SlideShare ist ein Scribd-Unternehmen logo

User, roles and privileges

Als PPTX, PDF herunterladen
Y
Yogiji Creations

This PPT contains details about users, roles and privileges.

TechnologieBusiness
1 von 36
Users, Roles and Privileges By: Yogiji Creations www.yogijicreations.com
Index  1. Managing oracle Users: A. Creating Users B. Altering Users C. Dropping Users  2. Viewing information about database users and profiles. A. User and profile information in Data dictionary Views. B. Listing all users and associated information.  3. Predefined Accounts: SYS and SYSTEM  4. Privileges A. System privileges B. Object privileges 5. User Roles  6. Predefined Roles  7. Managing User Roles.  8. Granting user privileges and Roles  9. Revoking Privileges Yogiji Creations - Users, roles and privileges
Managing Oracle users:  1. Creating Users 2. Altering Users 3. Dropping Users 1. Creating Users: System privilege Required – CREATE USER. DBA or security administrator has the CREATE USER system privilege. Ex: CREATE USER jiten IDENTIFIED BY password DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp QUOTA UNLIMITED ON users QUOTA 100M ON my_data; Yogiji Creations - Users, roles and privileges
 Example Description:  CREATE USER command to create a user called jiten.  IDENTIFIED BY clause to define the password.  DEFAULT TABLESPACE keyword to define the location of the default tablespace, which is USERS.  TEMPORARY TABLESPACE keyword defines the temporary tablespace that will be assigned to the user, which in our case is the TEMP tablespace.  Unlimited quota to jiten on users tablespace.  Second, we limited jiten to a 100 megabyte quota on the My_Data tablespace. Yogiji Creations - Users, roles and privileges
Syntactical Diagram of Create user Yogiji Creations - Users, roles and privileges
 IDENTIFIED Clause - how Oracle Database authenticates the user.  BY password - creates a local user. User must specify password to log on to the database.  QUOTAS - How much space a user can take up in tablespace.  PROFILE Clause - Specify the profile you want to assign to the user. It limits the amount of database resources the user can use.  DEFAULT TABLESPACE Clause – Specifies for objects that the user creates. If omit - then the user's objects are stored in the database default tablespace. If no default tablespace has been specified for the database, then the user's objects are stored in the SYSTEM tablespace.  TEMPORARY TABLESPACE Clause Specify the tablespace or tablespace group for the user's temporary segments. Yogiji Creations - Users, roles and privileges
 EXTERNALLY Clause - creates an external user. Such a user must be authenticated by an external service, such as an operating system or a third-party service. In this case, Oracle Database relies on the login authentication of the operating system to ensure that a specific operating system user has access to a specific database user.  GLOBALLY Clause - creates a global user. Such a user must be authenticated by the enterprise directory service. Yogiji Creations - Users, roles and privileges
 Altering Users:  System Privileges Required - ALTER USER  Security administrators have this system privilege. Includes the ability to set tablespace quotas for a user on any tablespace in the database, even if the user performing the modification does not have a quota for a specified tablespace.  The following statement alters the security settings for the user, jiten:  ALTER USER jiten IDENTIFIED BY EXTERNALLY DEFAULT TABLESPACE data_ts TEMPORARY TABLESPACE temp_ts QUOTA 100M ON data_ts QUOTA 0 ON test_ts PROFILE clerk; Yogiji Creations - Users, roles and privileges
 The ALTER USER statement here changes the security settings for the user jiten as follows: Authentication is changed to use the operating system account of the user jiten. The default and temporary tablespaces are explicitly set for user jiten. jiten is given a 100M quota for the data_ts tablespace. The quota on the test_ts is revoked for the user jiten. jiten is assigned the clerk profile. Yogiji Creations - Users, roles and privileges
 Dropping Users:  When a user is dropped, the user and associated schema are removed from the data dictionary and all schema objects contained in the user schema.  Notes: Do not attempt to drop the SYS or SYSTEM user. Doing so will corrupt your database.  A user that is currently connected to a database cannot be dropped.  To drop a connected user, you must first terminate the user sessions using the SQL statement ALTER SYSTEM with the KILL SESSION clause.  To drop a user and all the user schema objects (if any), you must have the DROP USER system privilege. Yogiji Creations - Users, roles and privileges
 For dependent schema objects, use the CASCADE option to drop the user and all associated objects and foreign keys.  For example, if you intend to drop a user who owns a table, then check whether any views or procedures depend on that particular table.  The following statement drops the user, jones and all associated objects and foreign keys that depend on the tables owned by jones.  DROP USER jones CASCADE; Yogiji Creations - Users, roles and privileges
Viewing information about database users and profiles: User and Profile Information in Data Dictionary Views  The following data dictionary views contain information about database users and profiles: View Description DBA_USERS Describes all users of the database ALL_USERS Lists users visible to the current user, but does not describe them USER_USERS Describes only the current user DBA_TS_QUOTAS Describes tablespace quotas for users USER_TS_QUOTAS USER_PASSWORD_LIMITS Describes the password profile parameters that are assigned to the user USER_RESOURCE_LIMITS Displays the resource limits for the current user DBA_PROFILES Displays all profiles and their limits PROXY_USERS Describes users who can assume the identity of other users Yogiji Creations - Users, roles and privileges
 Listing All users and Associated Information  The following query lists all users and their associated information as defined in the database:  SELECT USERNAME, PROFILE, ACCOUNT_STATUS FROM DBA_USERS; USERNAME PROFILE ACCOUNT_STATUS SYS DEFAULT OPEN SYSTEM DEFAULT OPEN USERSCOTT DEFAULT OPEN JFEE CLERK OPEN DCRANNEY DEFAULT OPEN All passwords are encrypted to preserve security. If a user queries the PASSWORD column, then that user is not able to determine the password of another user. Yogiji Creations - Users, roles and privileges
Predefined Accounts: SYS and SYSTEM  The SYS and SYSTEM accounts have the database administrator(DBA) role granted to them by default.  The SYS account in addition has all privileges with ADMIN OPTION and owns the data dictionary. To connect to the SYS account, you must use the AS SYSDBA clause.  Any user that is granted the SYSDBA privilege can connect to the SYS account by using AS SYSDBA clause.  Only privileged users, who are granted the SYSDBA OR SYSOPER privilege, are allowed to start up and shut down the database instance.  The SYSTEM account is granted the DBA role by default, but not the SYSDBA privilege.  The SYS and SYSTEM accounts are required accounts in the database. They can’t be dropped. Yogiji Creations - Users, roles and privileges
