
Chapter 13

SECURITY

Users and privileges
Object privileges
Granting object privileges
Using synonyms
Revoking object privileges
System privileges
Using roles
ALTER USER command
Data dictionary views

Users and Privileges


Every user in Oracle must have a valid username and password. In order to access the Oracle database, one must log on using a username and password. At the time of creation of the database, Oracle creates two users: SYSTEM and SYS. These two users have privileges to perform administrative operations such as creating users, altering and dropping users, roles, profiles, tablespaces (pieces that make up the database) etc. However, it is possible to create new users using the CREATE USER command as follows:

SQL> create user srikanth identified by oraclebook;
User created.

The above command creates a new user with the name SRIKANTH and password ORACLEBOOK.

Note: In order to create a new user you must log on either as SYSTEM or as SYS.

Though the account with the name SRIKANTH is created, it cannot even log on now, as shown below.

SQL> connect srikanth/oraclebook;
ERROR:
ORA-01045: user SRIKANTH lacks CREATE SESSION privilege; logon denied

The CONNECT command is used to move to another user from the current user. In the above example, we were moving from SYSTEM to SRIKANTH.

The error indicates that user SRIKANTH lacks the CREATE SESSION privilege. CREATE SESSION is a system privilege, which allows a user to create a session with Oracle (log on).

Note: A session with Oracle starts from the point of login and ends when the user logs out.

In order to permit the user to create a session and perform other operations such as creating tables, views etc., the user must be granted the CONNECT and RESOURCE roles as follows.

SQL> grant connect, resource to srikanth;
Grant succeeded.

We will discuss more about roles later in this chapter. For the time being it is sufficient to know that these two roles will enable SRIKANTH to connect to the Oracle database and also allow him to create and use objects.

Privilege
A privilege is a right to access an object such as a table, view etc., or to execute a particular type of SQL command such as CREATE TABLE. Privileges are classified into two categories depending upon what type of right they confer on the user:

System privileges
Object privileges

System privilege
A system privilege is a right to perform a certain operation in the system. For example, the CREATE SESSION privilege allows a user to create a session with Oracle, the CREATE TABLE privilege allows a user to create a table, and so on. Generally system privileges are granted to users through roles. Only DBAs are concerned with system privileges.

Object privilege
An object privilege is a right to perform a particular operation on an object. An object is either a table, view, sequence, procedure, function, or package. The next section will discuss more about object privileges.

Object Privileges
A user owns the objects that he/she creates. The owner has complete access to the object. For example, if the object is a table then the owner can select, insert, delete, update, alter, create an index on the table and even drop the table. Other users do not have any access to the object unless they are granted a privilege explicitly. The following is the list of object privileges available in Oracle.

Privilege     What is permitted?
ALTER         Changing the definition of the object.
DELETE        Deleting rows from the object.
EXECUTE       Executing the object.
INDEX         Creating an index on the object.
INSERT        Inserting rows into the object.
REFERENCES    Referencing the object in a foreign key constraint.
SELECT        Selecting rows from the object.
UPDATE        Updating the data of the object.

Table 1: Object Privileges.

As you see in table 1, each object privilege specifies what can be done with an object. But not all object privileges are applicable to all objects. For instance, the ALTER privilege is not applicable to views; similarly the EXECUTE privilege is applicable only to procedures and functions. For the list of object privileges available on different types of objects, see table 2.

Object                                          Privileges Available
TABLE                                           SELECT, INSERT, DELETE, UPDATE, ALTER, INDEX, REFERENCES.
VIEW                                            SELECT, INSERT, UPDATE, and DELETE.
SEQUENCE                                        SELECT, ALTER.
PROCEDURE, FUNCTION, PACKAGE and OBJECT TYPE    EXECUTE.

Table 2: Availability of object privileges.

In the next section we will see how to grant privileges to other users so that they can access objects and perform the required operations.

Granting Object Privileges


In order to grant object privileges, use the GRANT command.

GRANT {object_priv | ALL} [(column [,column]...)]
      [,{object_priv | ALL} [(column [,column]...)]] ...
ON object
TO {user | role | PUBLIC} [,{user | role | PUBLIC}] ...
[WITH GRANT OPTION]

object_priv is any of the object privileges listed in table 1. ALL is used to grant all available object privileges on the object.

PUBLIC is used to grant the privilege to all the users of the system.

Now assume user SRIKANTH is the owner of the COURSES table and he wants to grant the SELECT privilege on the COURSES table to user PRANEETH. The following command will do just that.

grant select on courses to praneeth;

The following command grants all available privileges on the COMPBATCHES view to PRANEETH.

grant all on compbatches to praneeth;

It is possible to restrict the privilege to a few columns in the case of the UPDATE, INSERT and REFERENCES privileges. The following command will grant the UPDATE privilege to PRANEETH on the DURATION column of the COURSES table.

grant update(duration) on courses to praneeth;

WITH GRANT OPTION allows the grantee to grant the privilege to other users.

Accessing other users' objects

When a user wants to access a table of another user, the table name must be preceded by the name of the user who owns the table. Otherwise Oracle assumes that the current user owns the table, and if the table is not found under the current user's account then Oracle displays an error. For example, if PRANEETH tries to access the COURSES table, on which he has been granted the SELECT privilege, from his account, the following happens.

SQL> select * from courses;
select * from courses
              *
ERROR at line 1:
ORA-00942: table or view does not exist

Oracle assumes the COURSES table belongs to user PRANEETH. To specify that the COURSES table belongs to SRIKANTH and not PRANEETH, we have to precede the table name with the username:

owner.tablename

For example, to access the COURSES table from user PRANEETH, give the following command.

select * from srikanth.courses;

Using synonyms
To simplify accessing tables owned by other users, create a SYNONYM. A synonym is an alias to a table or a view. By creating a synonym you can avoid giving the owner name while accessing tables of others.

The following CREATE SYNONYM command creates a synonym, which is an alias to the COURSES table of SRIKANTH. Remember the synonym is to be created in the account of PRANEETH and not in the account of SRIKANTH.

SQL> create synonym COURSES for srikanth.courses;
Synonym created.

Once a synonym is created, you can use the synonym to refer to the table. So to refer to SRIKANTH.COURSES, user PRANEETH may give:

SQL> select * from courses;

PUBLIC Synonym

If the synonym is to be available to all the users of the system, create a public synonym by including the option PUBLIC in the CREATE SYNONYM command. The following sequence of commands will create a public synonym that is accessible to all the users in the system.

grant select on courses to public;

The above command grants the SELECT privilege on the COURSES table to all users of the database. Then create a public synonym on SRIKANTH.COURSES so that any user can access the table using the synonym.

create public synonym courses for srikanth.courses;

Note: To create a public synonym you must have the CREATE PUBLIC SYNONYM system privilege.

Now, it is possible for anyone in the system to access the SRIKANTH.COURSES table by using the public synonym. For example, user ANURAG can access the COURSES table using the public synonym as follows:

select * from courses;
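The whole flow above, from the owner's grant through the owner-qualified name, a private synonym and finally a public synonym, as one worked script. This is an added example and not the chapter's own code: the COURSES table definition and its sample row are constructed here, the users are the chapter's SRIKANTH, PRANEETH and ANURAG, and the session changes are marked in comments because each part must be run while connected as that user.

```sql
-- Added example, not from the chapter. COURSES and its row are constructed.

-- As SRIKANTH (owner): create the table and hand out narrowly scoped rights.
CREATE TABLE courses (
    ccode    VARCHAR2(5) PRIMARY KEY,
    name     VARCHAR2(30),
    duration NUMBER(3),
    fee      NUMBER(8,2)
);
INSERT INTO courses VALUES ('C1', 'Oracle', 30, 5000);
COMMIT;

GRANT SELECT ON courses TO praneeth;             -- read the whole table
GRANT UPDATE (duration) ON courses TO praneeth;  -- change one column only

-- As PRANEETH: an unqualified name is resolved in PRANEETH's own schema
-- before any privilege is consulted, so this fails even though the
-- privilege exists.
SELECT * FROM courses;

-- Qualify with the owner, or hide the owner behind a private synonym.
SELECT * FROM srikanth.courses;
CREATE SYNONYM courses FOR srikanth.courses;
SELECT * FROM courses;

-- The column restriction is enforced: the first UPDATE succeeds,
-- the second is refused because FEE was not in the grant.
UPDATE courses SET duration = 45 WHERE ccode = 'C1';
UPDATE courses SET fee = 0 WHERE ccode = 'C1';

-- As SRIKANTH again: opening the table to everyone takes two steps,
-- a grant to PUBLIC and (optionally) a public synonym so nobody needs
-- the owner prefix. The synonym alone conveys no access.
GRANT SELECT ON courses TO PUBLIC;
CREATE PUBLIC SYNONYM courses FOR srikanth.courses;  -- needs CREATE PUBLIC SYNONYM

-- As ANURAG: the name now resolves through the public synonym.
SELECT ccode, name FROM courses;
```

The two failing statements are left in deliberately. The unqualified SELECT fails with ORA-00942, the same error shown earlier, because name resolution happens in PRANEETH's schema first; the UPDATE of FEE fails with ORA-01031 (insufficient privileges) because the grant was restricted to DURATION. If the GRANT ... TO PUBLIC were omitted, ANURAG's final query would still fail with ORA-00942: a public synonym only maps a name, it never grants a privilege.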

WITH GRANT OPTION

Using the option WITH GRANT OPTION with the GRANT command allows the grantee to grant the privilege that he/she received to other users. In the following example, SRIKANTH grants the SELECT privilege on COURSES to PRANEETH with the option WITH GRANT OPTION.

grant select on courses to praneeth with grant option;

Now user PRANEETH can grant the SELECT privilege that he has received from SRIKANTH to ANURAG as follows:

grant select on srikanth.courses to anurag;

Now user ANURAG can access the COURSES table of SRIKANTH as follows.

select * from srikanth.courses;

Note: Though ANURAG has got the privilege from PRANEETH, he has to give SRIKANTH.COURSES to access COURSES because it is owned by SRIKANTH.

Revoking Object Privileges

To revoke the privileges that were granted earlier, use the REVOKE command. Both GRANT and REVOKE commands are DCL commands. The following is the syntax of the REVOKE command.

REVOKE {object_priv | ALL} [,{object_priv | ALL}] ...
ON [schema.]object
FROM {user | role | PUBLIC} [,{user | role | PUBLIC}] ...
[CASCADE CONSTRAINTS]

object_priv is the privilege that is to be revoked. ALL revokes all privileges.

CASCADE CONSTRAINTS drops any referential constraint that was based on a REFERENCES privilege granted earlier. For example, suppose user A granted the REFERENCES privilege to user B on the CCODE column of the COURSES table, and user B has referred to CCODE of COURSES in a references constraint. If user A revokes the REFERENCES privilege, then the references constraint will be deleted if the CASCADE CONSTRAINTS option is used.

The following command will revoke the SELECT privilege on COURSES from PRANEETH.

SQL> revoke select on courses from praneeth;

Revoking is cascading

When a privilege is revoked from a user, if that user has previously granted that privilege to other users then all grantees of that privilege will also lose that privilege. For example, if A grants a privilege to B and B grants that to C, then both B and C will lose the privilege when A revokes the privilege from B.
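An added example (not from the chapter) that runs the grant chain and both kinds of revoke end to end: SRIKANTH gives PRANEETH SELECT with grant option and a column-restricted REFERENCES privilege, PRANEETH re-grants SELECT to ANURAG and builds a foreign key on SRIKANTH's table, then SRIKANTH revokes. The BATCHES table in PRANEETH's schema is constructed here, SRIKANTH.COURSES is assumed to exist with CCODE as its primary key, and ALL_TAB_PRIVS is a standard Oracle view that the chapter's data dictionary table does not list.

```sql
-- Added example, not from the chapter. Sessions are marked in comments.
-- Assumes SRIKANTH.COURSES exists with CCODE as its primary key.

-- As SRIKANTH: the chain A -> B -> C is only possible with WITH GRANT OPTION.
GRANT SELECT ON courses TO praneeth WITH GRANT OPTION;
GRANT REFERENCES (ccode) ON courses TO praneeth;

-- As PRANEETH: pass SELECT down to ANURAG, and use the REFERENCES grant
-- in a foreign key that points at SRIKANTH's table (BATCHES is constructed).
GRANT SELECT ON srikanth.courses TO anurag;
CREATE TABLE batches (
    bcode VARCHAR2(5) PRIMARY KEY,
    ccode VARCHAR2(5),
    CONSTRAINT fk_batches_course FOREIGN KEY (ccode)
        REFERENCES srikanth.courses (ccode)
);

-- As ANURAG: works for now, through the privilege PRANEETH passed on.
SELECT ccode, name FROM srikanth.courses;

-- As SRIKANTH: who holds what on COURSES, and who granted it?
-- The GRANTOR column makes the chain visible.
SELECT grantor, grantee, privilege, grantable
  FROM all_tab_privs
 WHERE table_schema = USER AND table_name = 'COURSES';

-- Revoke from PRANEETH. Object-privilege revokes cascade: ANURAG's SELECT,
-- which was derived from PRANEETH's grant, disappears with it.
REVOKE SELECT ON courses FROM praneeth;

-- PRANEETH's foreign key still depends on the REFERENCES grant, so a plain
-- REVOKE REFERENCES is rejected; CASCADE CONSTRAINTS drops the constraint
-- FK_BATCHES_COURSE together with the privilege.
REVOKE REFERENCES ON courses FROM praneeth CASCADE CONSTRAINTS;

-- As ANURAG: the same query now fails, because his privilege was revoked
-- transitively when PRANEETH lost his.
SELECT ccode, name FROM srikanth.courses;
```

Without CASCADE CONSTRAINTS the second REVOKE is refused with ORA-01981 (CASCADE CONSTRAINTS must be specified to perform this revoke). ANURAG's final query fails with ORA-00942, exactly as if he had never been granted anything: Oracle does not distinguish "no privilege" from "table does not exist" in that error, so the owner-side query of ALL_TAB_PRIVS is the reliable way to see what access remains.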

What is a Role?

A role is a collection of privileges. In cases where granting privileges user by user and table by table is lengthy, a role can come to your rescue. The following are the important characteristics of roles:

- A role is a collection of privileges. The privileges may consist of both system and object privileges.
- A role is dynamic. Users of the role will enjoy whatever new privileges the role has been granted (added after the role has been granted to users). In other words, changes made to the privileges of the role will affect all the users of the role.
- To create a role one must have the CREATE ROLE system privilege.
- Oracle comes with a few predefined roles such as CONNECT, RESOURCE, and DBA.
- A single user can be granted multiple roles.
- A user will use only those roles that are enabled by default. However, a user can enable/disable any roles that are granted to him.

The following sections will explain how to create and use a role.

Creating and using a role

A role is created using the CREATE ROLE command, whose syntax is as follows:

CREATE ROLE rolename [IDENTIFIED BY password]

password is the password of the role. Users must use the password of the role at the time of enabling the role. A password may be used for extra security. The following are the three important steps related to roles. Let us see how to create and use a simple role called MANAGER.

Creating a role using the CREATE ROLE command

The following command creates a role with the name MANAGER.

create role manager;

Granting required privileges to the role

The GRANT command can be used to grant privileges to a role. The following GRANT commands are used to grant privileges to the MANAGER role.

grant select on courses to manager;
grant select, update, insert, delete on batches to manager;
grant all on students to manager;
grant select on payments to manager;

Granting the role to users

A role can be granted to a user using the GRANT command as follows.

grant manager to praneeth;
grant manager to anurag;

Enabling a role

It is possible for a single user to have been granted more than one role. However, not all roles granted to a user may be enabled by default. That means the role is granted to the user but the user cannot use the privileges of the role. At the time of creating the user, or even afterwards, the administrator can specify which roles of the user must be enabled by default. The remaining roles are to be enabled explicitly. If role MANAGER is granted to a user but not enabled, then the user can enable the role as follows:

SQL> set role manager;

The privileges the user currently has depend on the roles that are enabled. The roles that are not currently enabled are called disabled roles and roles that are currently enabled are called enabled roles. For more details on the SET ROLE command, please see the on-line help.

Dropping a role

It is possible to drop a role using the DROP ROLE command. The following command drops the role MANAGER that we created earlier.

drop role manager;

Using a password with a role

It is possible to assign a password to a role. The password is assigned at the time of creating the role, or after the role is created using the ALTER ROLE command.

create role manager identified by efficient;

Then grant a few privileges to the MANAGER role. Though only the DBA can create the role, any user can grant privileges to the role.

grant select on courses to manager;

Now grant the role to user ANURAG:

grant manager to anurag;

Now if user ANURAG wants to access the COURSES table through the role, first he has to enable the role as follows.

set role manager identified by efficient;

As the role is assigned a password, the user must supply the password at the time of enabling the role. If the user doesn't supply the password while enabling the role, the following error occurs.

SQL> set role manager;
set role manager
*
ERROR at line 1:
ORA-01979: missing or invalid password for role 'MANAGER'

ALTER USER Command

The ALTER USER command can be used to modify the characteristics of a user. For example, it can be used to modify:

- Password
- Default roles

To change the password of the current user, the user may give:

alter user praneeth identified by tunu;

It is possible to specify the default roles of a user using the DEFAULT ROLE option of the ALTER USER command as follows:

alter user book default role all except manager;

Note: Except for changing the password, a user cannot change any other of his/her attributes.

Please see the on-line help for the remaining options of the ALTER USER command and their usage.
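The role procedure of the previous sections (create, grant privileges, grant to users, enable with a password) and the DEFAULT ROLE option of ALTER USER, combined in one added example that is not the chapter's own code. The role, users and tables are the chapter's; the verification queries use SESSION_ROLES and USER_ROLE_PRIVS, standard Oracle views not listed in this chapter's data dictionary table, and the session changes are marked in comments.

```sql
-- Added example, not from the chapter. Sessions are marked in comments.

-- As a user holding CREATE ROLE (e.g. SYSTEM): a password-protected role.
CREATE ROLE manager IDENTIFIED BY efficient;

-- As SRIKANTH, the table owner: privileges go to the role, not to people,
-- so adding or removing a privilege later reaches every holder at once.
GRANT SELECT ON courses TO manager;
GRANT SELECT, INSERT, UPDATE, DELETE ON batches TO manager;

-- As SYSTEM: give ANURAG the role but keep it out of his default set,
-- so its privileges are live only when he enables it deliberately.
GRANT manager TO anurag;
ALTER USER anurag DEFAULT ROLE ALL EXCEPT manager;

-- As ANURAG, in a fresh session: MANAGER is granted (DEFAULT_ROLE = NO)
-- but absent from the roles active in this session, so the table is
-- not visible yet.
SELECT granted_role, default_role FROM user_role_privs;
SELECT role FROM session_roles;
SELECT * FROM srikanth.courses;

-- Enable it for this session only; the role password is required.
SET ROLE manager IDENTIFIED BY efficient;
SELECT role FROM session_roles;
SELECT * FROM srikanth.courses;

-- Drop the role's privileges again for the rest of the session.
SET ROLE NONE;
```

The first SELECT on SRIKANTH.COURSES fails with ORA-00942 and the second succeeds; nothing about the grant changed in between, only which roles are enabled in the session. SET ROLE NONE leaves ANURAG with his directly granted privileges and none of his roles, which is the least-privilege state to return to once the role's work is done.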

Data Dictionary Views

Data dictionary views contain information regarding the database in a simple form so that the user can easily understand it. All data dictionary views are based on tables owned by user SYS. Data dictionary tables and views are created at the time of creating the database. The following is the list of data dictionary views that are commonly used.


Data dictionary view    What it contains?
ALL_TAB_COLUMNS         Columns of all tables and views accessible to the user.
ALL_OBJECTS             Objects accessible to the user.
DICTIONARY              Description of data dictionary views.
USER_CATALOG            Tables, views, synonyms and sequences owned by the user.
USER_CLUSTERS           Description of the user's own clusters.
USER_COL_PRIVS          Grants on columns for which the user is the owner, grantor or grantee.
USER_ERRORS             Current errors on stored objects owned by the user.
USER_INDEXES            Description of the user's own indexes.
USER_OBJECTS            Objects owned by the user.
USER_SEQUENCES          Description of the user's own sequences.
USER_SYNONYMS           The user's private synonyms.
USER_TABLES             Description of the user's own tables.
USER_TAB_PRIVS          Grants on tables for which the user is the owner, grantor, or grantee.
USER_TRIGGERS           Triggers owned by the user.
USER_TYPES              Object types created by the user.
USER_USERS              Information about the current user.
USER_VIEWS              Text of views owned by the user.

Table 3: Data dictionary views.

The following is the list of synonyms based on data dictionary views.

Synonym    Data dictionary view
DICT       DICTIONARY
OBJ        USER_OBJECTS
CAT        USER_CATALOG
TABS       USER_TABLES
COLS       USER_TAB_COLUMNS
SEQ        USER_SEQUENCES
SYN        USER_SYNONYMS
IND        USER_INDEXES

Table 4: Synonyms for data dictionary views.

To list all tables owned by the current user, enter:

SQL> select * from tabs;

To list all the objects and their types, enter:

select object_name, object_type from user_objects;

To get the query stored along with a view, enter:

select view_name, text from user_views;



Summary
Security is an important feature of any multi-user database system. Oracle implements security using system privileges and object privileges. System privileges specify which commands a user can execute. Unless otherwise specified, an object (table, view etc.) can be accessed only by its owner. But using object privileges a user can allow other users to access his objects. Roles are used to group privileges. When a role is granted to a user, all the privileges that are granted to the role are granted to the grantee of the role. It greatly simplifies the job of implementing security because with one role many privileges can be granted. Data dictionary views may be used to get useful information regarding objects, users, and the system.

Exercises

1. _________ command is used to change the user password.
2. Which object privilege allows a user to create an index on the table? _____
3. _______ option is used to grant a privilege along with permission to grant the privilege to other users.
4. A role is ____________________________.
5. ______ command is used to revoke a system privilege.
6. __________ data dictionary view may be used to know the tables that a user can access.
7. ______ data dictionary view is used to know the list of tables owned by the current user.
8. ____ is the synonym for the USER_CATALOG data dictionary view.
9. Grant the UPDATE privilege on the STDATE column of the BATCHES table to user PRANEETH with permission to grant the privilege to others.
10. Create a role and assign a few privileges to that role. Assign the role to user ANURAG.
11. Enable the role LEADER.
12. Display the table name and column name of all columns that you can access.

