Oracle 11g OCP notes (6) -- Oracle security

1. Create and manage accounts

User, user account, schema: the three terms are often used interchangeably, but they are not identical.
    A user connects to a user account by establishing a session to the instance, logging in with the user account name.
    A schema is the set of objects owned by a user account.

 

Properties of a user account:
    username
    authentication method
    default tablespace
    tablespace quota
    temporary tablespace
    user profile
    account status

1) Username: must start with a letter and may contain only letters, digits, the dollar sign $ and the underscore _; it cannot be a reserved word; letters are converted to uppercase automatically; a name that does not follow these rules must be enclosed in double quotation marks; maximum 30 characters. Once created, a username cannot be changed.
    Authentication method: see the "Authentication methods" section below.

2) Default tablespace: if none is specified for the user, the database default tablespace is used; if the database has no default tablespace set, the SYSTEM tablespace is used.

    alter database default tablespace tablespace_name; -- change the default tablespace of the database
    alter user username default tablespace tablespace_name; -- change the default tablespace of a user account

3) Quota: select username,default_tablespace,temporary_tablespace from dba_users;

    alter user username quota 100M on tablespace_name;
    alter user username quota unlimited on tablespace_name;

4) Temporary tablespace
    alter user username temporary tablespace tablespace_name; -- change the user's temporary tablespace. Users do not need a quota on a temporary tablespace.

5) Profile (see section 7)

6) Account status (dba_users.account_status)
      OPEN: open
      LOCKED: locked
      EXPIRED: password expired
      EXPIRED & LOCKED: expired and locked
      EXPIRED(GRACE): password expired normally; within the grace period the user can still log in and change the password
      LOCKED(TIMED): locked because of failed login attempts (temporary lock)
      EXPIRED & LOCKED(TIMED): expired and temporarily locked
      EXPIRED(GRACE) & LOCKED(TIMED): expired normally (in the grace period) and temporarily locked

      alter user username account lock; -- lock the account
      alter user username account unlock; -- unlock the account
      alter user username password expire; -- force the user to change the password at the next login
      alter user username identified by password; -- change the user's password
      alter user username identified by values 'hash'; -- change the user's password by setting the stored (hashed) value directly

Authentication methods:
    Password authentication (username and password compared against the data dictionary)
    Operating system authentication
    Password file authentication

(1) Operating system and password file authentication
    To enable operating system or password file authentication (the two go together), the user must be granted the SYSDBA or SYSOPER privilege:
    grant [sysdba|sysoper] to username;
    When a user is granted either or both of these privileges, the user's password is copied from the data dictionary to the external password file, so the instance can read it even while the database is not open.

    select * from v$pwfile_users; -- password file users: shows which users have been granted SYSDBA or SYSOPER

    -- rebuild the password file (default location: $ORACLE_HOME/dbs/orapwSID)
    orapwd file=<fileName> password=<password> entries=<users>

    Operating system authentication:
    connect / as [sysdba|sysoper];
    Password file authentication:
    connect username/password[@db_alias] as [sysdba|sysoper];


    (2) Password authentication
    connect username/password[@db_alias];
    With password authentication the database must be open, because the instance verifies the password stored in the data dictionary.
    The SYS user is not allowed to connect with password authentication; SYS can only use password file, operating system or LDAP authentication.
    Any user can change the password of his own account at any time, and a user with sufficient privilege (such as SYSTEM) can change the password of any account.
    alter user username identified by password; -- change the user's password
    
    (3) External authentication:
    If a user account is created with external authentication, Oracle delegates authentication to an external service.
    With the Advanced Security option enabled, the available external services are a Kerberos server, a RADIUS server and Windows native authentication.
    Without the Advanced Security option, only operating system authentication can be used; it is available to ordinary users as well.

    Operating system authentication for ordinary users:
    Create an Oracle user account with the same name as the operating system user account, prefixed with ops$. The prefix is the value of the parameter os_authent_prefix (default OPS$):
    select value from v$parameter where name='os_authent_prefix';
    create user ops$username identified externally;
    grant create session to ops$username;
    Log in to Linux as username, then connect to the database as that OS user without supplying credentials:
    sqlplus /

    (4) Global authentication
    Uses an LDAP server.

1.3 Create and delete user accounts
    Create a user account:
    create user scott identified by tiger
      default tablespace users temporary tablespace temp
      quota 100m on users quota unlimited on example
      profile default
      password expire
      account unlock;

    Delete a user account (cascade also drops the objects in its schema):
    drop user scott cascade;

------------------------------------------------------

5. Grant and revoke privileges
    System privileges: allow a user to perform operations that affect the data dictionary.
    Object privileges: allow a user to perform operations that affect data.


    (1) System privileges
    Common system privileges:
    CREATE SESSION
    RESTRICTED SESSION
    ALTER DATABASE
    ALTER SYSTEM
    CREATE TABLESPACE, ALTER TABLESPACE, DROP TABLESPACE
    CREATE TABLE
    GRANT ANY OBJECT PRIVILEGE
    CREATE ANY TABLE
    DROP ANY TABLE
    INSERT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE
    SELECT ANY TABLE


    View the system privileges held by a user (grantee names are stored in uppercase):
    select privilege from dba_sys_privs where grantee='USERNAME';

    Syntax for granting and revoking system privileges:
    grant privilege[,privilege...] to username [with admin option]; -- grant privileges
    revoke privilege[,privilege...] from username; -- revoke privileges


    grant create session, alter session, create table to username;


    with admin option allows the grantee to pass the privilege on; revoking the privilege does not cascade to the users the grantee granted it to.
    connect system/oracle;
    grant create table to scott with admin option;
    connect scott/tiger;
    grant create table to username;
    connect system/oracle;
    revoke create table from scott; -- username keeps CREATE TABLE

grant select any table to scott; -- privileges containing the word ANY override normal ownership checks and are usually a bad idea (better than in earlier releases: SELECT ANY TABLE no longer gives access to tables in the SYS schema)
    
    (2) Object privileges
    SELECT: can be granted on tables, views, synonyms, sequences
    INSERT: tables, views, synonyms
    UPDATE: tables, views, synonyms
    DELETE: tables, views, synonyms
    ALTER: tables, sequences
    EXECUTE: procedures, functions, packages, synonyms


    select grantee,privilege,grantor,grantable from dba_tab_privs; -- view object privileges granted on tables


    Syntax for granting and revoking object privileges:
    grant privilege[,privilege...] on schema.object to username [with grant option]; -- grant privileges
    revoke privilege[,privilege...] on schema.object from username; -- revoke privileges


    grant select on hr.employees to scott;
    grant update(salary) on hr.employees to scott;
    grant all on hr.regions to scott;


    with grant option allows the grantee to pass the object privilege on; revoking the privilege cascades to the users the grantee granted it to.
    connect hr/hr;
    grant select on employees to scott with grant option;
    connect scott/tiger;
    grant select on hr.employees to username;
    connect hr/hr;
    revoke select on employees from scott; -- username loses SELECT on hr.employees as well
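The two revocation behaviours described above (with admin option versus with grant option) combined into one script that also checks the outcome in the data dictionary. This is an added example, not part of the original notes; it assumes the users scott and jones and the hr schema exist (jones is a constructed name), and connect without a password makes SQL*Plus prompt for it.

```sql
-- Added example: system privilege WITH ADMIN OPTION (no cascade on revoke)
-- versus object privilege WITH GRANT OPTION (cascade on revoke).
-- Assumes users SCOTT and JONES and schema HR exist; JONES is a constructed name.
CONNECT system
GRANT CREATE TABLE TO scott WITH ADMIN OPTION;
CONNECT scott
GRANT CREATE TABLE TO jones;                 -- scott passes the system privilege on
CONNECT system
REVOKE CREATE TABLE FROM scott;
-- system-privilege revocation does not cascade: JONES is still listed, SCOTT is not
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE TABLE'
   AND grantee IN ('SCOTT', 'JONES');

CONNECT hr
GRANT SELECT ON employees TO scott WITH GRANT OPTION;
CONNECT scott
GRANT SELECT ON hr.employees TO jones;       -- scott passes the object privilege on
CONNECT hr
REVOKE SELECT ON employees FROM scott;
CONNECT system
-- object-privilege revocation cascades: neither SCOTT nor JONES is listed any more
SELECT grantee, privilege, grantor, grantable
  FROM dba_tab_privs
 WHERE owner = 'HR' AND table_name = 'EMPLOYEES'
   AND grantee IN ('SCOTT', 'JONES');
```

The grantor column of dba_tab_privs is what makes the cascade visible: the row jones held was recorded with grantor SCOTT, so revoking scott's grant removes it.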

 

------------------------------------------------------------------------------------------------

 

6. Create and manage roles
    Roles are not schema objects and are not owned by anyone; they share a namespace with users, so a role and a user cannot have the same name.
    Predefined roles:
    CONNECT: only the CREATE SESSION privilege; before 11g it also held system privileges to create data storage objects.
    RESOURCE: can create data objects and procedural objects; holds the UNLIMITED TABLESPACE privilege before 12c.
    DBA: holds most system privileges, plus many object privileges and roles; can manage all aspects of the database, but cannot start up and shut down the database.
    SELECT_CATALOG_ROLE
    SCHEDULER_ADMIN
    PUBLIC: a special role granted to every user; it does not appear in the dba_roles view.

    select role from dba_roles; -- view roles
    select * from dba_role_privs; -- view role grants

-------------------------------------------------------------------------------------

 

 

7. Create and manage profiles
    Profile function: implement password policies and limit the resources a session can consume.
    The password limits of a profile are always enforced; the resource limits are enforced only when the instance parameter resource_limit=true.

    select username,profile from dba_users; -- the profile assigned to each user account; the default profile is DEFAULT
    select * from dba_profiles where profile='DEFAULT'; -- contents of a profile


    Password limits:
    FAILED_LOGIN_ATTEMPTS -- number of consecutive failed login attempts allowed
    PASSWORD_LOCK_TIME -- number of days the account stays locked after FAILED_LOGIN_ATTEMPTS is reached
    PASSWORD_LIFE_TIME -- number of days before the password expires
    PASSWORD_GRACE_TIME -- number of days, counted from the first successful login after the password expired, during which it can still be changed
    PASSWORD_VERIFY_FUNCTION -- function that verifies password complexity
    Resource limits:
    SESSIONS_PER_USER
    CPU_PER_SESSION
    CPU_PER_CALL
    LOGICAL_READS_PER_SESSION
    LOGICAL_READS_PER_CALL
    PRIVATE_SGA
    CONNECT_TIME
    IDLE_TIME
    COMPOSITE_LIMIT


    Enable resource limits with the instance parameter:
    alter system set resource_limit=true;

    Create a profile and assign it:
    create profile dba_profile limit sessions_per_user unlimited
      password_life_time 7 password_grace_time 1;
    alter user sys profile dba_profile;
    alter user system profile dba_profile;

    alter profile default limit sessions_per_user 1; -- modify a profile

    To enable more advanced password management, run the script:
    $ORACLE_HOME/rdbms/admin/utlpwdmg.sql

    Delete a profile; users that were assigned it are reassigned the DEFAULT profile:
    drop profile profile_name cascade;
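A fuller profile that puts the password limits listed above together with a complexity function, as an added example that is not part of the original notes. It assumes it is run as SYS (a verify function must be owned by SYS); the function, profile and user names are constructed.

```sql
-- Added example: password-complexity function plus a profile that applies it
-- together with lockout, expiry and reuse limits. Run as SYS.
-- ocp_verify_fn and app_user_profile are constructed names.
CREATE OR REPLACE FUNCTION ocp_verify_fn (
    username      VARCHAR2,
    password      VARCHAR2,
    old_password  VARCHAR2)
RETURN BOOLEAN IS
BEGIN
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20001, 'Password must be at least 12 characters');
    END IF;
    -- the username must not appear inside the password (case-insensitive)
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        raise_application_error(-20002, 'Password must not contain the username');
    END IF;
    -- require at least one letter and one digit
    IF NOT REGEXP_LIKE(password, '[0-9]') OR NOT REGEXP_LIKE(password, '[A-Za-z]') THEN
        raise_application_error(-20003, 'Password needs both letters and digits');
    END IF;
    -- old_password is NULL when an administrator sets the password
    IF old_password IS NOT NULL AND password = old_password THEN
        raise_application_error(-20004, 'New password must differ from the old one');
    END IF;
    RETURN TRUE;
END;
/

CREATE PROFILE app_user_profile LIMIT
    FAILED_LOGIN_ATTEMPTS    5          -- lock after 5 consecutive failures
    PASSWORD_LOCK_TIME       1/24       -- stay locked for one hour (fraction of a day)
    PASSWORD_LIFE_TIME       90         -- force a change every 90 days
    PASSWORD_GRACE_TIME      7          -- 7-day grace period after expiry
    PASSWORD_REUSE_MAX       10         -- 10 different passwords before one may be reused
    PASSWORD_REUSE_TIME      365        -- and at least a year must have passed
    PASSWORD_VERIFY_FUNCTION ocp_verify_fn
    SESSIONS_PER_USER        3;         -- resource limit; needs resource_limit=true

ALTER USER scott PROFILE app_user_profile;

-- check what was stored for the password part of the profile
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USER_PROFILE'
   AND resource_type = 'PASSWORD';
```

Profile changes apply to subsequent password changes and logins; passwords already set are not re-checked against the new function.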

 

---------------------------------------------------------------------

Principle of least privilege:
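An added example of applying least privilege with the roles and privileges described earlier, followed by a review query for accounts that hold the broad ANY privileges or the DBA role; it is not part of the original notes, and the role, user and password values are constructed placeholders.

```sql
-- Added example: a read-only reporting role instead of direct grants, and a
-- review of who holds ANY privileges or DBA. hr_reader and rpt_user are constructed names.
CREATE ROLE hr_reader;
GRANT CREATE SESSION TO hr_reader;
GRANT SELECT ON hr.employees   TO hr_reader;
GRANT SELECT ON hr.departments TO hr_reader;

CREATE USER rpt_user IDENTIFIED BY "Placeholder_Pw1"   -- placeholder password
  DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp
  QUOTA 0 ON users              -- a read-only account needs no space for objects
  PASSWORD EXPIRE;              -- must be changed at first login
GRANT hr_reader TO rpt_user;    -- only the role, no direct privileges

-- review: accounts that hold ANY system privileges or the DBA role
SELECT grantee, privilege AS privilege_or_role
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
UNION ALL
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY 1, 2;
```

Grantees returned by the first query may be roles as well as users; join dba_role_privs to find out who ultimately receives each ANY privilege.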

 

 

-------------------------------------------------------------------------

Standard database auditing

 

1. Auditing SYSDBA activities
    Enable auditing of SYSDBA activity: every statement issued by a user connected as SYSDBA or SYSOPER is written to the operating system audit trail, giving a complete record of what the DBA did.
    The audit trail must be protected; if the DBA can delete audit records, there is no point in creating them. Therefore the DBA should not have superuser privileges on the operating system.
    Auditing parameters:
    audit_sys_operations -- whether SYSDBA activity is audited; the default is TRUE
    audit_file_dest -- directory where the audit trail files are written
    select name, value from v$parameter where name like 'audit%';
    
2. Database auditing
    Before database auditing can be used, the audit_trail parameter must be set. Parameter values:
    NONE (or FALSE): disable database auditing
    OS: audit records are written to the operating system audit trail (the directory given by audit_file_dest).
    DB: audit records are written to the data dictionary table sys.aud$.
    DB_EXTENDED: same as DB, but the records also contain the SQL statement and bind variables that generated them.
    XML: works like OS, but the records are formatted with XML tags.
    XML_EXTENDED: same as XML, but also records the SQL statement and bind variables.
    Once audit_trail is set, database auditing can capture login attempts, use of system and object privileges, and execution of SQL commands, and you can specify whether these events are audited when they succeed and/or when they fail because of privilege checks. Auditing failed commands is especially useful: any record generated indicates that a user tried to exceed their access rights.
    Database auditing is configured with the audit command:
    SQL> audit create any trigger;
    SQL> audit select any table by session;
    SQL> audit select any table by access;
    -- by session generates one audit record per session that violates the audit condition, regardless of how many times it does so.
    -- by access generates one record for each violation.
    SQL> audit insert on ar.hz_parties whenever successful; -- every successful insert of a row into the specified table generates an audit record
    SQL> audit all on ar.ra_interface_lines_all; -- audit every session that executes DDL statements against the specified table.
    -- whenever successful: audit records are limited to successful operations
    -- whenever not successful: audit records are limited to failed operations
    SQL> audit session whenever not successful; -- audit failed logins
    
    If auditing goes to the operating system (audit_trail set to OS or XML), view the files created in the operating system audit trail directory with an appropriate editor.
    If auditing goes to the database (audit_trail set to DB or DB_EXTENDED), the audit records are written to the data dictionary table sys.aud$; normally the view dba_audit_trail is used to read them.

    Audit views:
    dba_audit_trail
    dba_audit_object
    dba_audit_statement
    dba_audit_session
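The audit options from section 2 applied to the events a defender usually wants first (failed logins, use of ANY privileges, changes to accounts, profiles and auditing itself), with the queries that read the result back from the audit views. This is an added example, not part of the original notes; it assumes audit_trail is already DB or DB_EXTENDED, since changing that parameter needs an instance restart.

```sql
-- Added example: audit failed logins and sensitive privilege use, then report
-- from the audit views. Assumes audit_trail=DB or DB_EXTENDED is in effect.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;   -- failed login attempts only
AUDIT SELECT ANY TABLE BY ACCESS;        -- one record per use of the ANY privilege
AUDIT GRANT ANY PRIVILEGE;               -- privilege administration
AUDIT USER, PROFILE, SYSTEM AUDIT;       -- statement options: account, password-policy
                                         -- and audit-configuration changes

-- failed logins in the last 24 hours, grouped by database user and client host
-- (returncode 1017 = invalid username/password, 28000 = account locked)
SELECT username, os_username, userhost, returncode, COUNT(*) AS attempts
  FROM dba_audit_session
 WHERE returncode <> 0
   AND timestamp > SYSDATE - 1
 GROUP BY username, os_username, userhost, returncode
 ORDER BY attempts DESC;

-- uses of SELECT ANY TABLE to read a schema other than the user's own
SELECT timestamp, username, owner, obj_name, action_name, priv_used
  FROM dba_audit_trail
 WHERE priv_used = 'SELECT ANY TABLE'
   AND owner <> username
 ORDER BY timestamp DESC;

-- account, profile and audit-configuration changes, newest first
SELECT timestamp, username, action_name, obj_name, returncode
  FROM dba_audit_trail
 WHERE action_name IN ('CREATE USER', 'ALTER USER', 'DROP USER',
                       'CREATE PROFILE', 'ALTER PROFILE', 'DROP PROFILE',
                       'AUDIT', 'NOAUDIT')
 ORDER BY timestamp DESC;
```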
    
3. Value-based auditing with triggers
    Database auditing can capture the fact that a command was executed against a table, but it does not record the affected rows. For example, after audit insert on hr.employees, an audit record is generated whenever a row is inserted into that table, but the record does not contain the values of the inserted row. When the actual values must be captured, a database trigger is needed.
    
-- row-level trigger that writes a record to the audit table system.creditrating_audit
-- whenever the creditrating column of oe.customers changes
CREATE OR REPLACE TRIGGER system.creditrating_audit
AFTER UPDATE OF creditrating
ON oe.customers
REFERENCING NEW AS NEW OLD AS OLD
FOR EACH ROW
BEGIN
  -- if either value is NULL the comparison is not true and no record is written
  IF :old.creditrating != :new.creditrating THEN
    INSERT INTO system.creditrating_audit
    VALUES (sys_context('userenv','os_user'),     -- OS user of the session
            sys_context('userenv','ip_address'),  -- client IP address
            :new.cust_id || ' credit rating changed from ' || :old.creditrating || ' to ' || :new.creditrating);
  END IF;
END;
/


4. Fine-grained auditing (FGA)
    Fine-grained auditing can be configured to generate audit records only when specific rows, or specific columns of specific rows, are accessed, and it can also run a block of PL/SQL code when the audit condition is met.
    Fine-grained auditing is configured with the package dbms_fga; an audit policy is created with the procedure add_policy. Parameters of add_policy:
    object_schema
    object_name
    policy_name
    audit_condition
    audit_column
    handler_schema -- schema of the procedure to run when the audit condition is met
    handler_module -- the PL/SQL procedure to run when the audit condition is met
    enable -- TRUE/FALSE, enable or disable the policy
    statement_types -- audited statement types: SELECT, INSERT, UPDATE, DELETE
    audit_trail
    audit_column_opts -- dbms_fga.any_columns / dbms_fga.all_columns
    
    Example of creating an audit policy:
    begin
      dbms_fga.add_policy(object_schema   => 'HR',
                          object_name     => 'EMPLOYEES',
                          policy_name     => 'POL1',
                          audit_condition => 'department_id=80',
                          audit_column    => 'SALARY');
    end;
    /

    Audit views:
    dba_audit_trail
    dba_fga_audit_trail
    dba_common_audit_trail
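The same policy extended with the remaining add_policy parameters, including a handler procedure that records who triggered it, and the query that reads the FGA trail back. This is an added example, not part of the original notes; the alert table, handler procedure and policy name are constructed, and the example assumes the hr.employees table exists and the script is run as SYSTEM.

```sql
-- Added example: FGA policy on hr.employees with a handler procedure.
-- fga_alerts, fga_handler and SALARY_DEPT80 are constructed names. Run as SYSTEM.
CREATE TABLE system.fga_alerts (
    alert_time   DATE,
    db_user      VARCHAR2(30),
    os_user      VARCHAR2(100),
    client_ip    VARCHAR2(45),
    object_name  VARCHAR2(61),
    policy_name  VARCHAR2(30));

-- handler signature required by dbms_fga: (object_schema, object_name, policy_name)
CREATE OR REPLACE PROCEDURE system.fga_handler (
    object_schema VARCHAR2, object_name VARCHAR2, policy_name VARCHAR2) IS
    PRAGMA AUTONOMOUS_TRANSACTION;   -- the alert is kept even if the user rolls back
BEGIN
    INSERT INTO system.fga_alerts VALUES (
        SYSDATE,
        sys_context('userenv', 'session_user'),
        sys_context('userenv', 'os_user'),
        sys_context('userenv', 'ip_address'),
        object_schema || '.' || object_name,
        policy_name);
    COMMIT;
END;
/

BEGIN
    dbms_fga.add_policy(
        object_schema     => 'HR',
        object_name       => 'EMPLOYEES',
        policy_name       => 'SALARY_DEPT80',
        audit_condition   => 'department_id = 80',     -- only rows of department 80
        audit_column      => 'SALARY,COMMISSION_PCT',  -- only when these columns are touched
        handler_schema    => 'SYSTEM',
        handler_module    => 'FGA_HANDLER',
        enable            => TRUE,
        statement_types   => 'SELECT,UPDATE',
        audit_trail       => dbms_fga.db_extended,     -- keep the SQL text and binds
        audit_column_opts => dbms_fga.any_columns);    -- any one audited column is enough
END;
/

-- who touched the audited columns, and with which statement
SELECT timestamp, db_user, os_user, userhost, policy_name, sql_text
  FROM dba_fga_audit_trail
 WHERE object_schema = 'HR' AND object_name = 'EMPLOYEES'
 ORDER BY timestamp DESC;
```

The handler runs inside the audited user's statement, so an unhandled error in it makes that statement fail; keep it short and free of anything that can block.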




    Create roles (belongs with section 6):
    create role rolename;
    grant create session to rolename [with admin option];
    revoke rolename from rolename2;

    grant select on hr.regions to rolename;
    grant rolename to rolename2 with admin option;
    revoke rolename from rolename2;

                

 
