Week 6 Lecture 2 System and Object Privileges
Learning Objectives Identify and manage system and object privileges Grant and revoke privileges to users Understand auditing capabilities and practice using auditing commands
Overview of Privileges Privileges allow users to perform operations on the database. 2 types of privileges: System privileges: gives user the ability to manage some part of the database Object privileges: gives user the ability to perform tasks on tables and objects owned by a schema
Identifying System Privileges Common system privileges include: SYSDBA: Allows the user to start up and shut down the database and to create an spfile (system initialization parameter file). The SYSTEM and SYS predefined users have this privilege. SYSOPER: Same as SYSDBA, but does not include the ability to create a database. CREATE SESSION: You assigned this privilege to a user in the previous chapter. This allows a user to log onto the database.
More System Privileges CREATE TABLE, CREATE INDEX, and CREATE VIEW: Allow users to create their own tables, indexes, and views. CREATE USER: DBA must have this privilege to create new users. You logged on as SYSTEM to create users in the previous chapter. CREATE ANY TABLE: Usually reserved for the DBA, allowing him or her to create a table in any schema. DROP ANY TABLE: Allows the user to drop any schema’s tables, except those needed by the database system itself (the data dictionary tables).
More System Privileges SELECT ANY TABLE: Usually reserved for the DBA, because it allows the user to query any table on the database. GRANT ANY PRIVILEGE, GRANT ANY OBJECT PRIVILEGE: Allow the user (preferably the DBA) to assign any system privilege or any object privilege to other users. BACKUP ANY TABLE: Allows the user to use the Export utility to export any table in the database. Exporting a form of backup that can be used to back up specific tables or schemas, or to back up the entire database.
Using Object Privileges Object privileges more pinpointed than system privileges. An object privilege has a much narrower focus. Object privileges always pertain to a table, function, procedure, or other object. Several different object privileges: some available only for tables and views others only available for functions, procedures, packages, or user-defined types.
Managing System and Object Privileges Privileges managed by granting and revoking privileges to users and roles. Granting a privilege allows the user to perform some action Revoking a privilege removes a privilege from a user so that he can no longer perform the action
Granting and Revoking System Privileges Basic syntax of the GRANT command for system privileges: GRANT,,...|ALL PRIVILEGES TO,...|PUBLIC WITH ADMIN OPTION;
Granting System Privileges List as many system privileges as you want, separating each with a comma. Can also substitute ALL PRIVILEGES for a list of privileges. Use with caution, because it grants the user all of the 100 plus system privileges except SELECT ANY DICTIONARY. Add the WITH ADMIN OPTION only when you want the user to be able to grant the same system privilege to other users. List all the users to whom you want to grant the same system privileges. Alternatively, use PUBLIC instead of a specific user name to grant the privilege to all users, including users created in the future.
Revoking System Privileges Basic syntax of the REVOKE command for system privileges: REVOKE,,...|ALL PRIVILEGES FROM,,...|PUBLIC; Final note about system privileges: System privileges are needed to create tables in the database. The owner (schema) of a table can automatically select, insert, update, and delete data in his own tables. However, no other users (except the DBA) are allowed to even see the table’s name without permission from the owner or the DBA. This is where object privileges come into play.
Granting Object Privileges Basic syntax for granting object privileges: GRANT,,... |ALL (,...) ON. TO,...|PUBLIC WITH GRANT OPTION WITH HIERARCHY OPTION;
Granting Object Privileges Column list: Used only when you want to grant a privilege for specific columns in the table or view. Could employ it as a security feature to restrict users from updating sensitive fields. Can only be used to grant UPDATE, REFERENCES, and DELETE privileges. PUBLIC: Can list object privileges for one object, and you can also list users who receive those privileges. Substituted for user names when you want to grant the privilege to all users.
Granting Object Privileges WITH GRANT OPTION: Similar to the WITH ADMIN OPTION. Use when you want the user to be able to issue grants to other users. WITH HIERARCHY OPTION: special feature used for objects that have subobjects. subobject is an object based on another object The option is included for completeness of syntax. Instructs Oracle9i to grant the object privilege to the user on the object and on all its subobjects.
Viewing Privileges DBA_SYS_PRIVS All system privileges granted DBA_TAB_PRIVS All object privileges granted USER_TAB_PRIVS_MADE All object privileges granted by the user USER_TAB_PRIVS_RECD All object privileges when the user is the grantee DBA_COL_PRIVS All object privileges on column lists SESSION_PRIVS User’s privileges currently enabled
Description of Auditing Capabilities Monitoring activity on the database is called auditing Frequently used to determine who is making unauthorized updates or deletions to sensitive data Three types of auditing that Oracle9i can run automatically
Description of Auditing Capabilities Statement auditing: Audits types of SQL commands. You must have the AUDIT SYSTEM privilege to use this type of auditing. Privilege auditing: Audits use of particular privileges. You must have the AUDIT SYSTEM privilege to use this type of auditing. Object auditing: Audits activity on a certain object. You can use the AUDIT command to set up object auditing for any object you own. Otherwise, you must have the AUDIT ANY privilege to audit objects.
