Chapter 11
Chapter 11
Managing Users
and Security
11
C H A P T E R
✦ ✦ ✦ ✦
In This Chapter
✦ ✦ ✦ ✦
Once you have these items in mind, you can create a new user by issuing a SQL
statement like this one:
This statement creates a new user named JOSEPH and assigns him an initial pass-
word of BIG_CAVE. Joseph’s default tablespace will be the USERS tablespace, and
his temporary tablespace will be TEMP. Joseph has been given unlimited quota on
the USERS tablespace, so he can use any amount of disk space in that tablespace.
Default Tablespaces
When a user creates an object such as a table or an index, that object must be
stored somewhere. In Oracle, you control an object’s storage by assigning it to a
tablespace. If you don’t specify a tablespace when you create an object, Oracle will
pick one for you. The tablespace that Oracle picks will be the one specified as your
default tablespace when your user ID was created.
The benefit of being able to specify a default tablespace for a user is that it allows
users who aren’t very sophisticated or knowledgeable about Oracle to create
tables, indexes, and so forth, without having to worry about where they are stored.
As the DBA, you can still exert some control over where objects are placed because
you control the default tablespace assignments.
You should assign every user a default tablespace. If you don’t specify a default
tablespace when creating a user, then the SYSTEM tablespace is used as the default,
which isn’t good. The SYSTEM tablespace contains the data dictionary and is
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 295
heavily used by Oracle. Placing user objects in the same tablespace can lead to
performance degradation because of disk contention. Even if you don’t ever expect
a user to create any objects, specify a default tablespace anyway. That way, you
won’t be surprised later.
Temporary Tablespaces
Several types of SQL queries require data to be sorted. The obvious examples are
those queries containing ORDER BY clauses, but Oracle can also perform sorts for
GROUP BY queries, DISTINCT queries, and for certain types of joins. Some sorts
can be done in memory, but if the amount of data to be sorted is large enough,
the sorting process requires that some of it be temporarily written to disk.
When Oracle needs temporary storage, it will look to see if the user has been
assigned a temporary tablespace and will perform the sort there. If that tablespace
has been created specifically as a temporary tablespace, the result will be better
performance, because Oracle’s sorting routines have been optimized to take
advantage of temporary tablespace features.
Quotas
A quota is a limit on the amount of disk space that one user is allowed to use. When
you create a user, you have the option of granting the user permission to use some
disk space in your database. You do this by placing one or more QUOTA clauses in
the CREATE USER command. The earlier example used the keyword UNLIMITED to
allow the user JOSEPH to use any amount of disk space in the USERS and TEMP
tablespaces.
You aren’t limited to specifying quota for just the default and temporary tablespaces.
You can assign quota on any tablespace in the database. If you were to later decide
that JOSEPH needed to create objects in the SEAPARK_DATA and SEAPARK_INDEXES
tablespaces, you could issue this command:
Here, Joseph has been granted the authority to use up to 10MB of space in the
SEAPARK_DATA tablespace, and up to 5MB of space in the SEAPARK_INDEXES
tablespace. The M following the numbers in the command stands for MB. You can
also use a suffix of K (for KB). If you give a user quota on a tablespace, and later
decide that you don’t want the user to have any quota on that tablespace, you can
set the user’s quota for that tablespace to zero.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 296
Note You can also click the Create button on the toolbar or select Create from the
Object menu to begin creating a user. With either of these two methods, you will
need to proceed through another dialog box where you choose the type of object
(user, role, or profile) that you are creating.
Tip There’s an easy way to use an existing user as a template when creating a new
user. Right-click the template user in the user list, and then select Create Like from
the pop-up menu. Fill in a new username and password. Make any other changes
that you would like, and then click the Create button to create the new user.
As you can see, this command is simple. You can issue it from either SQL*Plus
or SQLPlus Worksheet.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 300
4. Type the new password in the Enter Password box and again in the Confirm
Password box.
5. Click the Apply button to complete the job.
Security Manager executes the SQL statements necessary to apply the change
and returns you to the main window.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 301
Note The account lock/unlock feature enables you to lock out users from accessing
a database.
To make any of these changes from Security Manager, follow the procedure
described earlier for making a password change. Once you have a user record
selected for editing, you can make any changes you like to that record. The
following sections show you how to make these changes from SQL*Plus.
Changing Tablespaces
You can change the default tablespace for a user by issuing a command like this:
You can change a user’s temporary tablespace using the same method; just use
the keyword TEMPORARY in place of DEFAULT.
