Oracle Security in CDBs and PDBs - OCP: Oracle Database 12c Administrator Certified Professional

Database Reference

In-Depth Information

Similarly, the next example shows how local user lne6_admin can grant the common

user c##mydba the AUDIT_VIEWER and c##passord_timeout common roles for use within

the lne6 PDB.

SQL> CONNECT lne6_admin/system06@lne6

SQL> GRANT AUDIT_VIEWER, c##password_timeout TO c##my_dba CONTAINER=CURRENT;

Grant succeeded.

SQL>

The next example shows how a local user lne6_admin can revoke a role from a PDB.

Remember that in a PDB CONTAINER=CURRENT is implied.

SQL> CONNECT lne6_admin/system06@lne6

SQL> REVOKE lne_boss FROM smith06 CONTAINER=CURRENT;

Revoke succeeded.

SQL>

Enabling Common Users to Access Data in Specific PDBs

In the following sections, we will discuss how to set up common users to access data in PDBs.

Since common users have by default the same identity across all containers in a multitenant

CDB environment, you'll need to grant them the ability to set the current container and grant

them access to specific objects within PDB schemas.

We'll first discuss how to grant common users privileges to create objects within PDBs.

Next we'll discuss the CONTAINER_DATA concept, and finally we'll show how a common user

can access objects related to PDBs in a common view.

Granting or Revoking Privileges to Create PDB Objects

To grant a privilege in a multitenant environment, include the CONTAINER clause in the GRANT

or REVOKE statement. Setting CONTAINER to ALL applies the privilege to all existing and future

containers; setting it to CURRENT applies the privilege to the local container only. The default

value of the CONTAINER is implied to be common if you're a common user and the current con-

tainer is CDB$ROOT ; it is implied to be local if your current container is a PDB. So, when the

current container is a PDB, the CONTAINER clause defaults to local, and the privilege applies to

the local container. If you issue the GRANT or REVOKE statement from the CDB$ROOT , the privi-

lege is granted or revoked commonly. Here's an example of granting a privilege to a common

user that will allow that user to create a table in any PDB.

SQL> CONNECT sys/system@CONT AS SYSDBA

Connected.

Search WWH ::

Custom Search

Home