IST 318 Database Administration Lecture 10 Managing Roles.
IST 318 Database Administration
Lecture 10
Managing Roles
Roles
[Diagram: users A, B and C; roles HR_MGR and HR_CLERK; privileges SELECT ON JOBS, INSERT ON JOBS, UPDATE ON JOBS, CREATE TABLE and CREATE SESSION]
Benefits of Roles
• Easier privilege management
• Dynamic privilege management
• Selective availability of privileges
• Can be granted through the operating system
Creating Roles
Roles with ADMIN option:
• Not identified:
CREATE ROLE oe_clerk;
• By password:
CREATE ROLE hr_clerk IDENTIFIED BY bonus;
• Identified externally:
CREATE ROLE hr_manager IDENTIFIED EXTERNALLY;
Predefined Roles
Role Name                 Description
CONNECT, RESOURCE, DBA    These roles are provided for backward compatibility
EXP_FULL_DATABASE         Privileges to export the database
IMP_FULL_DATABASE         Privileges to import the database
DELETE_CATALOG_ROLE       DELETE privileges on data dictionary tables
EXECUTE_CATALOG_ROLE      EXECUTE privilege on data dictionary packages
SELECT_CATALOG_ROLE       SELECT privilege on data dictionary tables
Modifying Roles
• Use ALTER ROLE to modify the authentication method.
• Requires the ADMIN option or ALTER ANY ROLE privilege.
ALTER ROLE hr_clerk IDENTIFIED EXTERNALLY;
ALTER ROLE hr_manager NOT IDENTIFIED;
ALTER ROLE oe_clerk IDENTIFIED BY order;
Assigning Roles
Use the GRANT command to assign a role:
GRANT hr_clerk TO hr_manager;
GRANT oe_clerk TO scott;
GRANT hr_manager TO scott WITH ADMIN OPTION;
Establishing Default Roles
• A user can be assigned many roles.
• A user can be assigned a default role.
• Limit the number of default roles for a user.
ALTER USER scott DEFAULT ROLE hr_clerk, oe_clerk;
ALTER USER scott DEFAULT ROLE ALL;
ALTER USER scott DEFAULT ROLE ALL EXCEPT hr_clerk;
ALTER USER scott DEFAULT ROLE NONE;
Application Roles
• Application roles can be enabled only by authorized PL/SQL packages.
• The USING package clause creates an application role.
CREATE ROLE admin_role IDENTIFIED USING hr.employee;
Enabling and Disabling Roles
• Disable a role to revoke the role from a user temporarily.
• Enable a role to grant it temporarily.
• The SET ROLE command enables and disables roles.
• Default roles are enabled for a user at login.
• A password may be required to enable a role.
SET ROLE hr_clerk;
SET ROLE oe_clerk IDENTIFIED BY order;
SET ROLE ALL EXCEPT oe_clerk;
Revoking Roles from Users
• Revoking roles from users requires the ADMIN OPTION or GRANT ANY ROLE privilege.
• To revoke a role:
REVOKE oe_clerk FROM scott;
REVOKE hr_manager FROM PUBLIC;
Removing Roles
• Dropping a role:
  - Removes it from all users and roles it was granted to
  - Removes it from the database
• Requires the ADMIN OPTION or DROP ANY ROLE privilege
• To drop a role:
DROP ROLE hr_manager;
Guidelines for Creating Roles
[Diagram with four layers: Users; User roles (HR_MANAGER, HR_CLERK, PAY_CLERK); Application roles (BENEFITS, PAYROLL); Application privileges (Payroll privileges, Benefits privileges)]
Guidelines for Using Passwords and Default Roles
[Diagram: PAY_CLERK_RO is a default role with SELECT privileges; PAY_CLERK is password protected (not default) with INSERT, UPDATE, DELETE, and SELECT privileges]
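The PAY_CLERK / PAY_CLERK_RO pattern from this slide, written out as Oracle SQL together with the data dictionary checks a DBA would run afterwards. This is an added example, not part of the lecture: the table hr.payroll and the password are placeholders, and the user scott is reused from the earlier slides.

```sql
-- Added example. hr.payroll and the password are placeholders (assumptions),
-- not objects from the lecture. Run the first part as a DBA.

-- Read-only role: no password, suitable as a default role.
CREATE ROLE pay_clerk_ro;
GRANT SELECT ON hr.payroll TO pay_clerk_ro;

-- Read-write role: password protected, so it has to be enabled deliberately.
CREATE ROLE pay_clerk IDENTIFIED BY Placeholder_pw_1;
GRANT SELECT, INSERT, UPDATE, DELETE ON hr.payroll TO pay_clerk;

-- Grant both roles, but make only the read-only role a default role.
GRANT pay_clerk_ro, pay_clerk TO scott;
ALTER USER scott DEFAULT ROLE pay_clerk_ro;

-- Check the assignment: DEFAULT_ROLE should be YES for PAY_CLERK_RO only,
-- and ADMIN_OPTION should be NO for both.
SELECT granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee = 'SCOTT'
ORDER  BY granted_role;

-- Check which of the two roles needs a password to be enabled.
SELECT role, password_required
FROM   dba_roles
WHERE  role IN ('PAY_CLERK', 'PAY_CLERK_RO');

-- As scott, right after login: only the default role is enabled.
SELECT role FROM session_roles;

-- As scott, when write access is needed. SET ROLE replaces the whole set of
-- enabled roles, so list every role that should stay enabled.
SET ROLE pay_clerk IDENTIFIED BY Placeholder_pw_1, pay_clerk_ro;
SELECT role FROM session_roles;

-- As scott, when the write work is done: drop back to read-only.
SET ROLE pay_clerk_ro;
```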
Look at Database through the DBA Views
Three Data Dictionary Views:
• USER_
• ALL_
• DBA_
Commonly used DBA_ views:
• DBA_OBJECTS
• DBA_TABLESPACES, DBA_TABLES
• DBA_DATA_FILES, DBA_TEMP_FILES
• DBA_CONSTRAINTS
• DBA_USERS, DBA_ROLES