Accounts privileges, users and roles
Download
Report
Transcript Accounts privileges, users and roles
System Administration
Accounts
privileges, users and roles
What Is a User Account?
• A user account is identified by a user name
and defines the user's attributes, including the
following:
– Password for database authentication
– Privileges and roles
– Default tablespace for database objects
– Default temporary tablespace for query
processing work space
What Is the Relation of a User
Account and a Schema?
• User accounts and schemas have a one-to-one
relation.
• When you create a user, you are also implicitly
creating a schema for that user. A schema is a
logical container for the database objects
(such as tables, views, triggers, and so on) that
the user creates.
• The schema name is the same as the user
name, and can be used to unambiguously
refer to objects owned by the user.
What Are Internal User Account?
• An internal user account is a system predefined user account. Oracle 11g
comes with a number of internal accounts:
– SYSTEM - This is the user account that you log in with to perform all administrative
functions other than starting up and shutting down the database. SYSTEM is
automatically created when you install the server. It's password is the one you specified
during the installation process.
– SYS - This is another user account automatically created when you install the server. It's
password is the one you specified during the installation process. All base tables and
views for the database data dictionary are stored in the SYS schema. So avoid log in as
user SYS as much as possible to reduce the risk of damaging those important data
objects. User SYSTEM is preferred for all administrative tasks except starting up and
shutting down.
– Other internal user accounts - Other special user accounts are predefined for special
purposes. For example, CTXSYS is a special user account used by the Oracle Text product.
– Public account?
How To List All User Accounts?
• User accounts can be accessed through a
system view called ALL_USERS. A simple
SELECT statement can be used to get a list of
all user accounts.
How To Create a New User
Account?
• If you want to create a new user account, you
can log in as SYSTEM and use the CREATE
USER command as shown in the following
example:
• CREATE USER DEV IDENTIFIED BY developer
ACCOUNT UNLOCK;
How To Change User Password?
• If you want to change a user's password, you
can log in as SYSTEM and use the ALTER USER
command as shown in the following example:
• ALTER USER DEV IDENTIFIED BY beginner;
How To Delete a User Account?
• If you want to delete a user account and its
associated schema, you can log in as SYSTEM
and use the DROP USER command as shown
in the following example:
• DROP USER DEV CASCADE;
– Note that CASCADE tells the server drop the
associated schema.
What is a privilege?
• A privilege is a right
– to execute an SQL statement or to access another
user's object.
• A privileges can be assigned to a user or a role
• The set of privileges is predefined and fixed,
but grantable and revocable.
Two Types of Privileges
•
SYSTEM PRIVILEGES
– System Privileges are normally granted by a DBA to users. Examples of
system privileges are CREATE SESSION, CREATE TABLE, CREATE USER
etc.
– Usually about DDL
– System privileges are privileges that do not relate to a specific schema
or object.
• OBJECT PRIVILEGES
– Object privileges means privileges on objects such as tables, views,
synonyms, procedure. These are granted by owner of the object.
– Usually about DML.
– Owner already create an object, he can further decide who can
manipulate it.
– Create index is not a privilege (subtle, do not need to know, you will
see it why when you are a DBA.)
A List of Object Privileges are
granted by an owner
•
•
•
•
•
•
•
ALTER
– Change the table definition with the ALTER TABLE statement.
DELETE
– Remove rows from the table with the DELETE statement. You must grant the SELECT
privilege on the table along with the DELETE privilege.
INDEX
– Create an index on the table with the CREATE INDEX statement.
INSERT
– Add new rows to the table with the INSERT statement.
REFERENCES
– Create a constraint that refers to the table. You cannot grant this privilege to a role.
SELECT
– Query the table with the SELECT statement.
UPDATE
– Change data in the table with the UPDATE statement. You must grant the SELECT
privilege on the table along with the UPDATE privilege
• Suppose you want to grant all privileges on
employee table to robit. Then
grant all on employee to robi;
• Suppose you want to grant select privilege on
employee to all other users of the database.
Then
grant select on employee to public;
Column level priviledges
• As the owner of a table, you can control at column level at which you
specify which columns are manipulatable by other schema owners.
• Suppose you want to grant update and insert privilege on only certain
columns not on all the columns then include the column names in grant
statement.
• For example you want to grant update privilege on ename column only
and insert privilege on empno and ename columns only. Then give the
following statement
•
grant update (ename),insert (empno, ename) on emp to sami;
• To grant select statement on emp table to sami and to make sami be able
further pass on this privilege you have to give WITH GRANT OPTION clause
in GRANT statement like this.
•
grant select on emp to sami with grant option;
Subtle issues
• Owner of a table can always create indexes on
it, this is Not a privilege can be revoked by
admin.
• But owner can give create index priviledge to
other users to allow them to create index on
his tables.
• Also, admin can do is to grant create any index
to a user to allow him to create any index in
any user’s schema.
Data Control Language (DCL)
Statements
• Data Control Language Statements are used to
grant privileges on tables, views, sequences,
synonyms, procedures to other users or roles.
• The DCL statements are
– GRANT
:Use to grant privileges to other users
or roles.
– REVOKE
:Use to take back privileges granted to
other users and roles.
