User Account Management
  • Users and Security

    Security domain: The database administrator defines the names of the users who are allowed to access a database. A security domain defines the settings that apply to the user.

    Authentication mechanism: A user who requires access to the database can be authenticated by one of the following:
      - Data dictionary
      - Operating system
      - Network

    The means of authentication is specified at the time the user is defined in the database and can be altered later. This lesson covers authentication by database and by operating system only.

    Note: Refer to the "Getting Started with the Oracle Server" lesson for details regarding operating system authentication using roles. Authentication through the network is covered in the course Oracle9i Database Administration Fundamentals II.
  • Database Schema

    A schema is a named collection of objects such as tables, views, clusters, procedures, and packages that are associated with a particular user. When a database user is created, a corresponding schema with the same name is created for that user. A user can be associated only with the schema of the same name, and therefore username and schema are often used interchangeably. The slide shows some of the objects that users can own in an Oracle database.
  • Creating a New User: Database Authentication

    Syntax: Use the following command to create a new user:

      CREATE USER user
        IDENTIFIED {BY password | EXTERNALLY}
        [ DEFAULT TABLESPACE tablespace ]
        [ TEMPORARY TABLESPACE tablespace ]
        [ QUOTA {integer [K | M] | UNLIMITED} ON tablespace
          [ QUOTA {integer [K | M] | UNLIMITED} ON tablespace ]... ]
        [ PASSWORD EXPIRE ]
        [ ACCOUNT {LOCK | UNLOCK} ]
        [ PROFILE {profile | DEFAULT} ]
  • Creating a New User: Operating System Authentication

    Operating system authentication: Use the IDENTIFIED EXTERNALLY clause of the CREATE USER command to specify that a user must be authenticated by the operating system. This option is generally useful when the user logs on directly to the machine where the Oracle server is running, because the database does not verify the identity itself: it trusts that the operating system already has. With the default REMOTE_OS_AUTHENT = FALSE, the server does not accept OS usernames presented by remote clients, and that default should be kept.

    Username for operating system authentication: The OS_AUTHENT_PREFIX initialization parameter is used to specify the format of the usernames for operating system authentication. This value defaults to OPS$ to make it backward compatible with earlier releases of the Oracle server. To set the prefix to a NULL value, specify this initialization parameter as:

      OS_AUTHENT_PREFIX = ""

    The example in the slide shows how a user, aaron, is defined in the database. This specifies that the operating system user aaron will be allowed access to the database without having to undergo validation by the Oracle server. Thus, to use SQL*Plus to log on to the system, the UNIX user aaron must enter the following command from the operating system:

      $ sqlplus /
  • Changing User Quota on Tablespaces

    Use the following command to modify tablespace quotas or to reassign tablespaces:

      ALTER USER user
        [ DEFAULT TABLESPACE tablespace ]
        [ TEMPORARY TABLESPACE tablespace ]
        [ QUOTA {integer [K | M] | UNLIMITED} ON tablespace
          [ QUOTA {integer [K | M] | UNLIMITED} ON tablespace ]... ]

    After a quota of 0 is assigned, the objects the user owns in that tablespace remain there, but they cannot be allocated new space. For example, if a 10 MB table exists in the USERS tablespace and the user's quota on USERS is altered to 0, no new extents can be allocated for that table. Options not specified in the ALTER USER statement remain unchanged.

    Note: Beware of the UNLIMITED TABLESPACE system privilege: it takes priority over quota settings, so a user who holds it (directly, or through a role such as RESOURCE, which grants it implicitly) is not limited by any quota.
  • Dropping a User

      DROP USER user [CASCADE]

    Guidelines: The CASCADE option drops all objects in the schema before dropping the user. It must be specified if the schema contains any objects. A user who is currently connected to the Oracle server cannot be dropped.
  • Obtaining User Information

    Use the following query to find the default tablespace for all users:

      SQL> SELECT username, default_tablespace
        2  FROM dba_users;

      USERNAME   DEFAULT_TABLESPACE
      ---------  ------------------
      SYS        SYSTEM
      SYSTEM     SYSTEM
      OUTLN      SYSTEM
      DBSNMP     SYSTEM
      HR         SAMPLE
      OE         SAMPLE

    1. Chapter 3: Administration of Users

    2. Objectives
       - Understand the importance of administration documentation
       - Outline the concept of operating system authentication
       - Be able to create, modify, and delete users and logins in Oracle10g
       - Explain the concept of a remote user
       - List the risks of database links
       - List the security risks of linked servers
       - List the security risks of remote servers
       - Describe best practices for user administration

    3. Documentation of User Administration
       - Part of the administration process
       - Reasons to document:
         - Provide a paper trail
         - Ensure administration consistency
       - What to document:
         - Administration policies, staff and management
         - Security procedures
         - Procedure implementation scripts or programs
         - Predefined roles description

    4. Documentation of User Administration (continued)

    5. Documentation of User Administration (continued)

    6. Operating System Authentication
       - Many databases (including Microsoft SQL Server 2000) depend on the OS to authenticate users, and Oracle offers OS-based authentication as an option
       - Reason to use it: centralizes administration of users
       - Risk: once an intruder is inside the OS, it is easier to reach the database, because the database trusts the OS's verification of identity
       - Users must be authenticated at each level

    7. Operating System Authentication (continued)

    8. Creating Users
       - Must be a standardized, well-documented, and securely managed process
       - In Oracle10g, use the CREATE USER statement:
         - Part of the Data Definition Language (DDL)
         - The account can own different objects

    9. Users and Security
       A user's security domain consists of: authentication mechanism, default tablespace, temporary tablespace, tablespace quotas, account locking, resource limits (profile), direct privileges, and role privileges.

    10. Database Schema
       Schema objects: tables, triggers, constraints, indexes, views, sequences, stored program units, synonyms, user-defined data types, database links
       - A schema is a named collection of objects.
       - When a user is created, a corresponding schema is created.
       - A user can be associated with only one schema.
       - Username and schema are often used interchangeably.

    11. Checklist for Creating Users
       - Identify the tablespaces in which the user needs to store objects.
       - Decide on quotas for each tablespace.
       - Assign a default tablespace and temporary tablespace.
       - Create the user.
       - Grant privileges and roles to the user.

    12. Creating a New User: Database Authentication
       - Set the initial password:

         CREATE USER aaron IDENTIFIED BY soccer
           DEFAULT TABLESPACE data
           TEMPORARY TABLESPACE temp
           QUOTA 15M ON data
           QUOTA 10M ON users
           PASSWORD EXPIRE;
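The checklist and the CREATE USER slide above, carried through end to end as an added example (not code from the original slides): tablespace check, a password profile, the user with quotas only where it needs them, and least-privilege grants through a role. The names app_data, app_profile, app_user, app_role and the initial password are placeholders chosen for illustration.

```sql
-- Added example (not from the original slides): creating an application user
-- by following the checklist above. Names (app_data, app_profile, app_user,
-- app_role and the password) are placeholders chosen for illustration.

-- 1. Identify tablespaces and decide on quotas: confirm they exist first.
SELECT tablespace_name, contents, status
  FROM dba_tablespaces
 WHERE tablespace_name IN ('APP_DATA', 'TEMP');

-- 2. A profile carries the password policy and resource limits. The
--    password limits are always enforced; the session limit is enforced
--    only when RESOURCE_LIMIT = TRUE. Limit values here are examples.
CREATE PROFILE app_profile LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LOCK_TIME    1/24        -- one hour, expressed in days
  PASSWORD_LIFE_TIME    90
  PASSWORD_GRACE_TIME   7
  SESSIONS_PER_USER     3;

-- 3./4. Create the user: default and temporary tablespace, quota on
--    exactly the tablespace it needs, an initial password that must be
--    changed at first logon, and the profile.
CREATE USER app_user IDENTIFIED BY "Initial#Pw-2024"
  DEFAULT TABLESPACE app_data
  TEMPORARY TABLESPACE temp
  QUOTA 50M ON app_data
  PASSWORD EXPIRE
  ACCOUNT UNLOCK
  PROFILE app_profile;

-- 5. Grant only what is needed. CREATE SESSION is required to connect.
--    Privileges go through a role rather than direct grants, and the
--    RESOURCE role is avoided because granting it also grants
--    UNLIMITED TABLESPACE, which overrides the quota set above.
CREATE ROLE app_role;
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW TO app_role;
GRANT app_role TO app_user;
ALTER USER app_user DEFAULT ROLE app_role;

-- Verify the result against the data dictionary.
SELECT username, account_status, default_tablespace,
       temporary_tablespace, profile, expiry_date
  FROM dba_users
 WHERE username = 'APP_USER';

SELECT tablespace_name, max_bytes    -- -1 here would mean UNLIMITED
  FROM dba_ts_quotas
 WHERE username = 'APP_USER';

-- The user must hold no quota-bypassing privilege; expect no rows.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'APP_USER' AND privilege = 'UNLIMITED TABLESPACE';
```

Run the script as a DBA account. The final query is the check that the quota on app_data actually means something: if it returns a row, the quota is decorative.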
    13. Creating a New User: Operating System Authentication
       - The OS_AUTHENT_PREFIX initialization parameter specifies the format of the usernames.
       - Defaults to OPS$ (the example below assumes the prefix has been set to "", so the OS user aaron maps to the database user AARON).

         CREATE USER aaron IDENTIFIED EXTERNALLY
           DEFAULT TABLESPACE users
           TEMPORARY TABLESPACE temp
           QUOTA 15M ON data
           PASSWORD EXPIRE;

    14. Changing User Quota on Tablespaces
       A user's tablespace quotas may be modified in any of the following situations:
       - Tables owned by the user exhibit unanticipated growth.
       - An application is enhanced and requires additional tables or indexes.
       - Objects are reorganized and placed in different tablespaces.
       To modify a user's tablespace quota:

         ALTER USER aaron QUOTA 0 ON users;

    15. Creating an Oracle10g User
       - IDENTIFIED clause
         - Tells Oracle how to authenticate the user account
         - BY password option: Oracle stores a one-way hash of the assigned password in the data dictionary, not the password itself
         - EXTERNALLY option: the user is authenticated by the OS
         - GLOBALLY AS option: authentication is delegated to a centralized user management method (an enterprise directory)

    16. Creating an Oracle10g User (continued)

    17. Creating an Oracle10g User (continued)
       - PASSWORD EXPIRE clause: tells Oracle to expire the user password so the user is prompted for a new one at the next logon
       - ACCOUNT clause: LOCK or UNLOCK the account
       - ALTER USER: modifies a user account
       - Oracle Enterprise Manager: GUI administration tool

    18. Creating an Oracle User Using Global Authentication
       - Enterprise-level authentication solution
       - Use the CREATE USER statement
         - Specify an external_name, the name used for global authentication
       - DBA_USERS view: contains information about all accounts
         - Includes the external name (EXTERNAL_NAME column)
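Slides 13, 15 and 18 describe the two ways an account can be authenticated outside the database. The following added example (not code from the original slides) creates one account of each kind and adds the checks a reviewer wants alongside them: the prefix that decides the username mapping, the REMOTE_OS_AUTHENT setting that must stay FALSE, and the DBA_USERS columns that reveal how each account authenticates. The OS user aaron, the account names and the directory DN are placeholders.

```sql
-- Added example (not from the original slides): accounts authenticated by
-- the operating system and by an enterprise directory, with verification.
-- The OS user "aaron", the account names and the DN are placeholders.

-- The prefix decides which database username an OS user maps to: with
-- the default OPS$ the OS user aaron maps to OPS$AARON, with "" to AARON.
-- Check the running value before creating the account.
SELECT name, value FROM v$parameter WHERE name = 'os_authent_prefix';

-- 1. OS authentication: the database trusts the operating system's
--    verification, so this is meant for logons on the server itself.
--    (Account name assumes the default OPS$ prefix.)
CREATE USER ops$aaron IDENTIFIED EXTERNALLY
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 15M ON users;
GRANT CREATE SESSION TO ops$aaron;

-- The OS user aaron then connects without a database password:
--   $ sqlplus /

-- Caveat: REMOTE_OS_AUTHENT = TRUE would extend that trust to OS
-- usernames asserted by remote clients, which a client controls. The
-- value should be FALSE, which is the default.
SELECT value AS remote_os_authent
  FROM v$parameter WHERE name = 'remote_os_authent';

-- 2. Global (enterprise directory) authentication: external_name is the
--    user's distinguished name in the directory (placeholder DN).
CREATE USER aaron_global IDENTIFIED GLOBALLY AS 'cn=aaron,ou=staff,o=example'
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp;
GRANT CREATE SESSION TO aaron_global;

-- 3. Verify how each account authenticates. In Oracle9i/10g the PASSWORD
--    column of DBA_USERS reads EXTERNAL or GLOBAL for these accounts
--    (later releases add an AUTHENTICATION_TYPE column for the same
--    purpose); EXTERNAL_NAME holds the DN of the global user.
SELECT username, password, external_name, account_status
  FROM dba_users
 WHERE username IN ('OPS$AARON', 'AARON_GLOBAL');

-- 4. Inventory: every account the database does not authenticate itself.
--    Each row is an identity the database has delegated to something else.
SELECT username, password AS auth, external_name
  FROM dba_users
 WHERE password IN ('EXTERNAL', 'GLOBAL')
 ORDER BY username;
```

The last query is the one to keep in a periodic review: an externally identified account that nobody remembers creating is a standing path into the database for anyone who can obtain that OS username on the server.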
    19. Removing Users
       - Simple process
       - Make a backup first
       - Obtain a written request (for auditing purposes)

    20. Removing an Oracle User
       - DROP USER statement
       - CASCADE option: required when the user owns database objects
       - Recommendations:
         - Keep a backup of the account and its objects for one to three months
         - List all owned objects before dropping
         - Lock the account or revoke the CREATE SESSION privilege first, and drop the account later

    21. Dropping a User
       - Use the CASCADE clause to drop all objects in the schema if the schema contains objects.
       - Users who are currently connected to the Oracle server cannot be dropped.

         DROP USER aaron;
         DROP USER aaron CASCADE;
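Slides 19 to 21 give the removal recommendations as a list; the added example below (not code from the original slides) turns them into the order a DBA actually runs them, with the dictionary queries that produce the paper trail and the check for connected sessions that would otherwise make the DROP fail. The account AARON is a placeholder.

```sql
-- Added example (not from the original slides): removing the account AARON
-- (placeholder) in the order recommended on the slides above.

-- 1. Disable access first rather than dropping immediately. Locking keeps
--    the objects and lets the account be restored if the request was wrong.
ALTER USER aaron ACCOUNT LOCK;
-- Alternative with the same effect on new logons:
-- REVOKE CREATE SESSION FROM aaron;

-- 2. Record what the schema owns and who depends on it, for the written
--    request and the audit trail, before anything is dropped.
SELECT object_type, COUNT(*) AS objects
  FROM dba_objects
 WHERE owner = 'AARON'
 GROUP BY object_type;

SELECT owner, name, type               -- objects elsewhere that reference AARON's
  FROM dba_dependencies
 WHERE referenced_owner = 'AARON' AND owner <> 'AARON';

SELECT grantee, table_name, privilege  -- grants made on AARON's objects
  FROM dba_tab_privs
 WHERE owner = 'AARON';

SELECT grantee, granted_role           -- roles the account holds, for the record
  FROM dba_role_privs
 WHERE grantee = 'AARON';

-- 3. A connected user cannot be dropped: find existing sessions and end
--    them (one KILL per row returned, using that row's sid and serial#).
SELECT sid, serial#, status, osuser, program
  FROM v$session
 WHERE username = 'AARON';
-- ALTER SYSTEM KILL SESSION '<sid>,<serial#>';

-- 4. After the retention period, drop the user. Without CASCADE the
--    statement fails with ORA-01922 if the schema still owns objects.
DROP USER aaron CASCADE;

-- 5. Confirm nothing remains; both queries should return nothing / 0.
SELECT username FROM dba_users WHERE username = 'AARON';
SELECT COUNT(*) AS leftover_objects FROM dba_objects WHERE owner = 'AARON';
```

Step 2 matters more than it looks: views, synonyms and PL/SQL in other schemas that reference AARON's objects become invalid when the CASCADE runs, and the dependency query is the only warning you get.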
    22. Modifying Users
       - Modifications involve:
         - Changing passwords
         - Locking an account
         - Increasing a storage quota
       - ALTER USER DDL statement

    23. Obtaining User Information
       - Information about users can be obtained by querying the following views:
         - DBA_USERS
         - DBA_TS_QUOTAS
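The slide names the views; this added example (not code from the original slides) shows the questions worth asking them, including the quota-bypass check that the UNLIMITED TABLESPACE note earlier on the page calls for. It uses DBA_USERS and DBA_TS_QUOTAS as listed, plus DBA_SYS_PRIVS; the excluded built-in accounts are the ones shown in the sample output on this page.

```sql
-- Added example (not from the original slides): review queries over
-- DBA_USERS, DBA_TS_QUOTAS and DBA_SYS_PRIVS.

-- Account state: open vs locked/expired, and which profile (password
-- policy) governs each account.
SELECT username, account_status, profile, default_tablespace, created
  FROM dba_users
 ORDER BY created;

-- Quotas in use. MAX_BYTES = -1 means UNLIMITED on that tablespace;
-- BYTES is the space currently consumed.
SELECT username, tablespace_name,
       ROUND(bytes / 1024 / 1024, 1) AS used_mb,
       CASE WHEN max_bytes = -1 THEN 'UNLIMITED'
            ELSE TO_CHAR(ROUND(max_bytes / 1024 / 1024, 1))
       END AS quota_mb
  FROM dba_ts_quotas
 ORDER BY username, tablespace_name;

-- Quota bypass: the UNLIMITED TABLESPACE system privilege takes priority
-- over every quota, so each grantee below (users, or roles such as
-- RESOURCE and DBA that pass it on) is not limited by the rows above.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'UNLIMITED TABLESPACE'
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee;

-- Accounts whose default tablespace is SYSTEM: user objects then land in
-- the data dictionary tablespace, which should be reserved for Oracle.
SELECT username, default_tablespace
  FROM dba_users
 WHERE default_tablespace = 'SYSTEM'
   AND username NOT IN ('SYS', 'SYSTEM', 'OUTLN', 'DBSNMP');

-- Default tablespace without a matching quota and without the bypass
-- privilege: the first CREATE TABLE fails with ORA-01950. Either the
-- quota was forgotten or the account is not meant to own objects.
SELECT u.username, u.default_tablespace
  FROM dba_users u
 WHERE NOT EXISTS (SELECT 1 FROM dba_ts_quotas q
                    WHERE q.username = u.username
                      AND q.tablespace_name = u.default_tablespace)
   AND NOT EXISTS (SELECT 1 FROM dba_sys_privs p
                    WHERE p.grantee = u.username
                      AND p.privilege = 'UNLIMITED TABLESPACE')
 ORDER BY u.username;
```

Read the third query together with the second: a user that appears in DBA_SYS_PRIVS with UNLIMITED TABLESPACE can fill any tablespace regardless of what DBA_TS_QUOTAS says about it.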
    24. Default Users
       - Oracle default users:
         - SYS, owner of the data dictionary
         - SYSTEM, performs almost all database tasks
       - ORAPWD is not a user account: it is the utility that creates the password file used to authenticate SYSDBA and SYSOPER connections

    25. Remote Users

    26. Database Links
       - Connection from one database to another; allows queries and DML against remote objects (DDL cannot be executed over a link)
       - Types: PUBLIC and PRIVATE
       - Authentication methods:
         - CURRENT_USER
         - FIXED USER (CONNECT TO user IDENTIFIED BY password)
         - CONNECTED USER

    27. Database Links (continued)
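Slide 26 lists the three link authentication methods without showing them. The added example below (not code from the original slides) creates one private link of each kind and adds the review query that exposes the risk the objectives mention: a fixed-user link stores a remote credential in the local data dictionary and hands that remote identity to everyone who can use the link. The TNS alias REMOTE_DB, the remote account report_ro, its password and the HR table are placeholders.

```sql
-- Added example (not from the original slides): one private database link
-- per authentication method, plus the dictionary check for reviewing them.
-- REMOTE_DB, report_ro, the password and hr.employees are placeholders.

-- Connected user: whoever uses the link must have an account with the
-- same username and password (or OS authentication) on the remote side.
-- No credential is stored locally.
CREATE DATABASE LINK remote_connected
  USING 'REMOTE_DB';

-- Current user: the link authenticates as the current user, which
-- requires global (enterprise directory) users on both databases.
CREATE DATABASE LINK remote_current
  CONNECT TO CURRENT_USER
  USING 'REMOTE_DB';

-- Fixed user: the remote credential is stored with the link definition
-- in the data dictionary (SYS.LINK$), and every local user of the link
-- acts as REPORT_RO remotely. Use a least-privilege remote account for
-- this, never an administrative one.
CREATE DATABASE LINK remote_fixed
  CONNECT TO report_ro IDENTIFIED BY "Link#Pw-2024"
  USING 'REMOTE_DB';

-- Queries and DML work across a link; DDL does not.
SELECT COUNT(*) FROM hr.employees@remote_fixed;

-- Review: which links exist, who owns them, and which carry a fixed remote
-- identity (USERNAME is non-null). A PUBLIC link with a fixed user is
-- usable by every account in the local database, so it is the first thing
-- to look for; OWNER shows PUBLIC for those.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY owner, db_link;

-- Remove a link that is no longer justified. The owner drops a private
-- link; public links need DROP PUBLIC DATABASE LINK.
DROP DATABASE LINK remote_connected;
```

Treat a row in DBA_DB_LINKS with a non-null USERNAME the same way you would treat a saved password: know who can read the link definition, know what the remote account can do, and rotate it when the people who created it move on.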
    28. Practices for Administrators and Managers
       - Manage:
         - Accounts
         - Data files
         - Memory
       - Administrative tasks:
         - Backup
         - Recovery
         - Performance tuning

    29. Best Practices
       - Follow the company's policies and procedures
       - Always document and create logs
       - Educate users
       - Keep abreast of database and security technology
       - Review and modify procedures
       - Block direct access to database tables
       - Limit and restrict access to the server
       - Use strong passwords
       - Patches, patches, patches

    30. Summary
       - Document tasks and procedures for auditing purposes
       - Creating users: CREATE USER statement in Oracle
       - Removing users: DROP USER statement
       - Modifying user attributes: ALTER USER DDL statement
       - Local database and users
       - Remote users
       - Database links
       - Linked servers