The fastest database in existence would have one control file, two redo log groups with
one member each, and no users.
If that sentence didn't catch your eye the first time, read it again.
A database must have users. Without them, there is no profit. But having users
connecting to your database presents a whole range of potential problems. You, the DBA,
must give them privileges to access other objects in the database. An open database is a
hackable database.
• Administrators
• Developers
• End users / Vendors / Customers / Viewers
The article you are reading now is stored in a database, and is being delivered by a web
application to your computer screen. At this moment, you are an end user. When you go
to the bank and use an ATM, you are a user of a database. The act of putting your ATM
card into a system and entering your PIN is your login to the application. From there, you
are a customer and viewer, able to select (view balance), insert (make a transaction), and
update (deposit/withdraw).
The main thing that you, the DBA, must apply to your users is the principle of least
privilege. Here are some ideas for making this principle work:
• Do not give your users more abilities than they need to get the job done
• Revoke unnecessary privileges from the PUBLIC pseudo-user
• Expire and lock unnecessary users
Schema: a schema is an owner; it contains a set of objects.
Users: There are 4 main accounts that are created during install: SYS, SYSTEM, SYSMAN
and DBSNMP. You have to adjust the parameter license_max_users to allow how many
SYSMAN: Used by OEM to monitor and gather performance stats, which are stored in the SYSAUX
tablespace.
DBSNMP: Same as SYS but for OEM; owns all internal tables in the SYSAUX tablespace.
To create user:
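Added example (not from the original notes): provisioning one application user under the principle of least privilege, then locking unused accounts and trimming PUBLIC, as the bullets above recommend. The user name app_user, the tablespace users and the grant on SCOTT.EMP are assumptions; run as a DBA.

```sql
-- Added example, not from the original notes. Names app_user and the
-- tablespace "users" are assumed; run as a DBA.

-- Create the account locked and with an expired password: nobody can use it
-- until a DBA unlocks it, and the first login must set a new password.
CREATE USER app_user IDENTIFIED BY "Initial#Pass1"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 50M ON users
  PASSWORD EXPIRE
  ACCOUNT LOCK;

-- The only system privilege an ordinary user needs is the right to log in.
GRANT CREATE SESSION TO app_user;

-- Object access is granted explicitly, per table and per operation.
GRANT SELECT, INSERT, UPDATE ON scott.emp TO app_user;

-- Provisioning done: unlock (the password is still expired, so a change is forced).
ALTER USER app_user ACCOUNT UNLOCK;

-- Expire and lock accounts that nobody should be logging in with,
-- for example the SCOTT demo schema.
ALTER USER scott PASSWORD EXPIRE ACCOUNT LOCK;

-- Strip privileges from PUBLIC that every account would otherwise inherit;
-- EXECUTE on UTL_FILE (file system access from SQL) is a typical candidate.
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;

-- Check the result: which accounts are open, and whether PUBLIC still has UTL_FILE.
SELECT username, account_status FROM dba_users
 WHERE account_status = 'OPEN';
SELECT table_name FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND privilege = 'EXECUTE' AND table_name = 'UTL_FILE';
```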
Privileges:
A privilege is the right to execute a particular type of SQL statement or the right to access
another user's objects.
Two types of privileges:
1. System privileges:
2. Object privileges:
• Each type of object has a different set of privileges associated with it.
• We can specify ALL (PRIVILEGES) to grant or revoke all available object privileges
for an object. ALL is not a keyword; it is a shortcut, a way of granting or revoking all
object privileges with one word.
• When all object privileges are granted using the ALL shortcut, individual privileges can
still be revoked.
• Likewise, all individually granted privileges can be revoked by specifying ALL.
• When REVOKE ALL is used, revoking causes integrity constraints to be deleted
(because they depend on the REFERENCES privilege that you are revoking), so
CASCADE CONSTRAINTS must be included in the REVOKE statement.
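Added example (not from the original notes) of the ALL shortcut, revoking one privilege out of it, and the CASCADE CONSTRAINTS requirement described in the last bullet. It uses the SCOTT.DEPT table and the user ROBERT from this chapter; ROBERT's table staff is an assumption, and the grants and revokes run as SCOTT (the owner) or a DBA.

```sql
-- Added example, not from the original notes. ROBERT's table "staff" is assumed.

-- Every object privilege on DEPT (SELECT, INSERT, ..., REFERENCES) in one word.
GRANT ALL ON scott.dept TO robert;

-- As ROBERT: the REFERENCES privilege received above allows a foreign key
-- from his own table to SCOTT.DEPT.
CREATE TABLE robert.staff (
  staff_id NUMBER PRIMARY KEY,
  deptno   NUMBER(2),
  CONSTRAINT fk_staff_dept FOREIGN KEY (deptno) REFERENCES scott.dept (deptno)
);

-- Privileges granted through ALL can still be revoked one at a time.
REVOKE DELETE ON scott.dept FROM robert;

-- Revoking everything now fails, because fk_staff_dept depends on REFERENCES:
--   REVOKE ALL ON scott.dept FROM robert;
--   ORA-01981: CASCADE CONSTRAINTS must be specified to perform this revoke
-- CASCADE CONSTRAINTS drops the dependent constraint as part of the revoke.
REVOKE ALL ON scott.dept FROM robert CASCADE CONSTRAINTS;

-- Verify: no privileges on DEPT remain for ROBERT and the foreign key is gone.
SELECT privilege FROM dba_tab_privs
 WHERE grantee = 'ROBERT' AND owner = 'SCOTT' AND table_name = 'DEPT';
SELECT constraint_name FROM dba_constraints
 WHERE owner = 'ROBERT' AND table_name = 'STAFF' AND constraint_type = 'R';
```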
Roles:
Create a role with the CREATE ROLE command and then grant the role to the user with
the GRANT command:
Then grant that Oracle role to other users, as in this case where we grant
select_data_role to the user ROBERT. Once this is done, ROBERT will be able to
query the EMP, DEPT and BONUS tables in the SCOTT schema:
Oracle roles have some limitations. In particular, object privileges that are granted through
Oracle roles cannot be used when writing PL/SQL code. When writing PL/SQL code,
you must have direct grants on the objects in the database that your code accesses.
If you wish to revoke an Oracle role from a user, simply use the REVOKE command as
demonstrated earlier in this chapter:
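Added example (not from the original notes) covering the select_data_role grant to ROBERT, the PL/SQL limitation, and the REVOKE. Names are those used in the chapter; the procedure count_emps is an assumption, and ROBERT is assumed to hold CREATE PROCEDURE.

```sql
-- Added example, not from the original notes. Procedure count_emps is assumed.

-- As SCOTT (owner) or a DBA: bundle read access in a role and grant it to ROBERT.
CREATE ROLE select_data_role;
GRANT SELECT ON scott.emp   TO select_data_role;
GRANT SELECT ON scott.dept  TO select_data_role;
GRANT SELECT ON scott.bonus TO select_data_role;
GRANT select_data_role TO robert;

-- As ROBERT: ad hoc SQL works, because roles are enabled in the session.
SELECT e.ename, d.dname
  FROM scott.emp e JOIN scott.dept d ON e.deptno = d.deptno;

-- As ROBERT: roles are ignored when PL/SQL is compiled, so this definer's
-- rights procedure is created with errors:
--   PL/SQL: ORA-00942: table or view does not exist
CREATE OR REPLACE PROCEDURE count_emps AS
  n NUMBER;
BEGIN
  SELECT COUNT(*) INTO n FROM scott.emp;
END;
/
-- Fix: a direct grant to the user (as SCOTT or a DBA), then recompile as ROBERT.
GRANT SELECT ON scott.emp TO robert;
ALTER PROCEDURE count_emps COMPILE;

-- Revoking the role removes the ad hoc access to DEPT and BONUS, but the
-- direct grant on EMP stays.
REVOKE select_data_role FROM robert;

-- Verify what ROBERT holds directly and what he still holds through roles.
SELECT grantee, table_name, privilege FROM dba_tab_privs
 WHERE grantee IN ('ROBERT', 'SELECT_DATA_ROLE');
SELECT granted_role FROM dba_role_privs WHERE grantee = 'ROBERT';
```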
In all releases prior to 10.2, the Oracle CONNECT role included the following system
privileges:
• ALTER SESSION
• CREATE CLUSTER
• CREATE DATABASE LINK
• CREATE SEQUENCE
• CREATE SESSION
• CREATE SYNONYM
• CREATE TABLE
• CREATE VIEW
Starting in release 10.2, the CONNECT role has had many privileges removed and only the
CREATE SESSION privilege remains.
Profiles:
Limitable resources
The following limits can be specified:
Kernel limits
Password limits
If a session exceeds one of these limits, Oracle will terminate the session. If there is a
logoff trigger, it won't be executed.
History of passwords
In order to track password-related profile limits, Oracle stores the history of passwords
for a user in user_history$.
The default cost assigned to a resource is unlimited. By setting resource limits, you can
prevent users from performing operations that will tie up the system and prevent other
users from performing operations.
You can use resource limits for security to ensure that users log off the system and do not
leave the session connected for long periods of time.
You can also assign a composite cost to each profile. The system resource limits can be
enforced at the session level, the call level or both.
• The session level is from the time the user logs into the database until the user exits.
• Call-level limits are enforced during the execution of each SQL statement.
• When a call-level limit is exceeded, the last SQL command issued is rolled back.
All the previous statements issued are still valid and the user can continue to
execute other SQL statements. The following system resources can be regulated
at the call level:
DBA_PROFILES
  Column         Definition
  Profile        the name given to the profile
  Resource_name  the name of the resource assigned to the profile
  Limit          the limit placed on the profile

RESOURCE_COST
  Column         Definition
  Resource_name  name of the resource
  Unit_cost      cost assigned

USER_RESOURCE_LIMITS
  Column         Definition
  Resource_name  the name of the resource
  Limit          the limit placed on the user
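Added example (not from the original notes) of a profile that combines kernel (resource) limits with password limits, assigns a composite cost, and then reads the three dictionary views described above. The profile name app_profile and the user app_user are assumptions; run as a DBA except where noted.

```sql
-- Added example, not from the original notes. Names app_profile and app_user are assumed.

-- Kernel limits are only enforced when RESOURCE_LIMIT is TRUE (password limits always are).
ALTER SYSTEM SET resource_limit = TRUE;

CREATE PROFILE app_profile LIMIT
  -- kernel limits: session level unless marked per call
  SESSIONS_PER_USER        3
  CONNECT_TIME             480      -- minutes; the session is terminated afterwards
  IDLE_TIME                30       -- minutes idle before the session is terminated
  CPU_PER_CALL             30000    -- hundredths of a second, enforced per call
  LOGICAL_READS_PER_CALL   100000   -- blocks, enforced per call (statement rolled back)
  -- password limits
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1        -- days the account stays locked after failures
  PASSWORD_LIFE_TIME       90       -- days
  PASSWORD_GRACE_TIME      7        -- days of warnings after expiry
  PASSWORD_REUSE_TIME      365      -- checked against the history kept in user_history$
  PASSWORD_REUSE_MAX       10;

-- Attach the profile to a user; limits apply from the next session.
ALTER USER app_user PROFILE app_profile;

-- Composite limit: weight the costed session resources, then cap the total.
ALTER RESOURCE COST cpu_per_session 10 logical_reads_per_session 1;
ALTER PROFILE app_profile LIMIT composite_limit 5000000;

-- DBA_PROFILES: what is limited and whether it is a KERNEL or PASSWORD resource.
SELECT resource_name, resource_type, limit FROM dba_profiles
 WHERE profile = 'APP_PROFILE' ORDER BY resource_type, resource_name;

-- RESOURCE_COST: the unit cost assigned to each composite-limit resource.
SELECT resource_name, unit_cost FROM resource_cost;

-- USER_RESOURCE_LIMITS: run as app_user to see the limits that apply to you.
SELECT resource_name, limit FROM user_resource_limits;
```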