Given a Oracle normal(not DBA) user I need to find wha开发者_开发知识库t objects which are not owned by the user he has permissions on and how it was granted(through what role or direct grant).
Can you write a simple script for this.
I think this should get you pretty much what you need. ALL_TAB_PRIVS is available to all users in the database and lists all objects that the user performing the SELECT has permissions on, what the permission is, and who granted it. I've joined it to another view, ROLE_TAB_PRIVS, to find the role that granted the privilege to the user, if any. If the user was granted permissions via a role and a direct grant, both are listed.
SELECT atp.grantor, atp.privilege,
CASE WHEN NVL(rtp.role,'NULL') <> atp.grantee THEN atp.grantee
ELSE atp.grantee||' (ROLE)'
END grantee, atp.table_name
FROM all_tab_privs atp LEFT JOIN role_tab_privs rtp
ON (atp.table_name = rtp.table_name AND
atp.table_schema = rtp.owner)
WHERE grantor <> 'SYS' /* Optional - filter out SYS owned objects */
UNION ALL
SELECT owner, 'SELECT' /* Assume SELECT */, NULL, view_name||' (VIEW)'
FROM all_views
WHERE owner <> 'SYS' /* Optional - filter out SYS owned views */
ORDER BY 1,3;
EDIT:
ALL_TAB_PRIVS is a bit of a misnomer, as it includes PL/SQL executable objects as well.
EDIT 2:
It appears that this leaves out views. You could union the all_views results with the above query to give all the views you have some sort of access to, although I'm not sure at the moment how to give you the exact privileges you have been granted on the views.
A word of warning: including all the SYS objects you have access gives you a rather voluminous list. You may wish to filter out objects belonging to SYS, as I've shown here.
This should get you want you want, but is only applicable to that user.
select username
, 'ROL' type
, granted_role pv
from user_role_privs
union
select username
, 'PRV' type
, privilege pv
from user_sys_privs
union
select grantee as username
, 'OBJ' type,
regexp_replace(max(decode(privilege,'WRITE','WRITE,'))||
max(decode(privilege,'READ','READ,'))||
max(decode(privilege,'EXECUTE','EXECUTE')),'WRITE,READ,EXECUTE','ALL')||
regexp_replace(max(decode(privilege,'SELECT','SELECT'))||
max(decode(privilege,'DELETE',',DELETE'))||
max(decode(privilege,'UPDATE',',UPDATE'))||
max(decode(privilege,'INSERT',',INSERT')),'SELECT,DELETE,UPDATE,INSERT','ALL')||
' ON '||object_type||' "'||a.owner||'"."'||table_name||'"' pv
from user_tab_privs a
, all_objects b
where a.table_name = b.object_name
and a.owner=b.owner
group by a.owner
, table_name
, object_type
, grantee
union
select grantee AS username
, 'COL' type,
privilege||' ('||column_name||') ON "'||owner||'"."'||table_name||'"' pv
from user_col_privs
where grantee=:usercheck
order by 1
, type
, pv;
精彩评论