• No results found

195 11 User Management And Database Security [ PUNISHER ] pdf

N/A
N/A
Info
Download
Protected

Academic year: 2020

Share "195 11 User Management And Database Security [ PUNISHER ] pdf"

Copied!
107
0
0

Loading.... (view fulltext now)

Download now ( 107 Page )

Full text

(1)Revision no.: PPT/2K403/02. User Management and Database Security.

(2) Revision no.: PPT/2K403/02. Oracle database security management 2. •. Controlling access to data ( authorization ). •. Authenticating users. •. Ensuring data integrity. •. Auditing user’s actions. •. Managing enterprise security. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(3) Revision no.: PPT/2K403/02. Managing Users 3. •. Creating new database users. •. Altering and dropping existing database users. •. Monitoring information about existing users. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(4) Revision no.: PPT/2K403/02. Users and Security 4. Account locking. Default tablespace. Temporary tablespace. Authentication mechanism. Role privileges. Security domain. Direct privileges. •. DBA defines users who can access db. •. Security domain defines the settings that apply to users. Tablespace quotas Resource limits. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(5) Revision no.: PPT/2K403/02. Database Schema 5. •. Schema: named collection of objects like tables, views, procedures, etc.. •. When a user is created a schema with same name is created. •. Hence username and schema name used interchangeably. •. Some of the objects a user can own. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(6) Checklist for Creating Users (Developers not end users). Revision no.: PPT/2K403/02. 6. •. Choose a username and authentication mechanism.. •. Identify tablespaces in which the user needs to store objects.. •. Decide on quotas for each tablespace.. •. Assign default tablespace and temporary tablespace.. •. Create a user.. •. Grant privileges and roles to the user.. •. If no default tablespace is assign to the user the System tablespace becomes the default for that user.. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(7) Creating a New User: Server Authentication. Revision no.: PPT/2K403/02. 7. • •. Set the initial password: Expires at login forcing user to change password CREATE USER anil IDENTIFIED BY panil DEFAULT TABLESPACE data01 TEMPORARY TABLESPACE temp QUOTA 15m ON data01 PASSWORD EXPIRE;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(8) Creating a New User: Operating System Authentication. Revision no.: PPT/2K403/02. 8. • •. Use OS_AUTHENT_PREFIX (in parameter file) Example: O/S User = user15 OS_AUTHENT_ PREFIX. Database User. OS_. OS_USER15. empty string ““. USER15. OPS$ (default). OPS$USER15 (default). Remote Login Possible No No. Yes. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(9) Creating a New User: Operating System Authentication (contd.). Revision no.: PPT/2K403/02. 9. •. E.g., An OS user tikekarr;. •. Use IDENTIFIED EXTERNALLY clause with create user. •. Also exists as a database user. •. Oracle will not validate. •. To use sql*plus say – Sqlplus /. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(10) Revision no.: PPT/2K403/02. Creating a New User: Guidelines 10. •. Choose a standard password initially; use O/S authentication sparingly.. •. Use the EXPIRE keyword to force users to reset their passwords.. •. Always assign temporary tablespace.. •. Restrict quotas to few users; use QUOTA UNLIMITED with caution.. •. Educate users: – To connect – To change password © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(11) Controlling Account Lock and Password. Revision no.: PPT/2K403/02. 11. ALTER ALTERUSER USERanil anil IDENTIFIED IDENTIFIEDBY BYhisgrandpa hisgrandpa PASSWORD PASSWORDEXPIRE; EXPIRE;. ALTER ALTERUSER USERanil anil IDENTIFIED IDENTIFIEDBY BYhisgrandpa hisgrandpa ACCOUNT ACCOUNTLOCK LOCK||UNLOCK; UNLOCK;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(12) Revision no.: PPT/2K403/02. Changing User Quota on Tablespace 12. •. To get a user out of system (fired/resigned): – – – – –. Use password expiration Lock account Alter password Change profile Export/import user schema elsewhere ALTER ALTERUSER USERanil anil QUOTA QUOTA00ON ONdata01; data01;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(13) Revision no.: PPT/2K403/02. Dropping a User 13. •. Use the CASCADE clause if the schema contains objects. DROP DROPUSER USERanil; anil;. DROP DROPUSER USERanil anilCASCADE; CASCADE;. •. User currently connected cannot be dropped. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(14) Revision no.: PPT/2K403/02. Monitoring Users 14. DBA_USERS DBA_USERS. DBA_TS_QUOTAS DBA_TS_QUOTAS. USERNAME USERNAME USER_ID USER_ID. USERNAME USERNAME TABLESPACE_NAME TABLESPACE_NAME. CREATED CREATED ACCOUNT_STATUS ACCOUNT_STATUS. BYTES BYTES MAX_BYTES MAX_BYTES. LOCK_DATE LOCK_DATE EXPIRY_DATE EXPIRY_DATE. BLOCKS BLOCKS MAX_BLOCKS MAX_BLOCKS. DEFAULT_TABLESPACE DEFAULT_TABLESPACE TEMPORARY_TABLESPACE TEMPORARY_TABLESPACE © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(15) Revision no.: PPT/2K403/02. Monitoring Users (contd.) 15. •. Select tablespace_name, blocks, max_blocks, bytes, max_bytes From dba_ts_quota Where username = ‘SCOTT’;. •. -1 in MAX_BLOCKS or MAX_BYTES indicates unlimited quota. •. Select username, account_status, temporary_tablespace From dba_users;. •. Lists all users, their account status and temp. ts. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(16) Revision no.: PPT/2K403/02. Exercise III Managing Users 16. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(17) Revision no.: PPT/2K403/02. Profiles 17. •. Are named sets of resource and password limits. •. Are assigned to users by the CREATE/ALTER USER command. •. Can be enabled or disabled. •. Can relate to the DEFAULT profile. •. Can limit system resources on session or call level. Account Default locking tablespace Authentication mechanism Role privileges. Temporary tablespace. Security domain Tablespace quotas. Direct Resource privileges limits. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(18) Revision no.: PPT/2K403/02. Managing Resources with Profiles 18. 1. Create profiles.. 2. Assign profiles to the user.. 3. Enable resource limits.. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(19) Revision no.: PPT/2K403/02. Creating a Profile: Resource Limit 19. CREATE CREATEPROFILE PROFILEdeveloper_prof developer_profLIMIT LIMIT SESSIONS_PER_USER SESSIONS_PER_USER22 CPU_PER_SESSION CPU_PER_SESSION10000 10000 IDLE_TIME IDLE_TIME60 60 CONNECT_TIME CONNECT_TIME480; 480;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(20) Revision no.: PPT/2K403/02. Setting Resource Limits at Session Level 20. Resource. Description. CPU_PER_SESSION. Total CPU time measured in hundredths of seconds. SESSIONS_PER_USER. Number of concurrent sessions allowed for each username. CONNECT_TIME. Elapsed connect time measured in minutes. IDLE_TIME. Periods of inactive time measured in minutes. LOGICAL_READS_PER _SESSION. Number of data blocks (physical and logical reads). PRIVATE_SGA. Private space in the SGA measured in bytes (for MTS only). © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(21) Revision no.: PPT/2K403/02. Setting Resources at Call Level 21. Resource. Description. CPU_PER_CALL. CPU time per call in hundredths of seconds. LOGICAL_READS_PER _CALL. Number of data blocks. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(22) Revision no.: PPT/2K403/02. Resource Parameter 22. •. Composite_limit – A composite limit is a sum of several of the resource parameters, measured in service units. – These resources are weighted by their importance. – Oracle takes into account four parameters to compute a weighted composite_limit: • • • •. Cpu_per_session Connect_time Logical_reads_per_session Private_sga.. – You can set a weight for these four parameter by using the alter resource cost statement.. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(23) Revision no.: PPT/2K403/02. Assigning Profiles to a User 23. CREATE CREATEUSER USERuser3 user3IDENTIFIED IDENTIFIEDBY BYuser3 user3 DEFAULT DEFAULTTABLESPACE TABLESPACEdata01 data01 TEMPORARY TEMPORARYTABLESPACE TABLESPACEtemp temp QUOTA QUOTAunlimited unlimitedON ONdata01 data01 PROFILE PROFILEdeveloper_prof; developer_prof;. ALTER ALTERUSER USERscott scott PROFILE PROFILEdeveloper_prof; developer_prof;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(24) Revision no.: PPT/2K403/02. Enabling Resource Limits 24. •. Set the initialization parameter RESOURCE_LIMIT to TRUE –. •. or. Enforce the resource limits by enabling the parameter with the ALTER SYSTEM command. ALTER ALTERSYSTEM SYSTEMSET SETRESOURCE_LIMIT=TRUE; RESOURCE_LIMIT=TRUE;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(25) Revision no.: PPT/2K403/02. Altering a Profile 25. ALTER ALTERPROFILE PROFILEdefault defaultLIMIT LIMIT SESSIONS_PER_USER SESSIONS_PER_USER55 CPU_PER_CALL CPU_PER_CALL3600 3600 IDLE_TIME IDLE_TIME30; 30;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(26) Revision no.: PPT/2K403/02. Dropping a Profile 26. DROP DROPPROFILE PROFILEdeveloper_prof; developer_prof;. DROP DROPPROFILE PROFILEdeveloper_prof developer_profCASCADE; CASCADE;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(27) Revision no.: PPT/2K403/02. Viewing Resource Limits 27. DBA_USERS. DBA_PROFILES. - profile - username. - profile - resource_name - resource_type (KERNEL) - limit. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(28) Revision no.: PPT/2K403/02. Password Management 28. Password history. Account locking. User. Setting up profiles Password expiration and aging. Password verification. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(29) Revision no.: PPT/2K403/02. Enabling Password Management 29. •. Set up password management by using profiles and assigning them to users.. •. Lock, unlock, and expire accounts using the CREATE USER or ALTER USER command.. •. Password limits are always enforced, even if RESOURCE_LIMIT for an instance is set to FALSE.. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(30) Revision no.: PPT/2K403/02. Creating a Profile: Password Settings 30. CREATE CREATEPROFILE PROFILEgrace_5 grace_5LIMIT LIMIT FAILED_LOGIN_ATTEMPTS FAILED_LOGIN_ATTEMPTS33 PASSWORD_LIFE_TIME PASSWORD_LIFE_TIME30 30 PASSWORD_REUSE_TIME PASSWORD_REUSE_TIME30 30 PASSWORD_VERIFY_FUNCTION PASSWORD_VERIFY_FUNCTIONverify_function verify_function PASSWORD_GRACE_TIME PASSWORD_GRACE_TIME5; 5;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(31) Revision no.: PPT/2K403/02. Password Settings 31. Parameter. Description. FAILED_LOGIN_ATTEMPTS Number of failed login attempts before lockout of the account PASSWORD_LOCK_TIME. PASSWORD_LIFE_TIME. PASSWORD_GRACE_TIME. Number of days for which the account remains locked upon password expiration Lifetime of the password in days after which the password expires Grace period in days for changing the password after the first successful login after the password has expired. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(32) Revision no.: PPT/2K403/02. Password Settings (contd.) 32. Parameter. Description. PASSWORD_REUSE_TIME. Number of days before a password can be reused. PASSWORD_REUSE_MAX. PASSWORD_VERIFY_FUNCTION. Maximum number of times a password can be reused. PL/SQL function that makes a password complexity check before a password is assigned. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(33) Revision no.: PPT/2K403/02. User- Provided Password Function 33. •. Function must be created in the SYS schema and must have the following specification:. function_name( function_name( userid_parameter userid_parameterIN INVARCHAR2(30), VARCHAR2(30), password_parameter password_parameterIN INVARCHAR2(30), VARCHAR2(30), old_password_parameter old_password_parameterIN INVARCHAR2(30)) VARCHAR2(30)) RETURN RETURNBOOLEAN BOOLEAN. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(34) Revision no.: PPT/2K403/02. Password Verification Function VERIFY_FUNCTION. 34. •. Minimum length is four characters. •. Password should not be equal to username. •. Password should have at least one alpha, one numeric, and one special character. •. Password should differ from the previous password by at least three letters. Password verification. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(35) Revision no.: PPT/2K403/02. Viewing Password Information 35. •. DBA_USERS – – – – –. •. profile username account_status lock_date expiry_date. DBA_PROFILES – – – –. profile resource_name resource_type (PASSWORD) limit. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(36) Resource Management Problem for Production Database. Revision no.: PPT/2K403/02. 36. •. • • • •. •. Batch job’s are taking up most of the available resources, which is hurting other, more critical jobs that need to run at the same time. Excessive loads at peak times are causing critical processes to run for an unacceptably long period of time. You schedule large jobs and really can’t predict when they might be launched. Some users are using an excessive amount of CPU, causing you to kill their session abruptly. Some users are using a very high degree of parallelism in their operations, which is hurting the performance of the system as a whole. You want to prioritize jobs according to some scheme, but you can’t do so using operating system resources. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(37) Revision no.: PPT/2K403/02. With Oracle's Database Resource Manager, a database administrator can:. 37. •. •. Guarantee certain users a minimum amount of processing resources regardless of the load on the system and the number of users Distribute available processing resources by allocating percentages of CPU time to different users and applications. – In a data warehouse, a higher percentage may be given to ROLAP (relational on-line analytical processing) applications than to batch jobs.. • •. Limit the degree of parallelism of any operation performed by members of a group of users Create an active session pool. – This pool consists of a specified maximum number of user sessions allowed to be concurrently active within a group of users. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(38) Revision no.: PPT/2K403/02. With Oracle's Database Resource Manager, a database administrator can: (contd.). 38. •. Allow automatic switching of users from one group to another group based on administrator-defined criteria. – If a member of a particular group of users creates a session that runs for longer than a specified amount of time, that session can be automatically switched to another group of users with different resource requirements.. • •. Prevent the execution of operations that are estimated to run for a longer time than a predefined limit Create an undo pool. – This pool consists of the amount of undo space that can be consumed in by a group of users.. •. Configure an instance to use a particular method of allocating resources. – You can dynamically change the method, for example, from a daytime setup to a nighttime setup, without having to shut down and restart the instance. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(39) Revision no.: PPT/2K403/02. Database Resource Manager Overview 39. • • •. Resources are allocated to users according to a resource plan specified by the database administrator. The following terms are used in specifying a resource plan: A resource plan – specifies how the resources are to be distributed among various users (resource consumer groups).. •. Resource consumer groups – allow the administrator to group user sessions together by resource requirements. Resource consumer groups are different from user roles; one database user can have different sessions assigned to different resource consumer groups.. •. Resource allocation methods – determine what policy to use when allocating for any particular resource. Resource allocation methods are used by resource plans and resource consumer groups. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(40) Revision no.: PPT/2K403/02. Database Resource Manager Overview (contd.) 40. •. Resource plan directives – are a means of assigning consumer groups to particular plans and partitioning resources among consumer groups by specifying parameters for each resource allocation method.. •. The Database Resource Manager also allows for creation of plans within plans, called subplans.. •. Subplans allow further subdivision of resources among different users of an application.. •. Levels provide a mechanism to specify distribution of unused resources among available users. Up to eight levels of resource allocation can be specified. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(41) Revision no.: PPT/2K403/02. Using the Database Resource Manager 41. •. A DBA can manage the Database Resource Manager through executing procedures in the Oracle-supplied DBMS_RESOURCE_MANAGER package.. •. Sequence of actions need to take to start using the Database Resource Manager – Create a pending area. – Create a consumer group. – Create a resource plan. – Create a plan directive. – Validate the pending area. – Submit the pending area. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(42) Revision no.: PPT/2K403/02. Creating a Pending Area 42. •. •. Before you can modify an old plan or create a new plan, you need to activate or create a pending area using the Database Resource Manager package. All resource plans created will be stored in the data dictionary. SQL> SQL>execute executedbms_resource_manager.create_pending_area; dbms_resource_manager.create_pending_area; PL/SQL PL/SQLprocedure proceduresuccessfully successfullycompleted. completed. SQL> SQL>execute executedbms_resource_manager.clear_pending_area; dbms_resource_manager.clear_pending_area; PL/SQL PL/SQLprocedure proceduresuccessfully successfullycompleted. completed.. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(43) Revision no.: PPT/2K403/02. Creating Consumer Groups 43. • •. Once the pending area is active, create the consumer groups to which users are allocated. You can assign users initially to one group, and you can later switch them to other groups if necessary. SQL> SQL>execute executedbms_resource_manager.create_pending_area; dbms_resource_manager.create_pending_area; PL/SQL PL/SQLprocedure proceduresuccessfully successfullycompleted. completed. SQL> SQL>execute executedbms_resource_manager.create_consumer_group dbms_resource_manager.create_consumer_group (consumer_group (consumer_group=> =>‘local’,comment ‘local’,comment=> =>‘local ‘localcouncils’); councils’); PL/SQL PL/SQLprocedure proceduresuccessfully successfullycompleted. completed. SQL> SQL>execute executedbms_resource_manager.create_consumer_group dbms_resource_manager.create_consumer_group (consumer_group (consumer_group=> =>‘regional’,comment ‘regional’,comment=> =>‘regional’); ‘regional’); PL/SQL PL/SQLprocedure proceduresuccessfully successfullycompleted. completed. SQL> SQL>execute executedbms_resource_manager.create_consumer_group dbms_resource_manager.create_consumer_group (consumer_group (consumer_group=> =>‘national’,comment ‘national’,comment=> =>‘national ‘nationaloffice’); office’); PL/SQL PL/SQLprocedure proceduresuccessfully successfullycompleted. completed. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(44) Revision no.: PPT/2K403/02. Checking what groups exist in your database 44. •. Use DBA_RSRC_CONSUMER_GROUPS view for information relating to what groups currently exist in your database.. SQL> SQL>SELECT SELECTconsumer_group, consumer_group,status statusFROM FROM dba_rscr_consumer_groups; dba_rscr_consumer_groups;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(45) Revision no.: PPT/2K403/02. Default groups in Oracle Database 45. •. Other_groups – This isn’t really a group, because you can’t assign users to it. – When a resource plan is active, other_groups is the catchall term for all sessions that don’t belong to this active resource plan.. •. Default_consumer_groups – If you don’t assign users to any group, they will, by default, become members of the default group.. •. Sys_group and low_group – These are part of the default system_plan that exists in every database. – Oracle supplies three plans for each database • SYSTEM_PLAN : Plan to give system sessions priority. • INTERNAL_QUIESCE : Plan to internally quiesce system. • INTERNAL_PLAN : Plan to give system sessions priority © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(46) Revision no.: PPT/2K403/02. Validate & submit pending area 46. • •. Once you create the groups, you can then validate your pending area. Once the changes are accepted as being correct, you can submit the changes through the Database Resource Manager. SQL> SQL>execute executedbms_resource_manager.validate_pending_area; dbms_resource_manager.validate_pending_area; PL/SQL PL/SQLprocedure proceduresuccessfully successfullycompleted. completed. SQL> SQL>execute executedbms_resource_manager.submit_pending_area; dbms_resource_manager.submit_pending_area; PL/SQL PL/SQLprocedure proceduresuccessfully successfullycompleted. completed. SQL> SQL>select selectconsumer_group, consumer_group,status statusfrom from dba_rsrc_consumer_groups; dba_rsrc_consumer_groups; © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(47) Revision no.: PPT/2K403/02. Assigning users to consumer groups 47. •. First grant the users privileges to switch their groups using dbms_resource_manager_privs.grant_switch_consumer_group. •. procedure. Use dbms_resource_manager_privs.set_initial_consumer_group procedure to switch. SQL> SQL>execute executedbms_resource_manager_privs.grant_switch_ dbms_resource_manager_privs.grant_switch_ consumer_group consumer_group('anil','local',TRUE); ('anil','local',TRUE); PL/SQL PL/SQLprocedure proceduresuccessfully successfullycompleted. completed. SQL> SQL>execute executedbms_resource_manager.set_inital_ dbms_resource_manager.set_inital_ consumer_group('anil','local'); consumer_group('anil','local'); PL/SQL PL/SQLprocedure proceduresuccessfully successfullycompleted. completed. Verify VerifyConsumer ConsumerGroup GroupMembership Membershipof ofUsers Users SQL> SQL>select selectusername, username,initial_rsrc_consumer_group initial_rsrc_consumer_groupfrom fromdba_users; dba_users; © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(48) Revision no.: PPT/2K403/02. Create Resource Plans and Plan Directives 48. •. Creating Resource Plans – Resource plans enable you to set limits on resource use by specifying limits on four variables: CPU, active session pool, degree of parallelism, and the order in which queued sessions will execute. – Currently, for all four parameters, only the default levels and methods provided by Oracle can be used. SQL> SQL>execute executedbms_resource_manager.create_pending_area; dbms_resource_manager.create_pending_area; PL/SQL PL/SQLprocedure proceduresuccessfully successfullycompleted. completed. SQL> SQL>execute executedbms_resource_manager.create_plan dbms_resource_manager.create_plan((plan plan=> => ‘membership_plan’, ‘membership_plan’,comment comment=> =>‘New ‘NewMembership Membership Recruitment’); Recruitment’); PL/SQL PL/SQLprocedure proceduresuccessfully successfullycompleted. completed. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(49) Revision no.: PPT/2K403/02. Create Resource Plans and Plan Directives (contd.) 49. •. Creating a Plan Directive – The plan directive assigns 70 percent of the available CPU at the first level to the local group and the rest, 30 percent, to the regional group. – It allocates 100 percent of the CPU at the second level to the national group. – In addition to the preceding three groups, you need to add a plan directive for the default other_groups for the Database Resource Manager to accept your plan directives.. •. If you don’t include a resource directive for other_groups, Oracle won’t let you use your directives for the other groups if the plan directives is for a primary or top plan. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(50) Revision no.: PPT/2K403/02. Create Resource Plans and Plan Directives (contd.) 50. SQL> SQL>execute executedbms_resource_manager.create_plan_directive dbms_resource_manager.create_plan_directive (plan (plan=> =>‘membership_plan’, ‘membership_plan’,GROUP_OR_SUBPLAN GROUP_OR_SUBPLAN=> => ‘local’, ‘local’,COMMENT COMMENT=> =>‘LOCAL ‘LOCALGROUP’, GROUP’,CPU_P1 CPU_P1=> =>70); 70); SQL> SQL>execute executedbms_resource_manager.create_plan_directive dbms_resource_manager.create_plan_directive (plan (plan=> =>‘membership_plan’, ‘membership_plan’,GROUP_OR_SUBPLAN GROUP_OR_SUBPLAN=> => ‘REGIONAL’, ‘REGIONAL’,COMMENT COMMENT=> =>‘regional ‘regionalgroup’, group’,CPU_P1 CPU_P1=> =>30); 30); SQL> SQL>execute executedbms_resource_manager.create_plan_directive dbms_resource_manager.create_plan_directive (plan (plan=> =>‘membership_plan’, ‘membership_plan’,GROUP_OR_SUBPLAN GROUP_OR_SUBPLAN=> => ‘national’, ‘national’,COMMENT COMMENT=> =>‘NATIONAL ‘NATIONALGROUP’, GROUP’,CPU_P2 CPU_P2=> =>100); 100); SQL> SQL>execute executedbms_resource_manager.create_plan_directive dbms_resource_manager.create_plan_directive (plan (plan=> =>'membership_plan', 'membership_plan',GROUP_OR_SUBPLAN GROUP_OR_SUBPLAN=> => 'OTHER_GROUPS', 'OTHER_GROUPS',comment comment=> =>'Default 'Defaultplan',CPU_P3 plan',CPU_P3=> =>100); 100); © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(51) Revision no.: PPT/2K403/02. Create Resource Plans and Plan Directives (contd.) 51. • •. You can now validate and submit your new top-level plan, membership_plan. Determining the status of the Resource Plans from dba_rsrc_plan_directives SQL> SQL>execute executedbms_resource_manager.validate_pending_area; dbms_resource_manager.validate_pending_area; PL/SQL PL/SQLprocedure proceduresuccessfully successfullycompleted. completed. SQL> SQL>execute executedbms_resource_manager.submit_pending_area; dbms_resource_manager.submit_pending_area; PL/SQL PL/SQLprocedure proceduresuccessfully successfullycompleted. completed. SQL> SQL>select selectplan, plan,group_or_subplan, group_or_subplan,cpu_p1, cpu_p1,cpu_p2,cpu_p3, cpu_p2,cpu_p3,status status from fromdba_rsrc_plan_directives; dba_rsrc_plan_directives; © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(52) Revision no.: PPT/2K403/02. Enabling the Database Resource Manager 52. • •. •. Oracle will not automatically enforce the resource plans. Explicitly activate the Database Resource Manager, either by specifying the initialization parameter resource_manager_plan in the init.ora file or by using the alter system command. Query V$RSRC_CONSUMER_GROUP to see what resource usage among the consumers groups looks like. SQL> SQL>alter altersystem systemset setresource_manager_plan=MEMBERSHIP_PLAN; resource_manager_plan=MEMBERSHIP_PLAN; System Systemaltered. altered. SQL SQLselect select**from fromv$rsrc_plan; v$rsrc_plan; SQL> SQL>select selectname, name,active_sessions, active_sessions,cpu_wait_time, cpu_wait_time, consumed_cpu_time, consumed_cpu_time, current_undo_consumption current_undo_consumptionfrom fromv$rsrc_consumer_group; v$rsrc_consumer_group; © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(53) Revision no.: PPT/2K403/02. Managing Privileges 53. •. Two types of privileges: – SYSTEM: enables users to perform particular actions in the database • create, alter, drop, etc.. – OBJECT: enables users to access and manipulate a specific object • select, update, insert, exec, etc.. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(54) Revision no.: PPT/2K403/02. System Privileges 54. •. There are about 126 system privileges.. •. The ANY-keyword in the privileges signifies that users have the privilege in every schema.. •. The GRANT command adds a privilege to a user or a group of users.. •. The REVOKE command deletes the privileges.. •. Users with ANY privilege can access data dictionary tables. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(55) Revision no.: PPT/2K403/02. System Privileges: Examples 55. Category. Examples. INDEX. CREATE ANY INDEX, ALTER ANY INDEX DROP ANY INDEX. TABLE. CREATE TABLE (includes dropping privilege, create index) CREATE ANY TABLE, ALTER ANY TABLE DROP ANY TABLE (need this for truncating) SELECT ANY TABLE, UPDATE ANY TABLE DELETE ANY TABLE. SESSION. CREATE SESSION (need this to do anything) ALTER SESSION RESTRICTED SESSION(when db in restricted mode). TABLESPACE. CREATE TABLESPACE ALTER TABLESPACE DROP TABLESPACE UNLIMITED TABLESPACE. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(56) Revision no.: PPT/2K403/02. Granting System Privileges 56. GRANT GRANTCREATE CREATESESSION, SESSION,CREATE CREATETABLE TABLETO TOuser1; user1;. GRANT GRANTCREATE CREATESESSION SESSIONTO TOscott scott WITH WITHADMIN ADMINOPTION; OPTION;(enables (enablesscott scottto togrant grantthe theprivilege privilege or orrole roleto toother otherusers usersor orroles) roles). © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(57) Revision no.: PPT/2K403/02. SYSDBA and SYSOPER Privileges 57. Category. Examples. SYSOPER. STARTUP SHUTDOWN ALTER DATABASE OPEN | MOUNT ALTER DATABASE BACKUP CONTROLFILE ALTER TABLESPACE BEGIN/END BACKUP RECOVER DATABASE, ALTER DATABASE ARCHIVELOG RESTRICTED SESSION. SYSDBA. SYSOPER privileges WITH ADMIN OPTION CREATE DATABASE RECOVER DATABASE UNTIL (any operation on db or objects in db). user SYSTEM not as powerful as SYS © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(58) Revision no.: PPT/2K403/02. SYSDBA and SYSOPER Privileges (contd.) 58. •. User SYS: – Owner of data dictionary, can make changes – Granted SYSOPER and SYSDBA roles – Can start and shutdown database. •. User STSTEM: – Not granted SYSOPER and SYSDBA roles – Cannot start/shutdown database – Cannot modify data dictionary – Safer to be SYSTEM than SYS © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(59) Revision no.: PPT/2K403/02. Password File Authentication 59. •. Create the password file and set the REMOTE_LOGIN_PASSWORDFILE parameter.. •. Set REMOTE_LOGIN_ PASSWORD_FILE=EXCLUSIVE.. •. Grant SYSOPER and SYSDBA privileges to users.. •. Query V$PWFILE_USERS to verify the password file members.. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(60) Revision no.: PPT/2K403/02. Displaying System Privileges 60. • •. Select * from dba_sys_privs; Select * from session_privs; (current session). Database Level. Session Level. DBA_SYS_PRIVS. SESSION_PRIVS. • GRANTEE. • PRIVILEGE. • PRIVILEGE • ADMIN OPTION. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(61) Revision no.: PPT/2K403/02. System Privilege Restrictions 61. •. O7_DICTIONARY_ACCESSIBILITY = TRUE – Reverts to Oracle7 behavior – Removes the restrictions on system privileges with the ANY keyword – Defaults to TRUE. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(62) Revision no.: PPT/2K403/02. Revoking System Privileges 62. REVOKE REVOKECREATE CREATETABLE TABLEFROM FROMuser1; user1; (can (canREVOKE REVOKEprivileges privilegesgranted grantedwith withGRANT GRANTcommand) command). REVOKE REVOKECREATE CREATESESSION SESSIONFROM FROMscott; scott;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(63) Revision no.: PPT/2K403/02. Revoking System Privileges Using WITH ADMIN OPTION. 63. DBA. USER 1. SCOTT. DBA. USER 1. SCOTT. GRANT. REVOKE (doesn’t cascade). © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(64) Revoking System Privileges Using WITH ADMIN OPTION (contd.). Revision no.: PPT/2K403/02. 64. RESULT DBA. USER 1. SCOTT. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(65) Revision no.: PPT/2K403/02. Object Privileges 65. Object priv.. Table. ALTER. √. DELETE. √. View. Sequence Procedure √. √ √. EXECUTE INDEX. √. INSERT. √. REFERENCES. √. SELECT. √. √. UPDATE. √. √. √. √. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(66) Revision no.: PPT/2K403/02. Granting Object Privileges 66. GRANT GRANTEXECUTE EXECUTEON ONdbms_pipe dbms_pipeTO TOpublic; public;. GRANT GRANTUPDATE(ename,sal) UPDATE(ename,sal)ON ONemp empTO TOuser1 user1 WITH WITHGRANT GRANTOPTION; OPTION; Column (field) level grants. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(67) Revision no.: PPT/2K403/02. Displaying Object Privileges 67. DBA_TAB_PRIVS GRANTEE OWNER TABLE_NAME GRANTOR PRIVILEGE GRANTABLE. Object privileges. DBA_COL_PRIVS GRANTEE OWNER TABLE_NAME COLUMN_NAME GRANTOR PRIVILEGE GRANTABLE Col specific privileges. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(68) Revision no.: PPT/2K403/02. Revoking Object Privileges 68. • •. Select * from dba_tab_privs where grantee = ‘SCOTT’; Select * from dba_col_privs;. REVOKE REVOKEexecute executeON ONdbms_pipe dbms_pipeFROM FROMscott; scott;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(69) Revision no.: PPT/2K403/02. Revoking Object Privileges Using WITH GRANT OPTION. 69. SCOTT. USER 1. USER 2. SCOTT. USER 1. USER 2. GRANT. REVOKE. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(70) Revoking Object Privileges Using WITH GRANT OPTION (contd.). Revision no.: PPT/2K403/02. 70. RESULT SCOTT. USER 1. USER 2. Summary: revoking object privileges will cascade. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(71) Revision no.: PPT/2K403/02. Roles 71. •. Role: named groups of related privileges – Granted/revoked with same commands as for privileges – Maybe granted to user or role (except itself) – Can consist of object and system privileges – May be enabled/disabled – Can require password to enable – Not owned by anyone. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(72) Revision no.: PPT/2K403/02. Roles (contd.) 