Oracle DataBase Lesson 33 – User Roles & Privileges | Dataplexa

Oracle Database

I. Foundations
1. Introduction to Databases 2. SQL vs NoSQL Databases 3. What is Oracle Database 4. Oracle Editions & Use Cases 5. Installing Oracle & SQL Developer 6. Oracle Database Architecture 7. Tablespaces & Data Files 8. Tables, Rows & Columns 9. Oracle Data Types 10. Creating Tables in Oracle
II. Core SQL & Data
11. Constraints & Keys 12. Sequences & Identity Columns 13. INSERT Data 14. SELECT Queries 15. WHERE Clause & Filtering 16. ORDER BY & FETCH FIRST 17. UPDATE Data 18. DELETE Data 19. Aggregate Functions 20. GROUP BY 21. HAVING Clause 22. NULL Handling in Oracle
III. Joins & PL/SQL
23. Table Relationships 24. INNER JOIN 25. LEFT, RIGHT & FULL OUTER JOIN 26. Subqueries 27. Views 28. Indexes in Oracle 29. Introduction to PL/SQL 30. PL/SQL Procedures & Functions 31. Triggers 32. Performance Optimization Basics
IV. Enterprise & Admin
33. Users, Roles & Privileges 34. Transactions & Concurrency Control 35. Backup & Recovery (RMAN) 36. Oracle Security Best Practices 37. Oracle Performance Tuning 38. Oracle Data Pump (Export & Import) 39. Oracle Database in Cloud (OCI) 40. Mini Project

Users, Roles & Privileges

To follow along with the examples in this lesson, use the course dataset from Lesson 8.

Access control is how Oracle decides who can connect to the database and what they are allowed to do once connected. Every action in Oracle — querying a table, running a procedure, creating a user — requires a privilege. Privileges can be granted directly to a user or bundled into a role that is then granted to many users at once. Getting access control right is one of the most important responsibilities of a database administrator.

Users and Schemas

In Oracle, a user and a schema are the same thing. When you create a user, Oracle creates a schema of the same name to hold that user's objects — tables, views, procedures, and sequences. A user who owns no objects still has a schema; a schema always belongs to exactly one user. This is different from other databases where schemas and users are separate concepts.

Every user needs at least the CREATE SESSION privilege to connect to the database. Without it the account exists but cannot be used. A newly created user with only CREATE SESSION can connect but cannot create any objects or query any tables until further privileges are granted.

-- Create a new user with a password
-- The user account and schema are created simultaneously
CREATE USER reporting_user IDENTIFIED BY SecurePass123;
-- Grant the minimum privilege needed to connect
GRANT CREATE SESSION TO reporting_user;
-- Grant the ability to create tables and views in their own schema
GRANT CREATE TABLE, CREATE VIEW TO reporting_user;
-- Assign a tablespace quota -- without this the user cannot store any data
ALTER USER reporting_user QUOTA 100M ON users;
-- Lock an account without dropping it -- prevents login while preserving the schema
ALTER USER reporting_user ACCOUNT LOCK;
-- Unlock the account
ALTER USER reporting_user ACCOUNT UNLOCK;
-- Drop a user and all objects they own
DROP USER reporting_user CASCADE;  -- CASCADE removes all schema objects first
-- CREATE USER
User created.

-- GRANT CREATE SESSION
Grant succeeded.

-- ALTER USER QUOTA
User altered.

-- DROP USER CASCADE
User dropped.
  • A user without a tablespace quota can connect and query other schemas but cannot create any objects that store data in their own schema
  • DROP USER CASCADE drops the user and every object in their schema — use with care, this is irreversible
  • ACCOUNT LOCK is safer than dropping a user when you want to temporarily disable access — the schema and all objects are preserved
  • In Oracle, CREATE USER requires the DBA role or the CREATE USER system privilege

System Privileges vs Object Privileges

Oracle divides privileges into two categories. System privileges allow a user to perform a class of action anywhere in the database — CREATE TABLE, CREATE SESSION, ALTER ANY TABLE. They are broad and powerful. Object privileges allow a user to perform a specific action on a specific object owned by another user — SELECT ON hr.employees, EXECUTE ON store.get_customer_total. Object privileges are precise and follow the principle of least privilege.

-- System privilege: allows the user to create tables in their OWN schema
GRANT CREATE TABLE TO reporting_user;
-- System privilege with ANY: allows the user to create tables in ANY schema
-- Grant these sparingly -- they are very powerful
GRANT CREATE ANY TABLE TO reporting_user;
-- Object privilege: SELECT on a specific table in another schema
GRANT SELECT ON dataplexa_store.orders TO reporting_user;
-- Object privilege: execute a specific procedure
GRANT EXECUTE ON dataplexa_store.update_category_price TO reporting_user;
-- Grant multiple object privileges at once
GRANT SELECT, INSERT, UPDATE ON dataplexa_store.products TO reporting_user;
-- Revoke a privilege -- removes it immediately
REVOKE SELECT ON dataplexa_store.orders FROM reporting_user;
-- WITH GRANT OPTION: allows the recipient to grant the same privilege to others
GRANT SELECT ON dataplexa_store.customers TO reporting_user WITH GRANT OPTION;
-- All GRANT statements
Grant succeeded.

-- REVOKE
Grant revoked.
  • System privileges with ANYDROP ANY TABLE, SELECT ANY TABLE — are extremely powerful and should only ever be granted to DBAs
  • REVOKE takes effect immediately — the user loses the privilege the moment it is revoked, even in an active session
  • WITH GRANT OPTION allows privilege chains — if reporting_user grants SELECT to another user and reporting_user's privilege is later revoked, the downstream grant is also revoked automatically
  • Object privileges on a view do not require privileges on the underlying tables — this is how views are used for secure access

Roles

A role is a named collection of privileges. Instead of granting dozens of privileges to each user individually, you grant them to a role once and then grant the role to users. When the privileges needed by a job function change, you update the role and every user with that role inherits the change automatically. Oracle provides several built-in roles — CONNECT, RESOURCE, and DBA are the most commonly referenced — but creating your own roles is almost always better practice in production.

