How to revoke user privileges and roles – Oracle DBA

Revoking User Privileges and Roles in Oracle

In Oracle, the REVOKE statement is used to remove system or object privileges from a user or role. This is crucial for maintaining database security and ensuring that users only have the necessary permissions to perform their tasks.

Basic Syntax

The basic syntax for revoking privileges is:

REVOKE {system_privilege | object_privilege} FROM user;

For revoking roles:

REVOKE role FROM user;

Scenario 1: Revoking System Privileges

Context: A user named alice was granted the CREATE SESSION and CREATE TABLE system privileges. However, due to a change in her role, she no longer needs the CREATE TABLE privilege.

Steps:
  1. Granting Privileges:
CREATE USER alice IDENTIFIED BY password;
GRANT CREATE SESSION, CREATE TABLE TO alice;

2. Revoking the CREATE TABLE Privilege:

REVOKE CREATE TABLE FROM alice;

Outcome: After executing the REVOKE statement, alice will still be able to log in to the database (due to the CREATE SESSION privilege) but will no longer be able to create new tables.

Scenario 2: Revoking Object Privileges

Context: A user named bob was granted SELECTINSERTUPDATE, and DELETE privileges on the employees table. Due to security policies, his INSERT and DELETE privileges need to be revoked.

Steps:

1. Granting Privileges:

CREATE USER bob IDENTIFIED BY password;
GRANT SELECT, INSERT, UPDATE, DELETE ON employees TO bob;

2. Revoking the INSERT and DELETE Privileges:

REVOKE INSERT, DELETE ON employees FROM bob;

Outcome: After executing the REVOKE statement, bob will still be able to read and update records in the employees table but will no longer be able to insert new records or delete existing ones.

Scenario 3: Revoking Roles

Context: A user named charlie was assigned the DBA role, which grants extensive privileges. Due to a change in responsibilities, this role needs to be revoked.

Steps:

1. Granting the Role:

CREATE USER charlie IDENTIFIED BY password;
GRANT DBA TO charlie;

2. Revoking the DBA Role:

REVOKE DBA FROM charlie;

Outcome: After executing the REVOKE statement, charlie will lose all the privileges associated with the DBA role.

Key Points to Remember

  • System Privileges: These are powerful and should be granted and revoked carefully.
  • Object Privileges: These are specific to database objects like tables and views.
  • Roles: These group multiple privileges and can be managed collectively.

By carefully managing and revoking user privileges and roles, you can maintain a secure and well-organized database environment.

Leave a comment