Administering User Security

9

Copyright © 2005, Oracle. All rights reserved.

Objectives
After completing this lesson, you should be able to do the following: • Create and manage database user accounts • Create and manage roles • Grant and revoke privileges • Control resource usage by users

9-2

Copyright © 2005, Oracle. All rights reserved.

User Management: Overview

• Users • Jenny • Roles HR_MGR • • Privileges Insert employees

Create a user with an assigned storage area (tablespace). Assign quota to limit storage usage. Limit resource usage with profile. Authenticate a user with a password. Manage password rules with profiles (expire passwords and lock account). Assign privileges to roles and roles to users.

9-3

Copyright © 2005, Oracle. All rights reserved.

Database Users and Schemas
• • • A schema is the collection of objects owned by a user. Username and schema are often used interchangeably. A user can be associated with only one schema, but he or she can use objects from many schemas with the appropriate permissions.

Schema Objects Tables Triggers Indexes Views Sequences Stored program units Synonyms User-defined data types Database links

9-4

Copyright © 2005, Oracle. All rights reserved.

Database User Accounts
Each database user account has: • A unique username • An authentication method • A default tablespace • A temporary tablespace • A user profile • A consumer group • A lock status

> User Privilege Role Profile

9-5

Copyright © 2005, Oracle. All rights reserved.

Database User Accounts Full Notes Page

9-6

Copyright © 2005, Oracle. All rights reserved.

Predefined Accounts: SYS and SYSTEM
• The SYS account:
– Is granted the DBA role – Has all privileges with ADMIN OPTION – Is required for startup, shutdown, and some maintenance commands – Owns the data dictionary – Owns the Automatic Workload Repository (AWR)

• •

The SYSTEM account is granted the DBA role. These accounts are not used for routine operations.

9-7

Copyright © 2005, Oracle. All rights reserved.

Creating a User

Select Administration > Schema > Users & Privileges > Users, and then click the Create button.
9-8 Copyright © 2005, Oracle. All rights reserved.

Privileges

User > Privilege Role Profile

There are two types of user privileges: • System: Enables users to perform particular actions in the database • Object: Enables users to access and manipulate a specific object

HR_DBA Object privilege: Update employees
9-9

System privilege: Create session

Copyright © 2005, Oracle. All rights reserved.

System Privileges

9-10

Copyright © 2005, Oracle. All rights reserved.

System Privileges Full Notes Page

9-11

Copyright © 2005, Oracle. All rights reserved.

Object Privileges

To grant object privileges: 1. Choose the object type. 2. Select objects. 3. Select privileges.

9-12

Copyright © 2005, Oracle. All rights reserved.

Revoking System Privileges with ADMIN OPTION
DBA Jeff Emi User

GRANT

Privilege

Object REVOKE DBA Jeff Emi

REVOKE CREATE TABLE FROM jeff;

9-13

Copyright © 2005, Oracle. All rights reserved.

Revoking Object Privileges with GRANT OPTION
Bob GRANT Jeff Emi

REVOKE

Bob

Jeff

Emi

9-14

Copyright © 2005, Oracle. All rights reserved.

Creating a Role

User Privilege > Role Profile

Select Administration > Schema > Users & Privileges > Roles.
9-15 Copyright © 2005, Oracle. All rights reserved.

Benefits of Roles
• • • Easier privilege management Dynamic privilege management Selective availability of privileges

9-16

Copyright © 2005, Oracle. All rights reserved.

Predefined Roles
CONNECT RESOURCE CREATE SESSION CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE CREATE ANY JOB, CREATE EXTERNAL JOB, CREATE JOB, EXECUTE ANY CLASS, EXECUTE ANY PROGRAM, MANAGE SCHEDULER Most system privileges, several other roles. Do not grant to nonadministrators. No system privileges, but HS_ADMIN_ROLE and over 1,700 object privileges on the data dictionary

SCHEDULER_ ADMIN DBA SELECT_ CATALOG_ ROLE

9-17

Copyright © 2005, Oracle. All rights reserved.

Secure Roles
• Roles may be nondefault.
SET ROLE vacationdba;

• Roles may be protected through authentication.

