13

Controlling User Access

Copyright © Oracle Corporation, 2001. All rights

 Objectives

After completing this lesson, you should be able to

do the following:
• Create users
• Create roles to ease setup and maintenance of the
security model
• Use the GRANT and REVOKE statements to grant
and revoke object privileges
• Create and access database links

13-2 Copyright © Oracle Corporation, 2001. All rights

 Controlling
Controlling User
User Access
Access

Database
administrator

Username and password

Privileges

Users

13-3 Copyright © Oracle Corporation, 2001. All rights

 Privileges

• Database security:
– System security
– Data security
• System privileges: Gaining access to the database
• Object privileges: Manipulating the content of the
database objects
• Schemas: Collections of objects, such as tables,
views, and sequences

13-4 Copyright © Oracle Corporation, 2001. All rights

 System Privileges

• More than 100 privileges are available.

• The database administrator has high-level system
privileges for tasks such as:
– Creating new users
– Removing users
– Removing tables
– Backing up tables

13-5 Copyright © Oracle Corporation, 2001. All rights

 Creating Users

The DBA creates users by using the CREATE USER

statement.

CREATE USER user

IDENTIFIED BY password;

CREATE
CREATE USER
USER scott
scott
IDENTIFIED
IDENTIFIED BY
BY tiger;
tiger;
User
User created.
created.

13-6 Copyright © Oracle Corporation, 2001. All rights

 User System Privileges

• Once a user is created, the DBA can grant specific

system privileges to a user.
GRANT
GRANT privilege
privilege [,
[, privilege...]
privilege...]
TO
TO user
user [,
[, user|
user| role,
role, PUBLIC...];
PUBLIC...];

• An application developer, for example, may have

the following system privileges:
– CREATE SESSION
– CREATE TABLE
– CREATE SEQUENCE
– CREATE VIEW
– CREATE PROCEDURE

13-7 Copyright © Oracle Corporation, 2001. All rights

 Granting System Privileges

The DBA can grant a user specific system privileges.

GRANT
GRANT create
create session,
session, create
create table,
table,
create
create sequence,
sequence, create
create view
view
TO
TO scott;
scott;
Grant
Grant succeeded.
succeeded.

13-8 Copyright © Oracle Corporation, 2001. All rights

 What
What is
is aa Role?
Role?

Users

Manager

Privileges

Allocating privileges Allocating privileges

without a role with a role

13-9 Copyright © Oracle Corporation, 2001. All rights

 Creating
Creating and
and Granting
Granting Privileges
Privileges to
to aa Role
Role

• Create a role
CREATE
CREATE ROLE
ROLE manager;
manager;
Role
Role created.
created.

• Grant privileges to a role

GRANT
GRANT create
create table,
table, create
create view
view
TO
TO manager;
manager;
Grant
Grant succeeded.
succeeded.
• Grant a role to users
GRANT
GRANT manager
manager TO
TO DEHAAN,
DEHAAN, KOCHHAR;
KOCHHAR;
Grant
Grant succeeded.
succeeded.

13-10 Copyright © Oracle Corporation, 2001. All rights

 Changing Your Password

• The DBA creates your user account and initializes

your password.
• You can change your password by using the
ALTER USER statement.

ALTER USER scott

IDENTIFIED BY lion;
User altered.

13-11 Copyright © Oracle Corporation, 2001. All rights

 Object
Object Privileges
Privileges

Object
Privilege Table View Sequence Procedure
ALTER 
DELETE 
EXECUTE 
INDEX 
INSERT 
REFERENCES 
SELECT 
UPDATE 

13-12 Copyright © Oracle Corporation, 2001. All rights

 Object Privileges

• Object privileges vary from object to object.

• An owner has all the privileges on the object.
• An owner can give specific privileges on that
owner’s object.

GRANT
GRANT object_priv
object_priv [(columns)]
[(columns)]
ON
ON object
object
TO
TO {user|role|PUBLIC}
{user|role|PUBLIC}
[WITH
[WITH GRANT
GRANT OPTION];
OPTION];

13-13 Copyright © Oracle Corporation, 2001. All rights

 Granting Object Privileges

• Grant query privileges on the EMPLOYEES table.

