Provisioning Database Access

http://docs.oracle.com/cd/B19306_01/network.102/b14266/admusers.htm#i1006107

Create a User and Grant the Create Session System Privilege

CREATE USER jward
    IDENTIFIED BY AZ7BC2
    DEFAULT TABLESPACE data_ts
    QUOTA 100M ON TBS_NAME
    PROFILE USERS;

GRANT create session TO jward;

RESETTING USERS PASSWORD

ALTER USER andy IDENTIFIED BY swordfish;

Dropping Users - When a user is dropped, the user and associated schema are removed from the data dictionary and all schema objects contained in the user schema, if any, are immediately dropped.

DROP USER jones CASCADE;

User and Profile Information in Data Dictionary Views

View	Description
`DBA_USERS`	Describes all users of the database
`ALL_USERS`	Lists users visible to the current user, but does not describe them
`USER_USERS`	Describes only the current user
`DBA_TS_QUOTAS` `USER_TS_QUOTAS`	Describes tablespace quotas for users
`USER_PASSWORD_LIMITS`	Describes the password profile parameters that are assigned to the user
`USER_RESOURCE_LIMITS`	Displays the resource limits for the current user
`DBA_PROFILES`	Displays all profiles and their limits
`RESOURCE_COST`	Lists the cost for each resource
`V$SESSION`	Lists session information for each current session, includes user name
`V$SESSTAT`	Lists user session statistics
`V$STATNAME`	Displays decoded statistic names for the statistics shown in the `V$SESSTAT` view
`PROXY_USERS`	Describes users who can assume the identity of other users

Listing All Users and Associated Information

SELECT USERNAME, PROFILE, ACCOUNT_STATUS FROM DBA_USERS;
 
USERNAME        PROFILE         ACCOUNT_STATUS  
--------------- --------------- ---------------

Listing All Tablespace Quotas

SELECT * FROM DBA_TS_QUOTAS;

TABLESPACE    USERNAME    BYTES     MAX_BYTES    BLOCKS    MAX_BLOCKS
----------    ---------  --------   ----------   -------   ----------

Listing All Profiles and Assigned Limits

SELECT * FROM DBA_PROFILES
   ORDER BY PROFILE;

PROFILE             RESOURCE_NAME              RESOURCE   LIMIT             
-----------------   ---------------            ---------- --------------

Viewing Memory Use for Each User Session

SELECT USERNAME, VALUE || 'bytes' "Current UGA memory"
   FROM V$SESSION sess, V$SESSTAT stat, V$STATNAME name
WHERE sess.SID = stat.SID
   AND stat.STATISTIC# = name.STATISTIC#
   AND name.NAME = 'session uga memory';

To see the maximum UGA memory ever allocated to each session since the instance started, replace 'session uga memory' in the preceding query with 'session uga memory max'.

A user privilege is a right to execute a particular type of SQL statement, or a right to access another user's object.

Roles, on the other hand, are created by users (usually administrators) and are used to group together privileges
or other roles. They are a means of facilitating the granting of 
multiple privileges or roles to users.

A profile is a named set of resource limits and password parameters that

restrict database usage and instance resources for a user.

Create a profile

CREATE PROFILE clerk LIMIT
    SESSIONS_PER_USER 1
    IDLE_TIME 30
    CONNECT_TIME 600;

Drop a profile

DROP PROFILE clerk CASCADE;

