Oracle permission management: After Revoking DBA Role

Oracle permission management: After Revoking DBA Role

Oracle revoking DBA permissions:
 
ORA-01536 After Revoking DBA Role [ID 465737.1]
 
Applies:
Oracle Server-Enterprise Edition-Version: 8.1.7.4 to 10.2.0.3
This problem can occur on any platform.
Symptoms
ORA-01536: space quota exceeded for tablespace''
After revoking DBA or Resource Role from a user
Example:
SQL> conn/as sysdba
Connected.
SQL> create user testrights identified by testos;
User created.
SQL> grant connect, resource to testrights;
Grant succeeded.
SQL> connect testrights/testos;
Connected.
SQL> CREATE TABLE "TESTRIGHTS". "TESTTAB" ("TESTFIELD" VARCHAR2 (200) NOT NULL
, CONSTRAINT "TESTPK" primary key ("TESTFIELD") VALIDATE) TABLESPACE "USERS" STORAGE (INITIAL 64 M );
Table created.
SQL> conn/as sysdba
Connected.
SQL> grant dba to testrights;
Grant succeeded.
SQL> revoke dba from testrights;
Revoke succeeded.
SQL> show user
USER is "SYS"
SQL> drop table testrights. testtab;
Table dropped.
SQL> conn testrights/testos;
Connected.
SQL> CREATE TABLE "TESTRIGHTS". "TESTTAB" ("TESTFIELD" VARCHAR2 (200) NOT NULL
, CONSTRAINT "TESTPK" primary key ("TESTFIELD") VALIDATE) TABLESPACE "USERS" STORAGE (INITIAL 64 M );
Create table "TESTRIGHTS". "TESTTAB" ("TESTFIELD" VARCHAR2 (200) not null,
CONSTRAINT "TESTPK" primary key ("TESTFIELD") VALIDATE) TABLESPACE "USERS"
STORAGE (INITIAL 64 M)
*
ERROR at line 1:
ORA-1536: space quota exceeded for tablespace 'users'
SQL> conn/as sysdba
Connected.
SQL> grant connect, resource to testrights;
Grant succeeded.
SQL> conn testrights/testos;
Connected.
SQL>
SQL> CREATE TABLE "TESTRIGHTS". "TESTTAB" ("TESTFIELD" VARCHAR2 (200) NOT NULL, CONSTRAINT "TESTPK" PRIMARY KEY ("TESTFIELD") VALIDATE) TABLESPACE "USERS"
STORAGE (INITIAL 64 M );
Table created.
 
Cause
This issue has been discussed in Bug 6494010.
The behavior. seen in the above example is expected and not a bug
When roles were first introduced into Oracle in 7.0, the old Oracle V6 privileges of RESOURCE and DBA were migrated to use the new role functionality. but because the RESOURCE and DBA roles are not allowed to be granted unlimited tablespace, in order to preserve the backwards compatibility with V6, the parser automatically transforms statements such that "grant resource to abc" automatically becomes "grant resource, unlimited tablespace to abc" and "revoke resource from abc" automatically becomes "revoke resource, unlimited tablespace from abc ". the same is true when granting and revoking the DBA role. this behaviour used to be well known ented in the SQL reference guide which read:
Note: If you grant or revoke the RESOURCE or DBA role to or from a user, Oracle implicitly grants or revokes the unlimited tablespace system privilege to or from the user.
 
Solution
 
To Resolve this issue you need:
1] Grant DBA or Resource Role back to the user from whom it was revoked.

For more information about Oracle, see Oracle topics page http://www.bkjia.com/topicnews.aspx? Tid = 12