DM default accounts:
SYS: built-in system user; not allowed to log in.
SYSDBA: system administrator; has almost all permissions (except auditing and mandatory access control).
SYSAUDITOR: system audit administrator; has audit-related permissions.
SYSSSO: system security administrator; has permissions such as mandatory access control.
SYSDBO: security operator; a user available only in the security version.
The password policies supported by the system are:
⚫ 0 No policy
⚫ 1 The password must not be the same as the username
⚫ 2 The password length must be greater than or equal to the value set by the INI parameter PWD_MIN_LEN
⚫ 4 Contains at least one uppercase letter (A-Z)
⚫ 8 Contains at least one digit (0-9)
⚫ 16 Contains at least one punctuation mark (any symbol typed in English input mode except " and space)
Password policies can be applied individually or in combination. To combine them, add the values: for example, to apply policies 2 and 4, set the password policy to 2+4=6.
SQL> select * from v$parameter t where t.name = 'PWD_POLICY';
行号 ID NAME TYPE VALUE SYS_VALUE FILE_VALUE DESCRIPTION DEFAULT_VALUE ISDEFAULT
---------- ----------- ---------- ---- ----- --------- ---------- ----------------------- ------------- -----------
1 463 PWD_POLICY SYS 2 2 2 Flag of password policy 2 1
Elapsed time: 9.016(milliseconds). Execution number: 532.
SQL> select * from v$parameter t where t.name = 'PWD_MIN_LEN';
行号 ID NAME TYPE VALUE SYS_VALUE FILE_VALUE DESCRIPTION DEFAULT_VALUE ISDEFAULT
---------- ----------- ----------- ---- ----- --------- ---------- --------------------------------------------------------------------------- ------------- -----------
1 464 PWD_MIN_LEN SYS 9 9 9 Password min length in byte, it's valid only if PWD_POLICY&2 not equal to 0 9 1
Elapsed time: 5.268(milliseconds). Execution number: 533.
SQL> create user test identified by test1234;
create user test identified by test1234;
Error [-2504] near line 1: The password length does not meet the requirements.
Elapsed time: 1.600(milliseconds). Execution number: 0.
SQL> create user test identified by test12345;
Action performed
Elapsed time: 68.732(milliseconds). Execution number: 534.
With password policy 2 and PWD_MIN_LEN set to 9, the password must be at least 9 characters long: test1234 (8 characters) is rejected and test12345 (9 characters) is accepted.
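The following sketch models the policy flags listed above so that a combined PWD_POLICY value can be decoded and a candidate password checked against it before the value is set on a server. It is an added example, not DM code: the function names, the case-insensitive username comparison and the UTF-8 byte length are assumptions.

```python
import string

# Bit flags of PWD_POLICY as listed on this page.
RULES = {
    1: "must differ from the user name",
    2: "length >= PWD_MIN_LEN",
    4: "at least one uppercase letter (A-Z)",
    8: "at least one digit (0-9)",
    16: "at least one punctuation mark",
}
# Punctuation per the page: ASCII symbols except the double quote and space.
PUNCT = set(string.punctuation) - {'"'}


def decode_policy(value):
    """Return the individual flags that make up a combined PWD_POLICY value."""
    if value < 0 or value & ~sum(RULES):
        raise ValueError(f"unknown bits in PWD_POLICY {value}")
    return [bit for bit in RULES if value & bit]


def violations(username, password, policy, min_len=9):
    """List the rules (flag, description) that `password` breaks under `policy`."""
    checks = {
        # Assumption: the comparison ignores case (the page shows user
        # 'test' stored as TEST).
        1: password.upper() != username.upper(),
        # PWD_MIN_LEN is described as a length in bytes; UTF-8 is assumed.
        2: len(password.encode("utf-8")) >= min_len,
        4: any(c in string.ascii_uppercase for c in password),
        8: any(c in string.digits for c in password),
        16: any(c in PUNCT for c in password),
    }
    return [(bit, RULES[bit]) for bit in decode_policy(policy) if not checks[bit]]


if __name__ == "__main__":
    # Constructed inputs; the first two are the passwords tried on this page.
    for policy, pwd in [(2, "test1234"), (2, "test12345"),
                        (15, "test12345"), (15, "Dameng_test")]:
        bad = violations("test", pwd, policy)
        print(f"policy={policy:<2} flags={decode_policy(policy)} "
              f"{pwd!r}: {'OK' if not bad else bad}")
```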
SQL> select name,type,value,SYS_VALUE,FILE_VALUE from v$parameter where name = 'PWD_POLICY';
行号 NAME TYPE VALUE SYS_VALUE FILE_VALUE
---------- ---------- ---- ----- --------- ----------
1 PWD_POLICY SYS 2 2 2
Elapsed time: 5.854(milliseconds). Execution number: 537.
SQL> alter system set 'PWD_POLICY' = 15 both;
DMSQL procedure completed successfully
Elapsed time: 3.961(milliseconds). Execution number: 538.
SQL> select name,type,value,SYS_VALUE,FILE_VALUE from v$parameter where name = 'PWD_POLICY';
行号 NAME TYPE VALUE SYS_VALUE FILE_VALUE
---------- ---------- ---- ----- --------- ----------
1 PWD_POLICY SYS 15 15 15
Elapsed time: 5.897(milliseconds). Execution number: 539.
After three failed login attempts as an ordinary user, the account is locked:
SQL> select b.USERNAME,b.LOCK_DATE,a.LOCKED_STATUS,a.PWD_POLICY,a.FAILED_ATTEMPS from sysusers a, dba_users b where a.id = b.USER_ID and b.username='TEST';
行号 USERNAME LOCK_DATE LOCKED_STATUS PWD_POLICY FAILED_ATTEMPS
---------- -------- ------------------- ------------- ----------- --------------
1 TEST 2022-10-19 02:02:18 1 2 3
SQL> select username,account_status from dba_users;
Line number USERNAME ACCOUNT_STATUS
---------- ---------- --------------
1 SYSAUDITOR OPEN
2 SYSSSO OPEN
3 SYSDBA OPEN
4 TEST LOCKED
5 SYS OPEN
Elapsed time: 65.457(milliseconds). Execution number: 1400.
SQL> alter user test account unlock;
Action performed
Elapsed time: 10.547(milliseconds). Execution number: 1401.
SQL> select username,account_status from dba_users;
Line number USERNAME ACCOUNT_STATUS
---------- ---------- --------------
1 SYSAUDITOR OPEN
2 SYSSSO OPEN
3 SYSDBA OPEN
4 TEST OPEN
5 SYS OPEN
Elapsed time: 2.437(milliseconds). Execution number: 1402.
Change a user's default tablespace:
SQL> alter user test default tablespace test01;
Action performed
Elapsed time: 2.720(milliseconds). Execution number: 1403.
Change user password:
SQL> alter user test identified by "Dameng_test";
Action performed
Elapsed time: 6.176(milliseconds). Execution number: 1404.
Delete a user:
SQL> drop user test cascade; --Use cascade with caution in the production environment.
Action performed
Elapsed time: 360.997(milliseconds). Execution number: 1405.
User resource limits:
Resource limits can be set directly on the user with the LIMIT clause, or managed through a profile.
Using the LIMIT clause:
SQL> alter user test LIMIT FAILED_LOGIN_ATTEMPS 10,PASSWORD_LOCK_TIME 10;
Action performed
Elapsed time: 2.777(milliseconds). Execution number: 1408.
Create a profile named profile1 and use it to manage the user's resource limits:
SQL> create profile profile1 limit FAILED_LOGIN_ATTEMPS 10,PASSWORD_LOCK_TIME 10,PASSWORD_LIFE_TIME 180;
Action performed
Elapsed time: 2.587(milliseconds). Execution number: 1409.
SQL> alter user test profile profile1;
Action performed
Elapsed time: 6.332(milliseconds). Execution number: 1410.
Query which profile each user is assigned:
select a.pid profileid, b.name profile_name, a.uid userid, c.name user_name
from SYSUSERPROFILES a, SYSOBJECTS b, SYSOBJECTS c
where a.PID = b.id and a.UID = c.ID;
行号 PROFILEID PROFILE_NAME USERID USER_NAME
---------- ----------- ------------ ----------- ---------
1 469762148 PROFILE1 50331750 TEST
Elapsed time: 1.410(milliseconds). Execution number: 1411.
View user-related permissions:
select * from dba_sys_privs t where t.GRANTEE= 'TEST';
select * from dba_role_privs t where t.GRANTEE= 'TEST';
select * from dba_tab_privs t where t.GRANTEE= 'TEST';
By default, DM does not allow granting users data definition (DDL) permissions on other schemas. This is controlled by the parameter ENABLE_DDL_ANY_PRIV, which defaults to 0.
SQL> grant create any table to test;
grant create any table to test;
Error [-5567] near line 1: Authorizer does not have authorization for this authorization.
Elapsed time: 0.506(milliseconds). Execution number: 0.
SQL> select * from v$parameter t where name like '%ENABLE_DDL_ANY_PRIV%';
行号 ID NAME TYPE VALUE SYS_VALUE FILE_VALUE DESCRIPTION DEFAULT_VALUE ISDEFAULT
---------- ----------- ------------------- ---- ----- --------- ---------- -------------------------------------------------- ------------- -----------
1 495 ENABLE_DDL_ANY_PRIV SYS 0 0 0 Whether enable grant and revoke ddl any privilege. 0 1
Elapsed time: 8.062(milliseconds). Execution number: 1505.
SQL> alter system set 'ENABLE_DDL_ANY_PRIV' = 1 both;
DMSQL procedure completed successfully
Elapsed time: 43.465(milliseconds). Execution number: 1506.
SQL> select * from v$parameter t where name like '%ENABLE_DDL_ANY_PRIV%';
行号 ID NAME TYPE VALUE SYS_VALUE FILE_VALUE DESCRIPTION DEFAULT_VALUE ISDEFAULT
---------- ----------- ------------------- ---- ----- --------- ---------- -------------------------------------------------- ------------- -----------
1 495 ENABLE_DDL_ANY_PRIV SYS 1 1 1 Whether enable grant and revoke ddl any privilege. 0 0
Elapsed time: 14.931(milliseconds). Execution number: 1507.
SQL> grant create any table to test;
Action performed
Elapsed time: 3.878(milliseconds). Execution number: 1508.
A role is a collection of permissions; roles make permission management more convenient.
DBA: has almost all permissions (except auditing and mandatory access control), and is assigned to the SYSDBA user by default.
PUBLIC: has DML (data manipulation) permissions on objects in the current schema.
RESOURCE: has object definition permissions in the current schema (create tables, indexes, views, etc.).
SOI: has permission to query the system tables beginning with sys.
VTI: has permission to query dynamic views beginning with v$ (dynamic views are listed in v$dynamic_tables; without this permission, the DM management tool reports that you do not have permission to query v$ views).
Roles starting with DB_AUDIT_ are audit-related roles with audit-related permissions, and are assigned to SYSAUDITOR by default.
Roles starting with DB_POLICY_ are security-related roles with mandatory access control and other permissions, and are assigned to SYSSSO by default.
SQL> select * from dba_roles;
行号 ROLE PASSWORD_REQUIRED AUTHENTICATION_TYPE
---------- ---------------- ----------------- -------------------
1 DBA NULL NULL
2 DB_AUDIT_ADMIN NULL NULL
3 DB_AUDIT_OPER NULL NULL
4 DB_AUDIT_PUBLIC NULL NULL
5 DB_AUDIT_SOI NULL NULL
6 DB_AUDIT_SVI NULL NULL
7 DB_AUDIT_VTI NULL NULL
8 DB_POLICY_ADMIN NULL NULL
9 DB_POLICY_OPER NULL NULL
10 DB_POLICY_PUBLIC NULL NULL
11 DB_POLICY_SOI NULL NULL
12 DB_POLICY_SVI NULL NULL
13 DB_POLICY_VTI NULL NULL
14 PUBLIC NULL NULL
15 RESOURCE NULL NULL
16 SOI NULL NULL
17 ALL NULL NULL
18 SYS_ADMIN NULL NULL
19 VTI NULL NULL
19 rows got
Elapsed time: 0.557(milliseconds). Execution number: 1511.
SQL> create role role1;
Action performed
Elapsed time: 3.797(milliseconds). Execution number: 1517.
SQL> grant select any table to role1;
Action performed
Elapsed time: 4.059(milliseconds). Execution number: 1518.
SQL> grant create any table to role1;
Action performed
Elapsed time: 2.705(milliseconds). Execution number: 1519.
SQL> grant role1 to test;
Action performed
Elapsed time: 3.665(milliseconds). Execution number: 1520.
SQL> select * from dba_role_privs where GRANTED_ROLE='ROLE1';
行号 GRANTEE GRANTED_ROLE ADMIN_OPTION DEFAULT_ROLE
---------- ------- ------------ ------------ ------------
1 SYSDBA ROLE1 Y NULL
2 TEST ROLE1 N NULL
Elapsed time: 2.386(milliseconds). Execution number: 1523.
Roles can be disabled and enabled; once a role is disabled, its permissions no longer take effect.
SQL> sp_set_role('ROLE1',0); --- disable: the role's permissions no longer take effect
DMSQL procedure completed successfully
Elapsed time: 29.238(milliseconds). Execution number: 1526.
SQL> sp_set_role('ROLE1',1); --- enable: the role's permissions take effect again
DMSQL procedure completed successfully
Elapsed time: 32.781(milliseconds). Execution number: 1527.
Community address: https://eco.dameng.com