Presentation is loading. Please wait.

Presentation is loading. Please wait.

M ODULE 3 D ATABASE M ANAGEMENT Section 3 Database Security 1 ITEC 450 Fall 2012.

Published byOliver Evelyn McCoy Modified over 9 years ago

Similar presentations

Presentation on theme: "M ODULE 3 D ATABASE M ANAGEMENT Section 3 Database Security 1 ITEC 450 Fall 2012."— Presentation transcript:

1 M ODULE 3 D ATABASE M ANAGEMENT Section 3 Database Security 1 ITEC 450 Fall 2012

2 TABLESPACE AND DATA FILLE Fall 2012 2 ITEC 450

3 TABLESPACE AND DATA FILLE Tablespaces are made up of at least one datafile You cannot create a table space without creating its initial datafile; you cannot create a datafile without an associated tablespace Big file tablespaces must be locally managed Undo tablespaces are specialized to store undo (rollback) data Fall 2012 3 ITEC 450

4 THE DATAFILE CLAUSE When creating a tablespace with a user-managed file, specify a datafile name in the command Each datafile must have a specified SIZE Exceptions: OMFs and named files that already exist Omitting AUTOEXTEND and SIZE parameters results in AUTOEXTEND set to ON Example: Fall 2012 4 ITEC 450

5 T HE EXTENT MANAGEMENT AND SEGMENT SPACE MANAGEMENT C LAUSES These clauses tell Oracle how to track the usage of blocks within each extent Locally vs. dictionary-managed  performance: Locally managed tablespaces store the map of where extents are in datafiles in a rapid access bitmap, in the header of the datafile Dictionary-managed tablespaces store this information in metadata, in the SYSTEM tablespace Fall 2012 5 ITEC 450

6 T HE EXTENT MANAGEMENT AND SEGMENT SPACE MANAGEMENT C LAUSES Deallocated extents return to free space list in data dictionary as a contiguous chunk of data blocks For these to be usable, the next object that needs an extent must be that exact size (or smaller) extent Otherwise, deallocated data blocks are passed over, and data blocks at the end of datafile are used Datafile grows faster than necessary If there are contiguous deallocated extents, they aren’t seen as a chunk of space until coalesced Coalescence: combining of multiple adjacent free extents into a single contiguous free extent Occurs periodically through the SMON background process Fall 2012 6 ITEC 450

7 T HE EXTENT MANAGEMENT AND SEGMENT SPACE MANAGEMENT C LAUSES Fall 2012 7 ITEC 450

8 C REATING A D ICTIONARY -M ANAGED T ABLESPACE Fall 2012 8 ITEC 450 Dictionary-managed tablespaces cause slower performance of DML commands Updates involve multiple tables behind the scenes Locally managed tablespaces reduce/eliminate the problem of unused free space gaps

9 C REATING A D ICTIONARY -M ANAGED T ABLESPACE Fall 2012 9 ITEC 450

10 S EGMENT T YPES AND T HEIR U SES Fall 2012 10 ITEC 450

11 T EMPORARY T ABLESPACE Temporary segments need a temporary tablespace Oracle recommends creating locally managed, temporary tablespaces You can also create multiple temporary tablespaces Require a tablespace group Group can be set as the default for the entire DB Assign the user a default temporary tablespace: Fall 2012 11 ITEC 450

12 A LTER TABLESPACE COMMAND Tasks you can handle with ALTER TABLESPACE: Change DEFAULT STORAGE settings for any future objects created in (dictionary-managed) tablespace Change the MINIMUM EXTENT size Change LOGGING to NOLOGGING and vice versa Change PERMANENT to TEMPORARY (vice versa) Change READ ONLY to READ WRITE (vice versa) Coalesce contiguous storage space Add a new datafile or temporary file Rename a datafile or temporary file Begin and end an open backup Fall 2012 12 ITEC 450

13 A LTER TABLESPACE COMMAND To change an existing datafile’s storage, you must use the ALTER DATABASE command instead: To modify tempfile: ALTER DATABASE TEMPFILE Fall 2012 13 ITEC 450

