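Scenario: user HZQ must not be able to grant privileges on the tables it creates itself; user A needs to be able to grant privileges on HZQ's tables.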

    CREATE OR REPLACE TRIGGER TR_TABLE_GRANT
    BEFORE GRANT ON database
    DECLARE
      v_owner      varchar(30);   -- owner of the object named in the GRANT
      v_table_name varchar(30);   -- name of the object named in the GRANT
      v_oper_user  varchar(30);   -- user issuing the GRANT
    BEGIN
      v_owner      := SYS.DICTIONARY_OBJ_OWNER;
      v_table_name := SYS.DICTIONARY_OBJ_NAME;
      v_oper_user  := ora_login_user;
      -- Only DBADMIN and A may grant on objects owned by HZQ; everyone else is rejected.
      IF( v_owner = 'HZQ' and v_oper_user not in ('DBADMIN','A')) THEN
        RAISE_APPLICATION_ERROR(
          -20001,
          ' No grant privilege on '||v_owner||'.'||v_table_name||' !!!'
        );
      END IF;
    END;
    /

Results

The owner cannot grant privileges on tables it created itself:

    SQL> conn hzq/hzq
    Connected.
    SQL> create table t1(id int);
    Table created.
    SQL> grant select on hzq.t1 to b;
    grant select on hzq.t1 to b
    *
    ERROR at line 1:
    ORA-00604: error occurred at recursive SQL level 1
    ORA-20001: No grant privilege on HZQ.T1 !!!
    ORA-06512: at line 11

For now only the sys user can grant. Note that dbadmin has the DBA privilege:

    SQL> conn dbadmin/pass
    Connected.
    SQL> grant select on hzq.t1 to c;
    Grant succeeded.

Even the sys user cannot grant:

    SQL> conn / as sysdba
    Connected.
    SQL> grant select on hzq.t1 to b;
    grant select on hzq.t1 to b
    *
    ERROR at line 1:
    ORA-00604: error occurred at recursive SQL level 1
    ORA-20001: No grant privilege on HZQ.T1 !!!
    ORA-06512: at line 11

Now dbadmin grants hzq.t1 to a with grant option. The trigger allows a to grant privileges on HZQ's tables, so user a can grant:

    SQL> grant select on hzq.t1 to c with grant option;
    Grant succeeded.
    SQL> grant select on hzq.t1 to a with grant option;
    Grant succeeded.
    SQL> conn c/c
    Connected.
    SQL> grant select on hzq.t1 to dbadmin;
    grant select on hzq.t1 to dbadmin
    *
    ERROR at line 1:
    ORA-00604: error occurred at recursive SQL level 1
    ORA-20001: No grant privilege on HZQ.T1 !!!
    ORA-06512: at line 11
    SQL> conn a/a
    Connected.
    SQL> grant select on hzq.t1 to dbadmin;
    Grant succeeded.
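
An added check, not part of the original post: the trigger only rejects new GRANT statements, so a grant option already stored in the dictionary (C's in the session above) becomes usable again as soon as the trigger is disabled or dropped. The queries below use the standard DBA_TAB_PRIVS, DBA_TRIGGERS and DBA_SYS_PRIVS views and assume a DBA-privileged session, the trigger name TR_TABLE_GRANT and the allow-list ('DBADMIN','A') from the post.

```sql
-- 1. Grantees that hold WITH GRANT OPTION on HZQ objects but are not on the
--    trigger's allow-list. Their grant option is only held back by the trigger.
SELECT p.grantee, p.table_name, p.privilege, p.grantor
FROM   dba_tab_privs p
WHERE  p.owner     = 'HZQ'
AND    p.grantable = 'YES'
AND    p.grantee NOT IN ('DBADMIN', 'A')
ORDER  BY p.grantee, p.table_name, p.privilege;

-- 2. Confirm the control is still in place: the trigger must exist and be ENABLED.
SELECT t.owner, t.trigger_name, t.triggering_event, t.base_object_type, t.status
FROM   dba_triggers t
WHERE  t.trigger_name = 'TR_TABLE_GRANT';

-- 3. Accounts and roles holding system privileges that allow disabling,
--    altering or dropping the trigger, and so switching the control off.
SELECT s.grantee, s.privilege, s.admin_option
FROM   dba_sys_privs s
WHERE  s.privilege IN ('ADMINISTER DATABASE TRIGGER',
                       'ALTER ANY TRIGGER',
                       'DROP ANY TRIGGER')
ORDER  BY s.grantee, s.privilege;
```

With the state left by the session above, query 1 should list C with SELECT on T1; revoking that grant option removes the dependency on the trigger for that account.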