系统权限
用户管理需要权限,因此我们用SYS用户进行相关操作
create user tom identified by tom;刚创建好的用户是不能使用的,需要授予相应的权限
授予tom创建会话的权限(连接数据库)
grant create session to tom;再创建一个用户
create user jerry identified by jerry;grant create session to tom with admin option带有WITH ADMIN OPTION属性可以将被授予用户的权限授予他人。
这样我们可以用tom用户给jerry授权
conn tom/tomgrant create session to jerry;revoke create session from tom;虽然tom的授权被取消,但是jerry还是有CREATE SESSION权限
grant create session to tom;对象权限
授予tom查看表的权限
grant select on scott.emp to tom;如果希望tom拥有级联授权,可以加WITH GRANT OPTION
grant select on scott.emp to tom with grant option;revoke create session from tom,jerry;这是tom用户也可以吧查询权限授予给jerry,如果取消tom用户的对象权限,那么jerry查看对象权限也将消失,系统权限回收无级联,但是对象权限回收有级联。
角色是一组权限的逻辑集合,我们会吧用户需要的权限授予给角色,然后将角色授予用户,用角色的方式管理权限。
创建三个角色
create role r1;
create role r2;
create role r3;给角色授权
grant create session,create table to r1;grant create view to r2;grant create any table to r3;grant r2 to r1;grant r1 to tom;conn tom/tomselect * from session_privs;PRIVILEGE
----------------------------------------
CREATE SESSION
CREATE TABLE
CREATE VIEW
Elapsed: 00:00:00.00select * from session_roles;ROLE
------------------------------
R1
R2
Elapsed: 00:00:00.00grant r3 to tom;对于刚被授予的权限,在当前会话是不生效的,因此我们重新连接tom用户
conn tom/tomselect * from session_privs;PRIVILEGE
----------------------------------------
CREATE SESSION
CREATE TABLE
CREATE ANY TABLE
CREATE VIEW
Elapsed: 00:00:00.00select * from session_roles;ROLE
------------------------------
R1
R2
R3
Elapsed: 00:00:00.00权限的动态管理
用户的默认角色是指赋予用户的角色,如果把角色设置为非默认角色,则角色不可见,而且不会被删除
alter user tom default role all except r3;conn tom/tomselect * from session_roles;ROLE
------------------------------
R1
R2
Elapsed: 00:00:00.00如果想使用r3角色的权限,可以激活角色
set role all;select * from session_roles;ROLE
------------------------------
R1
R2
R3
Elapsed: 00:00:00.00用户的资源管理
create table t01(x int);insert into t01 values(1);insert into t01 values(1)
*
ERROR at line 1:
ORA-01950: no privileges on tablespace 'USERS'
Elapsed: 00:00:00.02报错信息提示users表空间权限问题,实际上是tom用户无法使用users表空间上面的空间份额
我们先查下数据库的默认永久表空间
select * from database_properties where rownum<4;PROPERTY_NAME PROPERTY_VALUE DESCRIPTION
------------------------------ ------------------------------ ----------------------------------------
DICT.BASE 2 dictionary base tables version #
DEFAULT_TEMP_TABLESPACE TEMP Name of default temporary tablespace
DEFAULT_PERMANENT_TABLESPACE USERS Name of default permanent tablespace
Elapsed: 00:00:00.00给用户分配配额
alter user tom quota 1m on users;查看用户能够使用多少配额
select * from dba_ts_quotas;TABLESPACE_NAME USERNAME BYTES MAX_BYTES BLOCKS MAX_BLOCKS DRO
-------------------- ------------------------------ ---------- ---------- ---------- ---------- ---
SYSAUX OLAPSYS 7667712 -1 936 -1 NO
SYSAUX SYSMAN 48168960 -1 5880 -1 NO
SYSAUX FLOWS_FILES 0 -1 0 -1 NO
USERS TOM 0 1048576 0 128 NO
SYSAUX APPQOSSYS 0 -1 0 -1 NO
Elapsed: 00:00:00.02这里面显示-1份额的意思是没有配额
查看用户的默认表空间
select default_tablespace,temporary_tablespace from dba_users where username='TOM';DEFAULT_TABLESPACE TEMPORARY_TABLESPACE
------------------------------ ------------------------------
USERS TEMP
Elapsed: 00:00:00.02查看数据库的表空间
select name from v$tablespace;NAME
------------------------------
SYSTEM
SYSAUX
UNDOTBS1
USERS
TEMP
EXAMPLE
UNDO02
TEMP02
8 rows selected.