72. Users A. Roles. A. HR_MGR. Privileges CREATE TABLE. A. HR_CLERK. INSERT ON EMP. SELECT ON EMP CREATE SESSION. UPDATE ON EMP. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(73) Revision no.: PPT/2K403/02. Benefits of Roles 73. •. Reduced granting of privileges. •. Dynamic privilege management. •. Selective availability of privileges. •. Granted through the OS. •. No cascading revokes. •. Improved performance. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(74) Revision no.: PPT/2K403/02. Creating Roles 74. CREATE CREATEROLE ROLEsales_clerk; sales_clerk;. CREATE CREATEROLE ROLEhr_clerk hr_clerk IDENTIFIED IDENTIFIEDBY BYbonus; bonus;. CREATE CREATEROLE ROLEhr_manager hr_manager IDENTIFIED IDENTIFIEDEXTERNALLY; EXTERNALLY;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(75) Revision no.: PPT/2K403/02. Using Predefined Roles 75. Role Name. Description. CONNECT. These two roles are provided. RESOURCE. for backward compatibility.. DBA. All system privileges WITH ADMIN OPTION. EXP_FULL_DATABASE. Privileges to export the DB. IMP_FULL_DATABASE. Privileges to import the DB. DELETE_CATALOG_ROLE. DELETE privileges on DD tables. EXECUTE_CATALOG_ROLE. EXECUTE privilege on DD packages. SELECT_CATALOG_ROLE. SELECT privilege on DD tables. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(76) Revision no.: PPT/2K403/02. Modifying Roles 76. ALTER ALTERROLE ROLEsales_clerk sales_clerk IDENTIFIED IDENTIFIEDBY BYcommission; commission;. ALTER ALTERROLE ROLEhr_clerk hr_clerk IDENTIFIED IDENTIFIEDEXTERNALLY; EXTERNALLY;. ALTER ALTERROLE ROLEhr_manager hr_manager NOT NOTIDENTIFIED; IDENTIFIED;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(77) Revision no.: PPT/2K403/02. Assigning Roles 77. GRANT GRANTsales_clerk sales_clerkTO TOscott; scott;. GRANT GRANThr_clerk, hr_clerk, TO TOhr_manager; hr_manager;. GRANT GRANThr_manager hr_managerTO TOscott scott WITH WITHADMIN ADMINOPTION; OPTION;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(78) Revision no.: PPT/2K403/02. Assigning Privileges to Roles 78. GRANT GRANTcreate createtable, table,create createany anyindex indexTO TOhr_clerk; hr_clerk;. GRANT GRANTcreate_session create_sessionTO TOhr_manager; hr_manager;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(79) Revision no.: PPT/2K403/02. Enabling and Disabling Roles 79. •. Disable a role to temporarily revoke the role from a user.. •. Enable a role to temporarily grant it.. •. The SET ROLE command enables and disables roles.. •. Default roles are enabled for a user at login.. •. A password may be required to enable a role.. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(80) Revision no.: PPT/2K403/02. Enabling and Disabling Roles: Examples. 80. SET SETROLE ROLEsales_clerk sales_clerkIDENTIFIED IDENTIFIEDBY BY SET ROLE hr_clerk; SET ROLE hr_clerk; commission; commission;. Enable: this is how users would activate their role. SET SETROLE ROLEALL ALLEXCEPT EXCEPTsales_clerk; sales_clerk;. SET SETROLE ROLENONE; NONE;. Disable all roles for current session. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(81) Revision no.: PPT/2K403/02. Removing Roles from Users 81. REVOKE REVOKEsales_clerk sales_clerkFROM FROMscott; scott;. REVOKE REVOKEhr_manager hr_managerFROM FROMPUBLIC; PUBLIC;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(82) Revision no.: PPT/2K403/02. Removing Roles 82. DROP DROPROLE ROLEhr_manager; hr_manager;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(83) Revision no.: PPT/2K403/02. Guidelines for Creating Roles 83. Users User roles Application roles. HR_CLERK. HR_MANAGER. PAY_CLERK. BENEFITS. PAYROLL. Benefits privileges. Payroll privileges. Application privileges © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(84) Revision no.: PPT/2K403/02. Guidelines for using Passwords and Default Roles. 84. Password protected non-default. Default role. PAY_CLERK. PAY_CLERK_RO. Insert, update, delete and select privileges. Select privileges. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(85) Revision no.: PPT/2K403/02. PUBLIC 85. •. The PUBLIC User Group and Roles – To give a certain privilege or role to all the users in the database, simple grant this privilege/role to the user group PUBLIC, which exists in every database by default.. •. Using Secure Application Roles – Secure application roles in Oracle9i are roles that are implemented through a package.. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(86) Revision no.: PPT/2K403/02. Displaying Role Information 86. Role View. Description. DBA_ROLES. All roles which exist in the database. DBA_ROLE_PRIVS. Roles granted to users and roles. ROLE_ROLE_PRIVS. Roles which are granted to roles. DBA_SYS_PRIVS. System privileges granted to users and roles. ROLE_SYS_PRIVS. System privileges granted to roles. ROLE_TAB_PRIVS. Table privileges granted to roles. SESSION_ROLES. Roles which the user currently has enabled.. Select role, password_required from dba_roles; © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(87) Revision no.: PPT/2K403/02. Exercise IV Managing user roles & privileges 87. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(88) Revision no.: PPT/2K403/02. Fine-grained Data Security 88. • •. •. Oracle9i database provides a lower level security of data using fine-grained data security techniques. You can allow all users to access a central table such as payroll table, but transparent to the users you can institute security policies that limit access of an individual user to only those rows in a table. Oracle uses two main concepts to enforce fine-grained security within database: – An application context. – A fine-grained access control policy.. •. Oracle uses the term Virtual Private Database to refer to the implementation of the fine-grained access control policies through application contexts. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(89) Revision no.: PPT/2K403/02. Auditing Categories 89. •. Auditing privileged operations – Always audited – Startup, shutdown, and SYSDBA or SYSOPER connections. •. Database auditing – Enabled by DBA – Cannot record column values. •. Value-based or application auditing – Implemented through code – Can record column values – Used to track changes to tables © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(90) Revision no.: PPT/2K403/02. System-level Triggers 90. •. Database start-up triggers : – These triggers are used to execute code that you want to execute immediately after database start-up.. •. Logon triggers: – Provide you with information regarding the logon times of a user, along with details about the user’s session.. •. Logoff triggers: – Similar to the logon triggers, but they execute right before the user’s session logs off.. •. DDL triggers: – To capture all database object changes with these triggers.. •. Server error triggers: – Capture all major PL/SQL code errors into a special table. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(91) Value-Based Auditing: An Example. Revision no.: PPT/2K403/02. 91. CREATE CREATE TRIGGER TRIGGERscott.auditemployee scott.auditemployee AFTER AFTERINSERT INSERTOR ORDELETE DELETEOR ORUPDATE UPDATE ON ONscott.emp scott.emp FOR FOREACH EACHROW ROW BEGIN BEGIN INSERT INSERTINTO INTOscott.audit_employee scott.audit_employee VALUES VALUES(( :OLD.empno, :OLD.empno,:OLD.name,…, :OLD.name,…, :NEW.empno, :NEW.empno,:NEW.name,…, :NEW.name,…, USER, USER,SYSDATE); SYSDATE); END; END;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(92) Revision no.: PPT/2K403/02. Database Auditing 92. Execute command. Enable DB auditing DBA. User. Parameter file. Specify audit options Review audit information. Server process. Generate audit trail. Audit options Audit trail. Other tables Database. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(93) Revision no.: PPT/2K403/02. Enabling Database Auditing 93. AUDIT_TRAIL DBA. AUD$ table. OS audit trail. DB. OS. Parameter file. Instance. OS. NONE. No trail. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(94) Revision no.: PPT/2K403/02. Enabling Auditing Options 94. •. Statement auditing AUDIT AUDITuser; user;. •. Privilege auditing AUDIT AUDITselect selectany anytable table BY BYscott scottBY BYACCESS; ACCESS;. •. Schema object auditing AUDIT AUDITLOCK LOCKON ONscott.emp scott.emp BY BYACCESS ACCESSWHENEVER WHENEVERSUCCESSFUL; SUCCESSFUL; © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(95) Revision no.: PPT/2K403/02. Auditing Schema Objects 95. Object Option ALTER AUDIT COMMENT DELETE EXECUTE GRANT INDEX INSERT LOCK READ RENAME SELECT UPDATE. Table. View. X X X X. X X X. Sequence X X. X. Stored Program X. X X. Snapshot X X X X. X X X X. X X X. X X X X. X X X. X X X. X X X. X. X. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(96) Revision no.: PPT/2K403/02. Viewing Auditing Options 96. Data Dictionary View. Description. ALL_DEF_AUDIT_OPTS. Default audit options. DBA_STMT_AUDIT_OPTS. Statement auditing options. DBA_PRIV_AUDIT_OPTS. Privilege auditing options. DBA_OBJ_AUDIT_OPTS. Schema object auditing options. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(97) Revision no.: PPT/2K403/02. Disabling Auditing Options 97. NOAUDIT NOAUDITuser userWHENEVER WHENEVERSUCCESSFUL; SUCCESSFUL;. NOAUDIT NOAUDITcreate createtable tableBY BYscott; scott;. NOAUDIT NOAUDITLOCK LOCKON ONemp; emp;. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(98) Revision no.: PPT/2K403/02. The Audit Trail 98. •. Stores the records generated by statement, privilege, and object auditing. •. The audit records are stored in the SYS.AUD$ data dictionary table or in the OS audit trail. •. Each record in the audit trail includes: – The user who executed the statement – The command issued (action code) – Any system or object privilege used – The objects referenced in the statement – The date and time the statement was issued © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(99) Revision no.: PPT/2K403/02. Oracle Default Auditing 99. •. When you don’t specify any type of logging, by default Oracle will log three types of database actions under all circumstances.. •. The auditing actions and the audit records are written to the default $ORACLE_HOME/rdbms/audit directory. – Connections as SYSOPER or SYSDBA. – Database start-up – Database shutdown © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(100) Revision no.: PPT/2K403/02. Viewing Auditing Results 100. Audit Trail View. Description. DBA_AUDIT_TRAIL. All audit trail entries. DBA_AUDIT_EXISTS. Records for AUDIT EXISTS/NOT EXISTS. DBA_AUDIT_OBJECT. Records concerning schema objects. DBA_AUDIT_SESSION. All connect and disconnect entries. DBA_AUDIT_STATEMENT. Statement auditing records. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(101) Revision no.: PPT/2K403/02. Auditing Guidelines 101. •. Focus auditing – Object auditing, where possible – Only specific users – By session – Successful or unsuccessful. •. Maintain the audit trail – Monitor the growth of the audit trail – Protect the audit trail from unauthorized access – Cleaning OS audit files © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(102) Revision no.: PPT/2K403/02. The Password File 102. • • •. Use orapwd to create the password file. The remote_login_passwordfile initialization parameter. None – No password file is used. – This is the default, and it permits only operating systemauthenticated users to perform DBA task.. •. Shared – Creates a shared password file with a single user: SYS. – Any user who wants to perform privileged tasks has to log in as SYS.. •. Exclusive – Uses a password file. – Any user can be granted the SYSDBA and SYSOPER privileges, and when the user SYS does so, the user is automatically added to the password file. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(103) Revision no.: PPT/2K403/02. Encrypted Passwords 103. •. By default, Oracle user passwords aren’t encrypted, which leaves them vulnerable to unauthorized usage.. •. ora_encrypt_login=true (client). •. dblink_encrypt_login=true (server). •. Oracle will always encrypt a password when it’s sending it across a network.. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(104) Revision no.: PPT/2K403/02. Authentication Methods 104. •. External Authentication. •. Proxy Authentication. •. Centralized User Authorization using LDAP. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(105) Revision no.: PPT/2K403/02. Database Security Do’s Don’ts 105. •. User Accounts default lock except SYS and SYSTEM.. •. Passwords, don’t hard-code. •. Operating System Authentication. •. Audit your Database. •. Grant Privileges Appropriately.. •. Set appropriate Permissions.. •. Safeguard the Network and the Listener.. •. Keep Up-to-Date for latest news about new security vulnerabilities and the patches to overcome them... •. Use Oracle’s Advanced Security Feature.. •. Take Care of Application Security. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(106) Revision no.: PPT/2K403/02. Exercise V Auditing the database Usage 106. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(107) Revision no.: PPT/2K403/02. 107. Design & Published by: CMS Institute, Design & Development Centre, CMS House, Plot No. 91, Street No.7, MIDC, Marol, Andheri (E), Mumbai –400093, Tel: 91-22-28216511, 28329198 Email: [email protected] www.cmsinstitute.co.in. © CMS INSTITUTE, 2004. All rights reserved. No part of this material may be reproduced, stored or emailed without the prior permission of Programme Director, CMS Institute.

