How SELECT ANY TABLE privilege work in Oracle?

Multi tool use
Multi tool use









1














I would like to know how the privilege SELECT ANY TABLE works internally in Oracle.



Is it treated as a single privilege? Or is it equivalent to make a GRANT SELECT ON MyTable TO MyUser for each table?



As example, I would like to know if this work :



GRANT SELECT ANY TABLE TO PUBLIC;
REVOKE ALL ON MY_TABLE FROM PUBLIC;


Would I still have access to MY_TABLE from any user after those queries?






sql oracle privileges







share|improve this question























  • After few tests it seems ANY TABLE privilege are treated as a single privileges but do not generate privilege for each table individually. But I would like confirmation :p
    – LostReality
    Nov 12 at 10:56















1














I would like to know how the privilege SELECT ANY TABLE works internally in Oracle.



Is it treated as a single privilege? Or is it equivalent to make a GRANT SELECT ON MyTable TO MyUser for each table?



As example, I would like to know if this work :



GRANT SELECT ANY TABLE TO PUBLIC;
REVOKE ALL ON MY_TABLE FROM PUBLIC;


Would I still have access to MY_TABLE from any user after those queries?






sql oracle privileges







share|improve this question























  • After few tests it seems ANY TABLE privilege are treated as a single privileges but do not generate privilege for each table individually. But I would like confirmation :p
    – LostReality
    Nov 12 at 10:56













1












1








1







I would like to know how the privilege SELECT ANY TABLE works internally in Oracle.



Is it treated as a single privilege? Or is it equivalent to make a GRANT SELECT ON MyTable TO MyUser for each table?



As example, I would like to know if this work :



GRANT SELECT ANY TABLE TO PUBLIC;
REVOKE ALL ON MY_TABLE FROM PUBLIC;


Would I still have access to MY_TABLE from any user after those queries?






sql oracle privileges







share|improve this question















I would like to know how the privilege SELECT ANY TABLE works internally in Oracle.



Is it treated as a single privilege? Or is it equivalent to make a GRANT SELECT ON MyTable TO MyUser for each table?



As example, I would like to know if this work :



GRANT SELECT ANY TABLE TO PUBLIC;
REVOKE ALL ON MY_TABLE FROM PUBLIC;


Would I still have access to MY_TABLE from any user after those queries?






sql oracle privileges




sql oracle privileges






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 12 at 11:07









WhatsThePoint

2,15342036




2,15342036










asked Nov 12 at 10:34









LostReality

277316




277316











  • After few tests it seems ANY TABLE privilege are treated as a single privileges but do not generate privilege for each table individually. But I would like confirmation :p
    – LostReality
    Nov 12 at 10:56
















  • After few tests it seems ANY TABLE privilege are treated as a single privileges but do not generate privilege for each table individually. But I would like confirmation :p
    – LostReality
    Nov 12 at 10:56















After few tests it seems ANY TABLE privilege are treated as a single privileges but do not generate privilege for each table individually. But I would like confirmation :p
– LostReality
Nov 12 at 10:56




After few tests it seems ANY TABLE privilege are treated as a single privileges but do not generate privilege for each table individually. But I would like confirmation :p
– LostReality
Nov 12 at 10:56












1 Answer
1






active

oldest

votes


















2














Yes, all users would still be able to query MY_TABLE.



You are looking at different privilege types:




The main types of user privileges are as follows:




  • System privileges—A system privilege gives a user the ability to perform a particular action, or to perform an action on any schema objects of a particular type. For example, the system privilege CREATE TABLE permits a user to create tables in the schema associated with that user, and the system privilege CREATE USER permits a user to create database users.


  • Object privileges—An objectprivilege gives a user the ability to perform a particular action on a specific schema object. Different object privileges are available for different types of schema objects. The privilege to select rows from the EMPLOYEES table or to delete rows from the DEPARTMENTS table are examples of object privileges.



SELECT ANY TABLE is a system privilege that allows the grantee to:




Query tables, views, or materialized views in any schema except SYS. Obtain row locks using a SELECT ... FOR UPDATE.




When you grant that it is a standalone single privilege, visible in dba_sys_privs. When Oracle decides if the user is allowed to access a table it can look first at system privleges, and only goes on to look for specific object privileges (visible in dba_tab_privs) if there isn't a system privilege that allows the action being performed.



System privileges are not translated into individual privileges on each object in the database - maintaining that would be horrible, as creating a new object would have to automatically figure out who should be granted privileges on it based on the system privilege; and it would mean that you couldn't tell the difference between that and individually granted privileges. So, for instance, if you explicitly granted select privs on a specific table, then the user was granted SELECT ANY TABLE, and then they had SELECT ANY TABLE revoked - what happens to the previous explicit grant?



