[每日一题]OCP1z0-047 :2013-08-02权限 分配系统权限
这题是考权限的知识点,权限分为两大类,系统权限和对象权限,这题主要讲系统权限,我们先来了解什么是系统权,什么是对象权限吧。
1、系统权限:允许用户在
数据库中执行特定的操作
A、SYSDBA/SYSOPER这两个权限比较特殊
B、DBA的
系统权限是可以查到的
[html] gyj@OCM> select * from dba_sys_privs where grantee='DBA'; GRANTEE PRIVILEGE ADM ---------------------------------------------------------------------- --- DBA DROP ANY CUBE BUILD PROCESS YES DBA CREATE CUBE YES DBA ALTER ANY CUBE DIMENSION YES DBA ALTER ANY MINING MODEL YES (中间结果省略) ………………………….. 202 rows selected.
C、普通用户的系统权限
[html] gyj@OCM> select * from dba_sys_privs where grantee='GYJ'; GRANTEE PRIVILEGE ADM ------------------------------ ------------------------------------------- GYJ UNLIMITED TABLESPACE NO
D、 当前会话上的系统权限
[html] gyj@OCM> select * from session_privs; PRIVILEGE ---------------------------------------- ALTER SYSTEM AUDIT SYSTEM CREATE SESSION ALTER SESSION RESTRICTED SESSION (中间结果省略) …………………………… 202 rows selected.
2、对象权限:允许用户访问和操纵特定的对象
A、查对象权限
[html] gyj@OCM> select * fromdba_tab_privs where grantee='GYJ'; no rows selected
B、查对象上列的权限
[html] gyj@OCM>select * from dba_col_privs wheregrantee='GYJ'; o rows selected
为什么没显示对象的权限和对象上列的权限呢,用户GYJ明明有对象的呀:
[html] gyj@OCM> show user; USER is "GYJ" gyj@OCM> select table_name from tabs; TABLE_NAME ------------------------------ T10
好,我登录到HR用户下给GYJ用户授对象权限
[html] sys@OCM> conn hr/hr Connected. hr@OCM> grant select on employees to gyj; Grant succeeded. hr@OCM> grant update (department_id) onemployees to gyj; Grant succeeded.
再次查对象权限就有结果了,这下明白这个意思了吧,好!这个就不多说了。
[html] hr@OCM> select * from dba_tab_privs wheregrantee='GYJ'; GRANTEE OWNER TABLE_NAME GRANTOR PRIVILEGE GRA HIE ------------------------------------------------------------ ------------------------------------------------------------ ---------------------------------------- --- --- GYJ HR EMPLOYEES HR SELECT NO NO hr@OCM> select * from dba_col_privs where grantee='GYJ'; GRANTEE OWNER TABLE_NAME COLUMN_NAME GRANTOR PRIVILEGE GRA ------------------------------ ------------------------------------------------------------ ------------------------------------------------------------ ---------------------------------------- --- GYJ HR EMPLOYEES DEPARTMENT_ID HR UPDATE NO
答案A:
GRANT EXECUTE ON proc1 TO PUBLIC;
即grant 权限 on 数据库对象 to 用户是属于对象权限,而不是系统权限,所以答案不符合题意。
答案B:在create view后面不能加具体某个对象,没有这样的写法,操作如下直接报错
gyj@OCM> GRANT CREATE VIEW ON T1TO hr;
GRANT CREATE VIEW ON T1 TO hr
*
ERROR at line 1:
ORA-00990: missing or invalid privilege
分配创建视图的系统权限应该这样写
gyj@OCM> GRANT CREATE VIEW TOhr; Grant succeeded. gyj@OCM> GRANT CREATE ANY VIEW TO HR; Grant succeeded.
查整个库关于CREATE VIEW的系统权限,如下:
答案D:没有ALL这个用户
gyj@OCM> GRANT CREATE SESSION TO ALL;
GRANT CREATE SESSION TO ALL
*
ERROR at line 1:
ORA-00987: missing or invalid username(s)
应该具体某个用户,比如给hr用户授予连接的权限
gyj@OCM> GRANT CREATE SESSION TO HR;