Presentation is loading. Please wait.

Presentation is loading. Please wait.

Week 7 Lecture 1 Database Roles. Learning Objectives  Discover when and why to use roles  Learn how to create, modify, and remove roles  Learn how.

Published byLisa Day Modified over 8 years ago

Similar presentations

Presentation on theme: "Week 7 Lecture 1 Database Roles. Learning Objectives  Discover when and why to use roles  Learn how to create, modify, and remove roles  Learn how."— Presentation transcript:

1 Week 7 Lecture 1 Database Roles

2 Learning Objectives  Discover when and why to use roles  Learn how to create, modify, and remove roles  Learn how to assign roles  Examine data dictionary views of roles  Assign roles and privileges using the Enterprise Management console

3 Introduction to Roles  Role is a collection of privileges that is named and assigned to users or even to another role  Roles help simplify database maintenance by giving you an easy way to assign a set of privileges to new users

4 How to Use Roles  Simplify security  Grant privileges once to a role and then assign that role to multiple users  Revise the privileges in a role and the change is automatically reflected for every user who has the role.

5 Predefined Roles  CONNECT  Logs onto the database and performs limited activities within the user’s own schema, such as creating tables, views, synonyms, and database links.  DBA  Manages the database, including these tasks: creates users, profiles, and roles, and grants privileges; manages storage and security; starts up and shuts down the database.  DELETE_CATALOG_ROLE  Gives the user the ability to delete from tables owned by SYS. This role was added because the system privilege DELETE ANY TABLE specifically excludes deleting from tables owned by SYS.  EXECUTE_CATALOG_ROLE  Enables the user to execute any package supplied by Oracle that is owned by SYS. Most supplied packages are owned by SYS, and those most commonly used already allow users to execute them. If additional packages are needed, grant the user this role.

6 More Predefined Roles  EXP_FULL_DATABASE  Exports the database using the EXPORT utility.  IMP_FULL_DATABASE  Imports the database using the IMPORT utility.  RESOURCE  Provides more extensive abilities to create objects, such as procedures, triggers, and object types, for users who need to create their own objects.  SELECT_CATALOG_ROLE  Allows the user to query any data dictionary view or table owned by SYS. This can give a user more access to certain data dictionary views, although usually a user can already access those he needs, because the most common data dictionary views are viewable by all users.

7 Creating Roles  Roles used to consolidate a group of system or object privileges  Syntax for creating a role: CREATE ROLE NOT IDENTIFIED|IDENTIFIED BY

8 Creating Roles NOT IDENTIFIED means that no additional authorization is required. This is the default, so omitting the clause is the same as including NOT IDENTIFIED. Alternative option is IDENTIFIED BY, which means that the user must provide the correct password to be able to use the privileges within that role.

9 Granting Privileges to a Role  Granting privileges to a role is done in exactly the same way as granting privileges to a user  Syntax for the GRANT command, used to grant privileges to a role: GRANT TO ;  Cannot grant a privilege and add WITH ADMIN OPTION or WITH GRANT OPTION when granting to a role

10 Granting a Role to a User  To grant a role to a user, use the GRANT command again with the following syntax: GRANT TO | WITH ADMIN OPTION;  Include the WITH ADMIN OPTION only when you want the user to be able to grant the role to other users.  If you grant a role to a second role with the WITH ADMIN OPTION, any user who is granted the second role is allowed to grant the first role to others

11 Modifying a Role  The only part of a role you can change is whether it uses a password. Syntax of the ALTER ROLE command: ALTER ROLE NOT IDENTIFIED|IDENTIFIED BY  When a role switches to requiring a password, users currently logged on who are granted the role are unaffected until they log off and back on again.

12 Limiting Availability and Removing Roles You can control when a role becomes enabled for a user Default roles: The role’s creator or the DBA can adjust the default roles for a user using the ALTER USER command. Automatically enabled when the user logs onto the database. Enable roles: The user with a role can enable or disable his role with the SET ROLE command. Drop roles: The DBA can drop the role from the database entirely and thereby cancel the role for all users who had it.

