SQL for Users, Roles, and Security

11
C H A P T E R

In This Chapter
Using SQL to create Users Creating Roles Monitoring passwords Mastering profiles

C
Users

reating and assigning Roles is easy even using raw SQL. Sometimes the DBA enables people who create Tables to create Roles as well check with your DBA to find out. As with most of the SQL commands shown in the book, you can use either SQL*Plus or SQL Worksheet to execute your commands.

Often, one of the first DBA tasks involves defining new Users. Later, when a definitive security plan evolves, the DBA establishes Roles with specialized sets of privileges to enforce security. Each end User allowed database access becomes a member of at least one Role created by the DBA. This section examines how to use the SQL commands to create and manage Oracle8 Users.

Creating a new User

See Reference Section

CREATE USER

The SQL command for creating a User contains parameters for password and preferences. The syntax follows:
CREATE USER USER IDENTIFIED [BY PASSWORD | EXTERNALLY | GLOBALLY AS EXTERNAL_NAME] [ DEFAULT TABLESPACE TABLESPACE] [TEMPORARY TABLESPACE TABLESPACE] [QUOTA {N [K | M] | UNLIMITED} ON TABLESPACE]

236

Chapter 11 3 SQL for Users, Roles, and Security

[PROFILE PROFILE] [ACCOUNT [LOCK | UNLOCK] [PASSWORD EXPIRE]

At a minimum, a new User must have a name and a method of identification. The other parameters all have default values. For instance, to create a new User with a password, use the following command:
CREATE USER SMITH IDENTIFIED BY ABC123

Choose from three authentication types in the IDENTIFIED BY clause: 3 Global. New to Oracle8, a Username can be defined as unique across multiple databases by selecting global authentication. You must also specify a name in single quotes to identify the external User for Oracle8. 3 External. Oracle8 validates the Users name through the operating system. In these cases, you append a common prefix to the Users operating system name to create the Oracle Username. The default prefix is OPS$. If a User logs in to the operating system as MLAMB, then the Users Oracle Username is OPS$MLAMB. The User does not enter a password when logging in to Oracle8 with external authentication. 3 Password. The User must enter the designated password when logging in to the database. A new feature of Oracle8 enables you to require the User to enter a new password at the initial log in. Add the PASSWORD EXPIRE parameter to use this feature. The DEFAULT TABLESPACE parameter defines the Tablespace in which Oracle8 puts the new Users Tables if the User creates Tables without explicitly assigning them to a different Tablespace. The TEMPORARY TABLESPACE parameter is the Tablespace in which Oracle8 puts data while it generates query results or prepares a view temporarily grabbing some space and releasing it after the job is done.
CrossReference

The following Section Profiles in this chapter describes how to create a new profile. The QUOTA parameter assigns limits to the amount of space a User employs in each available Tablespace. To assign a limit, type in the number of kilobytes (such as 100K) or the number of megabytes (such as 5MB) and name the Tablespace. The ACCOUNT parameter is UNLOCK by default. If you wish to create the User without enabling the User to log in, specify the LOCK parameter.

Chapter 11 3 Users

237

Choosing Names for Users and Passwords

As the DBA, you have the responsibility of creating every new Username for your Oracle8 database. When setting up a name for a new User, you must follow the same rules that apply for naming any Oracle8 Object: you can use up to 30 characters and a letter and single-digit number each count as one character. The same rules apply to setting up passwords. My advice is to use a single word or acronym for a new Username. Selecting passwords is more difficult, but with Oracle8s newest password features, you can set and expire a simple password. You can also require the User to choose a more cryptic password.

Note

Oracle has rules for naming a User ID. See the Choosing Names for Users and Passwords sidebar for details and advice on names for Users and passwords.

Note

Oracle8 does not contain a utility to display a Users password it always appears as asterisks or encrypted. If a User forgets his password and you, as the security officer, dont know the password, you must assign a new password.

