1. Check the current ORACLE_SID (Linux)
# su - oracle
$ cat /etc/oratab
orcl:/oracle/app/oracle/product/11.2.0/dbhome_1:N
crm:/oracle/app/oracle/product/11.2.0/dbhome_1:N
2. Check the current ORACLE_SID (Windows)
Open Control Panel > System and Security > Administrative Tools > Services.
Look for services whose names begin with OracleService, such as OracleServiceORCL or OracleServiceCRM; each such service corresponds to one instance.
3. Switch ORACLE_SID (Linux)
$ echo $ORACLE_SID
orcl
$ export ORACLE_SID=crm
$ echo $ORACLE_SID
crm
$ sqlplus / as sysdba
4. Switch ORACLE_SID (Windows)
C:\Users\sqluser> sqlplus sys/passwd@crm as sysdba
or
C:\Users\sqluser> set oracle_sid=crm
C:\Users\sqluser> sqlplus /nolog
SQL> connect / as sysdba
or
SQL> connect sys/passwd@crm as sysdba
SQL> select name from v$database;
or
SQL> select instance_name from v$instance;
Note: run the following statement first to find out which users hold the DBA role. If there are none (apart from sys/system), the remaining steps can be skipped.
SQL> select * from dba_role_privs where GRANTED_ROLE = 'DBA';
GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
SYS                            DBA                            YES YES
SYSTEM                         DBA                            YES YES
1. List the accounts that are open for use in each instance
SQL> select username from dba_users where account_status = 'OPEN';
USERNAME
------------------------------
SYS
SYSTEM
ERP
3 rows selected.
2. List the roles each user holds (dba_role_privs). Note that the username must be in upper case; user ERP is used as the example below.
SQL> select * from dba_role_privs where GRANTEE = 'ERP';
GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
ERP                            DBA                            NO  YES
ERP                            RESOURCE                       NO  YES
ERP                            CONNECT                        NO  YES
3. List the system privileges each user holds (dba_sys_privs). Note that the username must be in upper case; user ERP is used as the example below.
SQL> select * from dba_sys_privs where GRANTEE = 'ERP';
GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
ERP                            CREATE ANY SYNONYM                       NO
ERP                            UNLIMITED TABLESPACE                     NO
ERP                            CREATE SESSION                           NO
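The three checks above can be combined into a single report. The query below is an added example, not part of the original post; it uses only the standard dictionary views dba_users, dba_role_privs and dba_sys_privs, and, like the post, treats SYS and SYSTEM as out of scope.

```sql
-- Added example: one row per OPEN account (excluding SYS/SYSTEM) and each
-- role or direct system privilege it holds, with the ADMIN OPTION flag.
-- Run as a DBA account (for example: sqlplus / as sysdba).
SELECT u.username,
       'ROLE'          AS grant_type,
       r.granted_role  AS granted,
       r.admin_option  AS adm
  FROM dba_users      u
  JOIN dba_role_privs r ON r.grantee = u.username
 WHERE u.account_status = 'OPEN'
   AND u.username NOT IN ('SYS', 'SYSTEM')
UNION ALL
SELECT u.username,
       'SYSPRIV'       AS grant_type,
       s.privilege     AS granted,
       s.admin_option  AS adm
  FROM dba_users     u
  JOIN dba_sys_privs s ON s.grantee = u.username
 WHERE u.account_status = 'OPEN'
   AND u.username NOT IN ('SYS', 'SYSTEM')
 ORDER BY 1, 2, 3;
```

Because the join is on dba_users.username, roles and privileges granted to other roles are not listed here; only what is granted directly to the account appears, which is what the post's per-user queries show.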
1. Revoke the DBA role
SQL> revoke dba from ERP;
Revoke succeeded.
2. Re-grant the required privileges
SQL> grant connect, resource to ERP;
SQL> grant create view to ERP;
SQL> grant create public synonym to ERP;
SQL> grant drop public synonym to ERP;
SQL> grant unlimited tablespace to ERP;
Grant succeeded.
3. Confirm the privileges
SQL> select * from dba_role_privs where GRANTEE = 'ERP';
GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
ERP                            CONNECT                        NO  YES
ERP                            RESOURCE                       NO  YES
SQL> select * from dba_sys_privs where GRANTEE = 'ERP';
GRANTEE                        PRIVILEGE                                ADM
------------------------------ ---------------------------------------- ---
ERP                            CREATE VIEW                              NO
ERP                            DROP PUBLIC SYNONYM                      NO
ERP                            CREATE PUBLIC SYNONYM                    NO
ERP                            UNLIMITED TABLESPACE                     NO
4. Revoke the other dangerous privileges that come with the DBA role. Pay particular attention to privileges beginning with DROP ANY, UPDATE ANY, ALTER ANY and ADMINISTER; assess each one and revoke it as the situation requires. DROP ANY TABLE is used as the example here.
SQL> revoke DROP ANY TABLE from ERP;
Revoke succeeded.
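Checking dba_sys_privs alone misses privileges a user receives through a role (DBA, or a role nested inside another role). The query below is an added example, not from the original post; it expands role membership with a recursive subquery (available from Oracle 11.2, the version shown in /etc/oratab above) and lists every "ANY"/ADMINISTER system privilege each open account holds, whether directly or through which top-level role, so that the revoke decision can be made per row. The role_role_privs and role_sys_privs views used are standard dictionary views.

```sql
-- Added example: effective dangerous system privileges of OPEN accounts
-- (excluding SYS/SYSTEM), resolved through nested roles.
WITH user_roles (username, top_role, role_name) AS (
  -- roles granted directly to the account; top_role is what REVOKE must name
  SELECT r.grantee, r.granted_role, r.granted_role
    FROM dba_role_privs r
    JOIN dba_users u ON u.username = r.grantee
   WHERE u.account_status = 'OPEN'
     AND u.username NOT IN ('SYS', 'SYSTEM')
  UNION ALL
  -- roles granted to those roles (Oracle forbids circular role grants,
  -- so the recursion terminates)
  SELECT ur.username, ur.top_role, rr.granted_role
    FROM user_roles ur
    JOIN role_role_privs rr ON rr.role = ur.role_name
),
effective_privs (username, privilege, via) AS (
  -- privileges granted straight to the account
  SELECT s.grantee, s.privilege, 'DIRECT'
    FROM dba_sys_privs s
    JOIN dba_users u ON u.username = s.grantee
   WHERE u.account_status = 'OPEN'
     AND u.username NOT IN ('SYS', 'SYSTEM')
  UNION ALL
  -- privileges that arrive through any role in the chain
  SELECT ur.username, rs.privilege, ur.top_role
    FROM user_roles ur
    JOIN role_sys_privs rs ON rs.role = ur.role_name
)
SELECT DISTINCT
       username,
       privilege,
       via,
       CASE
         WHEN via = 'DIRECT'
           THEN 'revoke ' || privilege || ' from ' || username || ';'
         ELSE 'granted through role ' || via
              || ': revoke the role and re-grant only what is needed'
       END AS suggested_action
  FROM effective_privs
 WHERE privilege LIKE 'DROP ANY%'
    OR privilege LIKE 'UPDATE ANY%'
    OR privilege LIKE 'ALTER ANY%'
    OR privilege LIKE 'ADMINISTER%'
 ORDER BY username, privilege, via;
```

The suggested_action column is text for review, not something to execute blindly: a privilege that arrives through a role cannot be revoked from the user directly, which is why the post revokes DBA as a whole and then grants back CONNECT, RESOURCE and the individual privileges the application needs.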
Note: if the ADM column shows YES, the grant carries WITH ADMIN OPTION (for system privileges) or WITH GRANT OPTION (for object privileges). Such grants must be revoked and then re-granted without the option.
Example:
1. Query which roles user ERP holds (dba_role_privs)
SQL> select * from dba_role_privs where GRANTEE = 'ERP';
GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
ERP                            CONNECT                        YES YES
ERP                            AQ_USER_ROLE                   YES YES
ERP                            RESOURCE                       NO  YES
2. Revoke the grants whose ADM column is YES and re-grant them
SQL> revoke connect from ERP;
Revoke succeeded.
SQL> revoke AQ_USER_ROLE from ERP;
Revoke succeeded.
SQL> grant connect to ERP;
Grant succeeded.
3. Confirm the privileges
SQL> select * from dba_role_privs where GRANTEE = 'ERP';
GRANTEE                        GRANTED_ROLE                   ADM DEF
------------------------------ ------------------------------ --- ---
ERP                            CONNECT                        NO  YES
ERP                            AQ_USER_ROLE                   NO  YES
ERP                            RESOURCE                       NO  YES
4. Check whether any database links exist, so that the privilege revocation does not break cross-database access
SQL> select * from dba_objects where object_type like '%LINK%';
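Two follow-up checks for the note and step 4 above, added here as an example and not part of the original post. The first lists every grant an open account could pass on to others (ADMIN OPTION on roles and system privileges, GRANT OPTION on object privileges) so that none is missed after the revoke/re-grant cycle; the second lists database links, using the dba_db_links view rather than dba_objects, because it also shows the owner, the remote user and the host, which is what decides whether a revoke on this side affects cross-database access. The user ERP is the post's own example account.

```sql
-- Added example, part 1: grants with ADMIN/GRANT OPTION held by OPEN
-- accounts other than SYS/SYSTEM. Any row here should be revoked and
-- re-granted without the option, as the note above describes.
SELECT r.grantee,
       'ROLE'          AS kind,
       r.granted_role  AS item
  FROM dba_role_privs r
  JOIN dba_users u ON u.username = r.grantee
 WHERE r.admin_option = 'YES'
   AND u.account_status = 'OPEN'
   AND u.username NOT IN ('SYS', 'SYSTEM')
UNION ALL
SELECT s.grantee,
       'SYSPRIV'       AS kind,
       s.privilege     AS item
  FROM dba_sys_privs s
  JOIN dba_users u ON u.username = s.grantee
 WHERE s.admin_option = 'YES'
   AND u.account_status = 'OPEN'
   AND u.username NOT IN ('SYS', 'SYSTEM')
UNION ALL
SELECT t.grantee,
       'OBJPRIV'       AS kind,
       t.owner || '.' || t.table_name || ' (' || t.privilege || ')' AS item
  FROM dba_tab_privs t
  JOIN dba_users u ON u.username = t.grantee
 WHERE t.grantable = 'YES'
   AND u.account_status = 'OPEN'
   AND u.username NOT IN ('SYS', 'SYSTEM')
 ORDER BY 1, 2, 3;

-- Added example, part 2: database links owned by the account being
-- reduced (ERP) or visible to everyone (PUBLIC). A private link owned by
-- ERP, or a public link that connects as ERP at the remote end, is the
-- case where revoking privileges on one side can break the other.
SELECT l.owner,
       l.db_link,
       l.username AS remote_user,
       l.host,
       l.created
  FROM dba_db_links l
 WHERE l.owner IN ('ERP', 'PUBLIC')
    OR l.username = 'ERP'
 ORDER BY l.owner, l.db_link;
```

Run both queries before and after the revoke steps; the ADM/GRANT OPTION report should come back empty for the application account, and the link list tells you which remote databases to verify once the changes are in.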