Note If you change a user’s default tablespace, don’t forget to assign quota on that
tablespace.
You can re-enable the user’s access by unlocking the account, using this command:
This account lock feature was introduced in Oracle release 8.0, and it provides a
convenient method for temporarily disabling a user without having to drop the user.
Replace profile_name with the name of any valid profile defined for the database.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 302
For example, to reduce Joseph’s quota on the USERS tablespace from 10MB to 5MB,
issue the following command:
You can use as many QUOTA clauses in the command as necessary. Reducing a user’s
quota doesn’t affect data that the user already has stored. Had Joseph already been
using 8MB of data, for example, in the USERS tablespace, reducing his quota to 5MB
would not result in any data being deleted.
Dropping a user
There are two ways to delete a user from the database. One way is to issue the
DROP USER command from SQL*Plus or SQLPlus Worksheet. The other way is
through Server Manager. If a user owns tables, indexes, or other objects, you
normally need to delete those objects before you can drop the user. Using the
CASCADE option allows you to drop a user and his or her data in one shot.
This form of the command requires that there are no tables, indexes, or other
objects owned by the user.
Be careful with this command. You can easily delete a lot of data by mistake.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 303
Unlike issuing the DROP USER command, you don’t need to decide ahead of time
whether you need to use the CASCADE option. If you are deleting some objects that
the user owns, Security Manager will warn you and then apply the CASCADE option
automatically.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 304
Privileges are frequently bundled together into roles. You’ll learn more about roles,
including how to create them, later in this chapter. One of the most commonly granted
roles is the CONNECT role, a default role that you get when you create a database. It
conveys the privileges required to log on to the database and to create common
objects such as views, tables, indexes, and so forth.
Tip To see a list of privileges conveyed by a role such as CONNECT, navigate to that role
in Security Manager and click it. The list of privileges granted to the role will appear
in the right pane.
Oracle provides two types of privileges: system privileges and object privileges.
System privileges give you the ability to do various tasks in an Oracle database.
System privileges are not used to provide access to the tables and views within
that database. Object privileges are used to specify the type of access to the data
a user can have in various objects such as tables, views, and sequences.
GRANT {privilege|role}[,{privilege|role}...]
TO {username|rolename};
You can list as many privileges and roles in the command as you need. The CREATE
SESSION privilege allows a user to log on to a database. The CREATE TABLE command
allows a user to create tables and indexes. You can grant both to the user named
JOSEPH using this command:
You grant a role in the same way that you grant a privilege. To grant Joseph
the CONNECT role, you can issue this command:
You can grant a privilege or a role to all users in the database by using the keyword
PUBLIC in place of a username. For example, the following GRANT allows any user to
use any amount of disk space within the database:
Granting UNLIMITED TABLESPACE to a user has the same effect as if you had given
that user an unlimited quota on each tablespace within the database.
Table 11-1
Commonly Granted Privileges and Roles
Privilege/Role Description
For a complete list of Oracle database privileges, see the entry for the GRANT
command in Appendix A, “SQL Statement Reference.”
The ADMIN option allows Joseph to further grant CREATE TABLE to other users besi-
des himself. The ADMIN option can be very useful if you have created a set of roles in
support of a specific application. You can grant those roles, with the ADMIN option, to
an application administrator, who can then shoulder the burden of properly granting
those roles to application users.
REVOKE {privilege|role}[,{privilege|role}...]
FROM {username|rolename}
For example, the following command revokes CREATE TABLE from the user named
JOSEPH:
If you have granted a privilege to PUBLIC, you can revoke it by using PUBLIC in
place of the username. For example:
As with the GRANT statement, you may revoke any number of roles and privileges
using one command.
You use the GRANT and REVOKE commands to manage object privileges, but the syntax
is slightly different than that used when dealing with system privileges and roles.
Note Object privileges must be granted and revoked by the owner of the object in ques-
tion. Even database administrators cannot grant object privileges for objects
owned by another user.
Only an object owner can grant access to its objects. Even database administrators,
who may be able to read that data because of system privileges that they hold, are
not allowed to grant access to objects owned by another user.
Note By using WITH GRANT OPTION, an object owner can grant a specific object privi-
lege to another user and allow that user to further grant it to others.
As an example, suppose that you want to grant the user named HAROLD the ability
to query the checkup history of animals in Seapark, and that you also want HAROLD
to be able to insert new checkup records. To do all this, you need to log on as the
SEAPARK user and issue the following commands:
The SELECT privileges are needed on the first two tables, because HAROLD will need
to query for the animal names and for the checkup types. The INSERT privilege is
needed on CHECKUP_HISTORY, because each checkup is recorded by adding a
record to that table.
