
Document: Controlling User Access (docx)


DOCUMENT INFORMATION

Basic information

Title: Controlling User Access
Institution: Oracle University
Subject: Database Security
Type: lecture
Format:
Pages: 34
Size: 254.49 KB


Contents


Controlling User Access

16

Introduction to Oracle: SQL and PL/SQL Using Procedure Builder 16-2

25 minutes Lecture

20 minutes Practice

45 minutes Total

Class Management Note:

Files required for this lesson are:

Demonstration: None

Practice: None

This lesson should give students an overview of Oracle7 Server’s security options. It is not intended to go into tremendous detail on each topic.

This lesson describes the Oracle7 Server decentralized security system. Using the commands covered in this lesson, you can control database access to specific objects and add new users with different levels of access privileges. You can provide alternative names for objects by using the CREATE SYNONYM command.

At the end of this lesson, you should be able to

• Explain the concept of the database security model
• Describe system privileges
• Set up and maintain database access by using roles
• Identify object privileges
• Change a password
• Grant and revoke object privileges
• Create synonyms for ease of table access

In a multiple-user environment, you want to maintain security of database access and use. Oracle7 Server database security allows you to

• Control database access
• Give access to specific objects in the database
• Confirm given and received privileges with the Oracle data dictionary
• Create synonyms for database objects

Database security can be classified into two categories: system security and data security. System security covers access and use of the database at the system level, such as username and password, disk space allocated to users, and system operations allowed by the user. Data security covers access and use of the database objects and the actions that those users can have on the objects.

Privileges

Privileges are the right to execute particular SQL statements. The database administrator is a high-level user with the ability to grant users access to the database and its objects. Users require system privileges to gain access to the database and object privileges to manipulate the content of the objects in the database. Users can also be given the privilege to grant additional privileges to other users or to roles, which are named groups of related privileges.

Schema

A schema is a collection of objects, such as tables, views, and sequences. The schema is owned by a database user and has the same name as that user.

For more information, see Oracle7 Server Application Developer’s Guide, Release 7.3, “Establishing a Security Policy” section and Oracle7 Server Concepts Manual, “Database Security” topic.

Class Management Note:

PowerPoint: The bottom slide contains the build feature.

System Privileges

There are more than eighty system privileges available for users and roles. System privileges are typically provided by the database administrator.

Typical DBA Privileges

System Privilege     Operations Authorized
CREATE USER          Allows grantee to create other Oracle users (a privilege required for a DBA role)
DROP USER            Drops another user
DROP ANY TABLE       Drops a table in any schema
BACKUP ANY TABLE     Backs up any table in any schema with the export utility

Creating a User

The DBA creates a new Oracle7 Server user by allocating a number of system privileges to that user. These privileges in turn determine what the user can do at the database level. The DBA creates the user by executing the CREATE USER command. A newly created user does not have any system privileges.

Abridged Syntax

CREATE USER user IDENTIFIED BY password;

where: user is the name of the user to be created
       password specifies that the user must log in with this password

For more information, see Oracle7 Server SQL Reference, Release 7.3, “GRANT” (System Privileges and Roles) and “CREATE USER.”

System Privileges continued

Now that the DBA has created a user, the DBA can assign privileges to that user.

Typical User Privileges

System Privilege     Operations Authorized
CREATE SESSION       Connect to the database
CREATE TABLE         Create tables in the user’s schema
CREATE SEQUENCE      Create a sequence in the user’s schema
CREATE VIEW          Create a view in the user’s schema
CREATE PROCEDURE     Create a stored procedure, function, or package in the user’s schema

GRANT privilege [, privilege ...] TO user [, user ...];

where: privilege is the system privilege to be granted
       user is the name of the user

Note: The above syntax is abridged.

Class Management Note:

Note for page 16-10

Question: What is a role? Try to elicit answers from the students.

Answer: See the next slide for the answer.

PowerPoint: The top slide on page 16-10 contains the build feature.

Roles

Class Management Note:

Discuss the following four points about roles:

1. Named groups of related privileges
2. Can be granted to users
3. Simplify the process of granting and revoking privileges
4. Created by a DBA

Creating and Assigning a Role

First, the DBA must create the role. Then, the DBA can assign privileges to the role and users to the role.

Syntax

CREATE ROLE role;

where: role is the name of the role to be created

Now that the role is created, the DBA can use the GRANT command to assign users to the role as well as assign privileges to the role.
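The following script is an added example, not part of the Oracle courseware, showing how a DBA would put the CREATE USER, CREATE ROLE and GRANT statements above together so that system privileges are managed through roles rather than per user. The user names, role names and password are assumptions.

```sql
-- Added example (not from the lesson): provisioning accounts through roles.
-- User names alice and bob, the role names and the password are assumptions.

-- 1. Create the accounts. A freshly created user holds no system privileges,
--    so it cannot even connect until something grants CREATE SESSION.
CREATE USER alice IDENTIFIED BY example_pw_change_me;
CREATE USER bob   IDENTIFIED BY example_pw_change_me;

-- 2. Bundle the typical developer privileges from the table above into a role.
CREATE ROLE app_developer;
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE,
      CREATE VIEW, CREATE PROCEDURE
   TO app_developer;

-- 3. A narrower role for accounts that only need to connect and use objects
--    other users grant to them; they get no CREATE privileges at all.
CREATE ROLE app_reader;
GRANT CREATE SESSION TO app_reader;

-- 4. Assign each user the role that matches the work they actually do.
GRANT app_developer TO alice;
GRANT app_reader    TO bob;

-- 5. Changing what a whole group may do is one statement against the role,
--    not one GRANT or REVOKE per user. Every holder of app_developer loses
--    CREATE PROCEDURE here; alice's own account is never touched directly.
REVOKE CREATE PROCEDURE FROM app_developer;

-- 6. Off-boarding: dropping the user removes its role and privilege grants.
DROP USER bob;
```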

Changing Your Password

Every user has a password that is initialized by the DBA when the user is created. You can change your password by using the ALTER USER command.

Syntax

ALTER USER user IDENTIFIED BY password;

where: user is the name of the user

Note: Although this command can be used to change your password, there are many other options. You must have the ALTER USER privilege to change any other option.

For more information, see Oracle7 Server SQL Reference, Release 7.3, “ALTER USER.”

Granting Object Privileges

The DBA can allow users to perform a particular action on a specific table, view, sequence, or stored procedure by granting them object privileges. The object privileges vary from object to object. The table on the facing page outlines the privileges. An object owner has all privileges on the object. To give another user access to your database objects, execute the GRANT command.

Syntax

GRANT {object_priv [, object_priv ...] | ALL} [(columns)]
ON object
TO {user [, user ...] | role | PUBLIC}
[WITH GRANT OPTION];

where: object_priv is an object privilege to be granted
       ALL grants all object privileges
       columns specifies the column(s) from a table or view on which privileges are granted
       ON object is the object on which the privileges are granted
       TO identifies to whom the privilege is granted
       PUBLIC grants object privileges to all users
       WITH GRANT OPTION allows the grantee to grant the object privileges to other users and roles

Note: A procedure refers to standalone procedures and functions, and public package constructs. The INDEX and REFERENCES privileges cannot be granted to a role.

For more information, see Oracle7 Server SQL Reference, Release 7.3, “GRANT.”

Granting Object Privileges continued

Class Management Note:

If a statement does not use the full name of an object, then the Oracle7 Server implicitly prefixes the object name with the current user’s name (or schema). If user Scott queries the S_DEPT table, then the system will SELECT from table SCOTT.S_DEPT.

If a statement does not use the full name of an object, and the current user does not own an object of that name, then the system will prefix the object name with PUBLIC. For example, if user Scott queries the USER_OBJECTS table, and Scott does not own such a table, then the system will SELECT from the data dictionary view by way of the PUBLIC.USER_OBJECTS public synonym.

Granting Object Privileges continued

The WITH GRANT OPTION Keyword

A privilege that is granted WITH GRANT OPTION can be passed on to other users and roles by the grantee. Object privileges granted WITH GRANT OPTION are revoked when the grantor’s privilege is revoked.

The PUBLIC Keyword

An owner of a table can grant access to all users by using the PUBLIC keyword.

Confirming Privileges Granted

If you attempt to perform an unauthorized operation, for example, deleting a row from a table for which you do not have the DELETE privilege, the Oracle7 Server will not permit the operation to take place.

If you receive the Oracle7 Server error message “table or view does not exist,” you have done either of the following:

• Named a table or view that does not exist
• Attempted to perform an operation on a table or view for which you do not have the appropriate privilege

What Privileges Do You Have?

You can access the data dictionary to view the privileges you have

Data Dictionary Table   Description
ROLE_SYS_PRIVS          System privileges granted to roles
ROLE_TAB_PRIVS          Table privileges granted to roles
USER_ROLE_PRIVS         Roles accessible by the user
USER_TAB_PRIVS_MADE     Object privileges granted on the user’s objects
USER_TAB_PRIVS_RECD     Object privileges granted to the user
USER_COL_PRIVS_MADE     Object privileges granted on the columns of the user’s objects
USER_COL_PRIVS_RECD     Object privileges granted to the user on specific columns
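The queries below are an added example, not part of the lesson, showing how a user reviews the views in the table above to check what has been granted and what could be passed on further. The column names are the standard ones of these dictionary views and the role name APP_DEVELOPER is an assumption.

```sql
-- Added example (not from the lesson): reviewing grants through the
-- data dictionary. Column names are the standard ones for these views;
-- the role name APP_DEVELOPER is an assumption.

-- Which roles do I hold, and do any of them carry the ADMIN OPTION?
SELECT granted_role, admin_option
  FROM user_role_privs;

-- Which system privileges does a given role actually bundle?
-- Oracle stores identifiers in upper case, so the literal is upper case.
SELECT role, privilege
  FROM role_sys_privs
 WHERE role = 'APP_DEVELOPER'
 ORDER BY privilege;

-- Object privileges I have handed out on my own objects that deserve a look:
-- GRANTABLE = 'YES' means the grantee got WITH GRANT OPTION and can pass the
-- privilege on; GRANTEE = 'PUBLIC' means every account in the database has it.
SELECT table_name, grantee, privilege, grantable
  FROM user_tab_privs_made
 WHERE grantee = 'PUBLIC' OR grantable = 'YES'
 ORDER BY table_name, grantee;

-- Privileges other users have granted to me, including who granted them,
-- so I know whose REVOKE would take them away again.
SELECT owner, table_name, grantor, privilege
  FROM user_tab_privs_recd
 ORDER BY owner, table_name;

-- Column-level grants on my objects (for example UPDATE on a single column).
SELECT table_name, column_name, grantee, privilege
  FROM user_col_privs_made
 ORDER BY table_name, column_name;
```

Running the third query before and after a GRANT or REVOKE is the quickest way to confirm that the statement did what you intended.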

Revoking Object Privileges

Remove privileges granted to other users by using the REVOKE command. When you use the REVOKE command, the privileges you specify are revoked from the users you name, and from any other users to whom those privileges may have been granted.

where: CASCADE CONSTRAINTS is required to remove any referential integrity constraints made to the object by means of the

For more information, see Oracle7 Server SQL Reference, Release 7.3, “REVOKE.”

Technical Note:

If a user is granted a privilege WITH GRANT OPTION, then that user can also grant the privilege WITH GRANT OPTION, so that a long chain of grantees is possible, but no circular grants are permitted. If the owner revokes a privilege from a user who granted the privilege to other users, then the REVOKE cascades to all privileges granted.

For example, if user A grants SELECT privilege on a table to user B including the WITH GRANT OPTION, then user B can grant to user C the SELECT privilege WITH GRANT OPTION, and user C can then grant to user D the SELECT privilege. If user A then revokes the privilege from user B, then the privileges granted to users C and D are also revoked.
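The chain A, B, C, D from the technical note, written out as the statements each user would run, is an added example and not part of the lesson. The user names a, b, c and d and the table a.s_emp are assumptions; the comments say which session runs each statement.

```sql
-- Added example (not from the lesson): a WITH GRANT OPTION chain and the
-- cascading REVOKE that unwinds it. Users a, b, c, d and the table a.s_emp
-- are assumptions.

-- Connected as A, the owner of S_EMP:
GRANT SELECT     ON s_emp TO b WITH GRANT OPTION;
GRANT REFERENCES ON s_emp TO b;

-- Connected as B: B may pass SELECT on, and may pass the grant option too.
GRANT SELECT ON a.s_emp TO c WITH GRANT OPTION;

-- Connected as C: C passes on SELECT only, so D cannot grant it any further.
GRANT SELECT ON a.s_emp TO d;

-- Connected as D: this works at this point in the chain.
SELECT * FROM a.s_emp;

-- Connected as A again: revoking from B cascades to C and D, because every
-- grant below B depended on B's grantable privilege.
REVOKE SELECT ON s_emp FROM b;

-- Connected as D again: this now fails with "table or view does not exist"
-- (ORA-00942), which is how the Oracle7 Server reports a missing privilege.
SELECT * FROM a.s_emp;

-- Connected as A: if B used the REFERENCES privilege to build a foreign key
-- against S_EMP, the revoke must also drop that constraint, which is what
-- CASCADE CONSTRAINTS is for; without it the REVOKE is rejected.
REVOKE REFERENCES ON s_emp FROM b CASCADE CONSTRAINTS;
```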

Class Management Note:

A common use of synonyms is to run an application against a set of test tables. Then, when testing is completed, a set of synonyms can be defined or redefined, directing the application to run against production tables.

An object need not currently exist, and you need not have privileges to access the object when creating the synonym.

Creating a Synonym for an Object

To refer to a table owned by another user, you need to prefix the table name with the name of the user who created it, followed by a period. Creating a synonym eliminates the need to qualify the object name with the schema, and provides you with an alternative name for a table, view, sequence, procedure, or other object. This method can be especially useful with lengthy object names, such as views.

Syntax

CREATE [PUBLIC] SYNONYM synonym
FOR object;

where: PUBLIC creates a synonym accessible to all users
       synonym is the name of the synonym to be created
       object identifies the object for which the synonym is created

Guidelines

• The object cannot be contained in a package
• A private synonym name must be distinct from all other objects owned by the same user

Example

As user Scott, create a private synonym named S_DEPT for Alice’s S_DEPT table.

SQL> CREATE SYNONYM s_dept
  2  FOR alice.s_dept;

Synonym created.

For more information, see Oracle7 Server SQL Reference, Release 7.3, “CREATE SYNONYM.”

Creating a Synonym for an Object continued

Examples

Create a synonym for DEPT_SUM_VU for quicker reference.

SQL> CREATE SYNONYM d_sum
  2  FOR dept_sum_vu;

Synonym created.

The DBA can create a public synonym accessible to all users

SQL> CREATE PUBLIC SYNONYM s_dept

For more information, see Oracle7 Server SQL Reference, Release 7.3, “DROP SYNONYM.”

Technical Note:

In the Oracle7 Server, the DBA can specifically grant the CREATE PUBLIC SYNONYM privilege to any user, allowing that user to create public synonyms.

Summary

DBAs establish initial database security for users by assigning privileges to the users.

• The DBA creates users, who must have a password. The DBA is also responsible for establishing the initial system privileges for a user.
• Once the user has created an object, the user can pass along any of the available object privileges to other users or to all users by using the GRANT command.
• A DBA can create roles by using the CREATE ROLE command to pass along a collection of system or object privileges to multiple users. Roles make granting and revoking privileges easier to maintain.
• Users can change their password by using the ALTER USER command.
• You can remove privileges from users by using the REVOKE command.
• DBAs can create public synonyms, and users can create private synonyms for convenience by using the CREATE SYNONYM command. They permit short names or alternative names for objects. Remove synonyms by using the DROP SYNONYM command.
• Data dictionary views allow users to view the privileges granted to them and those granted on their objects.

Practice Overview

Team up with other students for this exercise on controlling database object access.

Practice Contents

• Granting other users privileges to your table
• Modifying another user’s table through the privileges granted to you
• Creating a synonym
• Querying the data dictionary views related to privileges

Class Management Note:

Duration: 20 minutes

Pair up terminals so that one set of students can work with another set in this practice.


Practice 16

1. What privilege should a user be given to log in to the Oracle7 Server? Is this privilege a system or object privilege?

2. What privilege should a user be given to create tables?

3. If you create a table, who can pass along privileges to other users on your table?

4. You are the DBA. You are creating many users who require the same system privileges. What would you use to make your job easier?

5. What command do you use to change your password?

6. Grant other users query access to your S_REGION table. Have them grant you query access to their S_REGION table.

7. Query all the rows in your S_REGION table.

8. Add a new row to your S_REGION table. Team 1 should add Central America as region number 6. Team 2 should add Micronesia as region number 7. Make the changes permanent.

9. Query the other team’s S_REGION table.

10. Create a synonym for the other team’s S_REGION table.

11. Display the other team’s S_REGION table contents by using your synonym.

12. Confirm the privileges for your team’s tables.

13. Revoke the SELECT privilege from the other team.

14. Attempt to SELECT from the other team’s S_REGION table.

15. Drop the synonym you created.

Posted: 17/01/2014, 09:20