-- Create a custom role for read-only reporting access
CREATE ROLE reporting_role;
-- Grant privileges to the role
GRANT CREATE SESSION                             TO reporting_role;
GRANT SELECT ON dataplexa_store.orders           TO reporting_role;
GRANT SELECT ON dataplexa_store.customers        TO reporting_role;
GRANT SELECT ON dataplexa_store.products         TO reporting_role;
GRANT SELECT ON dataplexa_store.customer_order_summary TO reporting_role;
-- Grant the role to users -- each user inherits all role privileges
GRANT reporting_role TO reporting_user;
GRANT reporting_role TO analyst_user;
-- Revoke the role from a user
REVOKE reporting_role FROM reporting_user;
-- Drop a role -- automatically revoked from all users who held it
DROP ROLE reporting_role;
-- CREATE ROLE
Role created.

-- GRANT privileges to role
Grant succeeded. (x5)

-- GRANT role to users
Grant succeeded. (x2)

-- DROP ROLE
Role dropped.
  • Granting a role to a user is identical in syntax to granting a privilege — GRANT role_name TO user_name
  • When a role is dropped every user who held it loses all the privileges that came with it immediately
  • The built-in DBA role grants almost every system privilege — never grant it to application users or reporting accounts
  • Roles cannot be granted to themselves or create circular grants — Oracle prevents this

Viewing Privileges and Roles

Oracle's data dictionary stores every privilege grant and role assignment. Use USER_SYS_PRIVS to see system privileges granted to the current user, USER_TAB_PRIVS for object privileges, and USER_ROLE_PRIVS for roles. DBAs can query the equivalent DBA_ views to see grants across all users in the database.

-- System privileges granted to the current user
SELECT privilege, admin_option
FROM   user_sys_privs
ORDER  BY privilege;
-- Object privileges granted TO the current user by others
SELECT owner, table_name, privilege, grantable
FROM   user_tab_privs
WHERE  grantee = USER        -- USER is a function returning the current username
ORDER  BY owner, table_name;
-- Roles granted to the current user
SELECT granted_role, default_role, admin_option
FROM   user_role_privs
ORDER  BY granted_role;
-- DBA view: see all object privileges granted on a specific table (requires DBA access)
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner      = 'DATAPLEXA_STORE'
AND    table_name = 'ORDERS'
ORDER  BY grantee;
-- USER_SYS_PRIVS
PRIVILEGE | ADMIN_OPTION
-------------------|-------------
CREATE SESSION | NO
CREATE TABLE | NO
CREATE VIEW | NO
(3 rows selected)

-- USER_TAB_PRIVS
OWNER | TABLE_NAME | PRIVILEGE | GRANTABLE
-----------------|------------|-----------|----------
DATAPLEXA_STORE | CUSTOMERS | SELECT | YES
DATAPLEXA_STORE | ORDERS | SELECT | NO
(2 rows selected)

-- USER_ROLE_PRIVS
GRANTED_ROLE | DEFAULT_ROLE | ADMIN_OPTION
----------------|-------------|-------------
REPORTING_ROLE | YES | NO
(1 row selected)
  • USER is an Oracle function that returns the current session's username — useful in queries that should always reflect the caller's own grants
  • GRANTABLE = YES means the privilege was granted WITH GRANT OPTION — the user can pass it on to others
  • ADMIN_OPTION = YES on a system privilege means the user can grant that system privilege to others
  • The DBA_ prefix views require the DBA role or SELECT ANY DICTIONARY privilege — use them to audit grants across the entire database

Lesson Summary

Concept What It Means
User = Schema Creating a user automatically creates a schema of the same name to hold their objects
CREATE SESSION Minimum privilege needed to connect to the database
System privilege Allows a class of action anywhere — CREATE TABLE, CREATE SESSION, ALTER ANY TABLE
Object privilege Allows a specific action on a specific object — SELECT ON store.orders
Role Named collection of privileges — grant the role to many users instead of each privilege individually
WITH GRANT OPTION Allows the recipient to pass the privilege on to other users
REVOKE Removes a privilege or role — takes effect immediately
DROP USER CASCADE Drops the user and all objects in their schema — irreversible
USER_SYS_PRIVS Data dictionary view — system privileges granted to the current user
USER_TAB_PRIVS Data dictionary view — object privileges granted to or by the current user

Practice Questions

Practice 1. What is the minimum privilege a user needs to connect to an Oracle database?



Practice 2. What is the difference between a system privilege and an object privilege?



Practice 3. A role is dropped. What happens to the users who were granted that role?



Practice 4. What does WITH GRANT OPTION do when granting an object privilege?



Practice 5. How do you disable a user account without losing their schema objects?



Quiz

Quiz 1. In Oracle, what happens when you create a new user?






Quiz 2. You grant SELECT ANY TABLE to an application user. What is the problem with this?






Quiz 3. What is the advantage of granting a role to users instead of granting privileges individually?






Quiz 4. A user was granted SELECT on orders WITH GRANT OPTION and passed it to a second user. You then revoke SELECT on orders from the first user. What happens to the second user's grant?






Quiz 5. Which data dictionary view shows the object privileges granted to the current user by others?






Next up — Transactions & Concurrency — How Oracle manages transactions with COMMIT and ROLLBACK, what savepoints do, and how Oracle's multi-version read consistency keeps queries accurate without blocking writers.

← Previous Course Index Next →