13 Limiting Availability and Removing Roles Syntax for changing a user’s default role: ALTER USER DEFAULT ROLE,...|ALL|ALL EXCEPT,... |NONE

14 Limiting Availability and Removing Roles  The DBA can issue the ALTER USER command to adjust the default roles for a user  When it is granted to a user, the role is automatically in the list of default roles  The only way to remove the role from the user’s default roles is by issuing the ALTER USER command  To remove all the roles at once, use the NONE clause

15 Limiting Availability and Removing Roles  The user can issue the SET ROLE command to adjust his enabled roles  The SET ROLE command has the following syntax: SET ROLE IDENTIFIED BY,...|ALL|ALL EXCEPT|NONE

16 Limiting Availability and Removing Roles  To enable roles with passwords, include the IDENTIFIED BY clause  Any role not listed is disabled  Enable all roles by using ALL  Disable all roles by using NONE  The roles remain enabled or disabled until the user issues another SET ROLE command, or until the user logs off. When the user logs on again, his roles are reset to the default roles dictated by the DBA

17 Limiting Availability and Removing Roles  The user can issue the DROP ROLE command to revoke its privileges from all users and roles assigned it  The DROP ROLE command has the following syntax: DROP ROLE ;

18 Data Dictionary Information about Roles ALL_TAB_PRIVS_MADE All object privileges granted and by whom DBA_ROLE_PRIVS All roles and grantees including users and roles DBA_ROLES All the roles in the database DBA_SYS_PRIVS All system privileges granted to users or roles DBA_TAB_PRIVS All object privileges granted to users or roles

19 Data Dictionary Information about Roles ROLE_ROLE_PRIVS Roles granted to other roles that the current user can enable ROLE_SYS_PRIVS System privileges granted to roles that the current user can enable ROLE_TAB_PRIVS Object privileges granted to roles that the current user can enable SESSION_ROLES Roles currently enabled in your session

20 Roles in the Enterprise Manager Console  Security manager contains Rolls folder  If you select the Rolls folder you will see a list of all the defined rolls Rolls Folder Roll List

21 Roles in the Enterprise Manager Console  If you select a roll, the property sheet will be displayed for that roll  Selecting the System tab will allow you to see all system privileges granted to this roll System Tab CONNECT Roll System Privileges

22 Roles in the Enterprise Manager Console  Selecting the Object tab will allow you to see all object privileges granted to this roll  Available privileges are at the top, and granted privileges are at the bottom Object Tab Active Privileges SELALL Roll Granted Privileges

23 Roles in the Enterprise Manager Console  Clicking the up and down arrows grants and revokes privileges Available Privileges WANT_AD Object Grant and Revoke Arrows Granted Privileges

24 Roles in the Enterprise Manager Console  Once you have used the arrow to select a privilege to grant or remove, you must execute it by pressing the apply button Privilege to Grant Not Yet Applied Icon Apply Button  Privileges selected with the arrows but not yet applied are marked with an icon

25 Roles in the Enterprise Manager Console  Right click a role in the security manager and a popup will appear  Select Show Grantees from to display a window of all users granted this role User List Users Granted This Role Admin Option

26 Lecture Summary  Roles simplify security administration.  Roles can be granted other roles, system privileges, and object privileges.  Predefined roles help speed up administration by providing basic groupings of roles.  Roles with passwords add security to the roles.  You can grant system privileges and object privileges to a role, but you cannot use the WITH ADMIN OPTION or WITH GRANT OPTION clauses.

27 Lecture Summary  You can grant a role to a role and optionally include the WITH ADMIN OPTION clause.  Create a role with the CREATE ROLE command.  Change a role with the ALTER ROLE command.  Grant privileges to a role with the GRANT command.  USER_TAB_PRIVS does not list privileges granted to the user’s roles.  DBA_TAB_PRIVS includes privileges granted to roles.