Elapsed: 00:00:00.03我们修改tom用户的表空间
alter user tom default tablespace example temporary tablespace temp02;select default_tablespace,temporary_tablespace from dba_users where username='TOM';DEFAULT_TABLESPACE TEMPORARY_TABLESPACE
------------------------------ ------------------------------
EXAMPLE TEMP02
Elapsed: 00:00:00.01用户口令安全
查看概要文件
select * from dba_profiles order by 1;PROFILE RESOURCE_NAME RESOURCE LIMIT
------------------------------ -------------------------------- -------- ----------------------------------------
DEFAULT COMPOSITE_LIMIT KERNEL UNLIMITED
DEFAULT PASSWORD_LOCK_TIME PASSWORD 1
DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD NULL
DEFAULT PASSWORD_REUSE_MAX PASSWORD UNLIMITED
DEFAULT PASSWORD_REUSE_TIME PASSWORD UNLIMITED
DEFAULT PASSWORD_LIFE_TIME PASSWORD 180
DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 10
DEFAULT PRIVATE_SGA KERNEL UNLIMITED
DEFAULT CONNECT_TIME KERNEL UNLIMITED
DEFAULT IDLE_TIME KERNEL UNLIMITED
DEFAULT LOGICAL_READS_PER_CALL KERNEL UNLIMITED
DEFAULT LOGICAL_READS_PER_SESSION KERNEL UNLIMITED
DEFAULT CPU_PER_CALL KERNEL UNLIMITED
DEFAULT CPU_PER_SESSION KERNEL UNLIMITED
DEFAULT SESSIONS_PER_USER KERNEL UNLIMITED
DEFAULT PASSWORD_GRACE_TIME PASSWORD 7
MONITORING_PROFILE PASSWORD_GRACE_TIME PASSWORD DEFAULT
MONITORING_PROFILE COMPOSITE_LIMIT KERNEL DEFAULT
MONITORING_PROFILE PASSWORD_REUSE_TIME PASSWORD DEFAULT
MONITORING_PROFILE IDLE_TIME KERNEL DEFAULT
MONITORING_PROFILE PASSWORD_VERIFY_FUNCTION PASSWORD DEFAULT
MONITORING_PROFILE LOGICAL_READS_PER_CALL KERNEL DEFAULT
MONITORING_PROFILE PASSWORD_LIFE_TIME PASSWORD DEFAULT
MONITORING_PROFILE LOGICAL_READS_PER_SESSION KERNEL DEFAULT
MONITORING_PROFILE PASSWORD_LOCK_TIME PASSWORD DEFAULT
MONITORING_PROFILE CPU_PER_CALL KERNEL DEFAULT
MONITORING_PROFILE FAILED_LOGIN_ATTEMPTS PASSWORD UNLIMITED
MONITORING_PROFILE CPU_PER_SESSION KERNEL DEFAULT
MONITORING_PROFILE PASSWORD_REUSE_MAX PASSWORD DEFAULT
MONITORING_PROFILE SESSIONS_PER_USER KERNEL DEFAULT
MONITORING_PROFILE PRIVATE_SGA KERNEL DEFAULT
MONITORING_PROFILE CONNECT_TIME KERNEL DEFAULT
32 rows selected.
