{"id":508,"date":"2013-09-20T09:31:59","date_gmt":"2013-09-20T12:31:59","guid":{"rendered":"http:\/\/www.dbarj.com.br\/?p=508"},"modified":"2015-06-25T10:02:46","modified_gmt":"2015-06-25T13:02:46","slug":"finding-oracle-users-dba-privilege-hidden-roles","status":"publish","type":"post","link":"https:\/\/www.dbarj.com.br\/en\/2013\/09\/finding-oracle-users-dba-privilege-hidden-roles\/","title":{"rendered":"Finding Oracle users with DBA privilege hidden by roles"},"content":{"rendered":"

Some users in Oracle may have very dangerous privileges without your consent, they can cause great damage to the database. Sometimes this privilege is hidden via a chain of roles, which makes it difficult to perception.<\/p>\n

Eg:<\/p>\n

SQL> CREATE USER SYSADM identified by \"sysadm1\";\r\n\r\nSQL> CREATE ROLE A;\r\nSQL> CREATE ROLE B;\r\nSQL> CREATE ROLE SYSROLE;\r\n\r\nSQL> GRANT A TO SYSADM;\r\nSQL> GRANT B TO A;\r\nSQL> GRANT SYSROLE TO B;\r\n\r\nSQL> GRANT DBA TO SYSROLE;\r\nSQL> GRANT CREATE SESSION TO SYSADM;<\/pre>\n
In this example, the GRANT DBA to SYSADM was hidden. As the DBA role, IMP_FULL_DATABASE is another dangerous role, granting virtually everything a user.<\/p>\n
Other form is also manually grant the “system grants” to a new role and hide this role through a chain of roles, as in the example above.<\/p>\n
Eg:<\/p>\n
SQL> CREATE USER SYSADM identified by \"sysadm1\";\r\n\r\nSQL> CREATE ROLE A;\r\nSQL> CREATE ROLE B;\r\nSQL> CREATE ROLE SYSROLE;\r\n\r\nSQL> GRANT A TO SYSADM;\r\nSQL> GRANT B TO A;\r\nSQL> GRANT SYSROLE TO B;\r\n\r\nSQL> GRANT GRANT ANY PRIVILEGE TO SYSROLE;\r\nSQL> GRANT CREATE SESSION TO SYSADM;<\/pre>\n
To track these hidden privileges, I developed the query below. After running it, the next step is to revoke unnecessary privileges and then run the query again to check if the user is clean.<\/p>\n
Query:<\/p>\n
SELECT GRANTEE,\r\n       PRIVILEGE,\r\n       ACCOUNT_STATUS\r\nFROM   (SELECT GRANTEE,\r\n               LTRIM(MAX(SYS_CONNECT_BY_PATH(PRIVILEGE, ', ')), ', ') PRIVILEGE\r\n        FROM   (SELECT GRANTEE,\r\n                       PRIVILEGE,\r\n                       ROW_NUMBER() OVER(PARTITION BY GRANTEE ORDER BY PRIVILEGE) RN\r\n                FROM   (SELECT DISTINCT NVL(A.GRANTEE, B.GRANTEE) GRANTEE,\r\n                                        NVL(A.PRIVILEGE, B.PRIVILEGE) PRIVILEGE\r\n                        FROM   (SELECT A.GRANTEE,\r\n                                       A.PATH PRIVILEGE\r\n                                FROM   (SELECT A.GRANTEE,\r\n                                               A.GRANTED_ROLE_ROOT PRIVILEGE,\r\n                                               A.PATH,\r\n                                               A.NIVEL,\r\n                                               RANK() OVER(PARTITION BY A.GRANTEE, A.FIRST_ROLE ORDER BY NIVEL ASC) RANK\r\n                                        FROM   (SELECT A.GRANTEE,\r\n                                                       GRANTED_ROLE FIRST_ROLE,\r\n                                                       CONNECT_BY_ROOT GRANTED_ROLE GRANTED_ROLE_ROOT,\r\n                                                       '(' || LTRIM(SYS_CONNECT_BY_PATH(GRANTED_ROLE, '->'), '->') || ')' PATH,\r\n                                                       LEVEL NIVEL\r\n                                                FROM   DBA_ROLE_PRIVS A\r\n                                                CONNECT BY PRIOR GRANTEE = GRANTED_ROLE) A,\r\n                                               DBA_SYS_PRIVS B\r\n                                        WHERE  A.GRANTEE NOT IN (SELECT ROLE\r\n                                                                 