Chinaunix首页 | 论坛 | 博客
  • 博客访问: 2783372
  • 博文数量: 423
  • 博客积分: 7770
  • 博客等级: 少将
  • 技术积分: 4766
  • 用 户 组: 普通用户
  • 注册时间: 2006-11-09 11:58
个人简介

Oracle/DB2/Postgresql/Mysql/Hadoop/Greenplum/Postgres-xl/Mongodb

文章分类

全部博文(423)

文章存档

2019年(3)

2018年(6)

2017年(27)

2016年(23)

2015年(30)

2014年(16)

2013年(31)

2012年(73)

2011年(45)

2010年(14)

2009年(30)

2008年(30)

2007年(63)

2006年(32)

分类: Oracle

2012-08-03 15:27:22

Cannot be done. In Oracle privileges are granted on specific objects, unless you have the highpowered ANY privileges, which grant access to any object in any schema.

This is one of those things which seems quite annoying but actually is quite sound. There is no good business reason for granting privileges on all on the objects in a schema en masse. Either

  1. the second schema really needs just a sub-set of privilges on a sub-set of objects; or
  2. the second schema is entirely unnecessary.

Now it may be that the sub-set in the first instance is a very large sub-set. But laziness is not an excuse for poor security practices.

What we can do is generate the grant statements from the data dictionary:


 

点击(此处)折叠或打开

  1. select 'grant select on '||table_name||' to B'
  2. from user_tables
  3. /


 

for a script to be run by user A).

This is still better than granting privileges on the schema, because it means at least any new object added by user A will not automatically be propagated to B without an additional action and, hence, without some additional thought as to whether it is appropriate.

阅读(989) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~