Privileges  A right to run a particular type of SQL statement, or the right to access an object belonging to another user, run a PL/SQL package, and so on. The types of privileges are defined by Oracle Database. System Privileges Object Privileges System Privileges: defines what actions a user is allowed to take within a database. For Ex: The privilege to create tablespaces is a system privilege. It is granted by the administrator or by someone who explicitly gives permission to administer the privilege. There are more than a hundred system privileges.  The most important system privileges are: create session. create table create view create procedure sysdba sysoper Yogiji Creations - Users, roles and privileges
SYSOPER privilege allows operations such as: Startup a database, Shutdown a database, Backup a database, Recover a database and Create a database This privilege allows the user to perform basic operational tasks without the ability to look at user data. SYSDBA privilege includes all SYSOPER privileges plus full system privileges (with the ADMIN option), plus 'CREATE DATABASE' etc.. Yogiji Creations - Users, roles and privileges
 Object Privileges: Object privileges allow a user to perform a particular action on a specific object, such as Table View Sequence Package Directory Procedure Function Package Materialized View Without specific permission, users can access only their own objects.  Object privileges can be granted by the owner of an object, by the administrator, or by someone who has been explicitly given permission to grant privileges on the object. Yogiji Creations - Users, roles and privileges
User roles  A role is a set or group of privileges that can be granted to users or another role.  Oracle Database provides some predefined roles to help in database administration.  These roles, are automatically defined for Oracle databases when you run the standard scripts that are part of database creation.  You can grant privileges and roles to, and revoke privileges and roles from, these predefined roles in the same way as you do with any role you define. Yogiji Creations - Users, roles and privileges
Predefined Roles Role Name Description Connect: Includes only system privilege: Create Session Resource: Create Table, Create sequence, Create Procedure, Create Operator, Create Index, Create Cluster, Create Trigger, Create Type. Exp_full_database Select Any Table, Backup Any Table, Execute Any Procedure, Execute Any Type,administer Resource Manager, and INSERT, DELETE, And UPDATE On The Tables SYS.Incvid,sys.INCFIL, And SYS.Incexp DBA All system privileges WITH ADMIN OPTION Select_Catalog_Rol No System privileges e Recovery_catalog_ Create Session, Alter Session,create Synonym, Create View, Create owner Database Link, Create Table, Create Cluster, Create Sequence, Create Trigger, And Create Procedure Delete_catalog_rol Provides DELETE Privilege On The System Audit Table (AUD$) e Execute_catalog_r Provides EXECUTE Privilege On Objects In The Data Dictionary. ole Also, HS_ADMIN_ROLE. Select_catalog_rol Provides SELECT Privilege On Objects In The Data Dictionary. e Also, HS_ADMIN_ROLE. Yogiji Creations - Users, roles and privileges
 There are several roles that are defined automatically for Oracle databases when you can run database creation scripts. CONNECT is granted automatically to any user created with Enterprise manager. In earlier versions of the database(before 10g) the CONNECT role included more privileges, such as CREATE TABLE and CREATE DATABASE LINK, which have been removed for security reasons. Yogiji Creations - Users, roles and privileges
Managing User roles  This section describes aspects of managing roles, and contains the following topics: Creating Role Specifying the Type of Role Authorization Dropping Role 1. Creating Role You can use roles to administer database privileges. You can add privileges to a role and then grant the role to a user. The user can then enable the role and exercise the privileges granted by the role.  The syntax for creating a role is:  CREATE ROLE role_name [ NOT IDENTIFIED | IDENTIFIED {BY password | USING [schema.] package | EXTERNALLY | GLOBALLY } ; Ex: CREATE ROLE clerk IDENTIFIED BY bicentennial; Yogiji Creations - Users, roles and privileges
Syntactical Diagram of Create ROLE Yogiji Creations - Users, roles and privileges
 The NOT IDENTIFIED phrase means that the role is immediately enabled. No password is required to enable the role.  The IDENTIFIED phrase means that a user must be authorized by a specified method before the role is enabled.  The BY password phrase means that a user must supply a password to enable the role.  The USING package phrase means that you are creating an application role - a role that is enabled only by applications using an authorized package.  The EXTERNALLY phrase means that a user must be authorized by an external service to enable the role. An external service can be an operating system or third-party service.  The GLOBALLY phrase means that a user must be authorized by the enterprise directory service to enable the role. Yogiji Creations - Users, roles and privileges
 Later, you can set or change the authorization method for a role using the ALTER ROLE statement. The following statement alters the clerk role to specify that the user must have been authorized by an external source before enabling the role:  ALTER ROLE clerk IDENTIFIED EXTERNALLY;  To alter the authorization method for a role, you must have the ALTER ANY ROLE system privilege or have been granted the role with the ADMIN OPTION. Yogiji Creations - Users, roles and privileges
 2.Specifying the Type of Role Authorization  A database role can optionally require authorization when a user attempts to enable the role. Role authorization can be maintained by the database (using passwords), by the operating system, or by a network service. To alter the authorization method for a role, you must have the ALTER ANY ROLE system privilege or have been granted the role with the ADMIN OPTION. A. Role authorization by the database The use of a role can be protected by an associated password. If you are granted a role protected by a password, you can enable or disable the role only by supplying the proper password for the role in a SET ROLE statement. The following statement creates a role called manager. When it is enabled, the password morework must be supplied. CREATE ROLE manager IDENTIFIED BY morework; Yogiji Creations - Users, roles and privileges
