2. Controlling User Access [1]
Database security can be classified into two categories:
- System security: covers access to and use of the database at the system level, such as username and password, the disk space allocated to the user, and the system operations the user is allowed to perform.
- Data security: covers access to and use of the database objects and the actions that users can perform on those objects.
[1] Introduction to Oracle: SQL and PL/SQL, P14-4, Neena Kochhar, Ellen Gravina and Priya Nathan, July 1999
3. Privileges [2]
A privilege is the right to execute a particular type of SQL statement.
There are two types of privileges:
- System privileges: gain access to the database.
- Object privileges: manipulate the content of database objects.
Schema: a collection of objects such as tables, views and sequences. A schema is owned by a database user and has the same name as that user.
[2] Introduction to Oracle: SQL and PL/SQL, P14-4, Neena Kochhar, Ellen Gravina and Priya Nathan, July 1999
4. System Privileges [3]
The DBA has high-level system privileges, for example to:
- create new users
- remove users
- remove tables
- back up tables
[3] Introduction to Oracle: SQL and PL/SQL, P14-5, Neena Kochhar, Ellen Gravina and Priya Nathan, July 1999
5. Creating Users [4]
The DBA creates users by using the CREATE USER statement:
    CREATE USER username
    IDENTIFIED BY password;
Notes:
The user does not have any privileges at this point.
The DBA can then grant a number of privileges to that user; these privileges determine what the user can do at the database level.
[4] Introduction to Oracle: SQL and PL/SQL, P14-6, Neena Kochhar, Ellen Gravina and Priya Nathan, July 1999
6. User System Privileges [5]
Once a user is created, the DBA can grant specific system privileges to that user:
    GRANT privilege [, privilege...]
    TO user [, user...];
Typical system privileges granted to a user:
- CREATE SESSION
- CREATE TABLE
- CREATE SEQUENCE
- CREATE VIEW
- CREATE PROCEDURE
[5] Introduction to Oracle: SQL and PL/SQL, P14-7, Neena Kochhar, Ellen Gravina and Priya Nathan, July 1999
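The two steps above (CREATE USER, then GRANT system privileges) as one worked script. This is an added example, not part of the course slides: the user name app_reader and the password value are constructed, and the script is meant to be run from a DBA account such as SYSTEM. It also shows how to check which system privileges an account ended up with, which is the question a reviewer asks after any grant.

```sql
-- Added example (not from the course slides): create an application user
-- with only the system privileges it needs, then verify the grants.
-- app_reader and the password value are constructed for illustration.
-- Run as a DBA account (for example SYSTEM).

-- Create the account. PASSWORD EXPIRE forces the user to choose a new
-- password at first login, so the initial value set by the DBA is not kept.
CREATE USER app_reader
  IDENTIFIED BY "Initial#Pass2024"
  PASSWORD EXPIRE;

-- At this point the user exists but cannot log in: CREATE SESSION is the
-- system privilege that allows a connection to the database.
GRANT CREATE SESSION TO app_reader;

-- Grant only the additional system privileges the user actually needs.
-- Here the user may create its own views, but not tables, sequences
-- or procedures.
GRANT CREATE VIEW TO app_reader;

-- Verify exactly which system privileges the account now holds.
-- User names are stored in upper case unless they were created quoted.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'APP_READER'
 ORDER BY privilege;

-- A system privilege is taken away again with REVOKE ... FROM user.
REVOKE CREATE VIEW FROM app_reader;
```

The DBA_SYS_PRIVS query is the check to run after granting: if a privilege such as CREATE TABLE or CREATE PROCEDURE shows up that the account was never meant to have, it was granted by mistake and should be revoked before the account is handed over.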
7. Questions
Question 1
Create two users: the first with the name Ahmad and the password abc123, the other with the name Asmaa and the password xyz123.
Question 2
Give both users (Ahmad and Asmaa) these system privileges: CREATE SESSION, CREATE TABLE and CREATE VIEW.
8. Roles [6]
A role is a named group of related privileges that can be granted to a user.
Roles make granting and revoking privileges easier to perform and maintain.
A user can have access to several roles, and several users can be assigned the same role.
[6] Introduction to Oracle: SQL and PL/SQL, P14-9, Neena Kochhar, Ellen Gravina and Priya Nathan, July 1999
9. Creating and Assigning a Role [7]
- The DBA must create the role.
- The DBA can assign privileges to the role using the GRANT statement.
- The DBA can assign users to the role using the GRANT statement.
The syntax for creating a role:
    CREATE ROLE rolename;
[7] Introduction to Oracle: SQL and PL/SQL, P14-10, Neena Kochhar, Ellen Gravina and Priya Nathan, July 1999
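The three steps of this section (create the role, grant privileges to it, grant it to users) as one script, followed by the queries that show what the role carries and who holds it. This is an added example, not from the course slides; report_role, app_reader and app_writer are constructed names, and the two users are assumed to exist already.

```sql
-- Added example (not from the course slides): bundle system privileges in
-- a role, assign the role to several users, and verify the result.
-- report_role, app_reader and app_writer are constructed names; the two
-- users are assumed to exist. Run as a DBA account.

-- 1. The DBA creates the role.
CREATE ROLE report_role;

-- 2. The DBA grants privileges to the role with the same GRANT statement
--    used for users; the role is simply the grantee.
GRANT CREATE SESSION, CREATE VIEW, CREATE SYNONYM TO report_role;

-- 3. The DBA assigns users to the role, again with GRANT.
GRANT report_role TO app_reader, app_writer;

-- Verify: which system privileges does the role carry? Roles appear as
-- grantees in DBA_SYS_PRIVS just like users do.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee = 'REPORT_ROLE'
 ORDER BY privilege;

-- Verify: which users hold the role?
SELECT grantee, granted_role, default_role
  FROM dba_role_privs
 WHERE granted_role = 'REPORT_ROLE';

-- Maintenance is done on the role, not on each user: adding a privilege
-- here reaches every holder of the role at once ...
GRANT CREATE SEQUENCE TO report_role;

-- ... and removing one user from the role withdraws all of its privileges
-- in a single statement.
REVOKE report_role FROM app_writer;
```

The second query is the one to keep in an access review: a role is only as safe as the list of accounts that hold it, and that list is not visible from the role's own privilege grants.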
10. Changing Password [8]
The DBA creates your user account and initializes your password.
You can change your password by using the ALTER USER statement:
    ALTER USER Ahmad
    IDENTIFIED BY abcdef;
[8] Introduction to Oracle: SQL and PL/SQL, P13-4, Neena Kochhar, Ellen Gravina and Priya Nathan, July 1999
11. Object Privileges [9]
Object privileges and the object types they apply to (Table, View, Sequence, Procedure):
- ALTER
- DELETE
- EXECUTE
- INDEX
- INSERT
- REFERENCES
- SELECT
- UPDATE
[9] Introduction to Oracle: SQL and PL/SQL, P14-12, Neena Kochhar, Ellen Gravina and Priya Nathan, July 1999
12. Object Privileges [10]
Object privileges vary from object to object.
An owner has all the privileges on the object.
An owner can give specific privileges on that owner's object:
    GRANT object_privilege [(columns)]
    ON object
    TO {user | role | PUBLIC}
    [WITH GRANT OPTION];
[10] Introduction to Oracle: SQL and PL/SQL, P14-13, Neena Kochhar, Ellen Gravina and Priya Nathan, July 1999
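A worked script for sections 11 and 12 together: an owner grants object privileges on a table, a sequence and a procedure, including the column-restricted form of the GRANT syntax above. This is an added example, not from the course slides. The schema SALES and its objects are constructed for illustration; app_reader and app_writer are assumed to exist and to hold CREATE SESSION.

```sql
-- Added example (not from the course slides): object privileges granted by
-- the owner of the objects. SALES, orders, order_seq, close_order,
-- app_reader and app_writer are constructed names.

-- Run as SALES, the owner, which holds every privilege on its own objects.
CREATE TABLE orders (
  order_id  NUMBER PRIMARY KEY,
  customer  VARCHAR2(60),
  status    VARCHAR2(10),
  amount    NUMBER(10, 2)
);
CREATE SEQUENCE order_seq;
CREATE OR REPLACE PROCEDURE close_order (p_id IN NUMBER) AS
BEGIN
  UPDATE orders SET status = 'CLOSED' WHERE order_id = p_id;
END;
/

-- Table: read-only access for the reporting account.
GRANT SELECT ON orders TO app_reader;

-- Table, column-restricted: app_writer may change status and amount but
-- not order_id or customer. A column list is accepted for INSERT, UPDATE
-- and REFERENCES only; SELECT cannot be limited to columns this way
-- (expose a view with just those columns instead).
GRANT UPDATE (status, amount) ON orders TO app_writer;
GRANT INSERT ON orders TO app_writer;

-- Sequence: SELECT is the privilege that allows order_seq.NEXTVAL.
GRANT SELECT ON order_seq TO app_writer;

-- Procedure: EXECUTE is the only object privilege that applies.
GRANT EXECUTE ON close_order TO app_writer;

-- Verify as a DBA. Whole-object grants ...
SELECT grantee, privilege, table_name, grantable
  FROM dba_tab_privs
 WHERE owner = 'SALES'
 ORDER BY grantee, table_name, privilege;

-- ... and column-level grants, which are recorded in a separate view and
-- are easy to overlook when auditing what an account can change.
SELECT grantee, table_name, column_name, privilege
  FROM dba_col_privs
 WHERE owner = 'SALES'
 ORDER BY grantee, table_name, column_name;
```

Note that EXECUTE on close_order lets app_writer update the status column of every row through the procedure, regardless of the column-level UPDATE grant: procedures run with their owner's privileges by default, so granting EXECUTE is as consequential as granting what the procedure does.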
13. Questions
Question 3
Give both users, Ahmad and Asmaa, the SELECT privilege on the Employees table.
Question 4
Give Asmaa the UPDATE privilege on the salary and commission columns of the Employees table.
14. WITH GRANT OPTION and PUBLIC [11]
A privilege that is granted WITH GRANT OPTION can be passed on to other users and roles by the grantee.
Object privileges granted WITH GRANT OPTION are revoked when the grantor's privilege is revoked.
An owner of a table can grant access to all users by using the PUBLIC keyword.
[11] Introduction to Oracle: SQL and PL/SQL, P14-15, Neena Kochhar, Ellen Gravina and Priya Nathan, July 1999
15. Revoke Object Privileges [12]
Use the REVOKE statement to revoke privileges granted to other users.
Privileges granted to others through WITH GRANT OPTION will also be revoked.
    REVOKE {privilege [, privilege...] | ALL}
    ON object
    FROM {user [, user...] | role | PUBLIC}
    [CASCADE CONSTRAINTS];
[12] Introduction to Oracle: SQL and PL/SQL, P14-17, Neena Kochhar, Ellen Gravina and Priya Nathan, July 1999
16. Revoke Object Privileges (cont.)
CASCADE CONSTRAINTS is required to remove any referential integrity constraints made to the object by means of the REFERENCES privilege.
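Sections 14 to 16 describe three behaviours that are easiest to see in one script: a privilege re-granted through WITH GRANT OPTION, the cascade when the original grant is revoked, and a REVOKE of REFERENCES that needs CASCADE CONSTRAINTS. This is an added example, not from the course slides; SALES, team_lead, analyst and app_writer are constructed names and the accounts are assumed to exist. The comments say which account each statement is run as.

```sql
-- Added example (not from the course slides): WITH GRANT OPTION, cascading
-- REVOKE, PUBLIC and CASCADE CONSTRAINTS. SALES, team_lead, analyst and
-- app_writer are constructed names; the accounts are assumed to exist.

-- Run as SALES (owner): a minimal table for the example.
CREATE TABLE orders (
  order_id NUMBER PRIMARY KEY,
  status   VARCHAR2(10)
);

-- The grantee may pass SELECT on to others.
GRANT SELECT ON orders TO team_lead WITH GRANT OPTION;

-- Run as TEAM_LEAD: re-grant to a third user. This works only because
-- team_lead received the privilege WITH GRANT OPTION.
GRANT SELECT ON sales.orders TO analyst;

-- Run as a DBA: the grant chain is visible in DBA_TAB_PRIVS. GRANTOR shows
-- who passed the privilege on, and GRANTABLE = 'YES' marks team_lead's copy.
SELECT grantor, grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SALES' AND table_name = 'ORDERS';

-- Run as SALES: revoking from the first grantee cascades. analyst loses
-- SELECT as well, because that grant depended on team_lead's grant option.
REVOKE SELECT ON orders FROM team_lead;

-- REFERENCES lets another schema build a foreign key to this table.
GRANT REFERENCES (order_id) ON orders TO app_writer;

-- Run as APP_WRITER: a child table whose constraint depends on that grant.
CREATE TABLE shipments (
  shipment_id NUMBER PRIMARY KEY,
  order_id    NUMBER,
  CONSTRAINT fk_ship_order FOREIGN KEY (order_id)
    REFERENCES sales.orders (order_id)
);

-- Run as SALES: a plain REVOKE REFERENCES is rejected while fk_ship_order
-- exists. CASCADE CONSTRAINTS drops the dependent constraint and then
-- revokes the privilege.
REVOKE REFERENCES ON orders FROM app_writer CASCADE CONSTRAINTS;

-- PUBLIC grants to every user, present and future, and is revoked the
-- same way. Anything granted to PUBLIC should be reviewed deliberately.
GRANT SELECT ON orders TO PUBLIC;
REVOKE SELECT ON orders FROM PUBLIC;
```

The cascade in the middle of the script applies to object privileges only. System privileges passed on through WITH ADMIN OPTION do not cascade when the original grant is revoked, so a revoke of a system privilege must be followed by checking DBA_SYS_PRIVS for every account the intermediate grantor may have granted it to.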
17. Questions
Question 5
Write complete SQL statements that create two users, Ameer and Susan; each of these users must have privilege(s) to access the Employees table in the hr user account. A role needs to be created with the name HumanRes that has the ALTER privilege on the Employees table, and the two users (Ameer and Susan) are added to this role.
Notes:
hr provides privileges to Ameer, and Ameer provides privileges to Susan.
18. Questions (diagram for Question 5)
User: hr, password: oradb
User: Ameer, password: abc123; privileges on Employees: SELECT, INSERT, UPDATE
User: Susan, password: xyz123; privileges on Employees: SELECT, UPDATE
User: system, password: oradb
Role: HumanRes; privilege on Employees: ALTER