Oracle user and privilege management
First, create a user profile (resource and password limits)
SQL> create profile student limit          -- "student" is the profile name
FAILED_LOGIN_ATTEMPTS 3                    -- lock the account after this many failed logins
PASSWORD_LOCK_TIME 5                       -- number of days the account stays locked
PASSWORD_LIFE_TIME 30;                     -- number of days a password remains valid
Second, create a user
SQL> Create User username
Identified by password                     -- the password; if it consists only of digits, enclose it in double quotes
Default Tablespace tablespace              -- default tablespace
Temporary Tablespace tablespace            -- temporary tablespace
Profile profile                            -- profile that governs the user's resource and password limits
Quota integer/unlimited on tablespace;     -- space quota on the tablespace
---
Statement that creates a tablespace:
create tablespace test_tablespace
datafile 'd:\oracle\oradata\test\test.dbf'
size 100M;
When creating a tablespace you must specify the datafile and its size.
Example:
SQL> Create user acc01
identified by acc01                 -- if the password is numeric, enclose it in double quotes
default tablespace account
temporary tablespace temp
profile default
quota 50m on account;               -- at most 50 MB in the ACCOUNT tablespace
SQL> grant connect, resource to acc01;
[*] Query a user's default tablespace and temporary tablespace:
SQL> select username, default_tablespace, temporary_tablespace from dba_users;
[*] Query the profiles defined in the system:
SQL> select * from dba_profiles;
A profile behaves like a table: once created, it is stored in the database.
SQL> select username, profile, default_tablespace, temporary_tablespace from dba_users;
SQL> create profile common limit
failed_login_attempts 5
idle_time 5;
SQL> Alter user acc01 profile common;
Third, modify a user:
SQL> Alter User username
Identified by password
Default Tablespace tablespace
Temporary Tablespace tablespace
Profile profile
Quota integer/unlimited on tablespace;
1. Change the password:
SQL> Alter user acc01 identified by "12345";
2. Change the user's default tablespace:
SQL> Alter user acc01 default tablespace users;
3. Change the user's temporary tablespace:
SQL> Alter user acc01 temporary tablespace temp_data;
4. Force the user to change the password at the next login:
SQL> Alter user acc01 password expire;
5. Lock and unlock the account:
SQL> Alter user acc01 account lock;      -- lock
SQL> Alter user acc01 account unlock;    -- unlock
Fourth, delete a user
SQL> drop user username;            -- only works if the user owns no objects
SQL> drop user username CASCADE;    -- drops the user together with every object it owns
Note: a user that is currently connected cannot be dropped.
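The steps in sections one to four, carried through as one script. This is an added example, not code from the original post; the profile name sec_profile, the user acc02, the tablespaces users and temp, and the password values are assumptions, and the script is run as a DBA:

```sql
-- Added example: password-policy profile plus the user lifecycle. Run as a DBA.
-- Names (sec_profile, acc02, users, temp) and password values are assumptions.

-- 1. A profile that limits login abuse and password age
CREATE PROFILE sec_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5        -- lock after 5 consecutive failed logins
  PASSWORD_LOCK_TIME    1/24     -- stay locked for 1 hour (value is a fraction of a day)
  PASSWORD_LIFE_TIME    90       -- password expires after 90 days
  PASSWORD_GRACE_TIME   7        -- 7 days of warnings before expiry is enforced
  PASSWORD_REUSE_MAX    10       -- none of the last 10 passwords may be reused ...
  PASSWORD_REUSE_TIME   365;     -- ... nor any password used within the last year

-- 2. A user bound to that profile, with an explicit space quota.
--    The password is not all digits, but double quotes keep its case exactly as typed.
CREATE USER acc02
  IDENTIFIED BY "Chang3Me_On_First_Login"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  PROFILE sec_profile
  QUOTA 50M ON users
  PASSWORD EXPIRE;               -- force a password change at first login

-- 3. Only the privilege needed to log in; object and role grants are added separately
GRANT CREATE SESSION TO acc02;

-- 4. Verify what was created
SELECT username, account_status, profile, default_tablespace, temporary_tablespace
FROM   dba_users
WHERE  username = 'ACC02';       -- account_status shows EXPIRED because of PASSWORD EXPIRE

SELECT resource_name, limit
FROM   dba_profiles
WHERE  profile = 'SEC_PROFILE' AND resource_type = 'PASSWORD';

SELECT tablespace_name, max_bytes
FROM   dba_ts_quotas
WHERE  username = 'ACC02';       -- 52428800 bytes = 50M

-- 5. Lock and unlock; account_status now contains LOCKED, then returns to EXPIRED
ALTER USER acc02 ACCOUNT LOCK;
SELECT username, account_status FROM dba_users WHERE username = 'ACC02';
ALTER USER acc02 ACCOUNT UNLOCK;

-- 6. Find and end any live session before dropping the user (a connected user cannot be dropped).
--    Substitute the sid and serial# returned by the first query into the second.
SELECT sid, serial#, machine FROM v$session WHERE username = 'ACC02';
-- ALTER SYSTEM KILL SESSION '<sid>,<serial#>';

-- 7. Remove the user together with everything it owns
DROP USER acc02 CASCADE;
```

The profile is applied before any privilege is granted, so the lockout and expiry rules are already in force when the account first becomes usable; the `dba_users.account_status` column is the place to confirm each state change.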
Fifth, monitor users:
1. Query user session information:
SQL> select username, sid, serial#, machine from v$session;
2. Terminate a user session (use the sid and serial# returned by the query above):
SQL> Alter system kill session 'sid,serial#';
3. Query the SQL statements a user has open:
SQL> select user_name, sql_text from v$open_cursor;
ORACLE user privilege management: consolidated view queries
select username from dba_users;                          -- all users in the system
select * from dba_users where username = 'XXXX';         -- details of one user
select * from dba_roles;                                 -- all roles in the system
DBA_ROLE_PRIVS: which roles a user holds, or which grantees hold a given role
select * from dba_role_privs where grantee = 'SYS';
select * from dba_role_privs where granted_role = 'RESOURCE';
DBA_SYS_PRIVS: system privileges a user holds
select grantee, privilege from dba_sys_privs where grantee = 'XXXX';
ROLE_SYS_PRIVS: system privileges granted to roles
select * from role_sys_privs where role = 'RESOURCE';    -- privileges contained in the RESOURCE role
ROLE_TAB_PRIVS: table privileges granted to roles
DBA views for managing users, roles and privileges:
DBA_USERS          information about users
DBA_ROLES          all roles in the database
DBA_COL_PRIVS      column-level object grants
DBA_ROLE_PRIVS     users and the roles granted to them
DBA_SYS_PRIVS      system privileges granted to users
DBA_TAB_PRIVS      table privileges granted to users
ROLE_ROLE_PRIVS    roles granted to roles
ROLE_SYS_PRIVS     system privileges granted to roles
ROLE_TAB_PRIVS     table privileges granted to roles
SESSION_PRIVS      privileges available to the current session
SESSION_ROLES      roles enabled in the current session
select * from session_privs;                               -- privileges the current user can use
select * from user_role_privs;                             -- roles the current user holds
select * from dba_sys_privs where grantee = 'CONNECT';     -- privileges a role holds (role as grantee)
select * from role_sys_privs where role = 'CONNECT';       -- privileges a role holds
First, privilege classification:
System privileges: privileges that allow a user to perform operations on the database as a whole (system privileges are granted to users).
Object (entity) privileges: privileges that allow a user to access another user's tables or views (they apply to a specific table or view).
Second, system privilege management:
1. Categories of system privilege (the predefined roles):
DBA: holds all privileges; it is the highest level of authority, and only a DBA can create database structures.
RESOURCE: a user with the Resource role can create objects, but cannot create database structures.
CONNECT: a user with the Connect role can only log in to Oracle; it can create neither objects nor database structures.
For ordinary users: grant connect and resource.
For users who will administer the database: grant connect, resource and dba.
2. Granting system privileges:
[Only a DBA user can grant system privileges; initially the only two such users are sys and system.]
Grant command: SQL> grant connect, resource, dba to username1 [, username2] ...;
[A user granted these privileges can end up with the same rights as the system user, but never those of the sys user; system privileges granted this way can be revoked again.]
Example:
SQL> connect system/manager
SQL> Create user user50 identified by user50;
SQL> grant connect, resource to user50;
Query where a user's privileges come from:
SQL> select * from dba_role_privs;
SQL> select * from dba_sys_privs;
SQL> select * from role_sys_privs;
Delete a user: SQL> drop user username cascade;    -- cascade drops everything the user created along with the user
3. Passing system privileges on:
Adding WITH ADMIN OPTION lets the grantee pass the privilege on to others.
SQL> grant connect, resource to username with admin option;    -- the grantee may re-grant what it received
4. Revoking system privileges: a user's system privileges can be revoked only by a DBA
Command: SQL> Revoke connect, resource from user50;
Notes:
1) If a system privilege was granted to a user WITH ADMIN OPTION and that user granted it on to others, revoking it from the first user does not cascade: the other users keep the same privilege.
2) System privilege revocation does not cascade: if A grants a privilege to B and B grants it to C, revoking it from B does not affect C. Revocation can skip levels, however: A can revoke C's privilege directly.
Third, object (entity) privilege management
1. Object privilege types: select, update, insert, alter, index, delete, all    -- all includes every object privilege
execute    -- privilege to execute a stored procedure
user01:
SQL> grant select, update, insert on product to user02;
SQL> grant all on product to user02;
user02:
SQL> select * from user01.product;
-- user02's user_tables does not list user01.product, but all_tables does, because user02 has access to it.
2. Granting operations on a table to all users:
SQL> grant all on product to public;    -- public means every user; "all" here does not include drop
[Object privilege data dictionary views]:
SQL> select owner, table_name from all_tables;                                  -- tables the user can query
SQL> select table_name from user_tables;                                        -- tables the user created
SQL> select grantor, table_schema, table_name, privilege from all_tab_privs;    -- tables the user has been granted access to
SQL> select grantee, owner, table_name, privilege from user_tab_privs;          -- grants on the user's own tables
3. A DBA user can operate on any user's base tables without being granted access, including dropping them:
DBA user:
SQL> Create table stud02.product(
id number(10),
name varchar2(20));
SQL> drop table stud02.emp;
SQL> create table stud02.employee
as
select * from scott.emp;
4. Passing object privileges on (with grant option):
user01:
SQL> grant select, update on product to user02 with grant option;   -- user02 receives the privileges and may pass them on
Revoking object privileges:
user01:
SQL> Revoke select, update on product from user02;    -- privileges that user02 passed on are lost as well
Explanation:
1) If a user's object privilege is revoked, every user to whom that user had granted the same privilege (by virtue of WITH GRANT OPTION) loses it too; object privilege revocation cascades.
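The two revocation rules, the non-cascading revoke of a system privilege granted WITH ADMIN OPTION (notes 1 and 2 of the system-privilege section) and the cascading revoke of an object privilege granted WITH GRANT OPTION (explanation 1 above), demonstrated side by side. This is an added example, not from the original post; the users ua, ub and uc, the table ua.product, the tablespace users and the passwords are assumptions.

```sql
-- Added example (not from the original post): revocation of a system privilege
-- (WITH ADMIN OPTION) does not cascade, revocation of an object privilege
-- (WITH GRANT OPTION) does. Users ua/ub/uc, table ua.product and passwords are
-- assumptions. Lines marked "as <user>" run in a session connected as that user.

-- as DBA: three users that can log in; ua will own a table
CREATE USER ua IDENTIFIED BY "Pw_ua_x" QUOTA 10M ON users;
CREATE USER ub IDENTIFIED BY "Pw_ub_x";
CREATE USER uc IDENTIFIED BY "Pw_uc_x";
GRANT CREATE SESSION TO ua, ub, uc;
GRANT CREATE TABLE TO ua;

-- ---- System privilege: revoke does NOT cascade ----
-- as DBA: ub may create tables and may pass that privilege on
GRANT CREATE TABLE TO ub WITH ADMIN OPTION;
-- as ub: pass it on to uc
GRANT CREATE TABLE TO uc;
-- as DBA: take it back from ub only
REVOKE CREATE TABLE FROM ub;
-- as DBA: uc still holds the privilege; only the UB row is gone
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE TABLE' AND grantee IN ('UB', 'UC');
-- revocation may skip a level: a DBA revokes uc's copy directly
REVOKE CREATE TABLE FROM uc;

-- ---- Object privilege: revoke DOES cascade ----
-- as ua: own a table and let ub read it and re-grant that right
CREATE TABLE product (id NUMBER(10), name VARCHAR2(20));
GRANT SELECT ON product TO ub WITH GRANT OPTION;
-- as ub: pass the read right on to uc
GRANT SELECT ON ua.product TO uc;
-- as DBA: both grants are visible, each with the grantor that issued it
SELECT grantee, grantor, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'UA' AND table_name = 'PRODUCT';   -- UB (grantor UA), UC (grantor UB)
-- as ua: revoke from ub
REVOKE SELECT ON product FROM ub;
-- as DBA: the UC row disappeared as well; the revoke followed the grant chain
SELECT grantee, grantor, privilege
FROM   dba_tab_privs
WHERE  owner = 'UA' AND table_name = 'PRODUCT';   -- no rows
```

The `grantor` column of DBA_TAB_PRIVS is what makes the object-privilege chain auditable: a grant whose grantor is not the object owner was passed on by an intermediary and will vanish together with that intermediary's grant. DBA_SYS_PRIVS has no grantor column, so the origin of a system privilege cannot be reconstructed afterwards, which is the practical reason to hand out WITH ADMIN OPTION sparingly.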
Summary:
- View user's system privileges
select * from dba_sys_privs;
select * from session_privs;
select * from user_sys_privs;
- View user object permissions
select * from dba_tab_privs;
select * from all_tab_privs;
select * from user_tab_privs;
Oracle role management
First, what is a role
A role is a named set of privileges. When a role is granted to a user, the user obtains all the privileges the role contains.
Second, predefined roles
Predefined roles are common database roles that the system creates automatically at installation. A brief look at them follows. The privileges a role contains can be queried with:
sql>select * from role_sys_privs where role='ROLE_NAME';
1. CONNECT, RESOURCE, DBA
These predefined roles exist mainly for backward compatibility and are used mostly for database administration. Oracle recommends that users design their own privilege scheme for database management and security rather than simply relying on these roles; future versions may no longer ship them as predefined roles.
2. DELETE_CATALOG_ROLE, EXECUTE_CATALOG_ROLE, SELECT_CATALOG_ROLE
These roles are used mainly to access data dictionary views and packages.
3. EXP_FULL_DATABASE, IMP_FULL_DATABASE
These two roles are for the data export and import tools.
4. AQ_USER_ROLE, AQ_ADMINISTRATOR_ROLE
AQ: Advanced Query. These two roles serve Oracle's advanced query features.
5. SNMPAGENT
For Oracle Enterprise Manager and the Intelligent Agent.
6. RECOVERY_CATALOG_OWNER
For creating a user that owns a recovery catalog. For information on the recovery catalog, see the Oracle documentation "Oracle9i User-Managed Backup and Recovery Guide".
7. HS_ADMIN_ROLE
A DBA using Oracle's heterogeneous services feature needs this role to access the appropriate tables in the data dictionary.
Third, managing roles
1. Create a role
sql>create role role1;
2. Grant privileges to a role
sql>grant create any table,create procedure to role1;
3. Grant a role to a user
sql>grant role1 to user1;
4. View the privileges a role contains
sql>select * from role_sys_privs;
5. Create a role with a password (the password must be supplied when the role is enabled)
sql>create role role1 identified by password1;
6. Modify a role: whether a password is required
sql>alter role role1 not identified;
sql>alter role role1 identified by password1;
7. Enable roles for the current user
(Note: what does it mean for a role to be enabled? Suppose a user holds three roles b1, b2 and b3. If b1 is not enabled, the privileges contained in b1 are not available to the user; only the privileges of enabled roles are in effect. The maximum number of enabled roles is set by the parameter MAX_ENABLED_ROLES. After login, Oracle directly gives the user all privileges held by the user and by the user's default roles.)
sql> set role role1;                           -- enable role1
sql> set role role1, role2;                    -- enable role1 and role2
sql> set role role1 identified by password1;   -- enable the password-protected role1
sql> set role all;                             -- enable all of the user's roles
sql> set role none;                            -- disable all roles
sql> set role all except role1;                -- enable all of the user's roles except role1
sql> select * from SESSION_ROLES;              -- view the roles enabled for the current user
8. Change a user's default roles
sql>alter user user1 default role role1;
sql>alter user user1 default role all except role1;
See the Oracle reference documentation.
9. Drop a role
sql>drop role role1;
After a role is dropped, users who held it no longer have it, and the corresponding privileges are gone.
Notes:
1) Object privileges cannot be granted to a role WITH GRANT OPTION.
2) System privileges can be granted to a role WITH ADMIN OPTION; their revocation does not cascade.
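A worked example of the role-management commands above, added here and not taken from the original post. It builds application-specific roles in place of CONNECT and RESOURCE (as the note on predefined roles recommends) and keeps a privileged role password-protected and off the user's default list, so its privileges are only in effect when explicitly enabled. The names app_owner, app_user, app_reader and app_maint, the tablespace users and the passwords are assumptions; it runs as a DBA except where marked.

```sql
-- Added example (not from the original post): purpose-built roles instead of
-- CONNECT/RESOURCE, with one password-protected role that is granted but not
-- enabled at login. All names and passwords below are assumptions.

-- as DBA: a schema that owns the application table, and the user that will use it
CREATE USER app_owner IDENTIFIED BY "Own3r_Pw_x" QUOTA 5M ON users;
CREATE USER app_user  IDENTIFIED BY "Us3r_Pw_x";
CREATE TABLE app_owner.product (id NUMBER(10), name VARCHAR2(20));

-- a minimal "reader" role: log in and read one table
CREATE ROLE app_reader;
GRANT CREATE SESSION TO app_reader;
GRANT SELECT ON app_owner.product TO app_reader;   -- object privilege to a role: WITH GRANT OPTION is not allowed

-- a maintenance role that must be enabled explicitly with its password
CREATE ROLE app_maint IDENTIFIED BY "Maint_Pw_x";
GRANT CREATE TABLE, CREATE VIEW TO app_maint;
ALTER USER app_user QUOTA 10M ON users;            -- CREATE TABLE is useless without a quota

-- grant both roles, but make only the reader role a default role
GRANT app_reader, app_maint TO app_user;
ALTER USER app_user DEFAULT ROLE app_reader;

-- verify what each role carries (roles appear as grantees in the DBA_* views)
SELECT grantee, privilege FROM dba_sys_privs
WHERE  grantee IN ('APP_READER', 'APP_MAINT');
SELECT grantee, owner, table_name, privilege FROM dba_tab_privs
WHERE  grantee = 'APP_READER';
-- and how the user holds them: APP_READER default_role = YES, APP_MAINT = NO
SELECT granted_role, default_role FROM dba_role_privs WHERE grantee = 'APP_USER';

-- as app_user, in its own session:
SELECT * FROM session_roles;                                   -- APP_READER only
SELECT COUNT(*) FROM app_owner.product;                        -- permitted through the role
SET ROLE app_reader, app_maint IDENTIFIED BY "Maint_Pw_x";     -- enable the protected role
SELECT * FROM session_roles;                                   -- APP_READER, APP_MAINT
SET ROLE app_reader;                                           -- back to least privilege when done
```

Because `app_maint` is not a default role, a SESSION_ROLES check at any moment tells whether the elevated privileges are live, and a SET ROLE without the password fails; the same separation is what a review of `dba_role_privs.default_role` should look for on existing accounts.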
Data dictionary
1. Dynamic performance views start with V$xxx; there are about 150 of them in the database. They reflect the database's current operating state, so querying them at different times gives different results.
2. DBA views start with DBA_xxx and describe the database storage structure. A DBA queries them to see how the database structure is set up and to manage disk space, tablespaces, transaction rollback segments and users' tablespaces.
3. User views start with USER_xxx and describe the objects created by the user, e.g. USER_TABLES and USER_VIEWS. The database administrator has full rights over every user's objects, can query these views to see the state of user-created objects, and can drop incorrectly created objects if necessary.
4. ALL_xxx views describe the objects the user created plus the objects the user is authorized to access.
select privilege from dba_sys_privs where grantee='USERNAME';
Oracle: querying a user's privileges
-- determine the privileges of a role
select * from role_tab_privs;    -- object privileges granted to roles
select * from role_role_privs;   -- roles granted to other roles
select * from role_sys_privs;    -- system privileges granted to roles
-- determine the privileges granted to a user account
select * from DBA_tab_privs;     -- object privileges granted directly to user accounts
select * from DBA_role_privs;    -- roles granted to user accounts
select * from DBA_sys_privs;     -- system privileges granted to user accounts
View the current user privileges:
SQL> select * from session_privs;
PRIVILEGE
----------------------------------------
CREATE SESSION
CREATE TABLE
CREATE CLUSTER
CREATE SYNONYM
CREATE VIEW
CREATE SEQUENCE
CREATE PROCEDURE
CREATE TRIGGER
8 rows selected.
I personally find Oracle's data dictionary design very sensible: from the prefixes DBA_xxx, ALL_xxx and USER_xxx one can roughly tell what a view is for. This article briefly summarizes the privilege- and role-related views.
I. Overview
The views related to privileges and roles are roughly these:
DBA_SYS_PRIVS: system privileges held by a given user
USER_SYS_PRIVS: system privileges held by the current user
SESSION_PRIVS: all privileges available to the current session
ROLE_SYS_PRIVS: system privileges held by a role
Note: log in as the SYS user to query this view, otherwise it returns nothing.
ROLE_ROLE_PRIVS: roles granted to the current roles
SESSION_ROLES: roles enabled for the current user
USER_ROLE_PRIVS: roles granted to the current user
There are also views for table access:
TABLE_PRIVILEGES
ALL_TAB_PRIVS
ROLE_TAB_PRIVS: table privileges granted to roles
...
II. Examples
1. Query the privileges the current user has:
Select * from session_privs;
2. Query the system privileges granted to a user.
There are several ways:
Select * from user_sys_privs;
or: select * from DBA_SYS_PRIVS where grantee='XXX';
(The current user needs the DBA role for this one.)
3. Query the roles granted to the current user:
1. Select * from SESSION_ROLES order by ROLE
Description: this query returns all roles granted to the current user, including nested roles. For example, if the DBA role is granted to a user, the roles granted to DBA (such as exp_full_database and imp_full_database) also appear in the output.
2. Select * from USER_ROLE_PRIVS
4. Query the system privileges granted to a role:
Select Privilege from ROLE_SYS_PRIVS where ROLE=&Role
Input: role = 'CONNECT'
Output:
PRIVILEGE
--------------------
ALTER SESSION
CREATE CLUSTER
CREATE DATABASE LINK
CREATE SEQUENCE
CREATE SESSION
CREATE SYNONYM
CREATE TABLE
CREATE VIEW
Query the roles granted to a role:
Select GRANTED_ROLE from ROLE_ROLE_PRIVS where ROLE=&ROLE
Input: role = 'DBA'
Output:
GRANTED_ROLE
----------------------
DELETE_CATALOG_ROLE
EXECUTE_CATALOG_ROLE
EXP_FULL_DATABASE
IMP_FULL_DATABASE
PLUSTRACE
SELECT_CATALOG_ROLE
Description: the PLUSTRACE role is used to run SQL*Plus AUTOTRACE; running $ORACLE_HOME/sqlplus/admin/plustrce.sql creates this role.
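The nested-role output above shows why a user's privileges cannot be read from DBA_SYS_PRIVS alone: a privilege may arrive through a role granted to a role. The following queries, added as an example and not part of the original post, walk the role hierarchy to compute a user's effective system privileges and then list grants across the database that a privilege review should look at. They assume access to the DBA_* views; 'ACC01' is the example user from the earlier sections and stands in for the account under review.

```sql
-- Added example (not from the original post): effective system privileges of a
-- user through any depth of nested roles, plus a database-wide review of grants
-- worth a second look. Requires DBA_* access. 'ACC01' is the account under review.

-- 1. Every role reachable from the user. DBA_ROLE_PRIVS lists roles granted to
--    roles as well as to users, so a hierarchical query walks the nesting.
--    (Oracle rejects circular role grants, so the walk terminates.)
SELECT DISTINCT granted_role, LEVEL AS depth
FROM   dba_role_privs
START WITH grantee = 'ACC01'
CONNECT BY PRIOR granted_role = grantee
ORDER BY depth, granted_role;

-- 2. Effective system privileges: direct grants plus grants to any reachable role,
--    with the role (or DIRECT) through which each one arrives
SELECT privilege, 'DIRECT' AS via, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'ACC01'
UNION
SELECT s.privilege, s.grantee AS via, s.admin_option
FROM   dba_sys_privs s
WHERE  s.grantee IN (SELECT granted_role
                     FROM   dba_role_privs
                     START WITH grantee = 'ACC01'
                     CONNECT BY PRIOR granted_role = grantee)
ORDER BY 1, 2;

-- 3. Review across the database (user accounts only, roles filtered out):
--    a) accounts holding the DBA role directly
SELECT u.username, r.granted_role, r.admin_option
FROM   dba_users u
JOIN   dba_role_privs r ON r.grantee = u.username
WHERE  r.granted_role = 'DBA';

--    b) accounts with "ANY"-style system privileges or the right to pass a privilege on
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  (privilege LIKE '%ANY%' OR admin_option = 'YES')
AND    grantee IN (SELECT username FROM dba_users)
ORDER BY grantee, privilege;

--    c) object privileges that were handed out WITH GRANT OPTION
SELECT grantee, owner, table_name, privilege, grantor
FROM   dba_tab_privs
WHERE  grantable = 'YES'
AND    grantee NOT IN (SELECT role FROM dba_roles)
ORDER BY grantee, owner, table_name;
```

Query 2 is the one to keep as a saved report: comparing its output for an account against the access that account is supposed to have exposes privileges inherited through roles nobody remembers granting. Query 3a only catches direct DBA grants; a DBA role reached through another role shows up in query 2 instead.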
-------------------------------------------------------------------------------------------------------------------------------------------------------------
How to check an Oracle user's privileges?
Oracle data dictionary views come in three types: USER, ALL and DBA.
USER_*: information about objects owned by the user, i.e. objects the user created
ALL_*: information about objects the user can access, i.e. objects the user created plus objects created by other users that this user has been granted access to
DBA_*: information about objects in the entire database
(where * can be TABLES, INDEXES, OBJECTS, USERS, etc.)
1. View all users
select * from dba_users;
select * from all_users;
select * from user_users;
2. View users' system privileges
select * from dba_sys_privs;
select * from user_sys_privs;
(There is no ALL_SYS_PRIVS view; system privileges are exposed only through the DBA_ and USER_ views.)
3. View users' object privileges
select * from dba_tab_privs;
select * from all_tab_privs;
select * from user_tab_privs;
4. View all roles
select * from dba_roles;
5. View the roles users hold
select * from dba_role_privs;
select * from user_role_privs;
6. View the current user's default tablespace
select username,default_tablespace from user_users;
7. Assign a specific set of privileges to a user, e.g.:
grant connect,resource,create session,create view to TEST;
8. View which privileges the RESOURCE role has:
SELECT * FROM DBA_SYS_PRIVS WHERE GRANTEE='RESOURCE';
List of Oracle system and object privileges
alter any cluster: modify any cluster
alter any index: modify any index
alter any role: modify any role
alter any sequence: modify any sequence
alter any snapshot: modify any snapshot
alter any table: modify any table
alter any trigger: modify any trigger
alter cluster: modify the user's own clusters
alter database: modify the database
alter procedure: modify the user's own stored procedures
alter profile: modify resource-limit profiles
alter resource cost: set the cost of session resources
alter rollback segment: modify rollback segments
alter sequence: modify the user's own sequences
alter session: modify database session settings
alter system: modify database server settings
alter table: modify the user's own tables
alter tablespace: modify tablespaces
alter user: modify users
analyze: run the analyze command on any table, index or cluster in the database
audit any: set audit options for any database object
audit system: allow auditing of system operations
backup any table: back up any table
become user: switch to another user's identity
commit any table: commit on any table
create any cluster: create clusters for any user
create any index: create indexes for any user
create any procedure: create stored procedures for any user
create any sequence: create sequences for any user
create any snapshot: create snapshots for any user
create any synonym: create synonyms for any user
create any table: create tables for any user
create any trigger: create triggers for any user
create any view: create views for any user
create cluster: create clusters in the user's own schema
create database link: create database links in the user's own schema
create procedure: create stored procedures in the user's own schema
create profile: create resource-limit profiles
create public database link: create public database links
create public synonym: create public synonyms
create role: create roles
create rollback segment: create rollback segments
create session: create a session (log in)
create sequence: create sequences in the user's own schema
create snapshot: create snapshots in the user's own schema
create synonym: create synonyms in the user's own schema
create table: create tables in the user's own schema
create tablespace: create tablespaces
create user: create users
create view: create views in the user's own schema
delete any table: delete rows from any table
delete any view: delete rows from any view
delete snapshot: delete rows from a snapshot
delete table: delete rows from a user's table
delete view: delete rows through a user's view
drop any cluster: drop any cluster
drop any index: drop any index
drop any procedure: drop any stored procedure
drop any role: drop any role
drop any sequence: drop any sequence
drop any snapshot: drop any snapshot
drop any synonym: drop any synonym
drop any table: drop any table
drop any trigger: drop any trigger
drop any view: drop any view
drop profile: drop resource-limit profiles
drop public cluster: drop public clusters
drop public database link: drop public database links
drop public synonym: drop public synonyms
drop rollback segment: drop rollback segments
drop tablespace: drop tablespaces
drop user: drop users
execute any procedure: execute any stored procedure
execute function: execute a stored function
execute package: execute a stored package
execute procedure: execute a user's stored procedure
force any transaction: force the commit or rollback of any user's uncommitted (in-doubt) transaction
force transaction: force the commit or rollback of the user's own uncommitted transactions
grant any privilege: grant any system privilege
grant any role: grant any role
index table: create indexes on a table
insert any table: insert rows into any table
insert snapshot: insert rows into a snapshot
insert table: insert rows into a user's table
insert view: insert rows through a user's view
lock any table: lock any table
manage tablespace: manage tablespaces (backup and availability)
references table: create referential integrity constraints that reference the table
restricted session: create a session while the database is in restricted mode
select any sequence: use any sequence
select any table: query any table
select snapshot: query a snapshot
select sequence: use a user's sequence
select table: query a user's table
select view: query a user's view
unlimited tablespace: unlimited space in all tablespaces
update any table: modify rows in any table
update snapshot: modify rows in a snapshot
update table: modify rows in a user's table
update view: modify rows through a user's view
The security-related data dictionary views for privileges are:
ALL_TAB_PRIVS
ALL_TAB_PRIVS_MADE
ALL_TAB_PRIVS_RECD
DBA_SYS_PRIVS
DBA_ROLES
DBA_ROLE_PRIVS
ROLE_ROLE_PRIVS
ROLE_SYS_PRIVS
ROLE_TAB_PRIVS
SESSION_PRIVS
SESSION_ROLES
USER_SYS_PRIVS
USER_TAB_PRIVS