FROM   DBA_ROLES)\r\n                                        AND    A.GRANTED_ROLE_ROOT = B.GRANTEE\r\n                                        AND    (B.PRIVILEGE LIKE 'DROP ANY%' OR B.PRIVILEGE LIKE 'GRANT%' OR B.PRIVILEGE IN ('ADMINISTER DATABASE TRIGGER'))) A\r\n                                WHERE  A.RANK = 1) A\r\n                        FULL   OUTER JOIN (SELECT GRANTEE,\r\n                                                 PRIVILEGE\r\n                                          FROM   DBA_SYS_PRIVS\r\n                                          WHERE  (PRIVILEGE LIKE 'DROP ANY%' OR PRIVILEGE LIKE 'GRANT%' OR PRIVILEGE IN ('ADMINISTER DATABASE TRIGGER'))\r\n                                          AND    GRANTEE NOT IN (SELECT ROLE\r\n                                                                 FROM   DBA_ROLES)) B ON B.GRANTEE = A.GRANTEE))\r\n        START  WITH RN = 1\r\n        CONNECT BY PRIOR RN = RN - 1\r\n            AND    PRIOR GRANTEE = GRANTEE\r\n        GROUP  BY GRANTEE) A,\r\n       DBA_USERS B\r\nWHERE  A.GRANTEE = B.USERNAME\r\nORDER  BY 1;<\/pre>\n
(You can modify it by putting other privileges you want to find)<\/p>\n
If you are still using\u00a0Oracle 10g and receive the error\u00a0“ORA-00600: internal error code, arguments: [qctcte1], [0], [], [], [], [], [], []<\/strong><\/em>“, try the adapted version below\u00a0(less complex):<\/p>\n
SELECT GRANTEE,\r\n       PRIVILEGE,\r\n       ACCOUNT_STATUS\r\nFROM   (SELECT GRANTEE,\r\n               LTRIM(MAX(SYS_CONNECT_BY_PATH(PRIVILEGE, ', ')), ', ') PRIVILEGE\r\n        FROM   (SELECT GRANTEE,\r\n                       PRIVILEGE,\r\n                       ROW_NUMBER() OVER(PARTITION BY GRANTEE ORDER BY PRIVILEGE) RN\r\n                FROM   (SELECT DISTINCT NVL(A.GRANTEE, B.GRANTEE) GRANTEE,\r\n                                        NVL(A.PRIVILEGE, B.PRIVILEGE) PRIVILEGE\r\n                        FROM   (SELECT A.GRANTEE,\r\n                                       A.GRANTED_ROLE PRIVILEGE\r\n                                FROM   (SELECT A.*\r\n                                        FROM   DBA_ROLE_PRIVS A\r\n                                        CONNECT BY PRIOR GRANTEE = GRANTED_ROLE) A,\r\n                                       DBA_SYS_PRIVS B\r\n                                WHERE  A.GRANTEE NOT IN (SELECT ROLE\r\n                                                         FROM   DBA_ROLES)\r\n                                AND    A.GRANTED_ROLE = B.GRANTEE\r\n                                AND    (B.PRIVILEGE LIKE 'DROP ANY%' OR B.PRIVILEGE LIKE 'GRANT%' OR B.PRIVILEGE IN ('ADMINISTER DATABASE TRIGGER'))) A\r\n                        FULL   OUTER JOIN (SELECT GRANTEE,\r\n                                                 PRIVILEGE\r\n                                          FROM   DBA_SYS_PRIVS\r\n                                          WHERE  (PRIVILEGE LIKE 'DROP ANY%' OR PRIVILEGE LIKE 'GRANT%' OR PRIVILEGE IN ('ADMINISTER DATABASE TRIGGER'))\r\n                                          AND    GRANTEE NOT IN (SELECT ROLE\r\n                                                                 FROM   DBA_ROLES)) B ON B.GRANTEE = A.GRANTEE))\r\n        START  WITH RN = 1\r\n        CONNECT BY PRIOR RN = RN - 1\r\n            AND    PRIOR GRANTEE = GRANTEE\r\n        GROUP  BY GRANTEE) A,\r\n       DBA_USERS B\r\nWHERE  A.GRANTEE = B.USERNAME\r\nORDER  BY 1;<\/pre>\nHave you enjoyed? Please leave a comment or give a \ud83d\udc4d!<\/b>\n
