For users to access your database, you must create user accounts and grant
appropriate database access privileges to those accounts.
A user account is identified by a user name and
defines the attributes of the user, including the following:
• Authentication method
• Password for database authentication
• Default tablespaces for permanent and temporary data storage
• Tablespace quotas
• Account status (locked or unlocked)
• Password status (expired or not)
When you create a user account, you must not only assign a user name,
a password, and default tablespaces for the account, but you must
also grant to the account:
• the appropriate system privileges (for example, the privileges to
create tablespaces or to delete the rows of any table in the database),
• object privileges (SELECT, INSERT, UPDATE, DELETE, ALTER, and INDEX
on tables and views, and EXECUTE on procedures, functions, and
packages), and
• roles.
When you create a user account, you are also implicitly creating a schema
for that user. A schema is a logical container for the database objects (such
as tables, views, triggers, and so on) that the user creates. The schema
name is the same as the user name, and can be used to unambiguously
refer to objects owned by the user.
For example, hr.employees refers to the table named employees in
the hr schema. (The employees table is owned by hr.) The terms database
object and schema object are used interchangeably.
When you delete a user, you must either simultaneously delete all
schema objects of that user, or you must have previously deleted the
schema objects in separate operations.
Predefined User Accounts
• SYS
• SYSTEM
• DBSNMP
• other predefined accounts
User Privileges and Roles
RESOURCE: Enables a user to create, modify, and delete certain types of schema objects in the schema associated with that user.
Grant this role only to developers and to other users that must create schema objects. This role grants a subset of the
create object system privileges. For example, it grants the CREATE TABLE system privilege, but does not grant the CREATE
VIEW system privilege. It grants only the following privileges: CREATE CLUSTER, CREATE INDEXTYPE, CREATE
OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE.
DBA: Enables a user to perform most administrative functions, including creating users and granting privileges; creating and
granting roles; creating, modifying, and deleting schema objects in any schema; and more. It grants all system privileges,
but does not include the privileges to start or shut down the database instance. It is by default granted to
users SYS and SYSTEM.
As a database administrator (DBA), you can create, modify, and delete
schema objects in your own schema and in any other schema. For
purposes of this discussion, a database administrator is defined as any
user who is granted the DBA role. This includes
the SYS and SYSTEM users by default. Oracle recommends granting
the DBA role only to those users who require administrative type
access.
You can enable other users to manage schema objects without
necessarily granting them DBA privileges.
For example, a common scenario is to enable an application developer
to create, modify, and delete schema objects in his or her own schema.
To do so, you grant the RESOURCE role to the application developer.
How to Create a User and Grant Permissions in Oracle
In some cases, to create a more powerful user, you may also consider
adding the RESOURCE role (allowing the user to create named types for
custom schemas) or even the DBA role, which allows the user not only
to create custom named types but to alter and destroy them as well.
You'll want to ensure the user has privileges to actually connect to the
database and create a session using GRANT CREATE SESSION. We'll also
combine that with all privileges using GRANT ANY PRIVILEGE.
While not typically necessary in newer versions of Oracle, some older installations may require
that you manually specify the access rights the new user has to a specific schema and database
tables.
For example, if we want our admin1 user to be able to SELECT, UPDATE, INSERT,
and DELETE on the books table, we might execute the following GRANT statement:
GRANT SELECT, INSERT, UPDATE, DELETE
ON hr.hire_verify   -- this is a view
TO admin1;
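The full provisioning sequence these notes describe, written out as an added example that is not part of the original notes: it assumes a hypothetical account app_dev, placeholder tablespaces users and temp, a placeholder password, the hr.hire_verify view from the statement above, and a DBA session (the dictionary views it queries are DBA_* views). It grants the specific object privileges the account needs instead of the broad GRANT ANY PRIVILEGE mentioned above, and ends with the checks a DBA would run to confirm what the account actually holds.

```sql
-- Added example, not from the original notes. app_dev, the tablespaces,
-- the quota and the password are placeholders chosen for illustration.

-- 1. Create the account: name, password, default and temporary tablespaces,
--    and a quota so the schema cannot fill the tablespace (the attributes
--    listed at the top of the notes).
CREATE USER app_dev IDENTIFIED BY "Ch4nge_Me_On_First_Login"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 100M ON users
  PASSWORD EXPIRE          -- password status: expired, must be changed at first logon
  ACCOUNT UNLOCK;          -- account status: unlocked

-- 2. Without CREATE SESSION the account exists but cannot log on.
GRANT CREATE SESSION TO app_dev;

-- 3. A developer who creates objects in their own schema needs RESOURCE,
--    not DBA. RESOURCE does not include CREATE VIEW, so grant it separately.
GRANT RESOURCE TO app_dev;
GRANT CREATE VIEW TO app_dev;

-- 4. Object privileges on one named object in another schema, rather than
--    GRANT ANY PRIVILEGE. No WITH GRANT OPTION, so app_dev cannot pass
--    this access on to other accounts.
GRANT SELECT, INSERT, UPDATE, DELETE ON hr.hire_verify TO app_dev;

-- 5. Verify what the account actually holds before handing it over.
SELECT privilege FROM dba_sys_privs WHERE grantee = 'APP_DEV';
SELECT granted_role FROM dba_role_privs WHERE grantee = 'APP_DEV';
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'APP_DEV';

-- 6. Periodic review: accounts other than SYS and SYSTEM holding DBA, or
--    holding GRANT ANY PRIVILEGE, should each have a documented reason.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA' AND grantee NOT IN ('SYS', 'SYSTEM');
SELECT grantee FROM dba_sys_privs WHERE privilege = 'GRANT ANY PRIVILEGE';

-- 7. Decommissioning: CASCADE drops the schema objects together with the
--    user, as the notes require (objects go with the user or before it).
-- DROP USER app_dev CASCADE;
```

Grantee names are stored in upper case in the dictionary views, which is why the queries compare against 'APP_DEV'.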
These properties of roles allow for easier privilege management
within a database: