table level privileges
Normally we grant or revoke roles or privileges to/from a schema. Can we do the same to/from a table or any other object?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
There are three types of privileges: system privileges, object privileges and role privileges.
A system privilege is a privilege to do something in the database - for example CREATE SESSION. These privileges can be granted to users (ie. schemas) and/or roles.
An object privilege is a privilege to do something with regards to a particular database object - for example, to SELECT from a particular table, to INSERT into a particular table, to EXECUTE a particular procedure.These privileges can be granted only on a specific database object by users (schemas) with grant authority on them. (A user can have grant authority by owning the object, or by having the privilege granted to him with the GRANT option.) There is no statement that allows you to grant SELECT on all the tables in a particular schema to a particular user, you have to specify each table individually. Also you cannot issue a default grant that applies to tables that haven't even been created yet.
Object privileges can be granted to users (schemas) or roles.
Role privileges (ie roles) can be granted to users or to other roles.
Where ever you might grant something to a user can also grant it to PUBLIC. Then it becomes available to all the users, even those users that get created later will have the privilege.
When you grant a privilege through a role the user cannot use it to create a database object. For example, suppose you have a table TAB_NEWS with fields ITEM, SEQID, TIMESTAMP, NEWSLINE and you grant SELECT on that TABLE to the role READ_NEWS. Assume you have a public synonym for that table. Then a user with that role can issue the command
SELECT NEWSLINE FROM TAB_NEWS WHERE TIMESTAMP > SYSDATE - 3 ORDER BY TIMESTAMP, ITEM, SEQID;
that will show him the news from the last 3 days. He cannot create a view LAST_3_DAYS with the command:
CREATE VIEW LAST_3_DAYS AS SELECT NEWSLINE FROM TAB_NEWS WHERE TIMESTAMP > SYSDATE - 3 ORDER BY TIMESTAMP, ITEM, SEQID;
This is because the object (the view) would depend on a privilege he had through a role.
If you had granted SELECT on TAB_NEWS to PUBLIC, then he could have created the view. However he could not have granted SELECT on his view to anyone else. The only solution to that would be for you to grant SELECT on TAB_NEWS to PUBLIC with the GRANT option. Then he could have granted SELECT on his view to other users.
Besides views this also applies to procedures, packages and functions. However you do not have the option of granting a privilege to the object directly. If you want user ABC to be able to create the view LAST_3_DAYS on your table, then you have to grant the privilege to the user, you cannot grant it specifically to the VIEW. (And similarly you cannot grant object privileges directly to a PROCEDURE, PACKAGE or FUNCTION.)
A system privilege is a privilege to do something in the database - for example CREATE SESSION. These privileges can be granted to users (ie. schemas) and/or roles.
An object privilege is a privilege to do something with regards to a particular database object - for example, to SELECT from a particular table, to INSERT into a particular table, to EXECUTE a particular procedure.These privileges can be granted only on a specific database object by users (schemas) with grant authority on them. (A user can have grant authority by owning the object, or by having the privilege granted to him with the GRANT option.) There is no statement that allows you to grant SELECT on all the tables in a particular schema to a particular user, you have to specify each table individually. Also you cannot issue a default grant that applies to tables that haven't even been created yet.
Object privileges can be granted to users (schemas) or roles.
Role privileges (ie roles) can be granted to users or to other roles.
Where ever you might grant something to a user can also grant it to PUBLIC. Then it becomes available to all the users, even those users that get created later will have the privilege.
When you grant a privilege through a role the user cannot use it to create a database object. For example, suppose you have a table TAB_NEWS with fields ITEM, SEQID, TIMESTAMP, NEWSLINE and you grant SELECT on that TABLE to the role READ_NEWS. Assume you have a public synonym for that table. Then a user with that role can issue the command
SELECT NEWSLINE FROM TAB_NEWS WHERE TIMESTAMP > SYSDATE - 3 ORDER BY TIMESTAMP, ITEM, SEQID;
that will show him the news from the last 3 days. He cannot create a view LAST_3_DAYS with the command:
CREATE VIEW LAST_3_DAYS AS SELECT NEWSLINE FROM TAB_NEWS WHERE TIMESTAMP > SYSDATE - 3 ORDER BY TIMESTAMP, ITEM, SEQID;
This is because the object (the view) would depend on a privilege he had through a role.
If you had granted SELECT on TAB_NEWS to PUBLIC, then he could have created the view. However he could not have granted SELECT on his view to anyone else. The only solution to that would be for you to grant SELECT on TAB_NEWS to PUBLIC with the GRANT option. Then he could have granted SELECT on his view to other users.
Besides views this also applies to procedures, packages and functions. However you do not have the option of granting a privilege to the object directly. If you want user ABC to be able to create the view LAST_3_DAYS on your table, then you have to grant the privilege to the user, you cannot grant it specifically to the VIEW. (And similarly you cannot grant object privileges directly to a PROCEDURE, PACKAGE or FUNCTION.)
ASKER
Dear Mr. Highmarks,
If you would like more than allocated 50 points, please be elaborate like Mr. Marek_wiechula. He has given a comrehensive answer. But to my question, yours is a precise answer assuming i am good. But I have started off 5 months ago and for a weak case like me more upload is required. Anyway, thanx a ton, your answer was equally viable.
with regards
( K. Murli Krishna )
If you would like more than allocated 50 points, please be elaborate like Mr. Marek_wiechula. He has given a comrehensive answer. But to my question, yours is a precise answer assuming i am good. But I have started off 5 months ago and for a weak case like me more upload is required. Anyway, thanx a ton, your answer was equally viable.
with regards
( K. Murli Krishna )
ASKER
Dear Mr. Warek_wiechula,
I love you. You gave such a fantastic answer that i am dumbfounded. I have started off as oracle dba in effect 4 months back. I accepted Mr. Highmarks comment as a answer and graded him A with 50 unchanged points since he gave a very precise answer. I want to accept yours and give you 75 points but somehow that button stands disabled. My mailid is kmkrishna@dev.vsofti.stph.
with regards
( K. Murli Krishna )
I love you. You gave such a fantastic answer that i am dumbfounded. I have started off as oracle dba in effect 4 months back. I accepted Mr. Highmarks comment as a answer and graded him A with 50 unchanged points since he gave a very precise answer. I want to accept yours and give you 75 points but somehow that button stands disabled. My mailid is kmkrishna@dev.vsofti.stph.
with regards
( K. Murli Krishna )
ASKER