SQL 12 DCL

This document discusses controlling user access in SQL. It describes creating users and roles to ease security management. Users are created with the CREATE USER statement and assigned a username and password. Roles allow allocating privileges to groups of users. The DBA can grant system and object privileges to users and roles using the GRANT statement to control access to database objects and resources.

Uploaded by misterfarhan0307
Controlling User Access (SQL)

© 2009 Punjab University College of Information Technology (PUCIT) September 8, 2009 Slide 1
Objectives

• After completing this lesson, you should be able to do the following:
  – Create users
  – Create roles to ease setup and maintenance of the security model
  – Use the GRANT and REVOKE statements to grant and revoke object privileges

Controlling User Access

(Diagram: the database administrator assigns each user a username and password, and grants privileges to the users.)

Privileges

– Database security:
  • System security
  • Data security
– System privileges: Gain access to the database
– Object privileges: Manipulate the content of the database objects
– More than 80 privileges are available.
– The DBA has high-level system privileges:
  • Create new users
  • Remove users
  • Remove tables
  • Back up tables
Creating Users

• The DBA creates users by using the CREATE USER statement.

    CREATE USER username
    IDENTIFIED BY password;

    SQL> CREATE USER scott
         IDENTIFIED BY tiger;
    User created.

• To log in with the new user:

    CONNECT;

Changing Your Password

– The DBA creates your user account and initializes your password.
– You can change your password by using the ALTER USER statement.

    SQL> ALTER USER scott
         IDENTIFIED BY lion;
    User altered.

Viewing all the Users

• Use the Data Dictionary view ALL_USERS.

    SQL> DESC ALL_USERS;
    Name                            Null?    Type
    ------------------------------- -------- ----
    USERNAME                        NOT NULL VARCHAR2(30)
    USER_ID                         NOT NULL NUMBER
    CREATED                         NOT NULL DATE

• To get a list of all the users:

    SQL> SELECT * FROM ALL_USERS;

• To get a list of all the users along with their privileges:

    SQL> SELECT * FROM DBA_ROLE_PRIVS;
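Added example, not from the original slides: DBA_ROLE_PRIVS lists which roles each user holds, not the privileges inside them, so a review of what a user can actually do has to read the other dictionary views too. The queries below assume the standard Oracle views DBA_SYS_PRIVS, DBA_TAB_PRIVS, DBA_ROLE_PRIVS and ROLE_SYS_PRIVS, run as an account allowed to read them, and audit the user SCOTT from the Creating Users slide.

```sql
-- Added example (not part of the original slides): privilege review for one user.
-- Assumes the standard Oracle data dictionary views named below and a session
-- that is allowed to read them (e.g. the DBA).

-- 1. System privileges granted directly to SCOTT, and whether he can pass them on
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'SCOTT';

-- 2. Roles granted to SCOTT (this is all DBA_ROLE_PRIVS tells you)
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE grantee = 'SCOTT';

-- 3. System privileges SCOTT gets indirectly through those roles
--    (one level of nesting only; roles granted to roles need a recursive query)
SELECT rp.granted_role, sp.privilege, sp.admin_option
  FROM dba_role_privs rp
  JOIN role_sys_privs sp ON sp.role = rp.granted_role
 WHERE rp.grantee = 'SCOTT';

-- 4. Object privileges reachable by SCOTT: directly, via his roles, or via PUBLIC,
--    with GRANTOR showing who handed each one out
SELECT grantee, owner, table_name, privilege, grantable, grantor
  FROM dba_tab_privs
 WHERE grantee IN (SELECT 'SCOTT'  FROM dual
                   UNION
                   SELECT 'PUBLIC' FROM dual
                   UNION
                   SELECT granted_role FROM dba_role_privs WHERE grantee = 'SCOTT')
 ORDER BY owner, table_name, privilege;

-- 5. Database-wide: anyone able to widen access without the DBA, i.e. holders of
--    ADMIN OPTION on a role or GRANT OPTION on an object
SELECT grantee, granted_role AS granted_item, 'ADMIN OPTION' AS how
  FROM dba_role_privs
 WHERE admin_option = 'YES'
UNION ALL
SELECT grantee, owner || '.' || table_name || ':' || privilege, 'GRANT OPTION'
  FROM dba_tab_privs
 WHERE grantable = 'YES'
 ORDER BY 1, 2;
```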

User System Privileges

• Once a user is created, the DBA can grant specific system privileges to a user.

    GRANT privilege [, privilege...]
    TO user [, user...];

• An application developer may have the following system privileges:
  – CREATE TABLE
  – CREATE SEQUENCE
  – CREATE VIEW
  – CREATE INDEX
  – CREATE PROCEDURE

Granting System Privileges

• The DBA can grant a user specific system privileges.

    SQL> GRANT create table, create sequence, create view
         TO scott;
    Grant succeeded.

What Is a Role?

(Diagram: the same privileges allocated to each user directly, "allocating privileges without a role", versus allocated once to a Manager role that is then granted to the users, "allocating privileges with a role".)

What Is a Role?

• A role is a privilege or set of privileges that allows a user to perform certain functions in the database.
• To grant a role to a user, use the following syntax:

    SQL> GRANT role TO USER
         [WITH ADMIN OPTION];
    Grant succeeded.

• If WITH ADMIN OPTION is used, that user can then grant roles to other users.

Creating and Granting Privileges to a Role

    SQL> CREATE ROLE manager;
    Role created.

    SQL> GRANT create table, create view
         to manager;
    Grant succeeded.

    SQL> GRANT manager to BLAKE, CLARK;
    Grant succeeded.

Granting and Revoking a Role

    SQL> GRANT role TO user;

    SQL> GRANT connect TO manager;

    SQL> REVOKE role FROM user;

    SQL> REVOKE connect FROM manager;

    SQL> REVOKE create table FROM manager;
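Added example, not from the original slides: the manager role from the two slides above managed as one unit over its lifetime, so that adding, removing or auditing a privilege touches the role rather than every user, contrasted with the same privileges granted directly. It assumes the users BLAKE and CLARK already exist (created as on the Creating Users slide) and that the script runs as the DBA.

```sql
-- Added example (not part of the original slides): role lifecycle for the
-- MANAGER role. Assumes users BLAKE and CLARK exist and the DBA runs this.

CREATE ROLE manager;

-- Put only the privileges the job needs into the role
GRANT create table, create view TO manager;

-- Hand the role out. Without ADMIN OPTION the holders cannot pass it on,
-- so the set of people able to widen access stays with the DBA.
GRANT manager TO blake, clark;

-- Later the team no longer needs CREATE VIEW: one REVOKE fixes every holder
REVOKE create view FROM manager;

-- Confirm what the role now contains, and who holds it
SELECT privilege
  FROM role_sys_privs
 WHERE role = 'MANAGER';

SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'MANAGER';

-- Offboarding CLARK: revoke the role grant, the role itself is untouched
REVOKE manager FROM clark;

-- Contrast: the same privileges granted directly. Nothing in the dictionary
-- records *why* each user has them, and every change is one statement per user.
GRANT create table, create view TO blake;
GRANT create table, create view TO clark;
REVOKE create view FROM blake;
REVOKE create view FROM clark;
REVOKE create table, create view FROM clark;   -- offboarding, again per user
```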

Object Privileges

– After you decide which roles to grant your users, your next step is deciding which permissions or privileges these users will have on database objects.
– If you actually create an object, you can grant privileges on that object to other users.
– Object privileges vary from object to object.
– An owner has all the privileges on the object.

    GRANT {object_priv | ALL} [(columns)]
    ON object
    TO {user|role|PUBLIC}
    [WITH GRANT OPTION];

Granting Object Privileges

– Grant query privileges on the EMP table.

    SQL> GRANT select
         ON emp
         TO boota, bala;
    Grant succeeded.

– Grant all privileges on the EMP table.

    SQL> GRANT ALL ON emp
         TO boss;
    Grant succeeded.

• Grant privileges to update specific columns to users and roles.

    SQL> GRANT update (dname, loc)
         ON dept
         TO scott, manager;
    Grant succeeded.
How to Revoke Object Privileges

– You use the REVOKE statement to revoke privileges granted to other users.
– Privileges granted to others through the WITH GRANT OPTION will also be revoked.

    REVOKE {privilege [, privilege...]|ALL}
    ON object
    FROM {user[, user...]|role|PUBLIC};

Revoking Object Privileges

• As user Alice, revoke the SELECT and INSERT privileges given to user Scott on the DEPT table.

    SQL> REVOKE select, insert
         ON dept
         FROM scott;
    Revoke succeeded.
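Added example, not from the original slides: what WITH GRANT OPTION does to the revoke on the two slides above. Alice lets Scott re-grant SELECT on DEPT, Scott passes it to Bala, and Alice's later REVOKE from Scott silently removes Bala's access as well. It assumes users ALICE (owner of DEPT), SCOTT and BALA exist with CREATE SESSION; the CONNECT lines are SQL*Plus commands and the passwords are placeholders.

```sql
-- Added example (not part of the original slides): GRANT OPTION chain and the
-- cascading revoke. Assumes ALICE owns DEPT and that SCOTT and BALA can log in;
-- <...> passwords are placeholders.

CONNECT alice/<alice_password>
-- Alice lets Scott read DEPT and allows him to pass that right on
GRANT select ON dept TO scott WITH GRANT OPTION;

CONNECT scott/<scott_password>
-- Scott re-grants it: Bala can now read ALICE.DEPT, and Alice was never asked
GRANT select ON alice.dept TO bala;

CONNECT alice/<alice_password>
-- As the owner, Alice sees every grant on DEPT; GRANTOR shows the chain.
-- Expected: SCOTT (grantor ALICE, grantable YES) and BALA (grantor SCOTT, grantable NO)
SELECT grantee, grantor, privilege, grantable
  FROM user_tab_privs
 WHERE table_name = 'DEPT';

-- Alice revokes from Scott. The grant Scott made to Bala is dropped with it,
-- even though Alice never named Bala.
REVOKE select ON dept FROM scott;

-- Expected: no rows
SELECT grantee, grantor, privilege, grantable
  FROM user_tab_privs
 WHERE table_name = 'DEPT';

-- When delegation is not needed, grant without GRANT OPTION: only the owner
-- (or a DBA) can then widen access to the table, and the chain above cannot form.
GRANT select ON dept TO scott;
```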
