虚谷文档 v1.0.1

适用虚谷数据库版本

v12.9



适用虚谷数据库版本

v12.9


访问控制列表-SYS_ACLS

📄字数 3.5K
👁️阅读量 加载中...

功能描述

SYS_ACLS系统表用于管理数据库用户访问控制信息。

字段说明

序号字段名类型说明V11V12
0DB_IDINTEGER库ID
1GRANTOR_IDINTEGER授权者ID
2GRANTEE_IDINTEGER被授权者ID
3OBJECT_IDINTEGER授权客体ID
4OBJECT_TYPEINTEGER授权客体类型
5AUTHORITYBIGINT权限值
6REGRANTBIGINT转授权
7ORG_GRANTOR_IDINTEGER权限的原始拥有者
8IS_SYSBOOLEAN是否系统内建
9RESERVED1VARCHAR保留字段
10RESERVED2VARCHAR保留字段
11RESERVED3VARCHAR保留字段

AUTHORITY

权限级别权限权限值说明
对象级ACL_READ0x1读取权
对象级ACL_UPDATE0x2更改权
对象级ACL_INSERT0x4添加权
对象级ACL_DELETE0x8删除权
对象级ACL_REF0x10引用权
对象级ACL_EXECUTE0x20执行权
对象级ACL_INDEX0x40可创建索引
对象级ACL_ALTER0x80修改对象结构权
对象级ACL_DROP0x100删除对象权
对象级ACL_TRIG0x200可在对象上创建触发器
对象级ACL_VACUUM0x400可清多余空间
对象级ACL_TAB_ALL0x7df所有表(字段)级权
对象级ACL_PROC_ALL0x1a0所有存储过程函数级权
对象级ACL_VIEW_ALL0x18f所有视图级权
对象级ACL_PACK_ALL0x1a0所有包级权
对象级ACL_SEQ_ALL0x183所有序列值级权
对象级ACL_UDT_ALL0x1a0所有自定义数据类型级权
库级ACL_READ_ANY0x1对任何指定类型对象(对象类型由obj_type确定)拥有读取权
库级ACL_UPDATE_ANY0x2对任何指定类型对象(对象类型由obj_type确定)拥有更改权
库级ACL_INSERT_ANY0x4对全部表拥有插入权
库级ACL_DELETE_ANY0x8对全部表拥有删除权
库级ACL_REF_ANY0x10对全部表拥有引用权
库级ACL_EXECUTE_ANY0x20对全部过程拥有执行权
库级ACL_INDEX_ANY0x40可创建索引
库级ACL_CREATE0x80可在自身模式下创建任何指定类型对象(对象类型由obj_type确定)
库级ACL_CRE_ANY0x100可创建任何指定类型对象(对象类型由obj_type确定)
库级ACL_ALT_ANY0x200可修改任何指定类型对象(对象类型由obj_type确定)
库级ACL_DROP_ANY0x400可创删除何指定类型对象(对象类型由obj_type确定)
库级ACL_BACKUP_ANY0x800可备份所有对象(无对象类型)
库级ACL_RESTORE_ANY0x1000可恢复所有对象(无对象类型)
库级ACL_VACUUM_ANY0x2000可整理空余空间(无对象类型)
库级ACL_REPLICATION_ANY0x4000可做数据同步(无对象类型)
库级ACL_REFRESH_ANY0x8000可刷新数据(无对象类型)
库级ACL_GRANT_ANY0x10000可授权(无对象类型)
库级ACL_ENCRYPT_ANY0x20000可加密任何表(无对象类型)
库级ACL_CRE_JOB0x40000可创建定时任务(无对象类型)
库级ACL_TRACE0x80000可调试任何连接
库级ACL_AUDITOR0x10000000审计设置权(无对象类型)
库级ACL_AUDIT_ADMIN0x30000000审计管理权(无对象类型)
库级ACL_SSO0x40000000安全标记权(无对象类型)
库级ACL_SS_ADMIN0xc0000000安全管理权(无对象类型)
库级ACL_DBA0x7fffff所有库级权(无对象类型)
库级ACL_DBO0xffffffDBO权(与DBA相比,多一个对DBA权限用户的收授权)

应用举例

  • 查询权限授予信息
sql
SQL> CREATE TABLE tab_permission(id INT);

SQL> CREATE USER usr IDENTIFIED BY 'test_123@';

SQL> GRANT INSERT ON tab_permission TO usr;
SQL> GRANT UPDATE ON tab_permission TO usr;
SQL> GRANT DELETE ON tab_permission TO usr;

