I was using the script below to clone the user privileges of user1 and assign them to user2:
The issue turned out to be that bothe users wer granted two roles ROLE1 and ROLE2, but the only difference was that ROLE2 was a default role for both users, but ROLE1 was default only for USER1.
select 'grant ' || PRIVILEGE || ' on ' || owner || '.' || TABLE_NAME || ' to ' || 'USER2' || decode(GRANTABLE,'YES',' with grant option;','NO',';') from
dba_tab_privs
where
GRANTEE = upper('USER1')
union
select
'grant ' ||GRANTED_ROLE || ' to ' || 'USER2' || ';'
from
dba_role_privs
where
GRANTEE = upper('USER1')
union
select
'grant ' || PRIVILEGE || ' to ' || 'USER2' || ';'
from
dba_sys_privs
where
GRANTEE = upper('USER1')
union
select
'alter user ' || 'USER2' || ' quota ' || decode(MAX_BYTES,-1,'UNLIMITED', to_char(MAX_BYTES/(1024*1024),'9999') || 'M') || ' on ' || TABLESPACE_NAME || ';'
from
dba_ts_quotas
where
USERNAME = upper('USER1');
Everything seems to be working fine and both users had identical privileges, yet, USER2 was not able to see all the tables that USER1 could see.
The issue turned out to be that bothe users wer granted two roles ROLE1 and ROLE2, but the only difference was that ROLE2 was a default role for both users, but ROLE1 was default only for USER1.
SQL> SELECT GRANTED_ROLE, ADMIN_OPTION, DEFAULT_ROLE FROM dba_role_privs WHERE grantee='USER1'; GRANTED_ROLE ADM DEF ------------------------------ --- --- ROLE1 NO YES ROLE2 NO YES SQL> SELECT GRANTED_ROLE, ADMIN_OPTION, DEFAULT_ROLE FROM dba_role_privs WHERE grantee='USER2'; GRANTED_ROLE ADM DEF ------------------------------ --- --- ROLE1 NO NO ROLE2 NO YESRunning the sql below fixed the issue
ALTER USER USER2 DEFAULT ROLE ALL;or
ALTER USER USER2 DEFAULT ROLE ROLE1, ROLE2;Caution: Running
ALTER USER USER2 DEFAULT ROLE ROLE1;would set ROLE1 as a default role but remove all other roles (in this case ROLE2) from default role.
No comments:
Post a Comment