Oracle System Privileges
Version 23c

General Information
Library Note Morgan's Library Page Header
ACE Director Alum Daniel Morgan, founder of Morgan's Library, is scheduling complimentary technical Workshops on Database Security for the first 30 Oracle Database customers located anywhere in North America, EMEA, LATAM, or APAC that send an email to asra_us@oracle.com. Request a Workshop for your organization today.
System privileges are privileges that do not relate to a specific schema or object. This library page has been updated for version 12.2 with new privileges related to the new Analytic Views and security enhancements. Demos will be published in the appropriate section of the library following 12.2's release for download.

Note: References to "Undocumented" below indicate that the privilege is not documented in the SQL Language Reference. They may be documented somewhere else but, for example the WRITE_ANY_ANALYTIC_VIEW_CACHE privilege it is in the system_privilege_map table but not findable even with Google except where posted by Morgan.

Are we absolutely certain it exists? You be the judge:

SQL> GRANT write any analytic view cache TO xdb;

Grant succeeded.

SQL> REVOKE write any analytic view cache FROM xdb;

Revoke succeeded.
Data Dictionary Objects
ALL_SYS_PRIVS DBA_SYS_PRIVS SYSTEM_PRIVILEGE_MAP
CDB_SYS_PRIVS SESSION_PRIVS USER_SYS_PRIVS
View All System Privileges: Including Undocumented System Privs SELECT name
FROM system_privilege_map
ORDER BY 1;
 
