The Oracle Database permission system is divided into system permissions and object permissions. A database system privilege allows an Oracle user to execute a specific set of commands.
For example, the create table permission allows Oracle users to create tables, and the grant any privilege permission allows users to grant any system permission. A database object privilege allows you to perform certain operations on a particular object. For example, the DELETE permission allows you to delete rows in a table or view. The SELECT permission allows Oracle users to query information from a table, view, sequence, or snapshot through select.
1. Create a user
Oracle has two users: SYSTEM and SYS. You can log on directly as the SYSTEM user to create other users, because SYSTEM has the permission to create other users. When installing Oracle, the user or system administrator can first create a user for themselves. For example:
- create user user01 identified by u01;
This command can also be used to set other permissions. For more information, see the self-study materials. To change a password, run the alter user command:
- alter user user01 identified by usr01;
Now the user01 password has been changed from "u01" to "usr01".
In addition to the alter user command, Oracle users can also use the password command. With the password command, the new password is not displayed on the screen. Users with the DBA privilege can use the password command to change the password of any other user. Other users can only change their own passwords.
When you enter the password command, the system prompts you to enter the old and new passwords, as shown below:
- password
- Changing password for user01
- Old password:
- New password:
- Retype new password:
When the password is successfully modified, the Oracle user will receive the following feedback:
- Password changed
2. Delete a user
To delete an Oracle user, run the drop user command as follows:
- drop user user01;
If the user owns objects, the user cannot be deleted directly; attempting to do so returns an error. Specify the keyword CASCADE to delete all of the user's objects and then delete the user. The following example deletes a user and that user's objects:
- drop user user01 CASCADE;
3. Three standard roles
To be compatible with earlier versions, Oracle provides three standard roles: CONNECT, RESOURCE, and DBA.
1. CONNECT Role (connection Role)
Temporary users, especially Oracle users who do not need to create tables, are usually given only the CONNECT role. CONNECT is a simple permission for using Oracle. It is meaningful only when the user has access to tables of other users, including select, insert, update, and delete. Users with the CONNECT role can also create tables, views, sequences, clusters, synonyms, sessions, and links to other databases.
2. RESOURCE Role (resource Role)
The RESOURCE role can be granted to more reliable and formal database users. RESOURCE provides users with additional permissions to create their own tables, sequences, procedures, triggers, indexes, and clusters.
3. DBA Role (database administrator Role)
The DBA role has all system permissions, including unlimited space quota and the ability to grant various permissions to other Oracle users. SYSTEM is owned by the DBA user. The following describes some typical commands frequently used by DBAs.
(1) grant (authorization) command
Run the following command to grant permissions to user01:
- grant connect, resource to user01;
(2) revoke (revocation) command
The granted permissions can be revoked. For example, to revoke the authorization in (1), run the following command:
- revoke connect, resource from user01;
A user with the DBA role can revoke the CONNECT, RESOURCE, and DBA permissions of any other Oracle user, even other DBAs. Of course, this is very dangerous. Therefore, unless it is necessary, DBA permissions should not be granted to general users who are not very important.
Revoking all permissions of a user does not mean that the user is deleted from Oracle, nor does it damage any table created by the user; it simply disallows access to these tables. Other users who want to access these tables can do so as before.
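To see who actually holds the three standard roles and what they contain in a given database, query the data dictionary. The following is an added example, not part of the original text; it assumes a session that can read the DBA_* dictionary views (for example, one logged on as SYSTEM) and reuses the user01 account from above.

```sql
-- Added example: audit the three standard roles discussed above.
-- Assumption: the session can read the DBA_* data dictionary views.

-- 1. Which accounts and roles hold CONNECT, RESOURCE or DBA?
--    ADMIN_OPTION = 'YES' means the grantee can pass the role on to others.
select grantee, granted_role, admin_option, default_role
  from dba_role_privs
 where granted_role in ('CONNECT', 'RESOURCE', 'DBA')
 order by granted_role, grantee;

-- 2. Which system permissions do CONNECT and RESOURCE contain here?
--    The contents differ between Oracle releases, so check rather than assume.
select role, privilege, admin_option
  from role_sys_privs
 where role in ('CONNECT', 'RESOURCE')
 order by role, privilege;

-- 3. Everything user01 holds: roles, direct system permissions,
--    and object permissions granted directly to the account.
select 'ROLE' as kind, granted_role as privilege, null as object_name
  from dba_role_privs
 where grantee = 'USER01'
union all
select 'SYSTEM', privilege, null
  from dba_sys_privs
 where grantee = 'USER01'
union all
select 'OBJECT', privilege, owner || '.' || table_name
  from dba_tab_privs
 where grantee = 'USER01'
 order by 1, 2;
```

Running query 3 before and after the revoke command in (2) shows the CONNECT and RESOURCE rows disappear while the account itself remains.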
4. Create a role
In addition to the three system roles (CONNECT, RESOURCE, and DBA), you can also create your own roles in Oracle. A role created by a user can be composed of table permissions, system permissions, or a combination of the two. To create a role, you must have the create role system permission. The following is an example of the create role command:
- create role STUDENT;
This command creates a role named STUDENT.
Once a role is created, the Oracle user can grant permissions to it. The syntax of the grant command for a role is the same as for a user. When granting permissions to a role, you must use the role name in the to clause of the grant command, as shown below:
- grant select on CLASS to STUDENT;
Now all Oracle users with the STUDENT role have the select permission on the CLASS table.
5. Delete a role
To delete a role, run the drop role command as follows:
- drop role STUDENT;
The specified role and related permissions will be deleted from the database.
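The create role, grant, and drop role steps from sections 4 and 5, put together as one sequence with verification queries. This is an added example, not part of the original text; it assumes user01 exists, the CLASS table is owned by the current user, and the session has the create role permission and can read the DBA_* dictionary views.

```sql
-- Added example: full lifecycle of the STUDENT role.
-- Assumptions: user01 exists, CLASS belongs to the current user,
-- and the session can read the DBA_* data dictionary views.

create role STUDENT;

-- The object permission goes to the role, not to individual users.
grant select on CLASS to STUDENT;

-- Membership: user01 receives select on CLASS through the role.
-- A session user01 already has open picks this up at the next logon.
grant STUDENT to user01;

-- Verify what the role carries ...
select role, owner, table_name, privilege
  from role_tab_privs
 where role = 'STUDENT';

-- ... and who holds it.
select grantee, granted_role, admin_option
  from dba_role_privs
 where granted_role = 'STUDENT';

-- Remove one member without touching the role itself.
revoke STUDENT from user01;

-- Dropping the role removes it from every remaining grantee,
-- together with the permissions that were granted to it.
drop role STUDENT;

-- Confirm nothing is left behind; both queries should return no rows.
select grantee from dba_role_privs where granted_role = 'STUDENT';
select grantee, privilege from dba_tab_privs where grantee = 'STUDENT';
```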