Changing a Users password

See Reference Section

ALTER USER

If you are the DBA or security manager, you can change the password of any User defined to the database. A new feature of Oracle8 enables you to control aspects of the Users password, such as rate of expiration, complexity, and what to do when a User enters an incorrect password. See the following Managing password features with profile section in this chapter for more information. The following syntax changes a Users password:
ALTER USER USER IDENTIFIED BY NEWPASSWORD

CrossReference

For example, to change SMITHs password to hismithy, use the following command:
ALTER USER SMITH IDENTIFIED BY HISMITHY

The next section describes how to modify other portions of the Users security.

238

Chapter 11 3 SQL for Users, Roles, and Security

Adding Roles or privileges to Users

See Reference Section

GRANT

A User may need changes to the current assigned Roles of privileges. In the case of Roles and system privileges, you dont need any special considerations. Simply complete the following steps. (In the case of Object privileges, however, you must consider whether to use the DBA or the Object Owner to grant the Object privileges.) The following syntax adds a Role to a User:
GRANT ROLE TO USER | PUBLIC [WITH ADMIN OPTION]

The following syntax adds a system privilege to a User:

GRANT SYSTEM_PRIVILEGE TO USER | PUBLIC [WITH ADMIN OPTION]

Use the word PUBLIC instead of a Username to grant the system privilege to all Users. To enable a User named HAROLD to select from any sequence, for example, use the following command:
GRANT SELECT ANY SEQUENCE TO HAROLD

Table 11-1 lists all system privileges available to you. Review the Oracle Server Administrators Guide for details on how to use each privileges.

Table 11-1 Alphabetical List of System Privileges

Privilege ALTER ANY PROCEDURE ALTER ANY CLUSTER ALTER ANY ROLE ALTER ANY TRIGGER ALTER PROFILE ALTER ROLLBACK SEGMENT ALTER SNAPSHOT ALTER TABLESPACE ANALYZE ANY AUDIT SYSTEM Privilege ALTER ANY SEQUENCE ALTER ANY INDEX ALTER ANY TABLE ALTER DATABASE ALTER RESOURCE COST ALTER SESSION ALTER SYSTEM ALTER USER AUDIT ANY BACKUP ANY TABLE

Chapter 11 3 Users

239

Privilege BECOME ANY USER CREATE ANY LIBRARY CREATE ANY SEQUENCE CREATE ANY INDEX CREATE ANY TRIGGER CREATE ANY VIEW CREATE DATABASE LINK CREATE PROCEDURE CREATE PUBLIC DATABASE LINK CREATE ROLE CREATE SEQUENCE CREATE SNAPSHOT CREATE TABLE CREATE TRIGGER DELETE ANY TABLE DROP ANY CLUSTER DROP ANY LIBRARY DROP ANY SEQUENCE DROP ANY SYNONYM DROP ANY TRIGGER DROP LIBRARY DROP PUBLIC DATABASE LINK DROP ROLLBACK SEGMENT DROP USER FORCE ANY TRANSACTION GRANT ANY PRIVILEGE INSERT ANY TABLE MANAGE TABLESPACE PUBLIC SYNONYM ROLLBACK SEGMENT SELECT ANY TABLE UPDATE ANY TABLE

Privilege COMMENT ANY CREATE ANY PROCEDURE CREATE ANY CLUSTER CREATE ANY TABLE CREATE ANY USER CREATE CLUSTER CREATE LIBRARY CREATE PROFILE CREATE PUBLIC SYNONYM CREATE ROLLBACK SEGMENT CREATE SESSION CREATE SYNONYM CREATE TABLESPACE CREATE VIEW DROP ANY PROCEDURE DROP ANY INDEX DROP ANY ROLE DROP ANY SNAPSHOT DROP ANY TABLE DROP ANY VIEW DROP PROFILE DROP PUBLIC SYNONYM DROP TABLESPACE EXECUTE ANY PROCEDURE FORCE TRANSACTION GRANT ANY ROLE LOCK ANY TABLE PUBLIC DATABASE LINK RESTRICTED SESSION SELECT ANY SEQUENCE UNLIMITED TABLESPACE

240
Caution

Chapter 11 3 SQL for Users, Roles, and Security

The ability to assign privileges like SELECT and UPDATE belongs solely to the Object Owner, unless the privilege is assigned to another party. Even the DBA cannot assign Object privileges unless the Table Owner gives the DBA appropriate permissions. You must have appropriate privileges to grant the Object privileges. For example, you must have SELECT ON AMY.SALAD_BAR WITH ADMIN OPTION or SELECT ANY TABLE WITH ADMIN OPTION to assign the SELECT privilege on AMYs SALAD_BAR Table. Normally, Object privileges are granted by the Object Owner. However, if you want to enable the DBA to grant Object privileges, you must give the DBA the authority to grant Object privileges. The syntax is:
GRANT PRIVILEGE_NAME ON OBJECT_NAME TO DBA_NAME WITH ADMIN OPTION;

The WITH ADMIN OPTION means a User with this Role can grant the privilege to other Roles and Users. For example, the following SQL command enables the DBA (SYSTEM) to assign the SELECT privilege on the SALAD_BAR Table in the AMY Schema. The Object Owner (AMY) must execute the following SQL:
GRANT SELECT ON SALAD_BAR TO SYSTEM WITH ADMIN OPTION;

Removing Roles or privileges from Users

See Reference Section

REVOKE

The following syntax removes a system privilege or a Role from a User or Role:
REVOKE SYSTEM_PRIVILEGE | ROLE FROM USER | ROLE | PUBLIC

The following syntax removes an Object privilege from a User or Role:

REVOKE OBJECT_PRIVILEGE | ALL ON SCHEMA.OBJECT FROM USER | ROLE | PUBLIC CASCADE CONSTRAINTS
Caution

Only the User who grants a privilege may revoke that privilege. If you attempt to revoke a privilege you did not grant, you receive the following error message:
ORA-01927: original Grantor must Revoke Privileges

Query the Data Dictionary view called ALL_TAB_PRIVS to find the grantor.

Chapter 11 3 Roles

241

Changing a Users default Tablespaces, account lock, profile, or quota

See Reference Section

ALTER USER

If you are the DBA or security manager, you can change the default Tablespaces, account lock, profile, or quotas assigned to any User. The account lock/unlock feature enables you to restrict or allow User access to the database. The syntax for the ALTER USER command follows:
ALTER USER USER [IDENTIFIED [BY PASSWORD | EXTERNALLY]] [ DEFAULT TABLESPACE TABLESPACE] [TEMPORARY TABLESPACE TABLESPACE] [QUOTA {N [K | M] | UNLIMITED} ON TABLESPACE] [,QUOTA {N [K | M] | UNLIMITED} ON TABLESPACE] [PROFILE PROFILE] [DEFAULT ROLE (ROLE1, ROLE2, ) | ALL EXCEPT (ROLE1, ROLE2, ) | NONE]

Write a command to modify any or all parameters in the preceding list. The next section shows how to modify another portion of the Users security.

Switching User or database in SQL

The syntax to switch from one User to another is:
CONNECT USERNAME/PASSWORD [@DATABASENAME]

Type the command while in SQL*Plus or SQL Worksheet.

Roles
This section shows you how to create Roles and assign Roles to Users.
CrossReference

The Security section in Chapter 3 discusses the concepts behind creating and using Roles in Oracle8. Briefly, you use Roles in Oracle8 to pull together sets of privileges, such as access to Tables, for easier management. Once the Role is created and the appropriate privileges are assigned to the Role, you can assign or revoke the Role to your Users. A User inherits all privileges granted to the Role. A User can be assigned any number of Roles. A Role can be assigned any number of privileges. Roles simplify the tasks of adding and removing Users.

242

Chapter 11 3 SQL for Users, Roles, and Security

Creating a new Role

See Reference Section

CREATE ROLE

The following syntax creates a new Role:

CREATE ROLE ROLE [ NOT IDENTIFIED | IDENTIFIED [ BY PASSWORD | EXTERNALLY | GLOBALLY ] ]

The NOT IDENTIFIED option is the default, which enables Users to obtain the Role without typing a password. If you wish to require a password, use the IDENTIFIED BY password. To identify a Role externally, use the IDENTIFIED EXTERNALLY parameters. New to Oracle8, a Role can be defined as unique across multiple databases by specifying the IDENTIFIED GLOBALLY parameter. You must log in as a Username with DBA authority or the CREATE ROLE privilege to create Roles. To modify Roles, you must have the ALTER ANY ROLE privilege. To remove a Role, you must have DROP ANY ROLE privilege. Follow the Oracle8 naming rules for Oracle8 Objects. Refer to the Choosing Names for Users and Passwords sidebar for a quick summary of Object naming guidelines.
See Reference Section

SET ROLE

If a Role requires a password, the User must enter the designated password when activating this Role. See the SET ROLE command in the Command Reference section for information on activating this kind of Role. Oftentimes, you split duties related to Roles between the DBA (who creates the Role) and the application developer (who grants privileges to the Role). In this case, the application developer assigns privileges using SQL*Plus or SQL Worksheet (see the GRANT command in the Command Reference section). You now have a new Role complete with privileges. To use a Roles privileges, you must assign one or more Users to the Role.

Tip

Assigning Users to a Role

After you create the Role, you, as the DBA, can assign this new Role to Users. Here is the syntax to assign a Role to a User:
GRANT ROLENAME TO USERNAME

Chapter 11 3 Roles

243

For example, the User HAROLD is assigned a new Role called SALES in the following SQL command:
GRANT SALES TO HAROLD

Adding Roles or privileges to a Role is very similar.

Adding Roles or privileges to Roles

When you use Roles for security, the Role subsequently receives Object privileges such as the capability to query a Table.
Caution

The ability to assign privileges like SELECT and UPDATE belongs solely to the Object Owner. However, the ability to use Security Manager is usually reserved for the DBA.
GRANT

See Reference Section

The following syntax assigns a Role to a Role:

GRANT ROLENAME1 TO ROLENAME2 [WITH ADMIN OPTION]

The following syntax assigns system privileges to a Role:

GRANT SYSTEM_PRIVILEGE TO ROLENAME2 [WITH ADMIN OPTION]

Refer to Table 11-1 for a list of system privileges. The following syntax assigns an Object privilege to a Role:
GRANT OBJECT_PRIVILEGE | ALL COLUMN ON SCHEMA.OBJECT TO ROLE [WITH GRANT OPTION]

The next section shows how to remove Roles and privileges from a Role.

Removing (revoking) Roles or privileges from Roles

See Reference Section

REVOKE

The following syntax removes a Role from a Role:

REVOKE ROLE FROM ROLE

Caution

Only the User that granted a privilege may revoke that privilege. If you attempt to revoke a privilege you did not grant, you receive the following error message:
ORA-01927: original Grantor must Revoke Privileges.

244

Chapter 11 3 SQL for Users, Roles, and Security

Query the Data Dictionary view called ALL_TAB_PRIVS to find the grantor. The next section shows how to create and manage profiles using SQL commands.

Profiles
Profiles, like Roles, can simplify and streamline the work of the DBA or security officer. A profile is a collection of capabilities given a name and assigned to one or more Oracle8 Users. Profiles, once created, can be assigned to Users. Oracle8 has one profile preloaded with its default database. The profile is named Default. This section shows you how to work with profiles using SQL.

Creating a new profile

See Reference Section

CREATE PROFILE

The following syntax creates a new profile:

CREATE PROFILE LIMIT [SESSIONS_PER_USER [ N | UNLIMITED | DEFAULT ] ] [CPU_PER_SESSION [ N | UNLIMITED | DEFAULT ] ] [CPU_PER_CALL [ N | UNLIMITED | DEFAULT ] ] [CONNECT_TIME [ N | UNLIMITED | DEFAULT ] ] [IDLE_TIME [ N | UNLIMITED | DEFAULT ] ] [LOGICAL_READS_PER_SESSION [ N | UNLIMITED | DEFAULT ] ] [LOGICAL_READS_PER_CALL [ N | UNLIMITED | DEFAULT ] ] [PRIVATE_SGA [ N [ K | M ] | UNLIMITED | DEFAULT ] ] [FAILED_LOGIN_ATTEMPTS [ N | UNLIMITED | DEFAULT ] ] [PASSWORD_LIFE_TIME [ N | UNLIMITED | DEFAULT ] ] [PASSWORD_REUSE_TIME [ N | UNLIMITED | DEFAULT ] ] [PASSWORD_REUSE_MAX [ N | UNLIMITED | DEFAULT ] ] [PASSWORD_LOCK_TIME [ N | UNLIMITED | DEFAULT ] ] [PASSWORD_GRACE_TIME [ N | UNLIMITED | DEFAULT ] ] [PASSWORD_VERIFY_FUNCTION [ FUNCTION | UNLIMITED | DEFAULT ] ] [COMPOSITE_LIMIT [ N | UNLIMITED | DEFAULT ] ]

When you select default on any of the parameters, this profile parameter receives the value of the same parameter in the default profile. You can control password parameters here. See the following Managing password features using profile section for more information.

Chapter 11 3 Profiles

245

Next, assign Users to the newly-created profile.

Assigning a profile to a User

See Reference Section

ALTER USER

The following syntax assigns a profile to a User:

ALTER USERNAME PROFILE PROFILENAME

The next section discusses how to control passwords using the profile.

Managing password features with profile

New Oracle8 features give you, as the DBA, more control over passwords for Oracle8 Users. The new features follow: 3 Expire password. Expire a Users password now or in a designated number of days. Lock the password if not renewed within a designated number of days after expiration. The syntax:
ALTER USER USERNAME EXPIRE PASSWORD

3 Keep password history. Do not enable a User in a specified profile to reuse a prior password. Choose either a number of days before reuse is allowed or a number of passwords before reuse is allowed. The syntax to limit the number of days:
ALTER PROFILE PROFILENAME LIMIT PASSWORD_REUSE_TIME[N]

The syntax to limit the number of passwords:

ALTER PROFILE PROFILENAME LIMIT PASSWORD_REUSE_MAX[N]

These two password parameters are mutually exclusive. 3 Enforce complexity. Use a third-party script or write your own script to validate the password complexity for Users using the current profile. The syntax for password complexity:
ALTER PROFILE profilename LIMIT Password_VERIFY_FUNCTION [function]

The function named in this parameter is a password verification routine, possibly written by a third party.

246

Chapter 11 3 SQL for Users, Roles, and Security

3 Lock account on failed log on. Choose how many days a User is locked after failing to type a valid password a designated number of times. The syntax for adding this parameter to a profile:
ALTER PROFILE PROFILENAME LIMIT PASSWORD_LOCK_TIME[N]

The syntax for the CREATE PROFILE command is listed in the preceding section. Any of these password parameters can be listed in the CREATE PROFILE command as well as the ALTER PROFILE command.

Summary
Together, Users and Roles form a foundation for your Oracle8 database. Users are assigned privileges depending on how they will work with the database. Roles enable the DBA and the application developer to simplify privilege management by lumping related privileges together under a single Role. Subsequently, a new User can be assigned (granted) to a single Role rather than assigned numerous privileges individually. Profiles also manage the capabilities of individual Users without assigning each User a whole array of capabilities. A profile contains the set of capabilities needed for a certain type of User that User is then assigned to the appropriate profile. Again, this strategy saves time for the DBA and simplifies security management. The following chapter, SQL for Tables, shows how to create and modify Tables using SQL commands.