| 1 | +SET ECHO OFF |
| 2 | +/* |
| 3 | +** Copyright (c) 2023 Oracle and/or its affiliates |
| 4 | +** The Universal Permissive License (UPL), Version 1.0 |
| 5 | +** |
| 6 | +** Subject to the condition set forth below, permission is hereby granted to any |
| 7 | +** person obtaining a copy of this software, associated documentation and/or data |
| 8 | +** (collectively the "Software"), free of charge and under any and all copyright |
| 9 | +** rights in the Software, and any and all patent rights owned or freely |
| 10 | +** licensable by each licensor hereunder covering either (i) the unmodified |
| 11 | +** Software as contributed to or provided by such licensor, or (ii) the Larger |
| 12 | +** Works (as defined below), to deal in both |
| 13 | +** |
| 14 | +** (a) the Software, and |
| 15 | +** (b) any piece of software and/or hardware listed in the lrgrwrks.txt file if |
| 16 | +** one is included with the Software (each a "Larger Work" to which the Software |
| 17 | +** is contributed by such licensors), |
| 18 | +** |
| 19 | +** without restriction, including without limitation the rights to copy, create |
| 20 | +** derivative works of, display, perform, and distribute the Software and make, |
| 21 | +** use, sell, offer for sale, import, export, have made, and have sold the |
| 22 | +** Software and the Larger Work(s), and to sublicense the foregoing rights on |
| 23 | +** either these or other terms. |
| 24 | +** |
| 25 | +** This license is subject to the following condition: |
| 26 | +** The above copyright notice and either this complete permission notice or at |
| 27 | +** a minimum a reference to the UPL must be included in all copies or |
| 28 | +** substantial portions of the Software. |
| 29 | +** |
| 30 | +** THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
| 31 | +** IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
| 32 | +** FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
| 33 | +** AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
| 34 | +** LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
| 35 | +** OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
| 36 | +** SOFTWARE. |
| 37 | +*/ |
| 38 | + |
| 39 | +-- TITLE |
| 40 | +-- Working with Oracle Database 23c Schema Privileges |
| 41 | +-- |
| 42 | +-- DESCRIPTION |
| 43 | +-- This tutorial script walks you through examples of working with |
| 44 | +-- schema-level privileges |
| 45 | +-- |
| 46 | +-- PREREQUISITES |
| 47 | +-- Ensure that you have Oracle database 23c or higher installed and running on a |
| 48 | +-- port. Ensure that the compatible parameter is set to at least 23.0.0.0. |
| 49 | +-- |
| 50 | +-- USAGE |
| 51 | +-- Connect to the database as a database adminstrator (or any user with permissions |
| 52 | +-- to create users and grant tablespace privileges) user and run this |
| 53 | +-- script. A demo user (janus) can be created using this statement: |
| 54 | +-- GRANT create user, create session, unlimited tablespace TO janus IDENTIFIED BY ORacle__123 with admin option; |
| 55 | +-- |
| 56 | +-- |
| 57 | +-- NOTES |
| 58 | +-- Oracle Database 23c Free - Developer Release is the first release of |
| 59 | +-- the next-generation Oracle Database, allowing developers a head-start |
| 60 | +-- on building applications with innovative 23c features that simplify |
| 61 | +-- development of modern data-driven apps. The entire feature set of |
| 62 | +-- Oracle Database 23c is planned to be generally available within the |
| 63 | +-- next 12 months. |
| 64 | +-- |
| 65 | +-- Please go through the database security documentation |
| 66 | +-- (https://docs.oracle.com/en/database/oracle/oracle-database/23/dbseg/index.html) |
| 67 | +-- to learn more about new security features in Database 23c |
| 68 | +-- Oracle CloudWorld 2022 keynote - https://www.youtube.com/watch?v=e8-jBkO1NqY&t=17s |
| 69 | + |
| 70 | + |
| 71 | +SET FEEDBACK 1 |
| 72 | +SET NUMWIDTH 10 |
| 73 | +SET LINESIZE 80 |
| 74 | +SET TRIMSPOOL ON |
| 75 | +SET TAB OFF |
| 76 | +SET PAGESIZE 100 |
| 77 | +SET LONG 20000 |
| 78 | +col username format a30 |
| 79 | +col privilege format a30 |
| 80 | +col schema format a30 |
| 81 | +cle scre |
| 82 | + |
| 83 | +prompt |
| 84 | +prompt ** Working with Schema-level privileges** |
| 85 | +prompt |
| 86 | +prompt During this tutorial you will create two users. What password should |
| 87 | +prompt we use for those two users? |
| 88 | +prompt Enter the password to use &&PASSWORD |
| 89 | +prompt |
| 90 | +prompt During this tutorial we will connect and reconnect to |
| 91 | +prompt this database several times. Which TNS Alias should we use |
| 92 | +prompt for the connection? &&DATABASE_ALIAS |
| 93 | +prompt |
| 94 | +prompt Lets test that the password you gave us meets your own |
| 95 | +prompt password complexity standards by creating a dummy user. |
| 96 | +prompt What username should we use? &&DUMMY_USER_NAME |
| 97 | + |
| 98 | +create user &&DUMMY_USER_NAME identified by &&PASSWORD; |
| 99 | +prompt If the create user statement failed, please either adjust the username |
| 100 | +prompt to an unused username, or the password to meet your systems |
| 101 | +prompt password complexity rules. Click enter to continue, <ctrl>-c to exit and |
| 102 | +pause retry. |
| 103 | +drop user &&DUMMY_USER_NAME; |
| 104 | + |
| 105 | +-- Do cleanup for previous run (if any). |
| 106 | +-- |
| 107 | +select username, count(*) from dba_users a left outer join dba_objects b on b.owner=a.username where a.username in ('APP_SCHEMA', 'APP_USER') group by username; |
| 108 | +prompt |
| 109 | +prompt **If you do NOT want to drop these two users and all objects |
| 110 | +prompt in their schemas, use <ctrl>-c to exit this script now! |
| 111 | +pause Press enter to continue, or <ctrl>-c to exit without dropping these users |
| 112 | + |
| 113 | +drop user APP_SCHEMA cascade; |
| 114 | +drop user APP_USER; |
| 115 | + |
| 116 | + |
| 117 | +prompt ================================================== |
| 118 | +prompt Step 1: Create users and a few test tables |
| 119 | +prompt ================================================== |
| 120 | +pause Press enter to continue, |
| 121 | + |
| 122 | +-- Create users and a few tables for the test. |
| 123 | +-- |
| 124 | +CREATE USER APP_SCHEMA identified by &&PASSWORD; |
| 125 | +CREATE USER APP_USER identified by &&PASSWORD; |
| 126 | +grant create session to APP_USER; |
| 127 | +grant create session, create table, unlimited tablespace to APP_SCHEMA; |
| 128 | + |
| 129 | + |
| 130 | +CREATE TABLE APP_SCHEMA.DATA1 |
| 131 | + (name VARCHAR2(255)); |
| 132 | + |
| 133 | +INSERT INTO APP_SCHEMA.DATA1 VALUES ('Bob'); |
| 134 | +INSERT INTO APP_SCHEMA.DATA1 VALUES ('Jane'); |
| 135 | + |
| 136 | +CREATE TABLE APP_SCHEMA.DATA2 |
| 137 | + (city VARCHAR2(255)); |
| 138 | + |
| 139 | +INSERT INTO APP_SCHEMA.DATA2 VALUES ('London'); |
| 140 | +INSERT INTO APP_SCHEMA.DATA2 VALUES ('Dubai'); |
| 141 | +COMMIT; |
| 142 | + |
| 143 | +prompt ================================================== |
| 144 | +prompt Step 2: Connect as APP_USER and verify you can not see data in APP_SCHEMA tables |
| 145 | +prompt ================================================== |
| 146 | +prompt |
| 147 | +prompt |
| 148 | +pause Press enter to continue |
| 149 | +prompt |
| 150 | +prompt connect APP_USER@DATABASE_ALIAS |
| 151 | +connect APP_USER/&&PASSWORD@&DATABASE_ALIAS |
| 152 | +set echo on |
| 153 | +select * from APP_SCHEMA.DATA1; |
| 154 | +select * from APP_SCHEMA.DATA2; |
| 155 | +set echo off |
| 156 | + |
| 157 | + |
| 158 | +prompt ================================================== |
| 159 | +prompt APP_USER could not select from the APP_SCHEMA tables because |
| 160 | +prompt the user had no privileges on the objects or schema |
| 161 | +pause Press enter to continue |
| 162 | +prompt |
| 163 | +prompt Step 3: Grant schema privileges to APP_USER |
| 164 | +prompt Now we will switch to APP_SCHEMA |
| 165 | +prompt and give APP_USER permission view data in APP_SCHEMA |
| 166 | +prompt ================================================== |
| 167 | +prompt |
| 168 | +prompt connect APP_SCHEMA@DATABASE_ALIAS |
| 169 | +connect APP_SCHEMA/&&PASSWORD@&&DATABASE_ALIAS |
| 170 | +prompt ********** |
| 171 | +prompt ********** Pay close attention to the next statement - THIS is the new feature! |
| 172 | +prompt ********** |
| 173 | +set echo on |
| 174 | +grant select any table on schema app_schema to app_user; |
| 175 | +set echo off |
| 176 | + |
| 177 | +prompt ================================================== |
| 178 | +prompt APP_USER should now be able to see all data in APP_SCEMA |
| 179 | +prompt |
| 180 | +pause Press enter to continue |
| 181 | +prompt |
| 182 | +prompt Step 4: Test the schema privileges |
| 183 | +prompt Lets verify that APP_USER can now view data in APP_SCHEMA |
| 184 | +prompt ================================================== |
| 185 | +prompt |
| 186 | +prompt connect APP_USER@DATABASE_ALIAS |
| 187 | +connect APP_USER/&&PASSWORD@&DATABASE_ALIAS |
| 188 | +set echo on |
| 189 | +select * from session_schema_privs; |
| 190 | +prompt |
| 191 | +prompt Notice that APP_USER has session privileges |
| 192 | +prompt to SELECT ANYT TABLE from the APP_SCHEMA schema |
| 193 | +pause Press enter to continue |
| 194 | +select * from APP_SCHEMA.DATA1; |
| 195 | +select * from APP_SCHEMA.DATA2; |
| 196 | +set echo off |
| 197 | + |
| 198 | +prompt ================================================== |
| 199 | +prompt Here comes the good part - when APP_SCHEMA adds a new table |
| 200 | +prompt APP_USER should automatically have access to the new table |
| 201 | +prompt |
| 202 | +pause Press enter to continue |
| 203 | +prompt |
| 204 | +prompt Step 5: Create a new table in APP_SCHEMA |
| 205 | +prompt Now we will switch to APP_SCHEMA and create a new table. We do not |
| 206 | +prompt need to worry about granting APP_USER permission to select from the table |
| 207 | +prompt because we have permission to select from the entire schema |
| 208 | +prompt ================================================== |
| 209 | +prompt |
| 210 | +prompt connect APP_SCHEMA@DATABASE_ALIAS |
| 211 | +connect APP_SCHEMA/&&PASSWORD@&DATABASE_ALIAS |
| 212 | +set echo on |
| 213 | +CREATE TABLE APP_SCHEMA.DATA3 |
| 214 | + (country VARCHAR2(255)); |
| 215 | + |
| 216 | +INSERT INTO APP_SCHEMA.DATA3 VALUES ('United Kingdom'); |
| 217 | +INSERT INTO APP_SCHEMA.DATA3 VALUES ('United Arab Emirates'); |
| 218 | +COMMIT; |
| 219 | +set echo off |
| 220 | + |
| 221 | +prompt ================================================== |
| 222 | +pause Press enter to continue |
| 223 | +prompt |
| 224 | +prompt Step 6: Test the schema privileges again |
| 225 | +prompt Lets verify that APP_USER can see the new table added to APP_SCHEMA |
| 226 | +prompt ================================================== |
| 227 | + |
| 228 | +prompt |
| 229 | +prompt connect APP_USER@DATABASE_ALIAS |
| 230 | +connect APP_USER/&&PASSWORD@&DATABASE_ALIAS |
| 231 | +set echo on |
| 232 | +select * from APP_SCHEMA.DATA3; |
| 233 | +set echo off |
| 234 | + |
| 235 | + |
| 236 | +prompt |
| 237 | +prompt |
| 238 | +prompt ================================================== |
| 239 | +prompt As you have seen, the new schema-level privileges make it easy to |
| 240 | +prompt grant access to ALL of an applications data and objects, and as |
| 241 | +prompt new objects are added to the schema there is no need to update |
| 242 | +prompt grants for those new objects |
| 243 | +prompt ================================================== |
| 244 | +prompt |
| 245 | + |
| 246 | + |
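Review bot: the password collected at `prompt Enter the password to use &&PASSWORD` is shown in clear on the terminal, twice: SQL*Plus displays the value as it is typed when it resolves the undefined `&&PASSWORD`, and then the `prompt` line itself prints the substituted value (which also goes into any spool file the operator has open). Read it with `ACCEPT PASSWORD CHAR PROMPT 'Enter the password to use: ' HIDE` instead, and drop the literal credential `ORacle__123` from the sample GRANT in the USAGE header in favour of a placeholder. Smaller points in the same hunk: the `connect` lines mix `&DATABASE_ALIAS` and `&&DATABASE_ALIAS` (both resolve once the variable has been defined, but one form should be used throughout); the prompts carry typos (`adminstrator`, `APP_SCEMA`, `ANYT TABLE`), and the Step 5 text says "we have permission to select from the entire schema" while connected as APP_SCHEMA, where it is APP_USER that holds the grant; the closing summary says the privilege gives access to "ALL of an applications data and objects", whereas `grant select any table on schema app_schema` confers only SELECT on that schema's tables and views, not privileges on every object type, so the wording overstates what was granted.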