测试revoke DBA角色
--session 2回收DBA角色
sys@ORCL>revoke dba from linuxidc;
Revoke succeeded.
sys@ORCL>select * from dba_role_privs where grantee='linuxidc';
GRANTEE GRANTED_ROLE ADMIN_OPT DEFAULT_R
------------------------------ ------------------------------ --------- ---------
linuxidc CONNECT NO YES
--session 3查看会话的角色,仍然有DBA及相关角色
linuxidc@ORCL>select * from session_roles;
ROLE
------------------------------------------------------------------------------------------
CONNECT
DBA
SELECT_CATALOG_ROLE
......
20 rows selected.
--使用linuxidc用户打开session 4,查看只有CONNECT角色
[oracle@rhel6 ~]$ sqlplus linuxidc/zhaoxu
SQL*Plus: Release 11.2.0.4.0 Production on Sat Jan 21 16:30:19 2017
Copyright (c) 1982, 2013, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
linuxidc@ORCL>select * from session_roles;
ROLE
------------------------------------------------------------------------------------------
CONNECT
--session 3执行set role命令
linuxidc@ORCL>set role dba;
set role dba
*
ERROR at line 1:
ORA-01924: role 'DBA' not granted or does not exist
linuxidc@ORCL>set role all;
Role set.
linuxidc@ORCL>select * from session_roles;
ROLE
------------------------------------------------------------------------------------------
CONNECT
从上面的测试中可以总结出,grant和revoke系统权限和对象权限时会立即生效,而grant或revoke角色时对当前会话不会立即生效,除非使用set role语句启用角色或重新连接会话后设置才会生效。与官方文档的描述一致。
但是有一个问题是如果查看已经连接的其他会话所拥有的role呢?
官方文档:#DBSEG99974
system privilege:#BABEFFEE
object privilege:#BGBCIIEG
set role:#SQLRF01704