Basic Database Administration
After a database has been created, there are a variety of activities that must take place for the care and feeding of the database. First, it is helpful to have some way to organize the various objects that we wish to create and store in the database. This can be accomplished using SQL (Structured Query Language) or other mechanisms, such as GUIs, provided by the RDBMS (Relational Database Management System). Second, there must be some way to allow users to access the database. It would be useful to have some way to authenticate users and either allow or deny them certain access and privileges.

After this topic you will be able to:
- Discuss the role of the DBA in establishing and maintaining database security
- Describe a database schema
- Identify and implement DDL commands using SQL for a RDBMS
- Determine appropriate access controls for a RDBMS to ensure a secure database implementation

Database Schema

There are several database schema types and definitions. Many RDBMSs, such as Oracle 9i, implement a database schema as a methodology to create a logical view of database objects for a specified database user. A database object is an object created and stored in a database. A database schema becomes the database structure for that user. The schema is used to store the user's database objects. A schema, therefore, could be considered a collection of components and database objects under the control of a given database user. The schema is a collection of related database objects created for a database user using SQL DDL (data definition language) commands.

DDL

SQL DDL commands provide a standard syntactical language used to create, alter, and/or drop database objects for any RDBMS that complies with the ANSI standard. Database objects stored in a schema include objects such as tables, views, users, indexes, and procedures.
So, to create a student table that contains attributes for student id, last name, and first name, the DDL statement would look like the following:

CREATE TABLE Student (
    studentID NUMBER(10),
    studentLast VARCHAR(30),
    studentFirst VARCHAR(20)
);

This command defines the table Student with the designated attributes and stores the object in the user's database schema. Similarly, the command

CREATE VIEW StudentVW AS SELECT studentLast, studentFirst FROM Student;

creates a dynamic table (known as a view) that would retrieve the designated attributes from the Student table. The basic format for creating any database object to be stored in the user's schema is

CREATE objectType objectName Parameters;
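The following is an added example, not part of the original handout, that carries the Student table above through a complete create/alter/drop cycle in Oracle SQL: the table gets a primary key and NOT NULL constraints, a second table (Enrollment, an assumed name) references it through a foreign key, and an index and a view are built on it. VARCHAR2 is used because that is Oracle's native string type (Oracle treats VARCHAR as a synonym for it); the constraint, index and column names are assumptions for illustration.

```sql
-- Added example (not from the original handout): a small student schema built
-- with DDL, extending the Student table above with constraints, an index, a
-- view, and an ALTER/DROP to show the full create/alter/drop cycle.
-- Names other than Student and its three columns are assumed.

-- Table with a primary key and NOT NULL constraints, so the schema itself
-- rejects duplicate or missing student ids rather than relying on application code.
CREATE TABLE Student (
    studentID    NUMBER(10)    NOT NULL,
    studentLast  VARCHAR2(30)  NOT NULL,
    studentFirst VARCHAR2(20)  NOT NULL,
    CONSTRAINT pk_student PRIMARY KEY (studentID)
);

-- A second table (assumed) that references Student; the foreign key keeps
-- enrollment rows from pointing at students that do not exist.
CREATE TABLE Enrollment (
    enrollmentID NUMBER(10)   NOT NULL,
    studentID    NUMBER(10)   NOT NULL,
    courseCode   VARCHAR2(10) NOT NULL,
    CONSTRAINT pk_enrollment PRIMARY KEY (enrollmentID),
    CONSTRAINT fk_enrollment_student FOREIGN KEY (studentID)
        REFERENCES Student (studentID)
);

-- Index on the column used to look students up by last name.
CREATE INDEX idx_student_last ON Student (studentLast);

-- View exposing only the name columns; SELECT on the view can later be
-- granted to users instead of SELECT on the whole base table.
CREATE VIEW StudentVW AS
    SELECT studentLast, studentFirst
    FROM Student;

-- ALTER changes an existing object in place; here a column is added.
ALTER TABLE Student ADD (studentEmail VARCHAR2(80));

-- DROP removes objects. Dependent objects are dropped first; the alternative
-- is DROP TABLE Student CASCADE CONSTRAINTS, which drops the referencing
-- foreign keys for you.
DROP VIEW StudentVW;
DROP TABLE Enrollment;
DROP TABLE Student;
```

The order of the DROP statements matters: Oracle refuses to drop a table that is still referenced by another table's foreign key, so either the referencing table goes first or CASCADE CONSTRAINTS is used.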
(NOTE: In the general CREATE format above, objectType would be the type of object, such as TABLE, USER, VIEW, or INDEX, and objectName would be the name of the object.) To create a database user you would also use a DDL command, CREATE USER userName. The following command would create a database user with the user name Developer, identified by the password that you entered.
CREATE USER Developer IDENTIFIED BY password;

The following are the parameters that can be used in Oracle 9i when creating a USER:

CREATE USER username
    IDENTIFIED how
    DEFAULT TABLESPACE tableSpaceName
    TEMPORARY TABLESPACE tempTableSpaceName
    QUOTA qSize ON tableSpaceName
    PROFILE profileName
    PASSWORD EXPIRE
    ACCOUNT lockstatus;

Where:

username: This is the name of the user, e.g. Developer.
how: Valid responses are:
    BY password, where password is the user's password;
    EXTERNALLY, indicating that the OS or another external mechanism identifies the user;
    GLOBALLY, identified across distributed database systems.
tableSpaceName (after DEFAULT TABLESPACE): The tablespace (on the permanent storage media) that will be used to store the user's database objects.
tempTableSpaceName: The tablespace that will be used for temporary storage (for example, used for sorting).
qSize: The quota size allowed for the user in the tablespace.
tableSpaceName (after ON): The tablespace to which qSize applies.
profileName: The user profile name; the default profile is assigned if there is no specific user profile.
PASSWORD EXPIRE: Use only when the password is to be set to expire automatically.
lockstatus: LOCK or UNLOCK the user.
To change a user's permissions, an ALTER command may be used. The ALTER command has the same parameters as the CREATE. The format would be

ALTER USER Developer <parameter to be changed>;

For example, to change the profile for the user Developer to DevProfile, you would issue the following command:

ALTER USER Developer PROFILE DevProfile;

Creating a database user provides a user access. You can alter a user to change what they can and cannot access. You can also remove a user by issuing the DROP USER command. This will deny that user access; essentially, the user will no longer exist. There must also be mechanisms to control access in a RDBMS such as Oracle 9i.

Access Control

Access controls are the security mechanisms that allow authorized or trusted users the capability to access the database and DBMS facilities they need to do their job. Access controls also prevent unauthorized users from accessing sensitive data or using powerful DBMS facilities. The use of access controls is known as authentication. Because of its importance, establishing access control is one of the database administrator's (DBA's) first duties after installation. Once a user has been authenticated, the database knows what the user's access privileges are. There are several ways to provide the database with this important data. You can, in many RDBMSs including Oracle 9i, create roles and/or profiles that can be used to manage and control user accounts and access privileges. We will look more closely at roles and profiles next week. There exist various system and/or object privileges in Oracle 9i that can be granted to a user (or revoked). We will take a closer look at these now.

Privileges

There are two types of privileges, system and object. First, let's take a closer look at system privileges. In Oracle 9i, system privileges allow a user to perform specific tasks such as create tables, create views, select any index, etc. System privileges can be granted to a specific user or removed (revoked) from the user. The following SQL command:

GRANT CREATE ANY TABLE TO Developer;

would grant the system privilege CREATE ANY TABLE to the user Developer. This privilege could also be revoked using the REVOKE command. The command would be:

REVOKE CREATE ANY TABLE FROM Developer;

These are powerful privileges and provide the users with a great deal of capability. There are users that require this type of functionality, such as DBAs, database designers, or developers. However, most users only require access to specific database objects. For these users, object privileges can be granted or revoked that will allow specific access to the database objects that these users need.
To grant SELECT access on the Student table to a user named Professor, you would use the following:

GRANT SELECT ON Student TO Professor;

By using GRANT (and REVOKE) for object and system privileges, you can control which users have which privileges for specific objects. To facilitate the administration of privileges, it is possible to create roles that contain the specific privileges. Using these tools, it is easier to just assign the required role. We will explore this in further detail next time.
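The following is an added example, not part of the original handout, that ties together the CREATE USER parameters, the ALTER USER and DROP USER commands, and the system and object privilege GRANT/REVOKE statements discussed above into one account lifecycle for the two users named in the text, Developer and Professor. It is written to be run by a DBA account in Oracle. The tablespace names users and temp, the profile DevProfile (created here so that the PROFILE clause has something to refer to), the placeholder passwords, and the assumption that Developer has already created its Student table are all illustrative assumptions.

```sql
-- Added example (not from the original handout): account lifecycle for the
-- users Developer and Professor, run as a DBA. Tablespace names, the profile
-- DevProfile, and the password values are assumed for illustration.

-- Profile that limits repeated failed logins and forces a periodic password
-- change (profiles are covered in more detail later in the course).
CREATE PROFILE DevProfile LIMIT
    FAILED_LOGIN_ATTEMPTS 5
    PASSWORD_LIFE_TIME    90;

-- Developer: an account that builds objects in its own schema.
-- QUOTA caps how much of the tablespace this schema may use, PASSWORD EXPIRE
-- forces a password change at first login, ACCOUNT UNLOCK makes it usable.
CREATE USER Developer IDENTIFIED BY ChangeMe_1
    DEFAULT TABLESPACE users
    TEMPORARY TABLESPACE temp
    QUOTA 50M ON users
    PROFILE DevProfile
    PASSWORD EXPIRE
    ACCOUNT UNLOCK;

-- Professor: an account that only reads data, so it gets no quota because it
-- will never own objects.
CREATE USER Professor IDENTIFIED BY ChangeMe_2
    DEFAULT TABLESPACE users
    TEMPORARY TABLESPACE temp
    PROFILE DevProfile
    PASSWORD EXPIRE
    ACCOUNT UNLOCK;

-- A new user cannot log in at all until it holds the CREATE SESSION system
-- privilege; creating the account alone grants nothing.
GRANT CREATE SESSION TO Developer;
GRANT CREATE SESSION TO Professor;

-- System privileges for Developer, limited to its own schema: CREATE TABLE
-- rather than CREATE ANY TABLE, so it cannot create objects in other schemas.
GRANT CREATE TABLE, CREATE VIEW TO Developer;

-- Object privilege for Professor: read access to one specific table
-- (assumes Developer has already created Student in its schema).
GRANT SELECT ON Developer.Student TO Professor;

-- Verify what was granted using the data dictionary. Unquoted identifiers are
-- stored in upper case, so the names are compared that way.
SELECT grantee, privilege
FROM   DBA_SYS_PRIVS
WHERE  grantee IN ('DEVELOPER', 'PROFESSOR');

SELECT grantee, owner, table_name, privilege
FROM   DBA_TAB_PRIVS
WHERE  grantee = 'PROFESSOR';

-- Later changes: lock an account that is not currently in use, revoke what is
-- no longer needed, and finally remove the users. DROP USER ... CASCADE also
-- drops every object in that user's schema, so Developer's tables should be
-- exported or reassigned before this step.
ALTER USER Professor ACCOUNT LOCK;
REVOKE SELECT ON Developer.Student FROM Professor;
REVOKE CREATE VIEW FROM Developer;
DROP USER Professor;
DROP USER Developer CASCADE;
```

The two dictionary queries are the check a DBA would run after any change: DBA_SYS_PRIVS lists system privileges held directly by each grantee, and DBA_TAB_PRIVS lists object privileges, which makes it easy to confirm that Professor ends up with SELECT on one table and nothing more.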