OBJECT PRIVILEGES FOR VIEWS IN ORACLE

OBJECT PRIVILEGES FOR VIEWS IN ORACLE

Privileges are basically rights to access any object or perform any operation on a view.

To create a view on a schema the user must have CREATE VIEW system privilege. To create a view on another schema the user needs to CREATE ANY VIEW system privilege

Below are the object privileges available for Views:

Privilege NamePrivilege Description
SELECTSelecting data from a view
INSERTInserting new row into the base table behind the view
UPDATEUpdating data of the base table behind the view
DELETEDeleting data from the base table behind the view

Creating two new users.

CREATE USER SCOTT IDENTIFIED BY TIGER;

GRANT CONNECT TO SCOTT;

GRANT RESOURCE TO SCOTT;

GRANT CREATE ANY VIEW TO SCOTT;
CREATE USER SAN IDENTIFIED BY SAN;

GRANT CONNECT TO SAN;

GRANT RESOURCE TO SAN;

GRANT CREATE ANY VIEW TO SAN;

Creating a new view in HR schema.

CONN HR/HR@ORCL;

CREATE OR REPLACE VIEW EMP_DEPT_VIEW
AS
SELECT A.EMPLOYEE_ID,
       A.FIRST_NAME,
       A.LAST_NAME,
       A.JOB_ID,
       A.SALARY,
       A.DEPARTMENT_ID,
       B.DEPARTMENT_NAME,
       B.LOCATION_ID
FROM EMPLOYEES A,
     DEPARTMENTS B
WHERE A.DEPARTMENT_ID = B.DEPARTMENT_ID
AND A.DEPARTMENT_ID = 30;
SELECT * FROM EMP_DEPT_VIEW;
Object Privileges For Views In Oracle : Output

Now if we try to access the view from schema SCOTT or SAN then oracle will raise error:

CONN SCOTT/TIGER@ORCL;

SELECT * FROM HR.EMP_DEPT_VIEW;
ORA-01031: insufficient privileges
01031. 00000 -  "insufficient privileges"
*Cause:    An attempt was made to perform a database operation without
           the necessary privileges.
*Action:   Ask your database administrator or designated security
           administrator to grant you the necessary privileges
Error at Line: 1 Column: 18

GRANTING SELECT

Giving access on view EMP_DEPT_VIEW to SCOTT and SAN schema.

CONN HR/HR@ORCL;

GRANT SELECT ON EMP_DEPT_VIEW TO SCOTT, SAN;
CONN SCOTT/TIGER@ORCL;

SELECT * FROM HR.EMP_DEPT_VIEW;
Object Privileges For Views In Oracle : Output

GRANTING INSERT

Creating a new view EMP_VIEW_GRANT from HR schema.

CONN HR/HR@ORCL;

CREATE TABLE EMP_TAB_GRANT
AS
SELECT A.EMPLOYEE_ID,
       A.FIRST_NAME,
       A.LAST_NAME,
       A.JOB_ID,
       A.SALARY,
       A.DEPARTMENT_ID
FROM EMPLOYEES A
WHERE A.DEPARTMENT_ID = 30;

CREATE OR REPLACE VIEW EMP_VIEW_GRANT
AS
SELECT A.EMPLOYEE_ID,
       A.FIRST_NAME,
       A.LAST_NAME,
       A.JOB_ID,
       A.SALARY,
       A.DEPARTMENT_ID
FROM EMP_TAB_GRANT A;
SELECT * FROM EMP_VIEW_GRANT;
Object Privileges For Views In Oracle : Output

If we try to insert data through the view EMP_VIEW_GRANT from SCOTT schema oracle will raise error as there is no access provided.

CONN SCOTT/TIGER@ORCL;

Insert into HR.EMP_VIEW_GRANT (EMPLOYEE_ID,FIRST_NAME,LAST_NAME,JOB_ID,SALARY,DEPARTMENT_ID) values (201,'Michael','Hartstein','MK_MAN',13000,20);
Error starting at line : 4 in command -
Insert into HR.EMP_VIEW_GRANT (EMPLOYEE_ID,FIRST_NAME,LAST_NAME,JOB_ID,SALARY,DEPARTMENT_ID) values (201,'Michael','Hartstein','MK_MAN',13000,20)
Error at Command Line : 4 Column : 16
Error report -
SQL Error: ORA-01031: insufficient privileges
01031. 00000 -  "insufficient privileges"
*Cause:    An attempt was made to perform a database operation without
           the necessary privileges.
*Action:   Ask your database administrator or designated security
           administrator to grant you the necessary privileges

Now providing SELECT, INSERT access to user SCOTT and SAN.

CONN HR/HR@ORCL;

GRANT SELECT ON EMP_VIEW_GRANT TO SCOTT, SAN;

GRANT INSERT ON EMP_VIEW_GRANT TO SCOTT, SAN;

Now trying to insert a new record from SCOTT schema through the view EMP_VIEW_GRANT.

