Retrieving all user privileges within Oracle can range from a simple task using a basic SQL query to an advanced script, depending primarily on how involved the roles and privileges are configured within the server.
In this brief tutorial, we’ll cover both the basic SQL query method as well as the advanced script method so you’ll have no issue regardless of the complexity of your setup.
Querying DBA/USER Privilege Views
A database administrator (DBA) for Oracle can simply execute a query to view the rows in
DBA_ROLE_PRIVS to retrieve information about user privileges related to the
For example, a DBA wishing to view all
system privileges granted to all users would issue the following query:
SELECT * FROM DBA_SYS_PRIVS;
DBA_SYS_PRIVS view contains three columns of data:
GRANTEEis the name, role, or user that was assigned the privilege.
PRIVILEGEis the privilege that is assigned.
ADMIN_OPTIONindicates if the granted privilege also includes the
To determine which users have direct grant access to a
table we’ll use the
SELECT * FROM DBA_TAB_PRIVS;
You can check the official documentation for more information about the columns returned from this query, but the critical columns are:
GRANTEEis the name of the user with granted access.
TABLE_NAMEis the name of the object (table, index, sequence, etc).
PRIVILEGEis the privilege assigned to the
GRANTEEfor the associated object.
Finally, querying the
DBA_ROLE_PRIVS view has much of the same information but applicable to
roles instead, where the
GRANTED_ROLE column specifies the role in question:
SELECT * FROM DBA_ROLE_PRIVS;
Querying the Current User’s Privileges
If DBA access isn’t possible or necessary, it is also possible to slightly modify the above queries to view the privileges solely for the current user.
This is done by alternatively querying
USER_ versions of the above
DBA_ views. Thus, instead of looking at
DBA_SYS_PRIVS we’d query
USER_SYS_PRIVS, like so:
SELECT * FROM USER_SYS_PRIVS;
USER_ privilege views are effectively the same as their
DBA_ counterparts, but specific to the current user only, the type of returned data and column names are all identical to those when querying
DBA_ views intead.
Advanced Script to Find All Privileges
While the above methods will work for basic system configurations, things start to become messy in Oracle when many roles exist which are in turn granting role privileges to other roles, and so on down the rabbit hole. Since the
USER_ privilege views only display
GRANTEES with directly assigned access, often privileges that are inhereted through other roles will not be readily shown.
To resolve this, it is advisable to use an advanced script such as the trusted work of Pete Finnigan and his
find_all_privs.sql script. You may also opt for a modified version by David Arthur,
In either case, the purpose of these scripts is to allow you to recursively locate all privileges granted to a particular user. When the script locates a
role for the user, it recursively searches for other roles and privileges granted to that role, repeating the process all the way down the chain. The results of the script can be output to the screen or to a file as desired.
More information on these scripts and their usage can be found at petefinnigan.com.