Maybe we should consider that one more time:
Creating a user and give priviliges which can select "hr.employees" table.
SQL> create user myuser identified by ora123;
User created.
SQL> grant connect, resource to myuser;
Grant succeeded.
SQL> grant select on hr.employees to myuser;
Grant succeeded.
Connect with new user and select employees table with "FOR UPDATE" option:SQL> conn myuser
Enter password:
Connected.
SQL> show user
USER is "MYUSER"
SQL> select * from hr.employees for update;
.
.
.
107 rows selected.
SQL>
As you see I could lock whole table only with "SELECT" privilege.It means if you give "SELECT" privilege for a table to a specific user, that user is able to lock against DML transactions from other sessions.
So, it means you should be very careful while giving "SELECT" privilege or you can user "READ" privilege with 12c.
Let's try "READ" privilege
SQL> create user myuser2 identified by ora123;
User created.
SQL> grant connect, resource to myuser2;
Grant succeeded.
SQL> grant read on hr.employees to myuser2;
Grant succeeded.
Now, try to lock the table with "READ" privilegeSQL> conn myuser2;
Enter password:
SQL> show user;
USER is "MYUSER2"
SQL> select * from hr.employees for update;
select * from hr.employees for update
*
ERROR at line 1:
ORA-01031: insufficient privileges
If you are using Oracle Database 12c, it is much more better to give "READ" privilege to your users if they only need to see table's data.
Hiç yorum yok:
Yorum Gönder