Granting SELECT ANY TABLE to an ordinary user

An application needed an ordinary user to be able to read tables in the SYS schema, so the obvious answer was the SELECT ANY TABLE privilege. After granting it, however, the user still could not access the SYS tables. After going through a fair amount of material it turned out that SELECT ANY TABLE is not truly "any table". The experiment below shows this:
SQL> select * from v$version where rownum<2;
BANNER
--------------------------------------------------------------------------------
Oracle Database 11g Enterprise Edition Release 11.2.0.1.0 - 64bit Production
SQL> show user;
USER is "SYS"
SQL> create table baby(name varchar2(10),sex char(5));
Table created.
SQL> insert into baby values('keren','nv');
1 row created.
SQL> commit;
Commit complete.
SQL> grant select any table to mdu;
Grant succeeded.
SQL> conn mdu/oracle
Connected.
SQL> select * from user_sys_privs;
USERNAME PRIVILEGE ADM
-------- --------- ---
MDU UNLIMITED TABLESPACE NO
MDU SELECT ANY TABLE NO
SQL> select * from sys.baby;
select * from sys.baby
*
ERROR at line 1:
ORA-00942: table or view does not exist
Why is that? A Google search showed that the O7_DICTIONARY_ACCESSIBILITY parameter is responsible. So what does this parameter mean? From the official documentation:
O7_DICTIONARY_ACCESSIBILITY
Parameter type: Boolean
Default value: false
Modifiable: No
Range of values: true | false
O7_DICTIONARY_ACCESSIBILITY controls restrictions on SYSTEM privileges. If the parameter is set to true, access to objects in the SYS schema is allowed (Oracle7 behavior). The default setting of false ensures that system privileges that allow access to objects in "any schema" do not allow access to objects in the SYS schema.
For example, if O7_DICTIONARY_ACCESSIBILITY is set to false, then the SELECT ANY TABLE privilege allows access to views or tables in any schema except the SYS schema (data dictionary tables cannot be accessed). The system privilege EXECUTE ANY PROCEDURE allows access on the procedures in any schema except the SYS schema.
If this parameter is set to false and you need to access objects in the SYS schema, then you must be granted explicit object privileges. The following roles, which can be granted to the database administrator, also allow access to dictionary objects:
SELECT_CATALOG_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE

It turns out that in Oracle7 and earlier this parameter defaulted to true, so as soon as an ordinary user was granted SELECT ANY TABLE they could access every table, including the SYS tables. Precisely because this created a number of security risks, the parameter has defaulted to false since Oracle8i: even when an ordinary user is granted SELECT ANY TABLE, the SYS user's tables still cannot be accessed (other users' tables can be).
So now it is clear: if you really must access the SYS tables this way, the parameter has to be set to true. As the official documentation quoted above shows, the parameter is static, which means changing its value requires a database restart. You can also confirm that a restart is needed with the following query:
SQL> select name,ISSYS_MODIFIABLE from v$parameter where name='O7_DICTIONARY_ACCESSIBILITY';
NAME ISSYS_MOD
---- ---------
O7_DICTIONARY_ACCESSIBILITY FALSE ##### FALSE means the new value only takes effect after a restart #####
SQL> conn /as sysdba
Connected.
SQL> show parameter O7_DICTIONARY_ACCESSIBILITY
NAME TYPE VALUE
---- ---- -----
O7_DICTIONARY_ACCESSIBILITY boolean FALSE
SQL> alter system set O7_DICTIONARY_ACCESSIBILITY=true scope=spfile;
System altered.
SQL> shutdown immediate
Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> startup
ORACLE instance started.
Total System Global Area 730714112 bytes
Fixed Size 2216944 bytes
Variable Size 515902480 bytes
Database Buffers 209715200 bytes
Redo Buffers 2879488 bytes
Database mounted.
Database opened.
SQL> show parameter O7_DICTIONARY_ACCESSIBILITY
NAME TYPE VALUE
---- ---- -----
O7_DICTIONARY_ACCESSIBILITY boolean TRUE
SQL> conn mdu/oracle
Connected.
SQL> select * from sys.baby;
NAME SEX
---- ---
keren nv
SQL> desc v$instance;
Name Null? Type
---- ----- ----
INSTANCE_NUMBER NUMBER
INSTANCE_NAME VARCHAR2(16)
HOST_NAME VARCHAR2(64)
VERSION VARCHAR2(17)
STARTUP_TIME DATE
STATUS VARCHAR2(12)
PARALLEL VARCHAR2(3)
THREAD# NUMBER
ARCHIVER VARCHAR2(7)
LOG_SWITCH_WAIT VARCHAR2(15)
LOGINS VARCHAR2(10)
SHUTDOWN_PENDING VARCHAR2(3)
DATABASE_STATUS VARCHAR2(17)
INSTANCE_ROLE VARCHAR2(18)
ACTIVE_STATE VARCHAR2(9)
BLOCKED VARCHAR2(3)
After changing this parameter, SELECT ANY TABLE really does mean any table.
Of course, if all you need is for an ordinary user to read one or a few specific SYS tables, there is no reason to go to this much trouble or take on this much security risk by changing the parameter; simply grant the user object privileges on the tables in question.
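The least-privilege route just described, as an added example that is not part of the original post: leave O7_DICTIONARY_ACCESSIBILITY at its default of FALSE, audit who already holds the broad ANY privileges, grant MDU only the SYS object it needs (SYS.BABY from the experiment) or SELECT_CATALOG_ROLE for dictionary views such as V$INSTANCE, and then take the broad privilege away. The user MDU and table SYS.BABY are taken from the experiment above; everything else is standard Oracle data-dictionary views and should be run as SYSDBA.

```sql
-- Added example, not from the original post. Run as SYSDBA.

-- 1. Confirm the parameter is still at its secure default (FALSE).
SELECT name, value, issys_modifiable
  FROM v$parameter
 WHERE name = 'O7_DICTIONARY_ACCESSIBILITY';

-- 2. Audit: which accounts hold the broad ANY privileges?
--    Any non-DBA account in this list deserves a second look.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('SELECT ANY TABLE', 'EXECUTE ANY PROCEDURE')
 ORDER BY grantee, privilege;

-- 3. Least privilege: grant only the SYS object MDU actually needs.
--    With O7_DICTIONARY_ACCESSIBILITY = FALSE an explicit object
--    privilege works even though SELECT ANY TABLE does not reach SYS.
GRANT SELECT ON sys.baby TO mdu;

-- 4. If MDU only needs dictionary views (for example V$INSTANCE),
--    use the purpose-built role instead of flipping the parameter.
GRANT SELECT_CATALOG_ROLE TO mdu;

-- 5. Remove the broad privilege now that specific grants cover the need.
REVOKE SELECT ANY TABLE FROM mdu;

-- 6. Verify what MDU ended up with: object grants on SYS objects,
--    roles, and any remaining system privileges.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'MDU' AND owner = 'SYS';

SELECT granted_role
  FROM dba_role_privs
 WHERE grantee = 'MDU';

SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'MDU';
```

After step 5 the last query should no longer list SELECT ANY TABLE, while `select * from sys.baby` still works for MDU through the object grant.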