With two exceptions, the syntax elements in the REVOKE command have the same
meanings as in the GRANT command. The two exceptions are CASCADE
CONSTRAINTS and FORCE; the GRANT command doesn’t have these two options.
The following REVOKE command revokes the object privileges granted in the previ-
ous section:
Note Take note of the use of the REVOKE ALL command in the previous example. You
can use the REVOKE ALL command if you want to save typing or if you can’t
remember exactly what was granted and you want to revoke everything anyway.
When you have finished editing a user’s privileges, click the Apply button to make
your changes permanent. If you make a mistake during the editing process, you can
press the Revert button to cancel all the edits that you’ve made.
You can manage roles by using Security Manager in the same manner as system
privileges. Just click the Role tab.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 310
You probably don’t want to grant the DBA role to all your users just so they can use
Security Manager to grant object privileges, so what are you to do? One solution to
this problem is to grant your users the role named SELECT_CATALOG_ROLE. Another
is to grant them the SELECT ANY TABLE system privilege. Either solution allows
them to select from the data dictionary views, which allows them to run Security
Manager.
Once a user has access to the data dictionary views, he or she can use Security
Manager to grant other users access to his or her tables, views, and so forth. Just
follow these steps:
Figure 11-7: Granting the SELECT privilege on the AQUATIC_ANIMAL table to user
HAROLD
Other than the need to log on as the object owner, the process you use for managing
object privileges is identical to the process you use for managing system privileges.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 312
Creating Roles
You use roles to pull together sets of privileges, such as access to tables, for easier
management. Consider the task of creating 1,000 users and granting the following
privileges to each:
CREATE TABLE
CREATE SEQUENCE
CREATE VIEW
CREATE SYNONYM
CREATE SESSION
ALTER SESSION
CREATE CLUSTER
CREATE DATABASE LINK
When you grant a role to a user, that user inherits all privileges granted to the role.
A user can be assigned any number of roles. A role can be assigned any number of
privileges. Roles simplify the tasks of managing the privileges granted to users. They
allow changes to be made at one central point — the role — rather than having to be
made to each user individually.
Creating a role
You use the CREATE ROLE command to create a role. The syntax looks like this:
If you wish to require a password, use the IDENTIFIED BY clause. This requires
a user to enter a password before using the privileges conveyed by the role.
Besides using passwords, there are some other role authentication options that
aren’t described here. See Appendix A, “SQL Statement Reference,” for details.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 313
You must log on as a user with DBA authority or the CREATE ROLE privilege
to create roles. To modify roles, you must have the ALTER ANY ROLE privilege.
To remove a role, you must have the DROP ANY ROLE privilege. Role names are
subject to the naming rules for Oracle objects. Refer to the sidebar “Choosing
Names for Users and Passwords” for a quick summary of object-naming guidelines.
Of course, a role isn’t very useful until you’ve had a chance to grant some privileges
to that role. You’ll see how to do that in the next section.
You can grant two types of privileges to a role. The example just shown grants
system privileges. It’s also common to grant object privileges to roles. Object
privileges allow access to objects such as tables and views, and must be granted
by the owner of the objects in question. For example, the application administrator
might log on as the SEAPARK user and make the following grants:
After you’ve created a role and granted privileges to that role, you are ready to
grant that role to the users who need it. You’ve already seen how to use the GRANT
command to do that earlier in this chapter.
You can use the Role, System Privileges, and Object Privileges tabs to grant roles,
system privileges, and object privileges, respectively, to the new role. When you’re
done, click the Create button, and Security Manager will execute the necessary SQL
statements to create the role as you have defined it.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 315
Profiles, once created, can be assigned to users. Oracle has one profile preloaded
with its default database. This profile is named DEFAULT. Unless you specify
otherwise, all new users are assigned the DEFAULT profile.
When you select DEFAULT for any of the parameters, that profile parameter receives
the value of the same parameter in the default profile. Notice that you can control
password parameters in the syntax for creating a new profile. The upcoming
subsection “Using a profile to manage password features” provides more information.
You specify time for the password limits in days. Use fractions to represent periods of
less than one day. For example, one hour is expressed as 1⁄24. CPU times are expressed
in hundredths of a second. So a CPU_PER_SESSION limit of 100 allows the use of one
second of CPU time.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 316
After creating a profile, you can assign it to a user. Use the following syntax to do that:
Replace username in this syntax with the name of a database user. Replace
profile_name with the name of a profile.
