1.1 grant select any table
SQL> conn / as sysdba;
SQL> grant select any table on userA;
这种方法的缺点是授予的权限过大,userA不仅可以访问scott下的所有表,也可以访问其他用户包括sys,system下的所有表。
1.2 逐个授权
SQL> conn scott/tiger;
SQL> select 'GRANT SELECT ON '||table_name||' to query01;' from user_tables;
再把上面得到的结果逐一执行一遍:
这种方法的缺点是要执行比较多的语句,如果有100个表,就得执行100个grant语句;
另外scott新建的表不在被授权的范围内,新建的表要想被userA访问,也得执行grant语句:
grant select on 新建的表 to userA;
1.3 使用游标
先创建两个用户
SQL> create user test1 identified by oracle;
User created.
SQL> create user test2 identified by oracle;
User created
授权
SQL> grant connect, resource to test1;
Grant succeeded.
SQL> grant connect, resource to test2;
Grant succeeded.
在test2下建立一个表作测试用
SQL> conn test2/oracle;
Connected.
SQL> create table t(id number);
Table created.
创建角色并用游标给角色授权
SQL> conn /as sysdba;
Connected.
SQL> create role select_all_test2_tab;
Role created
SQL>
declare
CURSOR c_tabname is select table_name from dba_tables where owner = 'TEST2';
v_tabname dba_tables.table_name%TYPE;
sqlstr VARCHAR2(200);
begin
open c_tabname;
loop
fetch c_tabname into v_tabname;
exit when c_tabname%NOTFOUND;
sqlstr := 'grant select on test2.' || v_tabname ||' to select_all_test2_tab';
execute immediate sqlstr;
end loop;
close c_tabname;
end;
/
PL/SQL procedure successfully completed.
把角色授权给test1
SQL> grant select_all_test2_tab to test1;
Grant succeeded.
尝试用test1访问test2的表
SQL> conn test1/oracle;
Connected.
SQL> select * from test2.t;
no rows selected
在test2下新建表
SQL> conn test2/oracle;
Connected.
SQL> create table ta(id number);
Table created.
尝试用test1访问新建的表
SQL> conn test1/oracle;
Connected.
SQL> select * from test2.ta;
select * from test2.ta
*
ERROR at line 1:
ORA-00942: table or view does not exist
结论:与第二种方案相比,用这种方式不需逐一把test2下的表授权给test1访问,但test2新建的表无法被test1访问。
