/
userprivs.sql
240 lines (179 loc) · 5.59 KB
/
userprivs.sql
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
set linesize 32000
set pagesize 50000
set long 2000000000
set longchunksize 1000
set head off;
set verify off;
set termout off;
column u new_value us noprint;
column n new_value ns noprint;
select name n from v$database;
select user u from dual;
set sqlprompt &ns:&us>
set head on
set echo off
set termout off
set trimspool on
set feedback off
set serveroutput on size 1000000
-- Pass the name of the user as the first argument
-- to this script. Will report on that users system
-- and table privileges.
-- create tables for procedure
drop table my_sys_privs;
drop table my_tab_privs;
drop table my_role_privs;
create table my_sys_privs as
select privilege
from dba_sys_privs where 1=2;
create table my_tab_privs as
select owner,table_name,privilege
from dba_tab_privs where 1=2;
create table my_role_privs as
select granted_role
from dba_role_privs where 1=2;
DECLARE
user_name varchar2(2000);
curr_role varchar2(2000);
BEGIN
-- set to name of user that you want to find all
-- system and table privileges for
-- argument to script
user_name := '&&1';
-- do initial load of tables with users privileges
-- empty tables
delete from my_sys_privs;
delete from my_tab_privs;
delete from my_role_privs;
commit;
-- insert into tables
insert into my_sys_privs
select distinct privilege
from dba_sys_privs
where grantee=user_name;
insert into my_tab_privs
select distinct owner,table_name,privilege
from dba_tab_privs
where grantee=user_name;
insert into my_role_privs
select distinct granted_role
from dba_role_privs
where grantee=user_name;
commit;
-- loop through roles filling out sys and tab privs
-- until all roles are removed
LOOP
-- get a role if any exist and remove from list of roles
select min(granted_role) into curr_role from my_role_privs;
EXIT WHEN (curr_role is null);
delete from my_role_privs where granted_role=curr_role;
commit;
-- add sys,tab,and role privs from that role
-- if they are not already in tables
insert into my_sys_privs
select distinct privilege
from dba_sys_privs
where grantee=curr_role and
privilege not in
(select privilege
from my_sys_privs);
insert into my_tab_privs
select distinct owner,table_name,privilege
from dba_tab_privs
where grantee=curr_role and
(owner,table_name,privilege) not in
(select owner,table_name,privilege
from my_tab_privs);
insert into my_role_privs
select distinct granted_role
from dba_role_privs
where grantee=curr_role and
granted_role not in
(select granted_role
from my_role_privs);
commit;
END LOOP;
END;
/
show errors
column owner format a20
column privilege format a40
column granted_role format a20
column table_name format a80
spool &ns.&&1.userprivs.log
execute dbms_output.put_line(chr(9));
execute dbms_output.put_line('**************************************************************************************');
execute dbms_output.put_line(chr(9));
execute dbms_output.put_line('Privileges granted directly to user '||'&&1');
execute dbms_output.put_line(chr(9));
execute dbms_output.put_line('Role privileges for user '||'&&1');
select distinct GRANTED_ROLE
from dba_role_privs
where grantee='&&1'
order by GRANTED_ROLE;
execute dbms_output.put_line(chr(9));
execute dbms_output.put_line('System privileges for user '||'&&1');
select distinct privilege
from dba_sys_privs
where grantee='&&1'
order by privilege;
execute dbms_output.put_line(chr(9));
execute dbms_output.put_line('Summarized table privileges for user '||'&&1');
select owner,privilege,count(*)
from dba_tab_privs
where grantee='&&1'
group by owner,privilege
order by owner,privilege;
execute dbms_output.put_line(chr(9));
execute dbms_output.put_line('Detailed table privileges for user '||'&&1');
select distinct privilege,owner,table_name
from dba_tab_privs
where grantee='&&1'
order by privilege,owner,table_name;
execute dbms_output.put_line(chr(9));
execute dbms_output.put_line('**************************************************************************************');
execute dbms_output.put_line(chr(9));
execute dbms_output.put_line('Privileges granted through a role or directly to user '||'&&1');
execute dbms_output.put_line(chr(9));
execute dbms_output.put_line('System privileges for user '||'&&1');
select * from my_sys_privs
order by privilege;
execute dbms_output.put_line(chr(9));
execute dbms_output.put_line('Summarized table privileges for user '||'&&1');
select owner,privilege,count(*)
from my_tab_privs
group by owner,privilege
order by owner,privilege;
execute dbms_output.put_line(chr(9));
execute dbms_output.put_line('Detailed table privileges for user '||'&&1');
select privilege,owner,table_name
from my_tab_privs
order by privilege,owner,table_name;
execute dbms_output.put_line(chr(9));
execute dbms_output.put_line('**************************************************************************************');
execute dbms_output.put_line(chr(9));
execute dbms_output.put_line('Account status, profile, last password change for user '||'&&1');
column account_status format a15
column profile format a10
select
du.account_status,
du.profile,
to_char(u.ptime,'YYYY-MM-DD HH24:MI:SS') last_password_chng
from
dba_users du,
sys.user$ u
where
du.username='&&1' and
du.username=u.name;
execute dbms_output.put_line(chr(9));
execute dbms_output.put_line('**************************************************************************************');
execute dbms_output.put_line(chr(9));
execute dbms_output.put_line('Role named '||'&&1');
select
role
from
dba_roles
where
role = '&&1';
spool off
exit