最近在做数据治理的过程中,回收了部分账号的权限,因为角色RESOURCE里拥有CREATE TABLE的权限,所以我想回收RESOURCE角色。例如,对于TEST账号,收回其创建表的权限,就收回了授予其的RESOURCE的角色,结果不到几小时,SUPPORT人员就反馈这个账号遇到了ORA-01536错误。开始还有点懵,后面梳理清楚后,才感慨自己踩了一个大坑。下面简单的重新构造、模拟这样的一个案例。
SQL> select * from v$version;
BANNER
----------------------------------------------------------------
Oracle Database 10g Release 10.2.0.5.0 - 64bit Production
PL/SQL Release 10.2.0.5.0 - Production
CORE 10.2.0.5.0 Production
TNS for Linux: Version 10.2.0.5.0 - Production
NLSRTL Version 10.2.0.5.0 - Production
SQL>CREATE TABLESPACE TBS_TEST_DATA
DATAFILE '/u03/oradata/gps/tbs_test_data.dbf'
SIZE 200M
EXTENT MANAGEMENT LOCAL
SEGMENT SPACE MANAGEMENT AUTO ONLINE;
SQL> CREATE USER TEST IDENTIFIED BY "Test#1232134$#3" DEFAULT TABLESPACE TBS_TEST_DATA TEMPORARY TABLESPACE TEMP;
User created.
SQL> GRANT CONNECT, RESOURCE TO TEST;
Grant succeeded.
SQL> SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='TEST';
GRANTEE PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
TEST UNLIMITED TABLESPACE NO
SQL> SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTEE='TEST';
GRANTEE GRANTED_ROLE ADM DEF
------------------------------ ------------------------------ --- ---
TEST RESOURCE NO YES
TEST CONNECT NO YES
SQL> SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='RESOURCE';
GRANTEE PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
RESOURCE CREATE TRIGGER NO
RESOURCE CREATE SEQUENCE NO
RESOURCE CREATE TYPE NO
RESOURCE CREATE PROCEDURE NO
RESOURCE CREATE CLUSTER NO
RESOURCE CREATE OPERATOR NO
RESOURCE CREATE INDEXTYPE NO
RESOURCE CREATE TABLE NO
8 rows selected.