OCA 07 - Administering User Security

07 - Administering User Security
By Muhammad Asghar Khan

Reference: OCA Oracle Database 11g - Admin I Exam Guide by John Watson
1/2
Agenda
Create and Manage Database User Accounts

Username Default Tablespace and Quotas Temporary Tablespace Profile Authentication Methods EXERCISE 7-1: Create Users
Grant and Revoke Privileges

2
System Privileges Object Privileges EXERCISE 7-2: Grant and Revoke Privileges
http://asghars.blogspot.com
2/2
Agenda
Create and Manage Roles
EXERCISE 7-3: Create and Grant Roles EXERCISE 7-4: Create and Use Profiles
Create and Manage Profiles
1/10
To establish a session against an instance and a database, a user must connect to a user account In some applications, each user will have his own database user account This security model works well for small applications but is often impractical for larger systems with many hundreds or thousands of users This model relies on the application to map the real end user to a database user account, and it can make session-level security and auditing more complex Here we assume that every user is known to the database; they all have their own user accounts
2/10
A user account has a number of attributes defined at account creation time These attributes are: Username
A username must begin with a letter, must be no more than 30 characters, and can consist of only letters, digits, and the characters dollar ($) and underscore (_) The letters are case sensitive but will be automatically converted to uppercase To change username, the account must be dropped and another account created. This is a drastic action, because all the objects in the users schema will be dropped along with the user
3/10
Default Tablespace and Quotas

Every user account has a default tablespace There is a database-wide default tablespace that will be applied to all user accounts if a default tablespace is not specified when creating the user The default can be set when creating the database and changed later with ALTER DATABASE DEFAULT
TABLESPACE
If a default tablespace is not specified when creating the database, it will be set to the SYSTEM tablespace (a very bad practice)
4/10
A quota is the amount of space in a tablespace that a user is allowed to occupy
-1 shows the u01 has unlimited quota on users tablespace
5/10
Temporary Tablespace
Operations that need temporary space (in memory if possible, in a temporary tablespace if necessary) include sorting rows, joining tables, building indexes, and using temporary tables To change a users temporary tablespace use ALTER
USER username TEMPORARY TABLESPACE tablespace_name;
If many users are logging on to the same user account, they will share use of one temporary tablespace. This can be a performance bottleneck, which may be avoided by using temporary tablespace groups
6/10
Profile
A users profile controls his password settings and gives a limited amount of control over his resource usage
Authentication Methods
A user account must have an authentication method Following are the some of methods:
Operating system & password file authentication
Granting sysdba or sysoper privileges will copy the users password from the data dictionary into the external password file where it can be read by the instance even if the database is not open
7/10
To use password file authentication, the user can connect with this syntax
CONNECT username / password [@db_alias] AS [SYSOPER | SYSDBA];
To use operating system authentication, the user can connect with this syntax
CONNECT / AS [ SYSOPER | SYSDBA ] ;
To determine to whom the SYSDBA and SYSOPER privileges have been granted, query the view V$PWFILE_USERS
Password Authentication
10
With password authentication, the instance will validate the password given against that stored with the user account in the data dictionary http://asghars.blogspot.com
8/10
The syntax for a connection with password authentication is
The user SYS is not permitted to connect with password authentication; only password file, operating system, or LDAP authentication are possible for SYS When a connection is made across a network, release 11g will always encrypt password using the AES algorithm before transmission Any user can change his/her user account password at any time
11
9/10
External Authentication
If external authentication is used, Oracle will delegate the authentication to an external service; it will not prompt for a password With Advance Security option, the external service can be a Kerberos server, a Radius server etc. Without the Advanced Security option, the only form of external authentication is that can be used is OS authentication To create an oracle user and allow him to use the external authentication use the command:
User name needed to be prefixed with the key string OPS$

12
10/10
Any user logged on to Unix as asghar will be able to issue this command and will be connected to the database user account ops$asghar
Global Authentication
A global user is a user who is defined within the LDAP directory, and global authentication is a means of delegating user authentication to the directory It doesnt requires the user to present a password to the database
13
1/2
EXERCISE 7-1: Create Users

1.
Create three users
2.
Confirm that the users have been created with Database Control. From database home page, the navigation path is the Server tab and the Users link in the Security section
14
2/2
EXERCISE 7-1: Create Users

3.
From SQL*Plus, attempt to connect as user alois
alois can not connect because alois does not have the CREATE SESSION privilege
4.
Refresh the Database Control window, and note that the status of the ALOIS account is no longer EXPIRED but OPEN, because his password has been changed
15
1/4

Privileges are assigned to user accounts with a GRANT command and withdrawn with a REVOKE A user cannot even connect without being granted a privilege Privileges come in two groups:

System privileges that let users perform actions that affect the data dictionary Object privileges that let users perform actions that affect data
16
2/4
System Privileges

There are about two hundred system privileges These privileges affect the data dictionary, database or instance, or establishing a session Some of the more commonly used privileges are:

17
CREATE SESSION RESTRICTED SESSION; allows to users to connect when an instance is started in RESTRICTED mode ALTER DATABASE ALTER SYSTEM; allows control on instance parameters and memory structures CREATE TABLESPACE
3/4

CREATE TABLE GRANT ANY OBJECT PRIVILEGE CREATE ANY TABLE DROP ANY TABLE INSERT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE SELECT ANY TABLE
The syntax for granting system privileges is GRANT privilege [, privilege...] TO username [with admin option];
18
ANY privileges should be used with extreme caution, as it removes all protection from user tables
4/4
Object Privileges
GRANT privilege ON schema.object [WITH GRANT OPTION] ;
Object privileges give the ability to perform SELECT, INSERT, UPDATE, and DELETE commands against tables, and to execute PL/SQL objects The syntax is
TO username
Granting privileges at the column level is often said to be bad practice because of the massive workload involved
19
1/5
EXERCISE 7-2: Grant and Revoke Privileges

1.
Grant CREATE SESSION to user alois Now connect as alois. This time, the login will succeed As alois, attempt to create a table
2.
3.
20
2/5

4.
In the SYSTEM session, grant alois the CREATE TABLE privilege In the alois session, try again to create table As alois, grant object privileges on the new table
5.
6.
21
3/5

7.
Connect to Database Control as user SYSTEM. Confirm that the object privileges have been granted. SchemaDatabase ObjectsTables link. Enter ALOIS as the Schema and T1 as the Table and click the Go button. In the Actions drop-down box, select Object Privileges. ANJA has only SELECT, but AFRA has everything
22
4/5

8.
Confirm which privileges have granted to alois ServerSecurity SectionUsers link. Select the radio button for alois, and click the View button
9.
Retrieve the same information with SQL*Plus
23
5/5

10.
Revoke the privileges granted to AFRA and ANJA
24
1/4
A role is a collection of system and/or object privileges that can be granted and revoked as a unit, and having been granted can be temporarily activated or deactivated within a session Roles are not schema objects: they arent owned by anyone and so cannot be prefixed with a username Create a role with the CREATE ROLE command:
CREATE ROLE rolename;
Then grant privileges to the role with the usual syntax, including WITH ADMIN or WITH GRANT OPTION of desired
25 http://asghars.blogspot.com
2/4
There are at least 50 predefined roles in an Oracle database
CONNECT; exists for backward compatibility, with the current release, it only has CREATE SESSION RESOURCE; Also for backward compatibility, this role can create both data objects and procedural objects DBA; Any user granted DBA can manage virtually all aspects of the database, except for startup and shutdown SELECT_CATALOG_ROLE ; Has over 2000 object privileges against data dictionary objects, but no system privileges or privileges against user data
26
3/4
SCHEDULER_ADMIN ; Has the system privileges necessary for managing the Scheduler job scheduling service PUBLIC; always granted to every database user account. if a privilege is granted to PUBLIC, it will be available to all users
If a user has been granted a role, then the role will enabled by default This behavior can be modified by making the role non-default
27
4/4
The basic command to enable a role within a session is
28
1/6
EXERCISE 7-3: Create and Grant Roles

1.
Create two roles as follows
2.
Grant some privileges to the roles, and grant USR_ROLE to MGR_ROLE
29
2/6

3.
Grant the roles to AFRA Connect to the database as user AFRA and grant the USR_ROLE to ANJA
4.
5.
Confirm the ANJA can connect and query ALOIS.t1 but do nothing else
30
3/6
6.
As user SYSTEM, adjust ANJA so that by default he can log on but do nothing else
31
4/6

7.
Demonstrate the enabling and disabling of roles
32
5/6

8.
Use Database Control to inspect the roles. The navigation path from the Home PageServer tab Security sectionRoles link
33
6/6

9.
To see to whom a role has been granted, in the Actions drop-down box shown in the preceding illustration, select Show Grantees and click the Go button
34
1/6
A profile enforce a password policy and to restrict the resources a session can take up Password controls are always enforced; resource limits are only enforced if the instance parameter RESOURCE_LIMIT is on TRUEby default, it is FALSE The limits that can be applied to passwords are:
FAILED_LOGIN_ATTEMPTS; Specifies the number of consecutive errors on a password before the account is locked PASSWORD_LOCK_TIME; The number of days to lock an account after FAILED_LOGIN_ATTEMPTS is reached PASSWORD_LIFE_TIME; The number of days before a password expires
35
2/6
PASSWORD_GRACE_TIME; The number of days following the first successful login after the password has expired that prompts to change the password will be generated PASSWORD_REUSE_TIME; The number of days before a password can be reused PASSWORD_REUSE_MAX; Then number of times a password can be reused PASSWORD_VERIFY_FUNCTION; The name of a function to run whenever a password is changed
36
3/6
The limits that can be applied to resource usage (also known as kernel limits) are:
SESSIONS_PER_USER CPU_PER_SESSION CPU_PER_CALL LOGICAL_READS_PER_SESSION LOGICAL_READS_PER_CALL PRIVATE_SGA CONNECT_TIME IDLE_TIME COMPOSITE_LIMIT (Sum of CPU_PER_SESSION, CONNECT_TIME, LOGICAL_READS_PER_SESSION, and PRIVATE_SGA
37
4/6
When a session is terminated because a resource limit has been reached, if there was a transaction in progress it will be rolled back Profiles can be used to limit resource usage, but a much more sophisticated tool is the Resource Manager To see which profile is currently assigned to ach user, run this query
38
5/6
With Database Control, from the database home page take the Server tab, and then click the Users link in the Security section to see which profile each user has
39
6/6
To enable more sophisticated password management is to run a supplied script $ORACLE_HOME/rdbms/admin/utlpwdmg.sql On either platform, the script creates two functions called VERIFY_FUNCTION and VERIFY_FUNCTION_11G; This will adjust the profile called DEFAULT
40
1/2
EXERCISE 7-4: Create and Use Profiles

1.
Create a profile that will lock accounts after two wrong passwords Assign this new profile to ALOIS Deliberately enter the wrong password for ALOIS a few times
2.
3.
41
2/2
EXERCISE 7-4: Create and Use Profiles

4.
As user SYSTEM, unlock the ALOIS account Check that ALOIS can now connect
5.
42

OCA 07 - Administering User Security

Diunggah oleh

Informasi Dokumen

Hak Cipta

Format Tersedia

Bagikan dokumen Ini

Bagikan atau Tanam Dokumen

Opsi Berbagi

Apakah menurut Anda dokumen ini bermanfaat?

Apakah konten ini tidak pantas?

Hak Cipta:

Format Tersedia

OCA 07 - Administering User Security

Diunggah oleh

Hak Cipta:

Format Tersedia

07 - Administering User Security

By Muhammad Asghar Khan

Create and Manage Database User Accounts

Grant and Revoke Privileges

Create and Manage Roles

Create and Manage Profiles

Create and Manage Database User Accounts

Create and Manage Database User Accounts

Create and Manage Database User Accounts

Default Tablespace and Quotas

Create and Manage Database User Accounts

A quota is the amount of space in a tablespace that a user is allowed to occupy

-1 shows the u01 has unlimited quota on users tablespace

Create and Manage Database User Accounts

Create and Manage Database User Accounts

Operating system & password file authentication

Create and Manage Database User Accounts

Create and Manage Database User Accounts

The syntax for a connection with password authentication is

Create and Manage Database User Accounts

User name needed to be prefixed with the key string OPS$

Create and Manage Database User Accounts

EXERCISE 7-1: Create Users

Create three users

EXERCISE 7-1: Create Users

From SQL*Plus, attempt to connect as user alois

Grant and Revoke Privileges

Grant and Revoke Privileges

Grant and Revoke Privileges

Grant and Revoke Privileges

GRANT privilege ON schema.object [WITH GRANT OPTION] ;

EXERCISE 7-2: Grant and Revoke Privileges

EXERCISE 7-2: Grant and Revoke Privileges

EXERCISE 7-2: Grant and Revoke Privileges

EXERCISE 7-2: Grant and Revoke Privileges

Retrieve the same information with SQL*Plus

EXERCISE 7-2: Grant and Revoke Privileges

Revoke the privileges granted to AFRA and ANJA

Create and Manage Roles

Create and Manage Roles

There are at least 50 predefined roles in an Oracle database

Create and Manage Roles

Create and Manage Roles

The basic command to enable a role within a session is

EXERCISE 7-3: Create and Grant Roles

Create two roles as follows

Grant some privileges to the roles, and grant USR_ROLE to MGR_ROLE

EXERCISE 7-3: Create and Grant Roles

EXERCISE 7-3: Create and Grant Roles

EXERCISE 7-3: Create and Grant Roles

Demonstrate the enabling and disabling of roles

EXERCISE 7-3: Create and Grant Roles

EXERCISE 7-3: Create and Grant Roles

Create and Manage Profiles

Create and Manage Profiles

Create and Manage Profiles

Create and Manage Profiles

Create and Manage Profiles

Create and Manage Profiles

EXERCISE 7-4: Create and Use Profiles

EXERCISE 7-4: Create and Use Profiles

Anda mungkin juga menyukai