✦ Expire a password
✦ Prevent reuse of passwords
✦ Enforce password complexity
When you expire a user’s password, the user will still be able to log on, but upon
logon, he or she will be forced to immediately choose a new password.
To retain a user’s password history for a specific number of days, you must set
the PASSWORD_REUSE_TIME parameter in the user’s profile. Note that if you
set PASSWORD_REUSE_TIME to a specific number of days, you must also set
PASSWORD_REUSE_MAX to UNLIMITED. In addition to altering a profile, you can
set these values when you create the profile. The following example creates a
profile named SEAPARK_USERS that retains a 180-day password history:
Rather than have the retention period based on a period of time, you can choose
to base it on a fixed number of passwords. The following example changes the
SEAPARK_USERS profile so that the history for a user always includes the ten most
recently used passwords:
These two methods for determining password retention time are mutually exclu-
sive. You may limit reuse based on elapsed days, or on the number of passwords,
but you can’t use both methods at once in the same profile.
Password verification functions must be owned by the user named SYS, and
the function header must match this format:
function_name (
username IN VARCHAR(30),
password IN VARCHAR (30),
old_password IN VARCHAR (30)
)RETURN BOOLEAN
The function returns a value of TRUE if the user’s new password is acceptable.
Otherwise, it should return FALSE. The syntax for the CREATE PROFILE and ALTER
PROFILE commands is almost identical. Any clause that you’ve seen used with
ALTER PROFILE may also be used with CREATE PROFILE, and vice-versa.
Tip Oracle does provide a working password template function that can be modified
to meet your specific requirements. Using this is a whole lot easier than writing
one from scratch, especially if you’re not familiar with PL/SQL. The file containing
the template function is $ORACLE_HOME/rdbms/admin/utlpwdmg.sql.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 318
To edit an existing profile using Security Manager, just navigate to that profile,
highlight it, and edit its properties in the dialog box that appears in the right pane
of the Security Manager window. Figure 11-9 shows Security Manager being used
to edit the SEAPARK_USERS role:
To create a new profile, right-click the Profiles folder and select Create. The tabs
in the Create Profile dialog box are the same as those used to edit a profile. Profiles
are assigned to users when you create them. Just choose the appropriate profile
from the drop-down list on the General tab of the Create User dialog box.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 319
Becoming a User
When troubleshooting a security problem for a user, it’s sometimes helpful to log
on as the user involved. However, you may not know the user’s password. Asking
users for their password is a bad practice because it gets them used to giving it out
on request. Before you know it, they’ll be giving it out to someone who is not
authorized to have it.
1. Retrieve the user’s encrypted password from the DBA_USERS view. The
password will be in the form of a string of hexadecimal digits. Write this down
or otherwise save it so that you can restore it later.
2. Change the user’s password to something you do know. Use the ALTER USER
command to do this.
3. Log on as the user in question, using the temporary password that you set.
4. Using the hexadecimal password that you saved, issue an ALTER USER
command to change the password back to its original value. Use the
IDENTIFIED BY VALUES clause, as shown in this example:
ALTER USER joseph IDENTIFIED BY VALUES ‘AD923596D59E92AA’
When you alter a user’s password in this manner, the password history is not
checked, the expiration date is not reset, and the complexity function is not called.
However, Step 2, where you change the user’s password to a temporary value, will
cause all these to be done. Your temporary password will be added to the user’s
password history list, and the password expiration date will be set based on when
you set the temporary password.
A become_user script
The code in Listing 11-2 represents one possible approach to the task of writing
a SQL*Plus script that allows you to become another user.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 320
This script uses the COLUMN command’s NEW_VALUE clause to store the user’s
current password in a SQL*Plus user variable named current_password. Only
the encrypted hex representation of the password will be stored. The script then
changes the user’s password, in the normal fashion, to the temporary value that
you specified, and logs you on to the database as that user. Listing 11-3 shows this
script being used to temporarily log on as the SEAPARK user:
User altered.
Connected.
Press ENTER to reset the user’s password back to what it was.
User altered.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 321
The PAUSE command in the script allows you to control exactly when the password
is reset to its original value. This gives you the ability to also run any third-party
software that the user may be using and to connect to the database using the
temporary password. Then, after you connect, you press Enter on your SQL*Plus
session, and the user’s password is reset.
DBA_USERS Returns one row for each database user. Use this view
to retrieve information about account status,
password expiration, default and temporary
tablespace settings, and profile name.
DBA_ROLES Returns one row for each role defined in the database.
