1
00:00:01,420 --> 00:00:04,700
In this lesson, we're going
to look at object privileges.
2
00:00:04,700 --> 00:00:08,050
So the two basic
classes of privileges
3
00:00:08,050 --> 00:00:11,110
in an Oracle database are
system privileges and object
4
00:00:11,110 --> 00:00:12,310
privileges.
5
00:00:12,310 --> 00:00:16,310
Object privileges are
specific to a given object.
6
00:00:16,310 --> 00:00:19,780
So whereas system privileges
are system-wide abilities that
7
00:00:19,780 --> 00:00:22,210
are given to a user,
object privileges
8
00:00:22,210 --> 00:00:26,020
are going to relate to
a specific given object.
9
00:00:26,020 --> 00:00:30,370
To use the object privilege
to give that to a user,
10
00:00:30,370 --> 00:00:32,350
we use the GRANT command.
11
00:00:32,350 --> 00:00:37,780
So we say grant privilege on
an object to a given user.
12
00:00:37,780 --> 00:00:40,810
When we want to remove a
privilege, either a system
13
00:00:40,810 --> 00:00:42,670
privilege or an
object privilege,
14
00:00:42,670 --> 00:00:44,920
we use the REVOKE command.
15
00:00:44,920 --> 00:00:48,160
So revoke privilege from user.
16
00:00:48,160 --> 00:00:49,960
So let's get set up here.
17
00:00:49,960 --> 00:00:52,150
We have three connections
in our database now.
18
00:00:52,150 --> 00:00:55,690
We have our Kara user,
we have our Scott user,
19
00:00:55,690 --> 00:00:57,130
and we have system.
20
00:00:57,130 --> 00:01:00,970
When we're using GRANT
commands, the user
21
00:01:00,970 --> 00:01:03,880
needs to have the
power or the ability
22
00:01:03,880 --> 00:01:07,570
to grant those privileges
to another user.
23
00:01:07,570 --> 00:01:10,450
So, certainly, system
will be able to.
24
00:01:10,450 --> 00:01:14,800
But let's go ahead and work with
the objects in Scott's schema
25
00:01:14,800 --> 00:01:16,870
and the Kara user.
26
00:01:16,870 --> 00:01:21,910
I'm going to connect to my
Kara user and my Scott user.
27
00:01:21,910 --> 00:01:23,860
So notice that, as
we're familiar with,
28
00:01:23,860 --> 00:01:28,660
Scott has a number of tables,
bonus, dept, so on and so forth.
29
00:01:28,660 --> 00:01:33,220
If we look at Kara's table,
she has a TEST TAB table.
30
00:01:36,580 --> 00:01:38,790
So let's see if Scott
can give the ability
31
00:01:38,790 --> 00:01:42,490
to see his objects
to the Kara user.
32
00:01:42,490 --> 00:01:44,480
I'm going to click on
these tabs back and forth
33
00:01:44,480 --> 00:01:46,040
here a little bit.
34
00:01:46,040 --> 00:01:49,050
So the Kara user,
just to prove this,
35
00:01:49,050 --> 00:01:53,650
let's say select
star from bonus.
36
00:01:57,250 --> 00:01:59,290
Well, that's certainly
not going to work.
37
00:01:59,290 --> 00:02:02,140
It says table or
view does not exist.
38
00:02:02,140 --> 00:02:05,350
Because, when we use the
select command like this,
39
00:02:05,350 --> 00:02:10,260
the assumption here is that the
bonus table is in Kara's schema.
40
00:02:10,260 --> 00:02:14,200
But we know the bonus table is
actually in the Scott schema.
41
00:02:14,200 --> 00:02:16,330
So we need to have
a way of clarifying
42
00:02:16,330 --> 00:02:21,220
that, of identifying the
schema that the table is in.
43
00:02:21,220 --> 00:02:26,410
And we do that by
saying, Scott.bonus.
44
00:02:26,410 --> 00:02:29,470
So we're saying, select
from the bonus table
45
00:02:29,470 --> 00:02:31,450
that's in the Scott schema.
46
00:02:31,450 --> 00:02:32,380
Let's try this.
47
00:02:35,430 --> 00:02:38,370
Notice that we get
the same error.
48
00:02:38,370 --> 00:02:40,950
Well, that's how Oracle
handles security.
