2. SECURITY IN ORACLE RDBMS
Sql * plus
Oracle Form
Visual Basic
USERNAME /
PASSWORD
ORACLE
DATABASE
ORACLE
USER
• USERNAME should be defined in the database.
• There exists a SCHEMA by the same name in the database.
• User has access to all the objects in his schema.
• To carry out any activity in Database, you need a Priviledge.
• To work on any Object belonging to other user, he must grant
the required privilege to you
3. USER‟S SECURITY DOMAIN
U
Direct Privileges
System & Object
Privileges
Indirect
Privileges
( Through Roles )
Default Tablespace
Tablespace Quotas
Temporary Tablespace
Resource Limits
( Defined by Profiles)
4. Privileges & Roles
U
System Privileges
• create user
• create session
• create table
• alter session
• drop tablespace
• create procedure
• alter database
• create ANY table
• select ANY table
• drop user
• execute any
procedure
• drop any table
Object Privileges
• select
• insert
• update
• delete
• alter
• execute
• index
• references
• all
OBJECT
ROLEROLE
5. Pre- Defined Roles
Connect ALTER SESSION, CREATE CLUSTER, CREATE
SEQUENCE, CREATE SESSION, CREATE SYNONYM,
CREATE TABLE, CREATE VIEW
Resource CREATE CLUSTER, CREATE PROCEDURE,
CREATE SEQUENCE, CREATE TABLE, CREATE
TRIGGER ( Take care -- Unlimited Table space )
DBA All system privileges WITH ADMIN OPTION
EXP_FULL_DATABASE , IMP_FULL_DATABASE
SELECT_CATALOG_ROLE , DELETE_CATALOG_ROLE
EXECUTE_CATALOG_ROLE
6. Database Administrator - Responsibilities
• Installing / Upgrading Oracle server
• Allocating system storage
• Enrolling users and maintaining system security
• Controlling and monitoring user access to the database
• Monitoring and optimizing the performance of the
database
• Manage backup and recovery of database
• Creating primary objects (tables, views, indexes) once
application developers have designed an application
• Modifying the database structure, as necessary
7. ORACLE - Default User Accounts
SYS Initial password : change_on_install
SYSTEM Initial password : manager
When Oracle Database is installed, some users like System,
SYS, Scott are created and assigned privileges
• Data Dictionary base tables and views are stored in SYS-schema
SCOTT Initial password : tiger
& Otherslike
PO8, DEMO etc
• Change passwords of SYS & System as soon as possible.
• Both SYS & System have the DBA role
• User tables & other objects should not be created in these
schema.
• Never use the user scott for your main Database.
8. Creating Users
Who can create a user ? CREATE USER system privilege
Command :
Create user < username >
identified externally / identified by <
password >
default tablespace < tablespace name >
temporary tablespace < tablespace name >
quota n k/m on< tablespace>
quota n ...... On .....
