This document discusses managing privileges and auditing in a database. It covers granting and revoking system and object privileges to users, as well as defining and enabling auditing options. System privileges allow users to perform actions in the database, while object privileges allow access to specific database objects. Auditing can track database activity, statements, and privileges for security and monitoring purposes.

1. Managing Privileges

2. Objectives
After completing this lesson, you should be able to
do the following:
• Identify system and object privileges
• Grant and revoke privileges
• Control operating system or password file
authentication
• Identify auditing capabilities

3. Managing Privileges
Two types of privileges:
• System: Enables users to perform particular
actions in the database
• Object: Enables users to access and manipulate a
specific object

4. System Privileges
• There are about 126 system privileges.
• The ANY keyword in the privileges signifies that
users have the privilege in every schema.
• The GRANT command adds a privilege to a user
or a group of users.
• The REVOKE command deletes the privileges.

5. System Privileges: ExamplesCategory Examples
INDEX CREATE ANY INDEX
ALTER ANY INDEX
DROP ANY INDEX
TABLE CREATE TABLE
CREATE ANY TABLE
ALTER ANY TABLE
DROP ANY TABLE
SELECT ANY TABLE
UPDATE ANY TABLE
DELETE ANY TABLE
SESSION CREATE SESSION
ALTER SESSION
RESTRICTED SESSION
TABLESPACE CREATE TABLESPACE
ALTER TABLESPACE
DROP TABLESPACE
UNLIMITED TABLESPACE

6. Granting System Privileges
GRANT CREATE SESSION, CREATE TABLE TO managers;
GRANT CREATE SESSION TO scott
WITH ADMIN OPTION;

7. SYSDBA and SYSOPER
Privileges
Category Examples
SYSOPER STARTUP
SHUTDOWN
ALTER DATABASE OPEN | MOUNT
ALTER DATABASE BACKUP CONTROLFILE
ALTER TABLESPACE BEGIN/END BACKUP
RECOVER DATABASE
ALTER DATABASE ARCHIVELOG
RESTRICTED SESSION
SYSDBA SYSOPER privileges WITH ADMIN OPTION
CREATE DATABASE
RECOVER DATABASE UNTIL

8. Password File Authentication
1. Check that the password file has been created; if
not, create it using ORAPWD.
2. Check that the initialization parameter
REMOTE_LOGIN_PASSWORD_FILE has been set
to EXCLUSIVE.
3. Grant SYSOPER and SYSDBA privileges to users.
4. Query V$PWFILE_USERS to verify the password
file members.

9. Displaying System Privileges
DBA_SYS_PRIVS
• GRANTEE
• PRIVILEGE
• ADMIN OPTION
SESSION_PRIVS
• PRIVILEGE
Database Level Session Level

10. System Privilege Restrictions
O7_DICTIONARY_ACCESSIBILITY = TRUE
• Reverts to Oracle7 behavior
• Removes the restrictions on system
privileges with the ANY keyword
• Defaults to TRUE

11. Revoking System Privileges
REVOKE CREATE TABLE FROM karen;
REVOKE CREATE SESSION FROM scott;

12. KAREN SCOTT
Revoking System Privileges
Using WITH ADMIN OPTION
DBA
GRANT
REVOKE
KAREN SCOTT
DBA

13. RESULT
Revoking System Privileges
Using WITH ADMIN OPTION
DBA KAREN SCOTT

14. Object Privileges
Object priv. Table View Sequence Procedure
ALTER  
DELETE  
EXECUTE 
INDEX 
INSERT  
REFERENCES 
SELECT   
UPDATE  

15. Granting Object Privileges
GRANT EXECUTE ON dbms_pipe TO public;
GRANT UPDATE(first_name, salary) ON
employee TO karen WITH GRANT OPTION;

16. DBA_TAB_PRIVS
Displaying Object Privileges
DBA_COL_PRIVS
GRANTEE
OWNER
TABLE_NAME
GRANTOR
PRIVILEGE
GRANTABLE
GRANTEE
OWNER
TABLE_NAME
COLUMN_NAME
GRANTOR
PRIVILEGE
GRANTABLE

17. Revoking Object Privileges
REVOKE execute ON dbms_pipe FROM scott;

18. GRANT
REVOKE
Revoking Object Privileges
Using WITH GRANT OPTION
SCOTT
SCOTT
USER 1
USER 1
USER 2
USER 2

19. RESULT
Revoking Object Privileges
Using WITH GRANT OPTION
SCOTT USER 1 USER 2

20. Auditing Guidelines
• Define your purpose of auditing
– Suspicious database activity
– Gather historical information
• Define what you want to audit
– Audit users, statements, or objects
– By session
– Successful or unsuccessful
• Manage your audit trail
– Monitor the growth of the audit trail
– Protect the audit trail from unauthorized access

21. Auditing Categories
• Auditing privileged operations
– Always audited
– Startup, shutdown, and SYSDBA connections
• Database auditing
– Enabled by DBA
– Cannot record column values
• Value-based or application auditing
– Implemented through code
– Can record column values
– Used to track changes to tables

22. Database Auditing
Audit trail
Audit options
Parameter file
Enable database
auditing
DBA
Specify
audit options
Database
User
Execute command
Generate
audit trail
Review
audit
information
Server
process
OS audit
trail

23. Enabling Auditing Options
• Statement auditing
• Privilege auditing
• Schema object auditing
AUDIT select any table
BY summit BY ACCESS;
AUDIT user;
AUDIT LOCK ON summit.employee
BY ACCESS WHENEVER SUCCESSFUL;

24. Data Dictionary View
ALL_DEF_AUDIT_OPTS
DBA_STMT_AUDIT_OPTS
DBA_PRIV_AUDIT_OPTS
DBA_OBJ_AUDIT_OPTS
Description
Default audit options
Statement auditing options
Privilege auditing options
Schema object auditing
options
Viewing Auditing Options

25. Audit Trail View
DBA_AUDIT_TRAIL
DBA_AUDIT_EXISTS
DBA_AUDIT_OBJECT
DBA_AUDIT_SESSION
DBA_AUDIT_STATEMENT
Description
All audit trail entries
Records for AUDIT EXISTS/NOT
EXISTS
Records concerning schema
objects
All connect and disconnect entries
Statement auditing records
Viewing Auditing Results

26. Summary
In this lesson, you should have learned how to:
• Control system and object privileges
• Use database auditing