Description of Auditing Capabilities Auditing has no effect until you set the AUDIT_TRAIL initialization parameter. Valid settings for AUDIT_TRAIL include: TRUE or DB: Starts auditing and places the audit trail records into the SYS.AUD$ table. FALSE or NONE: Turns off auditing. Default is NONE. OS: Starts auditing and places the audit trail records into an operating system file in the directory named in the AUDIT_FILE_DEST initialization parameter.
Object Auditing Syntax of the AUDIT command for object auditing: AUDIT,,...|ALL ON. |DEFAULT|NOT EXISTS BY SESSION|BY ACCESS WHENEVER SUCCESSFUL|WHENEVER NOT SUCCESSFUL;
Object Auditing To set this auditing for the automatic turn on of any new object that is created, substitute DEFAULT for an object name. Substitute NOT EXISTS for an object name, and Oracle9i creates an audit trail record for attempted actions that fail with the “object does not exist” error.
Privilege Auditing Syntax of the AUDIT command for privilege auditing: AUDIT,,...|ALL PRIVILEGES|CONNECT|RESOURCE|DBA BY BY SESSION|BY ACCESS WHENEVER SUCCESSFUL|WHENEVER NOT SUCCESSFUL;
SQL Statement Auditing Syntax of the AUDIT command for SQL statement auditing: AUDIT,,...|ALL BY BY SESSION|BY ACCESS WHENEVER SUCCESSFUL|WHENEVER NOT SUCCESSFUL;
Description of Auditing Capabilities BY SESSION: Tells Oracle9i to write one record to the audit trail for each session for the same SQL or privilege on the same object. Saves space in the audit trail. BY ACCESS: Tells Oracle9i to write one record to the audit trail for every occurrence of the audited event. The default. Can specify either BY ACCESS or BY SESSION, but not both.
Description of Auditing Capabilities WHENEVER SUCCESSFUL: Tells Oracle9i to write a record to the audit trail only when the operation is successful. WHENEVER NOT SUCCESSFUL: Tells Oracle9i to write a record to the audit trail only when the operation is not successful. If you don’t specify this or the previous clause, Oracle9i writes a record for the operation it is auditing regardless of whether it succeeds.
Viewing Audit Results DBA_AUDIT_EXISTS: Audit trail records generated by object auditing of non-existent objects DBA_AUDIT_OBJECT: Audit trail records generated by object auditing DBA_AUDIT_SESSION: Audit trail records generated by session auditing DBA_AUDIT_STATEMENT: Audit trail records generated by statement auditing DBA_AUDIT_TRAIL: All audit trail records All of these have a corresponding USER_counterpart, except DBA_AUDIT_EXISTS.
Stopping and Altering Audits Audits are turned off and modified with the NOAUDIT command The NOAUDIT command’s structure is exactly like the AUDIT command; it turns off the auditing it names You can turn off selective portions of the audit you have set up
Lecture Summary System privileges allow a user to manage some part of the database system Object privileges allow a user to work with an object. SYSDBA and SYSOPER are system privileges that allow a user to start up and shut down the database, as well as other high-level tasks The CREATE SESSION system privilege is needed to log onto the database
Lecture Summary Typical object privileges for a table include SELECT, INSERT, UPDATE, and DELETE The GRANT and REVOKE commands are used for both system and object privileges Use WITH ADMIN OPTION when granting system privileges to allow the user to grant that privilege to others
Lecture Summary A grant made to PUBLIC gives all users the privilege Revoked system privileges do not cascade to other users Use WITH GRANT OPTION when granting object privileges to allow the user to grant that privilege to others Revoked object privileges cascade to other users
Lecture Summary Object privileges can be granted on columns The owner of a table can grant object privileges on that table The grantor grants the privilege and the grantee receives the privilege Querying an object without privileges to query causes an error stating that the object does not exist
Lecture Summary Statement auditing is the monitoring of activity on a particular type of statement, such as SELECT Privilege auditing audits any command that is authorized by the privilege, such as CREATE TABLE Object auditing generates audit trail records as soon as the object is used, such as with SELECT or DELETE statements
Lecture Summary The SYS.AUD$ table holds auditing records unless the AUDIT_TRAIL initialization parameter is set to “OS” AUDIT_SYS_OPERATIONS is an initialization parameter that, when set to “TRUE,” causes Oracle9i to audit all activity by SYS or users with SYSDBA privileges BY ACCESS or BY SESSION tell Oracle9i whether to write a record for each occurrence of an audited event or a summary record for the session
Lecture Summary The following clauses limit the writing of audit trail records: WHENEVER SUCCESSFUL and WHENEVER NOT SUCCESSFUL AUDIT_TRAIL is a static parameter, so you must restart the database after changing it A group of data dictionary views shows audit trail records for each type of auditing Use the NOAUDIT command to stop specific auditing activities