Thinking Out Loud

April 8, 2021

Who Can Access

Filed under: Uncategorized — mdinh @ 12:22 am

I had a request to list the users who have read access (or greater) to the APP schema.

Base on the results below:

User DINH has SELECT on APP.INTERVAL table (view)

Role APP_ROLE has SELECT/UPDATE on APP.INTERVAL table (view)

User DINH/APP/SYS has APP_ROLE

SQL> show con_name

CON_NAME
------------------------------
ORCLPDB1
SQL> show user
USER is "SYS"
SQL> @priv.sql

SQL> select username from dba_users where created  > (select created from v$database) order by 1;

USERNAME
------------------------------
APP
AUDIT_TEST
DINH
DINH099PD
PDBADMIN
WMS099PD

6 rows selected.

SQL> select * from DBA_TAB_PRIVS where owner='APP';

GRANTEE              OWNER                TABLE_NAME                GRANTOR              PRIVILEGE            GRANTABLE HIERARCHY COM TYPE                     INH
-------------------- -------------------- ------------------------- -------------------- -------------------- --------- --------- --- ------------------------ ---
DINH                 APP                  INTERVAL                  APP                  SELECT               NO        NO        NO  TABLE                    NO
APP_ROLE             APP                  INTERVAL                  APP                  SELECT               NO        NO        NO  TABLE                    NO
APP_ROLE             APP                  INTERVAL                  APP                  UPDATE               NO        NO        NO  TABLE                    NO

SQL> --- ROLE_TAB_PRIVS describes table privileges granted to roles.
SQL> --- Information is provided only about roles to which the user has access.
SQL> select * from ROLE_TAB_PRIVS where OWNER='APP';

ROLE                           OWNER                TABLE_NAME                COLUMN_NAME               PRIVILEGE            GRANTABLE COM INH
------------------------------ -------------------- ------------------------- ------------------------- -------------------- --------- --- ---
APP_ROLE                       APP                  INTERVAL                                            UPDATE               NO        NO  NO
APP_ROLE                       APP                  INTERVAL                                            SELECT               NO        NO  NO

SQL> select * from DBA_ROLE_PRIVS where GRANTED_ROLE='APP_ROLE' order by 1;

GRANTEE              GRANTED_ ADMIN DEL DEFAULT COM INH
-------------------- -------- ----- --- ------- --- ---
APP                  APP_ROLE YES   NO  YES     NO  NO
DINH                 APP_ROLE NO    NO  YES     NO  NO
SYS                  APP_ROLE NO    NO  YES     NO  NO

SQL>

I also used Pete Finnigan’s who_can_access.sql for comparison.

Note who_can_access.sql is per object vs per schema.

If there were hundreds / thousands of table, then not sure how this will scale.

who_can_access: Release 1.0.3.0.0 - Production on Wed Apr 07 19:00:04 2021
Copyright (c) 2004 PeteFinnigan.com Limited. All rights reserved.

NAME OF OBJECT TO CHECK       [USER_OBJECTS]: INTERVAL
OWNER OF THE OBJECT TO CHECK          [USER]: APP
OUTPUT METHOD Screen/File                [S]:
FILE NAME FOR OUTPUT              [priv.lst]:
OUTPUT DIRECTORY [DIRECTORY  or file (/tmp)]:
EXCLUDE CERTAIN USERS                    [N]:
USER TO SKIP                         [TEST%]:

Checking object => APP.INTERVAL
====================================================================


Object type is => TABLE (TAB)
        Privilege => SELECT is granted to =>
        Role => APP_ROLE (ADM = NO) which is granted to =>
                User => DINH (ADM = NO)
                User => SYS (ADM = NO)
                User => APP (ADM = YES)
        User => DINH (ADM = NO)
        Privilege => UPDATE is granted to =>
        Role => APP_ROLE (ADM = NO) which is granted to =>
                User => DINH (ADM = NO)
                User => SYS (ADM = NO)
                User => APP (ADM = YES)

PL/SQL procedure successfully completed.


For updates please visit http://www.petefinnigan.com/tools.htm

SQL>

Did I do this right?

This is not 100% accurate, missing the followings, and does not take into consideration recursive roles grant:

  1. Column grants: GRANT update (column_name) ON table_name TO user_name;
  2. Code based access control (CBAC)
  3. REFERENCES privileges: GRANT references ON table_name to user_name

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a free website or blog at WordPress.com.

<span>%d</span> bloggers like this: