ACE Director Alum Daniel Morgan, founder of Morgan's Library, is scheduling
complimentary technical Workshops on Database Security for the first 30
Oracle Database customers located anywhere in North America, EMEA, LATAM, or
APAC that send an email to
asra_us@oracle.com. Request a Workshop for
your organization today.
System privileges are privileges that do not relate to a specific schema or object.
This library page has been updated for version 12.2 with new privileges related to the new Analytic Views and security enhancements. Demos will be published in the appropriate section of the library following 12.2's release for download.
Note: References to "Undocumented" below indicate that the privilege is not documented in the SQL Language Reference.
They may be documented somewhere else but, for example the WRITE_ANY_ANALYTIC_VIEW_CACHE privilege it is in the system_privilege_map table but not findable even with Google except where posted by Morgan.
Are we absolutely certain it exists? You be the judge:
SQL> GRANT write any analytic view cache TO xdb;
Grant succeeded.
SQL> REVOKE write any analytic view cache FROM xdb;
Revoke succeeded.
Data Dictionary Objects
ALL_SYS_PRIVS
DBA_SYS_PRIVS
SYSTEM_PRIVILEGE_MAP
CDB_SYS_PRIVS
SESSION_PRIVS
USER_SYS_PRIVS
View All System Privileges: Including Undocumented System Privs
SELECT name
FROM system_privilege_map
ORDER BY 1;
Privileges
Administer
Administer Any SQL Tuning Set
Administer Database Trigger (database level trigger)
Administer Firewall
Administer Key Management
Administer Redaction Policy
Administer Resource Manager (undocumented)
Administer SQL Management Object
Administer SQL Tuning Set
Flashback Archive Administer (undocumented)
Grant Any Object Privilege
Grant Any Privilege
Grant Any Role
Manage Any File Group (undocumented)
Manage Any Queue (undocumented)
Manage File Group (undocumented)
Manage Scheduler
Manage Tablespace
Advanced Queuing
Dequeue Any Queue (undocumented)
Enqueue Any Queue (undocumented)
Manage Any Queue (undocumented)
Advisor Framework
Administer Any SQL Tuning Set
Administer SQL Management Object
Administer SQL Tuning Set
Advisor
Alter Any SQL Profile
Create Any SQL Profile -deprecated use Administer SQL Management Object
Drop Any SQL Profile
Alter Any Privileges
Alter Any Analytic View
Alter Any Assembly (undocumented)
Alter Any Attribute Dimension
Alter Any Cluster
Alter Any Cube
Alter Any Cube Build Process (undocumented)
Alter Any Cube Dimension
Alter Any Dimension
Alter Any Domain
Alter Any Edition (undocumented)
Alter Any Evaluation Context (undocumented)
Alter Any Hierarchy
Alter Any Index
Alter Any Indextype
Alter Any Library
Alter Any Materialized View
Alter Any Measure Folder (undocumented)
Alter Any Mining Model
Alter Any MLE
Alter Any Operator
Alter Any Outline
Alter Any Procedure
Alter Any Property Graph
Alter Any Role
Alter Any Rule (undocumented)
Alter Any Rule Set (undocumented)
Alter Any Sequence
Alter Any SQL Profile
Alter Any SQL Translation Profile
Alter Any Table
Alter Any Trigger
Alter Any Type
Alter Privileges
Alter Database
Alter Database Link
Alter Lockdown Profile
Alter Profile
Alter Public Database Link
Alter Resource Cost
Alter Rollback Segment
Alter Session
Alter System
Alter Tablespace
Alter User
Analytic Views
Alter Any Analytic View
Create Any Analytic View
Create Analytic View
Drop Any Analytic View
Read Any Analytic View Cache (undocumented)
Write Any Analytic View Cache (undocumented)
Analyze Privileges
Analyze Any
Analyze Any Dictionary
Assembly Privileges
Alter Any Assembly (undocumented)
Create Any Assembly (undocumented)
Create Assembly (undocumented)
Drop Any Assembly (undocumented)
Execute Any Assembly (undocumented)
Execute Assembly (undocumented)
Attribute Dimensions
Alter Any Attribute Dimension
Create Any Attribute Dimension
Create Attribute Dimension
Drop Any Attribute Dimension
Audit Privileges
Administer Fine Grained Audit Policy
Audit Any
Audit System
Backup Privileges
Backup Any Table
Clusters
Alter Any Cluster
Create Any Cluster
Create Cluster
Drop Any Cluster
Comment Privileges
Comment Any Mining Model
Comment Any Table
Container Database
Create Pluggable Database
Set Container
Contexts
Create Any Context
Drop Any Context
Create Any Privileges
Create Any Analytic View
Create Any Assembly (undocumented)
Create Any Attribute Dimension
Create Any Cluster
Create Any Context
Create Any Credential (undocumented)
Create Any Cube
Create Any Cube Build Process
Create Any Cube Dimension
Create Any Dimension
Create Any Directory
Create Any Domain
Create Any Edition
Create Any Evaluation Context (undocumented)
Create Any Hierarchy
Create Any Index
Create Any Indextype
Create Any Job
Create Any Library
Create Any Materialized View
Create Any Measure Folder
Create Any Mining Model
Create Any MLE
Create Any Operator
Create Any Outline
Create Any Procedure
Create Any Property Graph
Create Any Rule (undocumented)
Create Any Rule Set (undocumented)
Create Any Sequence
Create Any SQL Profile - deprecated Use Administer SQL Management Object
Create Any SQL Translation Profile
Create Any Synonym
Create Any Table
Create Any Trigger
Create Any Type
Create Any View
Create Privileges
Create Active Data Cache
Create Analytic View
Create Assembly (undocumented)
Create Attribute Dimension
Create Cluster
Create Credential (undocumented)
Create Cube
Create Cube Build Process
Create Cube Dimension
Create Database Link
Create Dimension
Create Domain
Create Evaluation Context (undocumented)
Create External Job
Create Hierarchy
Create Indextype
Create Job
Create Library
Create Lockdown Profile
Create Logical Partition Tracking
Create Materialized View
Create Measure Folder
Create Mining Model
Create MLE
Create Operator
Create Pluggable Database
Create Procedure
Create Profile
Create Property Graph
Create Public Database Link
Create Public Synonym
Create Role
Create Rollback Segment
Create Rule (undocumented)
Create Rule Set (undocumented)
Create Sequence
Create Session
Create SQL Translation Profile
Create Synonym
Create Table
Create Tablespace
Create Trigger
Create Type
Create User
Create View
Database & System
Alter Database
Alter System
Audit System
Create Pluggable Database
Database Links
Alter Database Link
Alter Public Database Link
Create Database Link
Create Public Database Link
Drop Public Database Link
Datastore
Text Datastore Access (undocumented)
Debug
Debug Any Procedure
Debug Connect Any (undocumented)
Debug Connect Session
Delete
Delete Any Cube Dimension
Delete Any Measure Folder
Delete Any Table
Diagnostics
Enable Diagnostics
Dimensions
Alter Any Dimension
Create Any Dimension
Create Dimension
Drop Any Dimension
Directories
Create Any Directory
Drop Any Directory
Domain
Alter Any Domain
Create Any Domain
Create Domain
Drop Any Domain
Execute Any Domain
Drop Any Privileges
Drop Any Analytic View
Drop Any Assembly (undocumented)
Drop Any Attribute Dimension
Drop Any Cluster
Drop Any Context
Drop Any Cube
Drop Any Cube Build Process
Drop Any Cube Dimension
Drop Any Dimension
Drop Any Directory
Drop Any Domain
Drop Any Edition
Drop Any Evaluation Context (undocumented)
Drop Any Hierarchy
Drop Any Index
Drop Any Indextype
Drop Any Library
Drop Any Materialized View
Drop Any Measure Folder
Drop Any Mining Model
Drop Any MLE
Drop Any Operator
Drop Any Outline
Drop Any Procedure
Drop Any Property Graph
Drop Any Role
Drop Any Rule (undocumented)
Drop Any Rule Set (undocumented)
Drop Any Sequence
Drop Any SQL Profile
Drop Any SQL Translation Profile
Drop Any Synonym
Drop Any Table
Drop Any Trigger
Drop Any Type
Drop Any View
Drop Privileges
Drop Lockdown Profile
Drop Logical Partition Tracking
Drop Profile
Drop Public Database Link
Drop Public Synonym
Drop Rollback Segment
Drop Tablespace
Drop User
Editions
Alter Any Edition (undocumented)
Create Any Edition
Drop Any Edition
Enterprise Manager
EM Express Connect (undocumented)
Evaluation Context
Alter Any Evaluation Context (undocumented)
Create Any Evaluation Context (undocumented)
Drop Any Evaluation Context (undocumented)
