1. 权限的作用

2. 限制用户对数据的访问

    权限的分类

   1. 系统权限：能够存取数据库的权限 

3. 2. 对象权限：操作数据库对象的内容

4. 系统权限 
    1.1 如何创建用户：

   SQL> create user test default tablespace users identified by test;用户已创建。

   1.2 数据库中的系统权限

   SQL> desc system_privilege_map; Name                                   Null?    Type ----------------------------------------------------------------- -------- -------------------------------------------- PRIVILEGE                               NOT NULL NUMBER NAME                                   NOT NULL VARCHAR2(40) PROPERTY                               NOT NULL NUMBERSQL> select privilege,name,property from system_privilege_map; PRIVILEGE NAME                       PROPERTY---------- ---------------------------------------- ----------    -3 ALTER SYSTEM                      0    -4 AUDIT SYSTEM                      0    -5 CREATE SESSION                     0    -6 ALTER SESSION                     0    -7 RESTRICTED SESSION                     0

   1.3 查看某个用户拥有的系统权限

   SQL> select username,privilege,admin_option from user_sys_privs;USERNAME               PRIVILEGE                ADM------------------------------ ---------------------------------------- ---SYS                   AUDIT ANY                NOSYS                   DROP ANY INDEX                NOSYS                   CREATE ANY CLUSTER            NOSYS                   ALTER ANY TABLE                NO。。。。。。。。。。。。。。。。。。。。。。。。。159 rows selected.

   1.4 系统权限的授予与回收
   　　 sys授予select any table给scott

   SQL> conn /as sysdba已连接。SQL> grant select any table to scott;--任何普通用户下的表，scott都可以访问SQL> select USERNAME,PRIVILEGE from user_sys_privs;USERNAME                       PRIVILEGE------------------------------ ----------------------------------------SCOTT                          CREATE SYNONYMSCOTT                          CREATE VIEWSCOTT                          UNLIMITED TABLESPACESCOTT                          SELECT ANY TABLESQL> conn scott/tiger已连接。SQL> select count(*) from oe.CUSTOMERS;  COUNT(*)----------       319SQL> select count(*) from hr.employees;  COUNT(*)----------       107

           sys收回select any table给scott

   SQL> conn /as sysdba已连接。SQL> revoke select any table from scott;撤销成功。SQL> conn scott/tiger已连接。SQL> select USERNAME,PRIVILEGE from user_sys_privs;USERNAME                       PRIVILEGE------------------------------ ----------------------------------------SCOTT                          CREATE SYNONYMSCOTT                          CREATE VIEWSCOTT                          UNLIMITED TABLESPACESQL> select count(*) from hr.employees;select count(*) from hr.employees                        *第 1 行出现错误:ORA-00942: 表或视图不存在

   1.5 权限的转授
        系统权限不能被级联回收

   SQL> conn /as sysdba已连接。SQL> grant select any table to scott ;授权成功。SQL> conn scott/tiger已连接。SQL> grant select any table to hr;grant select any table to hr*第 1 行出现错误:ORA-01031: 权限不足SQL> conn /as sysdba已连接。SQL> revoke select any table from scott;撤销成功。SQL> grant select any table to scott with admin option;--把select any table的授予权限给scott授权成功。SQL> conn scott/tiger已连接。SQL> grant select any table to hr;授权成功。SQL> conn hr/hr已连接。SQL> select count(*) from oe.customers;  COUNT(*)----------       319
   
   

   SQL> conn /as sysdba
   已连接。
   SQL> revoke select any table from scott;

   撤销成功。

   SQL> conn scott/tiger
   已连接。
   SQL> select count(*) from oe.customers;
   select count(*) from oe.customers
   *
   第 1 行出现错误:
   ORA-00942: 表或视图不存在

   SQL> conn hr/hr
   已连接。
   SQL> select count(*) from oe.customers;

   COUNT(*)
   ----------
   319

5.  对象权限

   对象权限：在某个数据库对象上的权限
   
   4.1 在某个表上的所有对象权限：

   conn scott/tigergrant all on emp to hr;conn hr/hrSQL> select GRANTEE,OWNER,TABLE_NAME,GRANTOR,PRIVILEGE from user_tab_privs where table_name=‘EMP‘;GRANTEE OWNER  TABLE_NAME  GRANTOR PRIVILEGE------- ------ ----------- ------- --------------------HR      SCOTT  EMP         SCOTT   ALTERHR      SCOTT  EMP         SCOTT   DELETEHR      SCOTT  EMP         SCOTT   INDEXHR      SCOTT  EMP         SCOTT   INSERTHR      SCOTT  EMP         SCOTT   SELECTHR      SCOTT  EMP         SCOTT   UPDATEHR      SCOTT  EMP         SCOTT   REFERENCESHR      SCOTT  EMP         SCOTT   ON COMMIT REFRESHHR      SCOTT  EMP         SCOTT   QUERY REWRITEHR      SCOTT  EMP         SCOTT   DEBUGHR      SCOTT  EMP         SCOTT   FLASHBACK