(108)

Figure

TABLE CREATE TABLE (includes dropping privilege, create index)CREATE ANY TABLE, ALTER ANY TABLE
Table privileges granted to roles

References

Download now ( PDF - 107 Page - 1.27 MB )

Related documents

Executive Compensation at New Hampshire s Non-Profit Hospitals

The numbers also include several large, one-time payments to CEOs (including multi-year retention bonuses and vesting in retirement plans.) But the figures indicate that

Doação de medula óssea na perspectiva de irmãos doadores

Once the option for transplant has been defined, the search begins for the identification of a donor of compatible bone marrow, which can be obtained from

Social media and crisis communication: using social media and image repair discourse to maintain positive image

The primary research question for the study is this: following a crisis situation during the image repair efforts for a brand, what social media post types generate the most

EQUITY LENDING MARKETS AND OWNERSHIP STRUCTURE

More concentrated ownership structures increase short sale constraints - including loan fees, recall risk and arbitrage risk - and forces arbitrageurs to decrease demand for

Designing A New Electronic Voting System

The Insertion of Corrupt Software Into Machines Prior to Election Day, Wireless and other Remote Control Attacks, Attacks on Tally Servers, Mis- calibration of Machines, Shut off

Acrylic Acid Final Report

Another process inoles producing acrylic acid from propylene through acrolein as an Another process inoles producing acrylic acid from propylene through

Curriculum Vitae. Ivan Kenneth Gaetz

Chair, Regis University Task Force on Intellectual Property and Copyright, 2005— Chair, Shared Collection Development Committee, Colorado Alliance, 2004— 2009 Secretary/Board

NUMERICAL ANALYSIS OF SEEPAGE THROUGH EMBANKMENT DAMS (CASE STUDY: KOCHARY DAM, GOLPAYEGAN)

 By constructing sealing trench, the seepage through the Kochary Embankment Dam foundation will reach to 35200 cubic meters per year and the ratio of the seepage volume