07 - Administering User Security

By Muhammad Asghar Khan
Reference: OCA Oracle Database 11g - Admin I Exam Guide by John Watson

Agenda

Create and Manage Database User Accounts
    Username
    Default Tablespace and Quotas
    Temporary Tablespace
    Profile
    Authentication Methods
    EXERCISE 7-1: Create Users

Grant and Revoke Privileges
    System Privileges
    Object Privileges
    EXERCISE 7-2: Grant and Revoke Privileges

Create and Manage Roles
    EXERCISE 7-3: Create and Grant Roles

Create and Manage Profiles
    EXERCISE 7-4: Create and Use Profiles

http://asghars.blogspot.com

Create and Manage Database User Accounts

To establish a session against an instance and a database, a user must connect to a user account.
In some applications, each end user has his own database user account. This model works well for small applications but is often impractical for larger systems with many hundreds or thousands of users.
Larger systems therefore usually have many end users connecting through a single database account. That model relies on the application to map each real end user to the shared database account, and it makes session-level security and auditing more complex, because the database itself can no longer tell the end users apart.
Here we assume that every user is known to the database; they all have their own user accounts.

Username

A user account has a number of attributes defined at account creation time. These attributes are: username, default tablespace and quotas, temporary tablespace, profile, and authentication method.

A username must begin with a letter, must be no more than 30 characters, and can consist only of letters, digits, and the characters dollar ($) and underscore (_).
Usernames are not case sensitive: an unquoted name is converted to uppercase when it is stored. (Passwords, by contrast, are case sensitive by default in release 11g.)
To change a username, the account must be dropped and another account created. This is a drastic action, because all the objects in the user's schema will be dropped along with the user.

Default Tablespace and Quotas

Every user account has a default tablespace: the tablespace in which objects the user creates are stored unless another tablespace is named explicitly.
There is a database-wide default tablespace that is applied to any user account created without an explicit default tablespace. The default can be set when creating the database and changed later with ALTER DATABASE DEFAULT TABLESPACE tablespace_name;
If a default tablespace is not specified when creating the database, it is set to the SYSTEM tablespace (a very bad practice: user objects then compete with the data dictionary for space).

A quota is the amount of space in a tablespace that a user is allowed to occupy. Without a quota on a tablespace (or the UNLIMITED TABLESPACE system privilege) a user cannot create segments in that tablespace at all.
In the DBA_TS_QUOTAS view, MAX_BYTES = -1 means an unlimited quota; the slide's query output showed that user u01 has an unlimited quota on the USERS tablespace.
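The quota mechanics described above, as an added SQL*Plus example that is not from the original slides. It assumes a DBA session (SYSTEM), tablespaces named USERS and TEMP, and that the user name u01 from the slide is free; the password is made up.

```sql
-- Added example (not from the original slides): create a user with an explicit
-- default tablespace, a bounded quota and a temporary tablespace, then read the
-- quota back from the data dictionary. Assumes USERS and TEMP exist and u01 is free.
CREATE USER u01 IDENTIFIED BY "Str0ngPassw0rd#1"
  DEFAULT TABLESPACE users
  QUOTA 10M ON users
  TEMPORARY TABLESPACE temp;

-- Widen the quota later without recreating the account.
ALTER USER u01 QUOTA UNLIMITED ON users;

-- MAX_BYTES = -1 is how an unlimited quota is reported; BYTES is current usage.
SELECT username, tablespace_name, bytes, max_bytes
FROM   dba_ts_quotas
WHERE  username = 'U01';

-- Quotas are only enforced for users who do NOT hold the UNLIMITED TABLESPACE
-- system privilege. Anyone listed here can fill any tablespace, SYSTEM included,
-- whatever their quotas say, so the grant should be confined to administrators.
SELECT grantee
FROM   dba_sys_privs
WHERE  privilege = 'UNLIMITED TABLESPACE';

-- Do not rely on the database-wide defaults being sensible: confirm that the
-- permanent default is not SYSTEM and that a temporary default exists.
SELECT property_name, property_value
FROM   database_properties
WHERE  property_name IN ('DEFAULT_PERMANENT_TABLESPACE', 'DEFAULT_TEMP_TABLESPACE');
```

No quota is needed on a temporary tablespace; quotas apply to permanent tablespaces only.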

Temporary Tablespace

Operations that need temporary space (in memory if possible, in a temporary tablespace if necessary) include sorting rows, joining tables, building indexes, and using temporary tables. Users do not need a quota on their temporary tablespace.
To change a user's temporary tablespace use ALTER USER username TEMPORARY TABLESPACE tablespace_name;
If many users are logging on to the same user account, they will share one temporary tablespace. This can be a performance bottleneck, which may be avoided by using temporary tablespace groups.

Profile

A user's profile controls his password settings and gives a limited amount of control over his resource usage.

Authentication Methods

A user account must have an authentication method. Some of the available methods are:

Operating system and password file authentication

Granting the SYSDBA or SYSOPER privilege copies the user's password entry from the data dictionary into the external password file, where the instance can read it even if the database is not open.

To use password file authentication, the user connects with this syntax:
CONNECT username/password[@db_alias] AS [SYSOPER | SYSDBA];

To use operating system authentication, the user connects with this syntax:
CONNECT / AS [SYSOPER | SYSDBA];

To determine to whom the SYSDBA and SYSOPER privileges have been granted, query the view V$PWFILE_USERS.

Password Authentication

With password authentication, the instance validates the password given against the one stored with the user account in the data dictionary.

The syntax for a connection with password authentication is
CONNECT username/password[@db_alias];

The user SYS is not permitted to connect with password authentication; only password file, operating system, or LDAP authentication are possible for SYS.
When a connection is made across a network, release 11g always encrypts the password using the AES algorithm before transmission.
Any user can change his or her own account password at any time; no privilege is needed for that.

External Authentication

If external authentication is used, Oracle delegates the authentication to an external service; it does not prompt for a password.
With the Advanced Security Option, the external service can be a Kerberos server, a RADIUS server, and so on.
Without the Advanced Security Option, the only form of external authentication that can be used is operating system authentication.
To create an Oracle user and allow him to use external authentication, use the command:
CREATE USER ops$asghar IDENTIFIED EXTERNALLY;

The username must be prefixed with the value of the instance parameter OS_AUTHENT_PREFIX, which defaults to the string OPS$.

Any user logged on to Unix as asghar can then issue CONNECT / (no username, no password) and will be connected to the database user account ops$asghar.

Global Authentication

A global user is a user who is defined within the LDAP directory, and global authentication is a means of delegating user authentication to the directory. It does not require the user to present a password to the database.
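The authentication methods from the last few slides, as an added SQL*Plus example that is not part of the original deck. It assumes a DBA session, that the instance has an external password file, that an operating-system account asghar exists on the database server, and that OS_AUTHENT_PREFIX still has its default value; the user name ldap_user and the LDAP distinguished name are placeholders.

```sql
-- Added example (not from the original slides). Shows how each authentication
-- method looks in SQL and where to verify it. User names follow the slides;
-- ldap_user and the distinguished name below are placeholders.

-- 1. Password-file authentication: who holds SYSDBA/SYSOPER? Anyone listed here
--    can connect even while the database is closed, so the list should be short.
SELECT username, sysdba, sysoper FROM v$pwfile_users;

-- 2. OS (external) authentication. The database user name must be the OS user
--    name prefixed with OS_AUTHENT_PREFIX, so check the prefix first.
SELECT name, value FROM v$parameter WHERE name = 'os_authent_prefix';

CREATE USER ops$asghar IDENTIFIED EXTERNALLY
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp;
GRANT CREATE SESSION TO ops$asghar;
-- From a shell on the server, logged in as asghar, `sqlplus /` now connects with
-- no password: the operating system has already done the authentication.
-- Keep REMOTE_OS_AUTHENT at its default FALSE; TRUE would let a network client
-- be trusted on the strength of a user name it merely claims to have.
SELECT name, value FROM v$parameter WHERE name = 'remote_os_authent';

-- 3. Global authentication: the identity is held in the LDAP directory.
CREATE USER ldap_user IDENTIFIED GLOBALLY AS 'cn=asghar,ou=people,dc=example,dc=com';

-- 4. Review which method each account uses. In 11g DBA_USERS.PASSWORD reads
--    EXTERNAL or GLOBAL for those accounts and is NULL for password accounts
--    (the hashes are no longer exposed in this view).
SELECT username, password, account_status
FROM   dba_users
WHERE  username IN ('OPS$ASGHAR', 'LDAP_USER');
```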

EXERCISE 7-1: Create Users

1. Create three users.

2. Confirm that the users have been created with Database Control. From the database home page, the navigation path is the Server tab and then the Users link in the Security section.

3. From SQL*Plus, attempt to connect as user alois.
   alois cannot connect because alois does not have the CREATE SESSION privilege.

4. Refresh the Database Control window, and note that the status of the ALOIS account is no longer EXPIRED but OPEN, because his password was changed during the connection attempt.
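One way to carry out the SQL*Plus steps of Exercise 7-1, added here as an example; it is not the original exercise listing. The user names are the exercise's own; the passwords, tablespace and quota are assumptions, and the session starts as SYSTEM.

```sql
-- Added example (not the original exercise screenshots). Steps 1, 3 and 4 of
-- Exercise 7-1 from a single SQL*Plus session that starts as SYSTEM.
-- Passwords, the USERS tablespace and the 10M quota are assumptions.

-- Step 1: three users with different attributes.
CREATE USER alois IDENTIFIED BY alois
  DEFAULT TABLESPACE users
  PASSWORD EXPIRE;                       -- forces a password change at first logon
CREATE USER afra IDENTIFIED BY oracle
  DEFAULT TABLESPACE users
  QUOTA 10M ON users;
CREATE USER anja IDENTIFIED BY oracle;   -- takes every database default

-- The SQL equivalent of the Database Control Users page.
SELECT username, account_status, default_tablespace, temporary_tablespace, profile
FROM   dba_users
WHERE  username IN ('ALOIS', 'AFRA', 'ANJA');
-- ALOIS shows ACCOUNT_STATUS = EXPIRED, the other two OPEN.

-- Step 3: attempt to connect as alois.
CONNECT alois/alois
-- SQL*Plus first reports ORA-28001: the password has expired, prompts for a
-- new password and stores it, then refuses the logon with
-- ORA-01045: user ALOIS lacks CREATE SESSION privilege; logon denied.

-- Step 4: the password change went through even though the logon did not,
-- so the status is now OPEN (back in the SYSTEM session).
CONNECT system
SELECT username, account_status, expiry_date
FROM   dba_users
WHERE  username = 'ALOIS';
```

A new account that can neither log on nor create anything is the safest starting point: every capability the user ends up with is then the result of an explicit grant.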

Grant and Revoke Privileges

Privileges are assigned to user accounts with a GRANT command and withdrawn with a REVOKE command. A user cannot even connect without being granted a privilege (CREATE SESSION).
Privileges come in two groups:
System privileges, which let users perform actions that affect the data dictionary.
Object privileges, which let users perform actions that affect data.

System Privileges

There are about two hundred system privileges. These privileges affect the data dictionary, the database or instance, or the ability to establish a session. Some of the more commonly used privileges are:

CREATE SESSION
RESTRICTED SESSION; allows users to connect when an instance is started in RESTRICTED mode
ALTER DATABASE
ALTER SYSTEM; allows control over instance parameters and memory structures
CREATE TABLESPACE
CREATE TABLE
GRANT ANY OBJECT PRIVILEGE
CREATE ANY TABLE
DROP ANY TABLE
INSERT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE
SELECT ANY TABLE

The syntax for granting system privileges is GRANT privilege [, privilege...] TO username [WITH ADMIN OPTION];
WITH ADMIN OPTION lets the grantee grant the privilege to others; revoking the privilege from that grantee later does not cascade to the users he granted it to.

The ANY privileges should be used with extreme caution: they bypass the object-level protection on every user's tables, so a holder of SELECT ANY TABLE can read every schema in the database. (With the default setting O7_DICTIONARY_ACCESSIBILITY=FALSE they do not extend to objects owned by SYS.)

Object Privileges

Object privileges give the ability to perform SELECT, INSERT, UPDATE, and DELETE commands against tables, and to execute PL/SQL objects. The syntax is
GRANT privilege ON schema.object TO username [WITH GRANT OPTION];
Unlike system privileges, object privileges that a grantee has passed on WITH GRANT OPTION are revoked in cascade when the original grant is revoked.

Granting privileges at the column level is often said to be bad practice because of the administrative workload involved; granting access through a view that exposes only the permitted columns is the usual alternative.

EXERCISE 7-2: Grant and Revoke Privileges

1. Grant CREATE SESSION to user alois.

2. Now connect as alois. This time, the login will succeed.

3. As alois, attempt to create a table.

4. In the SYSTEM session, grant alois the CREATE TABLE privilege.

5. In the alois session, try again to create the table.

6. As alois, grant object privileges on the new table.

7. Connect to Database Control as user SYSTEM. Confirm that the object privileges have been granted: take the Schema tab, then the Tables link in the Database Objects section. Enter ALOIS as the Schema and T1 as the Table and click the Go button. In the Actions drop-down box, select Object Privileges. ANJA has only SELECT, but AFRA has everything.

8. Confirm which privileges have been granted to alois: take the Server tab, then the Users link in the Security section. Select the radio button for alois, and click the View button.

9. Retrieve the same information with SQL*Plus (the views DBA_SYS_PRIVS and DBA_TAB_PRIVS).

10. Revoke the privileges granted to AFRA and ANJA.
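The system and object privilege sections and Exercise 7-2, worked through as one added SQL*Plus example that is not the original exercise listing. It assumes the users ALOIS, AFRA and ANJA from Exercise 7-1 exist with the passwords shown, that SYSTEM's password is known, and a USERS tablespace; the table name T1 is the exercise's own. The exercise uses two sessions; here CONNECT switches between them inside one SQL*Plus.

```sql
-- Added example (not the original exercise screenshots). Passwords, the USERS
-- tablespace and the 1M quota are assumptions. Start connected as SYSTEM.

-- Step 1 (SYSTEM): the minimum privilege needed to log on at all.
GRANT CREATE SESSION TO alois;

-- Steps 2-3 (ALOIS): logon now works, but creating a table still fails with
-- ORA-01031: insufficient privileges.
CONNECT alois/alois
CREATE TABLE t1 (c1 NUMBER);

-- Step 4 (SYSTEM): CREATE TABLE plus a quota. CREATE TABLE alone ends in
-- ORA-01950: no privileges on tablespace 'USERS', either at CREATE TABLE or,
-- with deferred segment creation, at the first insert.
CONNECT system
GRANT CREATE TABLE TO alois;
ALTER USER alois QUOTA 1M ON users;

-- Steps 5-6 (ALOIS): create the table and hand out object privileges.
CONNECT alois/alois
CREATE TABLE t1 (c1 NUMBER);
GRANT SELECT ON t1 TO anja;
GRANT ALL ON t1 TO afra WITH GRANT OPTION;   -- afra may pass these on
-- WITH ADMIN OPTION belongs to system privileges and roles,
-- WITH GRANT OPTION to object privileges; they are not interchangeable.

-- Steps 8-9 (SYSTEM): what the two Database Control pages show, as queries.
CONNECT system
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'ALOIS';
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'ALOIS' AND table_name = 'T1';

-- Step 10 (ALOIS, the grantor): revoke. Revoking an object privilege cascades,
-- so anything AFRA passed on under her GRANT OPTION disappears as well.
CONNECT alois/alois
REVOKE ALL ON t1 FROM afra;
REVOKE SELECT ON t1 FROM anja;

-- Periodic check: who holds ANY privileges, and therefore reads or changes
-- data in every schema regardless of object grants?
CONNECT system
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '%ANY%'
ORDER  BY grantee, privilege;
```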

Create and Manage Roles

A role is a collection of system and/or object privileges that can be granted and revoked as a unit and, having been granted, can be temporarily activated or deactivated within a session.
Roles are not schema objects: they are not owned by anyone and so cannot be prefixed with a username.
Create a role with the CREATE ROLE command:
CREATE ROLE rolename;

Then grant privileges to the role with the usual syntax. System privileges and other roles can be granted to a role WITH ADMIN OPTION if desired; object privileges cannot be granted to a role WITH GRANT OPTION (the attempt fails with ORA-01926).
http://asghars.blogspot.com

There are at least 50 predefined roles in an Oracle database, for example:

CONNECT; exists for backward compatibility. In the current release it has only CREATE SESSION.
RESOURCE; also for backward compatibility. This role can create both data objects and procedural objects. Note that granting RESOURCE to a user also grants the UNLIMITED TABLESPACE system privilege, which bypasses all quotas.
DBA; any user granted DBA can manage virtually all aspects of the database, except for startup and shutdown.
SELECT_CATALOG_ROLE; has over 2000 object privileges against data dictionary objects, but no system privileges or privileges against user data.
SCHEDULER_ADMIN; has the system privileges necessary for managing the Scheduler job scheduling service.
PUBLIC; always granted to every database user account. If a privilege is granted to PUBLIC, it is available to all users, so grants to PUBLIC deserve regular review.

If a user has been granted a role, the role is enabled by default when he logs on. This behavior can be modified by making the role a non-default role for that user.

The basic command to enable a role within a session is
SET ROLE rolename;
and SET ROLE NONE disables every role for the rest of the session.

EXERCISE 7-3: Create and Grant Roles

1. Create two roles, USR_ROLE and MGR_ROLE.

2. Grant some privileges to the roles, and grant USR_ROLE to MGR_ROLE.

3. Grant the roles to AFRA.

4. Connect to the database as user AFRA and grant USR_ROLE to ANJA.

5. Confirm that ANJA can connect and query ALOIS.t1 but do nothing else.

6. As user SYSTEM, adjust ANJA so that by default he can log on but do nothing else.

7. Demonstrate the enabling and disabling of roles.

8. Use Database Control to inspect the roles. The navigation path from the home page is the Server tab, then the Roles link in the Security section.

9. To see to whom a role has been granted, in the Actions drop-down box shown in the preceding illustration, select Show Grantees and click the Go button.
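The roles section and Exercise 7-3, worked through as one added SQL*Plus example that is not the original exercise listing. It assumes the users ALOIS, AFRA and ANJA and the table ALOIS.T1 from the earlier exercises, with the passwords shown being assumptions; the role names are the exercise's own. Granting the roles to AFRA WITH ADMIN OPTION is the assumption that makes step 4 work.

```sql
-- Added example (not the original exercise screenshots). Passwords are
-- assumptions. Start connected as SYSTEM; CONNECT switches user in place.

-- Steps 1-2: two roles, one nested inside the other.
CREATE ROLE usr_role;
CREATE ROLE mgr_role;
GRANT CREATE SESSION TO usr_role;
GRANT SELECT ON alois.t1 TO usr_role;     -- an object privilege inside a role
GRANT CREATE TABLE TO mgr_role;
GRANT usr_role TO mgr_role;               -- MGR_ROLE now contains USR_ROLE
-- GRANT SELECT ON alois.t1 TO usr_role WITH GRANT OPTION would fail with
-- ORA-01926: object privileges cannot be given to a role WITH GRANT OPTION.

-- Steps 3-4: AFRA gets both roles WITH ADMIN OPTION so that she may pass
-- USR_ROLE on; a plain grant would not let her do that.
GRANT usr_role, mgr_role TO afra WITH ADMIN OPTION;
CONNECT afra/oracle
GRANT usr_role TO anja;

-- Step 5: ANJA can log on and read ALOIS.T1, and nothing else.
CONNECT anja/oracle
SELECT COUNT(*) FROM alois.t1;
CREATE TABLE t2 (c1 NUMBER);              -- ORA-01031: insufficient privileges

-- Step 6 (SYSTEM): roles are enabled at logon by default. Make all of ANJA's
-- roles non-default and grant CREATE SESSION directly so the logon still works.
CONNECT system
GRANT CREATE SESSION TO anja;
ALTER USER anja DEFAULT ROLE NONE;

-- Step 7 (ANJA): switch the role on and off inside the session.
CONNECT anja/oracle
SELECT role FROM session_roles;           -- no rows: nothing enabled
SELECT COUNT(*) FROM alois.t1;            -- ORA-00942: table or view does not exist
SET ROLE usr_role;
SELECT role FROM session_roles;           -- USR_ROLE
SELECT COUNT(*) FROM alois.t1;            -- works
SET ROLE NONE;                            -- all roles off again

-- Steps 8-9 (SYSTEM): the "Show Grantees" page as a dictionary query.
CONNECT system
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role IN ('USR_ROLE', 'MGR_ROLE')
ORDER  BY granted_role, grantee;
```

Step 6 is the pattern to reuse for privileged roles in general: keep them non-default, so that a compromised session carries only the privileges the user has deliberately switched on.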

Create and Manage Profiles

A profile enforces a password policy and restricts the resources a session can take up. Password controls are always enforced; resource limits are only enforced if the instance parameter RESOURCE_LIMIT is set to TRUE (by default it is FALSE).
The limits that can be applied to passwords are:

FAILED_LOGIN_ATTEMPTS; the number of consecutive failed password attempts before the account is locked
PASSWORD_LOCK_TIME; the number of days an account stays locked after FAILED_LOGIN_ATTEMPTS is reached
PASSWORD_LIFE_TIME; the number of days before a password expires
PASSWORD_GRACE_TIME; the number of days, following the first successful login after the password has expired, during which the user is warned to change the password but still allowed in; after that the password is expired
PASSWORD_REUSE_TIME; the number of days before a password can be reused
PASSWORD_REUSE_MAX; the number of password changes required before a password can be reused (the two REUSE limits work together and should be set as a pair)
PASSWORD_VERIFY_FUNCTION; the name of a function to run whenever a password is changed, to reject weak passwords

The limits that can be applied to resource usage (also known as kernel limits) are:

SESSIONS_PER_USER
CPU_PER_SESSION
CPU_PER_CALL
LOGICAL_READS_PER_SESSION
LOGICAL_READS_PER_CALL
PRIVATE_SGA
CONNECT_TIME
IDLE_TIME
COMPOSITE_LIMIT (a weighted sum of CPU_PER_SESSION, CONNECT_TIME, LOGICAL_READS_PER_SESSION, and PRIVATE_SGA)

When a session is terminated because a resource limit has been reached, any transaction in progress is rolled back.
Profiles can be used to limit resource usage, but a much more sophisticated tool is the Resource Manager.
To see which profile is currently assigned to each user, run this query:
SELECT username, profile FROM dba_users;

With Database Control, from the database home page take the Server tab, and then click the Users link in the Security section to see which profile each user has.

To enable more sophisticated password management, run the supplied script $ORACLE_HOME/rdbms/admin/utlpwdmg.sql. On both Unix and Windows, the script creates two functions called VERIFY_FUNCTION and VERIFY_FUNCTION_11G, and it alters the profile called DEFAULT to use the new function and to tighten its password limits. Since every account uses DEFAULT unless it has been assigned another profile, review those new limits before running the script on a production database.

EXERCISE 7-4: Create and Use Profiles

1. Create a profile that will lock accounts after two wrong passwords.

2. Assign this new profile to ALOIS.

3. Deliberately enter the wrong password for ALOIS a few times.

4. As user SYSTEM, unlock the ALOIS account.

5. Check that ALOIS can now connect.
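The profiles section and Exercise 7-4, worked through as one added SQL*Plus example that is not the original exercise listing. It assumes user ALOIS exists with the password alois. The password verification function pw_check is a minimal illustration written for this example, not the VERIFY_FUNCTION_11G that utlpwdmg.sql installs; like that function it has to be owned by SYS, so the block is meant to be run as SYS (leave the function and the PASSWORD_VERIFY_FUNCTION line out to run it as SYSTEM).

```sql
-- Added example (not the original exercise screenshots). Run as SYS; the
-- profile name, the limits and the function pw_check are assumptions.

-- A verification function receives the username, the new password and the old
-- password; it returns TRUE to accept the password or raises an error.
CREATE OR REPLACE FUNCTION sys.pw_check (
  username VARCHAR2, password VARCHAR2, old_password VARCHAR2)
RETURN BOOLEAN IS
BEGIN
  IF LENGTH(password) < 10 THEN
    raise_application_error(-20001, 'Password must be at least 10 characters');
  END IF;
  IF UPPER(password) LIKE '%' || UPPER(username) || '%' THEN
    raise_application_error(-20002, 'Password must not contain the username');
  END IF;
  IF NOT REGEXP_LIKE(password, '[0-9]') THEN
    raise_application_error(-20003, 'Password must contain a digit');
  END IF;
  RETURN TRUE;
END;
/

-- Step 1: a profile that locks the account after two consecutive failures.
CREATE PROFILE strict_pw LIMIT
  FAILED_LOGIN_ATTEMPTS    2
  PASSWORD_LOCK_TIME       1/24     -- fractions of a day are allowed: one hour
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10       -- set both REUSE limits, or neither
  PASSWORD_VERIFY_FUNCTION pw_check
  IDLE_TIME                30;      -- minutes; ignored unless RESOURCE_LIMIT=TRUE

-- Password limits always apply; the IDLE_TIME above does not until this is TRUE.
SELECT value FROM v$parameter WHERE name = 'resource_limit';
ALTER SYSTEM SET resource_limit = TRUE;

-- Step 2: assign the profile and read the assignment back.
ALTER USER alois PROFILE strict_pw;
SELECT username, profile, account_status FROM dba_users WHERE username = 'ALOIS';

-- Step 3: wrong passwords. The first two fail with ORA-01017 and the second
-- one trips the limit; the third is refused with ORA-28000: the account is locked.
CONNECT alois/wrong1
CONNECT alois/wrong2
CONNECT alois/wrong3

-- Steps 4-5 (SYSTEM): see the lock, clear it, and prove the logon works again.
CONNECT system
SELECT username, account_status, lock_date FROM dba_users WHERE username = 'ALOIS';
ALTER USER alois ACCOUNT UNLOCK;
CONNECT alois/alois

-- For comparison, the password limits currently in force for everyone else.
SELECT resource_name, limit
FROM   dba_profiles
WHERE  profile = 'DEFAULT' AND resource_type = 'PASSWORD';
```

A lock with a short PASSWORD_LOCK_TIME still stops online password guessing, because the attacker is held to a handful of attempts per hour; setting it to UNLIMITED turns the same limit into an easy denial of service against any account whose name is known.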