Continue reading<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"class_list":["post-508","post","type-post","status-publish","format-standard","hentry","category-security-en","item-wrap"],"yoast_head":"\nFinding Oracle users with DBA privilege hidden by roles - DBA - Rodrigo Jorge - Oracle Tips and Guides<\/title>\n<meta name=\"description\" content=\"Howto find out all Oracle users with some kind of hidden DBA privilege.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbarj.com.br\/en\/2013\/09\/finding-oracle-users-dba-privilege-hidden-roles\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"DBA RJ\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2013\\\/09\\\/finding-oracle-users-dba-privilege-hidden-roles\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2013\\\/09\\\/finding-oracle-users-dba-privilege-hidden-roles\\\/\"},\"author\":{\"name\":\"DBA RJ\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#\\\/schema\\\/person\\\/28a44ca3a6633fe4156ad1ea209d40a9\"},\"headline\":\"Finding Oracle users with DBA privilege hidden by roles\",\"datePublished\":\"2013-09-20T12:31:59+00:00\",\"dateModified\":\"2015-06-25T13:02:46+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2013\\\/09\\\/finding-oracle-users-dba-privilege-hidden-roles\\\/\"},\"wordCount\":175,\"commentCount\":8,\"publisher\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#\\\/schema\\\/person\\\/28a44ca3a6633fe4156ad1ea209d40a9\"},\"articleSection\":[\"Database Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2013\\\/09\\\/finding-oracle-users-dba-privilege-hidden-roles\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2013\\\/09\\\/finding-oracle-users-dba-privilege-hidden-roles\\\/\",\"url\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2013\\\/09\\\/finding-oracle-users-dba-privilege-hidden-roles\\\/\",\"name\":\"Finding Oracle users with DBA privilege hidden by roles - DBA - Rodrigo Jorge - Oracle Tips and Guides\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#website\"},\"datePublished\":\"2013-09-20T12:31:59+00:00\",\"dateModified\":\"2015-06-25T13:02:46+00:00\",\"description\":\"Howto find out all Oracle users with some kind of hidden DBA privilege.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2013\\\/09\\\/finding-oracle-users-dba-privilege-hidden-roles\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2013\\\/09\\\/finding-oracle-users-dba-privilege-hidden-roles\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/2013\\\/09\\\/finding-oracle-users-dba-privilege-hidden-roles\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Finding Oracle users with DBA privilege hidden by roles\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/\",\"name\":\"DBA - Rodrigo Jorge - Oracle Tips and Guides\",\"description\":\"Blog about Databases, Security and High Availability\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#\\\/schema\\\/person\\\/28a44ca3a6633fe4156ad1ea209d40a9\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/en\\\/#\\\/schema\\\/person\\\/28a44ca3a6633fe4156ad1ea209d40a9\",\"name\":\"DBA RJ\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/RodrigoJorgePOUG19.png\",\"url\":\"https:\\\/\\\/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/RodrigoJorgePOUG19.png\",\"contentUrl\":\"https:\\\/\\\/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/RodrigoJorgePOUG19.png\",\"width\":712,\"height\":712,\"caption\":\"DBA RJ\"},\"logo\":{\"@id\":\"https:\\\/\\\/www.dbarj.com.br\\\/wp-content\\\/uploads\\\/2019\\\/09\\\/RodrigoJorgePOUG19.png\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Finding Oracle users with DBA privilege hidden by roles - DBA - Rodrigo Jorge - Oracle Tips and Guides","description":"Howto find out all Oracle users with some kind of hidden DBA privilege.