info
held-informatik
de
Benutzer mit Rechten kopieren
Sie möchten einen neuen Benutzer erstellen, der einem bereits bestehenden Benutzer mit allen Rechten entspricht? Das folgende Skript unterstützt Sie dabei. Es stammt von Raymond Wauben, bei dem ich mich an dieser Stelle herzlich bedanken möchte. Ein wirklich schönes Skript, in dem eine Menge Arbeit steckt. Special thanks to Raymond! It is great!
Das Skript ist so umfangreich, dass es leider kaum in eine kleine Codebox paßt. Sie können es daher 
hier in einem Editor öffnen.
Oracle Datenbank-Benutzer duplizieren / kopieren
Rem Rem $Header: crusrlk.sql 03-apr-2007 $ Rem Rem Author: raymond.wauben@gmail.com Rem NAME Rem crusrlk.sql Rem DESCRIPTION Rem CREATE a new DATABASE schema/user LIKE an Rem existing DATABASE schema/user. Rem RETURNS Rem Rem NOTES Rem This script must be run while connected AS a Rem user WITH DBA privileges. Rem IN case of directory users, new users reside IN Rem the same directory information tree AS existing Rem users AND DATABASE account equals TO directory Rem account. Rem This script does NOT completely clone user SYS. Rem This script has been tested successfully against Rem the following Oracle Server version(s): Rem - Oracle Server 10g Release 1; Rem - Oracle Server 10g Release 2. Rem MODIFIED (MM/DD/YY) Rem rwauben 04/03/07 - Creation SET define '%' SET echo off SET feedback off SET heading off SET linesize 160 SET pagesize 0 SET pause ON SET trimspool ON SET verify off clear screen prompt -----------------------------------------------------------------; prompt CREATE a new schema/user LIKE an existing schema/user.; prompt Defaults are shown BETWEEN brackets [].; prompt -----------------------------------------------------------------; accept OriginalUser prompt "Enter existing database schema/user [%_USER]: " DEFAULT %_USER accept NewUser prompt "Enter new database schema/user [SCOTT]: " DEFAULT SCOTT accept NewPassword prompt "Enter password for new database schema/user (Leave blank to copy): " hide prompt ================================================================================; prompt You entered the following information: prompt ; prompt Existing DATABASE schema/user : %OriginalUser prompt New DATABASE schema/user : %NewUser prompt ; prompt IF this IS correct, press ENTER TO generate SQL AND PL/SQL statements AND prompt CREATE the new schema/user, otherwise press CTRL+C TO cancel AND RETURN TO the prompt SQL*Plus prompt.; prompt ; prompt Make sure you have DBA privileges before continuing!; prompt ================================================================================; pause undefine v_file_name COLUMN v_file_name new_value v_file_name undefine v_remove_command COLUMN v_remove_command new_value v_remove_command SET termout off SELECT to_char(sysdate,'YYYYMMDD_HH24MISS') || '_' || user || '.sql' AS v_file_name FROM dual; Rem Determine USE of either Windows 'del' command OR Linux/Unix 'rm' command. SELECT case when lower(program) LIKE '%.exe' then 'del' else 'rm' end AS v_remove_command FROM v$session WHERE sid = (SELECT DISTINCT sid FROM v$mystat); SET termout ON spool %v_file_name Rem Build CREATE USER statement. -------------------------------------------------- SELECT 'CREATE USER %NewUser ' || case when password = 'EXTERNAL' then 'IDENTIFIED EXTERNALLY' when password = 'GLOBAL' then 'IDENTIFIED GLOBALLY AS ''' || REPLACE (external_name,'%OriginalUser','%NewUser') || '''' else 'IDENTIFIED BY ' || decode(upper('%NewPassword'),NULL,'VALUES ''' || password || '''','%NewPassword') end || ' DEFAULT TABLESPACE ' || default_tablespace || ' TEMPORARY TABLESPACE ' || temporary_tablespace || ' PROFILE ' || profile || ' ACCOUNT ' || decode(account_status,'OPEN','UNLOCK', 'EXPIRED','UNLOCK PASSWORD EXPIRE', 'EXPIRED(GRACE)','UNLOCK', 'LOCKED(TIMED)','UNLOCK', 'LOCKED','LOCK', 'EXPIRED & LOCKED(TIMED)','UNLOCK PASSWORD EXPIRE', 'EXPIRED(GRACE) & LOCKED(TIMED)','UNLOCK', 'EXPIRED & LOCKED','LOCK PASSWORD EXPIRE', 'EXPIRED(GRACE) & LOCKED','LOCK', 'LOCK') || ';' FROM dba_users WHERE username = upper('%OriginalUser'); Rem ------------------------------------------------------------------------------- Rem