Predefined Roles

Role Name	Created By (Script)	Description
`CONNECT`	`SQL.BSQ`	Includes only the following system privilege: `CREATE SESSION`
`RESOURCE`	`SQL.BSQ`	Includes the following system privileges: `CREATE CLUSTER`, `CREATE INDEXTYPE`, `CREATE OPERATOR`, `CREATE PROCEDURE`, `CREATE SEQUENCE`, `CREATE TABLE`, `CREATE TRIGGER`, `CREATE TYPE`
`DBA`	`SQL.BSQ`	All system privileges `WITH ADMIN OPTION`
`EXP_FULL_DATABASE`	`CATEXP.SQL`	Provides the privileges required to perform full and incremental database exports and includes: `SELECT ANY TABLE`, `BACKUP ANY TABLE`, `EXECUTE ANY PROCEDURE`, `EXECUTE ANY TYPE`, `ADMINISTER RESOURCE MANAGER`, and `INSERT`, `DELETE`, and `UPDATE` on the tables `SYS.INCVID`, `SYS.INCFIL`, and `SYS.INCEXP`. Also the following roles: `EXECUTE_CATALOG_ROLE` and `SELECT_CATALOG_ROLE`.
`IMP_FULL_DATABASE`	`CATEXP.SQL`	Provides the privileges required to perform full database imports. Includes an extensive list of system privileges (use view `DBA_SYS_PRIVS` to view privileges) and the following roles: `EXECUTE_CATALOG_ROLE` and `SELECT_CATALOG_ROLE`.
`DELETE_CATALOG_ROLE`	`SQL.BSQ`	Provides `DELETE` privilege on the system audit table (`AUD$`)
`EXECUTE_CATALOG_ROLE`	`SQL.BSQ`	Provides `EXECUTE` privilege on objects in the data dictionary. Also, `HS_ADMIN_ROLE`.
`SELECT_CATALOG_ROLE`	`SQL.BSQ`	Provides `SELECT` privilege on objects in the data dictionary. Also, `HS_ADMIN_ROLE`.
`RECOVERY_CATALOG_OWNER`	`CATALOG.SQL`	Provides privileges for owner of the recovery catalog. Includes: `CREATE SESSION`, `ALTER SESSION`, `CREATE SYNONYM`, `CREATE VIEW`, `CREATE DATABASE LINK`, `CREATE TABLE`, `CREATE CLUSTER`, `CREATE SEQUENCE`, `CREATE TRIGGER`, and `CREATE PROCEDURE`
`HS_ADMIN_ROLE`	`CATHS.SQL`	Used to protect access to the Heterogeneous Services (HS) data dictionary tables (grants `SELECT`) and packages (grants `EXECUTE`). It is granted to `SELECT_CATALOG_ROLE` and `EXECUTE_CATALOG_ROLE` such that users with generic data dictionary access also can access the HS data dictionary.
`AQ_USER_ROLE`	`CATQUEUE.SQL`	Obsolete, but kept mainly for release 8.0 compatibility. Provides execute privilege on `DBMS_AQ` and `DBMS_AQIN`.
`AQ_ADMINISTRATOR_ROLE`	`CATQUEUE.SQL`	Provides privileges to administer Advance Queuing. Includes `ENQUEUE ANY QUEUE`, `DEQUEUE ANY QUEUE`, and `MANAGE ANY QUEUE`, `SELECT` privileges on AQ tables and `EXECUTE` privileges on AQ packages.

Creating a Role

CREATE ROLE clerk IDENTIFIED BY bicentennial;

Dropping Roles

DROP ROLE clerk;

Granting System Privileges and Roles

GRANT CREATE SESSION, accts_pay TO jward;

Creating a New User with the GRANT Statement

GRANT CONNECT TO ssmith IDENTIFIED BY p1q2r3;

Oracle enables you to create a new user with the GRANT statement. If you specify a password using the IDENTIFIED BY
 clause, and the user name/password does not exist in the database, then
 a new user with that user name and password is created. The above
example creates ssmith as a new user while granting ssmith the CONNECT system privilege

Granting Object Privileges

The following statement grants the SELECT, INSERT, and DELETE object privileges for all columns of the emp table to the users, jfee and tsmith:

GRANT SELECT, INSERT, DELETE ON emp TO jfee, tsmith;

Revoking System Privileges and Roles

The following statement revokes the `CREATE TABLE` system privilege and the `accts_rec` role from `tsmith`:

REVOKE CREATE TABLE, accts_rec FROM tsmith;

Revoking Object Privileges

The following statement revokes the `SELECT` and `INSERT` privileges on the `emp` table from the users `jfee` and `tsmith`:

REVOKE SELECT, insert ON emp FROM jfee, tsmith;

The following statement revokes all object privileges for the dept table that you originally granted to the human_resource role

REVOKE ALL ON dept FROM human_resources;

Viewing Privilege and Role Information

To access information about grants of privileges and roles, you can query the following data dictionary views:

View	Description
`DBA_COL_PRIVS` `ALL_COL_PRIVS` `USER_COL_PRIVS`	`DBA` view describes all column object grants in the database. `ALL` view describes all column object grants for which the current user or `PUBLIC` is the object owner, grantor, or grantee. `USER` view describes column object grants for which the current user is the object owner, grantor, or grantee.
`ALL_COL_PRIVS_MADE` `USER_COL_PRIVS_MADE`	`ALL` view lists column object grants for which the current user is object owner or grantor. `USER` view describes column object grants for which the current user is the grantor.
`ALL_COL_PRIVS_RECD` `USER_COL_PRIVS_RECD`	`ALL` view describes column object grants for which the current user or `PUBLIC` is the grantee. `USER` view describes column object grants for which the current user is the grantee.
`DBA_TAB_PRIVS` `ALL_TAB_PRIVS` `USER_TAB_PRIVS`	`DBA` view lists all grants on all objects in the database. `ALL` view lists the grants on objects where the user or `PUBLIC` is the grantee. `USER` view lists grants on all objects where the current user is the grantee.
`ALL_TAB_PRIVS_MADE` `USER_TAB_PRIVS_MADE`	`ALL` view lists the all object grants made by the current user or made on the objects owned by the current user. `USER` view lists grants on all objects owned by the current user.
`ALL_TAB_PRIVS_RECD` `USER_TAB_PRIVS_RECD`	`ALL` view lists object grants for which the user or `PUBLIC` is the grantee. `USER` view lists object grants for which the current user is the grantee.
`DBA_ROLES`	This view lists all roles that exist in the database.
`DBA_ROLE_PRIVS` `USER_ROLE_PRIVS`	`DBA` view lists roles granted to users and roles. `USER` view lists roles granted to the current user.
`DBA_SYS_PRIVS` `USER_SYS_PRIVS`	`DBA` view lists system privileges granted to users and roles. `USER` view lists system privileges granted to the current user.
`ROLE_ROLE_PRIVS`	This view describes roles granted to other roles. Information is provided only about roles to which the user has access.
`ROLE_SYS_PRIVS`	This view contains information about system privileges granted to roles. Information is provided only about roles to which the user has access.
`ROLE_TAB_PRIVS`	This view contains information about object privileges granted to roles. Information is provided only about roles to which the user has access.
`SESSION_PRIVS`	This view lists the privileges that are currently enabled for the user.
`SESSION_ROLES`	This view lists the roles that are currently enabled to the user.

