The DBMS IMPERSONATE privileges
AuraDB Business Critical, AuraDB Virtual Dedicated Cloud, Enterprise Edition
The DBMS privileges for impersonation can be granted, denied, or revoked like other privileges.
Impersonation is the ability of a user to assume another user's roles (and therefore privileges). The one restriction is that the user cannot execute updating admin commands as the impersonated user (i.e. they would still be able to use SHOW commands).
You can use the IMPERSONATE privilege to allow a user to impersonate another user.
For more details about the syntax descriptions, see Reading the administration commands syntax.
| Command | Description |
|---|---|
| | Enables the specified roles to impersonate any user. |
| | Enables the specified roles to impersonate the specified users. |
Grant privilege to impersonate all users
You can grant the privilege to impersonate all users using the IMPERSONATE (*) privilege.
For example:
GRANT IMPERSONATE (*) ON DBMS TO allUserImpersonator;
As a result, the allUserImpersonator role has privileges that allow impersonating all users.
To list all privileges for the role allUserImpersonator as commands, use the following query:
SHOW ROLE allUserImpersonator PRIVILEGES AS COMMANDS;
| command |
|---|
| |

Rows: 1
Grant privilege to impersonate specific users
You can also grant the privilege to impersonate specific users or a subset of users.
For example:
GRANT IMPERSONATE (alice, bob) ON DBMS TO userImpersonator;
As a result, the userImpersonator role has privileges that allow impersonating only alice and bob.
Then, you deny the privilege to impersonate alice:
DENY IMPERSONATE (alice) ON DBMS TO userImpersonator;
As a result, users with the userImpersonator role can impersonate only bob, because the DENY takes precedence over the earlier GRANT for alice.
To list all privileges for the role userImpersonator as commands, use the following query:
SHOW ROLE userImpersonator PRIVILEGES AS COMMANDS;
| command |
|---|
| |
| |
| |

Rows: 3
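The following is an added audit example, not part of the original documentation or of Neo4j's own code. It takes privilege commands in the GRANT/DENY IMPERSONATE form used on this page and computes, per role, which users can actually be impersonated once DENY is applied, and it generalizes the alice/bob case to wildcard (*) grants. The function names, the sample command lines and the user list are assumptions constructed for illustration.

```python
import re

# GRANT/DENY IMPERSONATE command form used on this page; role backticks optional.
_CMD = re.compile(
    r"^\s*(GRANT|DENY)\s+IMPERSONATE\s*\(([^)]*)\)\s+ON\s+DBMS\s+TO\s+(.+?)\s*;?\s*$",
    re.IGNORECASE,
)

def _names(raw):
    """Split a comma-separated name list and drop backtick quoting."""
    return [n.strip().strip("`") for n in raw.split(",") if n.strip()]

def parse(commands):
    """Yield (verb, users, roles) for every IMPERSONATE privilege command."""
    for line in commands:
        m = _CMD.match(line)
        if m:  # other privilege commands are ignored
            yield m.group(1).upper(), _names(m.group(2)), _names(m.group(3))

def effective_impersonation(commands, known_users):
    """Map each role to the users it can impersonate; DENY overrides GRANT."""
    granted, denied = {}, {}
    for verb, users, roles in parse(commands):
        # (*) covers every user; expand it against the supplied user list.
        targets = set(known_users) if "*" in users else set(users)
        bucket = granted if verb == "GRANT" else denied
        for role in roles:
            bucket.setdefault(role, set()).update(targets)
    return {r: granted.get(r, set()) - denied.get(r, set())
            for r in set(granted) | set(denied)}

def wildcard_roles(commands):
    """Roles holding GRANT IMPERSONATE (*), the broadest grants to review."""
    return sorted({r for verb, users, roles in parse(commands)
                   if verb == "GRANT" and "*" in users for r in roles})

# Constructed sample input (not output captured from a real server).
SAMPLE_COMMANDS = [
    "GRANT IMPERSONATE (*) ON DBMS TO `allUserImpersonator`",
    "GRANT IMPERSONATE (alice, bob) ON DBMS TO `userImpersonator`",
    "DENY IMPERSONATE (alice) ON DBMS TO `userImpersonator`",
]
KNOWN_USERS = ["alice", "bob", "neo4j"]  # assumed user list, e.g. from SHOW USERS

if __name__ == "__main__":
    result = effective_impersonation(SAMPLE_COMMANDS, KNOWN_USERS)
    for role, users in sorted(result.items()):
        print(role, sorted(users))
    print("wildcard grants:", wildcard_roles(SAMPLE_COMMANDS))
```

The result is computed per role; a user who holds several roles is subject to the DENY entries of all of them.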