CHECK tablespace quotas AND build ALTER USER statements. ---------------------- SELECT 'ALTER USER %NewUser QUOTA ' || decode(max_bytes,-1,'UNLIMITED',max_bytes) || ' ON ' || tablespace_name || ';' FROM sys.dba_ts_quotas WHERE username = upper('%OriginalUser'); Rem ------------------------------------------------------------------------------- Rem CHECK SYSDBA AND/OR SYSOPER privileges AND build GRANT statement. ------------- SELECT decode(sysdba, 'TRUE', 'GRANT SYSDBA TO %NewUser;', NULL) sysdba FROM v$pwfile_users WHERE username = upper('%OriginalUser'); SELECT decode(sysoper, 'TRUE', 'GRANT SYSOPER TO %NewUser;', NULL) sysoper FROM v$pwfile_users WHERE username = upper('%OriginalUser'); Rem ------------------------------------------------------------------------------- Rem CHECK system privileges AND build GRANT statements. --------------------------- SELECT 'GRANT ' || privilege || ' TO %NewUser' || decode(admin_option,'YES',' WITH ADMIN OPTION;',';') FROM sys.dba_sys_privs WHERE grantee = upper('%OriginalUser'); Rem ------------------------------------------------------------------------------- Rem CHECK roles AND build GRANT statements. --------------------------------------- SELECT 'GRANT ' || granted_role || ' TO %NewUser' || decode(admin_option,'YES',' WITH ADMIN OPTION;',';') FROM sys.dba_role_privs WHERE grantee = upper('%OriginalUser'); Rem ------------------------------------------------------------------------------- Rem CHECK DEFAULT roles AND build ALTER USER ... DEFAULT ROLE ... statement. ------ SET serveroutput ON declare v_default_roles varchar2(4000) := NULL; begin FOR c1 IN (SELECT * FROM sys.dba_role_privs WHERE grantee = upper('%OriginalUser') AND default_role = 'YES') loop IF length(v_default_roles) > 0 then v_default_roles := v_default_roles || ',' || c1.granted_role; else v_default_roles := v_default_roles || c1.granted_role; end IF; end loop; IF length(v_default_roles) > 0 then dbms_output.put_line('ALTER USER %NewUser DEFAULT ROLE ' || v_default_roles || ';'); end IF; end; / SET serveroutput off Rem ------------------------------------------------------------------------------- Rem CHECK TABLE AND COLUMN privileges AND build GRANT statements. ----------------- SELECT 'GRANT ' || privilege || ' ON ' || owner || '.' || table_name || ' TO %NewUser' || decode(grantable,'YES',' WITH GRANT OPTION;',';') FROM (SELECT usrge.name grantee, usr.name owner, obj.name table_name, NULL column_name, usrgr.name grantor, tabprivmap.name privilege, decode(mod(objauth.OPTION$,2), 1, 'YES', 'NO') grantable, decode(bitand(objauth.OPTION$,2), 2, 'YES', 'NO') hierarchy, decode(obj.type#, 2, 'TABLE', 4, 'VIEW', 6, 'SEQUENCE', 7, 'PROCEDURE', 8, 'FUNCTION', 9, 'PACKAGE', 13, 'TYPE', 22, 'LIBRARY', 23, 'DIRECTORY', 24, 'QUEUE', 28, 'JAVA SOURCE', 29, 'JAVA CLASS', 30, 'JAVA RESOURCE', 32, 'INDEXTYPE', 33, 'OPERATOR', 42, 'MATERIALIZED VIEW', 'UNDEFINED') object_type FROM sys.objauth$ objauth, sys.obj$ obj, sys.user$ usr, sys.user$ usrgr, sys.user$ usrge, sys.table_privilege_map tabprivmap WHERE objauth.obj# = obj.obj# AND objauth.grantor# = usrgr.user# AND objauth.grantee# = usrge.user# AND objauth.col# is null AND objauth.privilege# = tabprivmap.privilege AND usr.user# = obj.owner# AND obj.type# in (2, 4, 6, 7, 8, 9, 13, 22, 24, 28, 29, 30, 32, 33, 42) AND usrge.name = upper('%OriginalUser') union ALL SELECT usrge.name, usr.name, obj.name, col.name, usrgr.name, tabprivmap.name, decode(mod(objauth.OPTION$,2), 1, 'YES', 'NO'), NULL hierarhy, decode(obj.type#, 2, 'TABLE', 4, 'VIEW', 42, 'MATERIALIZED VIEW') FROM sys.objauth$ objauth, sys.obj$ obj, sys.user$ usr, sys.user$ usrgr, sys.user$ usrge, sys.col$ col, sys.table_privilege_map tabprivmap WHERE objauth.obj# = obj.obj# AND objauth.grantor# = usrgr.user# AND objauth.grantee# = usrge.user# AND objauth.obj# = col.obj# AND objauth.col# = col.col# AND objauth.col# is not null AND objauth.privilege# = tabprivmap.privilege AND usr.user# = obj.owner# AND obj.type# in (2, 4, 42) AND bitand(col.property, 32) = 0 AND usrge.name = upper('%OriginalUser')); Rem ------------------------------------------------------------------------------- Rem CHECK Java privileges AND build PL/SQL statements. ---------------------------- SET serveroutput ON declare i integer := 1; begin FOR c1 IN (SELECT kind, grantee, type_schema, type_name, name, action, enabled, seq FROM sys.dba_java_policy WHERE grantee = upper('%OriginalUser') ORDER BY seq) loop IF i = 1 then dbms_output.put_line('DECLARE'); dbms_output.put_line('KEYNUM NUMBER;'); dbms_output.put_line('BEGIN'); i := 2; end IF; IF c1.kind = 'GRANT' then dbms_output.put_line('SYS.DBMS_JAVA.GRANT_PERMISSION(GRANTEE => ''' || upper('%NewUser') || ''', PERMISSION_TYPE => ''' || c1.type_schema || ':' || c1.type_name || ''', PERMISSION_NAME => ''' || c1.name || ''', PERMISSION_ACTION => ''' || c1.action || ''', KEY => KEYNUM);'); elsif c1.kind = 'RESTRICT' then dbms_output.put_line('SYS.DBMS_JAVA.RESTRICT_PERMISSION(GRANTEE => ''' || upper('%NewUser') || ''', PERMISSION_TYPE => ''' || c1.type_schema || ':' || c1.type_name || ''', PERMISSION_NAME => ''' || c1.name || ''', PERMISSION_ACTION => ''' || c1.action || ''', KEY => KEYNUM);'); end IF; end loop; IF i = 2 then dbms_output.put_line('END;'); dbms_output.put_line('/'); end IF; end; / SET serveroutput off Rem ------------------------------------------------------------------------------- Rem CHECK resource GROUP privileges AND build PL/SQL statements. ------------------ SET serveroutput ON declare i integer := 1; v_initial_group varchar2(30) := NULL; begin FOR c1 IN (SELECT grantee, granted_group, decode(grant_option,'YES','TRUE','FALSE') grant_option, initial_group FROM dba_rsrc_consumer_group_privs WHERE grantee = upper('%OriginalUser')) loop IF i = 1 then dbms_output.put_line('BEGIN'); dbms_output.put_line('SYS.DBMS_RESOURCE_MANAGER.CLEAR_PENDING_AREA();'); dbms_output.put_line('SYS.DBMS_RESOURCE_MANAGER.CREATE_PENDING_AREA();'); i := 2; end IF; dbms_output.put_line('SYS.DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP(''%NewUser'',''' || c1.granted_group || ''',' || c1.grant_option || ');'); IF c1.initial_group = 'YES' then v_initial_group := c1.granted_group; end IF; end loop; IF i = 2 then dbms_output.put_line('SYS.DBMS_RESOURCE_MANAGER.SUBMIT_PENDING_AREA();'); dbms_output.put_line('END;'); dbms_output.put_line('/'); end IF; IF v_initial_group IS NOT NULL then dbms_output.put_line('BEGIN'); dbms_output.put_line('SYS.DBMS_RESOURCE_MANAGER.SET_INITIAL_CONSUMER_GROUP(''%NewUser'',''' || v_initial_group || ''');'); dbms_output.put_line('END;'); dbms_output.put_line('/'); end IF; end; / SET serveroutput off Rem ------------------------------------------------------------------------------- Rem CHECK proxy authentication AND build ALTER USER ... statements. --------------- SET serveroutput ON declare v_proxy_roles varchar2(4000); begin FOR c1 IN (SELECT DISTINCT decode(proxy,NULL,'ENTERPRISE USERS',proxy) proxy, client, decode(authentication,'YES',' AUTHENTICATION REQUIRED') authentication FROM sys.dba_proxies WHERE client = upper('%OriginalUser')) loop v_proxy_roles := NULL; FOR c2 IN (SELECT role FROM sys.dba_proxies WHERE nvl(proxy,'ENTERPRISE USERS') = c1.proxy AND client = c1.client AND role IS NOT NULL) loop IF v_proxy_roles IS NULL then v_proxy_roles := ' WITH ROLES ' || c2.role; else v_proxy_roles := v_proxy_roles || ', ' || c2.role; end IF; end loop; dbms_output.put_line('ALTER USER %NewUser GRANT CONNECT THROUGH ' || c1.proxy || v_proxy_roles || c1.authentication || ';'); end loop; end; / SET serveroutput off Rem ------------------------------------------------------------------------------- spool off prompt --------------------------------------------------------------------------------; prompt Creating new DATABASE schema/user %NewUser LIKE %OriginalUser ...; prompt Only error messages are displayed. prompt --------------------------------------------------------------------------------; @%v_file_name prompt --------------------------------------------------------------------------------; prompt Ready.; prompt --------------------------------------------------------------------------------; host %v_remove_command %v_file_name