Create a user who can only query data from a tablespace (oracle)

Question

I have 3 users in my oracle Database

user_admin user user_query

• The user_admin have dba rol.
• user have connect and resource rol
• and user_query the same as user.

I want to configure the last one to deny him of all kind of insert,update,delete but form the full tablespace not from a table, view or procedure...

The point is to have a secure-only-querying data user.

But i can't do it for a tablespace, at least as far i know.

Any idea?

Answer 1

You can loop through all table that use the tablespace in question and grant select. I would try to stay away from powerful privs like "SELECT ANY TABLE", as that would apply to the entire database.

For example, if your tablespace is named XXX then:

BEGIN
  FOR tbl IN (SELECT owner, table_name
                FROM dba_tables dt
               WHERE dt.tablespace_name = 'XXX') LOOP
  EXECUTE IMMEDIATE 'GRANT SELECT ON ' || tbl.owner || '.' || tbl.table_name || ' TO USER_QUERY';
  END LOOP;
END;

Answer 2

Firstly, the use of the CONNECT and RESOURCE roles is discouraged, and documented as such.

That aside, no, there is no privilege for granting by tablespace, or even by user. For one thing, a partitioned table or index can use multiple tablespaces, none of which might be the default for that object.

Grants are at the object level. You could create a procedure to grant privileges to a user (or better to a role) based on the tablespace of a table though.

Answer 3

there is the following which grants select to any table or view (except those owned by SYS):

    grant select any table to user_query;

It doesn't restrict to a single tablespace though - any table in the entire database would be available for select.