Data control language (DCL)
A data control language (DCL) is a syntax similar to a computer programming language used to control access to data stored in a database (Authorization). In particular, it is a component of Structured Query Language (SQL).Examples of DCL commands include:
GRANT to allow specified users to perform specified tasks.
REVOKE to cancel previously granted or denied permissions.
The operations for which privileges may be granted to or revoked from a user or role apply to both the Data definition language (DDL) and the Data manipulation language (DML), and may include CONNECT, SELECT, INSERT, UPDATE, DELETE, EXECUTE, and USAGE.
In the Oracle database, executing a DCL command issues an implicit commit. Hence you cannot roll back the command.
Privileges
When multiple users can access database objects, authorization can be controlled to these objects with privileges. Every object has an owner. Privileges control if a user can modify an object owned by another user. Privileges are granted or revoked either by the instance administrator, a user with the ADMIN privilege or, for privileges to a certain object, by the owner of the object.There are two type of Privileges: System Privileges and Object privileges
System privileges
A system privilege is the right to perform a particular action or to perform an action on any object of a particular type. Objects include tables, views, materialized views, synonyms, indexes, sequences, cache groups, replication schemes and PL/SQL functions, procedures and packages. Only the instance administrator or a user with ADMIN privilege can grant or revoke system privileges.
System Privileges are normally granted by a DBA to users.
System privileges are
Privilege
|
Description
|
ADMIN
|
Enables a user to perform administrative tasks including checkpointing, backups, migration, and user creation and deletion.
|
ALTER ANY CACHE GROUP
|
Enables a user to alter any cache group in the database.
|
ALTER ANY INDEX
|
Enables a user to alter any index in the database.
|
Note: There is no ALTER INDEX statement.
|
|
ALTER ANY MATERIALIZED VIEW
|
Enables a user to alter any materialized view in the database.
|
Note: There is no ALTER MATERIALIZED VIEW statement.
|
|
ALTER ANY PROCEDURE
|
Enables a user to alter any PL/SQL procedure, function or package in the database.
|
ALTER ANY SEQUENCE
|
Enables a user to alter any sequence in the database.
|
Note: There is no ALTER SEQUENCE statement.
|
|
ALTER ANY TABLE
|
Enables a user to alter any table in the database.
|
ALTER ANY VIEW
|
Enables a user to alter any view in the database.
|
Note: There is no ALTER VIEW statement.
|
|
CACHE_MANAGER
|
Enables a user to perform operations related to cache groups.
|
CREATE ANY CACHE GROUP
|
Enables a user to create a cache group owned by any user in the database.
|
CREATE ANY INDEX
|
Enables a user to create an index on any table or materialized view in the database.
|
CREATE ANY MATERIALIZED VIEW
|
Enables a user to create a materialized view owned by any user in the database.
|
CREATE ANY PROCEDURE
|
Enables a user to create a PL/SQL procedure, function or package owned by any user in the database.
|
CREATE ANY SEQUENCE
|
Enables a user to create a sequence owned by any user in the database.
|
CREATE ANY SYNONYM
|
Enables a user to create a private synonym owned by any user in the database.
|
CREATE ANY TABLE
|
Enables a user to create a table owned by any user in the database.
|
CREATE ANY VIEW
|
Enables a user to create a view owned by any user in the database.
|
CREATE CACHE GROUP
|
Enables a user to create a cache group owned by that user.
|
CREATE MATERIALIZED VIEW
|
Enables a user to create a materialized view owned by that user.
|
CREATE PROCEDURE
|
Enables a user to create a PL/SQL procedure, function or package owned by that user.
|
CREATE PUBLIC SYNONYM
|
Enables a user to create a public synonym.
|
CREATE SEQUENCE
|
Enables a user to create a sequence owned by that user.
|
CREATE SESSION
|
Enables a user to create a connection to the database.
|
CREATE SYNONYM
|
Enables a user to create a private synonym.
|
CREATE TABLE
|
Enables a user to create a table owned by that user.
|
CREATE VIEW
|
Enables a user to create a view owned by that user.
|
DELETE ANY TABLE
|
Enables a user to delete from any table in the database.
|
DROP ANY CACHE GROUP
|
Enables a user to drop any cache group in the database.
|
DROP ANY INDEX
|
Enables a user to drop any index in the database.
|
DROP ANY MATERIALIZED VIEW
|
Enables a user to drop any materialized view in the database.
|
DROP ANY PROCEDURE
|
Enables a user to drop any PL/SQL procedure, function or package in the database.
|
DROP ANY SEQUENCE
|
Enables a user to drop any sequence in the database.
|
DROP ANY SYNONYM
|
Enables a user to drop a synonym owned by any user in the database.
|
DROP ANY TABLE
|
Enables a user to drop any table in the database.
|
DROP ANY VIEW
|
Enables a user to drop any view in the database.
|
DROP PUBLIC SYNONYM
|
Enables a user to drop a public synonym.
