I always thought that SYS is the almighty user of the database like root on linux OS. But it seems that he isn’t. A few days ago a developer got following error on the database: ORA-01927: cannot REVOKE privileges you did not grant Ok, that seems to be clear, he tried to revoke a grant which he didn’t grant. But he told me that he granted it just before, so I logged on with SYS and had a look on the privileges. And he was right, he granted it with SYSTEM. So I tried to revoke the privilege with SYS and also got the same error?! Then a look at error messages page on oracle:
- ORA-01927: cannot REVOKE privileges you did not grant
-
Cause: You can only revoke privileges you granted.
-
Action: Don”t revoke these privileges.
Ok, i can’t revoke the privilege with SYS, but with SYSTEM from a SYS object?
Searching the Oracle Forums and Internet also said the same, can that be? Time for a little test:
Lets make a little function stored by sys and grant it to a simple user with SYSTEM and then try to revoke it with SYS:
SQL> conn sys@test1 as sysdba
Connected.
SQL> create function test return varchar2 as begin return ‘Hello World!’; end;
2 /
Function created.
SQL> create user venzi identified by venzi;
User created.
SQL> grant resource to venzi;
Grant succeeded.
SQL> grant connect to venzi;
Grant succeeded.
SQL> grant execute on SYS.test to system with grant option;
Grant succeeded.
Ok, now we’ve the function, the user and SYSTEM has the grant with the option to grant to other user. Now we gave the simple user the grant from SYSTEM:
SQL> conn system@test1
Connected.
SQL> grant execute on sys.test to venzi;
Grant succeeded.
And test it out:
SQL> conn venzi@test1
Connected.
SQL> select sys.test from dual;
TEST
——————————————————————————–
Hello World!
Ok, works fine, SYS now will try to revoke the grant:
SQL> conn sys@test1 as sysdba
Connected.
SQL> revoke execute on test from venzi;
revoke execute on test from venzi
*
ERROR at line 1:
ORA-01927: cannot REVOKE privileges you did not grant
With SYS it doesn’t work although it’s a SYS object…. the user still has the privilege to execute the function:
SQL> conn venzi@test1
Connected.
SQL> select sys.test from dual;
TEST
——————————————————————————–
Hello World!
With system it works fine:
SQL> conn system@test1
Connected.
SQL> revoke execute on sys.test from venzi;
Revoke succeeded.
Only chance with SYS is to revoke the privilege from SYSTEM:
SQL> conn system@test1
Connected.
SQL> grant execute on sys.test to venzi;
Grant succeeded.
SQL> conn venzi@test1
Connected.
SQL> select sys.test from dual;
TEST
——————————————————————————–
Hello World!
SQL> conn sys@test1 as sysdba
Connected.
SQL> revoke execute on test from system;
Revoke succeeded.
SQL> conn venzi@test1
Connected.
SQL> select sys.test from dual;
select sys.test from dual
*
ERROR at line 1:
ORA-00904: : invalid identifier
So very very strange, I always thought that with SYS you can perform all operations, but it seems that you can’t. I’m sure that there is a dirty solution from deleting it out from data dictionary but as said: Very dirty (never modify data dictionary except Oracle Support wants you to do this!)
Gerald on IT 
You also cannot drop db links not created by SYS. Quite frustrating.
LikeLike
Really strange behaviour. Everyone who comes from a Unix environment expect sys to be the root user of the database!
LikeLike