Elapsed: 00:00:00.02这里面default概要文件是用户在没有指定概要文件时用的概要文件
可以创建自己的概要文件
create profile p1 limit password_life_time 1/1440;创建概要文件时,要求至少修改一个资源的参数值
select * from dba_profiles order by 1;PROFILE RESOURCE_NAME RESOURCE LIMIT
------------------------------ -------------------------------- -------- ----------------------------------------
DEFAULT PASSWORD_REUSE_MAX PASSWORD UNLIMITED
DEFAULT FAILED_LOGIN_ATTEMPTS PASSWORD 10
DEFAULT IDLE_TIME KERNEL UNLIMITED
DEFAULT SESSIONS_PER_USER KERNEL UNLIMITED
DEFAULT PRIVATE_SGA KERNEL UNLIMITED
DEFAULT LOGICAL_READS_PER_CALL KERNEL UNLIMITED
DEFAULT PASSWORD_LOCK_TIME PASSWORD 1
DEFAULT PASSWORD_GRACE_TIME PASSWORD 7
DEFAULT CPU_PER_SESSION KERNEL UNLIMITED
DEFAULT PASSWORD_REUSE_TIME PASSWORD UNLIMITED
DEFAULT COMPOSITE_LIMIT KERNEL UNLIMITED
DEFAULT CPU_PER_CALL KERNEL UNLIMITED
DEFAULT PASSWORD_LIFE_TIME PASSWORD 180
DEFAULT PASSWORD_VERIFY_FUNCTION PASSWORD NULL
DEFAULT LOGICAL_READS_PER_SESSION KERNEL UNLIMITED
DEFAULT CONNECT_TIME KERNEL UNLIMITED
MONITORING_PROFILE CONNECT_TIME KERNEL DEFAULT
MONITORING_PROFILE IDLE_TIME KERNEL DEFAULT
MONITORING_PROFILE LOGICAL_READS_PER_CALL KERNEL DEFAULT
MONITORING_PROFILE LOGICAL_READS_PER_SESSION KERNEL DEFAULT
MONITORING_PROFILE CPU_PER_CALL KERNEL DEFAULT
MONITORING_PROFILE CPU_PER_SESSION KERNEL DEFAULT
MONITORING_PROFILE SESSIONS_PER_USER KERNEL DEFAULT
MONITORING_PROFILE COMPOSITE_LIMIT KERNEL DEFAULT
MONITORING_PROFILE PASSWORD_GRACE_TIME PASSWORD DEFAULT
MONITORING_PROFILE PASSWORD_LOCK_TIME PASSWORD DEFAULT
MONITORING_PROFILE PASSWORD_VERIFY_FUNCTION PASSWORD DEFAULT
MONITORING_PROFILE PASSWORD_REUSE_MAX PASSWORD DEFAULT
MONITORING_PROFILE PASSWORD_REUSE_TIME PASSWORD DEFAULT
MONITORING_PROFILE PASSWORD_LIFE_TIME PASSWORD DEFAULT
MONITORING_PROFILE FAILED_LOGIN_ATTEMPTS PASSWORD UNLIMITED
MONITORING_PROFILE PRIVATE_SGA KERNEL DEFAULT
P1 LOGICAL_READS_PER_SESSION KERNEL DEFAULT
P1 CONNECT_TIME KERNEL DEFAULT
P1 PASSWORD_LOCK_TIME PASSWORD DEFAULT
P1 CPU_PER_CALL KERNEL DEFAULT
P1 PASSWORD_REUSE_MAX PASSWORD DEFAULT
P1 PASSWORD_GRACE_TIME PASSWORD DEFAULT
P1 CPU_PER_SESSION KERNEL DEFAULT
P1 SESSIONS_PER_USER KERNEL DEFAULT
P1 PASSWORD_LIFE_TIME PASSWORD .0006
P1 LOGICAL_READS_PER_CALL KERNEL DEFAULT
P1 COMPOSITE_LIMIT KERNEL DEFAULT
P1 FAILED_LOGIN_ATTEMPTS PASSWORD DEFAULT
P1 IDLE_TIME KERNEL DEFAULT
P1 PASSWORD_VERIFY_FUNCTION PASSWORD DEFAULT
P1 PRIVATE_SGA KERNEL DEFAULT
P1 PASSWORD_REUSE_TIME PASSWORD DEFAULT
48 rows selected.
Elapsed: 00:00:00.01select profile from dba_users where username='TOM';PROFILE
------------------------------
DEFAULT
Elapsed: 00:00:00.02修改用户tom的profile
alter user tom profile p1;select profile,account_status from dba_users where username='TOM';PROFILE ACCOUNT_STATUS
------------------------------ --------------------------------
P1 OPEN
Elapsed: 00:00:00.01这个时候状态是open,我们再用tom用户登录一次
conn tom/tomERROR:
ORA-28002: the password will expire within 7 days
Connected.select profile,account_status from dba_users where username='TOM';PROFILE ACCOUNT_STATUS
------------------------------ --------------------------------
P1 EXPIRED(GRACE)
Elapsed: 00:00:00.02现在是处于已过期,还处在宽限期
我们修改一下宽限期,改成1分钟
alter profile p1 limit password_grace_time 1/1440;这样用户在登录后,宽限期1分钟后,将会被要求修改密码
conn tom/tomERROR:
ORA-28001: the password has expired
Changing password for tom修改用户的资源配置,首先修改参数
alter system set resource_limit=true;alter profile p1 limit sessions_per_user 2;