Solved : ORA-01927: cannot REVOKE privileges you did not grant ORA-01749: you may not GRANT/REVOKE privileges to/from yourself DB Vault Enabled.
An execute privilege on DBMS_RLS package has been granted by DVSYS user (that's DB vault sys user I assume)
I have been trying to revoke as SYS user and getting ORA-01927: cannot REVOKE privileges you did not grant
Also tried with DVADMIN user to revoke Got ORA-01749: you may not GRANT/REVOKE privileges to/from yourself DB Vault Enabled.
Objective is to Remove GRANT option to DVADMIN user
SYS (DEV_DB) SQL>revoke execute on DBMS_RLS from DVADMIN;
revoke execute on DBMS_RLS from DVADMIN
*
ERROR at line 1:
ORA-01927: cannot REVOKE privileges you did not grant
So tried to Grant and Revoke once again.,,,. Entries got added twice Revoke didn't succeed with option
SYS (DEV_DB) SQL>grant execute on dbms_rls to DVADMIN;
Grant succeeded.
GRANTEE OWNER TABLE_NAME GRANTOR PRIVILEGE GRA HIE
--------------- ---------- --------- ----------- - ---
DVADMIN SYS DBMS_RLS SYS EXECUTE NO NO
DVADMIN SYS DBMS_RLS DVSYS EXECUTE YES NO
SYS (DEV_DB) SQL>revoke execute on dbms_rls from DVADMIN;
Revoke succeeded.
SYS (DEV_DB) SQL>SELECT * FROM DBA_TAB_PRIVS WHERE GRANTEE LIKE 'DVADMIN';
GRANTEE OWNER TABLE_NAME GRANTOR PRIVILEGE GRA HIE
-------- ----- - ----------- ------- ---------- --- ---
DVADMIN SYS DBMS_RLS DVSYS EXECUTE YES NO
SYS (DEV_DB) SQL>revoke execute on dbms_rls from DVADMIN;
revoke execute on dbms_rls from DVADMIN
*
ERROR at line 1:
ORA-01927: cannot REVOKE privileges you did not grant
Solutions is :Revoked EXECUTE on DBMS_RLS from DVSYS (SYS is the grantor for DVSYS), Which eventually revoked
from DVADMIN as well DVSYS with grant option, Later I granted only Executed permission without grant
Revoked
-- Note I removed some columns for reading ease.
SYS (DEV_DB) SQL>SELECT * FROM DBA_TAB_PRIVS WHERE table_name like 'DBMS_RLS';
GRANTEE TABLE_NAME GRANTOR GRA HIE
----------------------- ------------ -------------- --- ---
EXECUTE_CATALOG_ROLE DBMS_RLS SYS NO NO
USER1 DBMS_RLS SYS NO NO
DVSYS DBMS_RLS SYS YES NO
DV_OWNER DBMS_RLS SYS NO NO
DVADMIN DBMS_RLS DVSYS YES NO
SYS (DEV_DB) SQL>REVOKE EXECUTE ON DBMS_RLS FROM DVSYS;
Revoke succeeded.
SYS (DEV_DB) SQL>SELECT * FROM DBA_TAB_PRIVS WHERE table_name like 'DBMS_RLS';
GRANTEE TABLE_NAME GRANTOR GRA HIE
--------------------- ----------- ------------- ---
EXECUTE_CATALOG_ROLE DBMS_RLS SYS NO NO
USER1 DBMS_RLS SYS NO NO
DV_OWNER DBMS_RLS SYS NO NO
SYS (DEV_DB) SQL>
SYS (DEV_DB) SQL>GRANT EXECUTE ON DBMS_RLS TO DVSYS;
Grant succeeded.
SYS (DEV_DB) SQL>SELECT * FROM DBA_TAB_PRIVS WHERE table_name like 'DBMS_RLS';
GRANTEE OWNER TABLE_NAME GRANTOR GRA HIE
--------------------- ------- ----------- --------- --- ---
EXECUTE_CATALOG_ROLE SYS DBMS_RLS SYS NO NO
USER1 SYS DBMS_RLS SYS NO NO
DV_OWNER SYS DBMS_RLS SYS NO NO
DVSYS SYS DBMS_RLS SYS NO NO
SYS (DEV_DB) SQL>
SYS (DEV_DB) SQL>GRANT EXECUTE ON DBMS_RLS TO DVADMIN;
Grant succeeded.
Successfully Revoked and granted only without GRANT OPTION to user.
Note :
====
please use the commands carefully before executing in your server
its advised to test in test server.