Your scenario is basically the same, except you've specifed all privileges on the object to be revoked. If those are the only two commands involved then PUBLIC has no explicit privileges on MY_TABLE so revoking doesn't really do anything; but if any explicit privileges on that table had been granted then they would be revoked. That has no impact on the higher-level SELECT ANY TABLE system privileg though.



Privileges are cummulative; revoking a privilege on a specific object doesn't block access to that object, it just removes one possible access route.



Incidentally, hopefully you've used a contrived example, as such powerful system privileges should be granted sparingly and only when really needed. Letting any user query any table in your database potentially blows a big hole in the security model. Again from the docs:




Oracle recommends that you only grant the ANY privileges to trusted users




and




Oracle recommends against granting system privileges to PUBLIC.




and read more in the database security guide.






share|improve this answer






















  • Thank you, that's way clearer with your explanation
    – LostReality
    Nov 12 at 11:14










Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53260312%2fhow-select-any-table-privilege-work-in-oracle%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









2














Yes, all users would still be able to query MY_TABLE.



You are looking at different privilege types:




The main types of user privileges are as follows:




  • System privileges—A system privilege gives a user the ability to perform a particular action, or to perform an action on any schema objects of a particular type. For example, the system privilege CREATE TABLE permits a user to create tables in the schema associated with that user, and the system privilege CREATE USER permits a user to create database users.


  • Object privileges—An objectprivilege gives a user the ability to perform a particular action on a specific schema object. Different object privileges are available for different types of schema objects. The privilege to select rows from the EMPLOYEES table or to delete rows from the DEPARTMENTS table are examples of object privileges.



SELECT ANY TABLE is a system privilege that allows the grantee to:




Query tables, views, or materialized views in any schema except SYS. Obtain row locks using a SELECT ... FOR UPDATE.




When you grant that it is a standalone single privilege, visible in dba_sys_privs. When Oracle decides if the user is allowed to access a table it can look first at system privleges, and only goes on to look for specific object privileges (visible in dba_tab_privs) if there isn't a system privilege that allows the action being performed.



System privileges are not translated into individual privileges on each object in the database - maintaining that would be horrible, as creating a new object would have to automatically figure out who should be granted privileges on it based on the system privilege; and it would mean that you couldn't tell the difference between that and individually granted privileges. So, for instance, if you explicitly granted select privs on a specific table, then the user was granted SELECT ANY TABLE, and then they had SELECT ANY TABLE revoked - what happens to the previous explicit grant?



Your scenario is basically the same, except you've specifed all privileges on the object to be revoked. If those are the only two commands involved then PUBLIC has no explicit privileges on MY_TABLE so revoking doesn't really do anything; but if any explicit privileges on that table had been granted then they would be revoked. That has no impact on the higher-level SELECT ANY TABLE system privileg though.



Privileges are cummulative; revoking a privilege on a specific object doesn't block access to that object, it just removes one possible access route.



Incidentally, hopefully you've used a contrived example, as such powerful system privileges should be granted sparingly and only when really needed. Letting any user query any table in your database potentially blows a big hole in the security model. Again from the docs:




Oracle recommends that you only grant the ANY privileges to trusted users




and




Oracle recommends against granting system privileges to PUBLIC.




and read more in the database security guide.






share|improve this answer






















  • Thank you, that's way clearer with your explanation
    – LostReality
    Nov 12 at 11:14















2














Yes, all users would still be able to query MY_TABLE.



You are looking at different privilege types:




The main types of user privileges are as follows:




  • System privileges—A system privilege gives a user the ability to perform a particular action, or to perform an action on any schema objects of a particular type. For example, the system privilege CREATE TABLE permits a user to create tables in the schema associated with that user, and the system privilege CREATE USER permits a user to create database users.


  • Object privileges—An objectprivilege gives a user the ability to perform a particular action on a specific schema object. Different object privileges are available for different types of schema objects. The privilege to select rows from the EMPLOYEES table or to delete rows from the DEPARTMENTS table are examples of object privileges.



SELECT ANY TABLE is a system privilege that allows the grantee to:




Query tables, views, or materialized views in any schema except SYS. Obtain row locks using a SELECT ... FOR UPDATE.




When you grant that it is a standalone single privilege, visible in dba_sys_privs. When Oracle decides if the user is allowed to access a table it can look first at system privleges, and only goes on to look for specific object privileges (visible in dba_tab_privs) if there isn't a system privilege that allows the action being performed.



System privileges are not translated into individual privileges on each object in the database - maintaining that would be horrible, as creating a new object would have to automatically figure out who should be granted privileges on it based on the system privilege; and it would mean that you couldn't tell the difference between that and individually granted privileges. So, for instance, if you explicitly granted select privs on a specific table, then the user was granted SELECT ANY TABLE, and then they had SELECT ANY TABLE revoked - what happens to the previous explicit grant?