B. Role authorization by the OS  Role authentication through the operating system is useful only when the operating system is able to dynamically link operating system privileges with applications.  When a user starts an application, the operating system grants an operating system privilege to the user. The granted operating system privilege corresponds to the role associated with the application.  At this point, the application can enable the application role. When the application is terminated, the previously granted operating system privilege is revoked from the operating system account of the user.  If a role is authorized by the operating system, then you must configure information for each user at the operating system level. This operation is operating system dependent.  If roles are granted by the operating system, then you do not need to have the operating system authorize them also. This is redundant. Yogiji Creations - Users, roles and privileges
C. Role authorization by an Enterprise Directory Service  If users connect to the database over Net8, by default their roles cannot be authenticated by the operating system. This includes connections through a multi-threaded server, as this connection requires Net8. This restriction is the default because a remote user could impersonate another operating system user over a network connection.  If you are not concerned with this security risk and want to use operating system role authentication for network clients, set the parameter REMOTE_OS_ROLES in the database's parameter file to TRUE. The change will take effect the next time you start the instance and mount the database. (The parameter is FALSE by default.) Yogiji Creations - Users, roles and privileges
 3.Dropping Roles  The security domains of all users and roles granted a dropped role are immediately changed to reflect the absence of the dropped role privileges. All indirectly granted roles of the dropped role are also removed from affected security domains. Dropping a role automatically removes the role from all user default role lists.  Because the creation of objects is not dependent on the privileges received through a role, tables and other objects are not dropped when a role is dropped.  To drop a role, you must have the DROP ANY ROLE system privilege or have been granted the role with the ADMIN OPTION.  The following statement drops the role CLERK:  DROP ROLE clerk; Yogiji Creations - Users, roles and privileges
Granting user privileges and roles  This section describes the granting of privileges and roles, and contains the following topics: Granting System Privileges and Roles Granting Object Privileges Granting Privileges on Columns 1. Granting System Privileges and Roles  You can grant system privileges and roles to other users and roles using the GRANT statement.  To grant a system privilege, ADMIN OPTION or GRANT ANY PRIVILEGE required.  To grant a role, you must have been granted the role with the ADMIN OPTION or have been granted the GRANT ANY ROLE system privilege.  The following statement grants the system privilege CREATE SESSION and the accts_pay role to the user jward:  GRANT CREATE SESSION, accts_pay TO jward; Yogiji Creations - Users, roles and privileges
 Granting the ADMIN OPTION  A user or role that is granted a privilege or role, which specifies the WITH ADMIN OPTION clause, has several expanded capabilities: The grantee can grant or revoke the system privilege or role to or from any user or other role in the database. Users cannot revoke a role from themselves. The grantee can further grant the system privilege or role with the ADMIN OPTION. The grantee of a role can alter or drop the role. In the following statement, the security administrator grants the new_dba role to michael:  GRANT new_dba TO michael WITH ADMIN OPTION;  Note: When a user creates a role, the role is automatically granted to the creator with the ADMIN OPTION Yogiji Creations - Users, roles and privileges
 Creating a New User with the GRANT Statement  Oracle enables you to create a new user with the GRANT statement.  If you specify a password using the IDENTIFIED BY clause, and the user name/password does not exist in the database, then a new user with that user name and password is created.  The following example creates ssmith as a new user while granting ssmith the CONNECT system privilege:  GRANT CONNECT TO ssmith IDENTIFIED BY p1q2r3; Yogiji Creations - Users, roles and privileges
 Granting Object Privileges  You also use the GRANT statement to grant object privileges to roles and users. To grant an object privilege, you must fulfill one of the following conditions: You own the object specified. You possess the GRANT ANY OBJECT PRIVILEGE system privilege that enables you to grant and revoke privileges on behalf of the object owner.  The WITH GRANT OPTION clause was specified when you were granted the object privilege by its owner.  The following statement grants the SELECT, INSERT, and DELETE object privileges for all columns of the emp table to the users, jfee and tsmith:  GRANT SELECT, INSERT, DELETE ON emp TO jfee, tsmith;  To grant all object privileges on the salary view to the user jfee, use the ALL keyword as shown in the following example:  GRANT ALL ON salary TO jfee; Yogiji Creations - Users, roles and privileges
 Granting Privileges on Columns  You can grant INSERT, UPDATE, or REFERENCES privileges on individual columns in a table.  The following statement grants INSERT privilege on the acct_no column of the accounts table to scott:  GRANT INSERT (acct_no) ON accounts TO scott;  In another example, object privilege for the ename and job columns of the emp table are granted to the users jfee and tsmith:  GRANT INSERT(ename, job) ON emp TO jfee, tsmith; Yogiji Creations - Users, roles and privileges
 Revoking User Privileges and Roles  This section describes aspects of revoking user privileges and roles, and contains the following topics: Revoking System Privileges and Roles Revoking Object Privileges 1. Revoking System Privileges and Roles  Any user with the ADMIN OPTION for a system privilege or role can revoke the privilege or role from any other database user or role.  The revoker does not have to be the user that originally granted the privilege or role. Users with GRANT ANY ROLE can revoke any role.  The following statement revokes the CREATE TABLE system privilege and the accts_rec role from tsmith:  REVOKE CREATE TABLE accts_rec FROM tsmith; Yogiji Creations - Users, roles and privileges
2. Revoking object privileges  To revoke an object privilege, you must fulfill one of the following conditions: You previously granted the object privilege to the user or role. You possess the GRANT ANY OBJECT PRIVILEGE that enables you to grant and revoke privileges on behalf of the object owner.  You can only revoke the privileges that you, the grantor, directly authorized, not the grants made by other users to whom you granted the GRANT OPTION.  Assuming you are the original grantor, the following statement revokes the SELECT and INSERT privileges on the emp table from the users jfee and tsmith:  REVOKE SELECT, insert ON emp FROM jfee, tsmith;  The following statement revokes all object privileges for the dept table that you originally granted to the human_resource role  REVOKE ALL ON dept FROM human_resources; Yogiji Creations - Users, roles and privileges
Thank You For queries mail me on: info@yogijicreatins.com

Empfohlen

Oracle User Management
Oracle User ManagementOracle User Management
Oracle User Management
Arun Sharma
 
Less08 users
Less08 usersLess08 users
Less08 users
Amit Bhalla
 
Backup & recovery with rman
Backup & recovery with rmanBackup & recovery with rman
Backup & recovery with rman
itsabidhussain
 
Introduction to Oracle Database
Introduction to Oracle DatabaseIntroduction to Oracle Database
Introduction to Oracle Database
puja_dhar
 
Standard Edition High Availability (SEHA) - The Why, What & How
Standard Edition High Availability (SEHA) - The Why, What & HowStandard Edition High Availability (SEHA) - The Why, What & How
Standard Edition High Availability (SEHA) - The Why, What & How
Markus Michalewicz
 
Oracle backup and recovery
Oracle backup and recoveryOracle backup and recovery
Oracle backup and recovery
Yogiji Creations
 
The Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - PresentationThe Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - Presentation
Markus Michalewicz
 
Controlling User Access -Data base
Controlling User Access -Data baseControlling User Access -Data base
Controlling User Access -Data base
Salman Memon
 

Empfohlen

Oracle User Management
Oracle User ManagementOracle User Management
Oracle User Management
Arun Sharma
 
Less08 users
Less08 usersLess08 users
Less08 users
Amit Bhalla
 
Backup & recovery with rman
Backup & recovery with rmanBackup & recovery with rman
Backup & recovery with rman
itsabidhussain
 
Introduction to Oracle Database
Introduction to Oracle DatabaseIntroduction to Oracle Database
Introduction to Oracle Database
puja_dhar
 
Standard Edition High Availability (SEHA) - The Why, What & How
Standard Edition High Availability (SEHA) - The Why, What & HowStandard Edition High Availability (SEHA) - The Why, What & How
Standard Edition High Availability (SEHA) - The Why, What & How
Markus Michalewicz
 
Oracle backup and recovery
Oracle backup and recoveryOracle backup and recovery
Oracle backup and recovery
Yogiji Creations
 
The Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - PresentationThe Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - Presentation
Markus Michalewicz
 
Controlling User Access -Data base
Controlling User Access -Data baseControlling User Access -Data base
Controlling User Access -Data base
Salman Memon
 
Oracle architecture ppt
Oracle architecture pptOracle architecture ppt
Oracle architecture ppt
Deepak Shetty
 
Sql grant, revoke, privileges and roles
Sql grant, revoke, privileges and rolesSql grant, revoke, privileges and roles
Sql grant, revoke, privileges and roles
Vivek Singh
 
Backup and recovery in oracle
Backup and recovery in oracleBackup and recovery in oracle
Backup and recovery in oracle
sadegh salehi
 
Less06 networking
Less06 networkingLess06 networking
Less06 networking
Amit Bhalla
 
Database backup & recovery
Database backup & recoveryDatabase backup & recovery
Database backup & recovery
Mustafa Khan
 
Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cOracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12c
Nabeel Yoosuf
 
Introduction to oracle database (basic concepts)
Introduction to oracle database (basic concepts)Introduction to oracle database (basic concepts)
Introduction to oracle database (basic concepts)
Bilal Arshad
 
DBA
DBADBA
DBA
Anuj Modi
 
Active Directory
Active Directory Active Directory
Active Directory
Sandeep Kapadane
 
Oracle GoldenGate 21c New Features and Best Practices
Oracle GoldenGate 21c New Features and Best PracticesOracle GoldenGate 21c New Features and Best Practices
Oracle GoldenGate 21c New Features and Best Practices
Bobby Curtis
 
PostgreSQL
PostgreSQLPostgreSQL
PostgreSQL
Amazon Web Services
 
Oracle data pump
Oracle data pumpOracle data pump
Oracle data pump
marcxav72
 
Basic oracle-database-administration
Basic oracle-database-administrationBasic oracle-database-administration
Basic oracle-database-administration
sreehari orienit
 
Less01 architecture
Less01 architectureLess01 architecture
Less01 architecture
Amit Bhalla
 
Oracle data guard for beginners
Oracle data guard for beginnersOracle data guard for beginners
Oracle data guard for beginners
Pini Dibask
 
Oracle Enterprise Manager
Oracle Enterprise ManagerOracle Enterprise Manager
Oracle Enterprise Manager
PebbleIT Solutions
 
MySQL Database Architectures - MySQL InnoDB ClusterSet 2021-11
MySQL Database Architectures - MySQL InnoDB ClusterSet 2021-11MySQL Database Architectures - MySQL InnoDB ClusterSet 2021-11
MySQL Database Architectures - MySQL InnoDB ClusterSet 2021-11
Kenny Gryp
 
Sql Server Basics
Sql Server BasicsSql Server Basics
Sql Server Basics
rainynovember12
 
Database user and administrator.pptx
Database user and administrator.pptxDatabase user and administrator.pptx
Database user and administrator.pptx
Anusha sivakumar
 
STRUCTURE OF SQL QUERIES
STRUCTURE OF SQL QUERIESSTRUCTURE OF SQL QUERIES
STRUCTURE OF SQL QUERIES
VENNILAV6
 
Less07 Users
Less07 UsersLess07 Users
Less07 Users
vivaankumar
 
03_DP_300T00A_Secure_Environment.pptx
03_DP_300T00A_Secure_Environment.pptx03_DP_300T00A_Secure_Environment.pptx
03_DP_300T00A_Secure_Environment.pptx
KareemBullard1
 

Weitere ähnliche Inhalte

Was ist angesagt?

Sql grant, revoke, privileges and roles
Sql grant, revoke, privileges and rolesSql grant, revoke, privileges and roles
Sql grant, revoke, privileges and roles
Vivek Singh
 
Oracle data pump
Oracle data pumpOracle data pump
Oracle data pump
marcxav72
 
Less01 architecture
Less01 architectureLess01 architecture
Less01 architecture
Amit Bhalla
 

Was ist angesagt? (20)

Oracle architecture ppt
Oracle architecture pptOracle architecture ppt
Oracle architecture ppt
 
Sql grant, revoke, privileges and roles
Sql grant, revoke, privileges and rolesSql grant, revoke, privileges and roles
Sql grant, revoke, privileges and roles
 
Backup and recovery in oracle
Backup and recovery in oracleBackup and recovery in oracle
Backup and recovery in oracle
 
Less06 networking
Less06 networkingLess06 networking
Less06 networking
 
Database backup & recovery
Database backup & recoveryDatabase backup & recovery
Database backup & recovery
 
Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cOracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12c
 
Introduction to oracle database (basic concepts)
Introduction to oracle database (basic concepts)Introduction to oracle database (basic concepts)
Introduction to oracle database (basic concepts)
 
DBA
DBADBA
DBA
 
Active Directory
Active Directory Active Directory
Active Directory
 
Oracle GoldenGate 21c New Features and Best Practices
Oracle GoldenGate 21c New Features and Best PracticesOracle GoldenGate 21c New Features and Best Practices
Oracle GoldenGate 21c New Features and Best Practices
 
PostgreSQL
PostgreSQLPostgreSQL
PostgreSQL
 
Oracle data pump
Oracle data pumpOracle data pump
Oracle data pump
 
Basic oracle-database-administration
Basic oracle-database-administrationBasic oracle-database-administration
Basic oracle-database-administration
 
Less01 architecture
Less01 architectureLess01 architecture
Less01 architecture
 
Oracle data guard for beginners
Oracle data guard for beginnersOracle data guard for beginners
Oracle data guard for beginners
 
Oracle Enterprise Manager
Oracle Enterprise ManagerOracle Enterprise Manager
Oracle Enterprise Manager
 
MySQL Database Architectures - MySQL InnoDB ClusterSet 2021-11
MySQL Database Architectures - MySQL InnoDB ClusterSet 2021-11MySQL Database Architectures - MySQL InnoDB ClusterSet 2021-11
MySQL Database Architectures - MySQL InnoDB ClusterSet 2021-11
 
Sql Server Basics
Sql Server BasicsSql Server Basics
Sql Server Basics
 
Database user and administrator.pptx
Database user and administrator.pptxDatabase user and administrator.pptx
Database user and administrator.pptx
 
STRUCTURE OF SQL QUERIES
STRUCTURE OF SQL QUERIESSTRUCTURE OF SQL QUERIES
STRUCTURE OF SQL QUERIES
 

Ähnlich wie User, roles and privileges

Less06 users
Less06 usersLess06 users
Less06 users
Imran Ali
 
e computer notes - Controlling user access
e computer notes - Controlling user accesse computer notes - Controlling user access
e computer notes - Controlling user access
ecomputernotes
 

Ähnlich wie User, roles and privileges (20)

Less07 Users
Less07 UsersLess07 Users
Less07 Users
 
03_DP_300T00A_Secure_Environment.pptx
03_DP_300T00A_Secure_Environment.pptx03_DP_300T00A_Secure_Environment.pptx
03_DP_300T00A_Secure_Environment.pptx
 
Db pre
Db preDb pre
Db pre
 
Les13
Les13Les13
Les13
 
Les01
Les01Les01
Les01
 
Less06 users
Less06 usersLess06 users
Less06 users
 
Les14
Les14Les14
Les14
 
Create user database management security
Create user database management securityCreate user database management security
Create user database management security
 
Oracle Database Security For Developers
Oracle Database Security For DevelopersOracle Database Security For Developers
Oracle Database Security For Developers
 
e computer notes - Controlling user access
e computer notes - Controlling user accesse computer notes - Controlling user access
e computer notes - Controlling user access
 
OER-Unit 1 authentication -Lecturer Notes
OER-Unit 1 authentication -Lecturer NotesOER-Unit 1 authentication -Lecturer Notes
OER-Unit 1 authentication -Lecturer Notes
 
Write the query for creating the users exp 11
Write the query for creating the users exp 11Write the query for creating the users exp 11
Write the query for creating the users exp 11
 
Les14[1]Controlling User Access
Les14[1]Controlling User AccessLes14[1]Controlling User Access
Les14[1]Controlling User Access
 
Database administration commands
Database administration commands Database administration commands
Database administration commands
 
SAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docxSAP_HANA_SECURITY_overview_online_Resear.docx
SAP_HANA_SECURITY_overview_online_Resear.docx
 
Roles
RolesRoles
Roles
 
Cairo meetup low code best practices
Cairo meetup low code best practicesCairo meetup low code best practices
Cairo meetup low code best practices
 
TrackStudio Permissions
TrackStudio PermissionsTrackStudio Permissions
TrackStudio Permissions
 
Database administration
Database administrationDatabase administration
Database administration
 
MS SQL server audit
MS SQL server auditMS SQL server audit
MS SQL server audit
 

Kürzlich hochgeladen

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
Malak Abu Hammad
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 

Kürzlich hochgeladen (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

User, roles and privileges

  • 1. Users, Roles and Privileges By: Yogiji Creations www.yogijicreations.com
  • 2. Index  1. Managing oracle Users: A. Creating Users B. Altering Users C. Dropping Users  2. Viewing information about database users and profiles. A. User and profile information in Data dictionary Views. B. Listing all users and associated information.  3. Predefined Accounts: SYS and SYSTEM  4. Privileges A. System privileges B. Object privileges 5. User Roles  6. Predefined Roles  7. Managing User Roles.  8. Granting user privileges and Roles  9. Revoking Privileges Yogiji Creations - Users, roles and privileges
  • 3. Managing Oracle users:  1. Creating Users 2. Altering Users 3. Dropping Users 1. Creating Users: System privilege Required – CREATE USER. DBA or security administrator has the CREATE USER system privilege. Ex: CREATE USER jiten IDENTIFIED BY password DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp QUOTA UNLIMITED ON users QUOTA 100M ON my_data; Yogiji Creations - Users, roles and privileges
  • 4. Example Description:  CREATE USER command to create a user called jiten.  IDENTIFIED BY clause to define the password.  DEFAULT TABLESPACE keyword to define the location of the default tablespace, which is USERS.  TEMPORARY TABLESPACE keyword defines the temporary tablespace that will be assigned to the user, which in our case is the TEMP tablespace.  Unlimited quota to jiten on users tablespace.  Second, we limited jiten to a 100 megabyte quota on the My_Data tablespace. Yogiji Creations - Users, roles and privileges
  • 5. Syntactical Diagram of Create user Yogiji Creations - Users, roles and privileges
  • 6. IDENTIFIED Clause - how Oracle Database authenticates the user.  BY password - creates a local user. User must specify password to log on to the database.  QUOTAS - How much space a user can take up in tablespace.  PROFILE Clause - Specify the profile you want to assign to the user. It limits the amount of database resources the user can use.  DEFAULT TABLESPACE Clause – Specifies for objects that the user creates. If omit - then the user's objects are stored in the database default tablespace. If no default tablespace has been specified for the database, then the user's objects are stored in the SYSTEM tablespace.  TEMPORARY TABLESPACE Clause Specify the tablespace or tablespace group for the user's temporary segments. Yogiji Creations - Users, roles and privileges
  • 7. EXTERNALLY Clause - creates an external user. Such a user must be authenticated by an external service, such as an operating system or a third-party service. In this case, Oracle Database relies on the login authentication of the operating system to ensure that a specific operating system user has access to a specific database user.  GLOBALLY Clause - creates a global user. Such a user must be authenticated by the enterprise directory service. Yogiji Creations - Users, roles and privileges
  • 8. Altering Users:  System Privileges Required - ALTER USER  Security administrators have this system privilege. Includes the ability to set tablespace quotas for a user on any tablespace in the database, even if the user performing the modification does not have a quota for a specified tablespace.  The following statement alters the security settings for the user, jiten:  ALTER USER jiten IDENTIFIED BY EXTERNALLY DEFAULT TABLESPACE data_ts TEMPORARY TABLESPACE temp_ts QUOTA 100M ON data_ts QUOTA 0 ON test_ts PROFILE clerk; Yogiji Creations - Users, roles and privileges
  • 9. The ALTER USER statement here changes the security settings for the user jiten as follows: Authentication is changed to use the operating system account of the user jiten. The default and temporary tablespaces are explicitly set for user jiten. jiten is given a 100M quota for the data_ts tablespace. The quota on the test_ts is revoked for the user jiten. jiten is assigned the clerk profile. Yogiji Creations - Users, roles and privileges
  • 10. Dropping Users:  When a user is dropped, the user and associated schema are removed from the data dictionary and all schema objects contained in the user schema.  Notes: Do not attempt to drop the SYS or SYSTEM user. Doing so will corrupt your database.  A user that is currently connected to a database cannot be dropped.  To drop a connected user, you must first terminate the user sessions using the SQL statement ALTER SYSTEM with the KILL SESSION clause.  To drop a user and all the user schema objects (if any), you must have the DROP USER system privilege. Yogiji Creations - Users, roles and privileges
  • 11. For dependent schema objects, use the CASCADE option to drop the user and all associated objects and foreign keys.  For example, if you intend to drop a user who owns a table, then check whether any views or procedures depend on that particular table.  The following statement drops the user, jones and all associated objects and foreign keys that depend on the tables owned by jones.  DROP USER jones CASCADE; Yogiji Creations - Users, roles and privileges
  • 12. Viewing information about database users and profiles: User and Profile Information in Data Dictionary Views  The following data dictionary views contain information about database users and profiles: View Description DBA_USERS Describes all users of the database ALL_USERS Lists users visible to the current user, but does not describe them USER_USERS Describes only the current user DBA_TS_QUOTAS Describes tablespace quotas for users USER_TS_QUOTAS USER_PASSWORD_LIMITS Describes the password profile parameters that are assigned to the user USER_RESOURCE_LIMITS Displays the resource limits for the current user DBA_PROFILES Displays all profiles and their limits PROXY_USERS Describes users who can assume the identity of other users Yogiji Creations - Users, roles and privileges
  • 13. Listing All users and Associated Information  The following query lists all users and their associated information as defined in the database:  SELECT USERNAME, PROFILE, ACCOUNT_STATUS FROM DBA_USERS; USERNAME PROFILE ACCOUNT_STATUS SYS DEFAULT OPEN SYSTEM DEFAULT OPEN USERSCOTT DEFAULT OPEN JFEE CLERK OPEN DCRANNEY DEFAULT OPEN All passwords are encrypted to preserve security. If a user queries the PASSWORD column, then that user is not able to determine the password of another user. Yogiji Creations - Users, roles and privileges
  • 14. Predefined Accounts: SYS and SYSTEM  The SYS and SYSTEM accounts have the database administrator(DBA) role granted to them by default.  The SYS account in addition has all privileges with ADMIN OPTION and owns the data dictionary. To connect to the SYS account, you must use the AS SYSDBA clause.  Any user that is granted the SYSDBA privilege can connect to the SYS account by using AS SYSDBA clause.  Only privileged users, who are granted the SYSDBA OR SYSOPER privilege, are allowed to start up and shut down the database instance.  The SYSTEM account is granted the DBA role by default, but not the SYSDBA privilege.  The SYS and SYSTEM accounts are required accounts in the database. They can’t be dropped. Yogiji Creations - Users, roles and privileges
  • 15. Privileges  A right to run a particular type of SQL statement, or the right to access an object belonging to another user, run a PL/SQL package, and so on. The types of privileges are defined by Oracle Database. System Privileges Object Privileges System Privileges: defines what actions a user is allowed to take within a database. For Ex: The privilege to create tablespaces is a system privilege. It is granted by the administrator or by someone who explicitly gives permission to administer the privilege. There are more than a hundred system privileges.  The most important system privileges are: create session. create table create view create procedure sysdba sysoper Yogiji Creations - Users, roles and privileges
  • 16. SYSOPER privilege allows operations such as: Startup a database, Shutdown a database, Backup a database, Recover a database and Create a database This privilege allows the user to perform basic operational tasks without the ability to look at user data. SYSDBA privilege includes all SYSOPER privileges plus full system privileges (with the ADMIN option), plus 'CREATE DATABASE' etc.. Yogiji Creations - Users, roles and privileges
  • 17. Object Privileges: Object privileges allow a user to perform a particular action on a specific object, such as Table View Sequence Package Directory Procedure Function Package Materialized View Without specific permission, users can access only their own objects.  Object privileges can be granted by the owner of an object, by the administrator, or by someone who has been explicitly given permission to grant privileges on the object. Yogiji Creations - Users, roles and privileges
  • 18. User roles  A role is a set or group of privileges that can be granted to users or another role.  Oracle Database provides some predefined roles to help in database administration.  These roles, are automatically defined for Oracle databases when you run the standard scripts that are part of database creation.  You can grant privileges and roles to, and revoke privileges and roles from, these predefined roles in the same way as you do with any role you define. Yogiji Creations - Users, roles and privileges
  • 19. Predefined Roles Role Name Description Connect: Includes only system privilege: Create Session Resource: Create Table, Create sequence, Create Procedure, Create Operator, Create Index, Create Cluster, Create Trigger, Create Type. Exp_full_database Select Any Table, Backup Any Table, Execute Any Procedure, Execute Any Type,administer Resource Manager, and INSERT, DELETE, And UPDATE On The Tables SYS.Incvid,sys.INCFIL, And SYS.Incexp DBA All system privileges WITH ADMIN OPTION Select_Catalog_Rol No System privileges e Recovery_catalog_ Create Session, Alter Session,create Synonym, Create View, Create owner Database Link, Create Table, Create Cluster, Create Sequence, Create Trigger, And Create Procedure Delete_catalog_rol Provides DELETE Privilege On The System Audit Table (AUD$) e Execute_catalog_r Provides EXECUTE Privilege On Objects In The Data Dictionary. ole Also, HS_ADMIN_ROLE. Select_catalog_rol Provides SELECT Privilege On Objects In The Data Dictionary. e Also, HS_ADMIN_ROLE. Yogiji Creations - Users, roles and privileges
  • 20. There are several roles that are defined automatically for Oracle databases when you can run database creation scripts. CONNECT is granted automatically to any user created with Enterprise manager. In earlier versions of the database(before 10g) the CONNECT role included more privileges, such as CREATE TABLE and CREATE DATABASE LINK, which have been removed for security reasons. Yogiji Creations - Users, roles and privileges
  • 21. Managing User roles  This section describes aspects of managing roles, and contains the following topics: Creating Role Specifying the Type of Role Authorization Dropping Role 1. Creating Role You can use roles to administer database privileges. You can add privileges to a role and then grant the role to a user. The user can then enable the role and exercise the privileges granted by the role.  The syntax for creating a role is:  CREATE ROLE role_name [ NOT IDENTIFIED | IDENTIFIED {BY password | USING [schema.] package | EXTERNALLY | GLOBALLY } ; Ex: CREATE ROLE clerk IDENTIFIED BY bicentennial; Yogiji Creations - Users, roles and privileges
  • 22. Syntactical Diagram of Create ROLE Yogiji Creations - Users, roles and privileges
  • 23. The NOT IDENTIFIED phrase means that the role is immediately enabled. No password is required to enable the role.  The IDENTIFIED phrase means that a user must be authorized by a specified method before the role is enabled.  The BY password phrase means that a user must supply a password to enable the role.  The USING package phrase means that you are creating an application role - a role that is enabled only by applications using an authorized package.  The EXTERNALLY phrase means that a user must be authorized by an external service to enable the role. An external service can be an operating system or third-party service.  The GLOBALLY phrase means that a user must be authorized by the enterprise directory service to enable the role. Yogiji Creations - Users, roles and privileges
  • 24. Later, you can set or change the authorization method for a role using the ALTER ROLE statement. The following statement alters the clerk role to specify that the user must have been authorized by an external source before enabling the role:  ALTER ROLE clerk IDENTIFIED EXTERNALLY;  To alter the authorization method for a role, you must have the ALTER ANY ROLE system privilege or have been granted the role with the ADMIN OPTION. Yogiji Creations - Users, roles and privileges
  • 25. 2.Specifying the Type of Role Authorization  A database role can optionally require authorization when a user attempts to enable the role. Role authorization can be maintained by the database (using passwords), by the operating system, or by a network service. To alter the authorization method for a role, you must have the ALTER ANY ROLE system privilege or have been granted the role with the ADMIN OPTION. A. Role authorization by the database The use of a role can be protected by an associated password. If you are granted a role protected by a password, you can enable or disable the role only by supplying the proper password for the role in a SET ROLE statement. The following statement creates a role called manager. When it is enabled, the password morework must be supplied. CREATE ROLE manager IDENTIFIED BY morework; Yogiji Creations - Users, roles and privileges
  • 26. B. Role authorization by the OS  Role authentication through the operating system is useful only when the operating system is able to dynamically link operating system privileges with applications.  When a user starts an application, the operating system grants an operating system privilege to the user. The granted operating system privilege corresponds to the role associated with the application.  At this point, the application can enable the application role. When the application is terminated, the previously granted operating system privilege is revoked from the operating system account of the user.  If a role is authorized by the operating system, then you must configure information for each user at the operating system level. This operation is operating system dependent.  If roles are granted by the operating system, then you do not need to have the operating system authorize them also. This is redundant. Yogiji Creations - Users, roles and privileges
  • 27. C. Role authorization by an Enterprise Directory Service  If users connect to the database over Net8, by default their roles cannot be authenticated by the operating system. This includes connections through a multi-threaded server, as this connection requires Net8. This restriction is the default because a remote user could impersonate another operating system user over a network connection.  If you are not concerned with this security risk and want to use operating system role authentication for network clients, set the parameter REMOTE_OS_ROLES in the database's parameter file to TRUE. The change will take effect the next time you start the instance and mount the database. (The parameter is FALSE by default.) Yogiji Creations - Users, roles and privileges
  • 28. 3.Dropping Roles  The security domains of all users and roles granted a dropped role are immediately changed to reflect the absence of the dropped role privileges. All indirectly granted roles of the dropped role are also removed from affected security domains. Dropping a role automatically removes the role from all user default role lists.  Because the creation of objects is not dependent on the privileges received through a role, tables and other objects are not dropped when a role is dropped.  To drop a role, you must have the DROP ANY ROLE system privilege or have been granted the role with the ADMIN OPTION.  The following statement drops the role CLERK:  DROP ROLE clerk; Yogiji Creations - Users, roles and privileges
  • 29. Granting user privileges and roles  This section describes the granting of privileges and roles, and contains the following topics: Granting System Privileges and Roles Granting Object Privileges Granting Privileges on Columns 1. Granting System Privileges and Roles  You can grant system privileges and roles to other users and roles using the GRANT statement.  To grant a system privilege, ADMIN OPTION or GRANT ANY PRIVILEGE required.  To grant a role, you must have been granted the role with the ADMIN OPTION or have been granted the GRANT ANY ROLE system privilege.  The following statement grants the system privilege CREATE SESSION and the accts_pay role to the user jward:  GRANT CREATE SESSION, accts_pay TO jward; Yogiji Creations - Users, roles and privileges
  • 30. Granting the ADMIN OPTION  A user or role that is granted a privilege or role, which specifies the WITH ADMIN OPTION clause, has several expanded capabilities: The grantee can grant or revoke the system privilege or role to or from any user or other role in the database. Users cannot revoke a role from themselves. The grantee can further grant the system privilege or role with the ADMIN OPTION. The grantee of a role can alter or drop the role. In the following statement, the security administrator grants the new_dba role to michael:  GRANT new_dba TO michael WITH ADMIN OPTION;  Note: When a user creates a role, the role is automatically granted to the creator with the ADMIN OPTION Yogiji Creations - Users, roles and privileges
  • 31. Creating a New User with the GRANT Statement  Oracle enables you to create a new user with the GRANT statement.  If you specify a password using the IDENTIFIED BY clause, and the user name/password does not exist in the database, then a new user with that user name and password is created.  The following example creates ssmith as a new user while granting ssmith the CONNECT system privilege:  GRANT CONNECT TO ssmith IDENTIFIED BY p1q2r3; Yogiji Creations - Users, roles and privileges
  • 32. Granting Object Privileges  You also use the GRANT statement to grant object privileges to roles and users. To grant an object privilege, you must fulfill one of the following conditions: You own the object specified. You possess the GRANT ANY OBJECT PRIVILEGE system privilege that enables you to grant and revoke privileges on behalf of the object owner.  The WITH GRANT OPTION clause was specified when you were granted the object privilege by its owner.  The following statement grants the SELECT, INSERT, and DELETE object privileges for all columns of the emp table to the users, jfee and tsmith:  GRANT SELECT, INSERT, DELETE ON emp TO jfee, tsmith;  To grant all object privileges on the salary view to the user jfee, use the ALL keyword as shown in the following example:  GRANT ALL ON salary TO jfee; Yogiji Creations - Users, roles and privileges
  • 33. Granting Privileges on Columns  You can grant INSERT, UPDATE, or REFERENCES privileges on individual columns in a table.  The following statement grants INSERT privilege on the acct_no column of the accounts table to scott:  GRANT INSERT (acct_no) ON accounts TO scott;  In another example, object privilege for the ename and job columns of the emp table are granted to the users jfee and tsmith:  GRANT INSERT(ename, job) ON emp TO jfee, tsmith; Yogiji Creations - Users, roles and privileges
  • 34. Revoking User Privileges and Roles  This section describes aspects of revoking user privileges and roles, and contains the following topics: Revoking System Privileges and Roles Revoking Object Privileges 1. Revoking System Privileges and Roles  Any user with the ADMIN OPTION for a system privilege or role can revoke the privilege or role from any other database user or role.  The revoker does not have to be the user that originally granted the privilege or role. Users with GRANT ANY ROLE can revoke any role.  The following statement revokes the CREATE TABLE system privilege and the accts_rec role from tsmith:  REVOKE CREATE TABLE accts_rec FROM tsmith; Yogiji Creations - Users, roles and privileges
  • 35. 2. Revoking object privileges  To revoke an object privilege, you must fulfill one of the following conditions: You previously granted the object privilege to the user or role. You possess the GRANT ANY OBJECT PRIVILEGE that enables you to grant and revoke privileges on behalf of the object owner.  You can only revoke the privileges that you, the grantor, directly authorized, not the grants made by other users to whom you granted the GRANT OPTION.  Assuming you are the original grantor, the following statement revokes the SELECT and INSERT privileges on the emp table from the users jfee and tsmith:  REVOKE SELECT, insert ON emp FROM jfee, tsmith;  The following statement revokes all object privileges for the dept table that you originally granted to the human_resource role  REVOKE ALL ON dept FROM human_resources; Yogiji Creations - Users, roles and privileges
  • 36. Thank You For queries mail me on: info@yogijicreatins.com