INTRODUCTION OF WEEK 7: Assignment Discussion. Graded: 3-1-2 (Creation of Database) (All submitted!). Naming standard, Logical to physical design.

Presentation transcript:

INTRODUCTION OF WEEK 7
- Assignment Discussion
  - Graded: 3-1-2 (Creation of Database) (All submitted!)
    - Naming standard, Logical to physical design
    - OEM required Listener configuration, Delete group 3
    - Lessons learned (10 points): error and resolution, documentation as future instruction manual, reflection of your learning
    - Turn in the only in the future, not and
  - Turned in: 5-1 (Connectivity Paper)
  - Due this week: 6-1 (High Availability Paper)
- Review of previous week and module
  - Database Change Management
  - Availability Requirement and Architecture
  - Database access validation: were you able to use OEM and SQL Plus?
- Overview of this week
  - Database Security
  - User Management and Security in Oracle
  - Midterm Review

MODULE 3 DATABASE MANAGEMENT
Section 3 Database Security

DATA INTEGRITY
- Database structure integrity
  - Index corruption, data block corruption
  - Invalid objects
  - Managing structural problems: DBMS utility
- Semantic data integrity
  - Entity integrity – primary key should be used
  - Check constraint, rules in SQL Server – validate data
  - Trigger – a piece of code that is executed automatically when a data modification happens
  - Referential integrity – establish the relationship between primary and foreign key columns

2011 Fall, ITEC 450

ASPECTS OF DATABASE SECURITY
- Authorization – controlling access to data
- Authentication – restricting access to legitimate users
- Auditing – ensuring accountability and inspection
- Encryption – safeguarding key data in the database
- Enterprise security – managing the security of the entire organizational information structure beyond the database itself

AUTHORIZATION
- Authorization – controlling access to data
  - Policy issues – what info should be viewed
  - Integrity issues – preventing unexpected results
- Types of privileges
  - Data access – read, write, or reference to a table, a view
  - Database object – create or modify database objects
  - System – perform certain types of system-wide activities
  - Procedure – execute specific functions and stored procedures

AUTHORIZATION IMPLEMENTATION
- Data Control Language (DCL) – Grant and Revoke
- Grant different types of privileges
    GRANT SELECT, INSERT ON Titles TO user5;
    GRANT CREATE SESSION, CREATE TABLE TO user1;
    GRANT SELECT ANY TABLE TO user9;
    GRANT EXECUTE ON Proc1 TO user2, user5;
- Grant with GRANT option – pass the granted authority to others
    GRANT SELECT ON Titles TO user3 WITH GRANT OPTION;
- Revoke
    REVOKE INSERT ON Titles FROM user5;

ROLE AND GROUP
- Roles – a collection of granted privileges
  - A role is created with the CREATE ROLE statement.
  - The permissions are granted to the role.
  - The role is assigned to users using GRANT. These users get all the privileges from the role.
- Groups – DBMS built-in roles
  - System administrator: SYS in Oracle, SA in SQL Server
  - Database administrator: all privileges over the database
  - Operations control: perform certain operations such as backup and recovery
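The role workflow on this slide, written out as Oracle SQL. This is an added example, not part of the original slides: the role names titles_reader and titles_editor are hypothetical, Titles, user5 and user9 are reused from the GRANT examples on the previous slide, and the script assumes a DBA session that owns Titles.

```sql
-- Added example (not from the slides). Role names are hypothetical;
-- Titles, user5 and user9 come from the GRANT examples on the DCL slide.
-- Assumes a DBA session that owns Titles and the grants made on that slide.

-- 1. Create roles that describe a job function, not a person.
CREATE ROLE titles_reader;
CREATE ROLE titles_editor;

-- 2. Grant privileges to the roles. Oracle rejects WITH GRANT OPTION
--    on a grant to a role, so a role cannot pass object privileges on.
GRANT SELECT ON Titles TO titles_reader;
GRANT titles_reader TO titles_editor;            -- a role can contain a role
GRANT INSERT, UPDATE ON Titles TO titles_editor;

-- 3. Assign roles to users instead of granting privileges one by one.
GRANT titles_reader TO user9;
GRANT titles_editor TO user5;

-- 4. Remove the direct grants the roles replace: user5 still holds a
--    direct SELECT (its INSERT was already revoked on the DCL slide),
--    and user9 holds the database-wide SELECT ANY TABLE.
REVOKE SELECT ON Titles FROM user5;
REVOKE SELECT ANY TABLE FROM user9;

-- 5. Verify which roles each grantee holds and what each role carries.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee IN ('USER5', 'USER9', 'TITLES_EDITOR')
ORDER  BY grantee, granted_role;

SELECT role, owner, table_name, privilege
FROM   role_tab_privs
WHERE  role IN ('TITLES_READER', 'TITLES_EDITOR')
ORDER  BY role, privilege;

-- 6. Withdrawing access is one statement per user, whatever the role holds.
REVOKE titles_editor FROM user5;
```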

AUTHENTICATION
- Authentication – restricting access to legitimate users
- DBMS user ID and password
  - Password guidance and enforcement
- Operating system login ID and password
- LDAP authentication
  - A global login account is established for enterprise access.
  - In order to access a database, the global login account has to be associated with the database.
  - It provides single sign-on, or access with the same login and password.

AUDITING
- Auditing – ensuring accountability and inspection
- When auditing is enabled, the DBMS will produce an audit trail of database operations.
  - Auditing level – database, user, object
  - Auditing issues – performance degradation, storage usage
- Examples of audit facilities
  - Login and logoff attempts
  - Commands issued to an object
  - Stored procedure executions
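The three audit facilities listed on this slide, expressed with Oracle's traditional AUDIT statement and read back from the audit trail. This is an added example, not part of the original slides: it assumes an Oracle release that still supports traditional auditing with AUDIT_TRAIL set to DB, reuses Titles, Proc1 and user5 from the GRANT slide as sample names, and the five-failure threshold is an arbitrary illustration.

```sql
-- Added example (not from the slides): Oracle traditional auditing.
-- Assumes AUDIT_TRAIL=DB; Titles, Proc1 and user5 are sample names
-- reused from the GRANT slide.

-- Database level: login and logoff attempts.
AUDIT SESSION;

-- Object level: commands issued to an object, one record per statement.
AUDIT INSERT, UPDATE, DELETE ON Titles BY ACCESS;

-- Object level: stored procedure executions.
AUDIT EXECUTE ON Proc1 BY ACCESS;

-- User level: table reads and inserts by one account only.
AUDIT SELECT TABLE, INSERT TABLE BY user5 BY ACCESS;

-- What is switched on (each option costs performance and storage).
SELECT user_name, audit_option, success, failure
FROM   dba_stmt_audit_opts;

SELECT owner, object_name, object_type, ins, upd, del, exe
FROM   dba_obj_audit_opts
WHERE  object_name IN ('TITLES', 'PROC1');

-- Inspection 1: repeated failed logins in the last day.
-- RETURNCODE 1017 is ORA-01017, invalid username/password.
SELECT username, userhost, COUNT(*) AS failures, MAX(timestamp) AS last_seen
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode  = 1017
AND    timestamp   > SYSDATE - 1
GROUP  BY username, userhost
HAVING COUNT(*) >= 5            -- threshold is an arbitrary sample value
ORDER  BY failures DESC;

-- Inspection 2: who changed Titles, and whether the statement succeeded.
SELECT timestamp, username, action_name, returncode
FROM   dba_audit_trail
WHERE  obj_name = 'TITLES'
ORDER  BY timestamp;

-- Stop auditing an option once it is no longer needed.
NOAUDIT SELECT TABLE, INSERT TABLE BY user5;
```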

ENCRYPTION
- Encryption – protect sensitive data in the database
  - It is a security technique that encodes legible data into a scrambled format.
  - Encryption consists of applying an encryption algorithm to data using some pre-specified encryption key.
  - The resulting data has to be decrypted using a decryption key to recover the original data.
- Examples of encryption
  - Public key encryption
  - Digital signature

ENTERPRISE SECURITY
- Enterprise security – managing the security of the entire organizational information structure beyond the database itself
- System-related issues:
  - Operating system, database physical files, network access and control
- Legal and ethical issues

MODULE 3 DATABASE MANAGEMENT
Section 4 User Management and Security in Oracle

USER MANAGEMENT
- Creating a new user
  - Privilege required: “create user” system privilege
    SQL> CREATE USER mobeydick IDENTIFIED BY whitewhale;
- Altering a user – modifying the password, assigning resources, etc.
  - Privilege required: “alter user” system privilege
    SQL> ALTER USER Jim IDENTIFIED BY red;
    SQL> ALTER USER Jim DEFAULT TABLESPACE users;
- Resource
  - Default tablespace, temporary tablespace
  - Profile: limit on the amount of resources a user can use

ORACLE PRIVILEGES
- In Oracle, there are two types of privileges: system and object.
  - System privilege – allows a user to perform a particular action within the database, or on any schema objects
  - Object privilege – gives a user the ability to perform some operations on a specific object such as a table, view, procedure, or function
- A role is a named group of collected system and object privileges.

SYSTEM PRIVILEGE
- System privilege – allows a user to perform a particular action within the database, or on any schema objects
- Privilege required to grant one: the system privilege with ADMIN OPTION, or the GRANT ANY PRIVILEGE system privilege
- Examples:
  - CREATE SESSION: connect to a database
  - CREATE ANY INDEX, SELECT ANY TABLE
- Information is stored in: dba_sys_privs

OBJECT PRIVILEGE
- Object privilege – gives a user the ability to perform some operations on a specific object such as a table, view, procedure, or function
- Privilege required to grant one: being the owner of the object, holding the object privilege with the GRANT option, or the GRANT ANY OBJECT system privilege
- Examples:
    GRANT SELECT, INSERT ON Titles TO user1;
- Information is stored in: dba_tab_privs

ORACLE NAMING CONVENTION
- In the Oracle data dictionary, most object names begin with one of three prefixes:
  - USER_ – information about objects owned by the user performing the query
  - ALL_ – information from USER plus other objects on which privileges have been granted to PUBLIC or to the user
  - DBA_ – all database objects, regardless of owner
- Oracle dynamic views: current instance information
  - V$ – v$session contains info of all current sessions

EXAMPLES OF DATA DICTIONARY VIEWS
- DBA_USERS – information about all user accounts
- DBA_ROLES – all the roles in the database
- USER_TAB_PRIVS – table privileges for which you are the grantee, the grantor, or the object owner
- USER_SYS_PRIVS – system privileges that have been granted to the user
- USER_ROLE_PRIVS – roles that have been assigned to the user
- SESSION_PRIVS – system privileges currently enabled for the login user
- SESSION_ROLES – roles currently enabled for the user
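A privilege review built on the dictionary views named on this slide and on the system and object privilege slides (dba_sys_privs, dba_tab_privs). This is an added example, not part of the original slides: 'USER5' is a sample account name reused from the GRANT slide, and DBA_ROLE_PRIVS is a standard dictionary view that the slides do not list.

```sql
-- Added example (not from the slides). Needs read access to the DBA_ views.
-- 'USER5' is a sample account; DBA_ROLE_PRIVS is not listed on the slides.

-- 1. Database-wide "ANY" privileges and ADMIN OPTION held directly by
--    user accounts. The join to DBA_USERS drops grants made to roles;
--    other Oracle-supplied accounts may still need excluding by hand.
SELECT sp.grantee, sp.privilege, sp.admin_option
FROM   dba_sys_privs sp
JOIN   dba_users u ON u.username = sp.grantee
WHERE  (sp.privilege LIKE '% ANY %' OR sp.admin_option = 'YES')
AND    sp.grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY sp.grantee, sp.privilege;

-- 2. Object privileges the grantee may pass on (WITH GRANT OPTION),
--    which lets access spread without the owner's involvement.
SELECT grantee, owner, table_name, privilege, grantor
FROM   dba_tab_privs
WHERE  grantable = 'YES'
AND    grantee <> owner
ORDER  BY owner, table_name, grantee;

-- 3. Every system privilege one account can reach, including those
--    inherited through roles granted to roles (hierarchical walk).
SELECT DISTINCT sp.privilege, sp.grantee AS granted_via
FROM   dba_sys_privs sp
WHERE  sp.grantee = 'USER5'
OR     sp.grantee IN (SELECT granted_role
                      FROM   dba_role_privs
                      START  WITH grantee = 'USER5'
                      CONNECT BY PRIOR granted_role = grantee)
ORDER  BY sp.privilege, granted_via;

-- 4. The same question asked from inside that user's own session:
--    what is enabled right now, without needing the DBA_ views.
SELECT role      FROM session_roles ORDER BY role;
SELECT privilege FROM session_privs ORDER BY privilege;

-- 5. Object privileges where the current user is grantee, grantor or owner.
SELECT grantee, owner, table_name, privilege, grantable
FROM   user_tab_privs
ORDER  BY owner, table_name, privilege;
```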

MIDTERM REVIEW
- DBA roles and responsibilities
- DBMS architecture and selection drivers
- Oracle architecture
  - database vs. instance
  - logical and physical structures
  - high-level understanding of background processes and memory structure
- DBMS installation basics, change consideration
- Database design: conceptual, logical, and physical design
- Database connectivity layers, ODBC/JDBC architecture
- Oracle Net, Listener, purposes of “listener.ora” and “tnsnames.ora”
- Database change: types, impacts, and management
- Database high-availability problems and solutions
- Database security: aspects, authorization, authentication
- Oracle privileges: system and object, roles