Object permission test: in the Initial State, neither user2 nor user3 has the object permission of user1.t1.
Object permission test: in the Initial State, neither user2 nor user3 has the object permission of user1.t1.
Object permission test:
In the initial state, neither user2 nor user3 has the object permission of user1.t1.
Table t1 exists in user1:
Duzz $ user1 @ orcl> select * from t1;
C1
----------
1111
Elapsed: 00:00:00. 00
User2 cannot query user1.t1:
Duzz $ user2 @ orcl> select * from user1.t1;
Select * from user1.t1
*
ERROR at line 1:
ORA-00942: table or view does not exist
Elapsed: 00:00:00. 00
User3 cannot query user1.t1:
Duzz $ user3 @ orcl> select * from user1.t1;
Select * from user1.t1
*
ERROR at line 1:
ORA-00942: table or view does not exist
Elapsed: 00:00:00. 01
User1 grants user2 the object permission on t1 and allows user2 to grant this permission to other users:
Duzz $ user1 @ orcl> grant all on t1 to user2 with grant option;
Grant succeeded.
Elapsed: 00:00:00. 00
User2 can query user1.t1 and grant the object permission of user1.t1 to user3:
Duzz $ user2 @ orcl> select * from user1.t1;
C1
----------
1111
Elapsed: 00:00:00. 00
Duzz $ user2 @ orcl> grant all on user1.t1 to user3;
Grant succeeded.
Elapsed: 00:00:00. 00
Duzz $ user2 @ orcl>
User3 can also query user1.t1:
Duzz $ user3 @ orcl> select * from user1.t1;
C1
----------
1111
Elapsed: 00:00:00. 00
User1 tries to revoke permissions directly from user3. Although the execution statement does not report an error, it does not actually work:
Duzz $ user1 @ orcl> revoke all on t1 from user3;
Revoke succeeded.
Elapsed: 00:00:00. 00
User3 can still query user1.t1:
Duzz $ user3 @ orcl> select * from user1.t1;
C1
----------
1111
Elapsed: 00:00:00. 00
User1 revokes permissions from user2 this time,
Duzz $ user1 @ orcl> revoke all on t1 from user2;
Revoke succeeded.
Elapsed: 00:00:00. 01
User2 permission revoked:
Duzz $ user2 @ orcl> select * from user1.t1;
Select * from user1.t1
*
ERROR at line 1:
ORA-00942: table or view does not exist
Elapsed: 00:00:00. 01
At the same time, the permissions of user3 are also revoked:
Duzz $ user3 @ orcl> select * from user1.t1;
Select * from user1.t1
*
ERROR at line 1:
ORA-00942: table or view does not exist
Elapsed: 00:00:00. 01
Object permissions cannot be recycled from non-directly granted users, but they are cascade.
System permission test:
User1 has the system permission to create view, and can grant this permission to other users. user2 and user3 do not have this permission:
Duzz $ user1 @ orcl> select * from session_privs;
PRIVILEGE
---------------------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE TABLE
CREATE VIEW
Elapsed: 00:00:00. 00
User2 has no system permission for create view:
Duzz $ user2 @ orcl> select * from session_privs;
PRIVILEGE
------------------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE TABLE
Elapsed: 00:00:00. 01
User3 also has no system permission for create view:
Duzz $ user3 @ orcl> select * from session_privs;
PRIVILEGE
------------------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE TABLE
Elapsed: 00:00:00. 01
User1 grants the create view permission to user2 and user2 to grant this permission to other users:
Duzz $ user1 @ orcl> grant create view to user2 with admin option;
Grant succeeded.
Elapsed: 00:00:00. 01
User2 permission to create view:
Duzz $ user2 @ orcl> select * from session_privs;
PRIVILEGE
-------------------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE TABLE
CREATE VIEW
Elapsed: 00:00:00. 00
User2 grants the create view permission to user3:
Duzz $ user2 @ orcl> grant create view to user3;
Grant succeeded.
Elapsed: 00:00:00. 00
User3: Get the create view permission:
Duzz $ user3 @ orcl> select * from session_privs;
PRIVILEGE
--------------------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE TABLE
CREATE VIEW
Elapsed: 00:00:00. 01
Different from object permissions, system permissions can be directly revoked from non-directly granted users.
User1 tries to revoke the create view permission from user3 directly:
Duzz $ user1 @ orcl> revoke create view from user3;
Revoke succeeded.
Elapsed: 00:00:00. 01
The create view permission of user3 is revoked:
Duzz $ user3 @ orcl> select * from session_privs;
PRIVILEGE
---------------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE TABLE
Elapsed: 00:00:00. 01
Whether or not the system permission is the same as the object permission.
User2 again grants the create view permission to user3:
Duzz $ user2 @ orcl> grant create view to user3;
Grant succeeded.
Elapsed: 00:00:00. 01
User1 revokes the create view permission of user2:
Duzz $ user1 @ orcl> revoke create view from user2;
Revoke succeeded.
Elapsed: 00:00:00. 00
The create view permission of user2 is revoked:
Duzz $ user2 @ orcl> select * from session_privs;
PRIVILEGE
------------------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE TABLE
Elapsed: 00:00:00. 00
However, user3 still has the create view permission:
Duzz $ user3 @ orcl> select * from session_privs;
PRIVILEGE
-------------------------------------------------
CREATE SESSION
UNLIMITED TABLESPACE
CREATE TABLE
CREATE VIEW
Elapsed: 00:00:00. 00
System permissions can be revoked from non-directly granted users, but do not have the permission to be recycled.
Summary:
Object permissions cannot be recycled from non-directly granted users, but they are cascade.
System permissions can be revoked from non-directly granted users, but do not have the permission to be recycled.