBA UNDER ANY VIEW YES
DBA DROP ANY TYPE YES
DBA ALTER ANY TYPE YES
DBA ALTER ANY MATERIALIZED VIEW YES
DBA CREATE PROFILE YES
DBA DROP PUBLIC DATABASE LINK YES
DBA ALTER ANY INDEX YES
DBA CREATE CLUSTER YES
DBA COMMENT ANY TABLE YES
DBA DROP ANY TABLE YES
DBA CREATE ROLLBACK SEGMENT YES
DBA AUDIT SYSTEM YES
DBA ALTER SYSTEM YES
DBA MANAGE ANY FILE GROUP YES
DBA EXECUTE ANY CLASS YES
DBA DROP ANY RULE SET YES
DBA DEBUG CONNECT SESSION YES
DBA ON COMMIT REFRESH YES
DBA ENQUEUE ANY QUEUE YES
DBA CREATE ANY INDEXTYPE YES
DBA CREATE ANY TYPE YES
DBA DROP ANY DIRECTORY YES
DBA ALTER RESOURCE COST YES
DBA CREATE ANY PROCEDURE YES
DBA CREATE PROCEDURE YES
DBA FORCE TRANSACTION YES
DBA ALTER ANY SEQUENCE YES
DBA CREATE SEQUENCE YES
DBA CREATE ANY VIEW YES
DBA DROP PUBLIC SYNONYM YES
DBA DROP ANY SYNONYM Y