Privileges
Administer
  • Administer Any SQL Tuning Set
  • Administer Database Trigger (database level trigger)
  • Administer Firewall
  • Administer Key Management
  • Administer Redaction Policy
  • Administer Resource Manager (undocumented)
  • Administer SQL Management Object
  • Administer SQL Tuning Set
  • Flashback Archive Administer (undocumented)
  • Grant Any Object Privilege
  • Grant Any Privilege
  • Grant Any Role
  • Manage Any File Group (undocumented)
  • Manage Any Queue (undocumented)
  • Manage File Group (undocumented)
  • Manage Scheduler
  • Manage Tablespace
Advanced Queuing
  • Dequeue Any Queue (undocumented)
  • Enqueue Any Queue (undocumented)
  • Manage Any Queue (undocumented)
Advisor Framework
  • Administer Any SQL Tuning Set
  • Administer SQL Management Object
  • Administer SQL Tuning Set
  • Advisor
  • Alter Any SQL Profile
  • Create Any SQL Profile -deprecated use Administer SQL Management Object
  • Drop Any SQL Profile
Alter Any Privileges
  • Alter Any Analytic View
  • Alter Any Assembly (undocumented)
  • Alter Any Attribute Dimension 
  • Alter Any Cluster
  • Alter Any Cube
  • Alter Any Cube Build Process (undocumented)
  • Alter Any Cube Dimension
  • Alter Any Dimension
  • Alter Any Domain
  • Alter Any Edition (undocumented)
  • Alter Any Evaluation Context (undocumented)
  • Alter Any Hierarchy
  • Alter Any Index
  • Alter Any Indextype
  • Alter Any Library
  • Alter Any Materialized View
  • Alter Any Measure Folder (undocumented)
  • Alter Any Mining Model
  • Alter Any MLE
  • Alter Any Operator
  • Alter Any Outline
  • Alter Any Procedure
  • Alter Any Property Graph
  • Alter Any Role
  • Alter Any Rule (undocumented)
  • Alter Any Rule Set (undocumented)
  • Alter Any Sequence
  • Alter Any SQL Profile
  • Alter Any SQL Translation Profile
  • Alter Any Table
  • Alter Any Trigger
  • Alter Any Type
Alter Privileges
  • Alter Database
  • Alter Database Link
  • Alter Lockdown Profile
  • Alter Profile
  • Alter Public Database Link
  • Alter Resource Cost
  • Alter Rollback Segment
  • Alter Session
  • Alter System
  • Alter Tablespace
  • Alter User
Analytic Views
  • Alter Any Analytic View
  • Create Any Analytic View
  • Create Analytic View
  • Drop Any Analytic View
  • Read Any Analytic View Cache (undocumented)
  • Write Any Analytic View Cache (undocumented)
Analyze Privileges
  • Analyze Any
  • Analyze Any Dictionary
Assembly Privileges
  • Alter Any Assembly (undocumented)
  • Create Any Assembly (undocumented)
  • Create Assembly (undocumented)
  • Drop Any Assembly (undocumented)
  • Execute Any Assembly (undocumented)
  • Execute Assembly (undocumented)
Attribute Dimensions
  • Alter Any Attribute Dimension
  • Create Any Attribute Dimension
  • Create Attribute Dimension
  • Drop Any Attribute Dimension
Audit Privileges
  • Administer Fine Grained Audit Policy
  • Audit Any
  • Audit System
Backup Privileges
  • Backup Any Table
Clusters
  • Alter Any Cluster
  • Create Any Cluster
  • Create Cluster
  • Drop Any Cluster
Comment Privileges
  • Comment Any Mining Model
  • Comment Any Table
Container Database
  • Create Pluggable Database
  • Set Container
Contexts
  • Create Any Context
  • Drop Any Context
Create Any Privileges
  • Create Any Analytic View
  • Create Any Assembly (undocumented)
  • Create Any Attribute Dimension
  • Create Any Cluster
  • Create Any Context
  • Create Any Credential (undocumented)
  • Create Any Cube
  • Create Any Cube Build Process
  • Create Any Cube Dimension
  • Create Any Dimension
  • Create Any Directory
  • Create Any Domain
  • Create Any Edition
  • Create Any Evaluation Context (undocumented)
  • Create Any Hierarchy
  • Create Any Index
  • Create Any Indextype
  • Create Any Job
  • Create Any Library
  • Create Any Materialized View
  • Create Any Measure Folder
