nerdexam
Oracle

1Z0-062 · Question #167

In your multitenant container database (CDB) containing pluggable database (PDBs), you granted the CREATE TABLE privilege to the common user C # # A_ADMIN in root and all PDBs. You execute the followi

The correct answer is B. It fails and reports an error because the CONTAINER=ALL clause is not used.. Revoking a privilege that was originally granted with CONTAINER=ALL requires the CONTAINER=ALL clause in the REVOKE statement; omitting it causes an error.

Administering User Security

Question

In your multitenant container database (CDB) containing pluggable database (PDBs), you granted the CREATE TABLE privilege to the common user C # # A_ADMIN in root and all PDBs. You execute the following command from the root container:

SQL > REVOKE create table FROM C # # A_ADMIN; What is the result?

Options

  • AIt executes successfully and the CREATE TABLE privilege is revoked from C # # A_ADMIN in
  • BIt fails and reports an error because the CONTAINER=ALL clause is not used.
  • CIt excludes successfully and the CREATE TABLE privilege is revoked from C # # A_ADMIN in
  • DIt fails and reports an error because the CONTAINER=CURRENT clause is not used.
  • EIt executes successfully and the CREATE TABLE privilege is revoked from C # # A_ADMIN in all

How the community answered

(47 responses)
  • A
    4% (2)
  • B
    83% (39)
  • C
    2% (1)
  • D
    9% (4)
  • E
    2% (1)

Why each option

Revoking a privilege that was originally granted with CONTAINER=ALL requires the CONTAINER=ALL clause in the REVOKE statement; omitting it causes an error.

AIt executes successfully and the CREATE TABLE privilege is revoked from C # # A_ADMIN in

The statement does not execute successfully; the missing CONTAINER=ALL clause causes Oracle to report an error before any privilege is removed.

BIt fails and reports an error because the CONTAINER=ALL clause is not used.Correct

In a CDB, when a privilege is granted to a common user with CONTAINER=ALL, Oracle records it as a common grant spanning the root and all PDBs. A REVOKE issued from root without the CONTAINER=ALL clause does not match the common grant and fails with an error, because Oracle enforces symmetry between how a privilege was originally granted and how it must be revoked.

CIt excludes successfully and the CREATE TABLE privilege is revoked from C # # A_ADMIN in

The REVOKE does not execute successfully here; the absent CONTAINER=ALL clause triggers an Oracle error rather than allowing the operation to complete.

DIt fails and reports an error because the CONTAINER=CURRENT clause is not used.

CONTAINER=CURRENT is not the required clause; since the privilege was granted with CONTAINER=ALL, revocation must also specify CONTAINER=ALL, not CONTAINER=CURRENT.

EIt executes successfully and the CREATE TABLE privilege is revoked from C # # A_ADMIN in all

The REVOKE fails entirely without CONTAINER=ALL and does not revoke the privilege from any container, including all PDBs.

Concept tested: CDB common user privilege revocation with CONTAINER=ALL

Source: https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/managing-security-for-oracle-db-users.html

Topics

#Multitenant architecture#Common user#Privileges#CONTAINER clause

Community Discussion

No community discussion yet for this question.

Full 1Z0-062 Practice