Oracle database user management

Source: Internet
Author: User
I. Database user management

1. Users and security

The security of an Oracle database includes the mechanism that controls access to, and use of, the database at the object level, and that mechanism is built on database users. A database user is a name, defined in the database, that is used to access the information in the database; it is the basic access mechanism of the Oracle database.

To access the database, a user must have a valid database user account and must be authenticated according to the requirements of that account. Each database user has its own database account.

Each database user has a set of security attributes:

A. Unique user name: no more than 30 characters, must begin with a letter, and cannot contain special characters other than _, $ and # unless the name is quoted.

B. Authentication method: the most common method is the password; Oracle 10g also supports other methods such as biometric, token and certificate authentication.

C. Default tablespace: the tablespace in which the user's objects are created when no tablespace is specified. Note: having a default tablespace does not mean the user owns anything in that tablespace, nor that the user has a space quota in it; the quota must be granted separately.

D. Temporary tablespace: where the user's temporary objects (sort segments and temporary tables) are created.

E. User profile: the set of resource limits and password rules assigned to the user.

F. Consumer group: used by the Resource Manager.

G. Tablespace quotas: the amount of storage space a given user may use in a tablespace.
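The following script is an added example, written for this edit and not taken from the original article, that creates a user with each of the attributes A to G above and then checks what was actually granted. The user name app_user, the tablespaces USERS and TEMP, the DEFAULT profile and the consumer group APP_GROUP are assumptions; adjust them to your own database and run the script as SYS or another DBA.

```sql
-- Added example, not from the original article. Names (app_user, USERS, TEMP,
-- APP_GROUP) are assumptions. Run as SYS or another DBA.

-- A unique name (A), password authentication (B), default (C) and temporary (D)
-- tablespace, and a profile (E). Deliberately no QUOTA clause yet.
CREATE USER app_user IDENTIFIED BY "Str0ng#Passw0rd"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  PROFILE default
  ACCOUNT UNLOCK;

-- Privileges are separate from the account: without CREATE SESSION the user cannot log in.
GRANT CREATE SESSION, CREATE TABLE TO app_user;

-- A default tablespace is only a default location. Run as app_user, this fails with
-- ORA-01950: no privileges on tablespace 'USERS' until a quota is granted:
--   CREATE TABLE t (id NUMBER);

-- The tablespace quota (G) is a separate authorization. Prefer a bounded quota to
-- UNLIMITED so that a runaway insert cannot fill the tablespace.
ALTER USER app_user QUOTA 100M ON users;

-- Consumer group (F) for the Resource Manager: the user must be allowed to switch to
-- the group before it can be used. Assumes APP_GROUP already exists.
EXEC DBMS_RESOURCE_MANAGER_PRIVS.GRANT_SWITCH_CONSUMER_GROUP('APP_USER', 'APP_GROUP', FALSE);

-- Check the result: the attributes stored in the data dictionary ...
SELECT username, default_tablespace, temporary_tablespace, profile, account_status
  FROM dba_users
 WHERE username = 'APP_USER';

-- ... the quota (MAX_BYTES = -1 would mean UNLIMITED, which is worth flagging) ...
SELECT tablespace_name, bytes, max_bytes
  FROM dba_ts_quotas
 WHERE username = 'APP_USER';

-- ... and which consumer groups the user may switch to.
SELECT grantee, granted_group, initial_group
  FROM dba_rsrc_consumer_group_privs
 WHERE grantee = 'APP_USER';
```

The commented CREATE TABLE is the check worth remembering: a user whose default tablespace is USERS still cannot store a single row there until the quota is granted, so reviewing DBA_TS_QUOTAS is how you find out who can actually consume space.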

2. Predefined accounts SYS and SYSTEM

A. SYS account

- Granted the DBA role
- Holds all system privileges WITH ADMIN OPTION
- Required for startup, shutdown and certain maintenance commands
- Owns the data dictionary
- Owns the Automatic Workload Repository (AWR)
- Connect to it with AS SYSDBA (any user holding the SYSDBA privilege who connects AS SYSDBA is connected as SYS)

B. SYSTEM account

- Granted the DBA role

C. SYS and SYSTEM should not be used for routine application operations.

D. Only users that have been granted SYSDBA or SYSOPER can start up or shut down the database.

E. SYS and SYSTEM are accounts that must exist in every database and cannot be dropped.

3. Authenticating users

Authentication means verifying the identity of a user, device or other entity that wants to use data, resources or applications; the verified identity establishes the trust relationship on which further interaction is based.

A. External authentication

Also called operating system authentication. The user connects to the Oracle database without supplying a user name or password. With external authentication the database relies on the underlying operating system or network authentication service to control access to the database account; no database password is involved.

The mapping is controlled by the prefix defined by the OS_AUTHENT_PREFIX parameter: Oracle prepends the prefix to each user's operating system account name. The default is OPS$. When a user tries to connect, Oracle compares the prefixed name with the user names defined in the database.

Case:

sys@orcl> show parameter os_authent

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
os_authent_prefix                    string      ops$
remote_os_authent                    boolean     FALSE


[root@redhat5 ~]# useradd gmk
[root@redhat5 ~]# passwd gmk
Changing password for user gmk.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.


sys@orcl> create user ops$gmk identified externally;

User created.

sys@orcl> grant connect to ops$gmk;

Grant succeeded.

sys@orcl> select * from dba_users where username = 'OPS$GMK';


[gmk@redhat5 ~]$ vi .bash_profile

Set the Oracle environment variables (ORACLE_HOME, ORACLE_SID and PATH) for the gmk account, then make them effective after editing:

[gmk@redhat5 ~]$ source .bash_profile

[gmk@redhat5 ~]$ sqlplus /

The OS user gmk now logs in as OPS$GMK without giving a password; the operating system login is the authentication.
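The checks below are an added example, written for this edit and not part of the original article, that a DBA would run after enabling external authentication as in the case above. OPS$GMK is the account created in the case; the remaining names and the audit settings are assumptions. Run as SYS.

```sql
-- Added example, not from the original article. OPS$GMK is the account from the case
-- above; other names are assumptions. Run as SYS.

-- 1. Which accounts bypass the database password entirely? In 10g DBA_USERS.PASSWORD
--    shows EXTERNAL for them; from 11g use AUTHENTICATION_TYPE = 'EXTERNAL' instead.
SELECT username, account_status, profile
  FROM dba_users
 WHERE password = 'EXTERNAL';

-- 2. The prefix that maps OS account names to database user names, and whether remote
--    OS authentication is on. The default prefix is OPS$; an empty prefix ("") is also
--    allowed and maps OS user gmk straight to database user GMK.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('os_authent_prefix', 'remote_os_authent');

-- 3. REMOTE_OS_AUTHENT must stay FALSE. With TRUE the database also trusts the OS user
--    name sent by remote SQL*Net clients, so anyone who creates a local account called
--    gmk on their own workstation can connect as OPS$GMK without a password. The
--    parameter is deprecated from 11g and defaults to FALSE; set it explicitly on 10g.
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;   -- static: needs a restart

-- 4. The OS login only proves identity; privileges are still granted in the database.
--    The CONNECT role bundled object-creation privileges before 10g Release 2, so grant
--    CREATE SESSION directly and nothing more than the account needs.
REVOKE CONNECT FROM ops$gmk;
GRANT CREATE SESSION TO ops$gmk;

-- 5. Record logons and failed logons for the account (needs AUDIT_TRAIL = DB or OS).
AUDIT SESSION BY ops$gmk;

-- 6. Afterwards the audit trail shows who used the mapping, from which OS account and
--    host, and whether the logon succeeded (RETURNCODE 0) or failed.
SELECT username, os_username, userhost, returncode, timestamp
  FROM dba_audit_session
 WHERE username = 'OPS$GMK'
 ORDER BY timestamp DESC;
```

Step 3 is the one that matters most: the case above only works because REMOTE_OS_AUTHENT is FALSE, which limits external authentication to sessions that start on the database host itself.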
B. Password authentication

Also called Oracle database authentication. For example:

[oracle@redhat5 ~]$ sqlplus scott/oracle

scott@orcl> conn test/oracle

Connected.

test@orcl> connect scott/oracle

Password authentication is the method Oracle uses most. When a connection is made with password authentication, the instance checks the given password against the password stored for the account in the data dictionary. The database must therefore be open; logically, a connection authenticated with a password cannot issue a STARTUP or SHUTDOWN command. Note: SYS is not allowed to connect with plain database password authentication; SYS can only be authenticated through the password file, the operating system, or LDAP.

Advantages of database authentication:

- User accounts and their authentication information are stored in the database and verified by the Oracle server, without any control outside the database.
- With database authentication Oracle provides strict password management features that strengthen password security, such as account lockout, password expiration, and password length and complexity rules.
- Easy to manage.
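The script below is an added example, written for this edit and not part of the original article, showing the lockout, expiry and complexity rules mentioned above enforced through a profile. The profile name APP_PROFILE, the function name APP_VERIFY_PW, the limits chosen and the use of SCOTT as the affected user are assumptions. Run as SYS, because a password verify function must be owned by SYS.

```sql
-- Added example, not from the original article. APP_PROFILE, APP_VERIFY_PW and the
-- limits are assumptions. Run as SYS.

-- A verify function must have exactly this signature and return TRUE to accept the
-- password; raising an error rejects it with that message.
CREATE OR REPLACE FUNCTION app_verify_pw (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2)   -- NULL unless the user is changing their own password
RETURN BOOLEAN IS
  has_digit BOOLEAN := FALSE;
  has_alpha BOOLEAN := FALSE;
  c         VARCHAR2(1);
BEGIN
  IF LENGTH(password) < 10 THEN
    raise_application_error(-20001, 'Password must be at least 10 characters');
  END IF;
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the user name');
  END IF;
  FOR i IN 1 .. LENGTH(password) LOOP
    c := SUBSTR(password, i, 1);
    IF c BETWEEN '0' AND '9' THEN
      has_digit := TRUE;
    ELSIF UPPER(c) BETWEEN 'A' AND 'Z' THEN
      has_alpha := TRUE;
    END IF;
  END LOOP;
  IF NOT (has_digit AND has_alpha) THEN
    raise_application_error(-20003, 'Password must contain both letters and digits');
  END IF;
  IF old_password IS NOT NULL AND password = old_password THEN
    raise_application_error(-20004, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END app_verify_pw;
/

-- Password limits are always enforced; only the resource limits of a profile depend on
-- RESOURCE_LIMIT = TRUE. Time values are in days, so 1/24 is one hour.
CREATE PROFILE app_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5          -- lock the account after 5 consecutive failures
  PASSWORD_LOCK_TIME       1/24       -- keep it locked for one hour, then unlock
  PASSWORD_LIFE_TIME       90         -- the password expires after 90 days
  PASSWORD_GRACE_TIME      7          -- warn for 7 days before an expired password is refused
  PASSWORD_REUSE_TIME      365        -- a password cannot be reused within a year ...
  PASSWORD_REUSE_MAX       10         -- ... nor until 10 other passwords have been used
  PASSWORD_VERIFY_FUNCTION app_verify_pw;

ALTER USER scott PROFILE app_profile;
ALTER USER scott PASSWORD EXPIRE;     -- force a change under the new rules at next logon

-- Check what is in force and which accounts are affected.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_PROFILE' AND resource_type = 'PASSWORD';

SELECT username, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE profile = 'APP_PROFILE';
```

A verify function only sees the password at change time, so it cannot protect accounts that already hold weak passwords; the ALTER USER ... PASSWORD EXPIRE is what pushes existing users through the new rules.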

II. Administrator authentication

A database administrator can perform actions that ordinary users cannot, such as starting up and shutting down the database, so Oracle gives administrators a more secure way to authenticate.

1. Operating system security

On Linux and UNIX the DBA's operating system account belongs by default to the Oracle install group, and that group has the permissions required to create and delete database files.

- The DBA must have the operating system permissions to create and delete database files.
- Ordinary users should not have permission to create and delete those files.

2. Database administrator authentication

There are two methods: operating system authentication and password file authentication. With password file authentication the connection is made with a user name and password (for example CONNECT sys/password AS SYSDBA); with operating system authentication the connection is CONNECT / AS SYSDBA and no user name is supplied.

Note: operating system authentication takes precedence over password file authentication. When a member of the OSDBA or OSOPER operating system group connects AS SYSDBA or AS SYSOPER, the associated administrative privilege is used for the connection regardless of the user name and password supplied. Membership in those groups is therefore equivalent to holding SYSDBA or SYSOPER and should be controlled as such.

Note 2: To let a user authenticate through the password file, grant the user SYSDBA or SYSOPER. When the privilege is granted, the user's password is copied from the data dictionary into the external password file, so it can be verified even when the instance is not open.

CASE 1: Password file authentication

CASE 2: Operating system authentication
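The SQL*Plus session below is an added example, written for this edit and not part of the original article, that walks through CASE 1 and CASE 2 and shows the SYSOPER/SYSDBA boundary described next. The user GMK, both passwords, the net service name orcl and the table SCOTT.EMP are assumptions. Run it on the database host as an OS user that belongs to the OSDBA group.

```sql
-- Added example, not from the original article. GMK, the passwords, the service name
-- orcl and SCOTT.EMP are assumptions. Run on the database host as an OSDBA group member.

-- CASE 1: password file authentication. Connecting through a net service name (@orcl)
-- forces the password file path even on the host, so the name and password are
-- actually checked against the external password file; this also works while the
-- instance is down, which is the point of the file.
CONNECT sys/sys_password@orcl AS SYSDBA
GRANT SYSOPER TO gmk;                 -- copies GMK's password hash into the password file
SELECT username, sysdba, sysoper FROM v$pwfile_users;   -- GMK now listed, SYSOPER = TRUE

CONNECT gmk/gmk_password@orcl AS SYSOPER
SHOW USER                             -- USER is "PUBLIC": SYSOPER does not become SYS
SELECT COUNT(*) FROM scott.emp;       -- ORA-00942: SYSOPER cannot read application data
-- SHUTDOWN IMMEDIATE and STARTUP would be permitted here; they are left out so the
-- instance keeps running.

-- CASE 2: operating system authentication. No database credential is checked at all.
-- Membership in the OSDBA group authorizes the local connection and takes precedence
-- over whatever user name and password are typed.
CONNECT / AS SYSDBA
SHOW USER                             -- USER is "SYS"
CONNECT nosuchuser/wrong AS SYSDBA    -- still succeeds for an OSDBA group member
SHOW USER                             -- USER is "SYS"
-- Consequence: control of the OSDBA group, or of the Oracle software owner account,
-- is equivalent to SYSDBA. Treat that group membership as a privileged-access grant.

-- Clean up: remove the password-file entry when it is no longer needed.
REVOKE SYSOPER FROM gmk;
SELECT username, sysdba, sysoper FROM v$pwfile_users;
```

The second CONNECT in CASE 2 is the one to show anyone who believes a strong SYS password protects the database from local administrators: on the host, the password is never consulted.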

In addition:

SYSOPER has these privileges: STARTUP, SHUTDOWN, ALTER DATABASE OPEN/MOUNT, ALTER DATABASE BACKUP, ALTER DATABASE ARCHIVELOG, the RECOVER commands, and RESTRICTED SESSION.

SYSDBA has all system privileges WITH ADMIN OPTION, including everything SYSOPER has, plus the ability to execute CREATE DATABASE and to perform time-based (incomplete) recovery.

III. Authentication parameters

1. REMOTE_LOGIN_PASSWORDFILE: whether remote logins can be authenticated with a password file.

sys@orcl> show parameter remote_login

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
remote_login_passwordfile            string      EXCLUSIVE

A. SHARED: one or more databases can use the password file, and the file can contain SYS and non-SYS users.

B. EXCLUSIVE: in current releases behaves the same as SHARED; the value is kept for backward compatibility.

C. NONE: the password file is ignored, so remote password file authentication is not allowed.

Note: to view the users who are authenticated through the password file:

sys@orcl> select * from v$pwfile_users;

USERNAME                       SYSDB SYSOP SYSAS
------------------------------ ----- ----- -----
SYS                            TRUE  TRUE  FALSE

2. SQLNET.AUTHENTICATION_SERVICES, set in the $ORACLE_HOME/network/admin/sqlnet.ora configuration file:

A. NONE: no operating system authentication; logging in as the operating system user is not allowed, so a user name and password are always required.

B. ALL: all authentication methods are allowed.

C. NTS: Windows native (NT security) authentication, which allows the operating system user to authenticate.

IV. Schema objects

A schema is a collection of objects. A schema is owned by exactly one database user and has the same name as that user. Oracle has a schema for each user, and the schema objects that the user creates are stored in that schema. Schema object types include tables, indexes, clusters, triggers, PL/SQL program units, sequences, synonyms, views, stored procedures, functions and so on. Not all Oracle objects are schema objects: tablespaces, users, roles, directories, profiles and so on are not.
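The script below is an added example, written for this edit and not part of the original article, showing what "a schema has the same name as its user" means in practice and how another user reaches objects in it. The users HR_OWNER and REPORT_USER, their passwords, the sample row and the tablespace USERS are assumptions. Run as SYS.

```sql
-- Added example, not from the original article. HR_OWNER, REPORT_USER, the passwords,
-- the sample row and the tablespace USERS are assumptions. Run as SYS.

CREATE USER hr_owner IDENTIFIED BY Hr0wner_Pass1
  DEFAULT TABLESPACE users QUOTA 10M ON users;
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE, CREATE VIEW TO hr_owner;

CREATE USER report_user IDENTIFIED BY Rep0rt_Pass1;
GRANT CREATE SESSION, CREATE SYNONYM TO report_user;

-- Objects created by hr_owner go into the HR_OWNER schema.
CONNECT hr_owner/Hr0wner_Pass1
CREATE SEQUENCE emp_seq;
CREATE TABLE emp (id NUMBER PRIMARY KEY, name VARCHAR2(50), salary NUMBER);
INSERT INTO emp VALUES (emp_seq.NEXTVAL, 'Alice', 5000);   -- constructed sample row
COMMIT;
CREATE VIEW emp_public AS SELECT id, name FROM emp;         -- exposes no salary
GRANT SELECT ON emp_public TO report_user;                  -- privilege on the view only

-- Schema objects are the ones that carry an OWNER in DBA_OBJECTS ...
CONNECT / AS SYSDBA
SELECT object_name, object_type FROM dba_objects WHERE owner = 'HR_OWNER';
-- ... whereas tablespaces, users, roles and profiles are not schema objects and never
-- appear there: this count is 0.
SELECT COUNT(*) FROM dba_objects
 WHERE object_type IN ('TABLESPACE', 'USER', 'ROLE', 'PROFILE');

-- Another user reaches a schema object by qualifying it with the schema name, or through
-- a synonym; the object privilege, not the synonym, decides what is allowed.
CONNECT report_user/Rep0rt_Pass1
SELECT * FROM hr_owner.emp_public;
CREATE SYNONYM emp_public FOR hr_owner.emp_public;
SELECT * FROM emp_public;
SELECT * FROM hr_owner.emp;          -- ORA-00942: no privilege on the base table
```

The view plus a single object privilege is the usual way to give a reporting account a narrow slice of a schema without touching the owning user's account or password.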

