Chapter 7 User Creation and Management

Dr. Chen, Oracle Database System (Oracle) 1 Chapter 7 User Creation and Management Jason C. H. Chen, Ph.D. Professor of MIS School of Business Gonzaga University Spokane, WA 99258 USA [email protected]

Post on 24-Feb-2016


DESCRIPTION

Chapter 7 User Creation and Management. PowerPoint (PPT) presentation by Jason C. H. Chen, Ph.D., Professor of MIS, School of Business, Gonzaga University, Spokane, WA 99258 USA.

TRANSCRIPT

Page 1: Chapter 7 User Creation and Management

Chapter 7 User Creation and Management

Jason C. H. Chen, Ph.D., Professor of MIS
School of Business, Gonzaga University
Spokane, WA 99258 USA
[email protected]

Page 2

Objectives

• Explain the concept of data security
• Create a new user account
• Identify two types of privileges: system and object
• Grant privileges to a user
• Address password expiration requirements
• Change the password of an existing account

Page 3

Objectives (continued)

• Create a role
• Grant privileges to a role
• Assign a user to a role
• View privilege information
• Revoke privileges from a user and a role
• Remove a user and roles

Page 4

Basic SQL Concepts

• DDL (Data Definition Language) – commands that work with the objects (tables, indexes, views, etc.) in the database, e.g., CREATE, ALTER, DROP, and RENAME.
• DML (Data Manipulation Language) – commands that work with the (physical) data in the database, e.g., SELECT, INSERT, UPDATE, and DELETE.
• DCL (Data Control Language) – commands that control a database, including administering privileges, e.g., GRANT, REVOKE.

Page 5

Data Security

• User accounts provide a method of authentication
• They can grant access to specific objects
• They identify owners of objects

Page 6

Creating a User

• The CREATE USER command gives each user a user name and password

Figure 7-1 Syntax of the CREATE USER command

Can you perform this command? Why?

Page 7

Assigning User Privileges

• There are two types of privileges
• System privileges – Allow access to the database and execution of DDL operations
• Object privileges – Allow a user to perform DML and query operations

Page 8

Practice

• Type the following command:
SELECT * FROM location;
• I grant the following to all of you:
GRANT SELECT ON location TO PUBLIC;
• You type the following again:
SELECT * FROM c##chen.location;
• I revoke the following from you:
REVOKE SELECT ON location FROM PUBLIC;
• You type the following again:
SELECT * FROM c##chen.location;

Just for the instructor: @ c:\oradata\NW_CW\northwoods.sql

Page 9

Examples of Object Privileges

Object Type | Privilege | Description
Table, Sequence | ALTER | Allows user to change object’s structure using the ALTER command
Table, Sequence | DROP | Allows user to drop object
Table, Sequence | SELECT | Allows user to view object
Table | INSERT, UPDATE, DELETE | Allows user to insert, update, delete table data
Any database object | ALL | Allows user to perform any operation on object

Page 10

Pseudo-columns

• Acts like a column in a database query
• Actually a command that returns a specific value
• Used to retrieve:
– Current system date
– Name of the current database user
– Next value in a sequence

Pseudocolumn Name | Output
CURRVAL | Most recently retrieved sequence value
NEXTVAL | Next value in a sequence
SYSDATE | Current system date from database server
USER | Username of current user

Page 11

Using Pseudo-columns

• Retrieving the current system date: SELECT SYSDATE FROM DUAL;
• Retrieving the name of the current user: SELECT USER FROM DUAL;
• DUAL is a system table that is used with pseudo-columns
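A constructed example, added here and not part of the slides, that puts all four pseudo-columns from page 10 to work in one insert sequence: NEXTVAL and CURRVAL tie a parent row to its child rows, while USER and SYSDATE stamp each row with who created it and when. The tables, the sequence and the sample data are assumptions made up for this example.

```sql
-- Constructed schema for this example; none of these names come from the
-- Northwoods database used on the slides.
CREATE SEQUENCE order_seq START WITH 1 INCREMENT BY 1;

CREATE TABLE orders (
  order_id    NUMBER        PRIMARY KEY,
  created_by  VARCHAR2(128) DEFAULT USER    NOT NULL,  -- USER as a column default
  created_on  DATE          DEFAULT SYSDATE NOT NULL   -- SYSDATE as a column default
);

CREATE TABLE order_lines (
  order_id  NUMBER REFERENCES orders(order_id),
  line_no   NUMBER,
  item      VARCHAR2(30)
);

-- NEXTVAL draws a fresh key; USER and SYSDATE record who inserted the row
-- and when, server-side, so the audit columns never depend on client input.
INSERT INTO orders (order_id, created_by, created_on)
VALUES (order_seq.NEXTVAL, USER, SYSDATE);

-- CURRVAL returns the value NEXTVAL just produced in THIS session, so the
-- child rows point at the right parent even when other sessions insert too.
INSERT INTO order_lines VALUES (order_seq.CURRVAL, 1, 'Widget');
INSERT INTO order_lines VALUES (order_seq.CURRVAL, 2, 'Gadget');
COMMIT;

-- The same pseudo-columns on their own, through DUAL as on page 11.
SELECT USER, SYSDATE, order_seq.CURRVAL FROM DUAL;
```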

Page 12

Your Turn (and Job)

• Read chapter 7 (both pptx file and Oracle text)

• Practice all examples (script file is available in the Bb, file name: Ch7_Queries.sql)

Page 13

Assigning User Privileges (continued)

• Even with a valid user name and password, a user still needs the CREATE SESSION privilege to connect to a database

Figure 7-5 Command to grant the CREATE SESSION privilege

Page 14

System Privileges

• Affect a user’s ability to create, alter, and drop objects
• Use of the ANY keyword with an object privilege (INSERT ANY TABLE) is considered a system privilege
• A list of all available system privileges can be viewed through SYSTEM_PRIVILEGE_MAP

Page 15

SYSTEM_PRIVILEGE_MAP

Figure 7-3 A partial list of available system privileges

Page 16

Granting System Privileges

• System privileges are given through the GRANT command

Figure 7-4 Syntax of the GRANT command for system privileges

Page 17

Granting System Privileges (continued)

• GRANT clause – identifies system privileges being granted
• TO clause – identifies receiving user or role
• WITH ADMIN OPTION clause – allows a user to grant the privilege to other database users

Page 18

Object Privileges

• SELECT – display data from table, view, or sequence
• INSERT – insert data into table or view
• UPDATE – change data in a table or view
• DELETE – remove data from a table or view
• ALTER – change definition of table or view

Page 19

Granting Object Privileges

• Grant object privileges through the GRANT command

Figure 7-6 Syntax of the GRANT command for object privileges

Page 20

Granting Object Privileges (continued)

• GRANT clause – identifies object privileges
• ON clause – identifies object
• TO clause – identifies user or role receiving privilege
• WITH GRANT OPTION clause – gives a user the ability to assign the same privilege to other users

GRANT Command Examples

Table 7-2 Examples of Granting Object Privileges to a User

Page 21

Password Management

• To change a user password, use the PASSWORD command or the ALTER USER command

Figure 7-12 Command to change a password
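The script below is an added example, not part of the original slides, that ties pages 6, 13, 16, 17 and 21 together: creating the account, granting CREATE SESSION, granting system privileges with and without WITH ADMIN OPTION, and the two ALTER USER password forms. RTHOMAS is the user named in the deck; the password literals, the USERS tablespace and the quota value are assumptions for this example.

```sql
-- Added example. Run as a DBA inside a pluggable database (in a CDB root a
-- common user would need the C## prefix seen on page 8). RTHOMAS is from the
-- slides; passwords, the USERS tablespace and the quota are assumptions.

-- Page 6: the account exists after this but still cannot log in.
CREATE USER rthomas IDENTIFIED BY "Ch7_Start#2016";

-- Page 13: CREATE SESSION is the minimum system privilege needed to connect.
GRANT CREATE SESSION TO rthomas;

-- Pages 16/17: grant only the DDL rights the job needs. Without ADMIN OPTION
-- RTHOMAS cannot hand these on to anyone else.
GRANT CREATE TABLE, CREATE SEQUENCE TO rthomas;

-- A bounded quota lets CREATE TABLE work without the far broader
-- UNLIMITED TABLESPACE system privilege.
ALTER USER rthomas QUOTA 10M ON users;

-- WITH ADMIN OPTION lets the grantee re-grant the privilege. Reserve it for
-- administrators: unlike object privileges (page 29), revoking a system
-- privilege from RTHOMAS later does not cascade to users RTHOMAS granted.
GRANT CREATE VIEW TO rthomas WITH ADMIN OPTION;

-- Page 21 and the summary: reset the password, then force a change at the
-- next login so the value the DBA knows is never the working password.
ALTER USER rthomas IDENTIFIED BY "Ch7_Reset#2016";
ALTER USER rthomas PASSWORD EXPIRE;

-- Confirm what the account now holds and that it is flagged as expired.
SELECT privilege, admin_option FROM dba_sys_privs WHERE grantee = 'RTHOMAS';
SELECT username, account_status FROM dba_users WHERE username = 'RTHOMAS';
```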

Page 22

Utilizing Roles

• A role is a group, or collection, of privileges

Figure 7-16 Command for creating the ORDERENTRY role

Figure 7-17 Commands for granting privileges to the ORDERENTRY role

Page 23

Utilizing Roles (continued)

• Roles can be assigned to users or other roles

Figure 7-18 Command for granting the ORDERENTRY role to RTHOMAS

Page 24

Utilizing Roles (continued)

• A user can be assigned several roles
• All roles can be enabled at one time
• Only one role can be designated as the default role for each user
• Default role can be assigned through the ALTER USER command

Page 25

Utilizing Roles (continued)

• Roles can be modified with the ALTER ROLE command

• Roles can be assigned passwords

Figure 7-23 Syntax of the ALTER ROLE command

Page 26

Viewing Privilege Information

• ROLE_SYS_PRIVS lists all system privileges assigned to a role

• SESSION_PRIVS lists a user’s currently enabled roles

Page 27

ROLE_TAB_PRIVS Example

Figure 7-24 Verifying privileges assigned to a role
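An added example, not from the slides, covering pages 22 through 27 in one script: building the ORDERENTRY role, granting it to RTHOMAS, making it the default role, adding a password-protected role with ALTER ROLE, and then reading the role and session dictionary views. ORDERENTRY, RTHOMAS and C##CHEN.LOCATION come from the deck; ORDERADMIN and the role password are assumptions for this example.

```sql
-- Added example. Assumes a DBA session; ORDERADMIN and its password are
-- constructed, the other names are from the slides.

-- Page 22: a role is an empty container until privileges are granted to it.
CREATE ROLE orderentry;
GRANT CREATE SESSION TO orderentry;                               -- system privilege
GRANT SELECT, INSERT, UPDATE ON c##chen.location TO orderentry;   -- object privileges

-- Page 23: one grant hands RTHOMAS the whole bundle.
GRANT orderentry TO rthomas;

-- Page 25: a second role that must be unlocked with a password at run time,
-- so the DELETE right is not silently live in every session.
CREATE ROLE orderadmin;
ALTER ROLE orderadmin IDENTIFIED BY "RoleSecret#2016";
GRANT DELETE ON c##chen.location TO orderadmin;
GRANT orderadmin TO rthomas;

-- Page 24: only ORDERENTRY is enabled at login; ORDERADMIN stays dormant
-- until SET ROLE supplies its password.
ALTER USER rthomas DEFAULT ROLE orderentry;

-- Pages 26/27: inspect what each role carries.
SELECT role, privilege, admin_option
  FROM role_sys_privs WHERE role = 'ORDERENTRY';
SELECT role, owner, table_name, privilege
  FROM role_tab_privs WHERE role IN ('ORDERENTRY', 'ORDERADMIN');

-- Connected as RTHOMAS: SESSION_ROLES lists the roles enabled right now and
-- SESSION_PRIVS the privileges currently usable; both change after SET ROLE.
SELECT role FROM session_roles;
SELECT privilege FROM session_privs;
SET ROLE orderentry, orderadmin IDENTIFIED BY "RoleSecret#2016";
SELECT role FROM session_roles;
```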

Page 28

Removing Privileges and Roles

• Revoke system privileges with the REVOKE command

Figure 7-26 Syntax for revoking a system privilege

Page 29

Removing Privileges and Roles (continued)

• Revoking an object privilege – if the privilege was originally granted using WITH GRANT OPTION, the effect cascades and is revoked from subsequent recipients

Figure 7-27 Syntax for revoking an object privilege

Figure 7-28 Syntax for removing a role from an account
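An added example, not from the slides, that walks through the WITH GRANT OPTION clause of page 20 and the cascading revoke described on page 29, on the LOCATION table owned by C##CHEN from page 8. RTHOMAS is from the deck; JSMITH is a constructed second account assumed to already hold CREATE SESSION.

```sql
-- Added example. C##CHEN owns LOCATION and runs the owner statements;
-- RTHOMAS (slides) and JSMITH (constructed) both already hold CREATE SESSION.

-- As the owner, C##CHEN. WITH GRANT OPTION (page 20) lets RTHOMAS pass
-- SELECT along; UPDATE is granted without it, so it stops at RTHOMAS.
GRANT SELECT ON location TO rthomas WITH GRANT OPTION;
GRANT UPDATE ON location TO rthomas;

-- As RTHOMAS: re-grant only what was received WITH GRANT OPTION.
GRANT SELECT ON c##chen.location TO jsmith;
-- GRANT UPDATE ON c##chen.location TO jsmith;  -- fails: no grant option held

-- As the owner again. Because SELECT reached JSMITH through RTHOMAS's grant
-- option, revoking it from RTHOMAS cascades and JSMITH loses it too (page 29).
REVOKE SELECT ON location FROM rthomas;

-- Verify from the owner's side: RTHOMAS keeps UPDATE, nobody holds SELECT.
SELECT grantee, grantor, privilege, grantable
  FROM user_tab_privs_made
 WHERE table_name = 'LOCATION'
 ORDER BY grantee, privilege;

-- Figure 7-28: removing a role from an account uses the same REVOKE verb.
REVOKE orderentry FROM rthomas;
```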

Page 30

Dropping a Role

• Users receiving privileges via a role that is dropped will no longer have those privileges available

Figure 7-31 Syntax of the DROP ROLE command

Figure 7-32 Command for dropping the ORDERENTRY role

Page 31

Dropping a User

• The DROP USER command is used to remove a user account

Figure 7-33 Syntax of the DROP USER command

Page 32

Summary

• Database account management is only one facet of data security
• A new user account is created with the CREATE USER command
– The IDENTIFIED BY clause contains the password for the account
• System privileges are used to grant access to the database and to create, alter, and drop database objects
• The CREATE SESSION system privilege is required before a user can access his account on the Oracle server
• The system privileges available in Oracle 11g can be viewed through the SYSTEM_PRIVILEGE_MAP

Page 33

Summary (continued)

• Object privileges allow users to manipulate data in database objects
• Privileges are given through the GRANT command
• The ALTER USER command, combined with the PASSWORD EXPIRE clause, can be used to force a user to change her password upon the next attempted login to the database
• The ALTER USER command, combined with the IDENTIFIED BY clause, can be used to change a user’s password
– Privileges can be assigned to roles to make the administration of privileges easier

Page 34

Summary (continued)

• Roles are collections of privileges
• The ALTER USER command, combined with the DEFAULT ROLE keywords, can be used to assign a default role(s) to a user
• Privileges can be revoked from users and roles using the REVOKE command
• Roles can be revoked from users using the REVOKE command
• A role can be deleted using the DROP ROLE command
• A user account can be deleted using the DROP USER command