The DBMS SETTING privileges
AuraDB Business CriticalAuraDB Virtual Dedicated CloudEnterprise Edition

You can grant the privilege to show configuration settings using the SHOW SETTING privilege. A role with this privilege is allowed to list the configuration settings matched by the name-globbing.

For more details about the syntax descriptions, see Reading the administration commands syntax.
Table 1. Setting privileges command syntax
Command Description 
GRANT [IMMUTABLE] SHOW SETTING[S] name-globbing[, ...]
  ON DBMS
  TO role[, ...]

Enables the specified roles to list given configuration settings.

Grant privilege to show all settings

You can grant the privilege to show all settings using SHOW SETTING * or all settings in a namespace using SHOW SETTING namespace.*. The following query shows an example of how to grant SHOW SETTING privilege to view all settings in the server.bolt namespace:

GRANT SHOW SETTING server.bolt.* ON DBMS TO configurationViewer;

Users with the role configurationViewer can then view any setting in the server.bolt namespace.

As a result, the configurationViewer role has privileges that only allow listing settings in the server.bolt namespace. To list all privileges for the role configurationViewer as commands, use the following query:

SHOW ROLE configurationViewer PRIVILEGES AS COMMANDS;
Table 2. Result
command

"GRANT SHOW SETTING server.bolt.* ON DBMS TO `configurationViewer`"

Rows: 1

Grant privilege to show all but some settings

You can grant the privilege to show all but a few settings using SHOW SETTINGS * and deny the unwanted settings.
For example, the following queries allow you to view all settings, except those starting with dbms.security:

GRANT SHOW SETTINGS * ON DBMS TO deniedConfigurationViewer;
DENY SHOW SETTING dbms.security* ON DBMS TO deniedConfigurationViewer;

As a result, the deniedConfigurationViewer role has privileges that allow listing all settings except those starting with dbms.security. To list all privileges for the role deniedConfigurationViewer as commands, use the following query:

SHOW ROLE deniedConfigurationViewer PRIVILEGES AS COMMANDS;
Table 3. Result
command

"DENY SHOW SETTING dbms.security* ON DBMS TO `deniedConfigurationViewer`"

"GRANT SHOW SETTING * ON DBMS TO `deniedConfigurationViewer`"

Rows: 2

As the query result shows, viewing settings starting with dbms.security is blocked, but the rest can still be listed.