Your scenario is basically the same, except you've specifed all privileges on the object to be revoked. If those are the only two commands involved then PUBLIC has no explicit privileges on MY_TABLE so revoking doesn't really do anything; but if any explicit privileges on that table had been granted then they would be revoked. That has no impact on the higher-level SELECT ANY TABLE system privileg though.



Privileges are cummulative; revoking a privilege on a specific object doesn't block access to that object, it just removes one possible access route.



Incidentally, hopefully you've used a contrived example, as such powerful system privileges should be granted sparingly and only when really needed. Letting any user query any table in your database potentially blows a big hole in the security model. Again from the docs:




Oracle recommends that you only grant the ANY privileges to trusted users




and




Oracle recommends against granting system privileges to PUBLIC.




and read more in the database security guide.






share|improve this answer






















  • Thank you, that's way clearer with your explanation
    – LostReality
    Nov 12 at 11:14













2












2








2






Yes, all users would still be able to query MY_TABLE.



You are looking at different privilege types:




The main types of user privileges are as follows:




  • System privileges—A system privilege gives a user the ability to perform a particular action, or to perform an action on any schema objects of a particular type. For example, the system privilege CREATE TABLE permits a user to create tables in the schema associated with that user, and the system privilege CREATE USER permits a user to create database users.


  • Object privileges—An objectprivilege gives a user the ability to perform a particular action on a specific schema object. Different object privileges are available for different types of schema objects. The privilege to select rows from the EMPLOYEES table or to delete rows from the DEPARTMENTS table are examples of object privileges.



SELECT ANY TABLE is a system privilege that allows the grantee to:




Query tables, views, or materialized views in any schema except SYS. Obtain row locks using a SELECT ... FOR UPDATE.




When you grant that it is a standalone single privilege, visible in dba_sys_privs. When Oracle decides if the user is allowed to access a table it can look first at system privleges, and only goes on to look for specific object privileges (visible in dba_tab_privs) if there isn't a system privilege that allows the action being performed.



System privileges are not translated into individual privileges on each object in the database - maintaining that would be horrible, as creating a new object would have to automatically figure out who should be granted privileges on it based on the system privilege; and it would mean that you couldn't tell the difference between that and individually granted privileges. So, for instance, if you explicitly granted select privs on a specific table, then the user was granted SELECT ANY TABLE, and then they had SELECT ANY TABLE revoked - what happens to the previous explicit grant?



Your scenario is basically the same, except you've specifed all privileges on the object to be revoked. If those are the only two commands involved then PUBLIC has no explicit privileges on MY_TABLE so revoking doesn't really do anything; but if any explicit privileges on that table had been granted then they would be revoked. That has no impact on the higher-level SELECT ANY TABLE system privileg though.



Privileges are cummulative; revoking a privilege on a specific object doesn't block access to that object, it just removes one possible access route.



Incidentally, hopefully you've used a contrived example, as such powerful system privileges should be granted sparingly and only when really needed. Letting any user query any table in your database potentially blows a big hole in the security model. Again from the docs:




Oracle recommends that you only grant the ANY privileges to trusted users




and




Oracle recommends against granting system privileges to PUBLIC.




and read more in the database security guide.






share|improve this answer














Yes, all users would still be able to query MY_TABLE.



You are looking at different privilege types:




The main types of user privileges are as follows:




  • System privileges—A system privilege gives a user the ability to perform a particular action, or to perform an action on any schema objects of a particular type. For example, the system privilege CREATE TABLE permits a user to create tables in the schema associated with that user, and the system privilege CREATE USER permits a user to create database users.


  • Object privileges—An objectprivilege gives a user the ability to perform a particular action on a specific schema object. Different object privileges are available for different types of schema objects. The privilege to select rows from the EMPLOYEES table or to delete rows from the DEPARTMENTS table are examples of object privileges.



SELECT ANY TABLE is a system privilege that allows the grantee to:




Query tables, views, or materialized views in any schema except SYS. Obtain row locks using a SELECT ... FOR UPDATE.




When you grant that it is a standalone single privilege, visible in dba_sys_privs. When Oracle decides if the user is allowed to access a table it can look first at system privleges, and only goes on to look for specific object privileges (visible in dba_tab_privs) if there isn't a system privilege that allows the action being performed.



System privileges are not translated into individual privileges on each object in the database - maintaining that would be horrible, as creating a new object would have to automatically figure out who should be granted privileges on it based on the system privilege; and it would mean that you couldn't tell the difference between that and individually granted privileges. So, for instance, if you explicitly granted select privs on a specific table, then the user was granted SELECT ANY TABLE, and then they had SELECT ANY TABLE revoked - what happens to the previous explicit grant?



