Re: User List for Certain Privs
From: Sanjay Mishra <smishra_97_at_yahoo.com>
Date: Tue, 19 May 2009 11:37:50 -0700 (PDT)
Message-ID: <740931.94798.qm_at_web51307.mail.re2.yahoo.com>
Date: Tue, 19 May 2009 11:37:50 -0700 (PDT)
Message-ID: <740931.94798.qm_at_web51307.mail.re2.yahoo.com>
Thanks Karl ________________________________ From: Karl Arao <karlarao_at_gmail.com> To: Mark.Bobak_at_proquest.com Cc: "smishra_97_at_yahoo.com" <smishra_97_at_yahoo.com>; "oracle-l_at_freelists.org" <oracle-l@freelists.org> Sent: Monday, May 18, 2009 10:09:31 PM Subject: Re: User List for Certain Privs Hi Sanjay, You could also take a look at Effective Oracle Database 10g Security by Design, very nice security book! http://www.mhprofessional.com/product.php?cat=7&isbn=0072231300 scripts here http://www.mhprofessional.com/downloads/products/0072231300/0072231300_code_old.zip Below will show you direct/indirect roles granted to a user: CREATE ROLE a; CREATE ROLE b; CREATE ROLE c; CREATE ROLE d; CREATE ROLE e; GRANT a TO b; GRANT b TO c; GRANT c TO d; GRANT e TO c; GRANT c TO d; GRANT e TO c; -- Granting D to SCOTT will give SCOTT all roles GRANT d TO scott; -- Create a table and grant privileges to role A CREATE TABLE obj_of_interest AS SELECT * FROM DUAL; GRANT SELECT ON obj_of_interest TO a; EXEC show_roles.display('scott') Direct Role:�� CONNECT�� Direct Role:�� D Indirect Role: ..C via D Indirect Role: ....B via C Indirect Role: ......A via B Indirect Role: ....E via C�� Direct Role:�� RESOURCE���� PL/SQL procedure successfully completed. scott_at_KNOX10g> COL privilege format a20�� scott_at_KNOX10g> COL object format a20�� scott_at_KNOX10g> COL grantee format a20�� scott_at_KNOX10g> SELECT privilege, object, grantee�� � 2��� FROM user_object_privs���� � 3�� WHERE owner = 'SEC_MGR' AND OBJECT = 'OBJ_OF_INTEREST'; � PRIVILEGE����������� OBJECT�������������� GRANTEE�� -------------------- -------------------- --------------------�� SELECT�������������� OBJ_OF_INTEREST����� A CREATE OR REPLACE PACKAGE show_roles AS � PROCEDURE display (p_username IN VARCHAR2); END; / CREATE OR REPLACE PACKAGE BODY show_roles AS -------------------------------------------------------- � FUNCTION convert_level (p_level IN NUMBER) ��� RETURN VARCHAR2 � AS ��� l_str� VARCHAR2 (32767); � BEGIN ��� FOR i IN 1 .. p_level ��� LOOP ����� l_str := l_str || '..'; ��� END LOOP; ��� RETURN l_str; � END; -------------------------------------------------------- � PROCEDURE recursive_role_getter ( ��� p_role�� IN� VARCHAR2, ��� p_level� IN� NUMBER) � AS � BEGIN ��� FOR irec IN (SELECT�� granted_role �������������������� FROM dba_role_privs ������������������� WHERE grantee = UPPER (p_role) ���������������� ORDER BY 1) ��� LOOP ����� DBMS_OUTPUT.put_line (�� 'Indirect Role: ' ��������������������������� || convert_level (p_level) ��������������������������� || irec.granted_role ��������������������������� || ' via ' ��������������������������� || p_role); ����� recursive_role_getter (irec.granted_role, ���������������������������� p_level + 1);� -- recurse ��� END LOOP; � EXCEPTION ��� WHEN OTHERS ��� THEN ����� NULL; � END; -------------------------------------------------------- � PROCEDURE display (p_username IN VARCHAR2) � AS � BEGIN ��� FOR rec IN (SELECT�� granted_role ������������������� FROM dba_role_privs ������������������ WHERE grantee = UPPER (p_username) ��������������� ORDER BY 1) ��� LOOP ����� DBMS_OUTPUT.put_line (�� 'Direct Role:�� ' ��������������������������� || rec.granted_role); ����� recursive_role_getter (rec.granted_role, 1); ��� END LOOP; � END; -------------------------------------------------------- END; / - Karl Arao http://karlarao.wordpress.com On Tue, May 19, 2009 at 2:41 AM, Bobak, Mark <Mark.Bobak_at_proquest.com> wrote: Sanjay, � I just saw a similar discussion on MetaLink Forum (Community, whatever) just now. � Someone posted this that you may find useful: undef username� col "User/Role" for a40� col "Priv/Role" for a30� select lpad(' ',level*2,' ')||c "User/Role" ,p "Priv/Role",a "With Admin" from (� select granted_role p, grantee c, admin_option a from dba_role_privs� union� select 'PUBLIC' p, upper('&&username') c, 'NO' a from dual� union� select privilege p, grantee c, admin_option a from dba_sys_privs� order by c� ) x� connect by c = prior p� start with c = upper('&&username');� � � Hope that helps, � -Mark From:oracle-l-bounce_at_freelists.org [mailto:oracle-l-bounce_at_freelists.org] On Behalf Of Sanjay Mishra Sent: Monday, May 18, 2009 12:40 PM To: smishra_97_at_yahoo.com; oracle-l_at_freelists.org Subject: Re: User List for Certain Privs � I am trying the following and�if somebody can suggest more effeciently � 1� select grantee, 'DIRECT' from dba_sys_privs where grantee not in (select role from role_sys_privs where privilege='CREATE SESSION') � 2� union � 3* select grantee ,granted_role from dba_role_privs where granted_role in (select role from role_sys_privs where privilege='CREATE SESSION') � ________________________________ From:Sanjay Mishra <smishra_97_at_yahoo.com> To: oracle-l_at_freelists.org Sent: Monday, May 18, 2009 12:31:02 PM Subject: User List for Certain Privs Hi � Can somebody shared the SQL who can give the list of user based on PRIVILEGE passed to the script. e. I want to create a list of user who has CREATE SESSION privlege. It should only show me the username or if�possible to include Direct/Role� � I need to create a report that can list the output as Username��� ��� Direct/Role sanjay��� ��� ��� ��� Direct santosh��� ��� ����� Role � Thanks Sanjay
-- http://www.freelists.org/webpage/oracle-lReceived on Tue May 19 2009 - 13:37:50 CDT