Execute Any Evaluation Context (undocumented)
Create Evaluation Context (undocumented)
Execute Privileges
Execute Any Assembly (undocumented)
Execute Any Class
Execute Any Domain
Execute Any Evaluation Context (undocumented)
Execute Any Indextype
Execute Any Library
Execute Any Operator
Execute Any Procedure
Execute Any Program
Execute Any Rule (undocumented)
Execute Any Rule Set (undocumented)
Execute Any Type
Execute Assembly (undocumented)
Execute Dynamic MLE
Exempt Privileges
Exempt Access Policy
Exempt Firewall Policy
Exempt Identity Policy
Exempt Redaction Policy
Export & Import
Export Full Database (undocumented)
Import Full Database (undocumented)
Fine Grained Access Control
Exempt Access Policy (bypasses FGAC)
File Group
Manage Any File Group (undocumented)
Manage File Group (undocumented)
Read Any File Group (undocumented)
Firewall
Administer Firewall
Exempt Firewall Policy
Flashback
Flashback Any Table
Flashback Archive Administer
Purge DBA_RECYCLEBIN
Force
Force Any Transaction
Force Transaction
Grant
Grant Any Object Privilege
Grant Any Privilege
Grant Any Role
Grant Any Schema Privilege
Hierarchies
Alter Any Hierarchy
Create Any Hierarchy
Create Hierarchy
Drop Any Hierarchy
Indexes
Alter Any Index
Create Any Index
Drop Any Index
Indextype
Alter Any Indextype
Create Any Indextype
Create Indextype
Drop Any Indextype
Execute Any Indextype
Inherit
Inherit Any Privileges
Inherit Any Remote Privileges
Insert
Insert Any Cube Dimension
Insert Any Measure Folder
Insert Any Table
Job Scheduler
Create Any Job
Create External Job
Create Job
Execute Any Class
Execute Any Program
Manage Scheduler
Use Any Job Resource
Libraries
Alter Any Library
Create Any Library
Create Library
Drop Any Library
Execute Any Library
Locks
Lock Any Table
Lockdown Profile
Alter Lockdown Profile
Create Lockdown Profile
Drop Lockdown Profile
Log Mining
Logmining
Logical Partition Tracking
Create Logical Partition Tracking
Drop Logical Partition Tracking
Materialized Views
Alter Any Materialized View
Create Any Materialized View
Create Materialized View
Drop Any Materialized View
Flashback Any Table
Global Query Rewrite
On Commit Refresh
Query Rewrite
Measure Folders
Alter Any Measure Folder (undocumented)
Create Any Measure Folder
Create Measure Folder
Delete Any Measure Folder
Drop Any Measure Folder
Insert Any Measure Folder
Mining Models
Alter Any Mining Model
Comment Any Mining Model
Create Any Mining Model
Create Mining Model
Drop Any Mining Model
Select Any Mining Model
Multi-Lingual Engine
Alter Any MLE
Create Any MLE
Create MLE
Drop Any MLE
Execute Dynamic MLE
Notification Privilege
Change Notification
OLAP Cubes
Alter Any Cube
Create Any Cube
Create Cube
Drop Any Cube
Select Any Cube
Update Any Cube
OLAP Cube Build
Alter Any Cube Build Process (undocumented)
Create Any Cube Build Process
Create Cube Build Process
Drop Any Cube Build Process
Update Any Cube Build Process
OLAP Cube Dimensions
Alter Any Cube Dimension
Create Any Cube Dimension
Create Cube Dimension
Delete Any Cube Dimension
Drop Any Cube Dimension
Insert Any Cube Dimension
Select Any Cube Dimension
Update Any Cube Dimension
OLAP Cube Measure Folders
Create Any Measure Folder
Create Measure Folder
Delete Any Measure Folder
Drop Any Measure Folder
Insert Any Measure Folder
Operator
Alter Any Operator
Create Any Operator
Create Operator
Drop Any Operator
Execute Any Operator
Outlines
Alter Any Outline
Create Any Outline
Drop Any Outline
Plan Management
Administer SQL Management Object
Policies
Administer Fine Grained Audit Policy
Administer Redaction Policy
Administer Row Level Security Policy
Exempt Access Policy
Exempt Identity Policy (undocumented)
Exempt Redaction Policy
Procedures
Alter Any Procedure
Create Any Procedure
Create Procedure
Drop Any Procedure
Execute Any Procedure
Inherit Any Remote Privileges
Profiles
Alter Profile
Create Profile
Drop Profile
Property Graph
Alter Any Property Graph
Create Any Property Graph
Create Property Graph
Drop Property Graph
Read Any Property Graph