|
EXECUTE ANY PROCEDURE
|
Enables a user to execute any PL/SQL procedure, function or package in the database.
|
FLUSH ANY CACHE GROUP
|
Enables a user to flush any cache group in the database.
|
INSERT ANY TABLE
|
Enables a user to insert into any table in the database. It also enables the user to insert into any table using the synonym, public or private, to that table.
|
LOAD ANY CACHE GROUP
|
Enables a user to load any cache group in the database.
|
REFRESH ANY CACHE GROUP
|
Enables a user to flush any cache group in the database.
|
SELECT ANY SEQUENCE
|
Enables a user to select from any sequence or synonym on a sequence in the database.
|
SELECT ANY TABLE
|
Enables a user to select from any table, view, materialized view, or synonym in the database.
|
UNLOAD ANY CACHE GROUP
|
Enables a user to unload any cache group in the database.
|
UPDATE ANY TABLE
|
Enables a user to update any table or synonym in the database.
|
XLA
|
Enables a user to connect to a database as an XLA reader.
|
Object Privileges
Object privileges mean privileges on tables, views, materialized views, indexes, synonyms, sequences, cache groups, replication schemes and PL/SQL functions, procedures and packages.
An object's owner has all object privileges for that object, and those privileges cannot be revoked. The object's owner can grant object privileges for that object to other database users. A user with ADMIN privilege can grant and revoke object privileges from users who do not own the objects on which the privileges are granted.
Object Privileges are
Privilege
|
Object type
|
Description
|
DELETE
|
Table
|
Enables a user to delete from a table.
|
EXECUTE
|
PL/SQL package, procedure or function
|
Enables a user to execute a PL/SQL package, procedure or function directly.
|
FLUSH
|
Cache group
|
Enables a user to flush a cache group.
|
INDEX
|
Table or materialized view
|
Enables a user to create an index on a table or materialized view.
|
INSERT
|
Table or synonym
|
Enables a user to insert into a table or into the table through a synonym.
|
LOAD
|
Cache group
|
Enables a user to load a cache group.
|
REFERENCES
|
Table or materialized view
|
Enables a user to create a foreign key dependency on a table or materialized view.
The REFERENCES privilege on a parent table implicitly grants SELECT privilege on the parent table. |
REFRESH
|
Cache group
|
Enables a user to refresh a cache group.
|
SELECT
|
Table, sequence, view, materialized view, or synonym
|
Enables a user to select from a table, sequence, view, materialized view, or synonym.
The SELECT privilege enables a user to perform all operations on a sequence. A user can be granted the SELECT privilege on a synonym or a view without being explicitly granted the SELECT privilege on the originating table. |
UNLOAD
|
Cache group
|
Enables a user to unload a cache group.
|
UPDATE
|
Table
|
Enables a user to update a table.
|
Dictionary views which show the granted privileges and roles
DBA_SYS_PRIVS - contains information about System privilegesDBA_TAB_PRIVS - contains information about Object Privileges
DBA_ROLE_PRIVS - contains information about assigned rows;
* You can use user_sys_priv, user_tab_privs and user_role_privs to list the privileges information to the current user.
Examples
To grant the SELECT privilege on table tab1 to the authorization IDs maria and harry, use the following syntax:
GRANT SELECT ON TABLE tab1 TO maria,harry
To grant the UPDATE and TRIGGER privileges on table tab1 to the authorization IDs anita and zhi, use the following syntax:
GRANT UPDATE, TRIGGER ON TABLE tab1 TO anita,zhi
To grant the SELECT privilege on table tab1 to all users, use the following syntax:
GRANT SELECT ON TABLE tab1 to PUBLIC
To grant the EXECUTE privilege on procedure proc_1 to the authorization ID george, use the following syntax:
GRANT EXECUTE ON PROCEDURE proc_1 TO george
To grant the role purchases_reader_role to the authorization IDs george and maria, use the following syntax:
GRANT purchases_reader_role TO george,maria
To grant the SELECT privilege on table tab_1 to the role purchases_reader_role, use the following syntax:
GRANT SELECT ON TABLE tab_1 TO purchases_reader_role
To grant the USAGE privilege on the sequence generator order_id to the role sales_role, use the following syntax:
GRANT USAGE ON SEQUENCE order_id TO sales_role;
To grant the USAGE privilege on the user-defined type price to the role finance_role, use the following syntax:
GRANT USAGE ON TYPE price TO finance_role;
The following statement revokes the DROP ANY TABLE system privilege from the users george and oe:
REVOKE DROP ANY TABLE FROM hr, oe;
The following statement revokes the role dw_manager from the user sh:
REVOKE dw_manager FROM sh;
The following statement revokes the CREATE TABLESPACE system privilege from the dw_manager role:
REVOKE CREATE TABLESPACE FROM dw_manager;
To revoke the DELETE privilege on orders from hr, issue the following statement:
REVOKE DELETE ON orders FROM hr;
