Agenda
Username
Default Tablespace and Quotas
Temporary Tablespace
Profile
Authentication Methods
EXERCISE 7-1: Create Users
System Privileges
Object Privileges
EXERCISE 7-2: Grant and Revoke Privileges
http://asghars.blogspot.com
EXERCISE 7-3: Create and Grant Roles
EXERCISE 7-4: Create and Use Profiles
To establish a session against an instance and a database, a user must connect to a user account. In some applications, each user will have his own database user account. This security model works well for small applications but is often impractical for larger systems with many hundreds or thousands of users, where many end users typically connect through the same database account. That model relies on the application to map the real end user to a database user account, and it can make session-level security and auditing more complex. Here we assume that every user is known to the database; they all have their own user accounts.
A user account has a number of attributes defined at account creation time. These attributes are:
Username
A username must begin with a letter, must be no more than 30 characters, and can consist of only letters, digits, and the characters dollar ($) and underscore (_). The letters are case sensitive but will be automatically converted to uppercase. To change a username, the account must be dropped and another account created. This is a drastic action, because all the objects in the user's schema will be dropped along with the user.
Default Tablespace
Every user account has a default tablespace. There is a database-wide default tablespace that will be applied to all user accounts if a default tablespace is not specified when creating the user. The default can be set when creating the database and changed later with
ALTER DATABASE DEFAULT TABLESPACE tablespace_name;
If a default tablespace is not specified when creating the database, it will be set to the SYSTEM tablespace (a very bad practice).
Temporary Tablespace
Operations that need temporary space (in memory if possible, in a temporary tablespace if necessary) include sorting rows, joining tables, building indexes, and using temporary tables. To change a user's temporary tablespace, use
ALTER USER username TEMPORARY TABLESPACE tablespace_name;
If many users are logging on to the same user account, they will share use of one temporary tablespace. This can be a performance bottleneck, which may be avoided by using temporary tablespace groups.
Profile
A user's profile controls his password settings and gives a limited amount of control over his resource usage.
Authentication Methods
A user account must have an authentication method. Some of the methods are described below.
Operating System and Password File Authentication
Granting the SYSDBA or SYSOPER privilege will copy the user's password from the data dictionary into the external password file, where it can be read by the instance even if the database is not open.
To use password file authentication, the user can connect with this syntax:
CONNECT username/password[@db_alias] AS [SYSOPER | SYSDBA];
To use operating system authentication, the user can connect with this syntax:
CONNECT / AS [SYSOPER | SYSDBA];
To determine to whom the SYSDBA and SYSOPER privileges have been granted, query the view V$PWFILE_USERS.
Password Authentication
With password authentication, the instance will validate the password given against that stored with the user account in the data dictionary.
The user SYS is not permitted to connect with password authentication; only password file, operating system, or LDAP authentication are possible for SYS. When a connection is made across a network, release 11g will always encrypt the password using the AES algorithm before transmission. Any user can change his/her own account password at any time.
External Authentication
If external authentication is used, Oracle will delegate the authentication to an external service; it will not prompt for a password. With the Advanced Security option, the external service can be a Kerberos server, a RADIUS server, etc. Without the Advanced Security option, the only form of external authentication that can be used is OS authentication. To create an Oracle user and allow him to use external authentication, use the command:
CREATE USER ops$asghar IDENTIFIED EXTERNALLY;
Any user logged on to Unix as asghar will be able to issue CONNECT / and will be connected to the database user account ops$asghar.
Global Authentication
A global user is a user who is defined within the LDAP directory, and global authentication is a means of delegating user authentication to the directory. It does not require the user to present a password to the database.
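The account attributes and the three authentication methods above, as an added SQL example (not code from the original slides). The tablespaces USERS and TEMP, the password, the hypothetical global user gl_user and its directory DN are assumptions; ops$asghar assumes OS_AUTHENT_PREFIX is at its default of ops$.

```sql
-- Added example, not from the original slides: one account per
-- authentication method, with the attributes described above.
-- Assumed: tablespaces USERS and TEMP exist, OS_AUTHENT_PREFIX is at
-- its default ops$, and the password and directory DN are placeholders.

-- Password authentication: the (hashed) password lives in the data dictionary.
-- QUOTA caps the space the account may use in its default tablespace;
-- PASSWORD EXPIRE forces a change at first login (status EXPIRED until then).
CREATE USER alois IDENTIFIED BY "ChangeMe#1"
  DEFAULT TABLESPACE users
  QUOTA 10M ON users
  TEMPORARY TABLESPACE temp
  PROFILE default
  PASSWORD EXPIRE;

-- Operating system (external) authentication: no password is stored;
-- the Unix user asghar connects with CONNECT / and becomes OPS$ASGHAR.
CREATE USER ops$asghar IDENTIFIED EXTERNALLY;

-- Global authentication: identity is proved to the LDAP directory, not
-- to the database, so there is no password clause at all (hypothetical DN).
CREATE USER gl_user IDENTIFIED GLOBALLY AS 'CN=gl_user,OU=users,DC=example,DC=com';

-- Later changes to the attributes, as described above.
ALTER USER alois TEMPORARY TABLESPACE temp;
ALTER DATABASE DEFAULT TABLESPACE users;   -- never leave this as SYSTEM

-- Check the result: DBA_USERS shows the attributes; V$PWFILE_USERS shows
-- who holds SYSDBA/SYSOPER and therefore has an entry in the password file.
SELECT username, account_status, default_tablespace,
       temporary_tablespace, profile, authentication_type
  FROM dba_users
 WHERE username IN ('ALOIS', 'OPS$ASGHAR', 'GL_USER');
SELECT username, sysdba, sysoper FROM v$pwfile_users;
```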
EXERCISE 7-1: Create Users
2. Confirm that the users have been created with Database Control. From the database home page, the navigation path is the Server tab and then the Users link in the Security section.
alois cannot connect because alois does not have the CREATE SESSION privilege.
4. Refresh the Database Control window, and note that the status of the ALOIS account is no longer EXPIRED but OPEN, because his password has been changed.
Privileges are assigned to user accounts with a GRANT command and withdrawn with a REVOKE. A user cannot even connect without being granted a privilege. Privileges come in two groups:
System privileges, which let users perform actions that affect the data dictionary
Object privileges, which let users perform actions that affect data
System Privileges
There are about two hundred system privileges. These privileges affect the data dictionary, the database or instance, or establishing a session. Some of the more commonly used privileges are:
CREATE SESSION
RESTRICTED SESSION; allows users to connect when an instance is started in RESTRICTED mode
ALTER DATABASE
ALTER SYSTEM; allows control of instance parameters and memory structures
CREATE TABLESPACE
CREATE TABLE
GRANT ANY OBJECT PRIVILEGE
CREATE ANY TABLE
DROP ANY TABLE
INSERT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE
SELECT ANY TABLE
The syntax for granting system privileges is
GRANT privilege [, privilege...] TO username [WITH ADMIN OPTION];
The ANY privileges should be used with extreme caution, as they remove all protection from user tables.
Object Privileges
Object privileges give the ability to perform SELECT, INSERT, UPDATE, and DELETE commands against tables, and to execute PL/SQL objects. The syntax is
GRANT privilege [, privilege...] ON [schema.]object TO username [WITH GRANT OPTION];
Granting privileges at the column level is often said to be bad practice because of the massive workload involved.
EXERCISE 7-2: Grant and Revoke Privileges
1. Grant CREATE SESSION to user alois.
2. Now connect as alois. This time, the login will succeed.
3. As alois, attempt to create a table.
4. In the SYSTEM session, grant alois the CREATE TABLE privilege.
5. In the alois session, try again to create the table.
6. As alois, grant object privileges on the new table.
7. Connect to Database Control as user SYSTEM. Confirm that the object privileges have been granted: Schema tab, Database Objects section, Tables link. Enter ALOIS as the Schema and T1 as the Table and click the Go button. In the Actions drop-down box, select Object Privileges. ANJA has only SELECT, but AFRA has everything.
8. Confirm which privileges have been granted to alois: Server tab, Security section, Users link. Select the radio button for alois, and click the View button.
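The GRANT and REVOKE syntax above and the steps of Exercise 7-2, as an added SQL*Plus script (not the slides' own code). It assumes alois, anja and afra were created in Exercise 7-1; the passwords are constructed placeholders.

```sql
-- Added example, not from the original slides: Exercise 7-2 as a SQL*Plus
-- script, with dictionary queries in place of the Database Control checks.
-- Assumed: alois, anja and afra exist (Exercise 7-1); passwords are placeholders.

-- Step 1, as SYSTEM: until this grant, alois cannot even log on.
CONNECT system/system_pw
GRANT create session TO alois;

-- Steps 2-3, as alois: the login now works, but CREATE TABLE fails with
-- ORA-01031 "insufficient privileges" (no system privilege for it yet).
CONNECT alois/alois_pw
CREATE TABLE t1 (c1 NUMBER);

-- Step 4, as SYSTEM: the system privilege, plus a quota so rows can be stored.
CONNECT system/system_pw
GRANT create table TO alois;
ALTER USER alois QUOTA 10M ON users;

-- Steps 5-6, as alois: the table is created, then object privileges on it.
-- Only the owner (or a grantee WITH GRANT OPTION) can grant these.
CONNECT alois/alois_pw
CREATE TABLE t1 (c1 NUMBER);
GRANT SELECT ON t1 TO anja;
GRANT ALL ON t1 TO afra;
-- A column-level grant is legal but cannot be revoked per column: the
-- whole UPDATE privilege must be revoked to withdraw it.
GRANT UPDATE (c1) ON t1 TO anja;
REVOKE UPDATE ON t1 FROM anja;       -- back to SELECT only, as step 7 expects

-- Steps 7-8, as SYSTEM: what Database Control displays, from the dictionary.
CONNECT system/system_pw
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'ALOIS' AND table_name = 'T1';      -- ANJA: SELECT; AFRA: all
SELECT privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'ALOIS';                         -- CREATE SESSION, CREATE TABLE

-- Revoking a system privilege does not cascade: T1 survives and any grants
-- alois made stay in place. Revoking an object privilege, by contrast,
-- cascades down WITH GRANT OPTION chains.
REVOKE create table FROM alois;
```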
A role is a collection of system and/or object privileges that can be granted and revoked as a unit and, having been granted, can be temporarily activated or deactivated within a session. Roles are not schema objects: they aren't owned by anyone and so cannot be prefixed with a username. Create a role with the CREATE ROLE command:
CREATE ROLE rolename;
Then grant privileges to the role with the usual syntax, including WITH ADMIN OPTION or WITH GRANT OPTION if desired.
Some of the predefined roles are:
CONNECT; exists for backward compatibility. With the current release, it only has CREATE SESSION
RESOURCE; also for backward compatibility. This role can create both data objects and procedural objects
DBA; any user granted DBA can manage virtually all aspects of the database, except for startup and shutdown
SELECT_CATALOG_ROLE; has over 2000 object privileges against data dictionary objects, but no system privileges or privileges against user data
SCHEDULER_ADMIN; has the system privileges necessary for managing the Scheduler job scheduling service
PUBLIC; always granted to every database user account. If a privilege is granted to PUBLIC, it will be available to all users
If a user has been granted a role, then the role will be enabled by default. This behavior can be modified by making the role non-default.
EXERCISE 7-3: Create and Grant Roles
3. Grant the roles to AFRA.
4. Connect to the database as user AFRA and grant the USR_ROLE to ANJA.
5. Confirm that ANJA can connect and query ALOIS.t1 but do nothing else.
6. As user SYSTEM, adjust ANJA so that by default he can log on but do nothing else.
7. Use Database Control to inspect the roles. The navigation path from the Home Page is the Server tab, Security section, Roles link.
8. To see to whom a role has been granted, in the Actions drop-down box shown in the preceding illustration, select Show Grantees and click the Go button.
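The role mechanics above (creation, WITH ADMIN OPTION, default and non-default roles) and the steps of Exercise 7-3, as an added SQL*Plus script (not the slides' own code). USR_ROLE is named on the slides; MGR_ROLE, the privileges placed in each role and the passwords are assumptions.

```sql
-- Added example, not from the original slides: the roles of Exercise 7-3.
-- USR_ROLE is named on the slides; MGR_ROLE, the privileges placed in each
-- role and the passwords are assumptions (constructed for this example).

-- Steps 1-2, as SYSTEM: roles are not schema objects, so no owner prefix.
-- Granting usr_role to mgr_role WITH ADMIN OPTION is what later lets AFRA
-- pass usr_role on to ANJA.
CONNECT system/system_pw
CREATE ROLE usr_role;
CREATE ROLE mgr_role;
GRANT create session TO usr_role;
GRANT SELECT ON alois.t1 TO usr_role;
GRANT ALL ON alois.t1 TO mgr_role;
GRANT usr_role TO mgr_role WITH ADMIN OPTION;
-- Step 3: both roles to AFRA.
GRANT usr_role, mgr_role TO afra;

-- Step 4, as AFRA: delegate usr_role to ANJA (needs the ADMIN OPTION above).
CONNECT afra/afra_pw
GRANT usr_role TO anja;

-- Step 5, as ANJA: the role is enabled by default, so these work...
CONNECT anja/anja_pw
SELECT role FROM session_roles;            -- USR_ROLE
SELECT * FROM alois.t1;
-- ...but anything outside the role fails with ORA-01031.
CREATE TABLE t2 (c1 NUMBER);

-- Step 6, as SYSTEM: keep the grant but make it non-default. ANJA then
-- logs on with only her direct privilege and must SET ROLE to use the rest.
CONNECT system/system_pw
GRANT create session TO anja;
ALTER USER anja DEFAULT ROLE NONE;
CONNECT anja/anja_pw
SELECT * FROM alois.t1;                    -- ORA-00942 now: role not enabled
SET ROLE usr_role;                         -- enable it for this session only
SELECT * FROM alois.t1;                    -- works again

-- Steps 7-8, as SYSTEM: the dictionary views behind the Database Control pages.
CONNECT system/system_pw
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role IN ('USR_ROLE', 'MGR_ROLE');
SELECT role, privilege FROM role_sys_privs WHERE role = 'USR_ROLE';
SELECT role, owner, table_name, privilege FROM role_tab_privs WHERE role = 'USR_ROLE';
```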
A profile enforces a password policy and restricts the resources a session can take up. Password controls are always enforced; resource limits are only enforced if the instance parameter RESOURCE_LIMIT is set to TRUE (by default, it is FALSE). The limits that can be applied to passwords are:
FAILED_LOGIN_ATTEMPTS; specifies the number of consecutive errors on a password before the account is locked
PASSWORD_LOCK_TIME; the number of days to lock an account after FAILED_LOGIN_ATTEMPTS is reached
PASSWORD_LIFE_TIME; the number of days before a password expires
PASSWORD_GRACE_TIME; the number of days following the first successful login after the password has expired during which prompts to change the password will be generated
PASSWORD_REUSE_TIME; the number of days before a password can be reused
PASSWORD_REUSE_MAX; the number of times a password can be reused
PASSWORD_VERIFY_FUNCTION; the name of a function to run whenever a password is changed
The limits that can be applied to resource usage (also known as kernel limits) are:
SESSIONS_PER_USER
CPU_PER_SESSION
CPU_PER_CALL
LOGICAL_READS_PER_SESSION
LOGICAL_READS_PER_CALL
PRIVATE_SGA
CONNECT_TIME
IDLE_TIME
COMPOSITE_LIMIT (the sum of CPU_PER_SESSION, CONNECT_TIME, LOGICAL_READS_PER_SESSION, and PRIVATE_SGA)
When a session is terminated because a resource limit has been reached, any transaction in progress will be rolled back. Profiles can be used to limit resource usage, but a much more sophisticated tool is the Resource Manager. To see which profile is currently assigned to each user, run this query:
With Database Control, from the database home page take the Server tab, and then click the Users link in the Security section to see which profile each user has.
To enable more sophisticated password management, run the supplied script $ORACLE_HOME/rdbms/admin/utlpwdmg.sql. On either platform, the script creates two functions called VERIFY_FUNCTION and VERIFY_FUNCTION_11G and adjusts the profile called DEFAULT.
EXERCISE 7-4: Create and Use Profiles
1. Create a profile that will lock accounts after two wrong passwords.
2. Assign this new profile to ALOIS.
3. Deliberately enter the wrong password for ALOIS a few times.
4. As user SYSTEM, unlock the ALOIS account.
5. Check that ALOIS can now connect.
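The password and resource limits listed above, the profile query, and the lockout steps of Exercise 7-4, as an added SQL*Plus script (not the slides' own code). The profile name TWO_STRIKES, the limit values and the passwords are assumptions.

```sql
-- Added example, not from the original slides: a profile combining the
-- password and resource limits listed above, then the lockout steps of
-- Exercise 7-4. Profile name, limit values and passwords are assumptions.

-- Resource (kernel) limits are ignored unless this parameter is TRUE.
ALTER SYSTEM SET resource_limit = TRUE;

-- Exercise step 1: lock the account after two consecutive wrong passwords.
CREATE PROFILE two_strikes LIMIT
  failed_login_attempts  2
  password_lock_time     1/24       -- days; fractions allowed, so one hour
  password_life_time     90
  password_grace_time    7
  password_reuse_time    365
  password_reuse_max     5
  sessions_per_user      3
  idle_time              30         -- minutes
  connect_time           480        -- minutes
  cpu_per_call           3000       -- hundredths of a second
  logical_reads_per_call 100000;

-- Step 2: assign the profile to ALOIS.
ALTER USER alois PROFILE two_strikes;

-- Which profile does each user have, and is the account locked?
SELECT username, profile, account_status, lock_date FROM dba_users;

-- Step 3: the second wrong password locks the account; the third attempt
-- fails with ORA-28000 even though the password is now correct.
CONNECT alois/wrong_pw
CONNECT alois/wrong_pw
CONNECT alois/alois_pw

-- Step 4, as SYSTEM: unlock; step 5: ALOIS connects again.
CONNECT system/system_pw
ALTER USER alois ACCOUNT UNLOCK;
CONNECT alois/alois_pw

-- Password complexity: utlpwdmg.sql creates the verify functions and
-- attaches one to DEFAULT; the ALTER PROFILE shows the same step by hand.
CONNECT system/system_pw
@?/rdbms/admin/utlpwdmg.sql
ALTER PROFILE default LIMIT password_verify_function verify_function_11g;
```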