• Roles may also be secured programmatically.
CREATE ROLE secure_application_role IDENTIFIED USING <security_procedure_name>;
9-18 Copyright © 2005, Oracle. All rights reserved.

Profiles and Users
Users are assigned only one profile at any given time. Profiles: • Control resource consumption • Manage account status and password expiration

User Privilege Role > Profile

9-19

Copyright © 2005, Oracle. All rights reserved.

Profiles and Users Full Notes Page

9-20

Copyright © 2005, Oracle. All rights reserved.

Where We Are
Done: Creating a user Creating a role Assigning system and object privileges to a role Creating a profile Limiting resource usage with a profile To Do—Modifying user accounts: • Assigning storage area (tablespace) • Assigning quota to limit storage usage • Authenticating users with passwords • Managing password rules with profiles (expiring passwords and locking accounts) • Assigning privileges to roles and roles to users

9-21

Copyright © 2005, Oracle. All rights reserved.

Modifying Users: Default and Temporary Tablespaces and Locking
• • Default: Default location of database objects Temporary: Used for sorting

Best practice: Be specific in your tablespace assignments.

9-22

Copyright © 2005, Oracle. All rights reserved.

Assigning Quota to Users
Users who do not have the UNLIMITED TABLESPACE system privilege must be given a quota before they can create objects in a tablespace. Quotas can be: • Unlimited • A specific value in megabytes or kilobytes

9-23

Copyright © 2005, Oracle. All rights reserved.

Assigning Quota to Users Full Notes Page

9-24

Copyright © 2005, Oracle. All rights reserved.

Authenticating Users
• • • Password External Global

9-25

Copyright © 2005, Oracle. All rights reserved.

Authenticating Users Full Notes Page

9-26

Copyright © 2005, Oracle. All rights reserved.

Administrator Authentication
Operating System Security: • DBAs must have the OS privileges to create and delete files. • Typical database users should not have the OS privileges to create or delete database files. Administrator Security: • SYSBA and SYSOPER connections are authorized via password file or OS.
– Password file authentication records the DBA user by name. – OS authentication does not record the specific user. – OS authentication takes precedence over password file authentication for SYSDBA and SYSOPER.
Copyright © 2005, Oracle. All rights reserved.

9-27

Locking and Unlocking Accounts

Failed login attempts User

Manual locking

Account locked

DBA Manual unlocking

Account unlocked
9-28 Copyright © 2005, Oracle. All rights reserved.

Setting Password Expiration
Password management includes the following: • Specifying the maximum lifetime for a password • Specifying a grace period for changing a password Note: Do not use profiles that cause the SYS, SYSMAN, and DBSNMP passwords to expire and the accounts to get locked.

9-29

Copyright © 2005, Oracle. All rights reserved.

Unlocking a User Account and Resetting the Password

Select the user, and click Unlock User.

9-30

Copyright © 2005, Oracle. All rights reserved.

Assigning Privileges to Roles and Roles to Users

Users

Jenny

David

Rachel

Roles

HR_MGR

HR_CLERK

Privileges

Delete employees Insert employees

Select employees

Update employees

9-31

Copyright © 2005, Oracle. All rights reserved.

Assigning Roles to Users

9-32

Copyright © 2005, Oracle. All rights reserved.

Checklist for Creating Users
• • • • • Select a profile. Select an authentication technique. Assign a default tablespace and temporary tablespace. Decide on quotas for each tablespace. Grant privileges and roles to the user.

9-33

Copyright © 2005, Oracle. All rights reserved.

Summary
In this lesson, you should have learned how to: • Create and manage user accounts • Create and manage roles • Grant and revoke privileges • Control resource usage by users

9-34

Copyright © 2005, Oracle. All rights reserved.

Practice Overview: Administering Users
This practice covers the following topics: • Creating a profile to limit resource consumption • Creating two roles:
a. HRCLERK b. HRMANAGER

Creating three new users: One manager and two clerks

9-35

Copyright © 2005, Oracle. All rights reserved.

9-36

Copyright © 2005, Oracle. All rights reserved.

Sign up to vote on this title
UsefulNot useful