Which three statements are true about the working of system privileges in a multitenant control database (CDB) that has pluggable databases (PDBs)?
A. System privileges apply only to the PDB in which they are used.
B. Local users cannot use local system privileges on the schema of a common user.
C. The granter of system privileges must possess the SET CONTAINER privilege.
D. Common users connected to a PDB can exercise privileges across other PDBs.
E. System privileges with the with grant option container all clause must be granted to a common user before the common user can grant privileges to other users.
Explanation:
A, Not D: In a CDB, PUBLIC is a common role. In a PDB, privileges granted locally to PUBLIC enable all local and common users to exercise these privileges in this PDB only.
C: A user can only perform common operations on a common role, for example, granting privileges commonly to the role, when the following criteria are met:
•The user is a common user whose current container is root.
•The user has the SET CONTAINER privilege granted commonly, which means that the privilege applies in all containers.
•The user has the privilege controlling the ability to perform the specified operation, and this privilege has been granted commonly.
Incorrect:
Note:
* Every privilege and role granted to Oracle-supplied users and roles is granted commonly except for system privileges granted to PUBLIC, which are granted locally.
A C E
A B E
not C:
Only two types of users can grant system privileges to other users or revoke those privileges from them.
•Users who were granted a specific system privilege with the ADMIN OPTION
•Users with the system privilege GRANT ANY PRIVILEGE
(https://docs.oracle.com/database/121/DBSEG/authorization.htm#DBSEG99877)
why B:
With the appropriate privileges, a local user can access objects (SELECT) in a common user’s schema. But the local user can’t use a system privilege (for example, CREATE ANY TABLE) in a common user’s schema; “CREATE TABLE c##test1.t1 (f1 NUMBER);” is wrong, with an Oracle error.