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbarj.com.br\/en\/2013\/09\/finding-oracle-users-dba-privilege-hidden-roles\/","twitter_misc":{"Written by":"DBA RJ","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbarj.com.br\/en\/2013\/09\/finding-oracle-users-dba-privilege-hidden-roles\/#article","isPartOf":{"@id":"https:\/\/www.dbarj.com.br\/en\/2013\/09\/finding-oracle-users-dba-privilege-hidden-roles\/"},"author":{"name":"DBA RJ","@id":"https:\/\/www.dbarj.com.br\/en\/#\/schema\/person\/28a44ca3a6633fe4156ad1ea209d40a9"},"headline":"Finding Oracle users with DBA privilege hidden by roles","datePublished":"2013-09-20T12:31:59+00:00","dateModified":"2015-06-25T13:02:46+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbarj.com.br\/en\/2013\/09\/finding-oracle-users-dba-privilege-hidden-roles\/"},"wordCount":175,"commentCount":8,"publisher":{"@id":"https:\/\/www.dbarj.com.br\/en\/#\/schema\/person\/28a44ca3a6633fe4156ad1ea209d40a9"},"articleSection":["Database Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbarj.com.br\/en\/2013\/09\/finding-oracle-users-dba-privilege-hidden-roles\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbarj.com.br\/en\/2013\/09\/finding-oracle-users-dba-privilege-hidden-roles\/","url":"https:\/\/www.dbarj.com.br\/en\/2013\/09\/finding-oracle-users-dba-privilege-hidden-roles\/","name":"Finding Oracle users with DBA privilege hidden by roles - DBA - Rodrigo Jorge - Oracle Tips and Guides","isPartOf":{"@id":"https:\/\/www.dbarj.com.br\/en\/#website"},"datePublished":"2013-09-20T12:31:59+00:00","dateModified":"2015-06-25T13:02:46+00:00","description":"Howto find out all Oracle users with some kind of hidden DBA privilege.","breadcrumb":{"@id":"https:\/\/www.dbarj.com.br\/en\/2013\/09\/finding-oracle-users-dba-privilege-hidden-roles\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbarj.com.br\/en\/2013\/09\/finding-oracle-users-dba-privilege-hidden-roles\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbarj.com.br\/en\/2013\/09\/finding-oracle-users-dba-privilege-hidden-roles\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.dbarj.com.br\/en\/"},{"@type":"ListItem","position":2,"name":"Finding Oracle users with DBA privilege hidden by roles"}]},{"@type":"WebSite","@id":"https:\/\/www.dbarj.com.br\/en\/#website","url":"https:\/\/www.dbarj.com.br\/en\/","name":"DBA - Rodrigo Jorge - Oracle Tips and Guides","description":"Blog about Databases, Security and High Availability","publisher":{"@id":"https:\/\/www.dbarj.com.br\/en\/#\/schema\/person\/28a44ca3a6633fe4156ad1ea209d40a9"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbarj.com.br\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.dbarj.com.br\/en\/#\/schema\/person\/28a44ca3a6633fe4156ad1ea209d40a9","name":"DBA RJ","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.dbarj.com.br\/wp-content\/uploads\/2019\/09\/RodrigoJorgePOUG19.png","url":"https:\/\/www.dbarj.com.br\/wp-content\/uploads\/2019\/09\/RodrigoJorgePOUG19.png","contentUrl":"https:\/\/www.dbarj.com.br\/wp-content\/uploads\/2019\/09\/RodrigoJorgePOUG19.png","width":712,"height":712,"caption":"DBA RJ"},"logo":{"@id":"https:\/\/www.dbarj.com.br\/wp-content\/uploads\/2019\/09\/RodrigoJorgePOUG19.png"}}]}},"_links":{"self":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/posts\/508","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/comments?post=508"}],"version-history":[{"count":0,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/posts\/508\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/media?parent=508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/categories?post=508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbarj.com.br\/en\/wp-json\/wp\/v2\/tags?post=508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}