GRANT
GRANT select
select
ON
ON employees
employees
TO
TO sue,
sue, rich;
rich;
Grant
Grant succeeded.
succeeded.

• Grant privileges to update specific columns to

users and roles.
GRANT
GRANT update
update (department_name,
(department_name, location_id)
location_id)
ON
ON departments
departments
TO
TO scott,
scott, manager;
manager;
Grant
Grant succeeded.
succeeded.

13-14 Copyright © Oracle Corporation, 2001. All rights

 Using the WITH GRANT OPTION and
PUBLIC Keywords

• Give a user authority to pass along privileges.

GRANT
GRANT select,
select, insert
insert
ON
ON departments
departments
TO
TO scott
scott
WITH
WITH GRANT
GRANT OPTION;
OPTION;
Grant
Grant succeeded.
succeeded.

• Allow all users on the system to query data from

Alice’s DEPARTMENTS table.
GRANT
GRANT select
select
ON
ON alice.departments
alice.departments
TO
TO PUBLIC;
PUBLIC;
Grant
Grant succeeded.
succeeded.

13-15 Copyright © Oracle Corporation, 2001. All rights

 Confirming
Confirming Privileges
Privileges Granted
Granted
Data Dictionary View Description
ROLE_SYS_PRIVS System privileges granted to roles
ROLE_TAB_PRIVS Table privileges granted to roles
USER_ROLE_PRIVS Roles accessible by the user
USER_TAB_PRIVS_MADE Object privileges granted on the
user’s objects
USER_TAB_PRIVS_RECD Object privileges granted to the
user
USER_COL_PRIVS_MADE Object privileges granted on the
columns of the user’s objects
USER_COL_PRIVS_RECD Object privileges granted to the
user on specific columns
USER_SYS_PRIVS Lists system privileges granted to
the user

13-16 Copyright © Oracle Corporation, 2001. All rights

 How to Revoke Object Privileges

• You use the REVOKE statement to revoke privileges

granted to other users.
• Privileges granted to others through the WITH
GRANT OPTION clause are also revoked.

REVOKE
REVOKE {privilege
{privilege [,
[, privilege...]|ALL}
privilege...]|ALL}
ON
ON object
object
FROM
FROM {user[,
{user[, user...]|role|PUBLIC}
user...]|role|PUBLIC}
[CASCADE
[CASCADE CONSTRAINTS];
CONSTRAINTS];

13-17 Copyright © Oracle Corporation, 2001. All rights

 Revoking Object Privileges

As user Alice, revoke the SELECT and INSERT

privileges given to user Scott on the DEPARTMENTS
table.

REVOKE
REVOKE select,
select, insert
insert
ON
ON departments
departments
FROM
FROM scott;
scott;
Revoke
Revoke succeeded.
succeeded.

13-18 Copyright © Oracle Corporation, 2001. All rights

 Database Links

A database link connection allows local users to

access data on a remote database.

Local Remote

EMP Table

SELECT * FROM HQ_ACME.COM

emp@HQ_ACME.COM; database

13-19 Copyright © Oracle Corporation, 2001. All rights

 Database Links

• Create the database link.

CREATE
CREATE PUBLIC
PUBLIC DATABASE
DATABASE LINK
LINK hq.acme.com
hq.acme.com
USING
USING 'sales';
'sales';
Database
Database link
link created.
created.

• Write SQL statements that use the database link.

SELECT
SELECT **
FROM
FROM emp@HQ.ACME.COM;
emp@HQ.ACME.COM;

13-20 Copyright © Oracle Corporation, 2001. All rights

 Summary
Summary

In this lesson, you should have learned about DCL

statements that control access to the database and
database objects:
Statement Action
CREATE USER Creates a user (usually performed by
a DBA)
GRANT Gives other users privileges to
access the your objects
CREATE ROLE Creates a collection of privileges
(usually performed by a DBA)
ALTER USER Changes a user’s password
REVOKE Removes privileges on an object from
users

13-21 Copyright © Oracle Corporation, 2001. All rights

 Practice 13 Overview

This practice covers the following topics:

• Granting other users privileges to your table
• Modifying another user’s table through the
privileges granted to you
• Creating a synonym
• Querying the data dictionary views related to
privileges

13-22 Copyright © Oracle Corporation, 2001. All rights