49
00:02:40,950 --> 00:02:44,640
Because, if the user does
not have the privilege
50
00:02:44,640 --> 00:02:47,760
to look at the bonus
table in the Scott schema,
51
00:02:47,760 --> 00:02:50,730
it treats it as if
it's not even there.
52
00:02:50,730 --> 00:02:53,070
And that's a good
approach because it
53
00:02:53,070 --> 00:02:55,770
doesn't give an
error like, you don't
54
00:02:55,770 --> 00:02:58,170
have privileges on Scott bonus.
55
00:02:58,170 --> 00:03:01,050
It just says the table
or view does not exist.
56
00:03:01,050 --> 00:03:03,870
If it gave an error, like
you don't have privileges
57
00:03:03,870 --> 00:03:07,140
on that table, then that
would give an attacker
58
00:03:07,140 --> 00:03:08,580
a little bit of information.
59
00:03:08,580 --> 00:03:11,700
So that would say, oh, there
is a bonus table in the Scott
60
00:03:11,700 --> 00:03:15,270
schema and now I have to find
a way to get access to it.
61
00:03:15,270 --> 00:03:17,580
This way is a
little more obscure
62
00:03:17,580 --> 00:03:20,490
and prevents anyone from knowing
that that table is actually
63
00:03:20,490 --> 00:03:21,570
there.
64
00:03:21,570 --> 00:03:24,600
But Kara cannot select from
the bonus table because she
65
00:03:24,600 --> 00:03:25,920
doesn't have privileges on it.
66
00:03:25,920 --> 00:03:28,830
She doesn't have an
object privilege granted
67
00:03:28,830 --> 00:03:32,170
to be able to see that table.
68
00:03:32,170 --> 00:03:34,500
So let's move over
to the Scott schema
69
00:03:34,500 --> 00:03:36,620
and use the GRANT command.
70
00:03:36,620 --> 00:03:40,080
Grant select on bonus.
71
00:03:40,080 --> 00:03:43,620
Notice that we can refer to the
bonus table without the schema
72
00:03:43,620 --> 00:03:48,820
notation because we're actually
connected in this tab as Scott
73
00:03:48,820 --> 00:03:53,030
to Kara.
74
00:03:53,030 --> 00:03:57,980
Now we come back over
to the Kara session.
75
00:03:57,980 --> 00:04:01,310
And we're able to
select that data.
76
00:04:01,310 --> 00:04:03,380
This is what's known
as a direct grant.
77
00:04:03,380 --> 00:04:07,070
So it's directly granted
from Scott to Kara
78
00:04:07,070 --> 00:04:09,870
to be able to select
from that table.
79
00:04:09,870 --> 00:04:15,870
So, now that Kara is moving,
let's insert some data
80
00:04:15,870 --> 00:04:16,950
into the bonus table.
81
00:04:21,740 --> 00:04:24,520
Notice that we have an
insufficient privileges error
82
00:04:24,520 --> 00:04:26,180
message that comes out.
83
00:04:26,180 --> 00:04:29,140
And that's because
Scott has granted Kara
84
00:04:29,140 --> 00:04:35,750
the ability to select, but
not the ability to insert.
85
00:04:35,750 --> 00:04:41,590
Let's have Scott grant
insert on bonus to Kara.
86
00:04:44,560 --> 00:04:47,440
Grant succeeds.
87
00:04:47,440 --> 00:04:51,130
Rerun the statement and
the row is inserted.
88
00:04:51,130 --> 00:04:54,490
So the same would be true
of update and delete.
89
00:04:54,490 --> 00:04:57,670
So if Kara, right
now, was to attempt
90
00:04:57,670 --> 00:05:01,240
to update the bonus
table or delete from it,
91
00:05:01,240 --> 00:05:05,080
she would again have the
insufficient privileges error.
92
00:05:05,080 --> 00:05:06,400
So what Scott could do--
93
00:05:11,900 --> 00:05:14,810
this would give Kara
select, insert, update,
94
00:05:14,810 --> 00:05:17,710
and delete on the bonus table.
95
00:05:17,710 --> 00:05:19,060
So now back to Kara.
96
00:05:22,440 --> 00:05:24,620
And we see this.
97
00:05:24,620 --> 00:05:28,780
We could say,
update Scott bonus.
98
00:05:43,080 --> 00:05:45,000
And she has that ability now.
99
00:05:45,000 --> 00:05:48,060
So object privileges
are what we use
100
00:05:48,060 --> 00:05:52,720
to give a user specific
privileges on a given object.