Oracle "with admin" vs. "with grant" security privileges Oracle Database Tips by Donald Burleson

 

Question:  What is the difference between the "with admin" option and the "with grant" option.  How do these grant option affect user access?

 

Answer:  There is a very distinct difference, and it's important to carefully consider the ramifications of using either "with grant option" or "with admin option".  These option relinquish control of the database privileges from a single database owner to multiple users, something that must be carefully controlled to ensure proper security.

 

Beware:  Using "with admin" and "with grant" options are considered Oracle dangerous because if they are not managed carefully you can have unintended side effects, resulting to a security hole.

 

Both the 'with grant' and 'with admin' options serve to relinquish central security control, but they are for different types of privileges.

 

With Grant option:

• Only for object privileges, not system privileges.
  

• Only the person who granted the privilege can revoke the privilege.

• Revoked privileges can "cascade", allowing the first grantor to revoke many subsequent grants.

 

With Admin option:

• Only for system privileges, not object privileges.
  

 

Using the with admin option

Any 'global' privileges like roles and system privileges (e.g. CREATE TABLE) are granted using the WITH ADMIN OPTION. For table-specific privileges (e.g. GRANT select on emp) we use WITH GRANT OPTION syntax. Also, revoking any grant WITH GRANT will cascade and revoke any and all privileges assigned by the privileged user. On the other hand, revoking someone with the WITH ADMIN OPTION will only revoke their personal privileges, leaving intact all granted users.

 

When system privileges are passed to others using the WITH ADMIN OPTION, revoking the system privileges from the original user will not cascade. The system privileges granted to others must be revoked directly. In contrast, when object privileges are passed on to others using the WITH GRANT OPTION, the object privileges are revoked when the grantor's privileges are revoked.

It is important to note that only object privileges will cascade when revoked; system privileges will not.

When the WITH ADMIN OPTION or WITH GRANT OPTION has been included in a grant to another user, the privilege cannot be revoked directly. You must revoke the privilege and then issue another grant without the WITH ADMIN OPTION or WITH GRANT OPTION.
 

 

The "with admin" privilege

 

Sometime you want to grant privileges to users and have them be able to grant those privileges to other users. When this is the case, we include the WITH ADMIN OPTION keyword in the GRANT command. When this keyword is used, it will allow the user granted the privilege to grant that privilege to other users.
 

Privileges that are granted WITH ADMIN OPTION can be passed to other users. Hence, many companies prohibit this option, and others check to ensure that all user ID's are proper.  Here is an example of the usage of the with admin option keyword.

GRANT
   CREATE INDEX
TO
   Robert
WITH ADMIN OPTION;

 

The metadata security audit information for users having the WITH ADMIN OPTION is located in the DBA_SYS_PRIVS view. Read more here.

 

The "with grant" privilege
 

The WITH GRANT option allows you to give the user you are assigning the privilege to grant this privilege to other users.  Only the schema that owns the object can grant privileges to that object unless the WITH GRANT option is included in the command.  Here is an example of the use of the with grant option:

GRANT SELECT ON
   emp
TO
   scott
WITH GRANT OPTION;
 

See here for more on the WITH GRANT option.