DBA_PROFILES Returns one row for each user profile setting. Use this
view when you want to list profiles that have been
defined, or when you want to list the settings defined
for a particular profile.
DBA_SYS_PRIVS Returns one row for each system privilege that has
been granted to a user or to a role.
DBA_TAB_PRIVS Returns one row for each object privilege held by a
user. Use this parameter when you want to see a list
of objects to which a user has access.
DBA_ROLE_PRIVS Returns one row for each role granted to a user or
for each role granted to another role.
You can also use this view to find out the default and temporary tablespace settings
for a user.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 322
The third item in the list can be the most difficult to track down. When you
discover that a user has been granted a role, to get a complete picture of the user’s
privileges, you need to in turn find out what has been granted to that role. In the
process of doing that, you might discover yet another role to look at, and so forth.
PRIVILEGE ADM
---------------------------------------- ---
UNLIMITED TABLESPACE YES
In this case, the SYSTEM user holds the UNLIMITED TABLESPACE privilege with the
ADMIN option. The ADMIN option allows the SYSTEM user to grant this privilege to
other users. This may not seem like much considering that the user in question is
SYSTEM, and it’s not. The SYSTEM user gets most of its privileges via the DBA role.
To find out what privileges the DBA role conveys, you would also query the
DBA_SYS_PRIVS view, as shown in Listing 11-4.
PRIVILEGE ADM
---------------------------------------- ---
ADMINISTER DATABASE TRIGGER YES
ADMINISTER RESOURCE MANAGER YES
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 323
This is a much longer list. It still doesn’t give you the complete picture, though,
because the DBA role also conveys some roles that have been granted to it.
GRANTED_ROLE ADM
------------------------------ ---
DELETE_CATALOG_ROLE YES
EXECUTE_CATALOG_ROLE YES
EXP_FULL_DATABASE NO
IMP_FULL_DATABASE NO
SELECT_CATALOG_ROLE YES
The ADMIN option, represented here by the column titled ADM, indicates whether
the role can be further granted to other users. Use the same approach for listing
the roles held directly by a user: Simply compare the grantee column to a username
instead of a role name.
Continued
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 324
The COLUMN commands in this example are not strictly necessary, but the nature
of this particular query makes for some very long lines of output. The COLUMN
commands limit the display width of the columns so that the output isn’t wrapped
around on the screen. It’s a lot easier to read this way.
Object privileges may be granted to roles as well as to users. In this example, the
user of interest was SYSTEM, but you can substitute any other username or role
name in its place.
ROLE
------------------------------
CONNECT
RESOURCE
DBA
SELECT_CATALOG_ROLE
To find out which privileges have been granted to a role, follow the same process
described earlier for listing privileges granted to a user.
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 325
For each profile that you define, the DBA_PROFILES view will return several rows,
one for each resource limit in the profile. Listing 11-6 demonstrates how you can
return the definition of the profile named DEFAULT.
RESOURCE_NAME LIMIT
-------------------------------- ----------------
COMPOSITE_LIMIT UNLIMITED
SESSIONS_PER_USER UNLIMITED
CPU_PER_SESSION UNLIMITED
CPU_PER_CALL UNLIMITED
LOGICAL_READS_PER_SESSION UNLIMITED
LOGICAL_READS_PER_CALL UNLIMITED
IDLE_TIME UNLIMITED
CONNECT_TIME UNLIMITED
PRIVATE_SGA UNLIMITED
FAILED_LOGIN_ATTEMPTS UNLIMITED
PASSWORD_LIFE_TIME UNLIMITED
PASSWORD_REUSE_TIME UNLIMITED
Continued
4623-6 ch11.f.qc 1/28/00 12:29 PM Page 326
16 rows selected.
The DBA_PROFILES view will return a row for each possible resource limit,
regardless of whether you specified all of them when you created the profile.
Summary
In this chapter, you learned:
✦ You use system privileges to control what a user can and can’t do to the data-
base. Object privileges control what a user can and can’t do to individual
objects such as a table or a view.
✦ Roles enable the DBA and the application developer to simplify privilege
management by lumping related privileges together under a single role.
Subsequently, a new user can be assigned (granted) to a single role rather
than assigned numerous privileges individually.
✦ You can use profiles to limit a user’s consumption of CPU resources and to
enforce rules regarding password complexity. Profiles also define how often
passwords need to be changed.
✦ When you create a user, always define both a default and a temporary
tablespace. Don’t forget to provide quota on the default tablespace.
✦ ✦ ✦