Unit 3.1-2-3 Database Administration

Database Administration

Unit 3

USERS AND PRIVILEGES


3.1 Manage Users

1. Predefined Database Administration Accounts
2. User Accounts
   1. Create a User Account
   2. User Authentication
   3. Change a User's Password
   4. Manage a User Account
   5. Drop a User Account
3. Monitor User Information
4. Terminate User Sessions
5. Create Schema-Only Accounts
Oracle Database
User Management
Why is user management vital in a database?

• User management is the task of laying down the access control mechanism: the security policies, privileges, roles and profiles through which users reach predefined resources within organizational databases.
• Managing users ensures that only authorized, authenticated users access the database; this is why user accounts are created for database access.
• It also makes user activities on the database auditable.
Manage User

Each user must provide valid credentials that have been defined in the database in order to connect to the database server. User information is stored in the data dictionary, where an account is established for each user so that connections can be authorized. When you create a database user (account), you specify the following attributes of the user:

• User name
• Authentication method
• Default tablespace
• Temporary tablespace
• Other tablespaces and quotas
• User profile
Oracle Predefined Users

Several predefined user accounts are included in an Oracle database. The three types of predefined accounts are:
• Administrative accounts: SYS, SYSTEM, SYSBACKUP, SYSDG, SYSKM, SYSRAC, SYSMAN, and DBSNMP. SYSMAN is used to perform Oracle Enterprise Manager Cloud Control (Cloud Control) administration tasks. The management agent of Cloud Control uses the DBSNMP account to monitor and manage the database. You must not delete these accounts.
• Sample schema accounts: these optional accounts are used for examples in Oracle Database documentation and instructional materials. The sample schema accounts are HR, SH, and OE.
• Internal accounts: these accounts are created so that individual Oracle Database features or components can have their own schemas. You must not delete internal accounts, and you must not attempt to log in with them.

In an Oracle database, a user account is also called a schema or schema account. A schema is the logical grouping of database objects (tables, triggers, views, indexes) owned by a database user.
A user account is a unique name with an authentication method, a default tablespace and a temporary tablespace. A user account also has a user profile and a current account status.
Users Creation and Authentication
How to create Oracle database users

• A database user account is created with the CREATE USER statement; it is the account through which a client connects to the database.
• To create a database user account, you must have the CREATE USER system privilege.
• A newly created account must be able to open a session before it can connect, so at the very least the CREATE SESSION system privilege must be granted to it.
• Example syntax

CREATE USER shushant IDENTIFIED BY BIT_cord1
    DEFAULT TABLESPACE BMC_BIT QUOTA 10M ON BMC_BIT
    TEMPORARY TABLESPACE temp QUOTA 5M ON system
    PROFILE app_user
    PASSWORD EXPIRE;

• The newly created account is shushant, with BMC_BIT as its default tablespace and temp as its temporary tablespace, a 10M quota on BMC_BIT and a 5M quota on SYSTEM (quotas apply to permanent tablespaces only; Oracle rejects a quota on a temporary tablespace). The account is associated with the app_user profile and its password is expired, which means shushant must change the password before logging in to the database.

• Example 2 syntax
CREATE USER ops$sushant IDENTIFIED EXTERNALLY
    DEFAULT TABLESPACE BMC_BIT
    QUOTA 10M ON BMC_BIT
    PROFILE app_user;

• The newly created account is ops$sushant, with BMC_BIT as its default tablespace and a 10M quota on it, associated with the app_user profile. No password is stored in the database: an external source (here the operating system) must authenticate the user before login. The OS_AUTHENT_PREFIX initialization parameter sets the prefix that maps an operating system user name to a database account; its default value OPS$ is used here, so the OS user sushant maps to the database user ops$sushant.

• Example 3
The following example creates a global user. When you create a global user, you can specify the X.509 distinguished name that identifies this user at the enterprise directory server:

CREATE USER global_user IDENTIFIED GLOBALLY AS 'CN=student, OU=BIT, O=oracle, C=US'
    DEFAULT TABLESPACE BIT QUOTA 5M ON BIT;
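The CREATE USER examples above reference a profile named app_user without showing how it is defined. The following is an added example, not code from the original slides: it creates that profile with password and resource limits (the limit values are constructed, not Oracle defaults), creates the user against it, and then reads the result back from the data dictionary so the administrator can confirm what was actually applied.

```sql
-- Added example (not from the slides). The profile name app_user, the user
-- shushant and the tablespace BMC_BIT come from the slides; every limit value
-- below is a constructed choice for illustration.
CREATE PROFILE app_user LIMIT
    FAILED_LOGIN_ATTEMPTS   5       -- lock the account after 5 wrong passwords
    PASSWORD_LOCK_TIME      1/24    -- keep it locked for one hour (unit is days)
    PASSWORD_LIFE_TIME      90      -- force a password change every 90 days
    PASSWORD_GRACE_TIME     7       -- warn for 7 days before the expired password locks login
    PASSWORD_REUSE_MAX      5       -- the last 5 passwords cannot be reused ...
    PASSWORD_REUSE_TIME     365     -- ... nor any password used within the last year
    SESSIONS_PER_USER       3       -- resource limit: at most 3 concurrent sessions
    IDLE_TIME               30;     -- resource limit: disconnect after 30 idle minutes

-- Same shape as the slide's first example, but without a quota on SYSTEM
-- (users should not store objects there) and using the profile just created.
CREATE USER shushant IDENTIFIED BY BIT_cord1
    DEFAULT TABLESPACE BMC_BIT
    QUOTA 10M ON BMC_BIT
    TEMPORARY TABLESPACE temp
    PROFILE app_user
    PASSWORD EXPIRE;

-- Without CREATE SESSION the account exists but cannot connect
GRANT CREATE SESSION TO shushant;

-- Verify the attributes that were applied. Names are stored in upper case.
SELECT username, account_status, default_tablespace, temporary_tablespace, profile
FROM   dba_users
WHERE  username = 'SHUSHANT';

-- Verify the quota (bytes, -1 means unlimited)
SELECT tablespace_name, max_bytes
FROM   dba_ts_quotas
WHERE  username = 'SHUSHANT';

-- Verify the profile limits; DEFAULT means "inherit from the DEFAULT profile"
SELECT resource_type, resource_name, limit
FROM   dba_profiles
WHERE  profile = 'APP_USER'
ORDER  BY resource_type, resource_name;
```

The password limits (FAILED_LOGIN_ATTEMPTS, PASSWORD_* ) are always enforced; the resource limits (SESSIONS_PER_USER, IDLE_TIME) are only enforced when the RESOURCE_LIMIT initialization parameter is TRUE, so check that parameter with SHOW PARAMETER resource_limit if the idle-time disconnect does not happen.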
Oracle Database Users Creation

• To list all users in the database:
SQL> select username, account_status, default_tablespace from dba_users;

• To check the current user:
SQL> show user;

• To create a user (in the root of a CDB, a common user needs the c## prefix):
SQL> create user sushant identified by bit_cord1;
SQL> create user c##sushant identified by bit_cord1;   -- common user, CDB root only
SQL> create user sushant identified by bit_cord1 default tablespace users;

• To change a user's password:
SQL> alter user sushant identified by bit_cord2020;


Oracle Database Users Creation

• The CREATE, ALTER and DROP commands manage user accounts in Oracle (ALTER USER is how an existing account is updated). Management of a user account covers every aspect of it, from bringing the account into existence to deleting it. ALTER USER examples:

SQL> select property_name, property_value from database_properties where property_name like '%DEFAULT%';   -- shows the database default permanent and temporary tablespaces
SQL> alter user sushant default tablespace bmc_bit01;
SQL> alter user sushant quota 10M on users;
SQL> alter user sushant identified globally as 'CN=bmc,O=bit,C=np';
SQL> alter user sushant password expire;

ALTER SYNTAX WITH CLAUSE
Oracle Database Manage Accounts

• To manage accounts in Oracle we use commands such as CREATE, DROP and ALTER. Further ALTER USER examples:

SQL> alter user sushant profile app_users2;
SQL> alter user sushant revoke connect through sh;

• To drop (delete) a user account in Oracle we use the DROP USER command; CASCADE is required when the schema still contains objects and drops them together with the user.

SQL> drop user sushant CASCADE;


Oracle Database GRANT Options

Use the GRANT statement to grant:

• System privileges to users and roles
• Roles to users and roles. Both privileges and roles are either local, global, or external.
• Object privileges for a particular object to users, roles, and PUBLIC.

The IDENTIFIED BY password clause appears in several statements:

SQL> CREATE USER name IDENTIFIED BY password;
SQL> GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW, CREATE SEQUENCE TO name IDENTIFIED BY password;   -- creates the user if it does not exist yet
SQL> ALTER USER name IDENTIFIED BY password;
SQL> CREATE SHARED DATABASE LINK link_name AUTHENTICATED BY name IDENTIFIED BY password USING 'remote_service';   -- link_name and remote_service are placeholders


Monitoring User Information

You can monitor and record selected user database actions, including those performed by administrators. You can monitor system-wide actions as well as actions performed on individual database objects. This type of monitoring is called database auditing.

Some of the database monitoring tools are trace files, alert files, the Oracle Administration Assistant for Windows, the Oracle Enterprise Manager Database Management Packs, and the Windows Event Viewer.

Unified audit policies can be created and managed using SQL statements. Oracle Database provides default unified audit policies that contain the standard audit settings, and you can create custom unified audit policies. You can also create fine-grained audit policies using the DBMS_FGA PL/SQL package.
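As an added example (not from the slides), the following creates a custom unified audit policy covering the user- and role-management statements discussed in this unit, enables it, adds a fine-grained policy with DBMS_FGA, and reads the audit trail back. The policy names user_mgmt_pol and salary_reads are constructed; HR.EMPLOYEES is the sample schema table mentioned in the privileges section. Unified auditing views are those of Oracle 12.2 and later.

```sql
-- Added example (not from the slides). Requires the AUDIT_ADMIN role.
-- Statement-level policy: who creates, alters or drops accounts and roles,
-- and who grants or revokes anything.
CREATE AUDIT POLICY user_mgmt_pol
    ACTIONS CREATE USER, ALTER USER, DROP USER,
            CREATE ROLE, ALTER ROLE, DROP ROLE, SET ROLE,
            GRANT, REVOKE;

-- Enable it for all users; with no WHENEVER clause both successful and
-- failed attempts are recorded, so a denied GRANT is visible too.
AUDIT POLICY user_mgmt_pol;

-- Confirm what the policy contains and that it is enabled
SELECT policy_name, audit_option, audit_option_type
FROM   audit_unified_policies
WHERE  policy_name = 'USER_MGMT_POL';

SELECT policy_name, enabled_option, entity_name, success, failure
FROM   audit_unified_enabled_policies
WHERE  policy_name = 'USER_MGMT_POL';

-- Fine-grained auditing: record only SELECTs that touch SALARY for rows
-- where the condition is true, rather than every read of the table.
BEGIN
    DBMS_FGA.ADD_POLICY(
        object_schema   => 'HR',
        object_name     => 'EMPLOYEES',
        policy_name     => 'SALARY_READS',       -- constructed name
        audit_condition => 'SALARY > 10000',
        audit_column    => 'SALARY',
        statement_types => 'SELECT',
        audit_trail     => DBMS_FGA.DB_EXTENDED); -- ignored under unified auditing, kept for mixed mode
END;
/

-- Read the trail (AUDIT_VIEWER role): most recent events of our policy first
SELECT event_timestamp, dbusername, action_name, object_schema, object_name,
       return_code,                           -- 0 = succeeded, otherwise the ORA- error number
       sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%USER_MGMT_POL%'
   OR  fga_policy_name = 'SALARY_READS'
ORDER  BY event_timestamp DESC
FETCH FIRST 20 ROWS ONLY;
```

A non-zero RETURN_CODE on a GRANT or CREATE USER row is the line worth alerting on: it is an attempt to widen access that the database refused.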
User Session Termination

The ALTER SYSTEM KILL SESSION command is used to terminate a session from the SQL*Plus command-line interface. The session's index number (SID) and serial number must be specified when issuing ALTER SYSTEM KILL SESSION. To identify the SID and serial number of a session, query the V$SESSION dynamic performance view. The value of the STATUS column is ACTIVE when the session is making a SQL call to Oracle, and INACTIVE when it is not.

ALTER SYSTEM KILL SESSION 'sid,serial#';

A session can also be terminated through Enterprise Manager or by ending its server process at the operating system level (for example in Windows).
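The following is an added example, not from the slides, of the full procedure just described: locate the session in V$SESSION, terminate it, and confirm the result. The user name APP_BATCH and the SID/serial# values 145 and 23117 are constructed placeholders; substitute the values returned by the first query.

```sql
-- Added example (not from the slides). Needs the ALTER SYSTEM privilege.
-- 1. Find the session. STATUS tells you whether it is mid-call (ACTIVE);
--    LAST_CALL_ET is seconds since the current call or idle period began.
SELECT sid, serial#, username, status, osuser, machine, program, last_call_et
FROM   v$session
WHERE  username = 'APP_BATCH'          -- constructed placeholder
ORDER  BY last_call_et DESC;

-- 2. Terminate it. The session's transaction is rolled back; the statement
--    waits up to 60 s for the client to acknowledge before reporting
--    "marked for kill", IMMEDIATE returns without that wait.
ALTER SYSTEM KILL SESSION '145,23117';
ALTER SYSTEM KILL SESSION '145,23117' IMMEDIATE;

-- 3. In a RAC database the session may live on another instance: look it up
--    in GV$SESSION and append the instance id to the address.
SELECT inst_id, sid, serial#, status
FROM   gv$session
WHERE  username = 'APP_BATCH';
ALTER SYSTEM KILL SESSION '145,23117,@2';

-- 4. Verify. The row stays with STATUS = 'KILLED' until the client's next
--    call fails with ORA-00028, after which the row disappears.
SELECT sid, serial#, status
FROM   v$session
WHERE  sid = 145;

-- Gentler alternative when the session is mid-transaction: let the current
-- transaction finish, then disconnect.
ALTER SYSTEM DISCONNECT SESSION '145,23117' POST_TRANSACTION;
```

Always read SID and serial# together from the same query: the serial number is what prevents the command from hitting a new session that has since reused the same SID.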
Oracle Database Schema-Only Accounts
Oracle 18c onward introduces the concept of the schema-only account. This type of account has no password and cannot connect directly to the database; instead a proxy account connects to the database and administers the schema. As a result the schema's own credentials are never exposed in an application or handed to a user in an exchange of credentials.
A user account must not hold administrative privileges to become a schema-only account. This can be checked with a query on V$PWFILE_USERS (the query should return no row for the account):

SELECT username, sysdba, sysoper, sysasm, sysbackup, sysdg, syskm FROM v$pwfile_users WHERE username = 'SCHEMAONLY';

Example

SQL> CREATE USER schemaonly IDENTIFIED BY schemaonly1;   -- regular password account, or:
SQL> CREATE USER schemaonly NO AUTHENTICATION;           -- schema-only from the start
SQL> GRANT CREATE SESSION, CREATE TABLE, CREATE INDEX, CREATE VIEW, CREATE SEQUENCE TO schemaonly;
SQL> ALTER USER schemaonly GRANT CONNECT THROUGH student1;
SQL> CONN student1[schemaonly]/student1@//localhost:1521/pdb1
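The slide example creates the account; the following added example (not from the slides) shows the other common path, converting an existing password-authenticated schema to schema-only, together with the dictionary checks that prove the conversion took effect and that only the proxy route remains. The names schemaonly and student1 are the slide's; pdb1 is the slide's service name.

```sql
-- Added example (not from the slides). Run as a DBA in pdb1.
-- 0. Precondition: the account must not appear in the password file with
--    any administrative privilege (expect zero rows).
SELECT username, sysdba, sysoper, sysbackup, sysdg, syskm
FROM   v$pwfile_users
WHERE  username = 'SCHEMAONLY';

-- 1. Remove the password. Objects, grants and quotas of the schema are kept;
--    only the ability to log in with a password is gone.
ALTER USER schemaonly NO AUTHENTICATION;

-- 2. Verify: AUTHENTICATION_TYPE changes from PASSWORD to NONE
SELECT username, authentication_type, account_status
FROM   dba_users
WHERE  username = 'SCHEMAONLY';

-- 3. The only way in is now through a proxy user. The client (schemaonly)
--    still needs CREATE SESSION; the proxy (student1) authenticates itself.
ALTER USER schemaonly GRANT CONNECT THROUGH student1;

SELECT proxy, client, authentication, authorization_constraint
FROM   proxy_users
WHERE  client = 'SCHEMAONLY';

-- 4. From the proxy session (CONN student1[schemaonly]/student1@//localhost:1521/pdb1)
--    the effective schema is schemaonly while the audit trail still records
--    student1 as the proxy, so actions remain attributable to a person.
SELECT SYS_CONTEXT('USERENV', 'CURRENT_USER')  AS current_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')    AS proxy_user,
       SYS_CONTEXT('USERENV', 'SESSION_USER')  AS session_user
FROM   dual;

-- 5. Revoke the proxy route when the maintenance window closes
ALTER USER schemaonly REVOKE CONNECT THROUGH student1;
```

A direct login attempt as schemaonly after step 1 fails with ORA-01017 (invalid username/password) exactly as a wrong password would, so nothing in the error reveals that the account is schema-only.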
3.2 Manage Privileges

1. Database Access
2. Oracle Supplied Roles
3. System and Object Level Privileges
4. The Grant and Revoke Commands
5. Create, Modify and Drop Roles
6. Use Predefined Roles


Data Access

• User privileges in Structured Query Language (SQL) provide the basic level of security for a database. A database with multiple users requires authorization. Privileges control user access to data and limit the SQL statements a user may execute. A database privilege is a level of access provided (granted) to a user on the database system by the database instance administrator or by a user holding admin privileges.
• Creating users and then granting them privileges enables them to connect, access data and perform other database operations.
Oracle Supplied Roles

• Roles are useful for quickly and easily granting permissions to users. Oracle may change or remove the privileges in an Oracle Database-defined role. Some of the default roles provided by Oracle are:
1. CONNECT
2. DBA
3. DV_ADMIN
4. AUTHENTICATEDUSER
PRIVILEGES
• A database with multiple users requires authorization. A database privilege is a level of access provided (granted) to a user on the database system by the database instance administrator or by a user with admin privileges.
• User privileges provide the basic level of security for a database.
• Privileges control user access to data and limit the SQL statements a user may execute.
• Creating users and then granting them privileges enables them to connect and perform other database operations.
• Basically there are two types of user privileges:

• System privileges

A system privilege gives a user the ability to perform a particular action, or to perform an action on any schema object of a particular type. Objects include tables, views, materialized views, synonyms, indexes, sequences, cache groups, replication schemes and PL/SQL functions, procedures and packages. Only the instance administrator or a user with the ADMIN privilege can grant or revoke system privileges. For example, the system privilege CREATE TABLE permits a user to create tables in the schema associated with that user, and the system privilege CREATE USER permits a user to create database users.

Examples: CREATE TABLE, CREATE SEQUENCE, ALTER ANY MATERIALIZED VIEW, ALTER ANY PROCEDURE, ALTER ANY INDEX. The ANY forms reach into every schema in the database, so they should be granted sparingly.
• Object privileges

An object privilege gives a user the ability to perform a particular action on a specific schema object. Different object privileges are available for different types of schema objects. An object's owner has all object privileges for that object, and those privileges cannot be revoked. A user with the ADMIN privilege can grant and revoke object privileges from users who do not own the objects on which the privileges are granted.
The object's owner can grant object privileges for that object to other database users. The privilege to select rows from the EMPLOYEES table or to delete rows from the DEPARTMENTS table are examples of object privileges. An object privilege is the right to perform a particular action on an object or to access another user's object. Objects include tables, views, materialized views, indexes, synonyms, sequences, cache groups, replication schemes and PL/SQL functions, procedures and packages.
For example, DELETE, INDEX, INSERT, UPDATE, EXECUTE and UNLOAD are object-level privileges that can be granted to a user.
ROLES
• Privileges grouped together into a single set or package form a role: roles are named groups of related privileges that you grant to users or to other roles. This allows the database administrator to easily grant or revoke privileges among the database users. Rather than manually assigning privileges to each user, a user can be assigned a role. Database privileges in Oracle are easily controlled and managed through roles.

• Roles are designed to ease the administration of end-user system and schema object privileges. However, roles are not meant to be used by application developers, because the privileges to access schema objects from within stored programmatic constructs (definer's-rights PL/SQL) need to be granted directly.

• Roles are useful for quickly and easily granting permissions to users. Although you can use Oracle Database-defined roles, you have more control and continuity if you create your own roles that contain only the privileges pertaining to your requirements. Oracle may change or remove the privileges in an Oracle Database-defined role.

• Roles let you manage the privileges for a database application together with the privileges for a user group, and selectively enable or disable the roles granted to a user.
GRANT AND REVOKE
You can GRANT and REVOKE privileges on various database objects in Oracle. We first look at how to grant and revoke privileges on tables and then how to grant and revoke privileges on functions, procedures and other objects in Oracle Database. Various privileges on tables can be granted to users; these privileges can be any combination of SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER, INDEX, or ALL.

Example:
GRANT SELECT, INSERT, UPDATE, DELETE ON suppliers TO smithj;
GRANT ALL ON suppliers TO smithj;
GRANT SELECT ON suppliers TO public;
GRANT EXECUTE ON procedure_name TO user_name;   -- functions, procedures and packages take EXECUTE
GRANT SELECT ON sequence_name TO user_name;     -- sequences take SELECT; there is no EXECUTE on a sequence
GRANT AND REVOKE
Once privileges have been granted, you may need to revoke some or all of them. To do this, run a REVOKE command. You can revoke any combination of SELECT, INSERT, UPDATE, DELETE, REFERENCES, ALTER, INDEX, or ALL.

Syntax and examples:
REVOKE privileges ON object FROM user;
REVOKE DELETE ON suppliers FROM smithj;
REVOKE ALL ON suppliers FROM anderson;
REVOKE EXECUTE ON procedure_name FROM user_name;
REVOKE ALL ON suppliers FROM public;
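The examples above grant whole-table privileges. The following added example (not from the slides) works through the same suppliers table with the two finer controls a practitioner usually needs, column-level grants and WITH GRANT OPTION, and shows the dictionary views that reveal who holds what before a revoke. The owning schema app_owner and the table definition are constructed; suppliers, smithj and anderson are the slide's names.

```sql
-- Added example (not from the slides). Statements run as app_owner, the
-- owner of suppliers, who holds all object privileges on it and cannot
-- lose them through REVOKE.
CREATE TABLE suppliers (
    supplier_id  NUMBER        PRIMARY KEY,
    name         VARCHAR2(100) NOT NULL,
    contact      VARCHAR2(100)
);

-- Least privilege for a "maintain contact details" screen: read the rows,
-- update one column only. Column-level grants exist for INSERT, UPDATE and
-- REFERENCES; SELECT is always whole-table (use a view to restrict columns).
GRANT SELECT           ON suppliers TO smithj;
GRANT UPDATE (contact) ON suppliers TO smithj;

-- WITH GRANT OPTION lets anderson pass SELECT on to others.
GRANT SELECT ON suppliers TO anderson WITH GRANT OPTION;

-- Who holds what? Table-level grants ...
SELECT grantee, privilege, grantable, grantor
FROM   dba_tab_privs
WHERE  owner = 'APP_OWNER' AND table_name = 'SUPPLIERS'
ORDER  BY grantee, privilege;

-- ... and column-level grants live in a separate view
SELECT grantee, column_name, privilege
FROM   dba_col_privs
WHERE  owner = 'APP_OWNER' AND table_name = 'SUPPLIERS';

-- Revoking. A column grant cannot be revoked per column: revoke the whole
-- privilege and re-grant the columns that should remain.
REVOKE UPDATE ON suppliers FROM smithj;

-- Revoking from a grantee who used WITH GRANT OPTION cascades: every grant
-- anderson made of SELECT on suppliers is revoked as well.
REVOKE SELECT ON suppliers FROM anderson;

-- Re-run the DBA_TAB_PRIVS query to confirm only smithj's SELECT remains.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'APP_OWNER' AND table_name = 'SUPPLIERS';
```

Grants to PUBLIC deserve the same review: the first query with grantee = 'PUBLIC' lists everything every account in the database can reach, which is usually the first thing to tighten.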
ROLES
• CREATE ROLE
• Examples
CREATE ROLE dw_manager;
CREATE ROLE dw_manager IDENTIFIED BY warehouse;
CREATE ROLE role1 CONTAINER = CURRENT;
CREATE ROLE c##role1 CONTAINER = ALL;
ALTER ROLES
• ALTER ROLE
We use this command to change the authorization that a user needs before the role can be enabled. User sessions in which the role is already enabled are not affected.
• If you have the ALTER ANY ROLE system privilege and you change a role that is IDENTIFIED GLOBALLY to IDENTIFIED BY password, IDENTIFIED EXTERNALLY, or NOT IDENTIFIED, then Oracle Database grants you the altered role with the ADMIN OPTION, as it would have if you had created the role identified nonglobally.
• Examples
ALTER ROLE warehouse_user NOT IDENTIFIED;
ALTER ROLE dw_manager IDENTIFIED BY data;
ALTER ROLE dw_manager IDENTIFIED USING hr.admin;
DROP ROLES
• DROP ROLE

Use the DROP ROLE statement to remove a role from the database. When you drop a role, Oracle Database revokes it from all users and roles to whom it has been granted and removes it from the database. User sessions in which the role is already enabled are not affected. However, no new user session can enable the role after it is dropped.
You must have been granted the role with the ADMIN OPTION or you must have the DROP ANY ROLE system privilege.

• Examples
DROP ROLE dw_manager;
SET ROLES
• SET ROLE
• Examples
SET ROLE dw_manager IDENTIFIED BY warehouse;
SET ROLE ALL;
SET ROLE ALL EXCEPT dw_manager;
SET ROLE NONE;
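The CREATE, ALTER, SET and DROP ROLE statements above are shown one at a time. As an added example (not from the slides), the following runs the whole life cycle of the dw_manager role end to end: build the role from system and object privileges, grant it to a user, make the password actually matter, verify through the dictionary, enable it in the user's session, and finally remove it. dw_manager and the password warehouse are the slide's; the user smithj and the table app_owner.suppliers are constructed.

```sql
-- Added example (not from the slides). Privileged part runs as a DBA
-- (or as app_owner for the object grant); the SET ROLE part runs as smithj.

-- 1. A password-protected role
CREATE ROLE dw_manager IDENTIFIED BY warehouse;

-- 2. Put privileges in the role, not on the user. No ANY privileges here:
--    the role only needs to create its own objects and read/insert suppliers.
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW TO dw_manager;
GRANT SELECT, INSERT ON app_owner.suppliers TO dw_manager;

-- 3. Grant the role to the user
GRANT dw_manager TO smithj;

-- 4. A default role is enabled at logon without its password, which defeats
--    the point of IDENTIFIED BY. Make it non-default so that it must be
--    switched on explicitly with SET ROLE.
ALTER USER smithj DEFAULT ROLE ALL EXCEPT dw_manager;

-- 5. Verify: role -> user, role -> system privileges, role -> object privileges
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee = 'SMITHJ';

SELECT role, privilege, admin_option
FROM   role_sys_privs
WHERE  role = 'DW_MANAGER';

SELECT role, owner, table_name, privilege
FROM   role_tab_privs
WHERE  role = 'DW_MANAGER';

-- 6. In smithj's own session: the role is absent until enabled
SELECT role FROM session_roles;                     -- no DW_MANAGER row yet
SET ROLE dw_manager IDENTIFIED BY warehouse;
SELECT role FROM session_roles;                     -- DW_MANAGER now listed
SET ROLE NONE;                                      -- drop back to no roles

-- 7. Retire the role. DROP ROLE revokes it from every grantee; existing
--    sessions that already enabled it keep it until they disconnect, so
--    terminate those sessions if the privileges must stop immediately.
REVOKE dw_manager FROM smithj;
DROP ROLE dw_manager;
```

Two points from the text are visible in step 2 and step 6: object privileges received through a role are not usable inside definer's-rights PL/SQL owned by smithj (those need a direct grant), and a role that is not enabled in the session contributes nothing, whatever DBA_ROLE_PRIVS says.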