Note :
====
Implementing or trying any of the advice from this blog is at your own risk.
An execute privilege on DBMS_RLS package has been granted by DVSYS user (that's DB vault sys user I assume)
I have been trying to revoke as SYS user and getting ORA-01927: cannot REVOKE privileges you did not grant
Also tried with DVADMIN user to revoke Got ORA-01749: you may not GRANT/REVOKE privileges to/from yourself DB Vault Enabled.
Objective is to Remove GRANT option to DVADMIN user
SYS (DEV_DB) SQL>revoke execute on DBMS_RLS from DVADMIN;
revoke execute on DBMS_RLS from DVADMIN
*
ERROR at line 1:
ORA-01927: cannot REVOKE privileges you did not grant
So tried to Grant and Revoke once again.,,,. Entries got added twice Revoke didn't succeed with option
SYS (DEV_DB) SQL>grant execute on dbms_rls to DVADMIN;
Grant succeeded.
GRANTEE OWNER TABLE_NAME GRANTOR PRIVILEGE GRA HIE
--------------- ---------- --------- ----------- - ---
DVADMIN SYS DBMS_RLS SYS EXECUTE NO NO
DVADMIN SYS DBMS_RLS DVSYS EXECUTE YES NO
SYS (DEV_DB) SQL>revoke execute on dbms_rls from DVADMIN;
Revoke succeeded.
SYS (DEV_DB) SQL>SELECT * FROM DBA_TAB_PRIVS WHERE GRANTEE LIKE 'DVADMIN';
GRANTEE OWNER TABLE_NAME GRANTOR PRIVILEGE GRA HIE
-------- ----- - ----------- ------- ---------- --- ---
DVADMIN SYS DBMS_RLS DVSYS EXECUTE YES NO
SYS (DEV_DB) SQL>revoke execute on dbms_rls from DVADMIN;
revoke execute on dbms_rls from DVADMIN
*
ERROR at line 1:
ORA-01927: cannot REVOKE privileges you did not grant
Solutions is :Revoked EXECUTE on DBMS_RLS from DVSYS (SYS is the grantor for DVSYS), Which eventually revoked
from DVADMIN as well DVSYS with grant option, Later I granted only Executed permission without grant
Revoked
-- Note I removed some columns for reading ease.
SYS (DEV_DB) SQL>SELECT * FROM DBA_TAB_PRIVS WHERE table_name like 'DBMS_RLS';
GRANTEE TABLE_NAME GRANTOR GRA HIE
----------------------- ------------ -------------- --- ---
EXECUTE_CATALOG_ROLE DBMS_RLS SYS NO NO
USER1 DBMS_RLS SYS NO NO
DVSYS DBMS_RLS SYS YES NO
DV_OWNER DBMS_RLS SYS NO NO
DVADMIN DBMS_RLS DVSYS YES NO
SYS (DEV_DB) SQL>REVOKE EXECUTE ON DBMS_RLS FROM DVSYS;
Revoke succeeded.
SYS (DEV_DB) SQL>SELECT * FROM DBA_TAB_PRIVS WHERE table_name like 'DBMS_RLS';
GRANTEE TABLE_NAME GRANTOR GRA HIE
--------------------- ----------- ------------- ---
EXECUTE_CATALOG_ROLE DBMS_RLS SYS NO NO
USER1 DBMS_RLS SYS NO NO
DV_OWNER DBMS_RLS SYS NO NO
SYS (DEV_DB) SQL>
SYS (DEV_DB) SQL>GRANT EXECUTE ON DBMS_RLS TO DVSYS;
Grant succeeded.
SYS (DEV_DB) SQL>SELECT * FROM DBA_TAB_PRIVS WHERE table_name like 'DBMS_RLS';
GRANTEE OWNER TABLE_NAME GRANTOR GRA HIE
--------------------- ------- ----------- --------- --- ---
EXECUTE_CATALOG_ROLE SYS DBMS_RLS SYS NO NO
USER1 SYS DBMS_RLS SYS NO NO
DV_OWNER SYS DBMS_RLS SYS NO NO
DVSYS SYS DBMS_RLS SYS NO NO
SYS (DEV_DB) SQL>
SYS (DEV_DB) SQL>GRANT EXECUTE ON DBMS_RLS TO DVADMIN;
Grant succeeded.
Successfully Revoked and granted only without GRANT OPTION to user.
Note :
====
please use the commands carefully before executing in your server
its advised to test in test server.
Note :
====
Implementing or trying any of the advice from this blog is at your own risk.
No comments:
Post a Comment