CONN SCOTT/TIGER@ORCL;

Insert into HR.EMP_VIEW_GRANT (EMPLOYEE_ID,FIRST_NAME,LAST_NAME,JOB_ID,SALARY,DEPARTMENT_ID) values (201,'Michael','Hartstein','MK_MAN',13000,20);
1 row inserted.
SELECT * FROM HR.EMP_VIEW_GRANT;
Object Privileges For Views In Oracle : Output

GRANTING UPDATE

We have created a new view EMP_VIEW_GRANT and provided the SELECT and INSERT access to user SCOTT and SAN. If we try to update the data of EMP_VIEW_GRANT from user SCOTT and SAN then oracle will raise error.

CONN SCOTT/TIGER@ORCL;

UPDATE HR.EMP_VIEW_GRANT
SET JOB_ID = 'PU_MAN'
WHERE EMPLOYEE_ID = 201;
Error starting at line : 6 in command -
UPDATE HR.EMP_VIEW_GRANT
SET JOB_ID = 'PU_MAN'
WHERE EMPLOYEE_ID = 201
Error at Command Line : 6 Column : 11
Error report -
SQL Error: ORA-01031: insufficient privileges
01031. 00000 -  "insufficient privileges"
*Cause:    An attempt was made to perform a database operation without
           the necessary privileges.
*Action:   Ask your database administrator or designated security
           administrator to grant you the necessary privileges

Now providing the UPDATE access to user SCOTT and SAN.

CONN HR/HR@ORCL;

GRANT UPDATE ON EMP_VIEW_GRANT TO SCOTT, SAN;
CONN SCOTT/TIGER@ORCL;

UPDATE HR.EMP_VIEW_GRANT
SET JOB_ID = 'PU_MAN'
WHERE EMPLOYEE_ID = 201;
1 row updated.

GRANTING DELETE

Trying to delete a record from view EMP_VIEW_GRANT through user SCOTT.

CONN SCOTT/TIGER@ORCL;

DELETE HR.EMP_VIEW_GRANT
WHERE EMPLOYEE_ID = 201;
Error starting at line : 6 in command -
DELETE HR.EMP_VIEW_GRANT
WHERE EMPLOYEE_ID = 201
Error at Command Line : 6 Column : 11
Error report -
SQL Error: ORA-01031: insufficient privileges
01031. 00000 -  "insufficient privileges"
*Cause:    An attempt was made to perform a database operation without
           the necessary privileges.
*Action:   Ask your database administrator or designated security
           administrator to grant you the necessary privileges

Now providing DELETE access to user SCOTT and SAN.

CONN HR/HR@ORCL;

GRANT DELETE ON EMP_VIEW_GRANT TO SCOTT, SAN;
CONN SCOTT/TIGER@ORCL;

DELETE HR.EMP_VIEW_GRANT
WHERE EMPLOYEE_ID = 201;
1 row deleted.
SELECT * FROM HR.EMP_VIEW_GRANT;

WITH GRANT OPTION

If we create a view and provide access to a second user, then the second user will be able to grant access to a third user if the owner of the view uses the WITH GRANT OPTION clause while providing grant to second user. Otherwise the third user will not be able to access the view.

CONN HR/HR@ORCL;

CREATE OR REPLACE VIEW EMP_VIEW_GRANT_20
AS
SELECT A.EMPLOYEE_ID,
       A.FIRST_NAME,
       A.LAST_NAME,
       A.JOB_ID,
       A.SALARY,
       A.DEPARTMENT_ID
FROM EMPLOYEES A
WHERE A.DEPARTMENT_ID = 20;
SELECT * FROM EMP_VIEW_GRANT_20;
GRANT SELECT ON EMP_VIEW_GRANT_20 TO SCOTT;
CONN SCOTT/TIGER@ORCL;

SELECT * FROM HR.EMP_VIEW_GRANT_20;

Now if we try to grant the SELECT access on view HR.EMP_VIEW_GRANT_20 to user SAN from SCOTT user then oracle will raise error. The reason is that the user HR has not provided the SELECT privilege to SCOTT user by using WITH GRANT OPTION clause.

GRANT SELECT ON HR.EMP_VIEW_GRANT_20 TO SAN;
Error starting at line : 3 in command -
GRANT SELECT ON HR.EMP_VIEW_GRANT_20 TO SAN
Error report -
ORA-01031: insufficient privileges
01031. 00000 -  "insufficient privileges"
*Cause:    An attempt was made to perform a database operation without
           the necessary privileges.
*Action:   Ask your database administrator or designated security
           administrator to grant you the necessary privileges
CONN HR/HR@ORCL;

GRANT SELECT ON EMP_VIEW_GRANT_20 TO SCOTT WITH GRANT OPTION;
CONN SCOTT/TIGER@ORCL;

GRANT SELECT ON HR.EMP_VIEW_GRANT_20 TO SAN;
Grant succeeded.
CONN SAN/SAN@ORCL;

SELECT * FROM HR.EMP_VIEW_GRANT_20;
Object Privileges For Views In Oracle : Output

RELATED OTHER TOPICS: