Professional Documents
Culture Documents
11 User Management and Database Security PDF
11 User Management and Database Security PDF
: PPT/2K403/02
• Authenticating users
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Managing Users
3
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Direct Resource
privileges limits
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Database Schema
5
procedures, etc.
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
• Create a user.
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
OS_ OS_USER15
No
empty string USER15
““ No
OPS$ OPS$USER15
(default) (default) Yes
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
– Sqlplus /
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
ALTER
ALTERUSER
USERanil
anil
IDENTIFIED
IDENTIFIEDBY
BYhisgrandpa
hisgrandpa
PASSWORD
PASSWORDEXPIRE;
EXPIRE;
ALTER
ALTERUSER
USERanil
anil
IDENTIFIED
IDENTIFIEDBY
BYhisgrandpa
hisgrandpa
ACCOUNT
ACCOUNTLOCK
LOCK||UNLOCK;
UNLOCK;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
ALTER
ALTERUSER
USERanil
anil
QUOTA
QUOTA00ON
ONdata01;
data01;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Dropping a User
13
DROP
DROPUSER
USERanil;
anil;
DROP
DROPUSER
USERanil
anilCASCADE;
CASCADE;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Monitoring Users
14
DBA_USERS
DBA_USERS DBA_TS_QUOTAS
DBA_TS_QUOTAS
USERNAME
USERNAME USERNAME
USERNAME
USER_ID
USER_ID TABLESPACE_NAME
TABLESPACE_NAME
CREATED
CREATED BYTES
BYTES
ACCOUNT_STATUS
ACCOUNT_STATUS MAX_BYTES
MAX_BYTES
LOCK_DATE
LOCK_DATE BLOCKS
BLOCKS
EXPIRY_DATE
EXPIRY_DATE MAX_BLOCKS
MAX_BLOCKS
DEFAULT_TABLESPACE
DEFAULT_TABLESPACE
TEMPORARY_TABLESPACE
TEMPORARY_TABLESPACE
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
dba_users;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Profiles
17
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
1. Create profiles.
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
CREATE
CREATEPROFILE
PROFILEdeveloper_prof
developer_profLIMIT
LIMIT
SESSIONS_PER_USER
SESSIONS_PER_USER22
CPU_PER_SESSION
CPU_PER_SESSION10000
10000
IDLE_TIME
IDLE_TIME60
60
CONNECT_TIME
CONNECT_TIME480;
480;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Resource Description
CPU_PER_SESSION Total CPU time measured in
hundredths of seconds
SESSIONS_PER_USER Number of concurrent sessions
allowed for each username
CONNECT_TIME Elapsed connect time measured
in minutes
IDLE_TIME Periods of inactive time
measured in minutes
LOGICAL_READS_PER Number of data blocks (physical
_SESSION and logical reads)
PRIVATE_SGA Private space in the SGA
measured in bytes (for MTS
only)
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Resource Description
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Resource Parameter
22
• Composite_limit
– A composite limit is a sum of several of the resource parameters,
measured in service units.
– These resources are weighted by their importance.
– Oracle takes into account four parameters to compute a weighted
composite_limit:
• Cpu_per_session
• Connect_time
• Logical_reads_per_session
• Private_sga.
– You can set a weight for these four parameter by using the alter
resource cost statement.
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
CREATE
CREATEUSER
USERuser3
user3IDENTIFIED
IDENTIFIEDBY
BYuser3
user3
DEFAULT
DEFAULTTABLESPACE
TABLESPACEdata01
data01
TEMPORARY
TEMPORARYTABLESPACE
TABLESPACEtemptemp
QUOTA
QUOTAunlimited
unlimitedON
ONdata01
data01
PROFILE
PROFILEdeveloper_prof;
developer_prof;
ALTER
ALTERUSER
USERscott
scott
PROFILE
PROFILEdeveloper_prof;
developer_prof;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
ALTER
ALTERSYSTEM
SYSTEMSET
SETRESOURCE_LIMIT=TRUE;
RESOURCE_LIMIT=TRUE;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Altering a Profile
25
ALTER
ALTERPROFILE
PROFILEdefault
defaultLIMIT
LIMIT
SESSIONS_PER_USER
SESSIONS_PER_USER55
CPU_PER_CALL
CPU_PER_CALL3600
3600
IDLE_TIME
IDLE_TIME30;
30;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Dropping a Profile
26
DROP
DROPPROFILE
PROFILEdeveloper_prof;
developer_prof;
DROP
DROPPROFILE
PROFILEdeveloper_prof
developer_profCASCADE;
CASCADE;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
DBA_USERS DBA_PROFILES
- profile - profile
- username - resource_name
- resource_type
(KERNEL)
- limit
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Password Management
28
Password Account
history locking
User Setting up
profiles
Password Password
expiration verification
and aging
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
them to users.
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
CREATE
CREATEPROFILE
PROFILEgrace_5
grace_5LIMIT
LIMIT
FAILED_LOGIN_ATTEMPTS
FAILED_LOGIN_ATTEMPTS33
PASSWORD_LIFE_TIME
PASSWORD_LIFE_TIME30
30
PASSWORD_REUSE_TIME
PASSWORD_REUSE_TIME30 30
PASSWORD_VERIFY_FUNCTION
PASSWORD_VERIFY_FUNCTIONverify_function
verify_function
PASSWORD_GRACE_TIME
PASSWORD_GRACE_TIME5;
5;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Password Settings
31
Parameter Description
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Parameter Description
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
function_name(
function_name(
userid_parameter
userid_parameterIN
INVARCHAR2(30),
VARCHAR2(30),
password_parameter
password_parameterIN
INVARCHAR2(30),
VARCHAR2(30),
old_password_parameter
old_password_parameterIN
INVARCHAR2(30))
VARCHAR2(30))
RETURN
RETURNBOOLEAN
BOOLEAN
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
password by at least
Password
three letters verification
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
• DBA_USERS
– profile
– username
– account_status
– lock_date
– expiry_date
• DBA_PROFILES
– profile
– resource_name
– resource_type (PASSWORD)
– limit
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
• Before you can modify an old plan or create a new plan, you
need to activate or create a pending area using the Database
Resource Manager package.
• All resource plans created will be stored in the data dictionary.
SQL>
SQL>execute
executedbms_resource_manager.create_pending_area;
dbms_resource_manager.create_pending_area;
PL/SQL
PL/SQLprocedure
proceduresuccessfully
successfullycompleted.
completed.
SQL>
SQL>execute
executedbms_resource_manager.clear_pending_area;
dbms_resource_manager.clear_pending_area;
PL/SQL
PL/SQLprocedure
proceduresuccessfully
successfullycompleted.
completed.
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
SQL>
SQL>SELECT
SELECTconsumer_group,
consumer_group,status
statusFROM
FROM
dba_rscr_consumer_groups;
dba_rscr_consumer_groups;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
• Other_groups
– This isn’t really a group, because you can’t assign users to it.
– When a resource plan is active, other_groups is the catchall term
for all sessions that don’t belong to this active resource plan.
• Default_consumer_groups
– If you don’t assign users to any group, they will, by default,
become members of the default group.
• Sys_group and low_group
– These are part of the default system_plan that exists in every
database.
– Oracle supplies three plans for each database
• SYSTEM_PLAN : Plan to give system sessions priority.
• INTERNAL_QUIESCE : Plan to internally quiesce system.
• INTERNAL_PLAN : Plan to give system sessions priority
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
• Once you create the groups, you can then validate your
pending area.
• Once the changes are accepted as being correct, you can
submit the changes through the Database Resource Manager.
SQL>
SQL>execute
executedbms_resource_manager.validate_pending_area;
dbms_resource_manager.validate_pending_area;
PL/SQL
PL/SQLprocedure
proceduresuccessfully
successfullycompleted.
completed.
SQL>
SQL>execute
executedbms_resource_manager.submit_pending_area;
dbms_resource_manager.submit_pending_area;
PL/SQL
PL/SQLprocedure
proceduresuccessfully
successfullycompleted.
completed.
SQL>
SQL>select
selectconsumer_group,
consumer_group,status
statusfrom
from
dba_rsrc_consumer_groups;
dba_rsrc_consumer_groups;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
SQL>
SQL>execute
executedbms_resource_manager.create_pending_area;
dbms_resource_manager.create_pending_area;
PL/SQL
PL/SQLprocedure
proceduresuccessfully
successfullycompleted.
completed.
SQL>
SQL>execute
executedbms_resource_manager.create_plan
dbms_resource_manager.create_plan((plan
plan=>
=>
‘membership_plan’,
‘membership_plan’,comment
comment=>
=>‘New
‘NewMembership
Membership
Recruitment’);
Recruitment’);
PL/SQL
PL/SQLprocedure
proceduresuccessfully
successfullycompleted.
completed.
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
SQL>
SQL>execute
executedbms_resource_manager.create_plan_directive
dbms_resource_manager.create_plan_directive
(plan
(plan=>
=>‘membership_plan’,
‘membership_plan’,GROUP_OR_SUBPLAN
GROUP_OR_SUBPLAN=> =>
‘local’,
‘local’,COMMENT
COMMENT=>=>‘LOCAL
‘LOCALGROUP’,
GROUP’,CPU_P1
CPU_P1=>=>70);
70);
SQL>
SQL>execute
executedbms_resource_manager.create_plan_directive
dbms_resource_manager.create_plan_directive
(plan
(plan=>
=>‘membership_plan’,
‘membership_plan’,GROUP_OR_SUBPLAN
GROUP_OR_SUBPLAN=> =>
‘REGIONAL’,
‘REGIONAL’,COMMENT
COMMENT=> =>‘regional
‘regionalgroup’,
group’,CPU_P1
CPU_P1=>
=>30);
30);
SQL>
SQL>execute
executedbms_resource_manager.create_plan_directive
dbms_resource_manager.create_plan_directive
(plan
(plan=>
=>‘membership_plan’,
‘membership_plan’,GROUP_OR_SUBPLAN
GROUP_OR_SUBPLAN=> =>
‘national’,
‘national’,COMMENT
COMMENT=>=>‘NATIONAL
‘NATIONALGROUP’,
GROUP’,CPU_P2
CPU_P2=> =>100);
100);
SQL>
SQL>execute
executedbms_resource_manager.create_plan_directive
dbms_resource_manager.create_plan_directive
(plan
(plan=>
=>'membership_plan',
'membership_plan',GROUP_OR_SUBPLAN
GROUP_OR_SUBPLAN=> =>
'OTHER_GROUPS',
'OTHER_GROUPS',comment
comment=> =>'Default
'Defaultplan',CPU_P3
plan',CPU_P3=>
=>100);
100);
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
• You can now validate and submit your new top-level plan,
membership_plan.
• Determining the status of the Resource Plans from
dba_rsrc_plan_directives
SQL>
SQL>execute
executedbms_resource_manager.validate_pending_area;
dbms_resource_manager.validate_pending_area;
PL/SQL
PL/SQLprocedure
proceduresuccessfully
successfullycompleted.
completed.
SQL>
SQL>execute
executedbms_resource_manager.submit_pending_area;
dbms_resource_manager.submit_pending_area;
PL/SQL
PL/SQLprocedure
proceduresuccessfully
successfullycompleted.
completed.
SQL>
SQL>select
selectplan,
plan,group_or_subplan,
group_or_subplan,cpu_p1,
cpu_p1,cpu_p2,cpu_p3,
cpu_p2,cpu_p3,status
status
from
fromdba_rsrc_plan_directives;
dba_rsrc_plan_directives;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
SQL
SQLselect
select**from
fromv$rsrc_plan;
v$rsrc_plan;
SQL>
SQL>select
selectname,
name,active_sessions,
active_sessions,cpu_wait_time,
cpu_wait_time,
consumed_cpu_time,
consumed_cpu_time,
current_undo_consumption
current_undo_consumptionfrom
fromv$rsrc_consumer_group;
v$rsrc_consumer_group;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Managing Privileges
53
database
object
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
System Privileges
54
users.
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Category Examples
INDEX CREATE ANY INDEX, ALTER ANY INDEX
DROP ANY INDEX
TABLE CREATE TABLE (includes dropping privilege, create index)
CREATE ANY TABLE, ALTER ANY TABLE
DROP ANY TABLE (need this for truncating)
SELECT ANY TABLE, UPDATE ANY TABLE
DELETE ANY TABLE
SESSION CREATE SESSION (need this to do anything)
ALTER SESSION
RESTRICTED SESSION(when db in restricted mode)
TABLESPACE CREATE TABLESPACE
ALTER TABLESPACE
DROP TABLESPACE
UNLIMITED TABLESPACE
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
GRANT
GRANTCREATE
CREATESESSION,
SESSION,CREATE
CREATETABLE
TABLETO
TOuser1;
user1;
GRANT
GRANTCREATE
CREATESESSION
SESSIONTOTOscott
scott
WITH
WITHADMIN
ADMINOPTION;
OPTION;(enables
(enablesscott
scottto
togrant
grantthe
theprivilege
privilege
or
orrole
roleto
toother
otherusers
usersor
orroles)
roles)
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Category Examples
SYSOPER STARTUP
SHUTDOWN
ALTER DATABASE OPEN | MOUNT
ALTER DATABASE BACKUP CONTROLFILE
ALTER TABLESPACE BEGIN/END BACKUP
RECOVER DATABASE,
ALTER DATABASE ARCHIVELOG
RESTRICTED SESSION
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
• User SYS:
– Owner of data dictionary, can make changes
– Granted SYSOPER and SYSDBA roles
– Can start and shutdown database
• User STSTEM:
– Not granted SYSOPER and SYSDBA roles
– Cannot start/shutdown database
– Cannot modify data dictionary
– Safer to be SYSTEM than SYS
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
• Set REMOTE_LOGIN_
PASSWORD_FILE=EXCLUSIVE.
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
• O7_DICTIONARY_ACCESSIBILITY = TRUE
keyword
– Defaults to TRUE
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
REVOKE
REVOKECREATE
CREATETABLE
TABLEFROM
FROMuser1;
user1;
(can
(canREVOKE
REVOKEprivileges
privilegesgranted
grantedwith
withGRANT
GRANTcommand)
command)
REVOKE
REVOKECREATE
CREATESESSION
SESSIONFROM
FROMscott;
scott;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
GRANT
(doesn’t
cascade)
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
RESULT
DBA USER 1 SCOTT
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Object Privileges
65
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
GRANT
GRANTEXECUTE
EXECUTEON
ONdbms_pipe
dbms_pipeTO
TOpublic;
public;
GRANT
GRANTUPDATE(ename,sal)
UPDATE(ename,sal)ON
ONemp
empTO
TOuser1
user1
WITH
WITHGRANT
GRANTOPTION;
OPTION;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
DBA_TAB_PRIVS DBA_COL_PRIVS
GRANTEE GRANTEE
OWNER OWNER
TABLE_NAME TABLE_NAME
GRANTOR COLUMN_NAME
PRIVILEGE GRANTOR
GRANTABLE PRIVILEGE
GRANTABLE
REVOKE
REVOKEexecute
executeON
ONdbms_pipe
dbms_pipeFROM
FROMscott;
scott;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
GRANT
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
RESULT
SCOTT USER 1 USER 2
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Roles
71
– May be enabled/disabled
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Roles (contd.)
72
Users
A A A
CREATE UPDATE ON
CREATE EMP
TABLE SESSION
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Benefits of Roles
73
• No cascading revokes
• Improved performance
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Creating Roles
74
CREATE
CREATEROLE
ROLEsales_clerk;
sales_clerk;
CREATE
CREATEROLE
ROLEhr_clerk
hr_clerk
IDENTIFIED
IDENTIFIEDBY
BYbonus;
bonus;
CREATE
CREATEROLE
ROLEhr_manager
hr_manager
IDENTIFIED
IDENTIFIEDEXTERNALLY;
EXTERNALLY;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Modifying Roles
76
ALTER
ALTERROLE
ROLEsales_clerk
sales_clerk
IDENTIFIED
IDENTIFIEDBY
BYcommission;
commission;
ALTER
ALTERROLE
ROLEhr_clerk
hr_clerk
IDENTIFIED
IDENTIFIEDEXTERNALLY;
EXTERNALLY;
ALTER
ALTERROLE
ROLEhr_manager
hr_manager
NOT
NOTIDENTIFIED;
IDENTIFIED;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Assigning Roles
77
GRANT
GRANTsales_clerk
sales_clerkTO
TOscott;
scott;
GRANT
GRANThr_clerk,
hr_clerk,
TO
TOhr_manager;
hr_manager;
GRANT
GRANThr_manager
hr_managerTO
TOscott
scott
WITH
WITHADMIN
ADMINOPTION;
OPTION;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
GRANT
GRANTcreate
createtable,
table,create
createany
anyindex
indexTO
TOhr_clerk;
hr_clerk;
GRANT
GRANTcreate_session
create_sessionTO
TOhr_manager;
hr_manager;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
disables roles.