Profile < profile name >
9. Users & Necessary Privileges
Connect system / manager
create user ram identified by r11;
ERROR
Connect system/manager
grant create session to ram;
Connected
Connect system/manager
grant create table to ram;
Conn ram/r11
create table t1(n number);
ERRORConnect ram/ r11
Connect ram/ r11
Connect system / manager
alter user ram default
tablespace user_data quota
1m on user_data;
Conn ram/r11
create table t1(n number);
10. Connect system / manager
drop user ram cascade
create user ram identified by
r11;
grant create session, resource
to ram;
Resource Role
also gives Unlimited
Tablespace
alter user ram identified by r22;
DBA can change
User‟s password
When User owns objects
cascade is required
conn ram/r22
alter user ram identified by r11;
A User can change
his own password
conn system/manager
alter user ram identified by r11
account lock;
DBA can lock a user‟s
account
conn ram/r11; ORA-28000: the account is locked
11. Granting System Privileges
conn system/manager
grant select any table to ram;
Conn ram / r22;
select * from scott.imp;
Revoking the Privilege
conn system/manager
revoke select any table from ram;
For granting system privileges, you must
have the privilege –”With Admin Option”
or the system privilege : Grant ANY
Privilege
12. Administrative Powers For System Privileges :
System System Privilege S
with Admin Option
User a S
User b
S
System Revoke S
User a
S
User b
S
with
admi
n
optio
n
connect system / manager
create user a identified by a11;
create user b identified by b11;
create user c identified by c11;
grant connect to a,b,c;
grant select any table to a with admin
option;
Revoke S
S
13. Connect a /a11
grant select any table to b with admin option;
Connect b/b11
revoke select any table from a;
Connect b/b11
select * from scott.imp;
select * from user_sys_privs;
Try select
Connect system/manager
grant select any table to a;
Try select
Connect b/b11
revoke select any table from a;
Connect system/manager
revoke select any table from b;
B still has the
Privilege
Conn a/a11
select * from
scott.imp ;
14. SYSTEM PRIVILEGES
• As of Oracle 8i there are 126 system privileges
• System Privileges are broadly in following categories :
* Enabling System wide operations ( create tablespace, --
session)
* Enabling Management of User‟s own schema ( create table ,
etc)
* Enabling Management in any schema ( create Any table etc)
• System Privileges should be assigned with great caution,
especially, the Admin Option
• ANY keyword gives the user privilege in every schema. Drop
Any --- privileges can be misused to destroy the database.
• The DBA Role has all the System Privileges.
• DBA_SYS_PRIVS view displays all System Privileges.
• SESSION_PRIVS view displays all System Privileges granted
to Roles and Users at the session level.
15. Object Privileges
Conn system/manager
select * from dba_sys_privs where grantee in
('A','B','C');
conn scott/tiger
grant select on staff to a;
Conn a/a11
select * from scott.staff;
conn scott/tiger
grant insert on loans to a;
Conn a/a11
insert into scott.loans
(name,loanamt)
values('SATHE',20000);
conn scott/tiger
grant update(qty) on imp
to b;
conn b/b11
update scott.imp set
qty=0 where qty<5;
Object Privilege can be given selectively on a column
16. conn scott/tiger
revoke delete on imp from a;
conn a/a11
delete from scott.imp;
select * from scott.imp;
conn scott/tiger
grant all on imp to a;
conn a/a11
delete from scott.imp;
rollback;
“ALL” option gives all the relevant privileges on the object
conn scott/tiger
revoke all on imp from a;
Select, Insert, Delete,update Alter, Index, ReferencesTable -
scott ALL on IMP a scottRevoke delete on IMP
17. Object Privilege With Grant Option
Scott
Obj. Privilege O
with GrantOption
User a
O (G)
(G)
User b
O (G)
User
C OScott Revokes the
Object Privilege O
User
a
User
b
User
C
Scott
Obj. Privilege O
with GrantOption
User
a (G)
User
b(G)
User
C
User
a (G) O
User
C
18. Object Privilege With Grant Option
conn scott/tiger
grant select on loans to a
with grant option;
conn a/a11
grant select on scott.loans to b with
grant option;
conn b/b11
grant select on
