What Is the Become User Privilege
You might be learning something new today, as I did when I ran the DBSAT Oracle utility! In the generated report, I noticed a privilege that was mentioned: Become User Privilege. I found it interesting, so I started reading up on it. The only thing is, there is not much information in the documentation about this privilege. The reason behind it, I think, would be that Oracle uses it internally, and it is not really a privilege that you must grant to a user explicitly.
The Become User Privilege is required by DataPump to be able to import objects into a different schema, on behalf of the schema owner.
The privilege is granted explicitly to IMP_FULL_DATABASE role (through a direct grant) and DBA role, and implicitly to DATAPUMP_IMP_FULL_DATABASE role (through a role grant), and of course t is also granted to SYS.
select PRIVILEGE from dba_sys_privs
where GRANTEE='IMP_FULL_DATABASE' order by 1;
PRIVILEGE
----------------------------------------
...
BECOME USER
...
select GRANTED_ROLE from dba_role_privs
where GRANTEE='DATAPUMP_IMP_FULL_DATABASE';
GRANTED_ROLE
------------------------------
EXP_FULL_DATABASE
IMP_FULL_DATABASE
When you enable Database Vault, this privilege is revoked from the two roles mentioned above: IMP_FULL_DATABASE, DATAPUMP_IMP_FULL_DATABASE, and disabling Database Vault will grant the privilege back again. This is expected behaviour.
I’d like to emphasize this that this privilege will not give you proxy privileges to other schemas. This privilege is strictly used by DataPump import. In order to proxy to other schemas, you require other privilege (connect through proxy).
If you enjoyed this article, and would like to learn more about databases, please sign up to my weekly email, and you will receive my FREE guide: 7 Questions to Ask When Troubleshooting Database Performance Problems!
If you are interested in improving your Oracle Tuning skills, check out my course theultimatesqltuningformula.com. Follow the link to get Today‘s Special, only $13.99 CAD !