14 A LTER TABLESPACE COMMAND The status of a tablespace defines its availability to end-users and also defines how it is handled during backup and recovery ONLINE OFFLINE NORMAL TEMPORARY IMMEDIATE It is possible to take individual datafiles offline Fall 2012 14 ITEC 450

15 READ-ONLY TABLESPACE Fall 2012 15 ITEC 450

16 DROPPING & RENAMING TABLESPACES Fall 2012 16 ITEC 450

17 TABLESPACE VIEWS Fall 2012 17 ITEC 450

18 D ATA I NTEGRITY Database structure integrity Index corruption, data block corruption Invalid objects Managing structural problems: DBMS utility Semantic data integrity Entity integrity – primary key should be used Check constraint, rules in SQL Server – validate data Trigger – a piece of code that is executed automatically when a data modification happens Referential integrity – establish the relationship between primary and foreign key columns Fall 2012 18 ITEC 450

19 A SPECTS OF D ATABASE S ECURITY Authorization – controlling access to data Authentication – restricting access to legitimate users Auditing – ensuring accountability and inspection Encryption – safeguarding key data in the database Enterprise security – managing the security of the entire organizational information structure beyond database itself Fall 2012 19 ITEC 450

20 A UTHORIZATION Authorization – controlling access to data Policy issues – what info should be viewed Integrity issues – preventing unexpected results Types of privileges Data access – read, write, or reference to a table, a view Database object – create or modify database objects System – perform certain types of system-wide activities Procedure – execute specific functions and stored procedures Fall 2012 20 ITEC 450

21 A UTHORIZATION I MPLEMENTATION Data Control Language (DCL) – Grant and Revoke Grant different types of privileges GRANT SELECT, INSERT on Titles to user5; GRANT CREATE session, CREATE table to user1; GRANT SELECT ANY table to user9; GRANT EXECUTE on Proc1 to user2, user5; Grant with GRANT option – pass the granted authority to others GRANT SELECT on Titles to user3 WITH GRANT OPTION; Revoke REVOKE INSERT on Titles from user5; Fall 2012 21 ITEC 450

22 R OLE AND G ROUP Roles – a collection of granted privileges A role can be created using the CREATE ROLE. The permissions are granted to the role The role is assigned to users using GRANT. These users will get all the privileges from the role. Groups – DBMS built-in roles System administrator: SYS in Oracle, SA in SQL Server Database administrator: all privileges over the database Operations control: perform certain operations such as backup and recovery Fall 2012 22 ITEC 450

23 A UTHENTICATION Authentication – restricting access to legitimate users DBMS user ID and password Password guidance and enforcement Operating system login ID and password LDAP authentication A global login account is established for enterprise access In order to access a database, the global login account has to be associated with the database. It is a single sign-on or with same login and password Fall 2012 23 ITEC 450

24 A UDITING Auditing – ensuring accountability and inspection When auditing is enabled, the DBMS will produce an audit trail of database operations. Auditing level – database, user, object Auditing issues – performance degradation, storage usage Examples of audit facilities Login and logoff attempts Commands issued to an object Stored procedure executions Fall 2012 24 ITEC 450

25 E NCRYPTION Encryption – protect sensitive data in the database It is a security technique that encodes legible data into a scrambled format. Encryption consists of applying an encryption algorithm to data using some pre-specified encryption key. The resulting data has to be decrypted using a decryption key to recover the original data. Examples of encryption Public key encryption Digital signature Fall 2012 25 ITEC 450

26 E NTERPRISE S ECURITY Enterprise security – managing the security of the entire organizational information structure beyond database itself System-related issues: Operating system, database physical files, network access and control Legal and ethical issues Fall 2012 26 ITEC 450

27 M ODULE 3 D ATABASE M ANAGEMENT Section 4 User Management and Security in Oracle 27 ITEC 450 Fall 2012

28 U SER M ANAGEMENT Creating a new user Privilege required: “create user” system privilege SQL> CREATE USER mobeydick IDENTFIEDY BY whitewhale; Altering a user – modifying password, assign resource, etc. Privilege required: “alter user” system privilege SQL> ALTER USER Jim IDENTIFIED BY red; SQL> ALTER USER Jim DEFAULT TABLESPACE users; Resource Default tablespace, temporary tablespace Profile: limit on the amount of resources a user can use Fall 2012 28 ITEC 450

