users,roles,profiles 6
7/31/2019 Users,Roles,Profiles 6
1/48
About User Accounts
For users to access your database, you must create user accounts and
grant appropriate database access privileges to those accounts. A user
account is identified by a user name and defines the attributes of the
user, including the following:
Authentication method
Password (encrypted) for database authentication
Default tablespaces for permanent and temporary data storage
Tablespace quotas
Account status (locked or unlocked)
Password status (expired or not)
When you create a user account, you must not only assign a user name,
a password, and default tablespaces for the account, but you must also
do the following:
Grant the appropriate system privileges, object privileges, and roles to the account.
If the user will be creating database objects, give the user account a space usage quota on each tablespace in which the objects will be created.
Oracle recommends that you grant each user just enough privileges to perform his job, and no more. For example, a database application
developer needs privileges to create and modify tables, indexes, views,
and stored procedures, but does not need (and should not be granted)
privileges to drop (delete) tablespaces or recover the database.
Predefined User Accounts
In addition to the user accounts that you create, the database includes a
number of user accounts that are automatically created upon
installation.
All databases include the administrative accounts SYS, SYSTEM,
SYSMAN, and DBSNMP. Administrative accounts are highly privileged
accounts, and should be used only by individuals authorized to perform
administrative tasks such as starting and stopping the database,
managing database memory and storage, creating and managing
database users, and so on. You log in to Oracle Enterprise Manager
Database Control (Database Control) with SYS, SYSTEM, or SYSMAN. The
Management Agent of Database Control uses the DBSNMP account to
monitor and manage the database. You assign the passwords for these
accounts when you create the database with Oracle Database Configuration Assistant (DBCA). You must not delete these accounts.
All databases also include internal accounts which are automatically
created so that individual Oracle Database features or components can
have their own schemas. An example is the WKSYS account, which is
used by Oracle Ultra Search. All Oracle Ultra Search database objects
are installed in the WKSYS schema. To protect these accounts from
unauthorized access, they are initially locked and their passwords are
expired.
(A locked account is an account for which login is disabled.) You must
not delete internal accounts, and you must not use them to log in to the
database.
Your database may also include sample schemas, which provide a way
for you to experiment without endangering production data. Each
sample schema has a user account associated with it. For example, the
hr user account owns the hr schema, which contains a set of simple tables for a human resources application. The sample schema accounts
are also initially locked and have an expired password. As the
database administrator, you are responsible for unlocking these
accounts and assigning passwords to these accounts.
About Administrative Accounts and Privileges
Administrative accounts and privileges enable you to perform
administrative functions such as managing users, managing database
memory, and starting up and shutting down the database.
SYS and SYSTEM Users
The following administrative user accounts are automatically created
when you install Oracle Database. They are both created with the
password that you supplied upon installation, and they are both
automatically granted the DBA role.
SYSTEM
This account can perform all administrative functions except the
following:
Backup and recovery
Database upgrade
It is recommended that you log in with this account to perform day-to-day administrative tasks.
SYS
This account can perform all administrative functions. All base
(underlying) tables and views for the database data dictionary are
stored in the SYS schema. These base tables and views are critical for
the operation of Oracle Database. To maintain the integrity of the data dictionary, tables in the SYS schema are manipulated only by the
database. They should never be modified by any user or database
administrator. You must not create any tables in the SYS schema. The
SYS user is granted the SYSDBA privilege, which enables a user to
perform high-level administrative tasks such as backup and recovery.
Creating a New User Account
You create a database user with the CREATE USER statement. To create
a user, you must have the CREATE USER system privilege. Because it is a powerful privilege, a database administrator or security administrator
is usually the only user who has the CREATE USER system privilege.
CREATE USER satya IDENTIFIED BY password
  DEFAULT TABLESPACE data_ts
  QUOTA 100M ON test_ts
  QUOTA 500K ON data_ts
  TEMPORARY TABLESPACE temp_ts
  PROFILE clerk;
GRANT CREATE SESSION TO satya;
A newly created user cannot connect to the database until you grant the
user the CREATE SESSION system privilege. So, immediately after you
create the user account, use the GRANT SQL statement to grant the user
this privilege. If the user must access Oracle Enterprise Manager, you
should also grant the user the SELECT ANY DICTIONARY privilege.
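The following script is an added example, not part of the original notes, that puts the steps above together: it creates an account that can log on but owns nothing yet, bounds its space with a quota, and then checks the result in the data dictionary instead of trusting the statement. It assumes the USERS and TEMP tablespaces exist (they do in a default installation), uses the DEFAULT profile, and the password is a placeholder to be replaced.

```sql
-- Added example (not from the original notes). Assumes tablespaces USERS
-- and TEMP exist and that the session holds CREATE USER plus the ability
-- to grant CREATE SESSION (for example the DBA role). Replace the
-- placeholder password before running.
CREATE USER satya
  IDENTIFIED BY "ChangeMe_Placeholder#1"
  DEFAULT TABLESPACE users
  QUOTA 50M ON users           -- bounded: the account cannot fill the tablespace
  TEMPORARY TABLESPACE temp    -- never leave temporary segments in SYSTEM
  PROFILE default
  PASSWORD EXPIRE;             -- force a password change at first login

-- The account is unusable until it may log on; grant nothing else yet.
GRANT CREATE SESSION TO satya;

-- Verify what the data dictionary now records for the account.
SELECT username, account_status, default_tablespace,
       temporary_tablespace, profile
  FROM dba_users
 WHERE username = 'SATYA';

-- MAX_BYTES = -1 would mean an unlimited quota; here it should be 52428800.
SELECT tablespace_name, max_bytes
  FROM dba_ts_quotas
 WHERE username = 'SATYA';

-- What the account can actually do: only CREATE SESSION should be listed.
SELECT privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'SATYA';
```

Run the three SELECTs again after every later GRANT or ALTER USER; the dictionary, not the script you think you ran, is the record of what the account can do.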
Specifying a User Name
Within each database, a user name must be unique with respect to
other user names and roles. A user and role cannot have the same
name. Furthermore, each user has an associated schema. Within a
schema, each schema object must have a unique name. In the
following example, the user name is satya:
CREATE USER satya IDENTIFIED BY password
  DEFAULT TABLESPACE data_ts
  QUOTA 100M ON test_ts
  QUOTA 500K ON data_ts
  TEMPORARY TABLESPACE temp_ts
  PROFILE clerk;
Assigning the User a Password
The connecting user must supply the correct password to the database
to connect successfully. To specify a password for the user, use the
IDENTIFIED BY clause in the CREATE USER statement.
CREATE USER satya IDENTIFIED BY password
  DEFAULT TABLESPACE data_ts
  QUOTA 100M ON test_ts
  QUOTA 500K ON data_ts
  TEMPORARY TABLESPACE temp_ts
  PROFILE clerk;
Assigning a Default Tablespace for the User
Each user should have a default tablespace. When a schema object is
created in the user's schema and the DDL statement does not specify a
tablespace to contain the object, Oracle Database stores the object in
the user's default tablespace.
The default setting for the default tablespaces of all users is the SYSTEM
tablespace. If a user does not create objects, and has no privileges to do
so, then this default setting is fine. However, if a user is likely to create
any type of object, then you should specifically assign the user a default
tablespace, such as the USERS tablespace. Using a tablespace other
than SYSTEM reduces contention between data dictionary objects and
user objects for the same data files. In general, do not store user data in
the SYSTEM tablespace.
You can use the CREATE TABLESPACE SQL statement to create a
permanent default tablespace other than SYSTEM to be used as the
database default for permanent objects. By separating the user data
from the system data, you reduce the likelihood of problems with the
SYSTEM tablespace, which can in some circumstances cause the entire
database to become nonfunctional. This default permanent tablespace is
not used by the system users SYS and SYSTEM, whose default
permanent tablespace is SYSTEM. A tablespace designated as the
default permanent tablespace cannot be dropped; to drop it, you must
first designate another tablespace as the default permanent tablespace.
You can use the ALTER TABLESPACE SQL statement to alter the default
permanent tablespace to another tablespace. Be aware that this affects
all users or objects created after the ALTER DDL statement commits.
You can also set a user default tablespace during user creation, and
change it later with the ALTER USER statement. Changing the user
default tablespace affects only objects created after the setting is changed.
When you specify the default tablespace for a user, also specify a quota
on that tablespace.
In the following CREATE USER statement, the default tablespace for user
satya is data_ts, and his quota on that tablespace is 500K:
CREATE USER satya IDENTIFIED BY password
  DEFAULT TABLESPACE data_ts
  QUOTA 100M ON test_ts
  QUOTA 500K ON data_ts
  TEMPORARY TABLESPACE temp_ts
  PROFILE clerk;
TO CHANGE THE DEFAULT TABLESPACE OF A USER:
SQL>ALTER USER satya DEFAULT TABLESPACE USERS;
SQL>ALTER USER satya QUOTA 4m ON USERS;
Default Permanent Tablespace
Oracle9i introduced the concept of a default temporary tablespace to
prevent people accidentally using the SYSTEM tablespace for temporary
segments. Oracle 10g takes this further by including a default
permanent tablespace to prevent users having their default tablespace
set to SYSTEM. The DEFAULT TABLESPACE clause in the CREATE
DATABASE statement allows the default tablespace to be created
and named. If this parameter is not set during creation, or needs to be
changed subsequently, it can be set using the following command.
ALTER DATABASE DEFAULT TABLESPACE users;
The current settings for the default tablespaces can be viewed using the
following query.
COLUMN property_name FORMAT A30
COLUMN property_value FORMAT A30
COLUMN description FORMAT A50
SET LINESIZE 200
SELECT * FROM database_properties WHERE property_name LIKE '%TABLESPACE';
PROPERTY_NAME                  PROPERTY_VALUE                 DESCRIPTION
------------------------------ ------------------------------ --------------------------------------------------
DEFAULT_TEMP_TABLESPACE        TEMP                           Name of default temporary tablespace
DEFAULT_PERMANENT_TABLESPACE   USERS                          Name of default permanent tablespace
Assigning a Tablespace Quota for the User
You can assign each user a tablespace quota for any tablespace (except
a temporary tablespace). Assigning a quota accomplishes the following:
Users with privileges to create certain types of objects can create those objects in the specified tablespace.
Oracle Database limits the amount of space that can be allocated for storage of a user's objects within the specified tablespace to the amount of the quota.
By default, a user has no quota on any tablespace in the database. If the user has the privilege to create a schema object, then you must assign a quota to allow the user to create objects. At a minimum, assign users a quota for the default tablespace, and additional quotas for other tablespaces in which they can create objects.
The following CREATE USER statement assigns the following quotas for the test_ts and data_ts tablespaces:
CREATE USER satya IDENTIFIED BY password
  DEFAULT TABLESPACE data_ts
  QUOTA 100M ON test_ts
  QUOTA 500K ON data_ts
  TEMPORARY TABLESPACE temp_ts
  PROFILE clerk;
You can assign a user either individual quotas for a specific amount of
disk space in each tablespace or an unlimited amount of disk space in all
tablespaces. Specific quotas prevent a user's objects from using too
much space in the database.
You can assign quotas to a user tablespace when you create the user, or
add or change quotas later. (You can find existing user quotas by
querying the USER_TS_QUOTAS view.) If a new quota is less than the
old one, then the following conditions remain true:
If a user has already exceeded a new tablespace quota, then the
objects of a user in the tablespace cannot be allocated more space until
the combined space of these objects is less than the new quota.
If a user has not exceeded a new tablespace quota, or if the space
used by the objects of the user in the tablespace falls under a new
tablespace quota, then the user's objects can be allocated space up to
the new quota.
Restricting the Quota Limits for User Objects in a Tablespace
You can restrict the quota limits for user objects in a tablespace by using
the ALTER USER SQL statement to change the current quota of the user
to zero. After a quota of zero is assigned, the objects of the user in the
tablespace remain, and the user can still create new objects, but the
existing objects will not be allocated any new space. For example, you
could not insert data into one of this user's existing tables. The operation
will fail with an ORA-1536 space quota exceeded for tables error.
Granting Users the UNLIMITED TABLESPACE System Privilege
To permit a user to use an unlimited amount of any tablespace in the
database, grant the user the UNLIMITED TABLESPACE system privilege.
This overrides all explicit tablespace quotas for the user. If you later
revoke the privilege, then you must explicitly grant quotas to individual
tablespaces. You can grant this privilege only to users, not to roles.
Before granting the UNLIMITED TABLESPACE system privilege, you must consider the consequences of doing so.
Advantage:
You can grant a user unlimited access to all tablespaces of a database with one statement.
Disadvantages:
The privilege overrides all explicit tablespace quotas for the user.
You cannot selectively revoke tablespace access from a user with the UNLIMITED TABLESPACE privilege. You can grant selective or restricted access only after revoking the privilege.
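The statements below are an added example (not from the original notes) covering the quota lifecycle described in the preceding sections: reading usage against quota, freezing an account's growth with a zero quota, finding accounts whose quotas are overridden by UNLIMITED TABLESPACE, and replacing that privilege with explicit quotas. They assume a user satya and a tablespace USERS exist, that satya had been granted UNLIMITED TABLESPACE, and that the session has DBA rights; the 100M figure is a constructed value.

```sql
-- Added example (not from the original notes). Assumes user satya,
-- tablespace USERS, and a session with DBA rights.

-- 1. Compare each user's consumption with the quota that bounds it.
--    MAX_BYTES = -1 means the quota on that tablespace is unlimited.
SELECT username, tablespace_name, bytes AS used_bytes,
       CASE max_bytes WHEN -1 THEN 'UNLIMITED'
                      ELSE TO_CHAR(max_bytes) END AS quota
  FROM dba_ts_quotas
 WHERE tablespace_name = 'USERS'
 ORDER BY username;

-- 2. Freeze growth for an account without touching its objects. Existing
--    rows stay readable; an insert that needs a new extent fails with ORA-1536.
ALTER USER satya QUOTA 0 ON users;

-- 3. Accounts whose quotas are meaningless because the privilege overrides
--    them. The privilege is granted to users, not roles, so the grantee is
--    the account itself (in older releases granting RESOURCE also granted
--    UNLIMITED TABLESPACE directly to the user, and those show up here too).
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'UNLIMITED TABLESPACE'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee;

-- 4. Replace the blanket privilege with explicit quotas. Revoking removes
--    the implicit unlimited quota, so grant the explicit one in the same step
--    or the account loses the ability to allocate any space at all.
REVOKE UNLIMITED TABLESPACE FROM satya;
ALTER USER satya QUOTA 100M ON users;   -- constructed figure; size per workload

-- 5. Confirm: satya must no longer appear in step 3, and step 1 must show
--    a numeric quota rather than UNLIMITED.
SELECT username, tablespace_name, max_bytes
  FROM dba_ts_quotas
 WHERE username = 'SATYA';
```

Steps 2 and 4 are independent operations shown side by side; in practice you run whichever the situation calls for, then re-run the two read-only queries to confirm the state you intended.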
Assigning a Temporary Tablespace for the User
You should assign each user a temporary tablespace. When a user executes a SQL statement that requires a temporary segment, Oracle Database stores the segment in
the temporary tablespace of the user. These temporary segments are created by the system when performing sort or join operations. Temporary segments are owned by SYS, which has resource privileges in all tablespaces.
In the following, the temporary tablespace of satya is temp_ts, a tablespace created explicitly to contain only temporary segments.
CREATE USER satya IDENTIFIED BY password
  DEFAULT TABLESPACE data_ts
  QUOTA 100M ON test_ts
  QUOTA 500K ON data_ts
  TEMPORARY TABLESPACE temp_ts
  PROFILE clerk;
To create a temporary tablespace, use the CREATE TEMPORARY TABLESPACE SQL statement.
If you do not explicitly assign the user a temporary tablespace, then
Oracle Database assigns the user the default temporary tablespace that
was specified at database creation, or by an ALTER DATABASE
statement at a later time. If there is no default temporary tablespace
explicitly assigned, then the default is the SYSTEM tablespace or another
permanent default established by the system administrator. Do not
store user data in the SYSTEM tablespace. Assigning a tablespace to be
used specifically as a temporary tablespace eliminates file contention
among temporary segments and other types of segments.
You can set the temporary tablespace for a user at user creation, and
change it later using the ALTER USER statement. If you are logged in as
user SYS, you can set a quota for the temporary tablespace, and other
space allocations. (Only user SYS can do this, because all space in the
temporary tablespace belongs to user SYS.) You can also establish
tablespace groups instead of assigning individual temporary
tablespaces.
TEMPFILEs are not recorded in the database's control file.
SQL> CREATE USER scott IDENTIFIED BY password DEFAULT TABLESPACE data TEMPORARY TABLESPACE temp;
SQL> ALTER USER scott TEMPORARY TABLESPACE temp;
About User Privileges and Roles
A privilege is a right to execute an SQL statement or to access another
user's object. User privileges provide a basic level of database security.
They are designed to control user access to data and to limit the kinds
of SQL statements that users can execute.
When creating a user, you grant privileges to enable the user to connect
to the database, to run queries and make updates, to create schema
objects, and more.
Privileges can be granted to both users and roles.
There are two main types of user privileges:
System privileges: A system privilege gives a user the ability to
perform a particular action, or to perform an action on any schema
objects of a particular type. For example, the system privilege CREATE
TABLE permits a user to create tables in the schema associated with
that user, and the system privilege CREATE USER permits a user to
create database users.
Object privileges: An object privilege gives a user the ability to perform a particular action on a specific schema object. Different object
privileges are available for different types of schema objects. The
privilege to select rows from the EMPLOYEES table or to delete rows
from the DEPARTMENTS table are examples
of object privileges.
A privilege can be assigned to a user or a role.
The set of privileges is fixed, that is, there is no SQL statement like
create privilege xyz...
1) System privileges
There are quite a few system privileges: in Oracle 9.2, we count 157 of them, and 10g has even 173. Those can be displayed with
SQL> select name from system_privilege_map;
A few examples of system privileges are
create table, create tablespace, create user, delete any table,
drop any table, drop any role, drop tablespace, drop user,
grant any object privilege, grant any privilege, grant any
role, select any table, update any table
The most important system privileges are:
create session (A user cannot log in without this privilege. If he tries, he gets an ORA-01045.)
create table
create view
create procedure
sysdba
sysoper
2) Object privileges
Privileges can be assigned on the following types of database objects:
Tables: select, insert, update, delete, alter, debug, flashback, on commit refresh, query rewrite, references, all
Views: select, insert, update, delete, under, references, flashback, debug
Sequences: alter, select
Packages, procedures, functions (Java classes, sources...): execute, debug
Materialized views: delete, flashback, insert, select, update
Directories: read, write
Libraries: execute
User-defined types: execute, debug, under
Operators: execute
Index types: execute
For a user to be able to access an object in another user's schema, he
needs the corresponding object privilege.
The object privileges on a table are:
ALTER: Change the table definition with the ALTER TABLE statement.
DELETE: Remove rows from the table with the DELETE statement. Note: You must grant the SELECT privilege on the table along with the DELETE privilege.
INDEX: Create an index on the table with the CREATE INDEX statement.
INSERT: Add new rows to the table with the INSERT statement.
REFERENCES: Create a constraint that refers to the table. You cannot grant this privilege to a role.
SELECT: Query the table with the SELECT statement.
UPDATE: Change data in the table with the UPDATE statement. Note: You must grant the SELECT privilege on the table along with the UPDATE privilege.
GRANT
GRANT is used to grant privileges on tables, views, and procedures to other users
or roles.
Examples
Suppose you own the emp table and want to grant the select, update, and insert
privileges on this table to another user, sami.
grant select, update, insert on emp to sami;
Suppose you want to grant all privileges on the emp table to sami. Then
grant all on emp to sami;
Suppose you want to grant select privilege on emp to all other users of
the database. Then
grant select on emp to public;
Suppose you want to grant the update and insert privileges on only certain
columns, not on all the columns; then include the column names in the grant
statement. For example, you want to grant the update privilege on the ename
column only and the insert privilege on the empno and ename columns only.
Then give the following statement:
grant update (ename),insert (empno, ename) on emp to sami;
To grant the select privilege on the emp table to sami and to allow sami to
pass this privilege on further, you have to give the WITH GRANT OPTION
clause in the GRANT statement like this:
grant select on emp to sami with grant option;
REVOKE
Used to revoke privileges already granted to other users.
For example, to revoke the select, update, and insert privileges you have granted
to sami, give the following statement.
revoke select, update, insert on emp from sami;
To revoke the select privilege on emp granted to public, give the following
command.
revoke select on emp from public;
To revoke the update privilege on the ename column and the insert privilege on
the empno and ename columns, give the following revoke statement.
revoke update, insert on emp from sami;
Note: You cannot take back column-level privileges. Suppose you just want to take back the insert privilege on the ename column; then you have to first take back the whole insert privilege and then grant the privilege on the empno column.
LISTING INFORMATION ABOUT PRIVILEGES
To see which table privileges are granted by you to other users.
SELECT * FROM USER_TAB_PRIVS_MADE;
To see which table privileges are granted to you by other users.
SELECT * FROM USER_TAB_PRIVS_RECD;
To see which column-level privileges are granted by you to other users.
SELECT * FROM USER_COL_PRIVS_MADE;
To see which column-level privileges are granted to you by other users.
SELECT * FROM USER_COL_PRIVS_RECD;
To see which privileges are granted to roles
SELECT * FROM USER_ROLE_PRIVS;
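The following is an added example, not part of the original notes, that walks the GRANT and REVOKE statements above through the dictionary views just listed, so the effect of each statement can be checked rather than assumed. It assumes you own the emp table and that users sami and scott exist; the scenario in which sami has passed SELECT on to scott is constructed for the illustration.

```sql
-- Added example (not from the original notes). Run as the owner of emp.
-- Assumes users sami and scott exist and can log on.

-- Column-level grants and a whole-table grant that sami may pass on.
GRANT UPDATE (ename), INSERT (empno, ename) ON emp TO sami;
GRANT SELECT ON emp TO sami WITH GRANT OPTION;

-- Who holds what on your tables, and whether they can pass it on.
-- GRANTABLE = YES marks the WITH GRANT OPTION grants.
SELECT grantee, table_name, privilege, grantor, grantable
  FROM user_tab_privs_made
 WHERE table_name = 'EMP'
 ORDER BY grantee, privilege;

-- Column-level grants are tracked separately from table-level ones.
SELECT grantee, table_name, column_name, privilege
  FROM user_col_privs_made
 WHERE table_name = 'EMP'
 ORDER BY grantee, column_name, privilege;

-- Constructed scenario: sami has meanwhile run
--   GRANT SELECT ON emp TO scott;
-- That grant also appears in user_tab_privs_made, with GRANTOR = SAMI,
-- because the table is yours. Revoking from sami cascades: scott loses it too.
REVOKE SELECT ON emp FROM sami;

SELECT grantee, privilege, grantor
  FROM user_tab_privs_made
 WHERE table_name = 'EMP' AND privilege = 'SELECT';
-- Neither SAMI nor SCOTT should be listed any more.

-- Column-level privileges come back only as a whole: to keep INSERT on
-- empno but not on ename, revoke INSERT entirely and grant the narrower one.
REVOKE INSERT ON emp FROM sami;
GRANT INSERT (empno) ON emp TO sami;

SELECT grantee, column_name, privilege
  FROM user_col_privs_made
 WHERE table_name = 'EMP' AND grantee = 'SAMI';
-- Expect a single row: SAMI, EMPNO, INSERT.
```

The cascade on REVOKE is the reason WITH GRANT OPTION deserves the same scrutiny as the privilege itself: the GRANTOR column is the only record of who extended access beyond the people you granted it to.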
ROLES:
Managing privileges is made easier by using roles, which are named groups of related privileges. You create roles, grant system and object privileges to the roles, and then grant roles to users. You can also grant roles to other roles. Unlike schema objects, roles are not contained in any schema. A role is a group of privileges. A role is very handy in managing privileges, particularly when a number of users should have the same set of privileges.
A role can be granted system or schema object privileges.
A role can be granted to other roles (an indirect grant).
However, a role cannot be granted to itself and cannot be granted circularly. For example, role A cannot be granted to role B if role B has
previously been granted to role A.
Table 7-1 lists three widely used roles that are predefined in Oracle
Database. You can grant these roles when you create a user or at any
time thereafter.
Table 7-1 Oracle Database Predefined Roles
CONNECT
Enables a user to connect to the database. Grant this role to any user or
application that needs database access.
RESOURCE
Enables a user to create, modify, and delete certain types of schema
objects in the schema associated with that user. Grant this role only to
developers and to other users that must create schema objects. This
role grants a subset of the CREATE object system privileges. For example,
it grants the CREATE TABLE system privilege, but does not grant the
CREATE VIEW system privilege. It grants only the following privileges:
CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR,
CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE,
CREATE TRIGGER, CREATE TYPE.
In addition, this role grants the UNLIMITED TABLESPACE system
privilege, which effectively assigns a space usage quota of
UNLIMITED on all tablespaces in which the user creates schema
objects.
DBA
Enables a user to perform most administrative functions, including
creating users and granting privileges; creating and granting roles;
creating, modifying, and deleting schema objects in any schema; and
more. It grants all system privileges, but does not include the privileges
to start up or shut down the database. This Role is by default granted to
users SYS and SYSTEM.
Examples: Suppose you have four users, Sami, Scott, Ashi, and Tanya, in the database. To these users you want to grant the select and update privileges on the emp table and the select and delete privileges on the dept table. To do this, first create a role by giving the following statement:
create role clerks;
Then grant privileges to this role:
grant select,update on emp to clerks;
grant select,delete on dept to clerks;
Now grant this clerks role to the users like this:
Syntax : GRANT role TO [user,] [role,]
grant clerks to sami, scott, ashi, tanya;
Now Sami, Scott, Ashi, and Tanya have all the privileges granted on the
clerks role.
Suppose after one month you want to grant the delete privilege on the emp table to all these users. Then just grant this privilege to the clerks role and automatically all the users will have the privilege.
grant delete on emp to clerks;
If you want to take back the update privilege on the emp table from these users, just take it back from the clerks role.
revoke update on emp from clerks;
To Drop a role
Drop role clerks;
To know the system privileges granted to a user or a role.
desc dba_sys_privs;
SQL> select GRANTEE,PRIVILEGE from dba_sys_privs where
GRANTEE='SYSTEM';
GRANTEE PRIVILEGE
------------------------------ ----------------------------------------
SYSTEM GLOBAL QUERY REWRITE
SYSTEM CREATE MATERIALIZED VIEW
SYSTEM CREATE TABLE
SYSTEM UNLIMITED TABLESPACE
SYSTEM SELECT ANY TABLE
SQL> select GRANTEE,PRIVILEGE from dba_sys_privs where
GRANTEE='DBA';
GRANTEE PRIVILEGE
------------------------------ ----------------------------------------
DBA DROP ANY CUBE BUILD PROCESS
DBA CREATE CUBE
DBA ALTER ANY CUBE DIMENSION
DBA ALTER ANY MINING MODEL
DBA DROP ANY MINING MODEL
GRANTEE is the Name of the user to whom access was granted
PRIVILEGE is the System privilege
To know the object privileges granted to a user or role, desc
dba_tab_privs.
SQL> select GRANTEE,OWNER,TABLE_NAME,GRANTOR,PRIVILEGE from
dba_tab_privs where GRANTEE='SYSTEM';
GRANTEE is the Name of the user to whom access was granted.
OWNER is the Owner of the object
TABLE_NAME is the Name of the object
GRANTOR is the Name of the user who performed the grant.
PRIVILEGE is the Privilege on the object
To know all the roles in the database query the dba_roles view.
Select * from dba_roles;
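The script below is an added example (not from the original notes) for the role section above: it builds the clerks role, nests a second role on top of it, and then answers the question the dba_sys_privs and dba_tab_privs queries above only answer for direct grants, namely what an account can do once privileges arriving through the whole role chain are counted. It assumes tables emp and dept in the current schema, users sami and scott, and a session with DBA rights; the role name clerk_leads is constructed.

```sql
-- Added example (not from the original notes). Assumes emp and dept in the
-- current schema, users sami and scott, and a session with DBA rights.

CREATE ROLE clerks;
GRANT SELECT, UPDATE ON emp  TO clerks;
GRANT SELECT, DELETE ON dept TO clerks;

-- A second role that inherits clerks. Nesting is allowed; cycles are not.
CREATE ROLE clerk_leads;                 -- constructed name
GRANT clerks TO clerk_leads;
-- GRANT clerk_leads TO clerks;          -- would fail: circular role grant

GRANT clerks      TO sami;
GRANT clerk_leads TO scott;

-- Resolve the full role chain for one account, direct and nested.
-- depth 1 is a role granted to the account itself; deeper rows are roles
-- reached only through another role.
SELECT LEVEL AS depth, granted_role, admin_option
  FROM dba_role_privs rp
 START WITH rp.grantee = 'SCOTT'
CONNECT BY PRIOR rp.granted_role = rp.grantee
 ORDER BY depth, granted_role;

-- Effective system privileges: granted directly to the account, or to any
-- role in that chain. Roles appear as GRANTEE in dba_sys_privs, so one view
-- serves both cases; the via column says where each privilege comes from.
SELECT grantee AS via, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'SCOTT'
    OR grantee IN (SELECT rp.granted_role
                     FROM dba_role_privs rp
                    START WITH rp.grantee = 'SCOTT'
                  CONNECT BY PRIOR rp.granted_role = rp.grantee)
 ORDER BY via, privilege;

-- The same resolution for object privileges. For scott this should list
-- SELECT/UPDATE on EMP and SELECT/DELETE on DEPT, all via CLERKS, even though
-- scott was never granted clerks directly.
SELECT grantee AS via, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'SCOTT'
    OR grantee IN (SELECT rp.granted_role
                     FROM dba_role_privs rp
                    START WITH rp.grantee = 'SCOTT'
                  CONNECT BY PRIOR rp.granted_role = rp.grantee)
 ORDER BY via, owner, table_name, privilege;
```

The CONNECT BY walk is what makes a role review honest: a role that looks harmless at depth 1 can carry a powerful one two levels down, and a query that stops at dba_role_privs for the user alone never sees it.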
SYSDBA and SYSOPER System Privileges
SYSDBA and SYSOPER are administrative privileges required to perform
high-level administrative operations such as creating, starting up,
shutting down, backing up, or recovering the database. The SYSDBA
system privilege is for fully empowered database administrators and the
SYSOPER system privilege allows a user to perform basic operational
tasks, but without the ability to look at user data.
The SYSDBA and SYSOPER system privileges allow access to a database instance even when the database is not open. Control of these privileges
is therefore completely outside of the database itself. This enables an
administrator who is granted one of these privileges to connect to the
database instance to start the database.
You can also think of the SYSDBA and SYSOPER privileges as types of
connections that enable you to perform certain database operations for
which privileges cannot be granted in any other way. For example, if you
have the SYSDBA privilege, then you can connect to the database using
AS SYSDBA.
The SYS user is automatically granted the SYSDBA privilege upon
installation. When you log in as user SYS, you must connect to the database as SYSDBA. Connecting as a SYSDBA user invokes the SYSDBA
privilege. Oracle Enterprise Manager Database Control does not permit
you to log in as user SYS without connecting as SYSDBA.
When you connect with SYSDBA or SYSOPER privileges, you connect
with a default schema, not with the schema that is generally associated
with your user name. For SYSDBA this schema is SYS; for SYSOPER the
schema is PUBLIC.
When you connect as user SYS, you have unlimited privileges on data
dictionary tables. Be certain that you do not modify any data dictionary
tables.
When you create a user account, you are also implicitly creating a
schema for that user. A schema is a logical container for the database
objects (such as tables, views, triggers, and so on) that the user creates.
The schema name is the same as the user name, and can be used to unambiguously refer to objects owned by the user. For example,
hr.employees refers to the table named employees in the hr schema.
(The employees table is owned by hr.) The terms database object and
schema object are used interchangeably.
Who Should Be Granted Privileges?
You grant privileges to users so
they can accomplish tasks required for their jobs. You should grant a
privilege only to a user who requires that privilege to accomplish the
necessary work. Excessive granting of unnecessary privileges can
compromise security. For example, you never should grant SYSDBA or
SYSOPER privilege to users who do not perform administrative tasks. A
user can receive a privilege in two ways: You can grant privileges to
users explicitly. For example, you can explicitly grant to user psmith the
privilege to insert records into the employees table. You also can grant
privileges to a role (a named group of privileges), and then grant the
role to one or more users. For example, you can grant the privileges to
select, insert, update, and delete records from the employees table to
the role named clerk, which in turn you can grant to users psmith and
robert. Because roles allow for easier and better management of
privileges, you should usually grant privileges to roles and not to specific
users.
About ANY Privileges and the PUBLIC Role
System privileges that
use the ANY keyword enable you to set privileges for an entire category
of objects in the database. For example, the CREATE ANY PROCEDURE
system privilege permits a user to create a procedure anywhere in the
database. The behavior of an object created by users with the ANY privilege is not restricted to the schema in which it was created. For
example, if user JSMITH has the CREATE ANY PROCEDURE privilege and
creates a procedure in the schema JONES, then the procedure will run as
JONES. However, JONES may not be aware that the procedure JSMITH
created is running as him (JONES). If JONES has DBA privileges, letting
JSMITH run a procedure as JONES could pose a security violation. The
PUBLIC role is a special role that every database user account
automatically has when the account is created. By default, it
has no privileges granted to it, but it does have numerous grants, mostly to Java objects. You cannot drop the PUBLIC role,
and a manual grant or revoke of this role has no meaning,
because the user account will always assume this role. Because
all database user accounts assume the PUBLIC role, it does not
appear in the DBA_ROLES and SESSION_ROLES data dictionary
views. You can grant privileges to the PUBLIC role, but
remember that this makes the privileges available to every user
in the Oracle database. For this reason, be careful about granting
privileges to the PUBLIC role, particularly powerful privileges such as the
ANY privileges and system privileges. For example, if JSMITH has the CREATE PUBLIC SYNONYM privilege, he could redefine an interface that
he knows everyone else uses, and then point to it with the PUBLIC
SYNONYM that he created. Instead of accessing the correct interface,
users would access the interface of JSMITH, which could possibly
perform illegal activities such as stealing the login credentials of users.
These types of privileges are very powerful and could pose a security
risk if given to the wrong person. Be careful about granting privileges using ANY or PUBLIC. As with all privileges, you should follow the principle of "least privilege" when granting these privileges to users. To protect the data dictionary (the contents of the SYS schema) against users who have one or more of the powerful ANY system privileges, set the O7_DICTIONARY_ACCESSIBILITY initialization parameter to FALSE. You can set this parameter by using an ALTER SYSTEM statement.
To list all the users in the database, query the DBA_USERS view. This view also provides information about each user's default tablespace and temporary tablespace, the status of the account (whether it is locked or open), the date the account was locked, when the account will expire, and so on.
How to grant all privileges in Oracle
This is a short paper showing how to grant "all privileges" to a user in Oracle and more importantly what privileges are needed to do this. This was a posting I made to one of the newsgroups/mailing lists recently. This is for information only as it is useful to know BUT one important fact that should be highlighted here is that I cannot think of any circumstances when ALL PRIVILEGES should be granted to anyone. It is simply unnecessary. Do the job correctly and find out the exact privileges needed for the job in hand and grant those. Granting all privileges is a security risk as it means the user having those privileges can do just about anything in your database.
Remember use least privilege principle at all times and grant what is needed. Do not grant everything just to get the job done quickly. Here is the example code!
Connected to:
Personal Oracle9i Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production

SQL>
SQL> sho user
USER is "SYSTEM"
SQL> select * from system_privilege_map
  2  where name like '%PRIV%';

 PRIVILEGE NAME                                       PROPERTY
---------- ---------------------------------------- ----------
      -167 GRANT ANY PRIVILEGE                               0
      -244 GRANT ANY OBJECT PRIVILEGE                        0

SQL>
SQL> -- Create a new user with just create session (to log on) and grant
SQL> -- any privilege to, well grant all privileges.
SQL> create user emil identified by emil;

User created.

SQL> grant create session, grant any privilege to emil;

Grant succeeded.

SQL> -- because we want to test this privilege create a second user to
SQL> -- test it with
SQL> create user zulia identified by zulia;

User created.

SQL> -- connect as emil and grant all privileges to Zulia
SQL> connect emil/emil@sans
Connected.
SQL> grant all privileges to zulia;

Grant succeeded.

SQL> -- connect as system and find out if it worked.
SQL> connect system/manager@sans
Connected.
SQL> select count(*),grantee
  2  from dba_sys_privs
  3  where grantee in ('MDSYS','EMIL','ZULIA')
  4* group by grantee
SQL> /

  COUNT(*) GRANTEE
---------- ------------------------------
         2 EMIL
       139 MDSYS
       139 ZULIA

SQL>
We used MDSYS as a checkpoint as MDSYS has all privileges granted to it by default in a default installation of Oracle. The privilege you need therefore is GRANT ANY PRIVILEGE.
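The ANY/PUBLIC discussion and the GRANT ANY PRIVILEGE experiment above both come down to the same defender's check: who holds the privileges that let an account act outside its own schema, or hand privileges to others. The following SQL*Plus script is an added example written for this page; it is neither Oracle's documentation code nor part of the quoted paper. It assumes a DBA-privileged session and uses only the standard DBA_SYS_PRIVS, DBA_ROLES, DBA_ROLE_PRIVS and V$PARAMETER views; the list of excluded built-in accounts and the count threshold of 100 are constructed values to be adjusted per instance.

```sql
-- Privilege audit (added example). Run as a DBA-privileged user in SQL*Plus.
SET LINESIZE 160 PAGESIZE 100

-- 1. System privileges granted directly to PUBLIC: every account has these.
SELECT privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'PUBLIC'
 ORDER BY privilege;

-- 2. Holders of the ANY privileges (including GRANT ANY PRIVILEGE and
--    GRANT ANY OBJECT PRIVILEGE from the paper) and of the PUBLIC object
--    privileges such as CREATE PUBLIC SYNONYM. Built-in accounts that hold
--    them by design are excluded; the list is a constructed starting point.
SELECT p.grantee,
       CASE WHEN r.role IS NULL THEN 'USER' ELSE 'ROLE' END AS grantee_type,
       p.privilege,
       p.admin_option
  FROM dba_sys_privs p
  LEFT JOIN dba_roles r ON r.role = p.grantee
 WHERE (p.privilege LIKE '% ANY %' OR p.privilege LIKE '%PUBLIC%')
   AND p.grantee NOT IN ('SYS', 'SYSTEM', 'DBA', 'MDSYS', 'SYSMAN', 'DBSNMP')
 ORDER BY p.grantee, p.privilege;

-- 3. Direct system-privilege count per grantee, the same check the paper makes.
--    An account whose count approaches the MDSYS count has effectively been
--    given ALL PRIVILEGES. The threshold 100 is constructed; compare it with
--    the MDSYS row on the instance being audited.
SELECT grantee, COUNT(*) AS sys_priv_count
  FROM dba_sys_privs
 GROUP BY grantee
HAVING COUNT(*) >= 100
 ORDER BY sys_priv_count DESC;

-- 4. ANY privileges reached through a role (one level of nesting), and who
--    holds that role. Roles do not show up in the direct-grant queries above.
SELECT rp.grantee, rp.granted_role, sp.privilege
  FROM dba_role_privs rp
  JOIN dba_sys_privs sp ON sp.grantee = rp.granted_role
 WHERE sp.privilege LIKE '% ANY %'
   AND rp.grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY rp.grantee, rp.granted_role, sp.privilege;

-- 5. Data-dictionary protection against ANY privilege holders.
SELECT name, value
  FROM v$parameter
 WHERE name = 'o7_dictionary_accessibility';

-- The parameter is static, so the change is written to the spfile and only
-- takes effect when the instance is next restarted.
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
```

Each result set is meant to be compared with a recorded baseline: a new row in query 2 or 4, or a grantee crossing the threshold in query 3, is what a privilege review should flag, after which the grant is replaced with the specific object or system privileges the job actually needs.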
Setting a Default Role for the User
A role is a named group of related privileges that you grant as a group
to users or other roles. A default role is automatically enabled for a user
when the user creates a session. You can assign a user zero or more
default roles.
You cannot set default roles for a user in the CREATE USER statement.
When you first create a user, the default role setting for the user is ALL,
which causes all roles
Note: If your SYSTEM tablespace is locally managed, then users must be assigned a specific default (locally managed) temporary tablespace. They may not be allowed to default to using the SYSTEM tablespace because temporary objects cannot be placed in locally managed permanent tablespaces.
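As an added illustration of the default-role setting described above (not from the original notes), the statements below create a role, grant it to a user, make it non-default so it is active only when the user explicitly enables it, and then verify the result. The role payroll_admin, the user jsmith, the table hr.salaries and the tablespace names are hypothetical.

```sql
-- Added example: controlling which roles are enabled at login.
-- Role, user, table and tablespace names are hypothetical.
CREATE ROLE payroll_admin;
GRANT SELECT, UPDATE ON hr.salaries TO payroll_admin;

CREATE USER jsmith IDENTIFIED BY "Ch4ngeMe-Now"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 10M ON users;
-- CREATE SESSION is a system privilege, not a role, so login keeps working
-- whatever the default-role setting is.
GRANT CREATE SESSION TO jsmith;

-- Default roles cannot be set in CREATE USER: grant the role first, then use
-- ALTER USER. A freshly created user has DEFAULT ROLE ALL, so every granted
-- role would otherwise be enabled at login. NONE enables no role automatically;
-- ALL EXCEPT payroll_admin would keep every other role enabled.
GRANT payroll_admin TO jsmith;
ALTER USER jsmith DEFAULT ROLE NONE;

-- The user enables the role only for the work that needs it, and drops it again:
--   SET ROLE payroll_admin;
--   SET ROLE NONE;

-- Verify: DEFAULT_ROLE shows YES or NO for each granted role.
SELECT grantee, granted_role, default_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'JSMITH';
```

Keeping a privileged role non-default means an application that connects as the user, or a stolen session, does not carry the role's privileges unless SET ROLE is issued, which narrows what a compromise of that account can reach by default.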
What is a profile?
A profile is a set of limits on database resources and password access to the database.
Specifying a Profile for the User
You can specify a profile when you create a user. If you do not specify a
profile, then Oracle Database assigns the user a default profile.
The following example demonstrates how to assign a user a profile.
CREATE USER satya IDENTIFIED BY password
  DEFAULT TABLESPACE data_ts
  QUOTA 100M ON test_ts
  QUOTA 500K ON data_ts
  TEMPORARY TABLESPACE temp_ts
  PROFILE clerk;
If you assign the profile to a user, then that user cannot exceed these
limits.
Prerequisites
To create a profile, you must have the CREATE PROFILE system privilege.
To specify resource limits for a user, you must:
Create a profile that defines the limits using the CREATE PROFILE statement
Assign the profile to the user using the CREATE USER or ALTER USER statement
Enable resource limits dynamically with the ALTER SYSTEM statement or with the initialization parameter RESOURCE_LIMIT. This parameter does not apply to password resources. Password resources are always enabled.
RESOURCE_LIMIT
Property          Description
Parameter type    Boolean
Default value     false
Modifiable        ALTER SYSTEM
Range of values   true | false
RESOURCE_LIMIT determines whether resource limits are enforced in database profiles.
Values:
TRUE    Enables the enforcement of resource limits
FALSE   Disables the enforcement of resource limits
profile
Specify the name of the profile to be created. Use profiles to limit the database resources available to a user for a single call or a single session.
Oracle Database enforces resource limits in the following ways:
If a user exceeds the CONNECT_TIME or IDLE_TIME session resource limit, then the database rolls back the current transaction and ends the session. When the user process next issues a call, the database returns an error.
If a user attempts to perform an operation that exceeds the limit for other session resources, then the database aborts the operation, rolls back the current statement, and immediately returns an error. The user can then commit or roll back the current transaction, and must then end the session.
If a user attempts to perform an operation that exceeds the limit for a single call, then the database aborts the operation, rolls back the current statement, and returns an error, leaving the current transaction intact.
UNLIMITED
When specified with a resource parameter, UNLIMITED indicates that a user assigned this profile can use an unlimited amount of this resource. When specified with a password parameter, UNLIMITED indicates that no limit has been set for the parameter.
DEFAULT
Specify DEFAULT if you want to omit a limit for this resource in this profile. A user assigned this profile is subject to the limit for this
resource specified in the DEFAULT profile. The DEFAULT profile initially defines unlimited resources. You can change those limits with the ALTER PROFILE statement.
Any user who is not explicitly assigned a profile is subject to the limits defined in the DEFAULT profile. Also, if the profile that is explicitly assigned to a user omits limits for some resources or specifies DEFAULT for some limits, then the user is subject to the limits on those resources defined by the DEFAULT profile.
resource_parameters
SESSIONS_PER_USER
Specify the number of concurrent sessions to which you want to limit the user.
CPU_PER_SESSION
Specify the CPU time limit for a session, expressed in hundredths of seconds.
CPU_PER_CALL
Specify the CPU time limit for a call (a parse, execute, or fetch), expressed in hundredths of seconds.
CONNECT_TIME
Specify the total elapsed time limit for a session, expressed in minutes.
IDLE_TIME
Specify the permitted periods of continuous inactive time during a session, expressed in minutes. Long-running queries and other operations are not subject to this limit.
PRIVATE_SGA
Specify the amount of private space a session can allocate in the shared pool of the system global area (SGA), expressed in bytes.
Note: This limit applies only if you are using shared server architecture. The private space for a session in the SGA includes private SQL and PL/SQL areas, but not shared SQL and PL/SQL areas.
password_parameters
Use the following clauses to set password parameters. Parameters that set lengths of time are interpreted in number of days. For testing purposes you can specify minutes (n/1440) or even seconds (n/86400).
FAILED_LOGIN_ATTEMPTS
Specify the number of failed attempts to log in to the user account before the account is locked.
CREATE PROFILE app_user2 LIMIT FAILED_LOGIN_ATTEMPTS 5;
PASSWORD_LIFE_TIME
Specify the number of days the same password can be used for authentication. If you also set a value for PASSWORD_GRACE_TIME, the password expires if it is not changed within the grace period, and further connections are rejected. If you do not set a value for PASSWORD_GRACE_TIME, its default of UNLIMITED will cause the database to issue a warning but let the user continue to connect indefinitely.
CREATE PROFILE app_user2 LIMIT PASSWORD_LIFE_TIME 60;
PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX
These two parameters must be set in conjunction with each other. PASSWORD_REUSE_TIME specifies the number of days before which a password cannot be reused. PASSWORD_REUSE_MAX specifies the number of password changes required before the current password can be reused. For these parameters to have any effect, you must specify an integer for both of them.
If you specify an integer for both of these parameters, then the user cannot reuse a password until the password has been changed the number of times specified for PASSWORD_REUSE_MAX during the number of days specified for PASSWORD_REUSE_TIME.
For example, if you specify PASSWORD_REUSE_TIME to 30 and PASSWORD_REUSE_MAX to 10, then the user can reuse the password after 30 days if the password has already been changed 10 times.
If you specify an integer for either of these parameters and specify UNLIMITED for the other, then the user can never reuse a password.
If you specify DEFAULT for either parameter, then Oracle Database uses the value defined in the DEFAULT profile. By default, all parameters are set to UNLIMITED in the DEFAULT profile. If you have not changed the default setting of UNLIMITED in the DEFAULT profile, then the database treats the value for that parameter as UNLIMITED.
If you set both of these parameters to UNLIMITED, then the database ignores both of them.
PASSWORD_LOCK_TIME
Specify the number of days an account will be locked after the specified number of consecutive failed login attempts.
PASSWORD_GRACE_TIME
Specify the number of days after the grace period begins during which a warning is issued and login is allowed. If the password is not changed during the grace period, the password expires.
PASSWORD_VERIFY_FUNCTION
The PASSWORD_VERIFY_FUNCTION clause lets a PL/SQL password complexity verification script be passed as an argument to the CREATE PROFILE statement. Oracle Database provides a default script, but you can create your own routine or use third-party software instead.
For function, specify the name of the password complexity verification routine.
Specify NULL to indicate that no password verification is performed.
If you specify expr for any of the password parameters, the expression can be of any form except a scalar subquery expression.
Examples
Creating a Profile: Example
The following statement creates the profile new_profile:
CREATE PROFILE new_profile LIMIT PASSWORD_REUSE_MAX 10
PASSWORD_REUSE_TIME 30;
Setting Profile Resource Limits: Example
The following statement creates the profile app_user:
CREATE PROFILE app_user LIMIT
SESSIONS_PER_USER UNLIMITED
CPU_PER_SESSION UNLIMITED
CPU_PER_CALL 3000
CONNECT_TIME 45
LOGICAL_READS_PER_SESSION DEFAULT
LOGICAL_READS_PER_CALL 1000
PRIVATE_SGA 15K
COMPOSITE_LIMIT 5000000;
If you assign the app_user profile to a user, the user is subject to the following limits in subsequent sessions:
The user can have any number of concurrent sessions.
In a single session, the user can consume an unlimited amount of CPU time.
A single call made by the user cannot consume more than 30 seconds of CPU time.
A single session cannot last for more than 45 minutes.
In a single session, the number of data blocks read from memory and disk is subject to the limit specified in the DEFAULT profile.
A single call made by the user cannot read more than 1000 data blocks from memory and disk.
A single session cannot allocate more than 15 kilobytes of memory in the SGA.
In a single session, the total resource cost cannot exceed 5 million service units. The formula for calculating the total resource cost is specified by the ALTER RESOURCE COST statement.
Since the app_user profile omits a limit for IDLE_TIME and for password limits, the user is subject to the limits on these resources specified in the DEFAULT profile.
Setting Profile Password Limits: Example
The following statement creates the app_user2 profile with password
limits values set:
CREATE PROFILE app_user2 LIMIT
FAILED_LOGIN_ATTEMPTS 5
PASSWORD_LIFE_TIME 60
PASSWORD_REUSE_TIME 60
PASSWORD_REUSE_MAX 5
PASSWORD_VERIFY_FUNCTION verify_function
PASSWORD_LOCK_TIME 1/24
PASSWORD_GRACE_TIME 10;
This example uses the default Oracle Database password verification
function, verify_function.
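The PASSWORD_VERIFY_FUNCTION section says you can supply your own verification routine instead of the shipped verify_function used in the app_user2 example. The following is an added example of such a routine and of a profile that applies it; it was written for this page and is not Oracle's own script. It assumes Oracle 10g or later (for REGEXP_LIKE), that the function is created while connected as SYSDBA (Oracle requires the routine to live in the SYS schema), and that it takes the three arguments Oracle passes: user name, new password, old password. The function name strict_pw_verify, the profile name strict_pw and the user satya are illustrative.

```sql
-- Added example: a custom password complexity function and a profile that uses it.
-- Create the function as SYS; the profile then references it by name.
CREATE OR REPLACE FUNCTION strict_pw_verify (
    username      VARCHAR2,
    password      VARCHAR2,
    old_password  VARCHAR2
) RETURN BOOLEAN
IS
    l_diff  PLS_INTEGER := 0;
BEGIN
    -- Length: at least 12 characters.
    IF LENGTH(password) < 12 THEN
        RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 12 characters');
    END IF;

    -- Must not contain the user name or the string "oracle", in any case.
    IF INSTR(UPPER(password), UPPER(username)) > 0
       OR INSTR(UPPER(password), 'ORACLE') > 0 THEN
        RAISE_APPLICATION_ERROR(-20002, 'Password must not contain the user name or "oracle"');
    END IF;

    -- Character classes: upper, lower, digit and at least one non-alphanumeric.
    -- POSIX classes avoid NLS-dependent behaviour of [A-Z] ranges; 'c' forces
    -- a case-sensitive match.
    IF NOT REGEXP_LIKE(password, '[[:upper:]]', 'c')
       OR NOT REGEXP_LIKE(password, '[[:lower:]]', 'c')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]')
       OR NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
        RAISE_APPLICATION_ERROR(-20003,
            'Password needs upper, lower, digit and special characters');
    END IF;

    -- When the old password is available, require at least 4 differing
    -- positions so that trivial increments (Secret1! -> Secret2!) are rejected.
    IF old_password IS NOT NULL THEN
        FOR i IN 1 .. GREATEST(LENGTH(password), LENGTH(old_password)) LOOP
            IF NVL(SUBSTR(password, i, 1), '~') <> NVL(SUBSTR(old_password, i, 1), '~') THEN
                l_diff := l_diff + 1;
            END IF;
        END LOOP;
        IF l_diff < 4 THEN
            RAISE_APPLICATION_ERROR(-20004, 'Password differs too little from the previous one');
        END IF;
    END IF;

    RETURN TRUE;
END strict_pw_verify;
/

-- Profile combining lockout, ageing, reuse history and the function above.
-- Time values are in days, so 1/24 is one hour (30/1440 would be 30 minutes).
CREATE PROFILE strict_pw LIMIT
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24
    PASSWORD_LIFE_TIME       90
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_TIME      365
    PASSWORD_REUSE_MAX       10
    PASSWORD_VERIFY_FUNCTION strict_pw_verify;

-- Assign it. Password limits are enforced whatever RESOURCE_LIMIT is set to.
ALTER USER satya PROFILE strict_pw;

-- Confirm the limits that are now in force for this profile.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'STRICT_PW'
   AND resource_type = 'PASSWORD'
 ORDER BY resource_name;

-- The new rules only apply when a password is next set; expire the current
-- one so the user is forced through the function at the next login.
ALTER USER satya PASSWORD EXPIRE;
```

The function reports a failure by raising an error rather than returning FALSE, so the user sees the specific rule that was broken; the fourth check only runs when Oracle passes the old password, which it does not for an administrator-initiated reset.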
Deleting User Accounts
When you drop a user account, Oracle Database removes the user account and associated schema from the data dictionary. It also immediately drops all schema objects contained in the user schema, if any.
A user that is currently connected to a database cannot be dropped. To drop a connected user, you must first terminate the user sessions using the SQL statement ALTER SYSTEM with the KILL SESSION clause. You can find the session ID (SID) by querying the V$SESSION view.
Example 23 shows how to query V$SESSION and displays the session ID, serial number, and user name for user ANDY.
Example 23 Querying V$SESSION for the Session ID of a User
SELECT SID, SERIAL#, USERNAME FROM V$SESSION;
SID     SERIAL#         USERNAME
------- --------------- ----------------------
127     55234           ANDY
...
Example 24 shows how to stop the session for user andy.
Example 24 Killing a User Session
ALTER SYSTEM KILL SESSION '127, 55234';
You can drop a user from a database using the DROP USER statement. To drop a user and all the user schema objects (if any), you must have the DROP USER system privilege. Because the DROP USER system privilege is powerful, a security administrator is typically the only type of user that has this privilege.
If the schema of the user contains any dependent schema objects, then use the CASCADE option to drop the user and all associated objects and foreign keys that depend on the tables of the user successfully. If you do not specify CASCADE and the user schema contains dependent objects, then an error message is returned and the user is not dropped.
Before dropping a user whose schema contains objects, thoroughly investigate which objects the schema contains and the implications of dropping them. You can find the objects owned by a particular user by querying the DBA_OBJECTS view.
Example 25 shows how to find the objects owned by user andy.
Example 25 Finding Objects Owned by a User
SELECT OWNER, OBJECT_NAME FROM DBA_OBJECTS WHERE OWNER LIKE 'ANDY';
Notes:
If a user schema and associated objects must remain but the user must be denied access to the database, then revoke the CREATE SESSION privilege from the user.
Do not attempt to drop the SYS or SYSTEM user. Doing so corrupts your database.
(Enter the user name in capital letters.) Pay attention to any unknown cascading effects. For example, if you intend to drop a user who owns a table, then check whether any views or procedures depend on that particular table.
Example 26 drops the user andy and all associated objects and foreign keys that depend on the tables owned by andy.
Example 26 Dropping a User Account
DROP USER andy CASCADE;
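Putting the steps of this section together, the script below is an added example (not from the Oracle documentation) of removing an account in a way that first finds out what the drop will break. It uses the views the text names (V$SESSION, DBA_OBJECTS) together with DBA_DEPENDENCIES and DBA_CONSTRAINTS to surface cross-schema dependencies and foreign keys, and shows the lock-instead-of-drop alternative from the Notes. The user name ANDY follows the text; the session ID and serial number in the commented-out KILL SESSION line are the text's sample values and must be replaced with what V$SESSION returns on your own instance.

```sql
-- Added example: decommissioning a user account safely. Run as a DBA in SQL*Plus.
SET VERIFY OFF
-- User name as in the text (must be upper case to match the dictionary).
DEFINE target_user = ANDY

-- 1. Stop new logins first, so the inventory below cannot change under you.
--    Locking keeps the schema intact; it is also the answer when the objects
--    must stay but the person must lose access (as the Notes above describe).
ALTER USER &target_user ACCOUNT LOCK;

-- 2. Find live sessions. The account cannot be dropped while any exist.
SELECT sid, serial#, status, osuser, machine, logon_time
  FROM v$session
 WHERE username = '&target_user';

-- 3. Terminate each session found above (sample values from the text; replace
--    them). IMMEDIATE rolls back in-flight work and returns control at once.
-- ALTER SYSTEM KILL SESSION '127,55234' IMMEDIATE;

-- 4. Inventory: what does the schema own?
SELECT object_type, COUNT(*) AS objects
  FROM dba_objects
 WHERE owner = '&target_user'
 GROUP BY object_type
 ORDER BY object_type;

-- 5a. Cascading effects: objects in OTHER schemas (views, procedures, synonyms)
--     that reference this user's objects become invalid after the drop.
SELECT owner, name, type, referenced_name, referenced_type
  FROM dba_dependencies
 WHERE referenced_owner = '&target_user'
   AND owner <> '&target_user'
 ORDER BY owner, name;

-- 5b. Foreign keys in other schemas that point at this user's tables are
--     dropped by CASCADE, silently removing referential integrity elsewhere.
SELECT c.owner, c.table_name, c.constraint_name,
       r.owner AS ref_owner, r.table_name AS ref_table
  FROM dba_constraints c
  JOIN dba_constraints r
    ON r.owner = c.r_owner
   AND r.constraint_name = c.r_constraint_name
 WHERE c.constraint_type = 'R'
   AND r.owner = '&target_user'
   AND c.owner <> '&target_user'
 ORDER BY c.owner, c.table_name;

-- 6. Only after the lists above have been reviewed (and objects exported or
--    reassigned where needed) drop the account with its schema. Without
--    CASCADE the statement fails if the schema owns anything.
DROP USER &target_user CASCADE;
```

Steps 5a and 5b are the practical form of the text's "pay attention to any unknown cascading effects": DBA_OBJECTS only shows what the user owns, while the dependency and constraint views show what other schemas will lose when it goes.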
Using Data Dictionary Views to Find Information About Users and Profiles
Table 21 lists data dictionary views that contain information about database users and profiles. For detailed information about these views, see Oracle Database Reference.
See Also: Oracle Database Administrator's Guide for more information about terminating sessions
Table 21 Data Dictionary Views That Display Information about Users and Profiles
View                    Description
ALL_OBJECTS             Describes all objects accessible to the current user
ALL_USERS               Lists users visible to the current user, but does not describe them
DBA_PROFILES            Displays all profiles and their limits
DBA_TS_QUOTAS           Describes tablespace quotas for users
DBA_OBJECTS             Describes all objects in the database
DBA_USERS               Describes all users of the database
DBA_USERS_WITH_DEFPWD   Lists all user accounts that have default passwords
PROXY_USERS             Describes users who can assume the identity of other users
RESOURCE_COST           Lists the cost for each resource in terms of CPUs for each session, reads for each session, connection times, and SGA
USER_PASSWORD_LIMITS    Describes the password profile parameters that are assigned to the user
USER_RESOURCE_LIMITS    Displays the resource limits for the current user
USER_TS_QUOTAS          Describes tablespace quotas for users
USER_OBJECTS            Describes all objects owned by the current user
USER_USERS              Describes only the current user
V$SESSION               Lists session information for each current session, includes user name
V$SESSTAT               Lists user session statistics
V$STATNAME              Displays decoded statistic names for the statistics shown in the V$SESSTAT view
The following sections present examples of using these views. These examples assume
that the following statements have been run:
CREATE PROFILE clerk LIMIT
  SESSIONS_PER_USER 1
  IDLE_TIME 30
  CONNECT_TIME 600;
CREATE USER jfee
  IDENTIFIED BY password
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp_ts
  QUOTA 500K ON users
  PROFILE clerk;
CREATE USER dcranney
  IDENTIFIED BY password
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp_ts
  QUOTA unlimited ON users;
CREATE USER userscott
  IDENTIFIED BY password;
Using Resource PROFILES
You can set up limits on the system resources used by setting up profiles with defined limits on resources. Profiles are very useful in large, complex organizations with many users. They allow you to regulate the amount of resources used by each database user by creating and assigning profiles to users. With Oracle8, password attributes were added into profiles as well.
Creation of PROFILES
Profiles are a named set of resource limits. By default, when you create a user, they are given the default profile. The default profile provides unlimited use of all resources.
The syntax to create a profile follows:
CREATE PROFILE profile LIMIT resource_parameters | password_parameters;
Resource_parameters (you can specify multiple parameters per command):
  [SESSIONS_PER_USER n|UNLIMITED|DEFAULT]
  [CPU_PER_SESSION n|UNLIMITED|DEFAULT]
  [CPU_PER_CALL n|UNLIMITED|DEFAULT]
  [CONNECT_TIME n|UNLIMITED|DEFAULT]
  [IDLE_TIME n|UNLIMITED|DEFAULT]
  [LOGICAL_READS_PER_SESSION n|UNLIMITED|DEFAULT]
  [LOGICAL_READS_PER_CALL n|UNLIMITED|DEFAULT]
  [COMPOSITE_LIMIT n|UNLIMITED|DEFAULT]
  [PRIVATE_SGA n [K|M]|UNLIMITED|DEFAULT]
Password_parameters (Oracle8 and above):
  [FAILED_LOGIN_ATTEMPTS expr|UNLIMITED|DEFAULT]
  [PASSWORD_LIFE_TIME expr|UNLIMITED|DEFAULT]
  [PASSWORD_REUSE_TIME expr|UNLIMITED|DEFAULT]
  [PASSWORD_REUSE_MAX expr|UNLIMITED|DEFAULT]
  [PASSWORD_LOCK_TIME expr|UNLIMITED|DEFAULT]
  [PASSWORD_GRACE_TIME expr|UNLIMITED|DEFAULT]
  [PASSWORD_VERIFY_FUNCTION function_name|NULL|DEFAULT]
Restrictions on password parameters:
* Expr must resolve to either an integer value or an integer number of days
* If PASSWORD_REUSE_TIME is set to an integer value, PASSWORD_REUSE_MAX must be set to UNLIMITED.
* If PASSWORD_REUSE_MAX is set to an integer value, PASSWORD_REUSE_TIME must be set to UNLIMITED.
* If both PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX are set to UNLIMITED, then Oracle uses neither of these password resources.
* If PASSWORD_REUSE_MAX is set to DEFAULT and PASSWORD_REUSE_TIME is set to UNLIMITED, then Oracle uses the PASSWORD_REUSE_MAX value defined in the DEFAULT profile.
* If PASSWORD_REUSE_TIME is set to DEFAULT and PASSWORD_REUSE_MAX is set to UNLIMITED, then Oracle uses the PASSWORD_REUSE_TIME value defined in the DEFAULT profile.
* If both PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX are set to DEFAULT, then Oracle uses whichever value is defined in the DEFAULT profile.
For example:
CREATE PROFILE enduser LIMIT
  CPU_PER_SESSION 60000
  LOGICAL_READS_PER_SESSION 1000
  CONNECT_TIME 30
  PRIVATE_SGA 102400
  CPU_PER_CALL UNLIMITED
  COMPOSITE_LIMIT 60000000
  FAILED_LOGIN_ATTEMPTS 3
  PASSWORD_LIFE_TIME 90
  PASSWORD_REUSE_TIME 180
  PASSWORD_LOCK_TIME 3
  PASSWORD_GRACE_TIME 3
  PASSWORD_VERIFY_FUNCTION verify_function_one;
You can assign a profile to a user when you create the user or by altering the user. The syntax to alter the profile for a user is:
ALTER USER user PROFILE profile;
For example:
ALTER USER scott PROFILE appuser;
You must have the CREATE PROFILE system privilege to create a profile. To alter a profile you must be the creator of the profile or have the ALTER PROFILE system privilege. To assign a profile to a user, you must have the CREATE USER or ALTER USER system privilege.
Profiles and Resource Limits
The default cost assigned to a resource is unlimited. By setting resource limits, you can prevent users from performing operations that will tie up the system and prevent other users from performing operations. You can use resource limits for security to ensure that users log off the system and do not leave the session connected for long periods of time.
You can also assign a composite cost to each profile. The system resource limits can be enforced at the session level, the call level or both.
The session level is from the time the user logs into the database until the user exits. The call level is for each SQL command issued. Session level limits are enforced for each connection. When a session level limit is exceeded, only the last SQL command issued is rolled back and no further work can be performed until a commit, rollback or exit is performed. Table 7.15 lists the system resources which can be regulated at the session level.
One thing to note if you use parallel query option (PQO) is that the resources are applied to each new session, not accumulated over all of the sessions that a parallel operation uses.
TABLE 7.15: RESOURCES REGULATED AT THE SESSION LEVEL
SYSTEM RESOURCE             DEFINITION
CPU_PER_SESSION             total CPU time in hundredths of seconds
SESSIONS_PER_USER           number of concurrent sessions for a user
CONNECT_TIME                allowed connection time in minutes
IDLE_TIME                   inactive time on the server in minutes
LOGICAL_READS_PER_SESSION   number of data blocks read, including both physical and logical reads from memory and disk
PRIVATE_SGA                 bytes of SGA used in a database with the multithreaded server (in K or M)
You can combine the CPU_PER_SESSION, LOGICAL_READS_PER_SESSION, CONNECT_TIME, and PRIVATE_SGA to create a COMPOSITE_LIMIT.
Call-level limits are enforced during the execution of each SQL statement. When a call-level limit is exceeded, the last SQL command issued is rolled back. All the previous statements issued are still valid and the user can continue to execute other SQL statements. The following system resources can be regulated at the call level:
* CPU_PER_CALL for the CPU time for the SQL statement
* LOGICAL_READS_PER_CALL for the number of data blocks read for the SQL statement
The assignment of a cost to a resource can be performed with the ALTER RESOURCE COST command. Resource limits that you set explicitly for a
user take precedence over the resource costs in an assigned profile. The command line syntax for this command is:
ALTER RESOURCE COST
  [CPU_PER_SESSION n|UNLIMITED|DEFAULT]
  [CONNECT_TIME n|UNLIMITED|DEFAULT]
  [LOGICAL_READS_PER_SESSION n|UNLIMITED|DEFAULT]
  [PRIVATE_SGA n [K|M]|UNLIMITED|DEFAULT];
For example,
ALTER RESOURCE COST CONNECT_TIME 100;
Use of resource limits is set in the database initialization parameter RESOURCE_LIMIT=TRUE. By default this parameter is set to false. This parameter can be changed interactively with an ALTER SYSTEM command.
The DBA_PROFILES view provides information on all the profiles and the resource limits for each profile. The RESOURCE_COST view shows the unit cost associated with each resource. Each user can find information on his resources and limits in the USER_RESOURCE_LIMITS view.
Table 7.16 gives a description of these data dictionary views.
Table 7.16: Data dictionary views for resources.
DBA_PROFILES
Column          Definition
Profile         the name given to the profile
Resource_name   the name of the resource assigned to the profile
Limit           the limit placed on the profile
RESOURCE_COST
Column          Definition
Resource_name   name of the resource
Unit_cost       cost assigned
USER_RESOURCE_LIMITS
Column          Definition
Resource_name   the name of the resource
Limit           the limit placed on the user
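The resource-limit material above spreads one procedure over several pieces: the profile, the composite cost, the RESOURCE_LIMIT switch and the views that show the result. As an added example (not from the book or from the Oracle documentation), the script below ties them together for a hypothetical batch account app_batch. It assumes a DBA session on an instance started from an spfile (for SCOPE = BOTH); every limit value is constructed and should be sized from observed session statistics, which the last query shows how to read.

```sql
-- Added example: enforcing session and call resource limits end to end. Run as a DBA.

-- 1. Turn enforcement on. Until this is TRUE every resource limit in every
--    profile is silently ignored; password limits are the exception and are
--    always enforced. SCOPE = BOTH applies it now and keeps it across restarts.
SHOW PARAMETER resource_limit
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- 2. Weight the resources that feed COMPOSITE_LIMIT. Units are arbitrary
--    (constructed values): CPU in hundredths of a second counts 10, each
--    logical read 1, each minute of connect time 2, private SGA is ignored.
ALTER RESOURCE COST
    CPU_PER_SESSION           10
    LOGICAL_READS_PER_SESSION  1
    CONNECT_TIME               2
    PRIVATE_SGA                0;

-- 3. Profile for the batch account: one session at a time; a 240-minute wall
--    clock cap; a 15-minute idle cap so abandoned connections are reaped;
--    a per-call CPU cap (30000 hundredths = 300 s) so one runaway statement
--    is cut off while the transaction survives; a composite budget overall.
--    LOGICAL_READS_PER_SESSION DEFAULT inherits from the DEFAULT profile.
CREATE PROFILE batch_limits LIMIT
    SESSIONS_PER_USER             1
    CONNECT_TIME                240
    IDLE_TIME                    15
    CPU_PER_CALL              30000
    CPU_PER_SESSION       UNLIMITED
    LOGICAL_READS_PER_CALL  5000000
    LOGICAL_READS_PER_SESSION DEFAULT
    PRIVATE_SGA                  1M
    COMPOSITE_LIMIT        50000000;

ALTER USER app_batch PROFILE batch_limits;

-- 4. Check what is actually in force. A KERNEL row showing DEFAULT takes the
--    DEFAULT profile's value, which ships as UNLIMITED unless it was changed.
SELECT p.resource_name, p.limit, d.limit AS default_profile_limit
  FROM dba_profiles p
  JOIN dba_profiles d
    ON d.profile = 'DEFAULT'
   AND d.resource_name = p.resource_name
 WHERE p.profile = 'BATCH_LIMITS'
   AND p.resource_type = 'KERNEL'
 ORDER BY p.resource_name;

SELECT resource_name, unit_cost FROM resource_cost;

-- 5. Size the limits from real usage before tightening them: CPU consumed so
--    far by each live session of the account, in hundredths of a second.
SELECT s.sid, s.username, st.value AS cpu_hundredths
  FROM v$session s
  JOIN v$sesstat st ON st.sid = s.sid
  JOIN v$statname n ON n.statistic# = st.statistic#
 WHERE n.name = 'CPU used by this session'
   AND s.username = 'APP_BATCH';
```

The order matters in practice: a profile created and assigned while RESOURCE_LIMIT is still FALSE looks correct in DBA_PROFILES but does nothing, which is why step 4 reads the DEFAULT profile alongside it and step 1 is checked first.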
Listing All Users and Associated Information
To find all users and their associated information as defined in the database, query the DBA_USERS view. For detailed information on the DBA_USERS view, see Oracle Database Reference.
For example:
SELECT USERNAME, PROFILE, ACCOUNT_STATUS, AUTHENTICATION_TYPE FROM DBA_USERS;
USERNAME        PROFILE         ACCOUNT_STATUS  AUTHENTICATION_TYPE
--------------- --------------- --------------- -------------------
SYS             DEFAULT         OPEN            PASSWORD
SYSTEM          DEFAULT         OPEN            PASSWORD
USERSCOTT       DEFAULT         OPEN            PASSWORD
JFEE            CLERK           OPEN            GLOBAL
DCRANNEY        DEFAULT         OPEN            EXTERNAL
Listing All Tablespace Quotas
Use the DBA_TS_QUOTAS view to list all tablespace quotas specifically assigned to each user. (For detailed information on this view, see Oracle Database Reference.) For example:
SELECT * FROM DBA_TS_QUOTAS;
TABLESPACE USERNAME  BYTES    MAX_BYTES  BLOCKS  MAX_BLOCKS
---------- --------- -------- ---------- ------- ----------
USERS      JFEE      0        512000     0       250
USERS      DCRANNEY  0        -1         0       -1
When specific quotas are assigned, the exact number is indicated in the MAX_BYTES column. This number is always a multiple of the database block size, so if you specify a tablespace quota that is not a multiple of the database block size, then it is rounded up accordingly. Unlimited quotas are indicated by -1.
Listing All Profiles and Assigned Limits
The DBA_PROFILES view lists all profiles in the database and associated settings for each limit in each profile. (For detailed information on this view, see Oracle Database Reference.) For example:
SELECT * FROM DBA_PROFILES ORDER BY PROFILE;
PROFILE           RESOURCE_NAME             RESOURCE_TYPE LIMIT
----------------- ------------------------- ------------- --------------
CLERK             COMPOSITE_LIMIT           KERNEL        DEFAULT
CLERK             FAILED_LOGIN_ATTEMPTS     PASSWORD      DEFAULT
CLERK             PASSWORD_LIFE_TIME        PASSWORD      DEFAULT
CLERK             PASSWORD_REUSE_TIME       PASSWORD      DEFAULT
CLERK             PASSWORD_REUSE_MAX        PASSWORD      DEFAULT
CLERK             PASSWORD_VERIFY_FUNCTION  PASSWORD
To find the default profile values, run the following query:
SELECT * FROM DBA_PROFILES WHERE PROFILE = 'DEFAULT';
Viewing Memory Use for Each User Session
To find the memory use for each user session, query the V$SESSION view. (For detailed information on this view, see Oracle Database Reference.) The following query lists all current sessions, showing the Oracle Database user and current User Global Area (UGA) memory use for each session:
SELECT USERNAME, VALUE || 'bytes' "Current UGA memory"
  FROM V$SESSION sess, V$SESSTAT stat, V$STATNAME name
 WHERE sess.SID = stat.SID
   AND stat.STATISTIC# = name.STATISTIC#
   AND name.NAME = 'session uga memory';
To see the maximum UGA memory allocated to each session since the instance started, replace 'session uga memory' in the preceding query with 'session uga memory max'.
DBMS PROCEDURES FOR USERS
set long 100000
select dbms_metadata.get_ddl('USER','SATYA') from dual;
The above query is used to get the DDL statement that was used to create the user 'SATYA'.
set long 100000
select dbms_metadata.get_granted_ddl( 'SYSTEM_GRANT', 'SATYA' ) from dual;
The above command gives the list of system privileges granted to the user.
set long 100000
select dbms_metadata.get_granted_ddl( 'OBJECT_GRANT', 'SATYA' ) from dual;
To know the object privileges granted to the user.
set long 100000
select dbms_metadata.get_granted_ddl( 'ROLE_GRANT','SATYA') from dual;
To know the roles granted to a user.
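Each of the DBMS_METADATA calls above raises ORA-31608 ("specified object of type ... not found") when the user holds no grant of the requested kind, for example an account with no object privileges, which makes them awkward to run from a script. As an added example, not part of the notes, the PL/SQL block below wraps the same four calls into one entitlement report for a list of accounts, treats that error as an empty section, and writes the CLOB results out in VARCHAR2-sized pieces. It assumes a DBA session with SERVEROUTPUT enabled; the user names SATYA (from the text) and JFEE are placeholders for the accounts to review.

```sql
-- Added example: one entitlement report per user via DBMS_METADATA. Run as a DBA.
SET SERVEROUTPUT ON SIZE UNLIMITED
SET LONG 100000

DECLARE
    -- Constructed list of accounts to review; replace with your own.
    TYPE name_list IS TABLE OF VARCHAR2(128);
    l_users      name_list := name_list('SATYA', 'JFEE');
    l_ddl        CLOB;
    e_not_found  EXCEPTION;
    PRAGMA EXCEPTION_INIT(e_not_found, -31608);   -- no grant of this type exists

    -- Print a CLOB in pieces; DBMS_OUTPUT.PUT_LINE takes VARCHAR2 only.
    PROCEDURE put_clob (p_clob IN CLOB) IS
        l_pos  PLS_INTEGER := 1;
        l_len  PLS_INTEGER := DBMS_LOB.GETLENGTH(p_clob);
    BEGIN
        WHILE l_pos <= l_len LOOP
            DBMS_OUTPUT.PUT_LINE(DBMS_LOB.SUBSTR(p_clob, 4000, l_pos));
            l_pos := l_pos + 4000;
        END LOOP;
    END put_clob;

    -- Fetch one class of grants, reporting "nothing found" instead of failing.
    PROCEDURE section (p_title IN VARCHAR2, p_kind IN VARCHAR2, p_user IN VARCHAR2) IS
    BEGIN
        DBMS_OUTPUT.PUT_LINE('-- ' || p_title || ' for ' || p_user);
        l_ddl := DBMS_METADATA.GET_GRANTED_DDL(p_kind, p_user);
        put_clob(l_ddl);
    EXCEPTION
        WHEN e_not_found THEN
            DBMS_OUTPUT.PUT_LINE('-- (none)');
    END section;
BEGIN
    -- Emit statement terminators so the output can be kept as a replayable script.
    DBMS_METADATA.SET_TRANSFORM_PARAM(DBMS_METADATA.SESSION_TRANSFORM, 'SQLTERMINATOR', TRUE);

    FOR i IN 1 .. l_users.COUNT LOOP
        DBMS_OUTPUT.PUT_LINE('==== ' || l_users(i) || ' ====');
        -- CREATE USER statement; the password appears as its stored hash, so
        -- treat the report itself as sensitive.
        put_clob(DBMS_METADATA.GET_DDL('USER', l_users(i)));
        section('System privileges', 'SYSTEM_GRANT', l_users(i));
        section('Roles',             'ROLE_GRANT',   l_users(i));
        section('Object privileges', 'OBJECT_GRANT', l_users(i));
    END LOOP;
END;
/
```

Run periodically and kept under version control, the output gives a diff-able record of each account's entitlements, which is the simplest way to notice a privilege that appeared without a change request.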