User Management
SYSTEM
SYSMAN
Used by OEM to monitor and gather performance stats, which are stored in the sysaux tablespace
DBSNMP
Same as sys but for the OEM; owns all internal tables in the sysaux tablespace.
There are two privileges which many junior DBAs (including myself) get confused about:
sysoper and sysdba. These are system privileges, not users or roles; see here for
more details on these two privileges.
All users need a default tablespace, which is where all objects created by the user will be
stored, and a temporary tablespace, which is where they perform work such as sorting
data during SQL execution. Make sure that you assign both tablespaces explicitly, as on some
systems users could otherwise end up using the system tablespace, which is not a good idea.
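Creating a user with explicit tablespaces and a bounded quota, then checking the result in the views listed later on this page. This is an added example, not from the original notes; the tablespace names users_data and temp_ts and the user name are assumed.

```sql
-- Added example: create a user so that nothing lands in the SYSTEM tablespace.
-- users_data / temp_ts are assumed tablespace names; replace with your own.
create user vallep identified by "<password>"
  default tablespace   users_data
  temporary tablespace temp_ts
  quota 100m on users_data        -- bounded space rather than unlimited
  account unlock;

-- the account cannot log in until it holds the create session privilege
grant create session to vallep;

-- force a password change at first logon so the initial value is never reused
alter user vallep password expire;

-- verify the assignment (a default tablespace of SYSTEM is the mistake to look for)
select username, default_tablespace, temporary_tablespace, account_status
from   dba_users
where  username = 'VALLEP';

-- verify the quota; max_bytes = -1 means unlimited
select tablespace_name, bytes, max_bytes
from   dba_ts_quotas
where  username = 'VALLEP';

-- periodic check: which accounts still default to the SYSTEM tablespace?
select username, default_tablespace
from   dba_users
where  default_tablespace = 'SYSTEM';
```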
Creating
Remove
drop user vallep;
drop user vallep cascade;
Note: the cascade option will remove all of the user's objects as well.
Alter
Password options
Note:
identified by - the password will be kept in the data dictionary
identified externally - authentication will be performed by the O/S
identified globally as extname - authentication will be performed by an external app i.
a user is only allowed to change his/her own password
Expire password
Lock/unlock
Connecting
Note: this allows the user to connect to the database
Revoke access
Quota
Useful Views
DBA_USERS
DBA_TS_QUOTAS
V$SESSION
By default Oracle passwords are sent in clear text across the network; set the following
environment variables to encrypt the password between the client and server.
Server
dblink_encrypt_login = true
Client
ora_encrypt_login = true
Profiles
Profiles are used to limit a user's resources; they can also enforce password management
rules. Only the DBA can change profiles. There is a global default profile which every
user is assigned to if they are not already assigned to one. If a user reaches one of the
limits in the profile the transaction is rolled back and an error message is displayed
stating that a resource limit has been reached. There are a number of resources that
can be limited:
connect_time - limits a session to this number of minutes
cpu_per_call - limits the cpu time used by any single database call
cpu_per_session - limits the cpu time used by a session
idle_time - limits how long a session may stay idle; allows the user to rollback or commit before
logging off
logical_reads_per_call - caps the amount of work done by any single database call
logical_reads_per_session - caps the amount of work done by any session
private_sga - limits memory when using shared servers
sessions_per_user - limits the number of sessions a user can have
composite_limit - calculated from cpu_per_session, logical_reads_per_session,
connect_time and private_sga
The security features that the profile can also manage are:
failed_login_attempts - number of times a user can enter the wrong password
before the account is locked
password_lock_time - if the above is breached, lock the account for this number
of days
password_life_time - number of days a password can remain in force
password_grace_time - number of days during which the user is warned that the password must be changed, applied on top of the above
value
password_reuse_time - maximum # of days before a password can be reused
Remove
Setting a limit
Note: any users using the dropped profile will be automatically assigned the default
profile
alter profile user_profile limit idle_time 30;
Assign a profile
Useful Views
USER_RESOURCE_LIMITS
USER_PASSWORD_LIMITS
describes the password profile parameters that are assigned to the user.
DBA_PROFILES
Before profiles are used you must set the following system parameter; you have
to restart the database in order for the change to take effect.
Enable resource limits
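A profile that enforces both the resource limits and the password rules described in this section, assigned to a user and then checked in DBA_PROFILES. This is an added example, not from the original notes; the profile name app_user_profile and the user name are assumed, and password_reuse_max is an additional Oracle profile parameter not listed above.

```sql
-- Added example: resource limits are only enforced once resource_limit is true;
-- password limits are enforced regardless of this setting.
alter system set resource_limit = true;

create profile app_user_profile limit
  sessions_per_user        3
  connect_time             480        -- minutes
  idle_time                30         -- minutes
  cpu_per_call             3000       -- hundredths of a second
  logical_reads_per_call   100000
  failed_login_attempts    5
  password_lock_time       1          -- days
  password_life_time       90         -- days
  password_grace_time      7          -- days
  password_reuse_time      365        -- days
  password_reuse_max       10;        -- both reuse values must be set, or neither applies

-- the user keeps the DEFAULT profile until it is assigned explicitly
alter user vallep profile app_user_profile;

-- verify the effective limits; a limit of DEFAULT is inherited from the DEFAULT profile
select profile, resource_type, resource_name, limit
from   dba_profiles
where  profile = 'APP_USER_PROFILE'
order  by resource_type, resource_name;

-- periodic check: accounts whose profile still allows unlimited failed logins
select u.username, u.profile
from   dba_users u
join   dba_profiles p on p.profile = u.profile
where  p.resource_name = 'FAILED_LOGIN_ATTEMPTS'
and    p.limit = 'UNLIMITED';
```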
Roles
See data access for more information on roles.
Data Access
Oracle uses several means to control data access, and the best way is to assign
privileges and roles to users. You can assign individual privileges to users, but this can
become overwhelming when you have many users; this is where roles come into play,
as privileges can be assigned to the role and then the role assigned to the user.
There are two basic kinds of privilege, system and object; using the
commands grant and revoke, privileges can be given to and taken away from a user.
System Privileges
Here are some common system privileges. Be careful to whom you grant system
privileges, as these can have a devastating impact on your database.
advisor
alter database
alter system
audit system
create database link
create table
create any index
create session
create tablespace
create, alter and drop user
insert any table
It is possible to allow a user to pass on a system privilege he/she holds to
other users: when granting the system privilege, use the option "with admin option".
Granting
Revoking
Useful Views
SYSTEM_PRIVILEGE_MAP
DBA_USERS
DBA_SYS_PRIVS
There are two very powerful system privileges, sysdba and sysoper; you cannot grant
these privileges to a role and you cannot grant them with admin option.
SYSOPER
Object Privileges
Object privileges are privileges on database objects which allow a user to perform
some action on a specific table, view, sequence, etc. You can use the following SQL
statements when you grant object privileges:
alter
select
delete
execute
insert
ex type, operator, procedure, sequence, table, trigger and type
exp_full_database - used for data pump export
imp_full_database - used for data pump import
If you grant a role using with admin option the grantee can do the following:
grant the role to or revoke it from any user or other role in the database
grant the role with admin option
alter or drop the role
create role test_role identified by <password>;
creating
Note: the password is optional; you can also use externally or globally authenticated
removing
list roles/privileges
set default
Useful Views
DBA_ROLES
DBA_ROLE_PRIVS
Note: useful columns are admin_option and default_role
ROLE_SYS_PRIVS
lists the roles' system privileges and which roles have other roles within them
ROLE_TAB_PRIVS
ROLE_ROLE_PRIVS
lists what other roles the role has (roles within roles)
SESSION_ROLES
SESSION_PRIVS
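Wrapping object privileges in a role, granting it with and without admin option, and auditing the result through the views listed in the System Privileges and Roles sections above. This is an added example, not from the original notes; the schema hr, its objects, and the role and user names are assumed.

```sql
-- Added example: grant through a role so each user holds only what the role confers.
-- hr.employees, hr.departments, hr.pkg_payroll and the role/user names are assumed.
create role app_reader;                      -- no password: enabled at logon by default
grant select  on hr.employees   to app_reader;
grant select  on hr.departments to app_reader;
grant execute on hr.pkg_payroll to app_reader;

-- plain grant: vallep can use the role but cannot hand it on
grant app_reader to vallep;

-- admin grant: app_owner can re-grant, alter or drop the role; keep these rare
grant app_reader to app_owner with admin option;

-- who holds the role, and who can propagate it?
select grantee, admin_option, default_role
from   dba_role_privs
where  granted_role = 'APP_READER';

-- what exactly does the role confer at object level?
select owner, table_name, privilege
from   role_tab_privs
where  role = 'APP_READER';

-- which roles carry high-impact system privileges from the list above?
select role, privilege
from   role_sys_privs
where  privilege in ('ALTER SYSTEM', 'CREATE ANY INDEX', 'INSERT ANY TABLE',
                     'CREATE USER', 'ALTER USER', 'DROP USER');

-- which users can pass on system privileges granted to them directly?
select grantee, privilege
from   dba_sys_privs
where  admin_option = 'YES'
and    grantee not in ('SYS', 'SYSTEM');

-- sysdba / sysoper cannot live in a role; they are recorded in the password file
select username, sysdba, sysoper
from   v$pwfile_users;

-- taking the role away again
revoke app_reader from vallep;
```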