29 CREATE USER Fall 2012 29 ITEC 450

30 ALTER USER Fall 2012 30 ITEC 450

31 DROP USER Fall 2012 31 ITEC 450 Removing users requires the DROP USER system privilege, which the SYSTEM user has. DROP USER CASCADE; Use CASCADE if user owns tables or DB objects If a user has created other users, those users are not dropped when the creating user is dropped The new users do not belong to the original user’s schema If a user has created tables you want to keep, do not drop the user Instead, change the user account to LOCK status

32 PROFILES Specify a profile when you create/alter a DB user Profile: collection of settings that limits the use of system resources and the database A profile can be assigned to any number of users A user can be assigned only one profile at a time A newly assigned profile overrides the old one User’s current session isn’t affected by profile change DEFAULT profile has no resource or DB use limits As a system grows, resources may become stretched Profiles can be used for managing passwords too Fall 2012 32 ITEC 450

33 CREATE PROFILE CREATE PROFILE LIMIT......; Password settings: FAILED_LOGIN_ATTEMPTS, PASSWORD_LIFE_TIME, PASSWORD_REUSE_TIME, PASSWORD_REUSE_MAX, PASSWORD_LOCK_TIME, FAILED_LOGIN_ATTEMPTS, PASSWORD_GRACE_TIME, PASSWORD_VERIFY_FUNCTION You can limit nine resources: SESSSIONS_PER_USER, CPU_PER_SESSION, CPU_PER_CALL, CONNECT_TIME, IDLE_TIME, LOGICAL_READS_PER_SESSION, LOGICAL_READS_PER_CALL, PRIVATE_SGA, COMPOSITE_LIMIT Fall 2012 33 ITEC 450

34 PASSWORD MANAGEMENT There are three different areas to examine when working with passwords: Changing a password and making it expire Enforcing password time limits, history, and other settings Enforcing password complexity Uses a combination of a function and a profile Predefined SQL script to verify the complexity of a password Adjust the PASSWORD_VERIFY_FUNCTION setting in a profile and assign that profile to a user Fall 2012 34 ITEC 450

35 ALTER PROFILE ALTER PROFILE, with resource clauses listed: ALTER PROFILE LIMIT... SESSIONS_PER_USER CPU_PER_SESSION CPU_PER_CALL CONNECT_TIME IDLE_TIME LOGICAL_READS_PER_SESSION LOGICAL_READS_PER_CALL PRIVATE_SGA COMPOSITE_LIMIT Example: ALTER SYSTEM SET RESOURCE_LIMIT=TRUE; ALTER PROFILE PROGRAMMER LIMIT IDLE_TIME 15 CPU_PER_CALL 100; ALTER RESOURCE COST CPU_PER_SESSION 1000 PRIVATE_SGA 1; Fall 2012 35 ITEC 450

36 DROP PROFLE The syntax of DROP PROFILE is similar to the syntax for dropping a user in that it includes a CASCADE parameter: DROP PROFILE CASCADE; You must add CASCADE if any users have been assigned the profile being dropped Oracle automatically resets these users to the DEFAULT profile For example, if three users have been assigned to the ACCT_MGR profile, drop the profile like this: DROP PROFILE ACCT_MGR CASCADE; Fall 2012 36 ITEC 450

37 O RACLE P RIVILEGES In oracle, there are two types of privileges: system and object. System privilege - allowing a user to perform a particular action within the database, or on any schema objects Object privilege - gives user ability to perform some operations on a specific object such as table, view, procedure, function. A role is a named group of collected system and object privileges. Fall 2012 37 ITEC 450

38 S YSTEM P RIVILEGE System privilege - allowing a user to perform a particular action within the database, or on any schema objects Privilege required: the system privilege with ADMIN OPTION, or GRANT ANY PRIVILEGE system privilege Examples: CREATE SESSION: connect to a database CREATE ANY INDEX, SELECT ANY TABLE Information is stored in: dba_sys_privs Fall 2012 38 ITEC 450

