Question

I have created a new database user. I found that the account can select data from other schemas' tables. So how can I restrict the new account to manipulate only the tables it owns?


Solution

You can't. You can use REVOKE in certain cases but the most important thing to remember about REVOKE is that it can only revoke a permission that was explicitly GRANTed. Every database has GLOBAL permissions not tied to any specific schema and granted to PUBLIC. These permissions are inherited by all ROLES as long as they (the permissions) are in effect.

You can revoke certain PRIVILEGES such as SELECT, DELETE, INSERT, etc., but you have to do it at the object level for every schema. What this means is, if a new table gets added to any of these schemas, the user will by default have access to it, unless the PRIVILEGES on that new table for that user are REVOKED.

As per the Oracle documentation, below are the prerequisites to REVOKE:

Prerequisites

  1. To revoke a system privilege, you must have been granted the privilege with the ADMIN OPTION.

  2. To revoke a role, you must have been granted the role with the ADMIN OPTION. You can revoke any role if you have the GRANT ANY ROLE system privilege.

  3. To revoke an object privilege, you must previously have granted the object privilege to the user and role or you must have the GRANT ANY OBJECT PRIVILEGE system privilege. In the latter case, you can revoke any object privilege that was granted by the object owner or on behalf of the owner, that is, by a user with the GRANT ANY OBJECT PRIVILEGE. However, you cannot revoke an object privilege that was granted by way of a WITH GRANT OPTION grant.
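As an added example (not part of the original answer), the script below is what a DBA would run on an Oracle database to find out where a new account's access to other schemas' tables actually comes from, and then to revoke exactly what was granted, since REVOKE fails on anything that was never granted that way. The user name APP_USER, the schema HR and the table HR.EMPLOYEES are assumptions for illustration; the dictionary views (DBA_TAB_PRIVS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS, SESSION_PRIVS) and the REVOKE forms are standard Oracle.

```sql
-- Added example, not from the original answer. Run as a DBA.
-- APP_USER, HR and HR.EMPLOYEES are assumed names.

-- 1. Direct object grants on tables the user does not own, either to the
--    user itself or to PUBLIC (which every account inherits).
SELECT grantee, owner, table_name, privilege, grantor, grantable
FROM   dba_tab_privs
WHERE  grantee IN ('APP_USER', 'PUBLIC')
AND    owner NOT IN ('APP_USER', 'SYS', 'SYSTEM')
ORDER  BY grantee, owner, table_name;

-- 2a. System privileges granted directly to the user. SELECT ANY TABLE
--     and its relatives bypass object grants entirely and also cover
--     tables created in the future.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'APP_USER'
AND    privilege LIKE '%ANY %';

-- 2b. The same system privileges arriving through a role
--     (first level only; roles can be granted to roles).
SELECT r.grantee, r.granted_role, r.default_role, s.privilege
FROM   dba_role_privs r
JOIN   dba_sys_privs  s ON s.grantee = r.granted_role
WHERE  r.grantee = 'APP_USER'
ORDER  BY r.granted_role, s.privilege;

-- 3. Revoke only what steps 1 and 2 reported. Each statement matches one
--    kind of grant; Oracle rejects a REVOKE for a grant that does not exist
--    (ORA-01927 for object privileges, ORA-01952 for system privileges,
--    ORA-01951 for roles), which is the "can only revoke what was granted"
--    rule in practice.
REVOKE SELECT ON hr.employees FROM app_user;   -- direct object grant (step 1)
REVOKE SELECT ANY TABLE FROM app_user;         -- system privilege (step 2a)
REVOKE dba FROM app_user;                      -- role carrying ANY privileges (step 2b)

-- 4. Verify from a session logged in as APP_USER: the system privileges
--    still in effect, and a probe that should now fail with ORA-00942
--    (table or view does not exist) rather than return rows.
SELECT privilege FROM session_privs ORDER BY privilege;
SELECT COUNT(*) FROM hr.employees;
```

Two cautions: a grant to PUBLIC reported in step 1 belongs to every account, so revoking it changes more than the new user, and should be checked before it is removed; and the ORDER of steps matters, since revoking an object grant while a SELECT ANY TABLE privilege or a role carrying it remains in place leaves the access exactly as it was.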

Licensed under: CC-BY-SA with attribution