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
SET
SETROLE
ROLEsales_clerk
sales_clerkIDENTIFIED
IDENTIFIEDBY
BY Enable: this is how
SET ROLE hr_clerk;
SET ROLE hr_clerk; users would activate
commission;
commission; their role
SET
SETROLE
ROLEALL
ALLEXCEPT
EXCEPTsales_clerk;
sales_clerk;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
REVOKE
REVOKEsales_clerk
sales_clerkFROM
FROMscott;
scott;
REVOKE
REVOKEhr_manager
hr_managerFROM
FROMPUBLIC;
PUBLIC;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Removing Roles
82
DROP
DROPROLE
ROLEhr_manager;
hr_manager;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Users
User
roles HR_CLERK HR_MANAGER PAY_CLERK
Application
roles BENEFITS PAYROLL
Application
privileges
Benefits privileges Payroll privileges
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
PAY_CLERK PAY_CLERK_RO
PUBLIC
85
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Auditing Categories
89
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
System-level Triggers
90
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Value-Based Auditing:
An Example
91
CREATE
CREATE TRIGGER
TRIGGERscott.auditemployee
scott.auditemployee
AFTER
AFTERINSERT
INSERTOR
ORDELETE
DELETEOR ORUPDATE
UPDATE
ON
ONscott.emp
scott.emp
FOR
FOREACH
EACHROWROW
BEGIN
BEGIN
INSERT
INSERTINTO
INTOscott.audit_employee
scott.audit_employee
VALUES
VALUES(( :OLD.empno,
:OLD.empno,:OLD.name,…,
:OLD.name,…,
:NEW.empno,
:NEW.empno,:NEW.name,…,
:NEW.name,…,
USER,
USER,SYSDATE);
SYSDATE);
END;
END;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Database Auditing
92
DBA User
Parameter file
Server
process
Specify
audit options
Audit options
AUDIT_TRAIL Parameter
DBA file
DB NONE
AUD$ Instance
table
OS audit OS
OS No trail
trail
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
• Statement auditing
AUDIT
AUDITuser;
user;
• Privilege auditing
AUDIT
AUDITselect
selectany
anytable
table
BY
BYscott
scottBY
BYACCESS;
ACCESS;
AUDIT
AUDITLOCK
LOCKON
ONscott.emp
scott.emp
BY
BYACCESS
ACCESSWHENEVER
WHENEVERSUCCESSFUL;
SUCCESSFUL;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Object Stored
Table View Seq- Pro- Snap-
Option uence gram shot
ALTER X X X
AUDIT X X X X X
COMMENT X X X
DELETE X X X
EXECUTE X
GRANT X X X X X
INDEX X X
INSERT X X X
LOCK X X X
READ
RENAME X X X
SELECT X X X X X
UPDATE X X X
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
NOAUDIT
NOAUDITuser
userWHENEVER
WHENEVERSUCCESSFUL;
SUCCESSFUL;
NOAUDIT
NOAUDITcreate
createtable
tableBY
BYscott;
scott;
NOAUDIT
NOAUDITLOCK
LOCKON
ONemp;
emp;
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
circumstances.
• The auditing actions and the audit records are written to the
– Database start-up
– Database shutdown
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Auditing Guidelines
101
• Focus auditing
– Object auditing, where possible
– By session
– Successful or unsuccessful
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Encrypted Passwords
103
• ora_encrypt_login=true (client)
• dblink_encrypt_login=true (server)
across a network.
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
Authentication Methods
104
• External Authentication
• Proxy Authentication
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
© CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute
Revision no.: PPT/2K403/02
107