scott.loans to c;
conn c/c11
select * from scott.loans;
conn scott/tiger
select * from
user_tab_privs;
conn c/c11
select * from scott.loans;
Conn scott/tiger
revoke select on
loans from a;
conn c/c11
select * from scott.loans;
19. Listing Privileges
ALL_TAB_PRIVS shows all grants on objects for which
the USER OR PUBLIC is Grantee
select * from all_tab_privs
where grantee <>'PUBLIC'
ALL_TAB_PRIVS_MADE shows all grants on objects
for which the USER is the OWNER or GRANTER
conn scott/tiger
select * from all_tab_privs_made;
COLUMN_PRIVILEGES : Shows grants on columns for
which the user is grantor or the User or Public is grantee
USER_TAB_PRIVS shows grants on objects for which the
user is Owner, Granter or Grantee
20. ROLES
Role is a named collection of Privileges
P1 P2 P3 P4 P1 P2 P3 P4
U1 U2 U3 U4
R
U1 U2 U3 U4
21. ROLE -- FEATURES
Role
S O
USER Role
S O
ROLES
O
O
S
O
O
O
S
O
O
USER
O
ROLE
S
DBA
S
USER ROLE
With Grant
Option
OWNER
ROLE
With Admin
Option
USER
ROLE
USER
O
22. Creating Roles
Connect system/manager
create role rs ;
grant select any table to rs;
grant rs to a;
grant rs to b with admin option;
conn a/a11;
select * from scott.imp;
Connect b/b11;
grant rs to c;
Connect c/c11
select * from scott.staff;
Create a Role
Grant Privileges
to the Role
Grant the Role
to Users
23. Connect system/manager
create role ru;
Connect scott/tiger
grant update on loans to ru;
Connect system/manager
grant ru to a;
Connect a/a11
update scott.loans set
loanamt=20000 ;
rollback;
Connect scott/tiger
grant update on imp
to ru;
Connect a/a11
update scott.imp set qty=50;
rollback;
Connect system/manager
grant drop any table to a;
grant drop any table to rs;
revoke drop any table from rs;
Role ru
Add one more
privilege
to role ru
User a still
has the privilege
24. Connect system/manager
create role rd identified by rd11;
grant delete any table to rd;
grant rd to c;
Connect c/c11
delete from scott.staff;
rollback;
set role rs;
delete from scott.imp;
ORA-01031: insufficient
privileges
set role rd identified by rd11;
delete from scott.imp;
rollback;
Setting a particular role resulted in disabling other roles
25. Roles -- Enabled / Disabled & Default Roles
Roles r1,r2
Roles with
passwords -r3
USER
Roles are always
enabled by default
USER
All granted roles
enabled (r1,r2,r3)
Alter user
set Default roles
r1,r2
Alter user
set Default roles
ALL except r1
Alter user
set Default roles NONE
D B A
set roles
r1,r2
set roles
r3 identified by ***
set roles
ALL except r3
The Roles NOT
mentioned in
these commands
will be disabled
26. Experiments With Roles
Connect system/manager
grant rs,ru,rd to b;
Connect b/b11
select * from session_roles;
select * from user_role_privs;
USERNAME GRANTED_ROLE ADMIN DEFAULT_ROLE
-------- ---------- ----- ----------
B CONNECT NO YES
B RD NO YES
B RS NO YES
B RU NO YES
Connect system/manager
alter user b default role connect,rs;
DEFAULT_ROLE
--------
YES
NO
YES
NO
Conn b/b11
select * from user_role_privs;
set role connect,rs,ru,rd identified
by rd11
Have to mention
already enabled roles
27. set role none;
set role all;
ORA-01979: missing or invalid
password for role 'RD'
set role all except rd;
conn system/manager;
alter user b default role all;
Role with Admin Option :
• Grantee can grant the role to other user or Role
• Grantee can revoke the role from other users
• Grantee can alter Or Drop the role
Set Role All :
• Enables all Roles except those mentioned in Except clause.
• Can not use this option to enable roles with passwords.
28. „View‟-ing Roles & Privileges
Dba_roles : Lists all the system &
Other roles
Session_roles : System & Other
Roles enabled for the user in session
role_sys_privs :Roles to which the
user has access, System privoleges
granted to roles
dba_role_privs :Roles granted to
users & to other roles
role_role_privs: Roles to which
user has access. Shows Roles granted
to other roles
ROLE
GRANTED_ROLE
ADMIN_OPTION
GRANTEE
GRANTED_ROLE
ADMIN_OPTION
DEFAULT_ROLE
ROLE
PRIVILEGE
ADMIN_OPTION
ROLE
PASSWORD
ROLE
user_role_privs : Shows details of
roles granted to the user
USERNAME
GRANTED_ROLE
ADMIN_OPTION
DEFAULT_ROLE