Copyright س Oracle Corporation, 1998. All rights reserved. 14 Controlling User Access.
-
Upload
hilary-garrett -
Category
Documents
-
view
218 -
download
4
Transcript of Copyright س Oracle Corporation, 1998. All rights reserved. 14 Controlling User Access.
Copyright س Oracle Corporation, 1998. All rights reserved.
1414
Controlling User AccessControlling User Access
14-2 Copyright س Oracle Corporation, 1998. All rights reserved.
ObjectivesObjectives
After completing this lesson, you should After completing this lesson, you should be able to do the following:be able to do the following:
• Create users
• Create roles to ease setup and maintenance of the security model
• Use the GRANT and REVOKE statements to grant and revoke object privileges
After completing this lesson, you should After completing this lesson, you should be able to do the following:be able to do the following:
• Create users
• Create roles to ease setup and maintenance of the security model
• Use the GRANT and REVOKE statements to grant and revoke object privileges
14-3 Copyright س Oracle Corporation, 1998. All rights reserved.
Controlling User AccessControlling User Access
DatabaseDatabaseadministratoradministrator
UsersUsers
Username and passwordprivileges
14-4 Copyright س Oracle Corporation, 1998. All rights reserved.
PrivilegesPrivileges
• Database security:– System security– Data security
• System privileges: Gain access to the database
• Object privileges: Manipulate the content of the database objects
• Schema: Collection of objects, such as tables, views, and sequences
• Database security:– System security– Data security
• System privileges: Gain access to the database
• Object privileges: Manipulate the content of the database objects
• Schema: Collection of objects, such as tables, views, and sequences
14-5 Copyright س Oracle Corporation, 1998. All rights reserved.
System PrivilegesSystem Privileges
• More than 80 privileges are available.
• The DBA has high-level system privileges:– Create new users– Remove users– Remove tables– Back up tables
• More than 80 privileges are available.
• The DBA has high-level system privileges:– Create new users– Remove users– Remove tables– Back up tables
14-6 Copyright س Oracle Corporation, 1998. All rights reserved.
Creating UsersCreating Users
The DBA creates users by using the The DBA creates users by using the CREATE USER statement.CREATE USER statement.The DBA creates users by using the The DBA creates users by using the CREATE USER statement.CREATE USER statement.
SQL> CREATE USER scott 2 IDENTIFIED BY tiger;User created.User created.
SQL> CREATE USER scott 2 IDENTIFIED BY tiger;User created.User created.
CREATE USER user IDENTIFIED BY password;
CREATE USER user IDENTIFIED BY password;
14-7 Copyright س Oracle Corporation, 1998. All rights reserved.
User System PrivilegesUser System Privileges
GRANT privilege [, privilege...]TO user [, user...];
GRANT privilege [, privilege...]TO user [, user...];
• An application developer may have the following system privileges:– CREATE SESSION– CREATE TABLE– CREATE SEQUENCE– CREATE VIEW– CREATE PROCEDURE
• An application developer may have the following system privileges:– CREATE SESSION– CREATE TABLE– CREATE SEQUENCE– CREATE VIEW– CREATE PROCEDURE
• Once a user is created, the DBA can grant specific system privileges to a user.
• Once a user is created, the DBA can grant specific system privileges to a user.
14-8 Copyright س Oracle Corporation, 1998. All rights reserved.
Granting System PrivilegesGranting System Privileges
The DBA can grant a user specific system The DBA can grant a user specific system privileges.privileges.The DBA can grant a user specific system The DBA can grant a user specific system privileges.privileges.
SQL> GRANT create table, create sequence, create view 2 TO scott;Grant succeeded.Grant succeeded.
SQL> GRANT create table, create sequence, create view 2 TO scott;Grant succeeded.Grant succeeded.
14-9 Copyright س Oracle Corporation, 1998. All rights reserved.
What Is a Role?What Is a Role?
Allocating privilegesAllocating privilegeswithout a rolewithout a role
Allocating privilegesAllocating privilegeswith a rolewith a role
PrivilegesPrivileges
UsersUsers
ManagerManager
14-10 Copyright س Oracle Corporation, 1998. All rights reserved.
Creating and Granting Privileges to a Role
Creating and Granting Privileges to a Role
SQL> CREATE ROLE manager;Role created.Role created.
SQL> CREATE ROLE manager;Role created.Role created.
SQL> GRANT create table, create view 2 to manager; Grant succeeded.Grant succeeded.
SQL> GRANT create table, create view 2 to manager; Grant succeeded.Grant succeeded.
SQL> GRANT manager to BLAKE, CLARK; Grant succeeded.Grant succeeded.
SQL> GRANT manager to BLAKE, CLARK; Grant succeeded.Grant succeeded.
14-11 Copyright س Oracle Corporation, 1998. All rights reserved.
Changing Your PasswordChanging Your Password
• The DBA creates your user account and initializes your password.
• You can change your password by using the ALTER USER statement.
• The DBA creates your user account and initializes your password.
• You can change your password by using the ALTER USER statement.
SQL> ALTER USER scott 2 IDENTIFIED BY lion;User altered.User altered.
SQL> ALTER USER scott 2 IDENTIFIED BY lion;User altered.User altered.
14-12 Copyright س Oracle Corporation, 1998. All rights reserved.
Object Privilege Table View Sequence Procedure
ALTER ضض
DELETE ضض
EXECUTE ض
INDEX ض
INSERT ضض
REFERENCES ض
SELECT ضضض
UPDATE ضض
Object PrivilegesObject Privileges
14-13 Copyright س Oracle Corporation, 1998. All rights reserved.
Object PrivilegesObject Privileges
• Object privileges vary from object to object.
• An owner has all the privileges on the object.
• An owner can give specific privileges on that owner’s object.
• Object privileges vary from object to object.
• An owner has all the privileges on the object.
• An owner can give specific privileges on that owner’s object.
GRANT object_priv [(columns)] ON object TO {user|role|PUBLIC} [WITH GRANT OPTION];
GRANT object_priv [(columns)] ON object TO {user|role|PUBLIC} [WITH GRANT OPTION];
14-14 Copyright س Oracle Corporation, 1998. All rights reserved.
Granting Object PrivilegesGranting Object Privileges
SQL> GRANT select 2 ON emp 3 TO sue, rich;Grant succeeded.Grant succeeded.
SQL> GRANT select 2 ON emp 3 TO sue, rich;Grant succeeded.Grant succeeded.
SQL> GRANT update (dname, loc) 2 ON dept 3 TO scott, manager;Grant succeeded.Grant succeeded.
SQL> GRANT update (dname, loc) 2 ON dept 3 TO scott, manager;Grant succeeded.Grant succeeded.
• Grant query privileges on the EMP table.• Grant query privileges on the EMP table.
• Grant privileges to update specific columns to users and roles.
• Grant privileges to update specific columns to users and roles.
14-15 Copyright س Oracle Corporation, 1998. All rights reserved.
Using WITH GRANT OPTION and PUBLIC Keywords
Using WITH GRANT OPTION and PUBLIC Keywords
• Allow all users on the system to query data from Alice’s DEPT table.
• Allow all users on the system to query data from Alice’s DEPT table.
SQL> GRANT select, insert 2 ON dept 3 TO scott 4 WITH GRANT OPTION;Grant succeeded.Grant succeeded.
SQL> GRANT select, insert 2 ON dept 3 TO scott 4 WITH GRANT OPTION;Grant succeeded.Grant succeeded.
SQL> GRANT select 2 ON alice.dept 3 TO PUBLIC;Grant succeeded.Grant succeeded.
SQL> GRANT select 2 ON alice.dept 3 TO PUBLIC;Grant succeeded.Grant succeeded.
• Give a user authority to pass along the privileges.
• Give a user authority to pass along the privileges.
14-16 Copyright س Oracle Corporation, 1998. All rights reserved.
Confirming Privileges GrantedConfirming Privileges Granted
Data Dictionary Table Description
ROLE_SYS_PRIVS System privileges granted to roles
ROLE_TAB_PRIVS Table privileges granted to roles
USER_ROLE_PRIVS Roles accessible by the user
USER_TAB_PRIVS_MADE Object privileges granted on the user’s objects
USER_TAB_PRIVS_RECD Object privileges granted to the user
USER_COL_PRIVS_MADE Object privileges granted on the columns of the user’s objects
USER_COL_PRIVS_RECD Object privileges granted to the user on specific columns
14-17 Copyright س Oracle Corporation, 1998. All rights reserved.
How to Revoke Object PrivilegesHow to Revoke Object Privileges
• You use the REVOKE statement to revoke privileges granted to other users.
• Privileges granted to others through the WITH GRANT OPTION will also be revoked.
• You use the REVOKE statement to revoke privileges granted to other users.
• Privileges granted to others through the WITH GRANT OPTION will also be revoked.
REVOKE {privilege [, privilege...]|ALL}ON objectFROM {user[, user...]|role|PUBLIC}[CASCADE CONSTRAINTS];
REVOKE {privilege [, privilege...]|ALL}ON objectFROM {user[, user...]|role|PUBLIC}[CASCADE CONSTRAINTS];
14-18 Copyright س Oracle Corporation, 1998. All rights reserved.
Revoking Object PrivilegesRevoking Object Privileges
As user Alice, revoke the SELECT and As user Alice, revoke the SELECT and INSERT privileges given to user Scott on INSERT privileges given to user Scott on the DEPT table.the DEPT table.
As user Alice, revoke the SELECT and As user Alice, revoke the SELECT and INSERT privileges given to user Scott on INSERT privileges given to user Scott on the DEPT table.the DEPT table.
SQL> REVOKE select, insert 2 ON dept 3 FROM scott;Revoke succeeded.Revoke succeeded.
SQL> REVOKE select, insert 2 ON dept 3 FROM scott;Revoke succeeded.Revoke succeeded.
14-19 Copyright س Oracle Corporation, 1998. All rights reserved.
SummarySummaryStatement Action
CREATE USER Allows the DBA to create a user
GRANT Allows the user to give other usersprivileges to access the user’sobjects
CREATE ROLE Allows the DBA to create a collectionof privileges
ALTER USER Allows users to change theirpassword
REVOKE Removes privileges on an object fromusers
14-20 Copyright س Oracle Corporation, 1998. All rights reserved.
Practice OverviewPractice Overview
• Granting other users privileges to your table
• Modifying another user’s table through the privileges granted to you
• Creating a synonym
• Querying the data dictionary views related to privileges
• Granting other users privileges to your table
• Modifying another user’s table through the privileges granted to you
• Creating a synonym
• Querying the data dictionary views related to privileges
14-21 Copyright س Oracle Corporation, 1998. All rights reserved.
GO TO LECTURE #15GO TO LECTURE #15