What Privilege Is Needed for a
User to Connect to Oracle Server?
• Oracle deny connection to users who has no
CREATE SESSION privilege. Try the following
tutorial exercise, you will find out how Oracle
denies connection:
• CREATE USER DEV IDENTIFIED BY developer
ACCOUNT UNLOCK;
• user DEV lacks CREATE SESSION privilege;
logon denied Oracle error message is pretty
clear.
How To Revoke CREATE SESSION
Privilege from a User?
• If you take away the CREATE SESSION privilege
from a user, you can use the REVOKE
command as shown in the following example
script:
• REVOKE CREATE SESSION FROM dev;
Privileges
• A privilege is a right to execute an SQL
statement or to access another user’s object.
– System privileges
– Object privileges
• A privilege can be assigned to a user a role
• Granting Oracle System Level Privileges
• The grant command is used to grant system
level privileges. System level privileges are
those privileges that you need to actually do
something on the system.
WITH ADMIN OPTION
• Sometime you want to grant privileges to users and
have them be able to grant those privileges to other
users.
• When this is the case, we include the with admin
keyword in the grant command. When this keyword
is used, it will allow the user granted the privilege to
grant that privilege to other users. Here is an
example of the usage of the with admin option
keyword.
• GRANT CREATE ANY INDEX TO Robert WITH ADMIN
OPTION;
What Privilege Is Needed for a
User to Create Tables?
• To be able to create tables in a user's own
schema, the user needs to have the CREATE
TABLE privilege, or the CREATE ANY TABLE
privilege, which is more powerful, and allows
the user to create tables in other user's
schema.
How To Assign a Tablespace to a
Users?
• When you create a new user, Oracle will
assign the SYSTEM tablespace to the user by
default.
• If you want to change this, you can assign a
different table space to a user using the ALTER
USER command.
How To Find Out What Privileges a
User Currently Has?
• Privileges granted to users are listed in two
system views:
– DBA_SYS_PRIVS
– USER_SYS_PRIVS.
• You can find out what privileges a user
currently has by running a query on those
views as shown in the tutorial exercise below:
• SELECT username, privilege FROM
USER_SYS_PRIVS;
LISTING INFORMATION ABOUT PRIVILEGES
• To see which table privileges are granted by you to other users.
– SELECT * FROM USER_TAB_PRIVS_MADE
• To see which table privileges are granted to you by other users
– SELECT * FROM USER_TAB_PRIVS_RECD;
• To see which column level privileges are granted by you to other users.
– SELECT * FROM USER_COL_PRIVS_MADE
• To see which column level privileges are granted to you by other users
•
• SELECT * FROM USER_COL_PRIVS_RECD;
•
• To see which privileges are granted to roles
•
• SELECT * FROM USER_ROLE_PRIVS;
What Is a User Role?
• A user role is a group of privileges. Privileges
are assigned to users through user roles. You
create new roles, grant privileges to the roles,
and then grant roles to users.
ROLES
•
•
•
A role is a designed for a category users who share a group of Privileges.
A role is very handy in managing privileges, Particularly in such situation when number of users should
have the same set of privileges. For example you have four users :Sami, Scott, Ashi, Tanya in the database.
To these users you want to grant select ,update privilege on emp table, select,delete privilege on dept
table. To do this first create a role by giving the following statement
–
•
•
Then grant privileges to this role.
grant select,update on emp to clerks;
–
•
•
•
•
•
•
•
•
•
•
•
create role clerks
grant select,delete on dept to clerks;
Now grant this clerks role to users like this
grant clerks to sami, scott, ashi, tanya ;
Now Sami, Scott, Ashi and Tanya have all the privileges granted on clerks role.
Suppose after one month you want grant delete on privilege on emp table all these users then just grant
this privilege to clerks role and automatically all the users will have the privilege.
grant delete on emp to clerks;
If you want to take back update privilege on emp table from these users just take it back from clerks role.
revoke update on emp from clerks;
To Drop a role
Drop role clerks;
What Are the System Predefined
User Roles?
• Oracle 11g comes with 3 predefined roles:
– CONNECT - Enables a user to connect to the database. Grant this role
to any user or application that needs database access.
– RESOURCE - Enables a user to create certain types of schema objects
in his own schema. Grant this role only to developers and to other
users that must create schema objects. This role grants a subset of the
create object system privileges.
– DBA - Enables a user to perform most administrative functions,
including creating users and granting privileges; creating and granting
roles; creating and dropping schema objects in other users' schemas;
and more. It grants all system privileges, but does not include the
privileges to start up or shut down the database. It is by default
granted to user SYSTEM.
• As a DBA, the best and most secure practice to
grant privileges is to always grant privileges
with caution and give Oracle users only what
they need.
• As a schema owner, grant privileges to other
users with caution and give them only what
they need within your grantable power.
• Some users, but hopefully only one or two,
should have the SYSDBA and/or SYSOPER
privileges.
• This can be determined from the
V$PWFILE_USERS view. This will tell you which
Oracle users have the above privileges.
Be careful!
• Depending on versions of Oracles, you may
get different group of privileges for different
default roles. For example, connect is a role
that has dramatically different default
priviledges between 9i and 10i.
• System privileges