  • Create Any Mining Model
  • Create Any MLE
  • Create Any Operator
  • Create Any Outline
  • Create Any Procedure
  • Create Any Property Graph
  • Create Any Rule (undocumented)
  • Create Any Rule Set (undocumented)
  • Create Any Sequence
  • Create Any SQL Profile - deprecated Use Administer SQL Management Object
  • Create Any SQL Translation Profile
  • Create Any Synonym
  • Create Any Table
  • Create Any Trigger
  • Create Any Type
  • Create Any View
Create Privileges
  • Create Active Data Cache
  • Create Analytic View
  • Create Assembly (undocumented)
  • Create Attribute Dimension
  • Create Cluster
  • Create Credential (undocumented)
  • Create Cube
  • Create Cube Build Process
  • Create Cube Dimension
  • Create Database Link
  • Create Dimension
  • Create Domain
  • Create Evaluation Context (undocumented)
  • Create External Job
  • Create Hierarchy
  • Create Indextype
  • Create Job
  • Create Library
  • Create Lockdown Profile
  • Create Logical Partition Tracking
  • Create Materialized View
  • Create Measure Folder
  • Create Mining Model
  • Create MLE
  • Create Operator
  • Create Pluggable Database
  • Create Procedure
  • Create Profile
  • Create Property Graph
  • Create Public Database Link
  • Create Public Synonym
  • Create Role
  • Create Rollback Segment
  • Create Rule (undocumented)
  • Create Rule Set (undocumented)
  • Create Sequence
  • Create Session
  • Create SQL Translation Profile
  • Create Synonym
  • Create Table
  • Create Tablespace
  • Create Trigger
  • Create Type
  • Create User
  • Create View
Database & System
  • Alter Database
  • Alter System
  • Audit System
  • Create Pluggable Database
Database Links
  • Alter Database Link
  • Alter Public Database Link
  • Create Database Link
  • Create Public Database Link
  • Drop Public Database Link
Datastore
  • Text Datastore Access (undocumented)
Debug
  • Debug Any Procedure
  • Debug Connect Any (undocumented)
  • Debug Connect Session
Delete
  • Delete Any Cube Dimension
  • Delete Any Measure Folder
  • Delete Any Table
Diagnostics
  • Enable Diagnostics
Dimensions
  • Alter Any Dimension
  • Create Any Dimension
  • Create Dimension
  • Drop Any Dimension
Directories
  • Create Any Directory
  • Drop Any Directory
Domain
  • Alter Any Domain
  • Create Any Domain
  • Create Domain
  • Drop Any Domain
  • Execute Any Domain
Drop Any Privileges
  • Drop Any Analytic View
  • Drop Any Assembly (undocumented)
  • Drop Any Attribute Dimension
  • Drop Any Cluster
  • Drop Any Context
  • Drop Any Cube
  • Drop Any Cube Build Process
  • Drop Any Cube Dimension
  • Drop Any Dimension
  • Drop Any Directory
  • Drop Any Domain
  • Drop Any Edition
  • Drop Any Evaluation Context (undocumented)
  • Drop Any Hierarchy
  • Drop Any Index
  • Drop Any Indextype
  • Drop Any Library
  • Drop Any Materialized View
  • Drop Any Measure Folder
  • Drop Any Mining Model
  • Drop Any MLE
  • Drop Any Operator
  • Drop Any Outline
  • Drop Any Procedure
  • Drop Any Property Graph
  • Drop Any Role
  • Drop Any Rule (undocumented)
  • Drop Any Rule Set (undocumented)
  • Drop Any Sequence
  • Drop Any SQL Profile
  • Drop Any SQL Translation Profile
  • Drop Any Synonym
  • Drop Any Table
  • Drop Any Trigger
  • Drop Any Type
  • Drop Any View
Drop Privileges
  • Drop Lockdown Profile
  • Drop Logical Partition Tracking
  • Drop Profile
  • Drop Public Database Link
  • Drop Public Synonym
  • Drop Rollback Segment
  • Drop Tablespace
  • Drop User
Editions
  • Alter Any Edition (undocumented)
  • Create Any Edition
  • Drop Any Edition
Enterprise Manager
  • EM Express Connect (undocumented)
Evaluation Context
  • Alter Any Evaluation Context (undocumented)
  • Create Any Evaluation Context (undocumented)
  • Drop Any Evaluation Context (undocumented)
  • Execute Any Evaluation Context (undocumented)
     