39 O BJECT P RIVILEGE Object privilege - gives user ability to perform some operations on a specific object such as table, view, procedure, function Privilege required: the owner of the object, object privileges with the GRANT option, GRANT ANY OBJECT system privilege Examples: GRANT SELECT, INSERT ON Titles to user1; Information is stored in: dba_tab_privs Fall 2012 39 ITEC 450

40 OBJECT PRIVILEGES Fall 2012 40 ITEC 450

41 O RACLE N AMING C ONVENTION In Oracle data dictionary, most object names begin with one of three prefixes: USER_information about objects owned by the user performing the query ALL_ information from USER plus other objects on which privileges have been granted to PUBLIC or to the user DBA_all database objects, regardless of owner Oracle dynamic views: current instance information V$v$session contains info of all current sessions Fall 2012 41 ITEC 450

42 ROLES Fall 2012 42 ITEC 450

43 D ATA DICTIONARY VIEWS Fall 2012 43 ITEC 450

44 E XAMPLES OF D ATA D ICTIONARY V IEWS DBA_USERS – information about all user accounts DBA_ROLES – all the roles in the database USER_TAB_PRIVS – table privileges for which you are the grantee, the grantor, or the object owner USER_SYS_PRIVS – system privileges that have been granted to the user USER_ROLE_PRIVS – roles that have been assigned to the user SESSION_PRIVS – system privileges currently enabled for the login user SESSION_ROLES – roles currently enabled for the user Fall 2012 44 ITEC 450

45 M IDTERM R EVIEW DBA roles and responsibilities DBMS architecture and selection drivers Oracle architecture database vs. instance logical and physical structures high-level understand background processes and memory structure DBMS installation basics, change consideration Database design: conceptual, logical, and physical design Database connectivity layers, ODBC/JDBC architecture Oracle Net, Listener, purposes of “listener.ora” and “tnsnames.ora” Database change: types, impacts, and management Database high-availability problems and solutions Database security: aspects, authorization, authentication Oracle privileges: system and object, roles Fall 2012 45 ITEC 450

Download ppt "M ODULE 3 D ATABASE M ANAGEMENT Section 3 Database Security 1 ITEC 450 Fall 2012."

Similar presentations

The Architecture of Oracle

The Architecture of Oracle
Oracle Architecture. Instances and Databases (1/2)

Oracle Architecture. Instances and Databases (1/2)
Oracle 10g Database Administrator: Implementation and Administration

Oracle 10g Database Administrator: Implementation and Administration
Page Footer Keed Education Oracle Database Administration Basic Copyright 2009 Keed Education BV Version 0.0.1. Concept.

Page Footer Keed Education Oracle Database Administration Basic Copyright 2009 Keed Education BV Version Concept.
Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.

Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.
Basic Storage Concepts and Settings

Basic Storage Concepts and Settings
Database Management System

Database Management System
1 - Oracle Server Architecture Overview

1 - Oracle Server Architecture Overview
System Administration Accounts privileges, users and roles

System Administration Accounts privileges, users and roles
Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.

Backup The flip side of recovery. Types of Failures Transaction failure –Transaction must be aborted System failure –Hardware or software problem resulting.
Oracle8 - The Complete Reference. Koch a& Loney1 By What Authority? Presented by Victor Matos.

Oracle8 - The Complete Reference. Koch a& Loney1 By What Authority? Presented by Victor Matos.
Harvard University Oracle Database Administration Session 2 System Level.

Harvard University Oracle Database Administration Session 2 System Level.
Harvard University Oracle Database Administration Session 5 Data Storage.

Harvard University Oracle Database Administration Session 5 Data Storage.
About physical design After you have provided your scripts Understand the problems Present a template that can be used to report on the physical design.

About physical design After you have provided your scripts Understand the problems Present a template that can be used to report on the physical design.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 4 Profiles, Password Policies, Privileges, and Roles.
Advanced Databases Basic Database Administration Guide to Oracle 10g 1.

Advanced Databases Basic Database Administration Guide to Oracle 10g 1.
Database Security Managing Users and Security Models.

Database Security Managing Users and Security Models.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Oracle Database Administration Database files Logical database structures.

Oracle Database Administration Database files Logical database structures.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Similar presentations

Ads by Google