   4.2 对象权限的授予与回收

   授予单个权限：SQL> show userUSER 为 "SCOTT"SQL> grant select on emp to hr;授权成功。SQL> revoke select on emp from hr;撤销成功。针对于某个列：SQL> grant update(sal) on emp to hr;SQL> revoke update on emp from hr;撤销成功。

   4.3 查看对象权限：

   SQL> seSQL> col OWNER for a6SQL> col TABLE_NAME for a15SQL> col GRANTOR for a7SQL> col PRIVILEGE for a20SQL> show userUSER 为 "SCOTT"SQL> select grantee,owner,table_name,privilege from user_tab_privs;GRANTEE  OWNER    TABLE_NAME    PRIVILEGE-------- ------ --------------- --------------------HR     SCOTT    EMP        FLASHBACKHR     SCOTT    EMP        DEBUGHR     SCOTT    EMP        QUERY REWRITEHR     SCOTT    EMP        ON COMMIT REFRESHHR     SCOTT    EMP        REFERENCESHR     SCOTT    EMP        INSERTHR     SCOTT    EMP        INDEXHR     SCOTT    EMP        DELETEHR     SCOTT    EMP        ALTER9 rows selected.GRANTEE：接受权限的用户GRANTOR：授出权限的用户

   4.4 对象权限的转授

   SQL> show userUSER 为 "HR"SQL> revoke update on employees from scott;撤销成功。SQL> grant update on employees to scott with grant option;授权成功。SQL> show userUSER 为 "SCOTT"SQL> grant update on hr.employees to oe;授权成功。SQL> show userUSER 为 "SCOTT"SQL> update hr.employees set salary=salary+100;已更新107行。SQL> roll回退已完成。SQL> conn oe/oe已连接。SQL> update hr.employees set salary=salary+100;已更新107行。SQL> rollback;回退已完成。

   4.5 对象权限的级联回收

   conn hr/hrgrant update on employees to scott with grant option;conn scott/tigergrant update on hr.employees to oe;SQL> update hr.employees set salary=salary+100;已更新107行。SQL> rollconn oe/oeSQL> update hr.employees set salary=salary+100;已更新107行。SQL> rollconn hr/hrrevoke update on employees from scott;conn scott/tigerSQL> update hr.employees set salary=salary+100;update hr.employees set salary=salary+100          *第 1 行出现错误:ORA-01031: 权限不足conn oe/oeSQL> update hr.employees set salary=salary+100;--对象权限会被级联回收update hr.employees set salary=salary+100          *第 1 行出现错误:ORA-01031: 权限不足

6. 角色
   5.1 角色：角色是一组权限（包含对象权限和系统权限）的集合
   5.2 角色作用：

   比较容易的权限管理

   动态的权限管理

   选择权限的可获得性

   可通过操作系统授予
   5.3. 创建角色并给它授权

   SQL> conn /as sysdba已连接。SQL> create role r1;角色已创建。SQL> grant select any table to r1;授权成功。SQL> grant update on scott.emp to r1;授权成功。

   查看角色中有哪些系统权限：

   SQL> select PRIVILEGE from role_sys_privs where role=‘R1‘;PRIVILEGE--------------------SELECT ANY TABLE

   查看角色中的对象权限：

   SQL> select OWNER,TABLE_NAME,PRIVILEGE from role_tab_privs where role=‘R1‘;OWNER  TABLE_NAME      PRIVILEGE------ --------------- --------------------SCOTT  EMP             UPDATE

   5.4 角色授予与回收

   SQL> grant r1 to hr;--hr拥有角色r1中所有的权限授权成功。SQL> conn hr/hr已连接。SQL> select count(*) from oe.customers;  COUNT(*)----------       319SQL> update scott.emp set sal=sal+100;已更新14行。SQL> roll回退已完成。SQL> conn /as sysdba已连接。SQL> revoke r1 from hr;--r1中所有的权限都从hr中回收撤销成功。SQL> conn hr/hr已连接。SQL> select count(*) from oe.customers;select count(*) from oe.customers                        *第 1 行出现错误:ORA-00942: 表或视图不存在SQL> update scott.emp set sal=sal+100;update scott.emp set sal=sal+100             *第 1 行出现错误:ORA-00942: 表或视图不存在

   5.5 查看当前用户有哪些角色

   SQL> select GRANTED_ROLE from user_role_privs;GRANTED_ROLE------------------------------CONNECTPLUSTRACERESOURCE

   角色中的权限，在user_sys_privsH和user_tab_privs中看不到的

   SQL> select GRANTED_ROLE from user_role_privs;GRANTED_ROLE------------------------------CONNECTPLUSTRACERESOURCESQL> conn /as sysdba已连接。SQL> select privilege from role_sys_privs where role=‘CONNECT‘;PRIVILEGE--------------------CREATE SESSIONSQL> select PRIVILEGE from user_sys_privs;PRIVILEGE--------------------CREATE SYNONYMCREATE VIEWUNLIMITED TABLESPACECREATE SESSION这个系统权限在user_sys_privs中看不到

    

控制用户的访问之权限、角色【weber出品必属精品】