Query Rewrite
Global Query Rewrite
Query Rewrite
Read Any
Read Any Analytic View Cache (undocumented)
Read Any File Group (undocumented)
Read Any Property Graph
Read Any Table
Real Application Testing
Keep Date Time
Keep SYSGUID
Redaction
Administer Redaction Policy
Exempt Redaction Policy
Resumable
Resumable
Roles
Alter Any Role
Create Role
Drop Any Role
Grant Any Role
Rollback Segment
Alter Rollback Segment
Create Rollback Segment
Drop Rollback Segment
Row Level Security
Administer Row Level Security Policy
Scheduler
Manage Scheduler
Schema
Grant Any Schema Privilege
Select
Select Any Cube
Select Any Cube Build Process (undocumented)
Select Any Cube Dimension
Select Any Dictionary
Select Any Measure Folder
Select Any Mining Model
Select Any Sequence
Select Any Table
Select Any Transaction
Sequence
Alter Any Sequence
Create Any Sequence
Create Sequence
Drop Any Sequence
Select Any Sequence
Session
Alter Resource Cost
Alter Session
Create Session
Restricted Session
Synonym
Create Any Synonym
Create Public Synonym
Create Synonym
Drop Any Synonym
Drop Public Synonym
SQL Translation
Alter Any SQL Translation Profile
Create Any SQL Translation Profile
Drop Any SQL Translation Profile
Translate Any SQL
Use Any SQL Translation Profile
Create SQL Translation Profile
System Privileges
SYSBACKUP
SYSDBA
SYSDG
SYSKM
SYSOPER
SYSRAC (undocumented)
Tables
Alter Any Table
Backup Any Table
Comment Any Table
Create Any Table
Create Table
Delete Any Table
Drop Any Table
Flashback Any Table
Insert Any Table
Lock Any Table
Read Any Table
Redefine Any Table
Select Any Table
Under Any Table
Update Any Table
Tablespaces
Alter Tablespace
Create Tablespace
Drop Tablespace
Manage Tablespace
Unlimited Tablespace
Transactions
Force Any Transaction
Force Transaction
Triggers
Administer Database Trigger
Alter Any Trigger
Create Any Trigger
Create Trigger
Drop Any Trigger
Types
Alter Any Type
Create Any Type
Create Type
Drop Any Type
Execute Any Type
Under Any Type
Under
Under Any Table (undocumented)
Under Any Type
Under Any View
Update
Update Any Cube
Update Any Cube Build Process
Update Any Cube Dimension
Update Any Table
User
Alter User
Become User
Create User
Drop User
View
Create Any View
Create View
Drop Any View
Flashback Any Table
Merge Any View
Under Any View
Write
Write Any Analytic View Cache (undocumented)
Granting System Privileges
Grant A Single Privilege
GRANT <privilege_name> TO <schema_name>;
GRANT create table TO uwclass;
Grant Multiple Privileges
GRANT <privilege_name, privilege_name, ...> TO <schema_name>;
GRANT create table, create view, create procedure TO uwclass;
Revoking System Privileges
Revoke A Single Privilege
REVOKE <privilege_name> FROM <schema_name>;
REVOKE create table FROM uwclass;
Revoke Multiple Privileges
REVOKE <privilege_name, privilege_name, ...> FROM <schema_name>;
REVOKE create table, create view FROM uwclass;
Determine User Privs
These queries will list the system privileges assigned to a user
SELECT LPAD(' ', 2*level) || granted_role "USER PRIVS"
FROM (
SELECT NULL grantee, username AS GRANTED_ROLE
FROM dba_users
WHERE username LIKE UPPER('%&uname%')
UNION
SELECT grantee, granted_role
FROM dba_role_privs
UNION
SELECT grantee, privilege
FROM dba_sys_privs)
START WITH grantee IS NULL
CONNECT BY grantee = prior granted_role;
or
SELECT path
FROM (
SELECT grantee,
sys_connect_by_path(privilege, ':')||':'||grantee path
FROM (
SELECT grantee, privilege, 0 role
FROM dba_sys_privs
UNION ALL
SELECT grantee, granted_role, 1 role
FROM dba_role_privs)
CONNECT BY privilege=prior grantee
START WITH role = 0)
WHERE grantee IN (
SELECT username
FROM dba_users
WHERE lock_date IS NULL
AND password != 'EXTERNAL'
AND username != 'SYS')
OR grantee='PUBLIC'
/
Dangerous Demo
Execute Any Procedure
SELECT *
FROM dba_sys_privs
WHERE privilege LIKE '%CREATE ANY PROC%';
conn owb/owb
CREATE OR REPLACE PROCEDURE <any owner>.do_sql(sqlin VARCHAR2) IS
BEGIN
EXECUTE IMMEDIATE sqlin;
END;
/
BEGIN
<any user>.do_sql('drop table emp cascade constraints');
END;
/