SQL> SELECT object_id,object_type,authority,regrant,org_grantor_id FROM SYS_ACLS t1 JOIN SYS_TABLES t2 ON t1.db_id=t2.db_id AND t1.object_id=t2.table_id WHERE t2.table_name='tab_permission';
+-----------+-------------+-----------+---------+----------------+
| OBJECT_ID | OBJECT_TYPE | AUTHORITY | REGRANT | ORG_GRANTOR_ID |
+-----------+-------------+-----------+---------+----------------+
| 1048576   | 5           | 14         | 0       | 1              |
+-----------+-------------+-----------+---------+----------------+

提示

AUTHORITY字段为所有权限的和。示例中INSERT权限:2, UPDATE:4, DELETE:8,三种权限之和为14。
详细解释可参考权限管理

  • 权限值相同时举例(针对权限值为0x1a0的三种情况)
sql
SQL> CREATE USER usr_acl IDENTIFIED BY 'test_123@';

-- 创建存储过程
SQL> CREATE PROCEDURE proc_acl(c1 int) AS
          BEGIN
          SEND_MSG('a');
          END;

-- 为用户usr_acl赋予存储过程proc_acl的所有权限
SQL> GRANT ALL PRIVILEGES ON PROCEDURE proc_acl TO usr_acl;

SQL> SELECT t1.grantor_id, t1.grantee_id, t1.object_id, t1.object_type, t1.authority, t2.obj_name FROM SYS_ACLS t1 JOIN SYS_OBJECTS t2 ON t1.db_id=t2.db_id AND t1.object_id=t2.obj_id WHERE t2.obj_name='proc_acl';
+------------+------------+-----------+-------------+-----------+----------+
| GRANTOR_ID | GRANTEE_ID | OBJECT_ID | OBJECT_TYPE | AUTHORITY | OBJ_NAME |
+------------+------------+-----------+-------------+-----------+----------+
| 1          | 101        | 1048578   | 7           | 416       | PROC_ACL |
+------------+------------+-----------+-------------+-----------+----------+

-- 为用户usr_acl赋予系统包DBMS_DBA的所有权限
SQL> GRANT ALL PRIVILEGES ON DBMS_DBA TO usr_acl;

SQL> SELECT t1.grantor_id, t1.grantee_id, t1.object_id, t1.object_type, t1.authority, t2.obj_name FROM SYS_ACLS t1 JOIN SYS_OBJECTS t2 ON t1.db_id=t2.db_id AND t1.object_id=t2.obj_id WHERE t2.obj_name='DBMS_DBA';
+------------+------------+-----------+-------------+-----------+----------+
| GRANTOR_ID | GRANTEE_ID | OBJECT_ID | OBJECT_TYPE | AUTHORITY | OBJ_NAME |
+------------+------------+-----------+-------------+-----------+----------+
| 1          | 101        | 8192      | 18          | 416       | DBMS_DBA |
+------------+------------+-----------+-------------+-----------+----------+

SQL> CREATE TYPE udt_acl AS OBJECT(a INT, b FLOAT);

-- 为用户usr_acl赋予自定义类型udt_acl的所有权限
SQL> GRANT ALL PRIVILEGES ON udt_acl TO usr_acl;

SQL> SELECT t1.grantor_id, t1.grantee_id, t1.object_id, t1.object_type, t1.authority, t2.obj_name FROM SYS_ACLS t1 JOIN SYS_OBJECTS t2 ON t1.db_id=t2.db_id AND t1.object_id=t2.obj_id WHERE t2.obj_name='udt_acl';
+------------+------------+-----------+-------------+-----------+----------+
| GRANTOR_ID | GRANTEE_ID | OBJECT_ID | OBJECT_TYPE | AUTHORITY | OBJ_NAME |
+------------+------------+-----------+-------------+-----------+----------+
| 1          | 101        | 1048579   | 19          | 416       | UDT_ACL  |
+------------+------------+-----------+-------------+-----------+----------+

SQL> SELECT t1.grantor_id, t1.grantee_id, t1.object_id, t1.object_type, t1.authority, t2.obj_name FROM SYS_ACLS t1 JOIN SYS_OBJECTS t2 ON t1.db_id=t2.db_id AND t1.object_id=t2.obj_id WHERE t1.AUTHORITY = 416;
+------------+------------+-----------+-------------+-----------+----------+
| GRANTOR_ID | GRANTEE_ID | OBJECT_ID | OBJECT_TYPE | AUTHORITY | OBJ_NAME |
+------------+------------+-----------+-------------+-----------+----------+
| 1          | 101        | 8192      | 18          | 416       | DBMS_DBA |
| 1          | 101        | 1048578   | 7           | 416       | PROC_ACL |
| 1          | 101        | 1048579   | 19          | 416       | UDT_ACL  |
+------------+------------+-----------+-------------+-----------+----------+

提示

十进制416对应十六进制0x1a0;
对象级权限不单一看AUTHORITY,而是由OBJECT_ID, OBJECT_TYPE和AUTHORITY组合共同标识权限。

相关系统表