  • Create Evaluation Context (undocumented)
Execute Privileges
  • Execute Any Assembly (undocumented)
  • Execute Any Class
  • Execute Any Domain
  • Execute Any Evaluation Context (undocumented)
  • Execute Any Indextype
  • Execute Any Library
  • Execute Any Operator
  • Execute Any Procedure
  • Execute Any Program
  • Execute Any Rule (undocumented)
  • Execute Any Rule Set (undocumented)
  • Execute Any Type
     
  • Execute Assembly (undocumented)
  • Execute Dynamic MLE
Exempt Privileges
  • Exempt Access Policy
  • Exempt Firewall Policy
  • Exempt Identity Policy
  • Exempt Redaction Policy
Export & Import
  • Export Full Database (undocumented)
  • Import Full Database (undocumented)
Fine Grained Access Control
  • Exempt Access Policy (bypasses FGAC)
File Group
  • Manage Any File Group (undocumented)
  • Manage File Group (undocumented)
  • Read Any File Group (undocumented)
Firewall
  • Administer Firewall
  • Exempt Firewall Policy
Flashback
  • Flashback Any Table
  • Flashback Archive Administer
  • Purge DBA_RECYCLEBIN
Force
  • Force Any Transaction
  • Force Transaction
Grant
  • Grant Any Object Privilege
  • Grant Any Privilege
  • Grant Any Role
  • Grant Any Schema Privilege
Hierarchies
  • Alter Any Hierarchy
  • Create Any Hierarchy
  • Create Hierarchy
  • Drop Any Hierarchy
Indexes
  • Alter Any Index
  • Create Any Index
  • Drop Any Index
Indextype
  • Alter Any Indextype
  • Create Any Indextype
  • Create Indextype
  • Drop Any Indextype
  • Execute Any Indextype
Inherit
  • Inherit Any Privileges
  • Inherit Any Remote Privileges
Insert
  • Insert Any Cube Dimension
  • Insert Any Measure Folder
  • Insert Any Table
Job Scheduler
  • Create Any Job
  • Create External Job
  • Create Job
  • Execute Any Class
  • Execute Any Program
  • Manage Scheduler
  • Use Any Job Resource
Libraries
  • Alter Any Library
  • Create Any Library
  • Create Library
  • Drop Any Library
  • Execute Any Library
Locks
  • Lock Any Table
Lockdown Profile
  • Alter Lockdown Profile
  • Create Lockdown Profile
  • Drop Lockdown Profile
Log Mining
  • Logmining
Logical Partition Tracking
  • Create Logical Partition Tracking
  • Drop Logical Partition Tracking
Materialized Views
  • Alter Any Materialized View
  • Create Any Materialized View
  • Create Materialized View
  • Drop Any Materialized View
  • Flashback Any Table
  • Global Query Rewrite
  • On Commit Refresh
  • Query Rewrite
Measure Folders
  • Alter Any Measure Folder (undocumented)
  • Create Any Measure Folder
  • Create Measure Folder
  • Delete Any Measure Folder
  • Drop Any Measure Folder
  • Insert Any Measure Folder
Mining Models
  • Alter Any Mining Model
  • Comment Any Mining Model
  • Create Any Mining Model
  • Create Mining Model
  • Drop Any Mining Model
  • Select Any Mining Model
Multi-Lingual Engine
  • Alter Any MLE
  • Create Any MLE
  • Create MLE
  • Drop Any MLE
  • Execute Dynamic MLE
Notification Privilege
  • Change Notification
OLAP Cubes
  • Alter Any Cube
  • Create Any Cube
  • Create Cube
  • Drop Any Cube
  • Select Any Cube
  • Update Any Cube
OLAP Cube Build
  • Alter Any Cube Build Process (undocumented)
  • Create Any Cube Build Process
  • Create Cube Build Process
  • Drop Any Cube Build Process
  • Update Any Cube Build Process
OLAP Cube Dimensions
  • Alter Any Cube Dimension
  • Create Any Cube Dimension
  • Create Cube Dimension
  • Delete Any Cube Dimension
  • Drop Any Cube Dimension
  • Insert Any Cube Dimension
  • Select Any Cube Dimension
  • Update Any Cube Dimension
OLAP Cube Measure Folders
  • Create Any Measure Folder
  • Create Measure Folder
  • Delete Any Measure Folder
  • Drop Any Measure Folder
  • Insert Any Measure Folder
Operator
  • Alter Any Operator
  • Create Any Operator
  • Create Operator
  • Drop Any Operator
  • Execute Any Operator
Outlines
  • Alter Any Outline
  • Create Any Outline
  • Drop Any Outline
Plan Management
  • Administer SQL Management Object
Policies
  • Administer Fine Grained Audit Policy
  • Administer Redaction Policy
  • Administer Row Level Security Policy
  • Exempt Access Policy
  • Exempt Identity Policy (undocumented)
  • Exempt Redaction Policy
Procedures
  • Alter Any Procedure
  • Create Any Procedure
  • Create Procedure
  • Drop Any Procedure
  • Execute Any Procedure
  • Inherit Any Remote Privileges
Profiles
  • Alter Profile
  • Create Profile
  • Drop Profile
Property Graph
  • Alter Any Property Graph
  • Create Any Property Graph
  • Create Property Graph
  • Drop Property Graph
  • Read Any Property Graph
Query Rewrite
  • Global Query Rewrite
  • Query Rewrite
Read Any
  • Read Any Analytic View Cache (undocumented)
  • Read Any File Group (undocumented)
  • Read Any Property Graph
  • Read Any Table
Real Application Testing
  • Keep Date Time
  • Keep SYSGUID
Redaction
  • Administer Redaction Policy
  • Exempt Redaction Policy
Resumable
  • Resumable
Roles
  • Alter Any Role
  • Create Role
  • Drop Any Role
  • Grant Any Role
Rollback Segment
  • Alter Rollback Segment
  • Create Rollback Segment
  • Drop Rollback Segment
Row Level Security
  • Administer Row Level Security Policy
Scheduler
  • Manage Scheduler
Schema
  • Grant Any Schema Privilege
Select
  • Select Any Cube
  • Select Any Cube Build Process (undocumented)
  • Select Any Cube Dimension
  • Select Any Dictionary
  • Select Any Measure Folder
  • Select Any Mining Model
  • Select Any Sequence
  • Select Any Table
  • Select Any Transaction
Sequence
  • Alter Any Sequence
  • Create Any Sequence
  • Create Sequence
  • Drop Any Sequence
  • Select Any Sequence
Session
  • Alter Resource Cost
  • Alter Session
  • Create Session
  • Restricted Session
Synonym
  • Create Any Synonym
  • Create Public Synonym
  • Create Synonym
  • Drop Any Synonym
  • Drop Public Synonym
SQL Translation
  • Alter Any SQL Translation Profile
  • Create Any SQL Translation Profile
  • Drop Any SQL Translation Profile
  • Translate Any SQL
  • Use Any SQL Translation Profile
     
