1Z0-062 · Question #167
In your multitenant container database (CDB) containing pluggable database (PDBs), you granted the CREATE TABLE privilege to the common user C # # A_ADMIN in root and all PDBs. You execute the followi
The correct answer is B. It fails and reports an error because the CONTAINER=ALL clause is not used.. Revoking a privilege that was originally granted with CONTAINER=ALL requires the CONTAINER=ALL clause in the REVOKE statement; omitting it causes an error.
Question
In your multitenant container database (CDB) containing pluggable database (PDBs), you granted the CREATE TABLE privilege to the common user C # # A_ADMIN in root and all PDBs. You execute the following command from the root container:
SQL > REVOKE create table FROM C # # A_ADMIN; What is the result?
Options
- AIt executes successfully and the CREATE TABLE privilege is revoked from C # # A_ADMIN in
- BIt fails and reports an error because the CONTAINER=ALL clause is not used.
- CIt excludes successfully and the CREATE TABLE privilege is revoked from C # # A_ADMIN in
- DIt fails and reports an error because the CONTAINER=CURRENT clause is not used.
- EIt executes successfully and the CREATE TABLE privilege is revoked from C # # A_ADMIN in all
How the community answered
(47 responses)- A4% (2)
- B83% (39)
- C2% (1)
- D9% (4)
- E2% (1)
Why each option
Revoking a privilege that was originally granted with CONTAINER=ALL requires the CONTAINER=ALL clause in the REVOKE statement; omitting it causes an error.
The statement does not execute successfully; the missing CONTAINER=ALL clause causes Oracle to report an error before any privilege is removed.
In a CDB, when a privilege is granted to a common user with CONTAINER=ALL, Oracle records it as a common grant spanning the root and all PDBs. A REVOKE issued from root without the CONTAINER=ALL clause does not match the common grant and fails with an error, because Oracle enforces symmetry between how a privilege was originally granted and how it must be revoked.
The REVOKE does not execute successfully here; the absent CONTAINER=ALL clause triggers an Oracle error rather than allowing the operation to complete.
CONTAINER=CURRENT is not the required clause; since the privilege was granted with CONTAINER=ALL, revocation must also specify CONTAINER=ALL, not CONTAINER=CURRENT.
The REVOKE fails entirely without CONTAINER=ALL and does not revoke the privilege from any container, including all PDBs.
Concept tested: CDB common user privilege revocation with CONTAINER=ALL
Source: https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/managing-security-for-oracle-db-users.html
Topics
Community Discussion
No community discussion yet for this question.