IT 21003 Database Administration Section 06. Managing Users and Their Roles Database Security ...

Date post: 21-Jan-2016
Upload: eric-cannon
Transcript
Page 1: IT 21003 Database Administration, Section 06

IT 21003 Database Administration

Section 06

Page 2: Managing Users and Their Roles: Database Security

Oracle's database security provides the ability to:
  Prevent unauthorized access to the database
  Prevent unauthorized access to schema objects
  Prevent unauthorized activity and audit user actions
  Control disk storage and system resource usage (profiles)

Page 3: Managing Users and Their Roles: Database Security

System security
  Checks for usernames and passwords
  Connect authorization
  Controls availability of disk space
  Controls resource limits; enables and controls auditing
  Specifies allowed system operations

Database security
  Access to specific structures
  Types of access

Page 4: Managing Users and Their Roles: Authenticating Users

All users on Oracle must have an Oracle USERID with an associated password
Authentication is possible using various methods:
  Operating system
  Database
There are additional features for database administrator authentication
All of these methods can be used within the same database
Users cannot change their own authentication method
  Only users with the ALTER USER privilege can change it

Page 5: Managing Users and Their Roles: Operating-System Authentication

Authentication checks are made at the OS level
  No userid and password are necessary when logging on to Oracle
  An Oracle ID must match the incoming OS-ID
A prefix is normally added to the OS-ID to form the matching Oracle userid
  The prefix is determined by the value of the parameter OS_AUTHENT_PREFIX
  Default is OPS$ but it can be set to other values (including null)
  A null string allows Oracle accounts to have the same userid as the corresponding OS-ID

Page 6: Managing Users and Their Roles: Operating-System Authentication

Benefits
  No need to hardcode passwords when accessing Oracle applications
  Users do not have to submit passwords twice to gain access
Oracle allows OS authentication in secure OS environments

Page 7: Managing Users and Their Roles: Operating-System Authentication

Example:
  OS account ID:    fred
  Database userid:  ops$fred

Page 8: Managing Users and Their Roles: Creating and Setting up Users

The CREATE USER statement:

  Create User userid
    Identified Externally | By password
    {Default Tablespace tablespace_name}
    {Temporary Tablespace tablespace_name}
    [Quota integer K|M | Unlimited On tablespace_name]
    [Profile profile_name]

Page 9: Managing Users and Their Roles: Creating and Setting up Users

A user with database authentication:
  Create User fred Identified By fredpw;

A user with OS authentication:
  Create User ops$smithmg Identified Externally;

Note: These statements do not give users access to the database
  They will require the CREATE SESSION system privilege

Page 10: Managing Users and Their Roles: Creating a User: Example

  Create User ops$fred
    Identified Externally
    Default Tablespace user1
    Temporary Tablespace temp1
    Profile cashier;
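Putting pages 5 to 10 together as an added example (not from the slides): the OS_AUTHENT_PREFIX check, the externally identified user from page 10, and the CREATE SESSION grant and tablespace quota the account still needs before it can connect and create anything. It assumes the tablespaces user1 and temp1 and the profile cashier already exist.

```sql
-- Added example (not from the slides). Assumes tablespaces user1 and temp1
-- and profile cashier already exist, as on page 10.

-- 1. Confirm the prefix that maps OS accounts to database userids
--    (OPS$ unless the DBA changed OS_AUTHENT_PREFIX).
SELECT name, value
  FROM v$parameter
 WHERE name = 'os_authent_prefix';

-- 2. The page-10 account: OS user "fred" authenticates as OPS$FRED.
CREATE USER ops$fred
  IDENTIFIED EXTERNALLY
  DEFAULT TABLESPACE user1
  TEMPORARY TABLESPACE temp1
  PROFILE cashier;

-- 3. CREATE USER alone does not allow a logon (page 9); the account
--    needs CREATE SESSION before the OS user can connect.
GRANT CREATE SESSION TO ops$fred;

-- 4. Nor can it create objects yet: the quota defaults to 0 (page 14),
--    even on the default tablespace. Grant a bounded quota on user1;
--    no quota is ever granted on SYSTEM (page 16).
ALTER USER ops$fred QUOTA 20M ON user1;

-- 5. Verify what was created. Oracle stores the name in upper case.
SELECT username, default_tablespace, temporary_tablespace, profile, account_status
  FROM dba_users
 WHERE username = 'OPS$FRED';

SELECT tablespace_name, max_bytes
  FROM dba_ts_quotas
 WHERE username = 'OPS$FRED';
```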

Page 11: Managing Users and Their Roles: Creating and Setting up Users

Each user has a default tablespace in which to store his or her objects
  Can be overridden when the object is created by specifying an alternative tablespace
  Default may be changed in an ALTER USER statement
Remember, if no default or temporary tablespace is specified, SYSTEM is used as both

Page 12: (slide image, dated 02-03-06)

Page 13: Managing Users and Their Roles: Manipulating User Accounts

The ALTER USER statement can be used to:
  Change passwords
  Change default and temporary tablespaces
  Grant the use of space in a tablespace (quota)
  Set a profile for the user
  Set default roles for the user (not covered in this class)
  Change the authentication method
Ordinary users may change only their passwords:
  Alter User jonesja Identified By newpass;

Page 14: Managing Users and Their Roles: Quotas on Tablespaces

Users are not able to create database objects until they have a quota on a tablespace (this includes the default tablespace)
Quota may be in bytes, Kbytes, or Mbytes
  Default is 0

Page 15: Managing Users and Their Roles: Quotas on Tablespaces

QUOTA UNLIMITED ON allows unlimited space within a tablespace:
  Create User john Identified By johnpw
    Default Tablespace ts_one
    Quota Unlimited On ts_one;

Page 16: Managing Users and Their Roles: Quotas on Tablespaces

Quotas may be reduced
  A user cannot consume any more space until the total space consumed is less than the new quota
Do not allow user quotas on the SYSTEM tablespace

Page 17: Managing Users and Their Roles: Tablespace Quota Information

Information on tablespace quotas can be found in dba_ts_quotas
  A value of -1 shows an UNLIMITED quota on the tablespace
  The quota limits extent allocation, not insertion of rows into existing extents
  Quotas are not necessary for temporary tablespaces

Page 18: Managing Users and Their Roles: Controlling Tablespace Usage

Example statements:
  Alter User fred Quota 20M On user_1;
    Fred is not allowed to consume any more space until his consumption falls below 20MB
  Alter User fred Quota 0 On user_1;
    Effectively removes the ability to create objects and extend existing objects in the tablespace
    Existing extents are unaffected
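An added example (not from the slides) of reading dba_ts_quotas from page 17 alongside the page-18 statements: it decodes the -1 marker, flags a user whose current usage already exceeds a reduced quota, and checks that no quota rows exist on SYSTEM. Tablespace user_1 and user FRED are the names the slide uses.

```sql
-- Added example (not from the slides). Tablespace user_1 and user FRED
-- are the names used on page 18.

-- Reduce Fred's quota; if he already holds more than 20MB he can allocate
-- no new extents until usage drops below the new limit (page 16).
ALTER USER fred QUOTA 20M ON user_1;

-- Read the quota back. max_bytes = -1 means UNLIMITED (page 17);
-- bytes is what the user's segments currently occupy in that tablespace.
SELECT tablespace_name,
       bytes AS used_bytes,
       DECODE(max_bytes, -1, 'UNLIMITED', TO_CHAR(max_bytes)) AS quota,
       DECODE(max_bytes, -1, 'no',
              DECODE(SIGN(bytes - max_bytes), 1, 'yes', 'no')) AS over_quota
  FROM dba_ts_quotas
 WHERE username = 'FRED'
 ORDER BY tablespace_name;

-- Quota 0 stops new objects and new extents but leaves existing extents alone.
ALTER USER fred QUOTA 0 ON user_1;

-- Page 16: no ordinary user should hold a quota on SYSTEM. Any row this
-- returns for an account that is not Oracle-maintained needs explaining.
SELECT username,
       DECODE(max_bytes, -1, 'UNLIMITED', TO_CHAR(max_bytes)) AS quota
  FROM dba_ts_quotas
 WHERE tablespace_name = 'SYSTEM';
```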

Page 19: Managing Users and Their Roles: Controlling Tablespace Usage

Sum of tablespace quotas can be greater than the tablespace size
  This is not accounting; it doesn't have to be equal
Quotas apply to owners of tables, not to users who access them
  It is usual for applications to own tables, rather than the users who access them

Page 20: Managing Users and Their Roles: Dropping Users

Use the DROP USER statement:
  Drop User fred;
    Works only if the user does not own any database objects
  Drop User fred Cascade;   (Never use this)
    Drops all objects owned by the user
    Dependencies such as FKs are also removed
Care is necessary because this is a DDL statement, so no rollback is possible
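Because DROP USER without CASCADE fails when the user owns anything, and CASCADE also removes foreign keys in other schemas that reference the user's tables, here is an added pre-drop check (not from the slides) for the page-20 user fred:

```sql
-- Added example (not from the slides). FRED is the user from page 20.

-- What does the account own? No rows means plain DROP USER will work.
SELECT object_type, COUNT(*) AS objects
  FROM dba_objects
 WHERE owner = 'FRED'
 GROUP BY object_type;

-- Foreign keys in OTHER schemas that reference FRED's tables: these are the
-- dependencies DROP USER ... CASCADE would remove, with no rollback.
SELECT owner, table_name, constraint_name
  FROM dba_constraints
 WHERE constraint_type = 'R'
   AND r_owner = 'FRED'
   AND owner <> 'FRED';

-- Is the user connected right now? DROP USER is refused while sessions exist
-- (ORA-01940), so these would have to end first (page 38).
SELECT sid, serial#, status
  FROM v$session
 WHERE username = 'FRED';

-- Only when all three queries return no rows:
DROP USER fred;
```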

Page 21: Managing Users and Their Roles: Profiles

Used to specify resource limits for users
Profiles control:
  Simultaneous sessions allowed per userid
  Total CPU time allowed per session
  Total CPU time allowed per call
  Total connection time (minutes)
  Idle time (minutes)
  Logical reads per session
  Logical reads per call
  Size of private SQL area within the shared pool
You will see profiles on the OCP certification exams

Page 22: Managing Users and Their Roles: Profiles

Since Oracle 8i we have a resource manager
  Has similar features to OS resource schedulers
  Allows DBAs better control over database resources that are not handled well by the OS

Page 23: Managing Users and Their Roles: Profiles

CREATE PROFILE statement:
  Create Profile clerk Limit
    Sessions_Per_User          3
    Cpu_Per_Session            unlimited   (hundredths of secs)
    Cpu_Per_Call               7000        (hundredths of secs)
    Connect_Time               1440        (in minutes)
    Idle_Time                  30          (minutes)
    Logical_Reads_Per_Session  unlimited
    Logical_Reads_Per_Call     1500
    Composite_Limit            20000
    Private_Sga                Default;

Page 24: Managing Users and Their Roles: Profile Specifications

The example on the previous slide creates a profile with the following controls:
  The name of the profile is clerk
  Three sessions per user may be active (concurrent)
  Amount of CPU per call is limited to 70 seconds
  A session may stay connected for 24 hours (24 x 60 = 1440)
  Thirty minutes of idle time is allowed
    Elapsed time of long-running queries does not contribute to idle time
  Logical data block reads have no limit for a session but are limited to 1500 per call
  The composite limit of 20000 is a weighted sum of cpu_per_session, logical_reads_per_session, connect_time, and private_sga
  The number of bytes of private space in the SGA is set to default
The view dba_profiles shows information about all profiles

Page 25: Managing Users and Their Roles: DEFAULT Profile

Every database has a default profile called DEFAULT
  When the database is created, all of the DEFAULT profile's limits are set to unlimited
  Any user not explicitly assigned a profile is given the DEFAULT profile
  Any parameter not defined in a profile takes on the value assigned for that parameter in the DEFAULT profile
  The parameter specifications for the DEFAULT profile can be altered using the ALTER PROFILE statement

Page 26: Managing Users and Their Roles: Altering Profiles

Any parameter in a profile may be changed by a user with the ALTER PROFILE system privilege
  The change does not affect currently connected sessions
Example:
  Alter Profile clerk Limit
    Idle_Time                  120
    Logical_Reads_Per_Session  50000;

Page 27: Managing Users and Their Roles: Assigning Users to Profiles

Use the CREATE USER or ALTER USER statement
  If a user is set to a new profile, the limits do not take effect until the next user session
  A user can be in only one profile
  Look at dba_users to find details of users' profiles

Page 28: Managing Users and Their Roles: Assigning Users to Profiles

Examples:
  Create User user2 Identified By user2pw
    Profile cashier;
  Alter User user3 Profile cashier;
  Create User user4 Identified By user4pw;
  Alter User user5 Profile default;

Page 29: Managing Users and Their Roles: Dropping Profiles

Use the DROP PROFILE statement
  If users are currently assigned, the CASCADE option must be used
  If a profile is dropped, all active sessions under the profile observe the resource limits until disconnected
  Drop Profile clerk Cascade;
    Never use the Cascade option
    All users in clerk are now set to the DEFAULT profile
You cannot drop the DEFAULT profile

Page 30: Managing Users and Their Roles: Activating Resource Limits

Although profile resource limits can be specified, they are not activated until resource limitation is enabled
  Resource limits can be enabled while the database is open
Use the ALTER SYSTEM statement as follows:
  Alter System Set Resource_Limit = True;
    False is the default for this statement
  This enables resource limits but does not survive a database shutdown
  Requires the ALTER SYSTEM system privilege
Limits can be permanently set to True in the parameter file with:
  Resource_Limit = True
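An added example (not part of the slides) tying pages 23 to 30 together: checking and enabling RESOURCE_LIMIT, then reading the clerk profile from dba_profiles next to the DEFAULT profile value each limit falls back to, and listing who is assigned to it. It assumes the clerk profile from page 23 exists.

```sql
-- Added example (not from the slides). CLERK is the profile created on
-- page 23; nothing here changes its limits.

-- Page 30: limits are dormant until RESOURCE_LIMIT is TRUE. Check, then enable.
SELECT name, value
  FROM v$parameter
 WHERE name = 'resource_limit';

ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;
-- The statement above lasts until shutdown. When the instance uses a server
-- parameter file (spfile), SCOPE = BOTH also records it there:
-- ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = BOTH;

-- Page 25: a limit left as DEFAULT inherits the DEFAULT profile's value,
-- so the limit actually enforced is the last column below.
SELECT c.resource_name,
       c.limit AS clerk_limit,
       d.limit AS default_limit,
       DECODE(c.limit, 'DEFAULT', d.limit, c.limit) AS effective_limit
  FROM dba_profiles c, dba_profiles d
 WHERE c.profile       = 'CLERK'
   AND d.profile       = 'DEFAULT'
   AND c.resource_type = 'KERNEL'
   AND d.resource_name = c.resource_name
 ORDER BY c.resource_name;

-- Page 27: who is on the profile (new limits apply from their next session).
SELECT username, profile, account_status
  FROM dba_users
 WHERE profile = 'CLERK'
 ORDER BY username;
```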

Page 31: Managing Users and Their Roles: Profiles and Password Management

Profiles can also be used to manage passwords by:
  Controlling the number of failed login attempts
  Applying account locking between attempted logins
  Governing the lifetime of passwords
  Controlling warning periods for account expiration
  Limiting password reuse
  Using complex password management functions
This feature does not require Resource_Limit to be set to True

Page 32: Managing Users and Their Roles: Password Management

As part of a user's profile, you can specify:
  Failed_Login_Attempts
    Limits the number of failures allowed between successful logins
  Account_Lock_Time
    Number of days the account remains locked after the value of Failed_Login_Attempts is exceeded
  Password_Life_Time
    Number of days that the same password can be used
  Password_Grace_Time
    After the password expires, this is the number of days after the first successful login that the account remains accessible with the same password (the user receives a warning message)

Page 33: Managing Users and Their Roles: Password Management

  Password_Reuse_Time
    Time interval, in days, during which a password may not be reused
  Password_Reuse_Max
    Number of password changes before the current password can be reused
Password management is always in effect in Oracle8i and above

Page 34: Managing Users and Their Roles: Forcing Account Expiration

To expire an account in an interactive fashion (needs the ALTER USER system privilege):
  Alter User fred Password Expire;
To unlock an account:
  Alter User fred Account Unlock;
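As an added example (not from the slides) covering pages 31 to 34: password limits added to the clerk profile, read back from dba_profiles, then the expire and unlock statements with the dba_users columns that show their effect. The limit values are illustrative; the keyword Oracle accepts for what page 32 calls Account_Lock_Time is PASSWORD_LOCK_TIME.

```sql
-- Added example (not from the slides). Values are illustrative and chosen
-- to match the page-32 descriptions; CLERK is the page-23 profile and FRED
-- the page-34 user.
ALTER PROFILE clerk LIMIT
  FAILED_LOGIN_ATTEMPTS 5        -- lock after 5 failures between successful logins
  PASSWORD_LOCK_TIME    1/24     -- days locked; fractions allowed, so one hour
  PASSWORD_LIFE_TIME    90       -- days the same password may be used
  PASSWORD_GRACE_TIME   7        -- days of warnings after expiry before lock-out
  PASSWORD_REUSE_TIME   365      -- days before a password may come back, and
  PASSWORD_REUSE_MAX    10;      -- changes in between (the two interact; check
                                 -- the CREATE PROFILE reference for the release)

-- Page 31: these take effect without RESOURCE_LIMIT = TRUE.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'CLERK'
   AND resource_type = 'PASSWORD'
 ORDER BY resource_name;

-- Page 34: force a change at next logon, and clear a lock-out.
ALTER USER fred PASSWORD EXPIRE;
ALTER USER fred ACCOUNT UNLOCK;

-- The effect is visible in dba_users: ACCOUNT_STATUS reads OPEN, EXPIRED,
-- LOCKED or LOCKED(TIMED), with the matching dates alongside.
SELECT username, account_status, lock_date, expiry_date, profile
  FROM dba_users
 WHERE username = 'FRED';
```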

Page 35: Managing Users and Their Roles: Password Complexity Verification Function

There is a supplied script in OracleHome/rdbms/admin (80% of usable scripts are located in this folder) called utlpwdmg.sql
This creates a function which performs the following checks on a new password:
  Length >= 4
  Not equal to userid
  Has at least one alpha, one numeric, and one punctuation mark
  Does not match simple words
  Distinct from previous password by at least three characters
DBAs can generate and use their own checking function script

Page 36: Managing Users and Their Roles: Information on Password Management

Use the user_password_limits table:
  Select *
  From user_password_limits;

Page 37: Managing Users and Their Roles: Monitoring Users and Sessions

Users can be monitored by using Enterprise Manager or by looking in the v$session table:
  Select sid, serial#, username
  From v$session;

Page 38: Managing Users and Their Roles: Killing Sessions

User sessions can sometimes be left running after becoming inactive, or need killing because of long-running queries in a hung situation
Killing a user session involves identifying the details in v$session
Issue the Alter System Kill Session statement:
  Alter System Kill Session '9,17';
Sessions can be disconnected with Enterprise Manager also
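An added example (not from the slides) of the v$session work behind pages 37 and 38: find user sessions that have sat INACTIVE for over an hour, build the 'sid,serial#' argument the slide's statement takes, and confirm the result. The one-hour threshold is a constructed policy value.

```sql
-- Added example (not from the slides). The 3600-second threshold is a
-- constructed policy value; '9,17' is the sid,serial# pair from page 38.

-- Candidates: user sessions (USERNAME is NULL for background processes)
-- that have been INACTIVE with no call for over an hour. LAST_CALL_ET is
-- seconds since the session's last SQL call; for an ACTIVE session it is
-- instead how long the current call has been running.
SELECT sid, serial#, username, osuser, machine, program,
       TO_CHAR(logon_time, 'DD-MON-YYYY HH24:MI') AS logged_on,
       ROUND(last_call_et / 60) AS idle_minutes,
       '''' || sid || ',' || serial# || '''' AS kill_argument
  FROM v$session
 WHERE username IS NOT NULL
   AND status = 'INACTIVE'
   AND last_call_et > 3600
 ORDER BY last_call_et DESC;

-- Both numbers are required: SERIAL# changes each time a SID is reused,
-- so the pair pins down one particular session and not its successor.
ALTER SYSTEM KILL SESSION '9,17';

-- The row stays visible with STATUS = 'KILLED' until the client's next
-- call lets the server process finish cleaning up.
SELECT sid, serial#, username, status
  FROM v$session
 WHERE sid = 9;
```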

Page 39: Managing Users and Their Roles: Maintaining Privileges and Roles

Oracle has two main types of privileges:
  System: statement-level privileges (Big Time)
  Object: single-object privileges (Small Time)
System-level privileges control the use of DDL statements:
  Creation, alteration, and removal of objects
  Connecting to the database
  Execution of DBA functions
Object-level privileges provide access to database objects:
  Selection from a table
  Update of view information
  Execution of stored procedure code

Page 40

Managing Users and Their Roles
System Privileges

Oracle has over 100 system privileges:
- This allows precise specification of what users can and cannot do
- However, the security strategy can become complex to manage

System privileges convey much power to the recipients.

Careful planning is required before granting such privileges. The syntax is simple:

Grant system_privilege_name To username;

Page 41

Managing Users and Their Roles
System Privileges

If a user needs to create tables, issue the following:

Grant Create Table To fred;

Fred can now create tables in the fred schema.

System privileges are granted only by DBAs or by users with the GRANT ANY PRIVILEGE system privilege. To audit the system privileges granted to users, query dba_sys_privs.

Page 42

Managing Users and Their Roles
Managing System Privileges

System privileges may be granted with the ADMIN OPTION:

Grant Alter Any Table To smith With Admin Option;

This allows smith to alter the structure of any table in any user schema and to pass this privilege on to any other user.

When smith logs in, he or she can issue the following:

Grant Alter Any Table To brown [With Admin Option];

Page 43

Managing Users and Their Roles
Managing System Privileges

System privileges may be removed from users:

Revoke system_privilege_name From username;
Revoke Alter Any Table From smith;

Brown will still be able to change any user's tables, as this only affects smith.
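An added example (not the slides' own code) tying the preceding three slides together: the grants, the dba_sys_privs check, and the revoke that does not cascade. Users fred, smith and brown are the slides' sample accounts and are assumed to exist already.

```sql
-- Added example; fred, smith and brown are assumed to exist already.
GRANT CREATE TABLE TO fred;                        -- fred may create tables in schema FRED
GRANT ALTER ANY TABLE TO smith WITH ADMIN OPTION;  -- smith may also pass the privilege on

-- Run while connected as smith: pass it on without ADMIN OPTION
GRANT ALTER ANY TABLE TO brown;

-- Audit: who holds ALTER ANY TABLE, and who can re-grant it?
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'ALTER ANY TABLE'
 ORDER BY grantee;
-- Expected: BROWN / NO and SMITH / YES, plus built-in grantees such as the DBA role

-- Revoking from smith does NOT cascade to brown (unlike object privileges
-- passed on WITH GRANT OPTION), so brown must be revoked separately.
REVOKE ALTER ANY TABLE FROM smith;
REVOKE ALTER ANY TABLE FROM brown;

-- Least-privilege review: "ANY" privileges granted directly to user accounts
-- rather than to roles.  DBA_USERS.ORACLE_MAINTAINED exists from 12c onward;
-- drop that condition on older releases.
SELECT p.grantee, p.privilege, p.admin_option
  FROM dba_sys_privs p
  JOIN dba_users u ON u.username = p.grantee
 WHERE p.privilege LIKE '%ANY%'
   AND u.oracle_maintained = 'N'
 ORDER BY p.grantee, p.privilege;
```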

Page 44

Managing Users and Their Roles
Object Privileges

Object privileges are a mechanism to allow users access to specific database objects:
- By default, only the user who owns a database object can perform any kind of activity or change on it
- The owner has the full set of access rights on the object
- Other users must be granted object privileges

Grant Update On student To fred;

Page 45

Managing Users and Their Roles
Security of Tables

There are eight object privileges on tables:

ALTER              May perform DDL on the table
DELETE             Remove whole records (rows)
INDEX              Create indexes based on the table
INSERT [Columns]   Insert new rows into the table. If columns are specified, only those columns may receive data.
REFERENCES         Reference the table for integrity purposes
SELECT             Query any data (all columns) in the table
UPDATE [Columns]   Update any data in the table. If columns are specified, only those columns may be updated.
ALL                All of the above may be performed

Page 46

Managing Users and Their Roles
Granting Access to Tables

Issue the GRANT statement:

Grant privilege(s) On object
To user(s) | role(s) | Public
[With Grant Option]

Object privileges cannot be granted along with system privileges and roles in the same GRANT statement.

Oracle knows the nature of the object specified in the GRANT statement because all objects owned by a user must have unique names.

Page 47

Managing Users and Their Roles
Useful Dictionary Views

dba_tab_privs          Shows details of all table privileges in the database
dba_col_privs          Shows details of all column privileges
user_col_privs_recd    What column privileges I received
user_col_privs_made    What column privileges I created
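An added example (not from the slides) for the column-level INSERT and UPDATE privileges of the Security of Tables slide and the dictionary views listed above; the owner REGISTRAR of the slides' STUDENT table and its column names are assumed.

```sql
-- Added example.  REGISTRAR owns STUDENT (student_id, name, grade, status);
-- the owner and column names are assumed sample values.

-- As registrar: table-level read for everyone, column-restricted writes for fred
GRANT SELECT ON student TO PUBLIC;
GRANT UPDATE (grade, status) ON student TO fred;
GRANT INSERT (student_id, name, grade) ON student TO fred;

-- As fred: allowed, since only a listed column changes
UPDATE registrar.student SET grade = 'B' WHERE student_id = 1001;
-- As fred: fails with insufficient privileges, NAME is not in fred's UPDATE list
-- UPDATE registrar.student SET name = 'x' WHERE student_id = 1001;

-- As fred: what column privileges did I receive?
SELECT owner, table_name, column_name, privilege, grantable
  FROM user_col_privs_recd
 ORDER BY table_name, column_name, privilege;

-- As registrar: what column privileges did I create?
SELECT grantee, table_name, column_name, privilege
  FROM user_col_privs_made;

-- As a DBA: every grant on STUDENT, table-level and column-level together.
-- Note the PUBLIC row: it is what a later per-user REVOKE will not remove.
SELECT grantee, privilege, grantable,
       CAST(NULL AS VARCHAR2(128)) AS column_name
  FROM dba_tab_privs
 WHERE owner = 'REGISTRAR' AND table_name = 'STUDENT'
UNION ALL
SELECT grantee, privilege, grantable, column_name
  FROM dba_col_privs
 WHERE owner = 'REGISTRAR' AND table_name = 'STUDENT'
 ORDER BY grantee, column_name NULLS FIRST, privilege;
```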

Page 48

Managing Users and Their Roles
Revoking Privileges

Revoke all privileges on an object from a user:

Revoke All On student From fred;

Privileges can be revoked individually also.

If a table is being referenced by foreign keys built on it using the References privilege, the CASCADE CONSTRAINTS option is needed:

Revoke All On company From fred Cascade Constraints;

This removes any foreign key constraints created by fred on other tables.

Beware of PUBLIC grants: revoking privileges does not always guarantee a denial if a user has publicly granted privileges.

Page 49

Managing Users and Their Roles
Revoking Privileges Granted with the Grant Option

Example:
- John granted Mary the GRANT OPTION privilege
- Mary granted Steve and Marc a privilege
- John wishes to revoke Mary's privileges

Revoke Select On instructor From mary;

- The effect is immediate
- This revokes Steve and Marc's privileges also
- This is different from system privileges that use the ADMIN OPTION
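An added example (not from the slides) walking through the John/Mary/Steve/Marc chain above together with the two caveats of the previous slide, PUBLIC grants and CASCADE CONSTRAINTS. The INSTRUCTOR and COMPANY tables are assumed to be owned by john, and fred's EMPLOYEE table is constructed for the foreign key.

```sql
-- Added example.  john owns INSTRUCTOR and COMPANY (assumed); the users exist.

-- As john:
GRANT SELECT ON instructor TO mary WITH GRANT OPTION;
-- As mary:
GRANT SELECT ON instructor TO steve;
GRANT SELECT ON instructor TO marc;

-- The GRANTOR column exposes the chain (as a DBA):
SELECT grantee, grantor, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'JOHN' AND table_name = 'INSTRUCTOR';
-- MARY (grantor JOHN, grantable YES); STEVE and MARC (grantor MARY, grantable NO)

-- As john: one statement removes all three rows, because object privileges
-- passed on WITH GRANT OPTION cascade on revoke.  A system privilege passed
-- on WITH ADMIN OPTION would have left STEVE and MARC untouched.
REVOKE SELECT ON instructor FROM mary;

-- Caveat 1: a PUBLIC grant outlives any per-user revoke.  Had john ever run
--   GRANT SELECT ON instructor TO PUBLIC;
-- mary, steve and marc would all still read INSTRUCTOR after the revoke above.
-- Check for such grants before assuming access has been denied:
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'JOHN' AND grantee = 'PUBLIC';

-- Caveat 2: REFERENCES and foreign keys.  As john:
GRANT REFERENCES ON company TO fred;
-- As fred, using the privilege (constructed table):
CREATE TABLE employee (
  emp_id     NUMBER PRIMARY KEY,
  company_id NUMBER,
  CONSTRAINT fk_employee_company
    FOREIGN KEY (company_id) REFERENCES john.company (company_id)
);
-- As john: a plain REVOKE now fails (ORA-01981: CASCADE CONSTRAINTS must be
-- specified); this form drops fred's foreign key and then revokes.
REVOKE REFERENCES ON company FROM fred CASCADE CONSTRAINTS;

-- Confirm the constraint is gone: no rows expected.
SELECT constraint_name
  FROM dba_constraints
 WHERE owner = 'FRED' AND table_name = 'EMPLOYEE' AND constraint_type = 'R';
```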

Page 50

Managing Users and Their Roles
Managing Privileges with Roles

The complexity of privilege management can be reduced by using roles to group system and object privileges for easier control. Benefits of using roles:
- Reduce privilege administration by allowing a cohesive set of privileges to be granted to users through one role grant
- Ease of maintenance: changing privileges for a role affects all users in the role
- Privileges lost when an object is dropped need to be re-granted only to the role when the object is re-created
- Can allow ad hoc or preprogrammed access to tables through selective control of role availability

Page 51

Managing Users and Their Roles
User and Application Roles

The recommendation is to define:
- Application roles
  - Functional areas
- User roles

This allows you to:
- Grant application roles to users' roles rather than granting individual privileges
- Grant both user roles and application roles to users

Roles do not belong to a schema (or user). Creation of a role puts the creator in the role with the ADMIN OPTION.

Page 52

Managing Users and Their Roles
Creating and Granting Roles

Use the CREATE ROLE statement. Roles can be created by users with the CREATE ROLE system privilege:

Create Role cashiers;

Grant roles to users or to other roles:

Grant cashiers To fred;
Grant cashiers To managers;

The cashiers role is now granted to the managers role (a functional role).

To grant a role, you must have the GRANT ANY ROLE system privilege or have been granted the role with the ADMIN OPTION.

Page 53

Managing Users and Their Roles
Revoking Roles

Roles are revoked in the same way as system privileges:

Revoke cashiers From fred;

This immediately disables any activity allowed by the role.

To selectively revoke the ADMIN OPTION only, the system privilege (or role) must be revoked and then re-granted without the ADMIN OPTION.

Beware of revoking from (and granting to) PUBLIC: it causes large numbers of dependency-tracking compilations.

Page 54

Managing Users and Their Roles
Pre-Created Roles in Oracle

Look in dba_roles for these roles. Dictionary information on roles:

Role_sys_privs    System privileges granted to roles
Role_tab_privs    Object-level privileges granted to roles
Role_role_privs   Roles granted to other roles
Session_roles     Roles currently enabled for the user
Session_privs     Privileges currently available
User_role_privs   Roles granted to the user
Dba_sys_privs     System privileges directly granted to users and roles
Dba_roles         All roles in the database
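An added example (not the slides' own code) covering the three role slides above: the CASHIERS and MANAGERS roles, user fred, and the role dictionary views; the SALES table and its owner SHOP are assumed.

```sql
-- Added example.  SHOP.SALES (with a DISCOUNT column) is an assumed table.
CREATE ROLE cashiers;
CREATE ROLE managers;

-- Privileges are granted to the roles, not to individual users
GRANT CREATE SESSION TO cashiers;                    -- system privilege
GRANT SELECT, INSERT ON shop.sales TO cashiers;      -- object privileges
GRANT UPDATE (discount) ON shop.sales TO managers;   -- column privilege

-- Role hierarchy: managers inherit everything cashiers may do
GRANT cashiers TO managers;
GRANT managers TO fred;

-- As a DBA: what does each role carry?
SELECT role, privilege, admin_option
  FROM role_sys_privs  WHERE role IN ('CASHIERS', 'MANAGERS');
SELECT role, owner, table_name, column_name, privilege
  FROM role_tab_privs  WHERE role IN ('CASHIERS', 'MANAGERS');
SELECT role, granted_role
  FROM role_role_privs WHERE role = 'MANAGERS';        -- MANAGERS -> CASHIERS

-- As fred, after logging in: granted roles, then what is effective right now
SELECT granted_role, admin_option, default_role FROM user_role_privs;  -- MANAGERS
SELECT role FROM session_roles;       -- MANAGERS and, through it, CASHIERS
SELECT privilege FROM session_privs;  -- includes CREATE SESSION via CASHIERS

-- Maintenance win: if SHOP.SALES is dropped and re-created, its grants are
-- lost; one re-grant to the role restores them for every member at once
GRANT SELECT, INSERT ON shop.sales TO cashiers;

-- Removing fred from the role hierarchy
REVOKE managers FROM fred;
```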

Page 55

Managing Users and Their Roles
Questions?