  • Create SQL Translation Profile
System Privileges
  • SYSBACKUP
  • SYSDBA
  • SYSDG
  • SYSKM
  • SYSOPER
  • SYSRAC (undocumented)
Tables
  • Alter Any Table
  • Backup Any Table
  • Comment Any Table
  • Create Any Table
  • Create Table
  • Delete Any Table
  • Drop Any Table
  • Flashback Any Table
  • Insert Any Table
  • Lock Any Table
  • Read Any Table
  • Redefine Any Table
  • Select Any Table
  • Under Any Table
  • Update Any Table
Tablespaces
  • Alter Tablespace
  • Create Tablespace
  • Drop Tablespace
  • Manage Tablespace
  • Unlimited Tablespace
Transactions
  • Force Any Transaction
  • Force Transaction
Triggers
  • Administer Database Trigger
  • Alter Any Trigger
  • Create Any Trigger
  • Create Trigger
  • Drop Any Trigger
Types
  • Alter Any Type
  • Create Any Type
  • Create Type
  • Drop Any Type
  • Execute Any Type
  • Under Any Type
Under
  • Under Any Table (undocumented)
  • Under Any Type
  • Under Any View
Update
  • Update Any Cube
  • Update Any Cube Build Process
  • Update Any Cube Dimension
  • Update Any Table
User
  • Alter User
  • Become User
  • Create User
  • Drop User
View
  • Create Any View
  • Create View
  • Drop Any View
  • Flashback Any Table
  • Merge Any View
  • Under Any View
Write
  • Write Any Analytic View Cache (undocumented)
 
Granting System Privileges
Grant A Single Privilege GRANT <privilege_name> TO <schema_name>;
GRANT create table TO uwclass;
Grant Multiple Privileges GRANT <privilege_name, privilege_name, ...> TO <schema_name>;
GRANT create table, create view, create procedure TO uwclass;
 
Revoking System Privileges
Revoke A Single Privilege REVOKE <privilege_name> FROM <schema_name>;
REVOKE create table FROM uwclass;
Revoke Multiple Privileges REVOKE <privilege_name, privilege_name, ...> FROM <schema_name>;
REVOKE create table, create view FROM uwclass;
 
Determine User Privs
These queries will list the system privileges assigned to a user SELECT LPAD(' ', 2*level) || granted_role "USER PRIVS"
FROM (
  SELECT NULL grantee, username AS GRANTED_ROLE
  FROM dba_users
  WHERE username LIKE UPPER('%&uname%')
  UNION
  SELECT grantee, granted_role
  FROM dba_role_privs
  UNION
  SELECT grantee, privilege
  FROM dba_sys_privs)
START WITH grantee IS NULL
CONNECT BY grantee = prior granted_role;

or

SELECT path
FROM (
  SELECT grantee,
    sys_connect_by_path(privilege, ':')||':'||grantee path
  FROM (
    SELECT grantee, privilege, 0 role
    FROM dba_sys_privs
    UNION ALL
    SELECT grantee, granted_role, 1 role
    FROM dba_role_privs)
  CONNECT BY privilege=prior grantee
  START WITH role = 0)
WHERE grantee IN (
  SELECT username
  FROM dba_users
  WHERE lock_date IS NULL
  AND password != 'EXTERNAL'
  AND username != 'SYS')
OR grantee='PUBLIC'
/
 
Dangerous Demo
Execute Any Procedure SELECT *
FROM dba_sys_privs
WHERE privilege LIKE '%CREATE ANY PROC%';

conn owb/owb

CREATE OR REPLACE PROCEDURE <any owner>.do_sql(sqlin VARCHAR2) IS
BEGIN
  EXECUTE IMMEDIATE sqlin;
END;
/

BEGIN
  <any user>.do_sql('drop table emp cascade constraints');
END;
/

Related Topics
Object Privileges
Roles
Security
What's New In 21c
What's New In 23c

Morgan's Library Page Footer
This site is maintained by Dan Morgan. Last Updated: This site is protected by copyright and trademark laws under U.S. and International law. © 1998-2023 Daniel A. Morgan All Rights Reserved
  DBSecWorx