
Lesson 7: Controlling User Access

Copyright © 2004, Oracle. All rights reserved.

Objectives
After completing this lesson, you should be able to do the following:
• Discuss the concepts of users, roles, and privileges
• Create users
• Create roles
• Grant and revoke object privileges
• Create and access database links


Controlling User Access
• Database security:
  – System security
  – Data security
• System privileges: Access to the database
• Object privileges: Ability to manipulate the content of the database objects
• Schema: A collection of objects, such as tables, views, and sequences

[Figure: the database administrator issues a username and password and assigns privileges to users.]


Understanding System Privileges
• There are more than 100 privileges.
• The DBA has high-level system privileges, including the right to:
  – Create new users
  – Remove users
  – Remove tables
  – Back up tables


Creating Users
The DBA creates users by using the CREATE USER statement.

Syntax:
CREATE USER user IDENTIFIED BY password;

Example:
CREATE USER scott IDENTIFIED BY tiger;
User created.


Granting System Privileges to a User
• After a user is created, the DBA can grant that user specific system privileges.
• An application developer may have the following system privileges:
  – CREATE SESSION
  – CREATE TABLE
  – CREATE SEQUENCE
  – CREATE VIEW
  – CREATE PROCEDURE


Granting System Privileges
Syntax:
GRANT { system_privilege | role | ALL PRIVILEGES }
    [, { system_privilege | role | ALL PRIVILEGES }]...
TO { user | role | PUBLIC }
    [, { user | role | PUBLIC }]...
[IDENTIFIED BY password]
[WITH ADMIN OPTION];

Example:
GRANT create table, create sequence, create view TO scott;
Grant succeeded.


Understanding Roles

[Figure: two ways of allocating privileges to users. Allocating privileges without a role: each privilege is granted to each user individually. Allocating privileges with a role: the privileges are granted once to the MANAGER role, and the role is granted to the users.]


Creating a Role
• Create a role:

CREATE ROLE manager;
Role created.

• Grant privileges to a role:

GRANT create table, create view TO manager;
Grant succeeded.

• Grant a role to users:

GRANT manager TO BLAKE, CLARK;
Grant succeeded.
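The three slides above (creating a user, granting system privileges, and creating a role) form one provisioning procedure. The following is an added example, not part of the Oracle course material, that carries it through end to end for a developer account: the account is created with a tablespace quota, the system privileges listed on slide 7-7 are placed in a role, and the role rather than the individual privileges is granted to the user. The user name DEV01, the role APP_DEVELOPER, the tablespace USERS and the password are assumptions; the dictionary queries at the end assume the session runs as the DBA.

```sql
-- Added example (not from the Oracle course): provisioning a developer
-- account through a role rather than with direct system-privilege grants.
-- Assumed names: user DEV01, role APP_DEVELOPER, tablespace USERS;
-- the password is a placeholder to be replaced.

-- 1. Create the account. Without CREATE SESSION the user cannot log in,
--    and without a quota the user cannot store rows in any table it creates.
CREATE USER dev01 IDENTIFIED BY "ChangeMe_Placeholder1"
  DEFAULT TABLESPACE users
  QUOTA 50M ON users;

-- 2. Put the system privileges an application developer needs into a role.
--    The privileges are granted to the role once; changing the role changes
--    every account that holds it.
CREATE ROLE app_developer;
GRANT create session, create table, create sequence, create view, create procedure
  TO app_developer;

-- 3. Grant the role to the user (and to further developers later) instead
--    of repeating five grants per account.
GRANT app_developer TO dev01;

-- A system privilege granted WITH ADMIN OPTION lets the grantee hand the
-- privilege on to any other user or role; leave it off for ordinary accounts.
-- GRANT create table TO dev01 WITH ADMIN OPTION;   -- not for ordinary accounts

-- 4. Confirm the result from the data dictionary (run as the DBA).
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'DEV01';

SELECT role, privilege
  FROM role_sys_privs
 WHERE role = 'APP_DEVELOPER';
```

Because the quota rather than the UNLIMITED TABLESPACE privilege bounds the account's storage, the developer can create and fill tables only within the 50 MB allotted on USERS; raising or lowering it later is a single ALTER USER statement that leaves the grants untouched.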


Changing Your Password
• When the user account is created, a password is initialized.
• Users can change their passwords by using the ALTER USER statement.

ALTER USER scott IDENTIFIED BY lion;
User altered.


Understanding Object Privileges

Object Privilege   Table   View   Sequence   Procedure
ALTER              √               √
DELETE             √       √
EXECUTE                                     √
INDEX              √
INSERT             √       √
REFERENCES         √       √
SELECT             √       √       √
UPDATE             √       √

Understanding Object Privileges
• Object privileges vary from object to object.
• An owner has all the privileges on the object.
• An owner can grant specific privileges on the owner's object to another user.

GRANT {object_priv [(columns)] | ALL [PRIVILEGES]}
ON object
TO {user | role | PUBLIC}
[WITH GRANT OPTION];


Granting Object Privileges
• Grant query privileges on the EMPLOYEES table.

GRANT select ON employees TO sue, rich;
Grant succeeded.

• Grant privileges to update specific columns to users and roles.

GRANT update (department_id, location_id) ON departments TO scott, manager;
Grant succeeded.

To access the objects of other schemas on which you have access privileges, prefix the object name with the schema name followed by a period.

Using the WITH GRANT OPTION and PUBLIC Keywords
• Give a user authority to pass along the privileges.

GRANT select, insert ON departments TO scott WITH GRANT OPTION;
Grant succeeded.

• Allow all users on the system to query data from Alice's DEPARTMENTS table.

GRANT select ON alice.departments TO PUBLIC;
Grant succeeded.


Confirming Privileges Granted

Data Dictionary View     Description
ROLE_SYS_PRIVS           System privileges granted to roles
ROLE_TAB_PRIVS           Table privileges granted to roles
USER_ROLE_PRIVS          Roles accessible by the user
USER_TAB_PRIVS_MADE      Object privileges granted on the user's objects
USER_TAB_PRIVS_RECD      Object privileges granted to the user
USER_COL_PRIVS_MADE      Object privileges granted on the columns of the user's objects
USER_COL_PRIVS_RECD      Object privileges granted to the user on specific columns
USER_SYS_PRIVS           System privileges granted to the user
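The object-privilege grants on slides 7-13 and 7-14 and the dictionary views listed above fit together as one workflow: the owner grants, then both owner and grantee can check what was granted. The following added example, not part of the Oracle course material, shows the column-level UPDATE grant, the MADE and RECD views from each side, and the schema-prefixed access that the grantee must use. It assumes the first statements run as ALICE (owner of EMPLOYEES and DEPARTMENTS), the later ones as SCOTT, and that users SUE and SCOTT and role MANAGER already exist; the department values are constructed.

```sql
-- Added example (not from the Oracle course): granting object privileges
-- and confirming them from both sides through the data dictionary.
-- Assumed: ALICE owns EMPLOYEES and DEPARTMENTS; SUE, SCOTT and the role
-- MANAGER already exist. Sections are marked with the user they run as.

-- [As ALICE] Read access to one table, and UPDATE limited to two columns.
-- Column-level UPDATE keeps every other column of DEPARTMENTS out of reach.
GRANT select ON employees TO sue;
GRANT update (department_id, location_id) ON departments TO scott, manager;

-- [As ALICE] What have I handed out? GRANTABLE = 'YES' would mean the
-- grantee can pass the privilege on (WITH GRANT OPTION).
SELECT grantee, table_name, privilege, grantable
  FROM user_tab_privs_made;

SELECT grantee, table_name, column_name, privilege
  FROM user_col_privs_made;

-- [As SCOTT] What has been granted to me, and in whose schema does it live?
SELECT owner, table_name, privilege
  FROM user_tab_privs_recd;

SELECT owner, table_name, column_name, privilege
  FROM user_col_privs_recd;

-- [As SCOTT] The table is in another schema, so it is prefixed with ALICE.
-- Only the two granted columns may be changed (constructed sample values).
UPDATE alice.departments
   SET location_id = 1700
 WHERE department_id = 10;

-- [As SCOTT] Touching a column outside the grant is rejected with an
-- insufficient-privileges error, even though SCOTT can update the table.
-- UPDATE alice.departments SET department_name = 'X' WHERE department_id = 10;
```

The RECD views show only direct grants to the querying user; a privilege that reaches SCOTT through the MANAGER role appears under ROLE_TAB_PRIVS instead, which is why a complete review of one account's access has to consult both the user and the role views.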


Revoking Object Privileges
Syntax:
REVOKE {privilege [, privilege...] | ALL}
ON object
FROM {user [, user...] | role | PUBLIC}
[CASCADE CONSTRAINTS];

Example: As user ALICE, revoke the SELECT and INSERT privileges given to user SCOTT on the DEPARTMENTS table.

REVOKE select, insert ON departments FROM scott;
Revoke succeeded.
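Slide 7-15 shows WITH GRANT OPTION and this slide shows REVOKE, but the interesting behaviour is what REVOKE does to privileges the grantee has already passed on. The following added example, not part of the Oracle course material, builds a two-step grant chain (ALICE to SCOTT to SUE), inspects it through ALL_TAB_PRIVS, and then revokes at the top of the chain; it also shows when CASCADE CONSTRAINTS matters. It assumes ALICE owns DEPARTMENTS and that SCOTT and SUE exist; the sections are marked with the user they run as.

```sql
-- Added example (not from the Oracle course): a grant chain built with
-- WITH GRANT OPTION, and the effect of REVOKE on it.
-- Assumed: ALICE owns DEPARTMENTS; users SCOTT and SUE already exist.

-- [As ALICE] Let SCOTT read the table and pass that right on.
GRANT select ON departments TO scott WITH GRANT OPTION;

-- [As SCOTT] Pass SELECT on to SUE. SCOTT holds no GRANT OPTION for INSERT,
-- so "GRANT insert ON alice.departments TO sue" would be rejected here.
GRANT select ON alice.departments TO sue;

-- [As ALICE] USER_TAB_PRIVS_MADE lists only ALICE's own grant (to SCOTT).
-- The whole chain, including SCOTT -> SUE, is visible to the owner in
-- ALL_TAB_PRIVS (or to the DBA in DBA_TAB_PRIVS).
SELECT grantor, grantee, privilege, grantable
  FROM all_tab_privs
 WHERE table_schema = 'ALICE'
   AND table_name   = 'DEPARTMENTS';

-- [As ALICE] Revoke from SCOTT. Revoking an object privilege cascades
-- through every grant SCOTT made with it, so SUE loses SELECT as well.
REVOKE select ON departments FROM scott;

-- [As ALICE] A direct revoke from SUE would fail: ALICE did not make that
-- grant, and only the grantor can revoke it.
-- REVOKE select ON departments FROM sue;

-- [As ALICE] Re-run the dictionary query: no rows remain for SCOTT or SUE.
SELECT grantor, grantee, privilege
  FROM all_tab_privs
 WHERE table_schema = 'ALICE'
   AND table_name   = 'DEPARTMENTS';

-- [As ALICE] CASCADE CONSTRAINTS matters for REFERENCES: foreign keys that
-- SCOTT defined against DEPARTMENTS are dropped along with the privilege.
GRANT references ON departments TO scott;
REVOKE references ON departments FROM scott CASCADE CONSTRAINTS;
```

The cascade is specific to object privileges. Revoking a system privilege that was granted WITH ADMIN OPTION removes it from the named grantee only; users to whom that grantee passed the privilege keep it, and each has to be revoked separately.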

Understanding Database Links
A database link connection allows local users to access data on a remote database.

[Figure: a user on the local database issues the query below; it is resolved against the EMP table on the remote HQ_ACME.COM database.]

SELECT * FROM emp@HQ_ACME.COM;


Creating Database Links
• Create the database link.

CREATE PUBLIC DATABASE LINK hq.acme.com USING 'sales';
Database link created.

• Write SQL statements that use the database link.

SELECT * FROM emp@HQ.ACME.COM;
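The slide creates a PUBLIC link with no CONNECT TO clause, so every local user can use it and each connects to the remote database under their own name. The following added example, not part of the Oracle course material, shows the other shape the CREATE DATABASE LINK statement supports: a private link (usable only by its owner) with a fixed remote account that holds nothing beyond CREATE SESSION and SELECT on the one table the link is meant to expose, followed by the dictionary views used to review which links exist. The link name HQ_LINK, the TNS alias 'hq_sales', the remote account HQ_READER, the remote table HQ_APP.EMP and its columns are assumptions; the passwords are placeholders.

```sql
-- Added example (not from the Oracle course): a private, fixed-user database
-- link backed by a dedicated low-privilege remote account.
-- Assumed names: link HQ_LINK, TNS alias 'hq_sales', remote user HQ_READER,
-- remote table HQ_APP.EMP with columns EMPLOYEE_ID and LAST_NAME.

-- [On the remote database] A reporting account that can log in and read
-- only the table the link is meant to expose. Nothing else is granted.
CREATE USER hq_reader IDENTIFIED BY "ChangeMe_Placeholder2";
GRANT create session TO hq_reader;
GRANT select ON hq_app.emp TO hq_reader;

-- [On the local database] A private link (no PUBLIC keyword), so only its
-- owner can use it. CONNECT TO fixes the remote identity, so whatever the
-- local user can do through the link is bounded by HQ_READER's grants.
CREATE DATABASE LINK hq_link
  CONNECT TO hq_reader IDENTIFIED BY "ChangeMe_Placeholder2"
  USING 'hq_sales';

-- Use it like a local table name with the @link suffix; the remote schema
-- prefix is needed because HQ_READER does not own EMP.
SELECT employee_id, last_name
  FROM hq_app.emp@hq_link;

-- Review links: your own, then every link you are allowed to see, with the
-- remote account each one connects as (USERNAME is empty for a link that
-- connects as the current user, as the PUBLIC link on the slide does).
SELECT db_link, username, host
  FROM user_db_links;

SELECT owner, db_link, username, host
  FROM all_db_links;
```

A fixed-user link stores the remote credentials in the local data dictionary, so the trade-off against the slide's current-user link is that the remote account must be a narrowly privileged one such as HQ_READER above, and the link itself should stay private unless every local user is meant to reach the remote table.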


Summary
In this lesson, you should have learned how to do the following:
• Discuss the concepts of users, roles, and privileges
• Create users
• Create roles
• Grant and revoke object privileges
• Create and access database links


Practice 7: Overview
This practice covers the following topics:
• Granting other users privileges to your table
• Modifying another user's table through the privileges granted to you
• Querying the data dictionary views related to privileges
