Question:
Isn't it possible to grant privileges on someone else's table to yet
another user as sys, or anyone as sysdba for that matter?
Was trying to (paraphrased) - connect internal
svmgrl> grant select on INV.SOMETABLE to VANUSER;
and got
.....insufficient privileges.....
Must you be logged in as the owner of the object in order to grant
something?
Thanks,
Dc.
Answer 1:
According to the Oracle SQL Reference:
"You must own the object or the owner of the object granted you the
object privileges with the GRANT OPTION. This rule applies to users
with the DBA role."
This applies to ANY other user. A DBA may have all of the "ANY
TABLE"
privileges, but still has no authority to grant object permissions
to
another user.
This can be accomplished by connecting as the object owner and issuing
something like;
GRANT ALL PRIVILEGES ON <object> TO <user> WITH GRANT OPTION;
After this, the specified user may grant the specified privileges to
other
users (you may, of course, replace "ALL PRIVILEGES" with specific privileges
to limit what access may be given to other users).
Note also that you can only grant this authority to a specific user
-- not
to a role or to PUBLIC.
Basically, the idea is that while a user cannot prevent a DBA (or a
user
with SELECT ANY TABLE role) from seeing the data in his/her tables
(or a
user with UPDATE ANY TABLE from changing it, etc.), (s)he still retains
control over granting privileges to "ordinary mortals" unless (s)he
specifically decides to allow another user to do so.
Answer 2:
Of course you (as the DBA) can still change the user's password, perform
whatever grants you wish on their objects, then change the password
back. The
user really can't control this.
Using SELECT username, password FROM dba_users; (and saving the
encrypted
password)
ALTER USER username IDENTIFIED BY passwd;
{Then connecting as that user and performing your grants}
Then:
ALTER USER username IDENTIFIED BY VALUES
'theencryptedpasswordstringyousavedfromtheearlierquery';
You can assume a user's identity and do whatever you like, without ever
knowing
the user's password.
Answer 3:
Sure. Only object owner can grant any object privereles to someone.
But
object owner can grant privelege with admin option.