Download presentation
Presentation is loading. Please wait.
Published byLisa Day Modified over 9 years ago
1
Week 7 Lecture 1 Database Roles
2
Learning Objectives Discover when and why to use roles Learn how to create, modify, and remove roles Learn how to assign roles Examine data dictionary views of roles Assign roles and privileges using the Enterprise Management console
3
Introduction to Roles Role is a collection of privileges that is named and assigned to users or even to another role Roles help simplify database maintenance by giving you an easy way to assign a set of privileges to new users
4
How to Use Roles Simplify security Grant privileges once to a role and then assign that role to multiple users Revise the privileges in a role and the change is automatically reflected for every user who has the role.
5
Predefined Roles CONNECT Logs onto the database and performs limited activities within the user’s own schema, such as creating tables, views, synonyms, and database links. DBA Manages the database, including these tasks: creates users, profiles, and roles, and grants privileges; manages storage and security; starts up and shuts down the database. DELETE_CATALOG_ROLE Gives the user the ability to delete from tables owned by SYS. This role was added because the system privilege DELETE ANY TABLE specifically excludes deleting from tables owned by SYS. EXECUTE_CATALOG_ROLE Enables the user to execute any package supplied by Oracle that is owned by SYS. Most supplied packages are owned by SYS, and those most commonly used already allow users to execute them. If additional packages are needed, grant the user this role.
6
More Predefined Roles EXP_FULL_DATABASE Exports the database using the EXPORT utility. IMP_FULL_DATABASE Imports the database using the IMPORT utility. RESOURCE Provides more extensive abilities to create objects, such as procedures, triggers, and object types, for users who need to create their own objects. SELECT_CATALOG_ROLE Allows the user to query any data dictionary view or table owned by SYS. This can give a user more access to certain data dictionary views, although usually a user can already access those he needs, because the most common data dictionary views are viewable by all users.
7
Creating Roles Roles used to consolidate a group of system or object privileges Syntax for creating a role: CREATE ROLE NOT IDENTIFIED|IDENTIFIED BY
8
Creating Roles NOT IDENTIFIED means that no additional authorization is required. This is the default, so omitting the clause is the same as including NOT IDENTIFIED. Alternative option is IDENTIFIED BY, which means that the user must provide the correct password to be able to use the privileges within that role.
9
Granting Privileges to a Role Granting privileges to a role is done in exactly the same way as granting privileges to a user Syntax for the GRANT command, used to grant privileges to a role: GRANT TO ; Cannot grant a privilege and add WITH ADMIN OPTION or WITH GRANT OPTION when granting to a role
10
Granting a Role to a User To grant a role to a user, use the GRANT command again with the following syntax: GRANT TO | WITH ADMIN OPTION; Include the WITH ADMIN OPTION only when you want the user to be able to grant the role to other users. If you grant a role to a second role with the WITH ADMIN OPTION, any user who is granted the second role is allowed to grant the first role to others
11
Modifying a Role The only part of a role you can change is whether it uses a password. Syntax of the ALTER ROLE command: ALTER ROLE NOT IDENTIFIED|IDENTIFIED BY When a role switches to requiring a password, users currently logged on who are granted the role are unaffected until they log off and back on again.
12
Limiting Availability and Removing Roles You can control when a role becomes enabled for a user Default roles: The role’s creator or the DBA can adjust the default roles for a user using the ALTER USER command. Automatically enabled when the user logs onto the database. Enable roles: The user with a role can enable or disable his role with the SET ROLE command. Drop roles: The DBA can drop the role from the database entirely and thereby cancel the role for all users who had it.
