Managing users and security Akhtar Ali

Aims Understand and manage profiles Understand and manage users Understand and manage privileges Understand and manage database auditing Understand and manage roles

Profiles Profiles are used to control system resource usage, they can be used to : –Define limits for resources –Password management –Control by different user communities When a database is created a profile called DEFAULT is created which is implicitly assigned to all users

Resource management Profiles allow you to control the following resources: –Concurrent sessions per users –Elapsed time connected to the database –CPU time used –Private SQL and PLSQL areas used by the SGA The limit for each resource is specified as an integer or UNLIMITED or DEFAULT Initial values for DEFAULT are all UNLIMITED

Resource management example CREATE PROFILE demo_user LIMIT SESSIONS_PER_USER6 CONNECT_TIME1440 IDLE_TIME120 LOGICAL_READS_PER_CALL PASSWORD_LIFE_TIME60 PASSWORD_REUSE_TIME90 PASSWORD_REUSE_MAXUNLIMITED FAILED_LOGIN_ATTEMPTS6;

Managing passwords Passwords can be managed by profiles PASSWORD_LIFE_TIME60 PASSWORD_REUSE_TIME90 PASSWORD_REUSE_MAXUNLIMITED Also FAILED_LOGIN_ATTEMPTS, PASSWORD_GRACE_TIME, PASSWORD_LOCK_TIME, PASSWORD_VERIFY_FUNCTION etc.

Resource management If a user fails password profile’s limit then the account will be locked. The DBA can unlock the account by entering: ALTER USER ACCOUNT UNLOCK DBA can also lock a users by entering: ALTER USER ACCOUNT LOCK Locking account prevents anyone connecting to the DB as the user even if they have the correct password but will not prevent users accessing objects in the locked account.

Password verification function You can create a function to verify complexity of the passwords, and assign the function name to the PASSWORD_VERYFY_FUNCTION parameter in the profile This function must return a Boolean value Default verification function is verify_function which can be found in the script utlpwdmg.sql

Altering, dropping and assigning profiles ALTER PROFILE Changes take effect next time user connects DROP PROFILE Cascade option is required if user is assigned the profile being dropped, it will be replaced with DEFAULT ALTER USER PROFILE This can be assigned on creation.

Querying profile information Profile information is queried in dictionary views DBA_PROFILES – information about each profile in system USER_RESOURCE_LIMITS – shows resource limits defined for current user USER_PASSWORD_LIMITS – shows the password limits defined for current user RESOURCE_COST – shows the weighting for resource cost for the composite limit

Managing users Users are managed using –CREATE USER –ALTER USER –DROP USER –GRANT –REVOKE

Creating users 1 CREATE USER test1 IDENTIFIED BY testpassword DEFAULT TABLESPACE users TEMPORARY TABLESPACE temp QUOTA UNLIMITED ON users QUOTA 1M ON indx PROFILE application_user PASSWORD EXPIRE ACCOUNT UNLOCK;

Creating users 2 If omitted default tablespace is SYSTEM Temporary tablespace default is the databases temporary tablespace if defined else it is SYSTEM You cannot specify the undo tablespace as the default or temp tablespace You can use unlimited for tablespace quota Password expire means that the users will be prompted for a new password at the first login User must be granted create session and resource privilege to be able to login and create objects

Altering and dropping users ALTER USER DROP USER CASCADE Cascade will drop all objects in user, if omitted and objects exits in user then exception will be raised

Authentication 3 types in Oracle –Database authentication – checks DB user is a legitimate user for the DB and password supplied is correct DEFAULT –External authentication – checks users is legitimate user for DB and password is validated by OS or network –Global authentication – checks the user is legitimate for DB, password is validated by oracle security service a separate service (costs extra)

Database authentication CREATE USER test2 IDENTIFIED BY anotherpassword; The key word IDENTIFIED BY tells oracle that the account is a database authenticated account The above is the minimum required for the create user statement

Externally authenticated user User accounts can be configured to rely on checking passwords at the OS level. The init.ora parameter is os_authent_prefix and the string defined must be pre-pended to the OS account name. If the default (OPS$) was used then the OS user test2 would have been created in Oracle as CREATE USER OPS$test2 INDENTIFIED EXTERNALLY

Globally authenticated user accounts User accounts can be configured to rely on password checking from an X.509 enterprise directory service Create user SSO identified by globally as ‘/scott/divisiona1/sybex/uk/’; Keyword IDENTIFIED GLOBALLY AS tells oracle that the account uses global authentication. Used when organisation requires single sign on system.

Querying user information DBA_USERS – information on all users DBA_TS_QUOTAS – lists the quota assigned to each user, -1 indicates unlimited quota Encrypted password is held in DBA_USERS This can be used to create a user in same or different DB without the DBA actually knowing what the password is. Select user_name, password from dba_users where user_name = ‘test2’;

Managing roles CREATE ROLE to create new roles DROP ROLE ALTER USER assigns roles SET ROLE to enable Look in DBA_ROLES,DBA_SESSION_ROLES, DBA_ROLES_PRIVS, ROLE_ROLE_PRIVS and ROLE_SYS_PRIVS

Auditing the database Oracles auditing of the database is about storing information on database activity. You can audit: –Statements – audit select on by audits all select statement performance by –Privilege – audit create trigger audits all users who executes create trigger privilege –Object – audit select on.demo monitors the select statement performed on the demo table

Auditing examples Audit session Audit session whenever successful; Audit session whenever not successful; Audit session by, whenever successful; Audit update delete of.demo by access whenever successful;

DBA audit tables The database audit trail (SYS.AUD$) is a single table in each oracle database DD To help you meaningfully view auditing information in this table, several predefined views are available If you disable auditing and no longer need the audit trail view delete them by connecting to the database as sys and running the script file CATNOAD.SQL

Globalisation support 1 Globalisation support is used to store and retrieve data in a native language and format Oracle supports a wide range of languages and character set and uses UNICODE to support the languages When you create the db you can specify a character set which is defines what character set to use within the database if non e is specified then US2ASCII character set will be used You can only change the dataset once the db has been create if the new dataset is a superset of the exiting character dataset.

Globalisation support 2 You can specify a second character set with the NATIONAL CHARACTER SET clause which defines how data is stored in data types Nchar, Nvarchar2 and Nclob columns The default national character set is AF16UTF16

Sample question Which command is used to assign a profile to an existing user 1.Alter profile 2.Alter user 3.Set profile 4.The profile should be specified when creating the user and cannot be changed

Sample 2 What happens when you create a new user and do not specify a profile 1.Oracle prompts you for a profile name 2.No profile is assigned to the user 3.The DEFAULT profile is assigned 4.The SYSTEM profile is assigned