Your scenario is basically the same, except you've specifed all privileges on the object to be revoked. If those are the only two commands involved then PUBLIC has no explicit privileges on MY_TABLE so revoking doesn't really do anything; but if any explicit privileges on that table had been granted then they would be revoked. That has no impact on the higher-level SELECT ANY TABLE system privileg though.



Privileges are cummulative; revoking a privilege on a specific object doesn't block access to that object, it just removes one possible access route.



Incidentally, hopefully you've used a contrived example, as such powerful system privileges should be granted sparingly and only when really needed. Letting any user query any table in your database potentially blows a big hole in the security model. Again from the docs:




Oracle recommends that you only grant the ANY privileges to trusted users




and




Oracle recommends against granting system privileges to PUBLIC.




and read more in the database security guide.







share|improve this answer














share|improve this answer



share|improve this answer








edited Nov 12 at 11:04

























answered Nov 12 at 10:58









Alex Poole

129k6101176




129k6101176











  • Thank you, that's way clearer with your explanation
    – LostReality
    Nov 12 at 11:14
















  • Thank you, that's way clearer with your explanation
    – LostReality
    Nov 12 at 11:14















Thank you, that's way clearer with your explanation
– LostReality
Nov 12 at 11:14




Thank you, that's way clearer with your explanation
– LostReality
Nov 12 at 11:14

















draft saved

draft discarded
















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.





Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


Please pay close attention to the following guidance:


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53260312%2fhow-select-any-table-privilege-work-in-oracle%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







f UJcUuzDzY Ha
-
qjWzC,s qhebqRmbHrK5eUmca6sTYQGKU e5QQTT,NZgRGB 9 vMNhIv3K wOhVjfqOENfTWmuS5 b7 P1OWvw W,x7OU

Popular posts from this blog

Top Tejano songwriter Luis Silva dead of heart attack at 64

Image
Ramiro Burr's New Blog - to go back: www.ramiroburr.com From Latin rock to reggaeton, boleros to blues,Tex-Mex to Tejano, conjunto to corridos and beyond, Ramiro Burr has it covered. If you have a new CD release, a trivia question or are looking for tour info, post a message here or e-mail Ramiro directly at: musicreporter@gmail.com Top Tejano songwriter Luis Silva dead of heart attack at 64 By Ramiro Burr on October 23, 2008 8:40 AM | Permalink | Comments (12) | TrackBacks (0) UPDATE: Luis Silva Funeral Service details released Visitation 4-9 p.m. Saturday, Rosary service 6 p.m. Saturday at Porter Loring, 1101 McCullough Ave Funeral Service 10:30 a.m. Monday St. Anthony De Padua Catholic Church, Burial Service at Chapel Hills, 7735 Gibbs Sprawl Road. Porter Loring (210) 227-8221 Related New Flash: Irma Laura Lopez: long time record promoter killed in accident NewsFlash: 9:02 a.m. (New comments below) Luis Silva , one of the most well-known ...
Read more

Can't figure out why I get Error loading static resource from app.xaml

Image
1 I having trouble getting my ResourceDictionary.MergedDictionaries to load from app.xaml. My WPF app has a static class with a Main defined and startup object set to it. Within Main I created an instance of App and run it. The override OnStartup fires and the mainwindow.cs InitializeComponent gives the error "Message "Cannot find resource named 'MaterialDesignFloatingActionMiniAccentButton'. If I put the resources in the mainwindow.xaml everything is fine, but I wanted them to load at the app level so I they are not in each page. Any help appreciated. public partial class App protected override void OnStartup(StartupEventArgs e) base.OnStartup(e); var app = new MainWindow(); var context = new MainWindowViewModel(); app.DataContext = context; app.Show(); from the Main.. var app = new App(); app.Run(); app.xaml.. <Application x:Class="GS.Server.App" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:...
Read more

How to fill missing numeric if any value in a subset is missing, all other columns with the same subset are missing

Image
up vote 2 down vote favorite There is a clear pattern that show for two separate subsets (set of columns); If one value is missing in a column, values of other columns in the same subset are missing for any row. Here is a visualization of missing data My tries up until now, I used ycimpute library to learn from other values, and applied Iterforest. I noted, score of Logistic regression is so weak (0.6) and thought Iterforest might not learn enough or anyway, except from outer subset which might not be enough? for example the subset with 11 columns might learn from the other columns but not from within it's members, and the same goes for the subset with four columns. This bar plot show better quantity of missings So of course, dealing with missings is better than dropping rows because It would affect my prediction which does contain the same missings quantity relatively. Any better way to deal with these ? [EDIT] The nullity pattern is confirmed: machine-learning cor...
Read more