e computer notes - controlling user access
8/3/2019 e computer notes - Controlling User Access
http://slidepdf.com/reader/full/e-computer-notes-controlling-user-access 1/21
Controlling User Access
Objectives
After completing this lesson, you should be able to do the following:
• Create users
• Create roles to ease setup and maintenance of the security model
• Use the GRANT and REVOKE statements to grant and revoke object privileges
• Create and access database links
http://ecomputernotes.com
Controlling User Access
[Diagram: database administrator; username and password; privileges; users]
Privileges
• Database security:
– System security
– Data security
• System privileges: Gaining access to the database
• Object privileges: Manipulating the content of the database objects
• Schemas: Collections of objects, such as tables, views, and sequences
System Privileges
• More than 100 privileges are available.
• The database administrator has high-level system privileges for tasks such as:
– Creating new users
– Removing users
– Removing tables
– Backing up tables
Creating Users
The DBA creates users by using the CREATE USER statement.
CREATE USER user IDENTIFIED BY password;
CREATE USER scott
IDENTIFIED BY tiger;
User created.
User System Privileges
• Once a user is created, the DBA can grant specific system privileges to a user.
GRANT privilege [, privilege...]
TO user [, user| role, PUBLIC...];
• An application developer, for example, may have the following system privileges:
– CREATE SESSION
– CREATE TABLE
– CREATE SEQUENCE
– CREATE VIEW
– CREATE PROCEDURE
Granting System Privileges
The DBA can grant a user specific system privileges.
GRANT create session, create table,
      create sequence, create view
TO scott;
Grant succeeded.
What is a Role?
[Diagram: users, a Manager role, and privileges; allocating privileges without a role compared with allocating privileges with a role]
Creating and Granting Privileges to a Role
• Create a role
CREATE ROLE manager;
Role created.
• Grant privileges to a role
GRANT create table, create view
TO manager;
Grant succeeded.
• Grant a role to users
GRANT manager TO DEHAAN, KOCHHAR;
Grant succeeded.
Changing Your Password
• The DBA creates your user account and initializes your password.
• You can change your password by using the ALTER USER statement.
ALTER USER scott
IDENTIFIED BY lion;
User altered.
Object Privileges
Object Privilege   Table   View   Sequence   Procedure
ALTER              √              √
DELETE             √       √
EXECUTE                                      √
INDEX              √
INSERT             √       √
REFERENCES         √       √
SELECT             √       √      √
UPDATE             √       √
Object Privileges
• Object privileges vary from object to object.
• An owner has all the privileges on the object.
• An owner can give specific privileges on that owner’s object.
GRANT object_priv [(columns)]
ON object
TO {user|role|PUBLIC}
Granting Object Privileges
• Grant query privileges on the EMPLOYEES table.
GRANT select
ON employees
TO sue, rich;
Grant succeeded.
• Grant privileges to update specific columns to users and roles.
GRANT update (department_name, location_id)
ON departments
TO scott, manager;
Grant succeeded.
Using the WITH GRANT OPTION and PUBLIC Keywords
• Give a user authority to pass along privileges.
GRANT select, insert
ON departments
TO scott
WITH GRANT OPTION;
Grant succeeded.
• Allow all users on the system to query data from Alice’s DEPARTMENTS table.
GRANT select
ON alice.departments
TO PUBLIC;
Grant succeeded.
Confirming Privileges Granted
Data Dictionary View    Description
ROLE_SYS_PRIVS          System privileges granted to roles
ROLE_TAB_PRIVS          Table privileges granted to roles
USER_ROLE_PRIVS         Roles accessible by the user
USER_TAB_PRIVS_MADE     Object privileges granted on the user’s objects
USER_TAB_PRIVS_RECD     Object privileges granted to the user
USER_COL_PRIVS_MADE     Object privileges granted on the columns of the user’s objects
USER_COL_PRIVS_RECD     Object privileges granted to the user on specific columns
USER_SYS_PRIVS          Lists system privileges granted to the user
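These views can be queried to review what has actually been granted. The queries below are an added example, not part of the original slides; they assume you are connected as the owner of the objects (for example Alice, after the grants shown earlier), and the column aliases exposure and granted_via are illustrative names.

```sql
-- Added example (not from the original slides): reviewing grants with the
-- data dictionary views listed above. Run as the object owner.

-- 1. Object privileges granted on my objects, widest exposure first:
--    grants to PUBLIC, then grants the grantee can pass along
--    (WITH GRANT OPTION), then plain direct grants.
SELECT grantee,
       table_name,
       privilege,
       grantable,
       CASE
         WHEN grantee = 'PUBLIC' THEN 'ALL USERS'
         WHEN grantable = 'YES'  THEN 'CAN RE-GRANT'
         ELSE 'DIRECT ONLY'
       END AS exposure
FROM   user_tab_privs_made
ORDER  BY CASE
            WHEN grantee = 'PUBLIC' THEN 1
            WHEN grantable = 'YES'  THEN 2
            ELSE 3
          END,
          table_name, grantee, privilege;

-- 2. Column-level grants, such as UPDATE (department_name, location_id).
SELECT grantee, table_name, column_name, privilege, grantable
FROM   user_col_privs_made
ORDER  BY table_name, column_name, grantee;

-- 3. System privileges the current user holds, directly and through the
--    roles granted to that user. Roles granted to other roles are not
--    expanded by this query.
SELECT 'DIRECT' AS granted_via, privilege, admin_option
FROM   user_sys_privs
UNION ALL
SELECT r.granted_role, s.privilege, s.admin_option
FROM   user_role_privs r
       JOIN role_sys_privs s ON s.role = r.granted_role
ORDER  BY 1, 2;
```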
How to Revoke Object Privileges
• You use the REVOKE statement to revoke privileges granted to other users.
• Privileges granted to others through the WITH GRANT OPTION clause are also revoked.
REVOKE {privilege [, privilege...]|ALL}
ON object
FROM {user[, user...]|role|PUBLIC}
[CASCADE CONSTRAINTS];
Revoking Object Privileges
As user Alice, revoke the SELECT and INSERT privileges given to user Scott on the DEPARTMENTS table.
REVOKE select, insert
ON departments
FROM scott;
Revoke succeeded.
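The cascade described under "How to Revoke Object Privileges" can be followed step by step. This SQL*Plus session is an added example, not part of the original slides; the third user pat and the placeholder passwords are assumptions, while alice, scott and the DEPARTMENTS table are those of the slides, and only SELECT is granted to keep the sequence short.

```sql
-- Added example (not from the original slides).
-- Hypothetical user: pat. The <..._password> values are placeholders.

-- Step 1: Alice, the owner, lets Scott pass SELECT along.
CONNECT alice/<alice_password>
GRANT select ON departments TO scott WITH GRANT OPTION;

-- Step 2: Scott uses the grant option to give SELECT to Pat.
CONNECT scott/<scott_password>
GRANT select ON alice.departments TO pat;

-- Step 3: Alice reviews the grants on her table. GRANTOR shows who made
-- each grant, so a grant passed along by Scott is visible to the owner.
CONNECT alice/<alice_password>
SELECT grantee, grantor, privilege, grantable
FROM   user_tab_privs_made
WHERE  table_name = 'DEPARTMENTS'
ORDER  BY grantor, grantee;

-- Step 4: Alice revokes the privilege from Scott only.
REVOKE select ON departments FROM scott;

-- Step 5: The same review now shows neither Scott's grant nor the one
-- Scott passed along to Pat: the revoke cascaded.
SELECT grantee, grantor, privilege, grantable
FROM   user_tab_privs_made
WHERE  table_name = 'DEPARTMENTS'
ORDER  BY grantor, grantee;

-- Step 6: Pat's query is rejected, although Alice never named Pat
-- in the REVOKE statement.
CONNECT pat/<pat_password>
SELECT COUNT(*) FROM alice.departments;
```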
Database Links
A database link connection allows local users to access data on a remote database.
[Diagram: a local database and the remote HQ_ACME.COM database, which holds the EMP table]
SELECT * FROM emp@HQ_ACME.COM;
Database Links
• Create the database link.
CREATE PUBLIC DATABASE LINK hq.acme.com
USING 'sales';
Database link created.
• Write SQL statements that use the database link.
SELECT *
FROM emp@hq.acme.com;