Saturday, September 20, 2008

Query to check whether user has datapump privilege.

Check for whether user has full database export/import privilege
You can check whether user has privilege to export or import the full database using data pump. To export full database using data pump user must have EXP_FULL_DATABASE role or dba role and to import full database using data pump user must have IMP_FULL_DATABASE or dba role.
In order to see whether user has these privilege or not you can query,

SQL>SET lines 100
COL privilege FOR a50
SELECT grantee, granted_role, default_role
FROM dba_role_privs
WHERE granted_role IN ('DBA', 'EXP_FULL_DATABASE', 'IMP_FULL_DATABASE')
ORDER BY 1,2;

GRANTEE GRANTED_ROLE DEF
------------------------------ ------------------------------ ---
ARJU DBA YES
DBA EXP_FULL_DATABASE YES
DBA IMP_FULL_DATABASE YES
FARUK DBA YES
MOMIN DBA YES
SYS DBA YES
SYS EXP_FULL_DATABASE YES
SYS IMP_FULL_DATABASE YES
SYSMAN DBA YES
SYSTEM DBA YES
TEST EXP_FULL_DATABASE YES

which indicates user ARJU,FARUK,MOMIN,SYS,SYSTEM can do both full data pump export and full datapump import operation. And user Test only has datapump export operation. Note that DBA role includes both EXP_FULL_DATABASE and IMP_FULL_DATABASE roles.

Check for user has create table or create session privilege
In order to see whether a user has CREATE TABLE or CREATE SESSION privilege, query from dba_sys_privs table. Following is the check whether user TEST has these privilege or not.

SQL>SET lines 100 pages 100
COL privilege FOR a40
SELECT grantee, privilege
FROM dba_sys_privs
WHERE (grantee IN ('TEST', 'PUBLIC')
OR grantee IN (SELECT granted_role FROM dba_role_privs
WHERE grantee IN ('TEST', 'PUBLIC')))
AND privilege IN ('CREATE SESSION', 'CREATE TABLE')
ORDER BY 1,2;

If user test have it then output will be like below.
GRANTEE PRIVILEGE
------------------------------ ----------------------------------------
TEST CREATE SESSION
TEST CREATE TABLE

Check for granted privileges on directory objects
Suppose we want to check whether user TEST has privilege on directory objects query,

SET lines 110
COL privilege FOR a12
COL grantee FOR a25
COL owner FOR a25
SELECT p.grantee, p.privilege, p.owner, d.directory_name
FROM dba_tab_privs p, dba_directories d
WHERE p.table_name=d.directory_name
AND (grantee IN ('TEST', 'PUBLIC')
OR grantee IN (SELECT granted_role FROM dba_role_privs
WHERE grantee IN ('TEST', 'PUBLIC')))
ORDER BY 4,3,2;

A typical output is
GRANTEE PRIVILEGE OWNER DIRECTORY_NAME
-------------------- ---------- -------------------- ------------------------------
TEST READ SYS D
TEST WRITE SYS D
EXP_FULL_DATABASE READ SYS DATA_PUMP_DIR
EXP_FULL_DATABASE WRITE SYS DATA_PUMP_DIR


Check for default tablespace on a user
In order to check what is the default tablespace of user TEST query,

SQL>select default_tablespace from dba_users where username='TEST';

Check for tablespace quota

To check whether user TEST has quota on which tablespaces query,
SET lines 100 numwidth 12
SELECT q.username, q.tablespace_name, q.bytes, q.max_bytes
FROM dba_ts_quotas q, dba_users u
WHERE q.username=u.username AND q.username in ('TEST');

USERNAME TABLESPACE_NAME BYTES MAX_BYTES
------------------------------ ------------------------------ ------------ ------------
TEST SYSTEM 65536 10485760

From output we can see user TEST has quota on system tablespace 10M and he already used 65K.

Related Documents
Minimum privilege needed to take data pump export

No comments:

Post a Comment