Saturday, September 20, 2008

Minimum privilege needed to take data pump export

In your organization you may assign a user who is only responsible to take data pump export. Suppose everyday evening he will be responsible to take a logical backup of the database.
The minimum privilege need to perform data pump export operation is given below.
1)Create Session privilege. This is required to logon to database.
2)Create Table privilege. This is required as while doing export operation he needs to create a master table.
3)Read and write permission on a valid database directory. Or Create Directory privilege.
4)Sufficient tablespace quota on the user's default tablespace. As master table need to be created while data pump export operation.

In addition to above 4 privileges it is needed to grant EXP_FULL_DATABASE to the intended user if he might need the following things
- to run a full database Export or
- to run a transport_tablespace job or
- to run an Export DataPump job with the TRACE parameter or
- to run an operation that exports a different schema.

Now suppose I want to grant minimum privilege to user Dump_User to perform data pump export.
With minimum privilege granted to him you can create user named Dump_User as below.
Way 1:
CONNECT system/a
CREATE OR REPLACE DIRECTORY datapump_dir AS 'Give an OS directory here that already exist in database and OS user has permission on it';

Like, CREATE OR REPLACE DIRECTORY datapump_dir AS 'C:\'
GRANT create session, create table TO DUMP_USER IDENTIFIED BY a ;
ALTER USER DUMP_USER default tablespace users;
GRANT read, write ON DIRECTORY datapump_dir TO DUMP_USER;
ALTER USER DUMP_USER QUOTA unlimited ON users;


or:
Way 2: Using Role,
CONNECT system/a
CREATE OR REPLACE DIRECTORY datapump_dir AS 'full_pre_existing_directory_path_here';
CREATE ROLE expdp_role;
GRANT create session, create table TO expdp_role;
GRANT read, write ON DIRECTORY my_dir TO expdp_role;
GRANT expdp_role TO DUMP_USER;
ALTER USER DUMP_USER DEFAULT ROLE all;
ALTER USER DUMP_USER default tablespace users;
ALTER USER DUMP_USER QUOTA unlimited ON users;


Related Documents
Use SELECT ANY DICTIONARY or SELECT_CATALOG_ROLE or SELECT ANY TABLE
Privileges Required to Create Views
Public Privileges in Oracle
How to make global read only user

No comments:

Post a Comment