You'll need a separate account to grant the read-only access to. I would suggest adding a role that you grant read-only access to as well-- you can then re-use that role if more users need this access in the future.
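CREATE ROLE my_read_only_role;

-- Grant SELECT on every table and view in the schema to the role.
-- The object names below are not schema-qualified, so they resolve in the
-- current schema of the session that runs this block.
BEGIN
  FOR x IN (SELECT table_name FROM dba_tables WHERE owner=<<schema name>>)
  LOOP
    EXECUTE IMMEDIATE 'GRANT SELECT ON ' || x.table_name || ' TO my_read_only_role';
  END LOOP;
  FOR y IN (SELECT view_name FROM dba_views WHERE owner=<<schema name>>)
  LOOP
    EXECUTE IMMEDIATE 'GRANT SELECT ON ' || y.view_name || ' TO my_read_only_role';
  END LOOP;
END;
/

-- Give the role to the account that needs read-only access.
GRANT my_read_only_role TO new_customer_account;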
Once that is done, the new account will need to prefix the table names with the schema name to select the data. Alternatively, you could create public synonyms for each object (you can add another EXECUTE IMMEDIATE to each loop in the code above). Or you could have the user run the command
ALTER SESSION SET current_schema = <<schema name>>
on login. You could also create a login trigger in the new account that would do this automatically. That will cause <<schema name>> to be implicitly added as the schema prefix. It does not affect the privileges of the session-- the user still has the read-only privileges, the default schema name has just been changed.
As requested, a bit of a tutorial on groups. Hopefully this isn't too elementary.
By default, most user accounts are also part of a group of the same name. To determine what groups an account is a member of, use the groups command.
# groups root
root : root bin daemon sys adm disk wheel
The first one listed is the primary group, and will be the default group owner of any files that user creates. That's listed in the output of ls as the second 'root' entry.
# touch testfile
# ls -l testfile
-rw-r--r-- 1 root root 19 Jan 29 08:37 testfile
In order to add a user to a group, you use usermod as shown. The lowercase "-g" flag you gave it changes the primary group. It may be better to change just a secondary one, using the "-G" and "-a" flags. Namely, to put the git user into luddico's group.
# usermod -G luddico -a git
# groups git
git : git luddico
This should give git access to any files that are owned by the luddico group, and have appropriate group permissions. Group permissions are the second "rwx" set listed in ls. The testfile I showed above only allows read access by the root group. If you wanted to give all members of that group write access, you would have to use chmod for that.
# ls -l testfile
-rw-r--r-- 1 root root 19 Jan 29 08:37 testfile
# chmod g+w testfile
# ls -l testfile
-rw-rw-r-- 1 root root 19 Jan 29 08:37 testfile
Now anyone in the root group can read or write to testfile. Apply the same concept to Luddico's files.
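The following is an added example, not part of the original answer: it reports which permission class (owner, group or other) applies to a given uid and group list for a file, and the rwx triplet of that class, which is how to confirm that a change like the chmod g+w above actually reaches the intended account. It assumes GNU stat with the -c option; the function names class_for and perms_for are hypothetical, and ACLs and the root override are not modelled.

```sh
# Added example (not from the original answer). Assumes GNU stat (-c).
# Ignores ACLs and the root override; function names are hypothetical.

# class_for FILE UID "GID GID ..." -> prints owner, group or other.
# The classes are exclusive: the first match decides which triplet applies.
class_for() {
    _fuid=$(stat -c %u -- "$1") || return 1
    _fgid=$(stat -c %g -- "$1") || return 1
    if [ "$2" = "$_fuid" ]; then echo owner; return 0; fi
    for _g in $3; do
        if [ "$_g" = "$_fgid" ]; then echo group; return 0; fi
    done
    echo other
}

# perms_for FILE UID "GID GID ..." -> prints the rwx triplet that applies.
perms_for() {
    _class=$(class_for "$1" "$2" "$3") || return 1
    _mode=$(stat -c %a -- "$1") || return 1      # octal, e.g. 664
    _bits=$((0$_mode))                           # parse as octal
    case $_class in
        owner) _t=$(( ($_bits >> 6) & 7 )) ;;
        group) _t=$(( ($_bits >> 3) & 7 )) ;;
        *)     _t=$(( $_bits & 7 )) ;;
    esac
    _r=-; _w=-; _x=-
    [ $(( _t & 4 )) -ne 0 ] && _r=r
    [ $(( _t & 2 )) -ne 0 ] && _w=w
    [ $(( _t & 1 )) -ne 0 ] && _x=x
    echo "$_r$_w$_x"
}

# Constructed demo: a temp file stands in for testfile from the answer,
# and demo_uid is any uid that is not the file's owner.
demo_file=$(mktemp)
demo_gid=$(stat -c %g -- "$demo_file")
demo_uid=$(( $(stat -c %u -- "$demo_file") + 1 ))
chmod 644 "$demo_file"
echo "group member before chmod g+w: $(perms_for "$demo_file" "$demo_uid" "$demo_gid")"
chmod g+w "$demo_file"
echo "group member after chmod g+w:  $(perms_for "$demo_file" "$demo_uid" "$demo_gid")"
rm -f "$demo_file"
```

Because the classes are exclusive, an owner whose own triplet is more restrictive than the group triplet gets the owner triplet, even when that account is also a member of the file's group.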
Best Answer
I answered a very similar question on stackoverflow.
Basically, it's this: