Week 7 Lecture 1 Database Roles. Learning Objectives Discover when and why to use roles Learn how...
Week 7 Lecture 1
Database Roles
Learning Objectives
Discover when and why to use roles
Learn how to create, modify, and remove roles
Learn how to assign roles
Examine data dictionary views of roles
Assign roles and privileges using the Enterprise Management console
Introduction to Roles
A role is a named collection of privileges that can be assigned to users or even to another role.
Roles simplify database maintenance by giving you an easy way to assign a set of privileges to new users.
How to Use Roles
Simplify security
Grant privileges once to a role and then assign that role to multiple users
Revise the privileges in a role and the change is automatically reflected for every user who has the role.
Predefined Roles
CONNECT: Logs onto the database and performs limited activities within the user's own schema, such as creating tables, views, synonyms, and database links.
DBA: Manages the database, including these tasks: creates users, profiles, and roles, and grants privileges; manages storage and security; starts up and shuts down the database.
DELETE_CATALOG_ROLE: Gives the user the ability to delete from tables owned by SYS. This role was added because the system privilege DELETE ANY TABLE specifically excludes deleting from tables owned by SYS.
EXECUTE_CATALOG_ROLE: Enables the user to execute any package supplied by Oracle that is owned by SYS. Most supplied packages are owned by SYS, and those most commonly used already allow users to execute them. If additional packages are needed, grant the user this role.
More Predefined Roles
EXP_FULL_DATABASE: Exports the database using the EXPORT utility.
IMP_FULL_DATABASE: Imports the database using the IMPORT utility.
RESOURCE: Provides more extensive abilities to create objects, such as procedures, triggers, and object types, for users who need to create their own objects.
SELECT_CATALOG_ROLE: Allows the user to query any data dictionary view or table owned by SYS. This can give a user more access to certain data dictionary views, although usually a user can already access those he needs, because the most common data dictionary views are viewable by all users.
Creating Roles
Roles are used to consolidate a group of system or object privileges.
Syntax for creating a role:
CREATE ROLE <name>
NOT IDENTIFIED|IDENTIFIED BY <password>
Creating Roles
NOT IDENTIFIED means that no additional authorization is required. This is the default, so omitting the clause is the same as including NOT IDENTIFIED.
The alternative is IDENTIFIED BY <password>, which means that the user must provide the correct password to be able to use the privileges within that role.
Granting Privileges to a Role
Granting privileges to a role is done in exactly the same way as granting privileges to a user
Syntax for the GRANT command, used to grant privileges to a role:
GRANT <privilege> TO <role>;
You cannot add WITH ADMIN OPTION or WITH GRANT OPTION when granting a privilege to a role.
Granting a Role to a User
To grant a role to a user, use the GRANT command again with the following syntax:
GRANT <role> TO <user>|<role>
WITH ADMIN OPTION;
Include the WITH ADMIN OPTION only when you want the user to be able to grant the role to other users.
If you grant a role to a second role with the WITH ADMIN OPTION, any user who is granted the second role is allowed to grant the first role to others.
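The three steps above (create the role, grant privileges to it, grant it to a user or another role) as one worked Oracle SQL sequence. This is an added example, not taken from the lecture slides; the role names APP_READER and APP_WRITER, the user JSMITH, the table HR.EMPLOYEES and the role password are all constructed for illustration.

```sql
-- Added example (not from the lecture). APP_READER, APP_WRITER, JSMITH,
-- HR.EMPLOYEES and the password WRITERPW1 are constructed names.

-- 1. A role that needs no extra authorization.
--    NOT IDENTIFIED is the default, so the clause could be omitted.
CREATE ROLE app_reader NOT IDENTIFIED;

-- 2. A role protected by a password: a session must supply it in SET ROLE
--    before the role's privileges become usable.
CREATE ROLE app_writer IDENTIFIED BY writerpw1;

-- 3. Grant privileges to the roles exactly as you would to a user.
--    Note there is no WITH ADMIN OPTION / WITH GRANT OPTION here: the lecture
--    states those clauses are not used when granting privileges to a role.
GRANT CREATE SESSION TO app_reader;
GRANT SELECT ON hr.employees TO app_reader;
GRANT INSERT, UPDATE ON hr.employees TO app_writer;

-- 4. Grant a role to another role: anyone holding APP_WRITER also gets
--    everything granted to APP_READER.
GRANT app_reader TO app_writer;

-- 5. Grant the roles to a user. WITH ADMIN OPTION on APP_READER lets JSMITH
--    pass that role on to other users; APP_WRITER is granted without it,
--    so JSMITH can use it but cannot re-grant it.
GRANT app_reader TO jsmith WITH ADMIN OPTION;
GRANT app_writer TO jsmith;
```

From a least-privilege standpoint the pattern to note is in step 5: grant WITH ADMIN OPTION only to the accounts that genuinely need to administer the role, because every holder of an admin-option grant can widen the role's membership.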
Modifying a Role
The only part of a role you can change is whether it uses a password. Syntax of the ALTER ROLE command:
ALTER ROLE <name>
NOT IDENTIFIED|IDENTIFIED BY <password>
When a role switches to requiring a password, users currently logged on who are granted the role are unaffected until they log off and back on again.
Limiting Availability and Removing Roles
You can control when a role becomes enabled for a user
Default roles: Automatically enabled when the user logs onto the database. The role's creator or the DBA can adjust the default roles for a user using the ALTER USER command.
Enable roles: The user with a role can enable or disable his role with the SET ROLE command.
Drop roles: The DBA can drop the role from the database entirely and thereby cancel the role for all users who had it.
Limiting Availability and Removing Roles
Syntax for changing a user’s default role:
ALTER USER <username> DEFAULT ROLE
<role>,...|ALL|ALL EXCEPT <role>,...|NONE
Limiting Availability and Removing Roles
The DBA can issue the ALTER USER command to adjust the default roles for a user
When it is granted to a user, the role is automatically in the list of default roles
The only way to remove the role from the user’s default roles is by issuing the ALTER USER command
To remove all the roles at once, use the NONE clause
Limiting Availability and Removing Roles
The user can issue the SET ROLE command to adjust his enabled roles
The SET ROLE command has the following syntax:
SET ROLE
<role> [IDENTIFIED BY <password>],...|ALL|ALL EXCEPT <role>,...|NONE
Limiting Availability and Removing Roles
To enable roles with passwords, include the IDENTIFIED BY <password> clause
Any role not listed is disabled
Enable all roles by using ALL
Disable all roles by using NONE
The roles remain enabled or disabled until the user issues another SET ROLE command, or until the user logs off. When the user logs on again, his roles are reset to the default roles dictated by the DBA.
Limiting Availability and Removing Roles
The user can issue the DROP ROLE command to revoke the role's privileges from all users and roles to which it was assigned.
The DROP ROLE command has the following syntax:
DROP ROLE <role>;
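The ALTER ROLE, ALTER USER ... DEFAULT ROLE, SET ROLE and DROP ROLE commands from the preceding slides, carried through on one role. This is an added example, not part of the lecture; it assumes the constructed roles APP_READER and APP_WRITER and the user JSMITH already exist, with APP_WRITER granted to JSMITH.

```sql
-- Added example (not from the lecture). APP_READER, APP_WRITER, JSMITH and the
-- password WRITERPW1 are constructed names; the roles are assumed to exist.

-- 1. ALTER ROLE can change only whether the role requires a password.
--    Sessions that already have APP_WRITER enabled are unaffected until they
--    log off and on again.
ALTER ROLE app_writer IDENTIFIED BY writerpw1;

-- 2. Default roles (run as DBA). Every granted role is a default role until
--    ALTER USER says otherwise; here APP_WRITER stays granted to JSMITH but is
--    no longer enabled automatically at logon, so write access is opt-in.
ALTER USER jsmith DEFAULT ROLE ALL EXCEPT app_writer;

-- 3. In JSMITH's own session: enable the password-protected role for the rest
--    of the session. Any granted role NOT listed here (APP_READER) is disabled
--    by this statement, so list every role the session still needs.
SET ROLE app_reader, app_writer IDENTIFIED BY writerpw1;

-- 4. Enable every granted role except the password-protected one ...
SET ROLE ALL EXCEPT app_writer;
-- ... or disable all roles for the rest of the session. Either way the
--     roles go back to the DBA-set defaults at the next logon.
SET ROLE NONE;

-- 5. Remove the role entirely (run as DBA). It is revoked at once from every
--    user and role that held it; no per-user REVOKE is needed.
DROP ROLE app_writer;
```

Step 2 is the defensive use of default roles: a privileged role can be granted to an account yet left disabled until the session explicitly enables it, which keeps routine sessions running with the smaller privilege set.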
Data Dictionary Information about Roles
ALL_TAB_PRIVS_MADE All object privileges granted and by whom
DBA_ROLE_PRIVS All roles and grantees including users and roles
DBA_ROLES All the roles in the database
DBA_SYS_PRIVS All system privileges granted to users or roles
DBA_TAB_PRIVS All object privileges granted to users or roles
Data Dictionary Information about Roles
ROLE_ROLE_PRIVS Roles granted to other roles that the current user can enable
ROLE_SYS_PRIVS System privileges granted to roles that the current user can enable
ROLE_TAB_PRIVS Object privileges granted to roles that the current user can enable
SESSION_ROLES Roles currently enabled in your session
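Queries against the views listed on the two slides above, showing how to answer the questions a reviewer of role grants usually asks. This is an added example, not from the lecture; APP_READER, APP_WRITER and JSMITH are constructed names, and the DBA_* queries assume a session that is allowed to read those views (the ROLE_* views show only roles the current session can enable).

```sql
-- Added example (not from the lecture). APP_READER, APP_WRITER and JSMITH are
-- constructed names. Dictionary names are stored in upper case, hence the
-- upper-case literals.

-- Who holds a role, whether they can re-grant it (ADMIN_OPTION) and whether
-- it is enabled at logon (DEFAULT_ROLE). Grantees can be users or other roles.
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role IN ('APP_READER', 'APP_WRITER')
 ORDER BY granted_role, grantee;

-- The role hierarchy: roles granted to other roles that this session can enable.
SELECT role, granted_role, admin_option
  FROM role_role_privs
 ORDER BY role, granted_role;

-- Every system privilege carried by a role this session can enable.
SELECT role, privilege
  FROM role_sys_privs
 WHERE role = 'APP_READER';

-- Object privileges that reach JSMITH through directly granted roles.
-- DBA_TAB_PRIVS includes grants made to roles; USER_TAB_PRIVS (queried as
-- JSMITH) would list only privileges granted to JSMITH directly.
SELECT grantee AS via_role, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee IN (SELECT granted_role
                     FROM dba_role_privs
                    WHERE grantee = 'JSMITH')
 ORDER BY grantee, owner, table_name;

-- Roles enabled right now in the current session (after any SET ROLE).
SELECT role
  FROM session_roles
 ORDER BY role;
```

The subquery in the fourth statement follows only one level of the role hierarchy; roles reached through a role granted to a role would need a recursive query over DBA_ROLE_PRIVS, which is why ROLE_ROLE_PRIVS is worth checking when auditing what a user can actually enable.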
Roles in the Enterprise Manager Console
Security Manager contains a Roles folder. If you select the Roles folder you will see a list of all the defined roles.
[Screenshot: Roles folder and role list]
Roles in the Enterprise Manager Console
If you select a role, the property sheet will be displayed for that role. Selecting the System tab will allow you to see all system privileges granted to this role.
[Screenshot: System tab showing the system privileges of the CONNECT role]
Roles in the Enterprise Manager Console
Selecting the Object tab will allow you to see all object privileges granted to this role.
Available privileges are at the top, and granted privileges are at the bottom.
[Screenshot: Object tab for the SELALL role, with active privileges above and granted privileges below]
Roles in the Enterprise Manager Console
Clicking the up and down arrows grants and revokes privileges.
[Screenshot: available privileges for the WANT_AD object, the grant and revoke arrows, and the granted privileges list]
Roles in the Enterprise Manager Console
Once you have used the arrow to select a privilege to grant or remove, you must execute it by pressing the Apply button.
Privileges selected with the arrows but not yet applied are marked with an icon.
[Screenshot: a privilege selected for granting, the not-yet-applied icon, and the Apply button]
Roles in the Enterprise Manager Console
Right-click a role in Security Manager and a popup will appear. Select Show Grantees to display a window of all users granted this role.
[Screenshot: user list of users granted this role, with the Admin Option column]
Lecture Summary
Roles simplify security administration.
Roles can be granted other roles, system privileges, and object privileges.
Predefined roles help speed up administration by providing basic groupings of roles.
Roles with passwords add security to the roles.
You can grant system privileges and object privileges to a role, but you cannot use the WITH ADMIN OPTION or WITH GRANT OPTION clauses.
Lecture Summary
You can grant a role to a role and optionally include the WITH ADMIN OPTION clause.
Create a role with the CREATE ROLE command.
Change a role with the ALTER ROLE command.
Grant privileges to a role with the GRANT command.
USER_TAB_PRIVS does not list privileges granted to the user's roles. DBA_TAB_PRIVS includes privileges granted to roles.
Lecture Summary
Use the ROLE_ROLE_PRIVS view to find roles granted to other roles.
After a user has been granted a role, subsequent grants to the role are effective immediately for the user.
Default roles are roles enabled when you log on. Use ALTER USER to change the default roles for a user.
Use SET ROLE to enable or disable roles in your current session.
Lecture Summary
Use DROP ROLE to drop a role. Dropped roles are automatically revoked from users and other roles.
DBA_TAB_PRIVS lists all object privileges granted to users and roles.
The console displays roles and privileges within Security Manager.