Security
Security
Security
Lecture 4
Database Security
Oracle uses schemas and security domains to control access to data and
to restrict the use of various database resources.
To access a database, a user must use a database application and attempt a connection with a
valid user name of the database.
Within each database a user name must be unique with respect to other user names and roles.
A user and role cannot have the same name.
USER_USERS
ALL_USERS
DBA_USERS
USER_TS_QUOTAS
DBA_TS_QUOTAS
Information about the database user who is currently logged on, can
be seen by examining the USER_USERS data dictionary view.
System Privileges
– A system privilege is the right to perform a particular action, or to
perform an action on any schema objects of a particular type.
– For example, the privileges to create tablespaces and to delete
the rows of any table in a database are system privileges.
– There are over 100 distinct system privileges.
role role
PUBLIC
Where:
– System_priv Is a system privilege to be granted
– Role Is a role name to be granted
– TO Identifies the users or roles to which the system privileges and roles are
granted
– PUBLIC Grants system privileges or roles to all users
– WITH ADMIN OPTION Allows the grantee to grant the system privilege or role
to other users or roles. It you grant a role WITH ADMIN OPTION, the grantee
can also alter or drop the role.
– To grant a system privilege, you must have been granted the privilege
with the ADMIN OPTION.
Syntax:
, ,
role
role
PUBLIC
The options for REVOKE have the same meaning as for the
GRANT command
A system privilege can be revoked by a user other than the
grantor
A B C A B C A B C
Schema. role
PUBLIC
Where:
– Object_priv: Is an object privilege to be granted
– ON: Identifies the object on which the privileges are granted. if the
“schema.” prefix is not used then ORACLE assumes the current
user’s schema.
– TO: Identifies the users or roles to which the object privilege is
granted
– PUBLIC: Grants object privileges to all users
– WITH GRANT OPTION : Allows the grantee to grant the object
privileges to other users and roles. The grantee must be a user or
PUBLIC. GRANT OPTION cannot be granted to a role.
Database Systems Slide 18
Object Privileges Cascade
Grantors can revoke privileges from only those users to whom they
had granted the privileges in the first place.
Revoking an object privilege may have a cascading effect that
should be investigated before a REVOKE statement is issued.
A B C A B C A B C
Available to DBAs
Within a database, each role name must be unique, different from all
user names and all other role names.
IDENTIFIED BY password
EXTERNALLY
Where:
– Role Name of the role to be created
– NOT IDENTIFIED Users granted the role do not need to be verified by
ORACLE to enable it
– IDENTIFIED Indicates that the users granted the role must be verified
by ORACLE to enable the role
– BY password Specifies the password that authorizes enabling the role
– EXTERNALLY Specifies that ORACLE will verify user access to the role
using an operating system utility
Note : If the IDENTIFIED option is chosen, users can enable/disable the role
by using the SET ROLE command.
You can direct and limit the use of disk space allocated to the database for
each user, including default and temporary tablespaces and tablespace
quotas.
Default Tablespace
– Each user is associated with a default tablespace. When a user creates a
table, index, or cluster and no tablespace is specified, the object is created in
user’s default tablespace.
Temporary Tablespace
– Each user has a temporary tablespace. When a user runs a SQL statement
that requires the creation of temporary segments, the user’s temporary
tablespace is used.
Tablespace Quotas
– It is possible to limit the collective amount of disk space available to the
objects in a schema. Quotas (space limits) can be set for each tablespace
available to a user. This permits selective control over the amount of disk
space that can be consumed by the objects of specific schemas.
Some Examples
– CPU processing time available for the user’s session and a single call to
Oracle made by a SQL statement,
– Amount of logical I/O available for the user’s session and a single call to
Oracle made by a SQL statement,
– Password restrictions:
Account locking after multiple unsuccessful login attempts
Password expiration and grace period
Password reuse and complexity restrictions