In an Oracle database I have a local admin user called LOCAL_ADMIN. As SYS I granted a SELECT privilege including the grant option on the system view AUDSYS.UNIFIED_AUDIT_TRAIL.
Now I connect as LOCAL_ADMIN to grant a SELECT privilege to another user. Doing this I get the following error message:
GRANT SELECT ON AUDSYS.UNIFIED_AUDIT_TRAIL TO user_xyz
Fehlerbericht –
ORA-01720: Berechtigungsoption für ‘SYS.STMT_AUDIT_OPTION_MAP’ nicht vorhanden
01720. 00000 – “grant option does not exist for ‘%s.%s'”
*Cause: A grant was being performed on a view or a view was being replaced
and the grant option was not present for an underlying object.
*Action: Obtain the grant option on all underlying objects of the view or
revoke existing grants on the view.
as SYS
GRANT select ON AUDSYS.UNIFIED_AUDIT_TRAIL TO LOCAL_ADMIN with grant option;
grant select on SYS.STMT_AUDIT_OPTION_MAP to LOCAL_ADMIN with grant option;
as LOCAL_ADMIN
GRANT SELECT ON AUDSYS.UNIFIED_AUDIT_TRAIL TO user_xyz;
Fehlerbericht -
ORA-01720: Berechtigungsoption für 'SYS.STMT_AUDIT_OPTION_MAP' nicht vorhanden
01720. 00000 - "grant option does not exist for '%s.%s'"
*Cause: A grant was being performed on a view or a view was being replaced
and the grant option was not present for an underlying object.
*Action: Obtain the grant option on all underlying objects of the view or
revoke existing grants on the view.
I tried to grant other privileges to the LOCAL_ADMIN user without success.
BerndT is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
You are getting that error because AUDSYS does not itself have the grant option for the underlying objects owned by SYS:
sys.all_unified_audit_actions
sys.system_privilege_map
sys.stmt_audit_option_map
sys.gv_$unified_audit_trail
A view owner cannot take upon itself the power to grant access to objects it doesn’t own unless it has been given this ability by the owner with the WITH GRANT OPTION. In this case, it’s AUDSYS that lacks the privs to SYS objects. You can fix it by issuing the following grants:
grant select on sys.stmt_audit_option_map to audsys with grant option;
grant select on sys.system_privilege_map to audsys with grant option;
grant select on sys.all_unified_audit_actions to audsys with grant option;
grant select on sys.gv_$unified_audit_trail to audsys with grant option;
Now try using local_admin to issue your select grant on the view. It should work.
However, this isn’t a great idea, to modify the privs of an Oracle-maintained user like this. If you are using local_admin as a true admin account with grant abilities, it should probably just be given the grant any object privilege system priv:
grant grant any object privilege to local_admin;
Then local_admin can grant whatever it wants without having to mess with audsys privs. Life will be a lot simpler.
1