13
Limiting Availability and Removing Roles Syntax for changing a user’s default role: ALTER USER DEFAULT ROLE,...|ALL|ALL EXCEPT,... |NONE
14
Limiting Availability and Removing Roles The DBA can issue the ALTER USER command to adjust the default roles for a user When it is granted to a user, the role is automatically in the list of default roles The only way to remove the role from the user’s default roles is by issuing the ALTER USER command To remove all the roles at once, use the NONE clause
15
Limiting Availability and Removing Roles The user can issue the SET ROLE command to adjust his enabled roles The SET ROLE command has the following syntax: SET ROLE IDENTIFIED BY,...|ALL|ALL EXCEPT|NONE
16
Limiting Availability and Removing Roles To enable roles with passwords, include the IDENTIFIED BY clause Any role not listed is disabled Enable all roles by using ALL Disable all roles by using NONE The roles remain enabled or disabled until the user issues another SET ROLE command, or until the user logs off. When the user logs on again, his roles are reset to the default roles dictated by the DBA
17
Limiting Availability and Removing Roles The user can issue the DROP ROLE command to revoke its privileges from all users and roles assigned it The DROP ROLE command has the following syntax: DROP ROLE ;
18
Data Dictionary Information about Roles ALL_TAB_PRIVS_MADE All object privileges granted and by whom DBA_ROLE_PRIVS All roles and grantees including users and roles DBA_ROLES All the roles in the database DBA_SYS_PRIVS All system privileges granted to users or roles DBA_TAB_PRIVS All object privileges granted to users or roles
19
Data Dictionary Information about Roles ROLE_ROLE_PRIVS Roles granted to other roles that the current user can enable ROLE_SYS_PRIVS System privileges granted to roles that the current user can enable ROLE_TAB_PRIVS Object privileges granted to roles that the current user can enable SESSION_ROLES Roles currently enabled in your session
20
Roles in the Enterprise Manager Console Security manager contains Rolls folder If you select the Rolls folder you will see a list of all the defined rolls Rolls Folder Roll List
21
Roles in the Enterprise Manager Console If you select a roll, the property sheet will be displayed for that roll Selecting the System tab will allow you to see all system privileges granted to this roll System Tab CONNECT Roll System Privileges
22
Roles in the Enterprise Manager Console Selecting the Object tab will allow you to see all object privileges granted to this roll Available privileges are at the top, and granted privileges are at the bottom Object Tab Active Privileges SELALL Roll Granted Privileges
23
Roles in the Enterprise Manager Console Clicking the up and down arrows grants and revokes privileges Available Privileges WANT_AD Object Grant and Revoke Arrows Granted Privileges
24
Roles in the Enterprise Manager Console Once you have used the arrow to select a privilege to grant or remove, you must execute it by pressing the apply button Privilege to Grant Not Yet Applied Icon Apply Button Privileges selected with the arrows but not yet applied are marked with an icon
25
Roles in the Enterprise Manager Console Right click a role in the security manager and a popup will appear Select Show Grantees from to display a window of all users granted this role User List Users Granted This Role Admin Option
26
Lecture Summary Roles simplify security administration. Roles can be granted other roles, system privileges, and object privileges. Predefined roles help speed up administration by providing basic groupings of roles. Roles with passwords add security to the roles. You can grant system privileges and object privileges to a role, but you cannot use the WITH ADMIN OPTION or WITH GRANT OPTION clauses.
27
Lecture Summary You can grant a role to a role and optionally include the WITH ADMIN OPTION clause. Create a role with the CREATE ROLE command. Change a role with the ALTER ROLE command. Grant privileges to a role with the GRANT command. USER_TAB_PRIVS does not list privileges granted to the user’s roles. DBA_TAB_PRIVS includes privileges granted to roles.
28
Lecture Summary Use the ROLE_ROLE_PRIVS view to find roles granted to other roles. After a user has been granted a role, subsequent grants to the role are effective immediately for the user. Default roles are roles enabled when you log on. Use ALTER USER to change the default roles for a user. Use SET ROLE to enable or disable roles in your current session.
29
Lecture Summary Use DROP ROLE to drop a role. Dropped roles are automatically revoked from users and other roles. DBA_TAB_PRIVS lists all object privileges granted to users and roles. The console displays roles and privileges within the Security Manager.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.