How to grant Oracle user/schema privileges properly

Environment: Oracle 11g 64bit
Objective: create and grant proper privileges to a user/schema


Steps:

create tablespace jephe datafile ‘/u01/app/oracle/oradata/jephe.dbf’ size 100m autoextend on next 10m [flashback off]
create user jephe identified by password default tablespace jephe temporary tablespace temp;
grant connect,resource,create view to jephe
revoke unlimited tablespace from jephe
alter user jephe quota unlimited on jephe;

note:
a. If you use impdp to import schema from expdp dump, the unlimited tablespace system privileges will remain, you have to manually revoke that system privilege.

Revoke unlimited tablespace from jephe

This will revoke systemwide unlimited tablespace privileges, otherwise, the user can write to any tablespace

UNLIMITED TABLESPACE system privilege: Overrides all individual tablespace quotas and
gives the user unlimited quota on all tablespaces, including SYSTEM and SYSAUX. This
privilege must be granted with caution.
Note: Be aware that granting the RESOURCE role includes granting this privilege.

b. CREATE PROCEDURE privilege is for creating procedures, functions, packages

c. you can check your privs after login:

select * from session_privs;
select * from session_roles;

d. check role sys,tab and role privileges
sqlplus / as sysdba
select distinct object_name from dba_objects where object_name like 'ROLE_%' order by object_name;

OBJECT_NAME
--------------------------------------------------------------------------------
ROLE_ROLE_PRIVS
ROLE_SYS_PRIVS
ROLE_TAB_PRIVS

SQL> select * from role_sys_privs where role like 'CONNECT';

ROLE PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
CONNECT CREATE SESSION NO

SQL> select * from role_sys_privs where role like '%RESOURCE%';

ROLE PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
RESOURCE CREATE SEQUENCE NO
RESOURCE CREATE TRIGGER NO
RESOURCE CREATE CLUSTER NO
RESOURCE CREATE PROCEDURE NO
RESOURCE CREATE TYPE NO
RESOURCE CREATE OPERATOR NO
RESOURCE CREATE TABLE NO
RESOURCE CREATE INDEXTYPE NO

8 rows selected.

SQL> select * from role_tab_privs where role like '%RESOURCE%';

no rows selected

SQL> select * from role_role_privs where role like '%RESOURCE%';

no rows selected

at 12/16/2009 03:26:00 PM

Labels: