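Oracle privileges: role changes take effect at the next login or after SET ROLE; system privilege changes take effect immediately

When granting or revoking a role, I found that the user could still access certain tables, whereas adding or removing the SELECT ANY TABLE privilege took effect immediately.

This is the difference between a role and a system privilege.

select * from role_role_privs;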

Applies To

All Users

Oracle Database - Enterprise Edition - Version 11.2.0.3 to Version 11.2.0.3

Oracle Database - Enterprise Edition - Version 8.1.7.4 to Version 11.1.0.7

Oracle Net Services - Version 19.1.0.0.0 to Version 19.1.0.0.0

Summary

  1. The alert.log is full with the following errors:

...

Tue Dec 30 18:15:42 2008

Errors in file d:\app\administrator\diag\rdbms\prod\prod\trace\prod_j000_3444.trc:

ORA-12012: error on auto execute of job 4002

ORA-28031: maximum of 148 enabled roles exceeded

Tue Dec 30 18:15:47 2008

Thread 1 cannot allocate new log, sequence 64

Checkpoint not complete

Current log# 3 seq# 63 mem# 0: D:\APP\ADMINISTRATOR\ORADATA\PROD\REDO03.LOG

Thread 1 advanced to log sequence 64 (LGWR switch)

Tue Dec 30 18:17:43 2008

Errors in file d:\app\administrator\diag\rdbms\prod\prod\trace\prod_j001_744.trc:

ORA-12012: error on auto execute of job 4005

ORA-28031: maximum of 148 enabled roles exceeded

...

Because of the ORA-28031 error no job is running. The user owning the job is able to connect to the database and furthermore has no errors while running the code executed via the job.

  2. A user gets the following error while connecting to the database:

SQL> conn testrole2

ERROR:

ORA-28031: maximum of 148 enabled roles exceeded

  3. While creating a queue table the following error occurs:

EXECUTE DBMS_AQADM.CREATE_QUEUE_TABLE (queue_table =>'QTEST', queue_payload_type => 'TTEST', multiple_consumers=> TRUE,compatible=>'10.2');

*

ERROR at line 1:

ORA-24166: evaluation context <schema>.AQ$_QTEST_V has errors

ORA-01925: maximum of 30 enabled roles exceeded

ORA-06512: at "SYS.DBMS_AQADM_SYS", line 2220

ORA-06512: at "SYS.DBMS_AQADM", line 58

ORA-06512: at line 1

Solution

  1. If this error does not occur while working with queues then check how many roles are going to be enabled in the user's session. Check all the default roles including those granted recursively:

SQL> select lpad(' ',2*level,' ')||granted_role

from dba_role_privs

where default_role='YES'

start with grantee='TESTROLE2' and default_role='YES'

connect by prior granted_role=grantee;

LPAD('',2*LEVEL,'')||GRANTED_ROLE


MYROLE

TROLE1

TROLE10

...

TROLE95

TROLE96

TROLE97

TROLE98

TROLE99

149 rows selected.

The list of distinct roles can be obtained with this query:

select distinct granted_role

from dba_role_privs

where default_role='YES'

start with grantee='<username>' and default_role='YES'

connect by prior granted_role=grantee

/

If there are indeed too many default roles being granted to that user then do the following:

A) Drop the roles that are not needed or merge some of the roles to reduce their total number.

B) Make sure that the user has fewer than MAX_ENABLED_ROLES default roles (i.e. alter the user and specify a list of default roles).

C) Try to create all the custom roles while connected as a user created for this purpose rather than creating them as SYS:

connect / as sysdba;

create user roleadmin identified by <password>;

grant create session, create role to roleadmin;

connect roleadmin;

... create roles...

connect / as sysdba;

alter user roleadmin default role none;

With this approach you avoid having too many roles granted automatically to SYS.

  2. When the error is encountered while working with queues, one must take into account Bug 5523578, which is fixed in 10.2.0.5. Because of this bug, while working with the queue tables, the database counts the roles even if they are not default roles. In these situations the only solution is to count the roles granted to the user (even when they are not default roles) and, if there are more than 148, to revoke some of them:

SQL> select lpad(' ',2*level,' ')||granted_role

from dba_role_privs

start with grantee='TESTROLE2'

connect by prior granted_role=grantee;

-- Note that the condition that checks whether the role is default has been removed

LPAD('',2*LEVEL,'')||GRANTED_ROLE


MYROLE

TROLE1

TROLE10

...

TROLE95

TROLE96

TROLE97

TROLE98

TROLE99

TROLE100

150 rows selected.

Cause

Error ORA-28031 occurs whenever a session attempts to enable more than 150 roles. A session always enables two roles by default (PUBLIC and the implicit role associated with the connected user). Besides these two, up to 148 other roles can be enabled in the session. When a session is initialized, all default roles granted to the connecting user are enabled. If the user is granted more than 148 default roles, the user cannot connect because of the ORA-28031 error. This does not apply to normal SYS connections. However, when a user creates a job via DBMS_JOB or DBMS_SCHEDULER which runs as SYS, the session created to execute the job is subject to all role limits.

It is important to note that we have to count the roles granted via a hierarchy (recursively) and not only the roles granted directly.
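
The recursive count described above can be run for every account at once instead of one grantee at a time. The query below is an added example, not part of the MOS note: it assumes Oracle 10g or later (for CONNECT_BY_ROOT) and SELECT access to DBA_USERS and DBA_ROLE_PRIVS, and the early-warning threshold of 120 is an arbitrary value chosen for illustration.

```sql
-- Added example: list accounts whose default roles, counted recursively,
-- exceed or approach the 148-role limit quoted in the note.
-- Assumptions: Oracle 10g+ (CONNECT_BY_ROOT); the 120 threshold is illustrative.
with role_tree as (
  select connect_by_root grantee as username,   -- account the walk started from
         granted_role,
         level as depth                         -- 1 = granted directly
  from   dba_role_privs
  where  default_role = 'YES'
  start with grantee in (select username from dba_users)
         and default_role = 'YES'
  connect by prior granted_role = grantee       -- follow role-to-role grants
)
select username,
       count(distinct granted_role)                     as default_roles,
       count(distinct case when depth = 1
                           then granted_role end)       as direct_roles,
       max(depth)                                       as deepest_level,
       case when count(distinct granted_role) > 148
            then 'OVER LIMIT'
            else 'NEAR LIMIT'
       end                                              as status
from   role_tree
group  by username
having count(distinct granted_role) >= 120
order  by default_roles desc;
```

A large gap between default_roles and direct_roles points at a hierarchy such as the MYROLE case in this note, where a single direct grant pulls in the rest.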

Usually a user is not explicitly granted so many default roles; however, they can end up with that many roles because:

  1. There were many roles created by this user. Whenever a role gets created it is automatically granted to the user creating it:

SQL> conn / as sysdba

Connected.

SQL> create user testrole identified by ****;

User created.

SQL> grant create session, create role to ****;

Grant succeeded.

SQL> conn testrole

Connected.

SQL> select * from user_role_privs;

no rows selected

SQL> create role myrole1;

Role created.

SQL> select * from user_role_privs;

USERNAME GRANTED_ROLE ADM DEF OS_ROLE


TESTROLE MYROLE1 YES YES NO

The following example shows that a user gets this error although it is directly granted only one role:

SQL> create user testrole identified by *****;

User created.

SQL> create user testrole2 identified by ******;

User created.

SQL> grant create session, create role to testrole, testrole2;

Grant succeeded.

SQL> grant select on dba_role_privs to testrole;

Role granted.

SQL> conn testrole

Connected.

SQL> create role myrole;

Role created

begin

for rec in 1..148 loop

execute immediate 'create role trole'||rec;

execute immediate 'grant trole'||rec||' to myrole';

end loop;

end;

/

PL/SQL procedure successfully completed.

SQL> show user

USER is "TESTROLE"

SQL> grant myrole to testrole2;

Grant succeeded.

SQL> select count(*) from dba_role_privs where grantee='TESTROLE2';

COUNT(*)


1

SQL> conn testrole2

ERROR:

ORA-28031: maximum of 148 enabled roles exceeded

  2. Recently a full import was performed and all the roles from the source database were created on the target database by the same user. This is rather a consequence of the first cause presented above, where roles are granted to the user who creates them. However, it is worth mentioning separately since the roles were not explicitly created by the same user in the source database. Because of the way import tools work, the roles get created by the same user on the target DB.

  3. Recently an upgrade was performed. Before the upgrade the number of roles granted to a certain user was under 148, but in the new version new roles get created and eventually get granted to older roles. This way the total number of roles granted directly or recursively can exceed the limit.

References

MOS document id: 780749.1

Product Versions

product: Oracle Database - Enterprise Edition - min_version: 11.2.0.3 - max_version: 11.2.0.3; product: Oracle Database - Enterprise Edition - min_version: 8.1.7.4 - max_version: 11.1.0.7; product: Oracle Net Services - min_version: 19.1.0.0.0 - max_version: 19.1.0.0.0; Information in this article applies to GENERIC (All Platforms)
