Testing the relationship between WITH ADMIN OPTION and privileges

This post follows on from the previous one. The problem found there was that a user, logged in as an ordinary account, had granted privileges to other accounts.

So it was puzzling why this user was able to grant privileges to others.


Check the system privileges of uuser1

SQL> select * from dba_sys_privs where GRANTEE='UUSER1';

GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
UUSER1                           ADVISOR                                  NO
UUSER1                           AUDIT ANY                                NO
UUSER1                           DROP USER                                NO
UUSER1                           RESUMABLE                                NO
UUSER1                           ALTER USER                               NO
UUSER1                           CREATE JOB                               NO
UUSER1                           ANALYZE ANY                              NO
UUSER1                           BECOME USER                              NO
UUSER1                           CREATE CUBE                              NO
UUSER1                           CREATE ROLE                              NO
UUSER1                           CREATE RULE                              NO
UUSER1                           CREATE TYPE                              NO
UUSER1                           CREATE USER                              NO
UUSER1                           CREATE VIEW                              NO
UUSER1                           ALTER SYSTEM                             NO
UUSER1                           AUDIT SYSTEM                             NO
UUSER1                           CREATE TABLE                             NO
UUSER1                           DROP PROFILE                             NO
UUSER1                           ALTER PROFILE                            NO
UUSER1                           ALTER SESSION                            NO
UUSER1                           DROP ANY CUBE                            NO
...
UUSER1                           DROP ANY CUBE BUILD PROCESS              NO
UUSER1                           DROP ANY EVALUATION CONTEXT              NO
UUSER1                           ALTER ANY EVALUATION CONTEXT             NO
UUSER1                           CREATE ANY MATERIALIZED VIEW             NO
UUSER1                           FLASHBACK ARCHIVE ADMINISTER             NO
UUSER1                           ADMINISTER ANY SQL TUNING SET            NO
UUSER1                           CREATE ANY CUBE BUILD PROCESS            NO
UUSER1                           CREATE ANY EVALUATION CONTEXT            NO
UUSER1                           UPDATE ANY CUBE BUILD PROCESS            NO
UUSER1                           EXECUTE ANY EVALUATION CONTEXT           NO
UUSER1                           ADMINISTER SQL MANAGEMENT OBJECT         NO

202 rows selected.

That is as many as 202 system privileges.

Check the roles

SQL> select * from dba_role_privs where GRANTEE='UUSER1';

GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
UUSER1                          CONNECT                        NO  YES
UUSER1                          RESOURCE                       NO  YES
UUSER1                          JAVA_ADMIN                     NO  YES
UUSER1                          JAVA_DEPLOY                    NO  YES
UUSER1                          OLAP_XS_ADMIN                  NO  YES
UUSER1                          WM_ADMIN_ROLE                  NO  YES
UUSER1                          SCHEDULER_ADMIN                NO  YES
UUSER1                          XDB_SET_INVOKER                NO  YES
UUSER1                          EXP_FULL_DATABASE              NO  YES
UUSER1                          IMP_FULL_DATABASE              NO  YES
UUSER1                          DELETE_CATALOG_ROLE            NO  YES
UUSER1                          SELECT_CATALOG_ROLE            NO  YES
UUSER1                          EXECUTE_CATALOG_ROLE           NO  YES
UUSER1                          GATHER_SYSTEM_STATISTICS       NO  YES
UUSER1                          DATAPUMP_EXP_FULL_DATABASE     NO  YES
UUSER1                          DATAPUMP_IMP_FULL_DATABASE     NO  YES

16 rows selected.

As many as 202 system privileges, yet user uuser1 has nothing WITH ADMIN OPTION and no DBA role either. How can it grant these privileges to other users?

Test 1: can a user holding only SELECT ANY DICTIONARY grant it to another user?

SQL> create user test1 identified by oracle;

User created.

SQL> grant connect,resource to test1;

Grant succeeded.

SQL>  grant select any distionary to

SQL>  grant select any dictionary to test1;

Grant succeeded.

SQL> creat user test2 identified by oracle;
SP2-0734: unknown command beginning "creat user..." - rest of line ignored.
SQL> create user test2 identified by oracle;

User created.

SQL> conn test1/oracle
Connected.
SQL> grant  select any dictionary to test2;
grant  select any dictionary to test2
*
ERROR at line 1:
ORA-01031: insufficient privileges

With only a few basic privileges and no admin option, it clearly does not work.

Test 2: grant test1 the same system privileges as umon, then check whether it can grant privileges to other users.

SQL>  grant           ADVISOR                            to test1;      

Grant succeeded.

SQL>  grant           AUDIT ANY                          to test1;
…
SQL>  grant           UPDATE ANY CUBE BUILD PROCESS      to test1;      

Grant succeeded.

SQL>  grant           EXECUTE ANY EVALUATION CONTEXT     to test1;      

Grant succeeded.

SQL>  grant           ADMINISTER SQL MANAGEMENT OBJECT   to test1; 

Grant succeeded.

SQL> conn test1/oracle
Connected.
SQL> grant select any dictionary to test2;

Grant succeeded.

The grant succeeded. In fact, admin is itself just a kind of privilege, and it is entirely possible to assemble the equivalent of admin from other privileges. So in privilege management, grant only as much as is actually needed, and avoid ANY-type privileges as far as possible.
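One way to audit this, as an added example that is not part of the original post: list every route by which an account can hand out privileges to others, whether directly or through nested roles. The grant-enabling privileges in the IN list are standard Oracle system privileges; the SQL*Plus DEFINE value is a placeholder for the account under review, and the query assumes access to the DBA_* views.

```sql
-- Added audit query, not from the original post. Shows every path by which
-- a user can grant system privileges or roles to other accounts.
-- Placeholder: replace UUSER1 with the account under review.
define who = UUSER1

-- 1. Direct system privileges that confer grant ability: anything held
--    WITH ADMIN OPTION, or one of the GRANT ANY ... privileges.
select 'DIRECT' as via, privilege, admin_option
  from dba_sys_privs
 where grantee = '&who'
   and (admin_option = 'YES'
        or privilege in ('GRANT ANY PRIVILEGE',
                         'GRANT ANY ROLE',
                         'GRANT ANY OBJECT PRIVILEGE'))
union all
-- 2. The same privileges inherited through roles, at any nesting depth.
--    dba_role_privs is walked with CONNECT BY to expand role-in-role grants.
select 'ROLE:' || r.role as via, r.privilege, r.admin_option
  from role_sys_privs r
 where r.role in (
        select granted_role
          from dba_role_privs
         start with grantee = '&who'
       connect by nocycle prior granted_role = grantee)
   and (r.admin_option = 'YES'
        or r.privilege in ('GRANT ANY PRIVILEGE',
                           'GRANT ANY ROLE',
                           'GRANT ANY OBJECT PRIVILEGE'))
union all
-- 3. Roles held WITH ADMIN OPTION, which let the user grant the role itself.
select 'ROLE ADMIN' as via, granted_role as privilege, admin_option
  from dba_role_privs
 where grantee = '&who'
   and admin_option = 'YES'
 order by 1, 2;
```

Any row returned explains how an account with no DBA role and no visible WITH ADMIN OPTION can still grant to others; an empty result means the account cannot grant beyond its own object privileges.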
