
Easiest way to check if granted privileges and if not then grant it (Oracle + bash)

I have a script in bash to grant privileges (30 grants) in Oracle. This script is in cron and it starts every day at a specific hour. I want the easiest / fastest way to create a check / if to grant privileges only if they are not already granted. Can someone help?

Do not bother checking if they have/have not got the privileges. Just grant/revoke them so that whichever user it is ends up with the correct privileges.

You can write a shell script to generate a file with the SQL commands in it and then run the script using SQL*Plus.

The below PL/SQL block only grants the missing privileges. I've used the "expected minus actual" pattern frequently, and I've learned the hard way to always display the problematic SQL statement in the error message.

--Grant missing privileges.
begin
    for missing_grants in
    (
        --Build the GRANT statement for each expected-but-missing privilege.
        select grantee, table_name, privilege, 'grant ' || privilege || ' on ' || table_name || ' to ' || grantee grant_ddl
        from
        (
            --Expected privileges:
            select 'TEST_USER' grantee, 'TEST1' table_name, 'SELECT' privilege from dual union all
            select 'TEST_USER' grantee, 'TEST2' table_name, 'SELECT' privilege from dual union all
            select 'TEST_USER' grantee, 'TEST2' table_name, 'INSERT' privilege from dual union all
            select 'TEST_USER' grantee, 'TEST2' table_name, 'UPDATE' privilege from dual union all
            select 'TEST_USER' grantee, 'TEST2' table_name, 'DELETE' privilege from dual
            minus
            --Actual privileges:
            select grantee, table_name, privilege
            from user_tab_privs
            where table_name in ('TEST1', 'TEST2')
        )
    ) loop
        begin
            execute immediate missing_grants.grant_ddl;
        exception when others then
            raise_application_error(-20000, 'Error with this SQL: ' || missing_grants.grant_ddl || chr(10) || sqlerrm);
        end;
    end loop;
end;
/

While it's true that you could simply re-run the grants every time, there are several reasons you may not want to do that:

  1. Performance: While 30 grants usually will run very quickly, if your privilege script grows it may start to slow down.
  2. Locking: If something else is altering the objects at the same time you might run into problems. (Although grants do seem to avoid most locking issues. For example, row locks don't stop a grant.)
  3. Auditing: If you audit DDL commands, re-granting frequently can fill the audit trail with noise, and make it hard to tell what changed.

Also, you might want to consider Gary Myers' suggestion to put this task inside the scheduler. With just a single call to DBMS_SCHEDULER, you could put the job inside the database and not have to worry about shell scripts or cron.
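
The shell-generated SQL file suggested in the earlier answer can use the same "expected minus actual" comparison, as in this added example (not part of the original answers). The function name `missing_grants`, the pipe-delimited file format, and the spooling of `user_tab_privs` into the "actual" file are assumptions of the sketch.

```shell
#!/bin/sh
# Added example. Input format (an assumption of this sketch): one
# GRANTEE|TABLE_NAME|PRIVILEGE per line, the columns the PL/SQL block compares.
# The "actual" file is assumed to be spooled from user_tab_privs in that form.

# missing_grants EXPECTED_FILE ACTUAL_FILE
# Prints a GRANT statement for every expected line absent from the actual file.
missing_grants() {
    expected=$1
    actual=$2
    # Unquoted upper-case identifiers and four object privileges only.
    pat='[A-Z][A-Z0-9_]*[|][A-Z][A-Z0-9_]*[|](SELECT|INSERT|UPDATE|DELETE)'
    # grep -v succeeds only when some line does NOT match: refuse to emit DDL,
    # so a stray quote or semicolon in the list never reaches SQL*Plus.
    if bad=$(LC_ALL=C grep -Evx "$pat" "$expected"); then
        echo "invalid expected entry: $bad" >&2
        return 2
    fi
    tmp_e=$(mktemp)
    tmp_a=$(mktemp)
    LC_ALL=C sort -u "$expected" > "$tmp_e"
    LC_ALL=C sort -u "$actual" > "$tmp_a"
    # comm -23 keeps lines found only in the first file: expected minus actual.
    LC_ALL=C comm -23 "$tmp_e" "$tmp_a" |
        awk -F'|' '{ printf "grant %s on %s to %s;\n", $3, $2, $1 }'
    rm -f "$tmp_e" "$tmp_a"
}

# Constructed sample data mirroring the TEST_USER rows in the PL/SQL block.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'TEST_USER|TEST1|SELECT' 'TEST_USER|TEST2|SELECT' \
        'TEST_USER|TEST2|INSERT' 'TEST_USER|TEST2|UPDATE' \
        'TEST_USER|TEST2|DELETE' > "$d/expected.txt"
    # Pretend only the two SELECT grants exist so far.
    printf '%s\n' 'TEST_USER|TEST1|SELECT' 'TEST_USER|TEST2|SELECT' > "$d/actual.txt"
    missing_grants "$d/expected.txt" "$d/actual.txt"
    rm -rf "$d"
}
demo
```

Redirect the output to a file and run it with SQL*Plus; an empty file means every expected privilege is already granted, so nothing is executed and nothing is added to the audit trail.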

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any questions, please contact: yoyou2525@163.com.

 