17 Managing Roles

After completing this lesson, you should be able to do the following:
• Create and modify roles
• Control availability of roles
• Remove roles
• Use predefined roles
• Obtain role information

Roles
[Figure: privileges (SELECT ON JOBS, INSERT ON JOBS, UPDATE ON JOBS, CREATE SESSION, CREATE TABLE) grouped into the roles HR_CLERK and HR_MGR]

Benefits of Roles
• Easier privilege management
• Dynamic privilege management
• Selective availability of privileges
• Can be granted through the operating system

Creating Roles
Roles with ADMIN option:
• Not identified:
CREATE ROLE oe_clerk;
• By password:
CREATE ROLE hr_clerk IDENTIFIED BY bonus;
• Identified externally:
CREATE ROLE hr_manager IDENTIFIED EXTERNALLY;

Predefined Roles
Role Name             Description
EXP_FULL_DATABASE     Privileges to export the database
IMP_FULL_DATABASE     Privileges to import the database
DELETE_CATALOG_ROLE   DELETE privileges on data dictionary tables
                      data dictionary packages
SELECT_CATALOG_ROLE   SELECT privilege on data dictionary tables

Modifying Roles
• ALTER ROLE modifies the authentication method.
• Modifying roles requires the ADMIN option or ALTER ANY ROLE privilege.
ALTER ROLE hr_clerk IDENTIFIED EXTERNALLY;
ALTER ROLE hr_manager NOT IDENTIFIED;
ALTER ROLE oe_clerk IDENTIFIED BY order;

Assigning Roles
Use the GRANT command to assign a role.
GRANT hr_clerk TO hr_manager;
GRANT oe_clerk TO scott;
GRANT hr_manager TO scott WITH ADMIN OPTION;

Establishing Default Roles
• A user can be assigned many roles.
• A user can be assigned a default role.
• Limit the number of default roles for a user.
ALTER USER scott DEFAULT ROLE hr_clerk, oe_clerk;
ALTER USER scott DEFAULT ROLE ALL;
ALTER USER scott DEFAULT ROLE ALL EXCEPT hr_clerk;
ALTER USER scott DEFAULT ROLE NONE;

Application Roles
• Application roles can be enabled only by authorized PL/SQL packages.
• The USING package clause creates an application role.
CREATE ROLE admin_role IDENTIFIED USING hr.employee;

Enabling and Disabling Roles
• Disable a role to temporarily revoke the role from a user.
• Enable a role to grant it temporarily.
• The SET ROLE command enables and disables roles.
• Default roles are enabled for a user at login.
• A password may be required to enable a role.
SET ROLE hr_clerk;
SET ROLE oe_clerk IDENTIFIED BY order;
SET ROLE ALL EXCEPT oe_clerk;

Revoking Roles from Users
• Revoking roles from users requires the ADMIN OPTION or GRANT ANY ROLE privilege.
• To revoke a role:
REVOKE oe_clerk FROM scott;
REVOKE hr_manager FROM PUBLIC;

Removing Roles
• Dropping a role:
– Removes it from all users and roles it was granted to
– Removes it from the database
• Requires the ADMIN OPTION or DROP ANY ROLE privilege
• To drop a role:
DROP ROLE hr_manager;

Guidelines for Creating Roles
[Figure: layers labeled Users, User roles, Application roles, and Application privileges (Payroll privileges, Benefits privileges)]

Guidelines for Using Passwords and Default Roles
[Figure: a default role with SELECT privileges, and a password-protected (not default) role with INSERT, UPDATE, DELETE, and SELECT privileges]

Obtaining Role Information
Information about roles can be obtained by querying the following views:
• DBA_ROLES: All roles that exist in the database
• DBA_ROLE_PRIVS: Roles granted to users and roles
• ROLE_ROLE_PRIVS: Roles that are granted to roles
• DBA_SYS_PRIVS: System privileges granted to users and roles
• ROLE_SYS_PRIVS: System privileges granted to roles
• ROLE_TAB_PRIVS: Object privileges granted to roles
• SESSION_ROLES: Roles that the user currently has enabled
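
The views listed above can be combined to review role grants against the password and default-role guideline. The queries below are an added example, not part of the original lesson; they assume an account that can read the DBA_ views and use the SCOTT user from the earlier slides as the account under review.

```sql
-- Added example (not from the original lesson): role grant review.

-- 1. Roles carrying write privileges that are enabled at login with no
--    password. The guideline slide keeps such roles password protected
--    and out of the default set. Only privileges granted directly to the
--    role are counted here; nested roles are walked in query 2.
SELECT rp.grantee      AS username,
       rp.granted_role AS role_name,
       rp.admin_option,
       COUNT(*)        AS write_privs
FROM   dba_role_privs rp
       JOIN dba_roles r      ON r.role = rp.granted_role
       JOIN dba_tab_privs tp ON tp.grantee = rp.granted_role
WHERE  rp.default_role = 'YES'
AND    r.password_required = 'NO'
AND    tp.privilege IN ('INSERT', 'UPDATE', 'DELETE')
AND    rp.grantee IN (SELECT username FROM dba_users)
GROUP  BY rp.grantee, rp.granted_role, rp.admin_option
ORDER  BY rp.grantee, rp.granted_role;

-- 2. Every role SCOTT reaches, directly or through role-to-role grants
--    (for example hr_clerk through hr_manager). ADMIN_OPTION = 'YES'
--    marks roles the grantee can pass on to others.
SELECT LEVEL AS depth,
       grantee,
       granted_role,
       admin_option,
       default_role
FROM   dba_role_privs
START  WITH grantee = 'SCOTT'
CONNECT BY PRIOR granted_role = grantee
ORDER  SIBLINGS BY granted_role;

-- 3. System privileges SCOTT holds directly or through any of those roles.
SELECT sp.grantee AS granted_via,
       sp.privilege,
       sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.grantee = 'SCOTT'
OR     sp.grantee IN (SELECT granted_role
                      FROM   dba_role_privs
                      START  WITH grantee = 'SCOTT'
                      CONNECT BY PRIOR granted_role = grantee)
ORDER  BY sp.privilege, sp.grantee;
```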

Summary
In this lesson, you should have learned how to:
• Create roles
• Assign privileges to roles
• Assign roles to users or roles
• Establish default roles
• Obtain role information

Practice 17 Overview
This practice covers the following topics:
• Listing system privileges for a role
• Creating, assigning, and dropping roles
• Creating application roles