Oracle® Database 2 Day DBA 10g Release 2 (10.2) Part Number B14196-02 |
|
|
View PDF |
System privileges, object privileges, and roles provide a basic level of database security. They are designed to control user access to data and to limit the kinds of SQL statements that users can execute.
Roles are groupings of privileges that you can use to create different levels of database access. For example, you can create a role for application developers that enable users to create tables and programs.
You can grant privileges and roles to other users only when you possess the necessary privilege. The granting of roles and privileges starts at the administrator level. At database creation, the administrative user SYS
is created and granted all system privileges and predefined Oracle roles. User SYS
can then grant privileges and roles to other users and also grant those users the right to grant specific privileges to others.
Table 7-2 provides descriptions and examples of privileges and roles.
Table 7-2 Privileges and Roles
Privilege or Role | Description | Examples |
---|---|---|
An Oracle-defined privilege usually granted only to and by administrators. System privileges enable users to perform specific database operations. |
The following are examples of system privileges that can be granted to users:
|
|
A privilege that controls access to a specific object. |
The following examples are object privileges that can be granted to users:
|
|
A group of privileges or other roles |
The following examples are Oracle-defined roles:
You can create your own roles if you have been granted this privilege. |
See Also:
Oracle Database SQL Reference for a list of Oracle-defined privileges and rolesThe following administrative accounts are automatically created when Oracle Database is installed:
When you create an Oracle database, the user SYS
is automatically created and granted the DBA
role.
All base tables and views for the database data dictionary are stored in the schema SYS
. These base tables and views are critical for the operation of Oracle Database. To maintain the integrity of the data dictionary, tables in the SYS
schema are manipulated only by the database. They should never be modified by any user or database administrator. Also, you should not create any tables in the schema of user SYS
, although you can change the storage parameters of the data dictionary settings if necessary.
Ensure that most database users are never able to connect to Oracle Database with the SYS
account.
When you create an Oracle Database, the user SYSTEM
is also automatically created and granted the DBA
role.
The SYSTEM
user can create additional tables and views that display administrative information as well as internal tables and views used by various Oracle Database options and tools. Never use the SYSTEM
schema to store tables of interest to nonadministrative users.
A predefined DBA
role is automatically created with every Oracle Database installation. This role contains most database system privileges. Therefore, you should grant the DBA
role only to actual database administrators. The DBA
role does not include the SYSDBA
or SYSOPER
system privileges.
SYSDBA
and SYSOPER
are administrative privileges required to perform basic database operations such as creating the database and instance startup and shutdown. Depending upon the level of authorization you require, you must have one of these privileges granted to you.
Note:
TheSYSDBA
and SYSOPER
system privileges allow access to a database instance even when the database is not open. Control of these privileges is totally outside of the database itself.You can also think of the SYSDBA
and SYSOPER
privileges as types of connections that enable you to perform certain database operations for which privileges cannot be granted in any other way. For example, if you have the SYSDBA
privilege, then you can connect to the database by specifying CONNECT
AS
SYSDBA
.
See Also:
Oracle Database Administrator's Guide for more the operations authorized with each privilege and an exampleYou can use Enterprise Manager to view existing roles as follows:
In the Users & Privileges section of the Administration home page, click Roles.
The Roles page appears. From this page you can create, edit, view, or delete roles. The structure and functionality of the Roles page is similar to that of the Users page shown in Figure 7-2.
Select the CONNECT
role.
Click View.
The View page appears. In this page you can see all of the privileges and roles associated with the CONNECT
role.
You can create a secure role with the privileges necessary for application development. You can then grant the role to other roles or users depending on the level of data access required by the user.
See Also:
Oracle Database Security Guide for more information on administering user security, roles, and privilegesIn this exercise, you create an application developer role called APPDEV
.
To create the APPDEV
role:
In the Users & Privileges section of the Administration home page, click Roles.
The Roles page appears.
Click Create.
The Create Role General page appears.
In the Name field, enter the name of the new role. For instance, enter APPDEV
to create a new role for application developers.
Click OK.
A page appears with a list of all roles, including the APPDEV
role that you just created. You can now modify this new role by adding the required privileges.
You can add roles, privileges, and consumer groups to roles. In this exercise, you add the basic system privileges shown in Table 7-3, which allow the creation of various objects, to the APPDEV
role that you created previously. These objects are described in Chapter 8, "Managing Schema Objects".
Table 7-3 APPDEV Privileges
Privilege | Description |
---|---|
CREATE TABLE |
Enables user to create tables in his schema. |
CREATE VIEW |
Enables user to create views in his schema. |
CREATE PROCEDURE |
Enables user to create procedures in his schema. |
CREATE TRIGGER |
Enables user to create triggers in his schema. |
CREATE SEQUENCE |
Enables user to create sequences in his schema. |
CREATE SYNONYM |
Enables user to create synonyms in his schema. |
To modify the APPDEV
role:
In the Users & Privileges section of the Administration home page, click Roles.
The Roles page appears.
From the list of roles, select APPDEV and click Edit.
Click System Privileges to navigate to the System Privileges property page.
The System Privilege column should display no items.
Click Edit List.
The Modify System Privileges page appears.
In the Available System Privileges list, double-click the privileges listed in Table 7-3 to add them to the Selected System Privileges list.
Click OK.
You are returned to the Edit Role: APPDEV page.
Click Apply.
A confirmation message should appear saying that the role has been modified successfully.
In this exercise, you drop to the APPDEV
role that you created in "Dropping Roles".
To drop the APPDEV
role:
In the Users & Privileges section of the Administration home page, click Roles.
The Roles page appears.
Select the APPDEV
role and click Delete.
A confirmation page appears.
Click Yes.
A confirmation message indicates that the role has been deleted successfully.