28 Lecture Summary  Use the ROLE_ROLE_PRIVS view to find roles granted to other roles.  After a user has been granted a role, subsequent grants to the role are effective immediately for the user.  Default roles are roles enabled when you log on.  Use ALTER USER to change the default roles for a user.  Use SET ROLE to enable or disable roles in your current session.

29 Lecture Summary  Use DROP ROLE to drop a role.  Dropped roles are automatically revoked from users and other roles.  DBA_TAB_PRIVS lists all object privileges granted to users and roles.  The console displays roles and privileges within the Security Manager.

Download ppt "Week 7 Lecture 1 Database Roles. Learning Objectives  Discover when and why to use roles  Learn how to create, modify, and remove roles  Learn how."

Similar presentations

Tutorial EBSCOadmin User Groups support.ebsco.com.

Tutorial EBSCOadmin User Groups support.ebsco.com.
13 Copyright © Oracle Corporation, 2001. All rights reserved. Controlling User Access.

13 Copyright © Oracle Corporation, All rights reserved. Controlling User Access.
Oracle 10g Database Administrator: Implementation and Administration

Oracle 10g Database Administrator: Implementation and Administration
Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.

Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.
Chapter 9 Auditing Database Activities

Chapter 9 Auditing Database Activities
System Administration Accounts privileges, users and roles

System Administration Accounts privileges, users and roles
Oracle8 - The Complete Reference. Koch a& Loney1 By What Authority? Presented by Victor Matos.

Oracle8 - The Complete Reference. Koch a& Loney1 By What Authority? Presented by Victor Matos.
Advanced Databases Basic Database Administration Guide to Oracle 10g 1.

Advanced Databases Basic Database Administration Guide to Oracle 10g 1.
Administering User Security

Administering User Security
A Guide to MySQL 3. 2 Objectives Start MySQL and learn how to use the MySQL Reference Manual Create a database Change (activate) a database Create tables.

A Guide to MySQL 3. 2 Objectives Start MySQL and learn how to use the MySQL Reference Manual Create a database Change (activate) a database Create tables.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.

By Lecturer / Aisha Dawood 1.  Administering Users  Create and manage database user accounts.  Create and manage roles.  Grant and revoke privileges.
CHAPTER 6 Users and Basic Security. Progression of Steps for Creating a Database Environment 1. Install Oracle database binaries (Chapter 1) 2. Create.

CHAPTER 6 Users and Basic Security. Progression of Steps for Creating a Database Environment 1. Install Oracle database binaries (Chapter 1) 2. Create.
9 Copyright © 2005, Oracle. All rights reserved. Administering User Security.

9 Copyright © 2005, Oracle. All rights reserved. Administering User Security.
Copyright س Oracle Corporation, 1998. All rights reserved. 14 Controlling User Access.

Copyright س Oracle Corporation, All rights reserved. 14 Controlling User Access.
Database Programming Sections 13–Creating, revoking objects privileges.

Database Programming Sections 13–Creating, revoking objects privileges.
Week 6 Lecture 2 System and Object Privileges. Learning Objectives  Identify and manage system and object privileges  Grant and revoke privileges to.

Week 6 Lecture 2 System and Object Privileges. Learning Objectives  Identify and manage system and object privileges  Grant and revoke privileges to.
IS 221: DATABASE ADMINISTRATION Lecture 6:Create Users & Manage Users. Information Systems Department 1.

IS 221: DATABASE ADMINISTRATION Lecture 6:Create Users & Manage Users. Information Systems Department 1.
I NTRODUCTION OF W EEK 7  Assignment Discussion  Graded: 3-1-2 (Creation of Database) (All submitted!)  Naming standard, Logical to physical design.

I NTRODUCTION OF W EEK 7  Assignment Discussion  Graded: (Creation of Database) (All submitted!)  Naming standard, Logical to physical design.

Similar presentations

Ads by Google