授予 SELECT ANY TABLE 許可權後無法訪問sys 使用者的表,tablesys
SQL> show parameter dict
NAME TYPE VALUE
------------------------------------ ----------- -------------------------
O7_DICTIONARY_ACCESSIBILITY boolean FALSE ---------預設為false----設定為true後普通使用者擁有 select any table 許可權的就可以訪問 sys schema了
SQL> alter system set O7_DICTIONARY_ACCESSIBILITY=true scope=spfile
O7_DICTIONARY_ACCESSIBILITY 會控制普通用無法直接存取sys schema
FYI:O7_DICTIONARY_ACCESSIBILITY
Property |
Description |
Parameter type |
Boolean |
Default value |
false |
Modifiable |
No |
Range of values |
true | false |
O7_DICTIONARY_ACCESSIBILITY
controls restrictions on SYSTEM
privileges. If the parameter is set to true
, access to objects in the SYS
schema is allowed (Oracle7 behavior). The default setting of false
ensures that system privileges that allow access to objects in "any schema" do not allow access to objects in the SYS
schema.
For example, if O7_DICTIONARY_ACCESSIBILITY
is set to false
, then the SELECT ANY TABLE
privilege allows access to views or tables in any schema except the SYS
schema (data dictionary tables cannot be accessed). If O7_DICTIONARY_ACCESSIBILITY is set to false
, then to access objects in the SYS
schema, the user should have SELECT ANY DICTIONARY
system privilege or the user should have been granted SELECT
object privilege on the specific objects. The system privilegeEXECUTE ANY PROCEDURE
allows access on the procedures in any schema except the SYS
schema.
If this parameter is set to false
and you need to access objects in the SYS
schema, then you must be granted explicit object privileges. The following roles, which can be granted to the database administrator, also allow access to dictionary objects:
SELECT_CATALOG_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE