Chapter 11

In This Chapter
- Using SQL to create Users
- Creating Roles
- Monitoring passwords
- Mastering profiles

Creating and assigning Roles is easy even using raw SQL. Sometimes the DBA enables people who create Tables to create Roles as well; check with your DBA to find out. As with most of the SQL commands shown in the book, you can use either SQL*Plus or SQL Worksheet to execute your commands.

Users

Often, one of the first DBA tasks involves defining new Users. Later, when a definitive security plan evolves, the DBA establishes Roles with specialized sets of privileges to enforce security. Each end User allowed database access becomes a member of at least one Role created by the DBA. This section examines how to use the SQL commands to create and manage Oracle8 Users.
CREATE USER
The SQL command for creating a User contains parameters for password and preferences. The syntax follows:
CREATE USER USER IDENTIFIED {BY PASSWORD | EXTERNALLY | GLOBALLY AS 'EXTERNAL_NAME'}
  [DEFAULT TABLESPACE TABLESPACE]
  [TEMPORARY TABLESPACE TABLESPACE]
  [QUOTA {N [K | M] | UNLIMITED} ON TABLESPACE] ...
  [PROFILE PROFILE]
  [PASSWORD EXPIRE]
  [ACCOUNT {LOCK | UNLOCK}]
At a minimum, a new User must have a name and a method of identification. The other parameters all have default values. For instance, to create a new User with a password, use the following command:
CREATE USER SMITH IDENTIFIED BY ABC123
Choose from three authentication types in the IDENTIFIED clause:

- Global. New to Oracle8, a Username can be defined as unique across multiple databases by selecting global authentication. You must also specify a name in single quotes (the EXTERNAL_NAME) to identify the external User for Oracle8.
- External. Oracle8 validates the User's name through the operating system. In these cases, you put a common prefix in front of the User's operating system name to create the Oracle Username. The default prefix is OPS$ (it is set by the OS_AUTHENT_PREFIX initialization parameter). If a User logs in to the operating system as MLAMB, the User's Oracle Username is OPS$MLAMB. The User does not enter a password when logging in to Oracle8 with external authentication, so the account is only as trustworthy as the operating system login; leave remote OS authentication (the REMOTE_OS_AUTHENT parameter) off, because it lets any client assert an operating system username over the network.
- Password. The User must enter the designated password when logging in to the database. A new feature of Oracle8 enables you to require the User to enter a new password at the initial login. Add the PASSWORD EXPIRE parameter to use this feature; it also means the initial password you typed into the CREATE USER command (which may survive in a SQL*Plus spool file or a script) never becomes the User's working password.

The DEFAULT TABLESPACE parameter defines the Tablespace in which Oracle8 puts the new User's Tables if the User creates Tables without explicitly assigning them to a different Tablespace; if you omit it, the default is SYSTEM, which you normally want to avoid. The TEMPORARY TABLESPACE parameter is the Tablespace in which Oracle8 puts sort and intermediate data while it generates query results or prepares a view, temporarily grabbing some space and releasing it after the job is done.
CrossReference
The PROFILE parameter assigns the User to a profile; the Profiles section later in this chapter describes how to create one. The QUOTA parameter assigns limits to the amount of space a User may occupy in each Tablespace. To assign a limit, type the number of kilobytes (such as 100K) or megabytes (such as 5M) followed by the Tablespace name; a User with no quota on a Tablespace cannot create Objects in it. The ACCOUNT parameter is UNLOCK by default. If you wish to create the User without enabling the User to log in, specify ACCOUNT LOCK.
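The following statements, added here as an illustration and not taken from the book, create two Users with every option described above and then check the result in the Data Dictionary. The Tablespace names APP_USERS and TEMP and the Usernames SMITH and OPS$MLAMB are assumptions; substitute your own. Run them as a User holding CREATE USER (typically SYSTEM).

```sql
-- Added example (not from the book). Assumed names: Tablespaces APP_USERS
-- and TEMP, Users SMITH and OPS$MLAMB. Run as SYSTEM in SQL*Plus.

-- Password authentication. PASSWORD EXPIRE forces SMITH to choose a new
-- password at the first login, so the value typed here (which may end up in
-- a spool file or script) is never the long-term secret. ACCOUNT LOCK keeps
-- the account unusable until you release it.
CREATE USER smith IDENTIFIED BY abc123
  DEFAULT TABLESPACE app_users
  TEMPORARY TABLESPACE temp
  QUOTA 5M ON app_users
  PROFILE default
  PASSWORD EXPIRE
  ACCOUNT LOCK;

-- A new User cannot connect at all until it holds CREATE SESSION
-- (see Table 11-1); grant it explicitly rather than through a broad Role.
GRANT CREATE SESSION TO smith;

-- Externally authenticated User: the name is the OS login with the
-- OS_AUTHENT_PREFIX (OPS$ by default) in front, and no password is stored.
CREATE USER ops$mlamb IDENTIFIED EXTERNALLY
  DEFAULT TABLESPACE app_users
  TEMPORARY TABLESPACE temp
  QUOTA 1M ON app_users;
GRANT CREATE SESSION TO ops$mlamb;

-- Verify what was created. ACCOUNT_STATUS reports LOCKED and EXPIRED
-- states; a DEFAULT_TABLESPACE of SYSTEM means the clause was omitted.
SELECT username, account_status, default_tablespace,
       temporary_tablespace, profile, expiry_date
  FROM dba_users
 WHERE username IN ('SMITH', 'OPS$MLAMB');

-- Quotas live in a separate view; MAX_BYTES of -1 means UNLIMITED.
SELECT username, tablespace_name, bytes, max_bytes
  FROM dba_ts_quotas
 WHERE username IN ('SMITH', 'OPS$MLAMB');

-- When SMITH is ready to work, release the lock. The first login still
-- demands a password change because of PASSWORD EXPIRE.
ALTER USER smith ACCOUNT UNLOCK;
```

Unquoted identifiers are stored in upper case, which is why the dictionary queries compare against 'SMITH' and 'OPS$MLAMB'.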
Note
Oracle has rules for naming a User ID. See the Choosing Names for Users and Passwords sidebar for details and advice on names for Users and passwords.
Note
Oracle8 has no utility to display a User's password; the Data Dictionary stores only a one-way hash of it, so it appears as asterisks or as the hashed value, never in clear. If a User forgets his password and you, as the security officer, don't know it, you must assign a new one.
ALTER USER
If you are the DBA or security manager, you can change the password of any User defined in the database. A new feature of Oracle8 enables you to control aspects of the User's password, such as expiration, complexity, and what to do when a User enters an incorrect password. See the following Managing password features using profile section in this chapter for more information. The following syntax changes a User's password:

ALTER USER USER IDENTIFIED BY NEWPASSWORD [PASSWORD EXPIRE]
For example, to change SMITH's password to HISMITHY, use the following command:

ALTER USER SMITH IDENTIFIED BY HISMITHY

Because the new password is typed in clear text (and may be recorded in a SQL*Plus spool file or a script), add PASSWORD EXPIRE so that SMITH must replace it at the next login. The next section describes how to modify other portions of the User's security.
GRANT
A User may need changes to the Roles or privileges currently assigned. In the case of Roles and system privileges, you don't need any special considerations. Simply complete the following steps. (In the case of Object privileges, however, you must consider whether the DBA or the Object Owner grants the Object privileges.) The following syntax adds a system privilege or a Role to a User:

GRANT SYSTEM_PRIVILEGE | ROLE TO USER | ROLE | PUBLIC [WITH ADMIN OPTION]

Use the word PUBLIC instead of a Username to grant the system privilege or Role to all Users; treat PUBLIC grants with care, since every present and future User inherits them. To enable a User named HAROLD to select from any sequence, for example, use the following command:

GRANT SELECT ANY SEQUENCE TO HAROLD

Table 11-1 lists the system privileges covered in this chapter (the ALTER family, such as ALTER USER and ALTER ANY ROLE, exists as well). Review the Oracle Server Administrator's Guide for the complete list and for details on how to use each privilege. Privileges such as BECOME ANY USER, GRANT ANY PRIVILEGE, GRANT ANY ROLE, EXECUTE ANY PROCEDURE and the ANY TABLE privileges are effectively equivalent to DBA access and belong only in Roles held by administrators.
Table 11-1: System Privileges

BECOME ANY USER
COMMENT ANY TABLE
CREATE ANY CLUSTER
CREATE ANY INDEX
CREATE ANY LIBRARY
CREATE ANY PROCEDURE
CREATE ANY SEQUENCE
CREATE ANY TABLE
CREATE ANY TRIGGER
CREATE ANY VIEW
CREATE CLUSTER
CREATE DATABASE LINK
CREATE LIBRARY
CREATE PROCEDURE
CREATE PROFILE
CREATE PUBLIC DATABASE LINK
CREATE PUBLIC SYNONYM
CREATE ROLE
CREATE ROLLBACK SEGMENT
CREATE SEQUENCE
CREATE SESSION
CREATE SNAPSHOT
CREATE SYNONYM
CREATE TABLE
CREATE TABLESPACE
CREATE TRIGGER
CREATE USER
CREATE VIEW
DELETE ANY TABLE
DROP ANY CLUSTER
DROP ANY INDEX
DROP ANY LIBRARY
DROP ANY PROCEDURE
DROP ANY ROLE
DROP ANY SEQUENCE
DROP ANY SNAPSHOT
DROP ANY SYNONYM
DROP ANY TABLE
DROP ANY TRIGGER
DROP ANY VIEW
DROP LIBRARY
DROP PROFILE
DROP PUBLIC DATABASE LINK
DROP PUBLIC SYNONYM
DROP ROLLBACK SEGMENT
DROP TABLESPACE
DROP USER
EXECUTE ANY PROCEDURE
FORCE ANY TRANSACTION
FORCE TRANSACTION
GRANT ANY PRIVILEGE
GRANT ANY ROLE
INSERT ANY TABLE
LOCK ANY TABLE
MANAGE TABLESPACE
RESTRICTED SESSION
SELECT ANY SEQUENCE
SELECT ANY TABLE
UNLIMITED TABLESPACE
UPDATE ANY TABLE
Caution
The ability to assign Object privileges like SELECT and UPDATE belongs solely to the Object Owner, unless the Owner passes that ability on to another party. Even the DBA cannot assign Object privileges on AMY's SALAD_BAR Table unless AMY grants the DBA the privilege WITH GRANT OPTION; a system privilege such as SELECT ANY TABLE lets the DBA read the Table but not grant access to it. (WITH ADMIN OPTION applies to system privileges and Roles; Object privileges use WITH GRANT OPTION.) Normally, Object privileges are granted by the Object Owner. However, if you want to enable the DBA to grant Object privileges, the Owner must give the DBA that authority. The syntax is:

GRANT PRIVILEGE_NAME ON OBJECT_NAME TO DBA_NAME WITH GRANT OPTION;

WITH GRANT OPTION means the grantee can grant the privilege to other Users and Roles. For example, the following SQL command enables the DBA (SYSTEM) to assign the SELECT privilege on the SALAD_BAR Table in the AMY Schema. The Object Owner (AMY) must execute it:

GRANT SELECT ON SALAD_BAR TO SYSTEM WITH GRANT OPTION;

Note that a Role cannot receive an Object privilege WITH GRANT OPTION, and that revoking the privilege from SYSTEM later also removes every grant SYSTEM made from it.
REVOKE
The following syntax removes a system privilege or a Role from a User or Role:

REVOKE SYSTEM_PRIVILEGE | ROLE FROM USER | ROLE | PUBLIC

Any User who holds the system privilege or Role WITH ADMIN OPTION (or who holds GRANT ANY PRIVILEGE or GRANT ANY ROLE) can revoke it, whoever granted it, and the revoke does not cascade to grants the revoked User made in turn. Object privileges behave differently: only the User who granted an Object privilege may revoke it, and the revoke cascades to everyone the grantee passed it on to. If you attempt to revoke an Object privilege you did not grant, you receive the following error message:

ORA-01927: cannot REVOKE privileges you did not grant

Query the Data Dictionary view ALL_TAB_PRIVS (or DBA_TAB_PRIVS as the DBA) and check its GRANTOR column to find who granted the privilege.
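The grant chain described in the Caution above and the revoke rules just given, worked through as an added example that is not from the book. The Table AMY.SALAD_BAR, the DBA account SYSTEM and the User HAROLD are the book's names; the exact rows shown in the comments assume nothing else has been granted on the Table.

```sql
-- Added example (not from the book). Assumed: Table SALAD_BAR owned by AMY,
-- DBA account SYSTEM, end User HAROLD who already holds SELECT ANY SEQUENCE
-- from the GRANT example earlier in the chapter.

-- Step 1, run as AMY (the Object Owner). Object privileges are passed on
-- WITH GRANT OPTION; WITH ADMIN OPTION is for system privileges and Roles.
GRANT SELECT, UPDATE ON salad_bar TO system WITH GRANT OPTION;

-- Step 2, run as SYSTEM. SYSTEM can now hand the privilege on, but only
-- because AMY allowed it; SELECT ANY TABLE alone would not suffice.
GRANT SELECT ON amy.salad_bar TO harold;

-- Step 3, run as AMY (the Owner sees every grant on her Table). GRANTOR is
-- the column to consult before attempting a REVOKE.
SELECT grantor, grantee, privilege, grantable
  FROM all_tab_privs
 WHERE table_schema = 'AMY' AND table_name = 'SALAD_BAR';
-- Expected rows:  AMY    -> SYSTEM  SELECT  YES
--                 AMY    -> SYSTEM  UPDATE  YES
--                 SYSTEM -> HAROLD  SELECT  NO

-- Step 4, a REVOKE by the wrong party fails. Run as AMY:
REVOKE SELECT ON salad_bar FROM harold;
-- ORA-01927: cannot REVOKE privileges you did not grant
-- (AMY granted to SYSTEM, not to HAROLD; only SYSTEM can revoke HAROLD's copy.)

-- Step 5, revoking from the middle of the chain cascades. Run as AMY:
REVOKE SELECT ON salad_bar FROM system;
-- HAROLD's SELECT disappears too, because it was derived from SYSTEM's
-- grantable copy. Re-run the Step 3 query: only the UPDATE row remains.

-- Step 6, system privileges are different: any holder of the ADMIN OPTION
-- (SYSTEM has it) can revoke, regardless of who granted. Run as SYSTEM:
REVOKE SELECT ANY SEQUENCE FROM harold;
-- Nothing cascades here; if HAROLD had passed SELECT ANY SEQUENCE on to
-- someone else, that grant would survive.
```

Running Step 3 as SYSTEM instead of AMY works as well, because SYSTEM is grantor or grantee on every row; any other User would only see rows in which he is involved, which is why the DBA normally reads DBA_TAB_PRIVS.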
ALTER USER
If you are the DBA or security manager, you can change the default Tablespaces, account lock, profile, quotas or default Roles assigned to any User. The account lock/unlock feature enables you to restrict or allow User access to the database without dropping the account or touching its password. The syntax for the ALTER USER command follows:

ALTER USER USER
  [IDENTIFIED {BY PASSWORD | EXTERNALLY | GLOBALLY AS 'EXTERNAL_NAME'}]
  [DEFAULT TABLESPACE TABLESPACE]
  [TEMPORARY TABLESPACE TABLESPACE]
  [QUOTA {N [K | M] | UNLIMITED} ON TABLESPACE]
  [QUOTA {N [K | M] | UNLIMITED} ON TABLESPACE] ...
  [PROFILE PROFILE]
  [PASSWORD EXPIRE]
  [ACCOUNT {LOCK | UNLOCK}]
  [DEFAULT ROLE {ROLE1, ROLE2, ... | ALL EXCEPT ROLE1, ROLE2, ... | NONE}]

Write a command to modify any or all parameters in the preceding list. DEFAULT ROLE decides which of the User's granted Roles are active the moment the User logs in; a Role left out of the default list stays inactive until the User enables it with SET ROLE, so a User must hold CREATE SESSION directly or through a default Role to be able to log in at all. The next section shows how to modify another portion of the User's security.
Roles
This section shows you how to create Roles and assign Roles to Users.
CrossReference
The Security section in Chapter 3 discusses the concepts behind creating and using Roles in Oracle8. Briefly, you use Roles in Oracle8 to pull together sets of privileges, such as access to Tables, for easier management. Once the Role is created and the appropriate privileges are assigned to the Role, you can grant the Role to, or revoke it from, your Users. A User inherits all privileges granted to the Role. A User can be assigned any number of Roles. A Role can be assigned any number of privileges. Roles simplify the tasks of adding and removing Users.
CREATE ROLE
The NOT IDENTIFIED option is the default, which enables Users to obtain the Role without typing a password. If you wish to require a password, use IDENTIFIED BY password. To identify a Role externally, use the IDENTIFIED EXTERNALLY parameter. New to Oracle8, a Role can be defined as unique across multiple databases by specifying the IDENTIFIED GLOBALLY parameter. You must log in as a Username with DBA authority or the CREATE ROLE privilege to create Roles. To modify a Role, you must have the ALTER ANY ROLE privilege or have been granted that Role WITH ADMIN OPTION. To remove a Role, you must have the DROP ANY ROLE privilege or the ADMIN OPTION on it. Follow the Oracle8 naming rules for Oracle8 Objects. Refer to the Choosing Names for Users and Passwords sidebar for a quick summary of Object naming guidelines.
See Reference Section
SET ROLE
If a Role requires a password, the User must enter the designated password when activating this Role. See the SET ROLE command in the Command Reference section for information on activating this kind of Role. Oftentimes, you split duties related to Roles between the DBA (who creates the Role) and the application developer (who grants privileges to the Role). In this case, the application developer assigns privileges using SQL*Plus or SQL Worksheet (see the GRANT command in the Command Reference section). You now have a new Role complete with privileges. To use a Role's privileges, you must assign one or more Users to the Role.
For example, the User HAROLD is assigned a new Role called SALES in the following SQL command:

GRANT SALES TO HAROLD

Tip
The ability to assign privileges like SELECT and UPDATE belongs solely to the Object Owner. However, the ability to use Security Manager is usually reserved for the DBA.
GRANT
Refer to Table 11-1 for a list of system privileges; they are granted to a Role with the same GRANT syntax used for Users. The following syntax assigns an Object privilege to a Role:

GRANT OBJECT_PRIVILEGE [(COLUMN, ...)] | ALL ON SCHEMA.OBJECT TO ROLE

Unlike a grant to a User, a grant to a Role cannot carry WITH GRANT OPTION (Oracle rejects it with ORA-01926), so members of the Role can use the Object but cannot pass access on. The column list applies only to the INSERT, UPDATE and REFERENCES privileges.
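The full life of a Role, from CREATE ROLE through SET ROLE, as an added example that is not from the book. It covers the CREATE ROLE options, the GRANT examples and the SET ROLE discussion above, and the DEFAULT ROLE clause of ALTER USER. The Role name SALES, the Users HAROLD and AMY and the Table AMY.SALAD_BAR are the book's names; the Role password S3CRET and the CREATE SYNONYM privilege are assumptions.

```sql
-- Added example (not from the book). Assumed names: Role SALES with
-- password S3CRET, Users HAROLD and AMY, Table AMY.SALAD_BAR.
-- Syntax used (standard Oracle8 form):
--   CREATE ROLE role [NOT IDENTIFIED | IDENTIFIED {BY password | EXTERNALLY | GLOBALLY}]
--   SET ROLE {role [IDENTIFIED BY password], ... | ALL [EXCEPT role, ...] | NONE}

-- Run as the DBA (holds CREATE ROLE). The password gates activation of the
-- Role, not its grant, so an application can enable it only when needed.
CREATE ROLE sales IDENTIFIED BY s3cret;

-- System privileges go straight to the Role. CREATE SESSION is deliberately
-- NOT put here: a non-default Role is inactive at login, so a User whose
-- only CREATE SESSION came through it could never connect.
GRANT CREATE SYNONYM TO sales;

-- Object privileges must come from the Object Owner (run as AMY). A Role
-- cannot receive them WITH GRANT OPTION (ORA-01926), which is the point:
-- members use the data but cannot redistribute access.
GRANT SELECT, INSERT ON salad_bar TO sales;

-- Back as the DBA: hand the Role to the User...
GRANT sales TO harold;

-- ...but keep it out of his default Roles. A password-protected Role that
-- is also a default Role is enabled at login without the password, which
-- defeats it. ALL EXCEPT leaves HAROLD's other granted Roles active.
ALTER USER harold DEFAULT ROLE ALL EXCEPT sales;

-- Run as HAROLD, from inside the application, when the privileges are
-- needed. SET ROLE replaces the session's active Role set, so anything
-- not named here is switched off for the session.
SET ROLE sales IDENTIFIED BY s3cret;

-- What is active right now in this session (expect one row: SALES).
SELECT role FROM session_roles;

-- Drop back to least privilege when the sensitive work is done.
SET ROLE NONE;

-- Audit view for the DBA: who holds the Role, and whether it is default.
-- Expect HAROLD, SALES, admin_option NO, default_role NO.
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'SALES';
```

Because HAROLD must supply the password to SET ROLE, the application rather than the interactive User is the natural place to hold it; the same pattern keeps ad hoc SQL*Plus sessions from reaching SALAD_BAR even though HAROLD holds the Role.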
The next section shows how to remove Roles and privileges from a Role.
REVOKE
Caution
Only the User who granted an Object privilege may revoke it, and the revoke cascades to any grants made from it; a system privilege or Role can be revoked by any holder of its ADMIN OPTION. If you attempt to revoke an Object privilege you did not grant, you receive the following error message:

ORA-01927: cannot REVOKE privileges you did not grant

Query the Data Dictionary view ALL_TAB_PRIVS and check its GRANTOR column to find the grantor. The next section shows how to create and manage profiles using SQL commands.
Profiles
Profiles, like Roles, can simplify and streamline the work of the DBA or security officer. A profile is a named collection of resource and password limits assigned to one or more Oracle8 Users. Oracle8 has one profile preloaded with its default database, named DEFAULT; every User not explicitly assigned a profile uses it, and its password limits are all UNLIMITED until you change them, so a fresh database enforces no password policy at all. This section shows you how to work with profiles using SQL.
CREATE PROFILE
When you specify DEFAULT for any parameter, that profile parameter takes the value of the same parameter in the DEFAULT profile. You can control password parameters here as well as resource limits. See the following Managing password features using profile section for more information.
ALTER USER
The next section discusses how to control passwords using the profile.
Managing password features using profile

- Keep password history. Do not enable a User in a specified profile to reuse a prior password. Choose either a number of days before reuse is allowed or a number of password changes before reuse is allowed. The syntax to limit the number of days:

ALTER PROFILE PROFILENAME LIMIT PASSWORD_REUSE_TIME N

The syntax to limit by number of password changes:

ALTER PROFILE PROFILENAME LIMIT PASSWORD_REUSE_MAX N

These two password parameters are mutually exclusive in Oracle8: give one a value and set the other to UNLIMITED.

- Enforce complexity. Use a third-party script, Oracle's sample in $ORACLE_HOME/rdbms/admin/utlpwdmg.sql, or write your own PL/SQL function to validate password complexity for Users with the current profile. The syntax for password complexity:

ALTER PROFILE PROFILENAME LIMIT PASSWORD_VERIFY_FUNCTION FUNCTION

The function named in this parameter is a password verification routine, possibly written by a third party. It must be owned by SYS; Oracle calls it with the Username, the new password and the old password whenever a password is set, and the function returns TRUE to accept the password or raises an error to reject it.

- Lock account on failed logon. Choose how many consecutive failed login attempts lock the account (FAILED_LOGIN_ATTEMPTS) and how many days it stays locked (PASSWORD_LOCK_TIME; fractions of a day such as 1/24 are accepted). The syntax for adding these parameters to a profile:

ALTER PROFILE PROFILENAME LIMIT FAILED_LOGIN_ATTEMPTS N PASSWORD_LOCK_TIME N

Because anyone who knows a Username can trigger the lock by typing wrong passwords, prefer a short PASSWORD_LOCK_TIME over UNLIMITED, which would let an outsider keep a legitimate User out until the DBA intervenes.

Any of these password parameters can appear in the CREATE PROFILE command as well as in the ALTER PROFILE command.
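The three password features above, plus expiration, combined into one profile as an added example that is not from the book. The profile name APP_USER and the verification function APP_PW_VERIFY are assumptions, as are the particular limits; the function's parameter list (username, password, old_password) RETURN BOOLEAN is the form Oracle8 calls, the same one used by Oracle's own utlpwdmg.sql sample.

```sql
-- Added example (not from the book). Assumed names: profile APP_USER,
-- verify function APP_PW_VERIFY, User SMITH. Run as SYS, since a password
-- verification function must live in the SYS schema.

CREATE OR REPLACE FUNCTION app_pw_verify (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
  has_digit BOOLEAN := FALSE;
  has_alpha BOOLEAN := FALSE;
  c         VARCHAR2(1);
BEGIN
  -- Minimum length.
  IF LENGTH(password) < 8 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 8 characters');
  END IF;
  -- Not the account name (case-insensitive).
  IF UPPER(password) = UPPER(username) THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must not match the username');
  END IF;
  -- A few obvious choices; extend with your own banned words.
  IF UPPER(password) IN ('PASSWORD', 'ORACLE', 'WELCOME', 'ABC123') THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password is too easy to guess');
  END IF;
  -- At least one letter and one digit.
  FOR i IN 1 .. LENGTH(password) LOOP
    c := SUBSTR(password, i, 1);
    IF c BETWEEN '0' AND '9' THEN
      has_digit := TRUE;
    ELSIF UPPER(c) BETWEEN 'A' AND 'Z' THEN
      has_alpha := TRUE;
    END IF;
  END LOOP;
  IF NOT (has_digit AND has_alpha) THEN
    RAISE_APPLICATION_ERROR(-20004, 'Password needs both letters and digits');
  END IF;
  -- Must differ from the previous password. old_password is NULL when the
  -- DBA sets the password with ALTER USER, so guard against that.
  IF old_password IS NOT NULL AND password = old_password THEN
    RAISE_APPLICATION_ERROR(-20005, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END;
/

-- Profile: five bad logins lock the account for one hour (PASSWORD_LOCK_TIME
-- is in days, hence 1/24); passwords expire after 90 days with a 7-day
-- grace period; the last 10 passwords cannot be reused. In Oracle8 only one
-- of PASSWORD_REUSE_TIME / PASSWORD_REUSE_MAX may carry a value; the other
-- must be UNLIMITED.
CREATE PROFILE app_user LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_MAX       10
  PASSWORD_REUSE_TIME      UNLIMITED
  PASSWORD_VERIFY_FUNCTION app_pw_verify;

-- Attach the profile to the User.
ALTER USER smith PROFILE app_user;

-- Check what is in force; only the password-class limits are selected.
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USER' AND resource_type = 'PASSWORD';

-- Functional test: no digit, so this fails with ORA-28003 (password
-- verification for the specified password failed) carrying the -20004 text.
ALTER USER smith IDENTIFIED BY abcdefgh;
```

Keep the function small and deterministic: it runs inside every password change, and an error in it blocks all of them, so test a replacement on a scratch profile before pointing DEFAULT or a production profile at it.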
Summary
Together, Users and Roles form a foundation for your Oracle8 database. Users are assigned privileges depending on how they will work with the database. Roles enable the DBA and the application developer to simplify privilege management by lumping related privileges together under a single Role. Subsequently, a new User can be granted a single Role rather than numerous privileges individually. Profiles likewise manage the limits placed on individual Users without configuring each User separately: a profile contains the set of password and resource limits appropriate for a certain type of User, and that User is then assigned to the appropriate profile. Again, this strategy saves time for the DBA and simplifies security management. The following chapter, SQL for Tables, shows how to create and modify Tables using SQL commands.