Some examples of using these views follow. For these examples, assume the following statements have been issued:

CREATE ROLE security_admin IDENTIFIED BY honcho;

GRANT CREATE PROFILE, ALTER PROFILE, DROP PROFILE,
    CREATE ROLE, DROP ANY ROLE, GRANT ANY ROLE, AUDIT ANY,
    AUDIT SYSTEM, CREATE USER, BECOME USER, ALTER USER, DROP USER
    TO security_admin WITH ADMIN OPTION;

GRANT SELECT, DELETE ON SYS.AUD$ TO security_admin;

GRANT security_admin, CREATE SESSION TO swilliams;

GRANT security_admin TO system_administrator;

GRANT CREATE SESSION TO jward;

GRANT SELECT, DELETE ON emp TO jward;

GRANT INSERT (ename, job) ON emp TO swilliams, jward;

Listing All System Privilege Grants

The following query returns all system privilege grants made to roles and users:

SELECT * FROM DBA_SYS_PRIVS;

GRANTEE            PRIVILEGE                         ADM
--------------     --------------------------------- ---
SECURITY_ADMIN     ALTER PROFILE                     YES
SECURITY_ADMIN     ALTER USER                        YES
SECURITY_ADMIN     AUDIT ANY                         YES
SECURITY_ADMIN     AUDIT SYSTEM                      YES
SECURITY_ADMIN     BECOME USER                       YES
SECURITY_ADMIN     CREATE PROFILE                    YES
SECURITY_ADMIN     CREATE ROLE                       YES
SECURITY_ADMIN     CREATE USER                       YES
SECURITY_ADMIN     DROP ANY ROLE                     YES
SECURITY_ADMIN     DROP PROFILE                      YES
SECURITY_ADMIN     DROP USER                         YES
SECURITY_ADMIN     GRANT ANY ROLE                    YES
SWILLIAMS          CREATE SESSION                    NO
JWARD              CREATE SESSION                    NO

Listing All Role Grants

SELECT * FROM DBA_ROLE_PRIVS;

GRANTEE            GRANTED_ROLE                         ADM
------------------ ------------------------------------ ---

Listing the Current Privilege Domain of Your Session

The following query lists all roles currently enabled for the issuer:

SELECT * FROM SESSION_ROLES;

The following query lists all system privileges currently available in the security domain of the issuer, both from explicit privilege grants and from enabled roles:

SELECT * FROM SESSION_PRIVS;

Listing Roles of the Database

The `DBA_ROLES` data dictionary view can be used to list all roles of a database and the authentication used for each role.

The following query lists all the roles in the database:

SELECT * FROM DBA_ROLES;

Listing Information About the Privilege Domains of Roles

The `ROLE_ROLE_PRIVS`, `ROLE_SYS_PRIVS`, and `ROLE_TAB_PRIVS` data dictionary views contain information on the privilege domains of roles. For example, the following query lists all the roles granted to the `system_admin` role:

SELECT GRANTED_ROLE, ADMIN_OPTION
   FROM ROLE_ROLE_PRIVS
   WHERE ROLE = 'SYSTEM_ADMIN';

GRANTED_ROLE              ADM
----------------          ----
SECURITY_ADMIN            NO

The following query lists all the system privileges granted to the security_admin role:

SELECT * FROM ROLE_SYS_PRIVS WHERE ROLE = 'SECURITY_ADMIN';

The following query lists all the object privileges granted to the security_admin role:

SELECT TABLE_NAME, PRIVILEGE FROM ROLE_TAB_PRIVS
    WHERE ROLE = 'SECURITY_ADMIN';

Learner - A starter to work on a Database and its Administration

Monday, April 21, 2014