- Creating and managing user accounts
- Granting and revoking user privileges
- Creating and managing roles
- Creating and managing user profiles
- Security management principles: the principle of least privilege
- Database auditing
Creating and managing user accounts
Account properties: username, authentication method, default tablespace, tablespace quota, temporary tablespace, profile, account status.
Username: at most 30 characters (letters, digits, $ and _). A username cannot be changed after the user is created.
create user pan identified by pw44wo$d;
Default tablespace and quota
select username, default_tablespace, temporary_tablespace from dba_users where username = 'PAN';   -- names are stored in upper case, so 'pan' would return no rows
alter user pan quota 10m on users;
alter user pan quota unlimited on example;
select tablespace_name, bytes, max_bytes from dba_ts_quotas where username = 'PAN';   -- max_bytes = -1 means unlimited
select property_name, property_value from database_properties where property_name like '%TABLESPACE';   -- database-wide default permanent and temporary tablespaces
alter user pan temporary tablespace temp;   -- no quota is set on a temporary tablespace; quotas apply only to permanent tablespaces
Account status (dba_users.account_status): OPEN / LOCKED / EXPIRED / EXPIRED & LOCKED / EXPIRED(GRACE) / LOCKED(TIMED) / EXPIRED & LOCKED(TIMED) / EXPIRED(GRACE) & LOCKED(TIMED)
alter user pan account lock;
alter user pan password expire;
Authentication methods
grant [sysdba | sysoper] to username;   -- password file authentication: the grant is recorded in the password file
select * from v$pwfile_users;   -- lists the users that have been granted sysdba / sysoper
connect username/password[@db_alias] as [sysdba | sysoper]   -- password file authentication
connect / as [sysdba | sysoper]   -- operating system authentication: no password, membership in the OS dba / oper group is checked instead
connect username/password[@db_alias]   -- password authentication
select value from v$parameter where name = 'os_authent_prefix';   -- value OPS$: the prefix prepended to the OS user name for externally identified accounts
create user ops$pan identified externally;
grant create session to ops$pan;
sqlplus /   -- Linux: external authentication logon as OS user pan, no password
create user "OPS$TT\PAN" identified externally;   -- Windows external authentication logon: TT is the domain name, pan is the account
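The following is an added review script, not part of the original notes, that audits the authentication paths described above: password-file administrators, OS-authenticated accounts and the remote OS authentication setting. It assumes a DBA session on 11g or later (dba_users.authentication_type exists) and that the accounts ops$pan and "OPS$TT\PAN" are ours to create.

```sql
-- Added example (not from the original notes): review how accounts can authenticate.
-- Assumed: connected as a DBA on Oracle 11g or later.

-- 1. Who can connect AS SYSDBA / AS SYSOPER through the password file?
select username, sysdba, sysoper from v$pwfile_users;

-- 2. Which prefix ties an externally identified database user to an OS user name?
select value from v$parameter where name = 'os_authent_prefix';   -- usually OPS$

-- 3. Accounts that bypass the database password entirely (authenticated by the OS).
select username, account_status, created
  from dba_users
 where authentication_type = 'EXTERNAL'
 order by username;

-- 4. remote_os_authent = TRUE would trust an OS user name sent by a remote client,
--    so anyone who controls a client machine could log in as ops$pan.
--    It must be FALSE (the parameter is deprecated since 11g for this reason).
select name, value from v$parameter where name = 'remote_os_authent';

-- 5. Create the OS-authenticated accounts. An unquoted name is upper-cased,
--    so ops$pan becomes OPS$PAN, which is what Oracle derives from OS user "pan".
create user ops$pan identified externally;
grant create session to ops$pan;
-- shell, as OS user pan:   sqlplus /

--    Windows domain account TT\pan: the quoted name must be exactly prefix + DOMAIN\USER.
create user "OPS$TT\PAN" identified externally;
grant create session to "OPS$TT\PAN";

-- 6. Confirm both are listed as EXTERNAL and hold nothing beyond CREATE SESSION.
select u.username, u.authentication_type, p.privilege
  from dba_users u
  left join dba_sys_privs p on p.grantee = u.username
 where u.username in ('OPS$PAN', 'OPS$TT\PAN')
 order by u.username, p.privilege;
```

Run step 1 and step 3 on a schedule: an unexpected row in v$pwfile_users or a new EXTERNAL account is a privilege change that did not go through a password.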
Account management
create user pan identified by tiger default tablespace users temporary tablespace temp quota 100m on users quota unlimited on example profile developer_profile password expire account unlock;   -- the profile developer_profile must already exist
alter user pan profile product_profile;
drop user pan cascade;   -- cascade also drops the objects owned by pan
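The following is an added worked example, not part of the original notes, that carries the account properties above through a complete lifecycle: a password profile, a least-privilege account, the verification queries and offboarding. It assumes a DBA session, tablespaces USERS, EXAMPLE and TEMP, and that developer_profile is ours to create; the profile limits are illustrative values.

```sql
-- Added example (not from the original notes): least-privilege account lifecycle.
-- Assumed: DBA session; tablespaces USERS / EXAMPLE / TEMP exist; profile name is ours.

-- 1. A profile that slows brute force and forces rotation (values are illustrative).
--    Password limits are always enforced; sessions_per_user needs resource_limit = true.
create profile developer_profile limit
  failed_login_attempts  5
  password_lock_time     1/24        -- lock for one hour after 5 failures
  password_life_time     90
  password_grace_time    7
  password_reuse_max     10
  password_reuse_time    365
  sessions_per_user      3;

-- 2. The account: write quota only where it needs one, none on TEMP.
create user pan identified by pw44wo$d
  default tablespace users
  temporary tablespace temp
  quota 100m on users
  quota unlimited on example
  profile developer_profile
  password expire            -- first login must set a new password
  account unlock;

-- 3. Least privilege: just enough to log in and own its objects.
grant create session, create table, create view, create sequence to pan;

-- 4. Verify what was actually set (DBA views hold names in upper case).
select username, account_status, default_tablespace, temporary_tablespace, profile
  from dba_users where username = 'PAN';
select tablespace_name, bytes, max_bytes        -- max_bytes = -1 means unlimited
  from dba_ts_quotas where username = 'PAN';
select privilege, admin_option from dba_sys_privs where grantee = 'PAN';
select resource_name, limit from dba_profiles
 where profile = 'DEVELOPER_PROFILE' and resource_type = 'PASSWORD';

-- 5. Offboarding: lock first, because locking does not end sessions already open.
alter user pan account lock;
select sid, serial# from v$session where username = 'PAN';   -- terminate these if any
drop user pan cascade;   -- cascade also drops every object in the PAN schema
```

The verification step matters because each property can silently fall back to a database default (no profile clause means DEFAULT, no quota means no write access), so the dba_users and dba_ts_quotas rows are the record of what the account can do, not the CREATE USER statement you think you ran.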
Granting and revoking user privileges
Terms: grant, revoke, grantor (the user who gives a privilege), grantee (the user who receives it).
System privileges (revoking does not cascade: a privilege the grantee passed on with admin option stays with the third party)
create session
restricted session
alter database
alter system
create tablespace
create table
grant any object privilege
create any table
drop any table
insert any table/update any table/delete any table
select any table
grant create session, alter session, create table, create view, create synonym, create cluster, create database link, create sequence, create trigger, create type, create procedure, create operator to username with admin option;   -- with admin option allows the grantee to pass the privilege on to a third party; granted system privileges are listed in dba_sys_privs
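The following is an added demonstration, not part of the original notes, of what WITH ADMIN OPTION allows and of the non-cascading revoke mentioned above, followed by the two review queries a DBA would run to find who can hand out system privileges. It assumes a DBA session and that the users alice and bob are ours to create.

```sql
-- Added example (not from the original notes): ADMIN OPTION and non-cascading revoke.
-- Assumed: DBA session; users alice and bob do not exist yet.
create user alice identified by alice_pw1;
create user bob   identified by bob_pw1;
grant create session to alice, bob;

-- DBA -> alice, transferable
grant create table to alice with admin option;

-- in SQL*Plus:  connect alice/alice_pw1
-- alice -> bob, possible only because alice holds the privilege WITH ADMIN OPTION
grant create table to bob;

-- in SQL*Plus:  connect / as sysdba
revoke create table from alice;

-- Revocation of a system privilege stops at the direct grantee: bob keeps it.
select grantee, privilege, admin_option
  from dba_sys_privs
 where privilege = 'CREATE TABLE' and grantee in ('ALICE', 'BOB');
-- expected: one row, BOB

-- Review 1: who can pass system privileges on (should be a very short list)
select grantee, privilege
  from dba_sys_privs
 where admin_option = 'YES'
   and grantee not in ('SYS', 'SYSTEM', 'DBA')
 order by grantee, privilege;

-- Review 2: ANY privileges reach every schema, so they are DBA-level by nature
select grantee, privilege
  from dba_sys_privs
 where privilege like '% ANY %'
   and grantee not in ('SYS', 'SYSTEM', 'DBA')
 order by grantee, privilege;

-- cleanup
drop user bob;
drop user alice;
```

Because the revoke does not follow the chain, cleaning up a leaked system privilege means querying dba_sys_privs for every grantee that holds it, not only the user you originally granted it to.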
Object privileges (revoking cascades)
ANY privileges (for example SELECT ANY TABLE) apply to every object of that type in every schema in the database; they are system privileges, not object privileges.
Column-level grants are a poor approach: when a user must be restricted to specific columns, create a view that exposes only those columns and grant on the view instead.
SELECT / INSERT / UPDATE / DELETE on table and view; SELECT on sequence
ALTER on table and sequence
EXECUTE on procedure / function / package / synonym
grant select on store.customers to scott;
grant update (order_status) on store.orders to scott;
grant <privilege> on store.regions to scott with grant option;   -- with grant option allows scott to pass the object privilege on to a third party (grants are listed in dba_tab_privs)
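The following is an added worked example, not part of the original notes, that shows the view-instead-of-column-grant practice, GRANT OPTION, and the cascading revoke described above. It assumes a DBA session, that the schema store and the user scott exist, and that the table store.customers and the user tom are ours to create; the table and its columns are constructed for the example.

```sql
-- Added example (not from the original notes): object privileges and cascading revoke.
-- Assumed: DBA session; schema STORE and user SCOTT exist; TOM and the table are ours.
create user tom identified by tom_pw1;
grant create session to scott, tom;

-- Constructed sample table; card_number is the column reporting users must not see.
create table store.customers (
  customer_id  number primary key,
  name         varchar2(100),
  email        varchar2(200),
  card_number  varchar2(19)
);

-- Column-level SELECT is not supported by Oracle (only INSERT, UPDATE and REFERENCES
-- can be granted per column), so the statement below fails:
-- grant select (name, email) on store.customers to scott;

-- Better: a view that exposes only the needed columns, and the grant goes on the view.
create view store.customers_contact as
  select customer_id, name, email from store.customers;
grant select on store.customers_contact to scott with grant option;

-- in SQL*Plus:  connect scott/<password>
-- scott can pass the privilege on only because of GRANT OPTION
grant select on store.customers_contact to tom;

-- in SQL*Plus:  connect / as sysdba
-- Column-level grant where it is supported: tom may change one column only.
grant update (email) on store.customers to tom;

-- Who holds what, and who granted it (the grantor column shows the chain)
select grantee, grantor, privilege, grantable
  from dba_tab_privs
 where owner = 'STORE' and table_name in ('CUSTOMERS', 'CUSTOMERS_CONTACT')
 order by table_name, grantee;
select grantee, table_name, column_name, privilege
  from dba_col_privs
 where owner = 'STORE';

-- Object privilege revocation cascades: removing scott's grant removes tom's too.
revoke select on store.customers_contact from scott;
select grantee from dba_tab_privs
 where owner = 'STORE' and table_name = 'CUSTOMERS_CONTACT';
-- expected: no rows

-- cleanup
revoke update (email) on store.customers from tom;
drop view store.customers_contact;
drop table store.customers;
drop user tom;
```

The view also keeps the restriction in one place: adding a sensitive column to store.customers later changes nothing for scott or tom, whereas a SELECT granted on the table would have exposed it immediately.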