For users to access your database, you must create user accounts and grant appropriate database access privileges to those accounts. A user account is identified by a user name and defines the attributes of the user, including the following:
Authentication method
Password for database authentication
Default tablespaces for permanent and temporary data storage
Tablespace quotas
Account status (locked or unlocked)
Password status (expired or not)
When you create a user account, you must not only assign a user name, a password, and default tablespaces for the account, but you must also do the following:
Grant the appropriate system privileges, object privileges, and roles to the account.
If the user will be creating database objects, then give the user account a space usage quota on each tablespace in which the objects will be created.
Oracle recommends that you grant each user just enough privileges to perform his job, and no more. For example, a database application developer needs privileges to create and modify tables, indexes, views, and stored procedures, but does not need (and should not be granted) privileges to drop (delete) tablespaces or recover the database. You can create user accounts for database administration, and grant only a subset of administrative privileges to those accounts.
In addition, you may want to create user accounts that are used by applications only. That is, nobody logs in with these accounts; instead, applications use these accounts to connect to the database, and users log in to the applications. This type of user account avoids giving application users the ability to log in to the database directly, where they could unintentionally cause damage. See "About User Privileges and Roles" for more information.
When you create a user account, you are also implicitly creating a schema for that user. A schema is a logical container for the database objects (such as tables, views, triggers, and so on) that the user creates. The schema name is the same as the user name, and can be used to unambiguously refer to objects owned by the user. For example, hr.employees
refers to the table named employees
in the hr
schema. (The employees
table is owned by hr
.) The terms database object and schema object are used interchangeably.
When you delete a user, you must either simultaneously delete all schema objects of that user, or you must have previously deleted the schema objects in separate operations.
Predefined User Accounts
In addition to the user accounts that you create, the database includes several user accounts that are automatically created upon installation.
All databases include the administrative accounts SYS
, SYSTEM
, and DBSNMP
. Administrative accounts are highly privileged accounts, and are needed only by individuals authorized to perform administrative tasks such as starting and stopping the database, managing database memory and storage, creating and managing database users, and so on. You log in to Oracle Enterprise Manager Database Express (EM Express) with SYS
or SYSTEM
. You assign the passwords for these accounts when you create the database with Oracle Database Configuration Assistant (DBCA). You must not delete these accounts.
All databases also include internal accounts, which are automatically created so that individual Oracle Database features or components such as Oracle Application Express can have their own schemas. To protect these accounts from unauthorized access, they are initially locked and their passwords are expired. (A locked account is an account for which login is disabled.) You must not delete internal accounts, and you must not use them to log in to the database.
Your database may also include sample schemas, if you chose the option to create the sample schemas in your database when the database was installed. The sample schemas are a set of interlinked schemas that enable Oracle documentation and Oracle instructional materials to illustrate common database tasks. These schemas also provide a way for you to experiment without endangering production data.
Each sample schema has a user account associated with it. For example, the hr
user account owns the hr
schema, which contains a set of simple tables for a human resources application. The sample schema accounts are also initially locked and have an expired password. As the database administrator, you are responsible for unlocking these accounts and assigning passwords to these accounts.
See Also:
Oracle Database 2 Day + Security Guide for a list of predefined user accounts
"SYS and SYSTEM Users" for information about the recommended alternative to using the SYSTEM
account for day-to-day administrative tasks
Oracle Database Sample Schemas for a description of the sample schemas
Oracle Database Concepts for an overview of database security