oracle 谨慎授予用户dba权限

4p80x1914t

　　//我们来看下面这个授权的二叉树，实际中肯定是个图(复杂的图):sys/     /test001(dba)  test002(dba)/   /          /  t1  t2          t3--//如上二叉树所示，假设test001和test002都被授予了dba权限，//test001和test002又各自创建了用户t1，t2，t3；//拥有了dba权限的用户，权限是无限大的，就和sys一样的；//下面来看一个实例：Connected as SYS//创建两个用户test001和test002，并授予dba权限:create user test001 identified by test001 default tablespace users;grant resource,connect,dba to test001;create user test002 identified by test002 default tablespace users;grant resource,connect,dba to test002;//在test001用户下面创建普通用户t1，t2，并在test001用户下面建立一张表：Connected as test001create user t1 identified by t1;grant resource,connect to t1;--create user t2 identified by t2;grant resource,connect to t2;--create table t_temp(col_1 number(5),col_2 date default sysdate,col_3 varchar2(30));--insert into t_tempselect 1001,to_date('2011-01-01','yyyy-mm-dd'),'begin of 2011' from dual union allselect 1002,to_date('2011-04-30','yyyy-mm-dd'),'end of april' from dual;//用户t1登陆，并创建一张表:Connected as t1create table t(id number(2),name varchar2(20),addr varchar2(30));insert into tselect 12,'James','shanghai' from dual union allselect 13,'Thomas','changchun' from dual union allselect 25,'Smith','beijing' from dual;//因为test002用户具有dba权限，那么他就能够访问任何用户下的对象(table，view，procedure...)//并且可以任意操作其他用户下的对象:Connected as test002select * from test001.t_temp;COL_1 COL_2       COL_3------ ----------- ------------------------------1001 2011-01-01  begin of 20111002 2011-04-30  end of april--select * from t1.t;ID NAME                 ADDR--- -------------------- ------------------------------12 James                shanghai13 Thomas               changchun25 Smith                beijing--drop table t1.t;commit;Connected as t1select * from t1ORA-00942: table or view does not exist--Connected as test002drop table test001.t_temp;--Connected as test001select * from t_tempORA-00942: table or view does not exist//从这里，你可以知道拥有dba权限的用户的权利是多大了吧！//所以在实际应用中，一定要谨慎的给予用户dba权限.//不具备dba权限的用户，在没有被授权访问的情况下，不能访问其他用户下的对象。Connected as test002grant resource,connect to t3;Connected as t3create table t3_temp(col_1 varchar2(10),col_2 number(5),col_3 varchar2(5));--select * from t1.tORA-00942: table or view does not existdrop table t1.tORA-00942: table or view does not exist//这里并没有提示ORA-01031:insufficient privileges，//而是告诉当前用户ORA-00942: table or view does not exist，//其实用户t3并不知道用户t1的存在.//但是我们可以通过授权机制，实现不同用户之间的相互访问，//前提是该普通用户具有授权的权限Connected as t1grant select on t to t3;Connected as t3select * from t1.t;ID NAME                 ADDR--- -------------------- ------------------------------12 James                shanghai13 Thomas               changchun25 Smith                beijing
　　原帖:http://topic.csdn.net/u/20110430/11/cce8abe1-fb23-4d1f-b257-e05b1db4f53c.html?99867
　　参考:
　　[1]oracle 创建用户:http://database.iyunv.com/art/200911/160283.htm