1 / 34

Chapter 7 User Creation and Management

Chapter 7 User Creation and Management. Jason C. H. Chen , Ph.D. Professor of MIS School of Business Gonzaga University Spokane, WA 99258 USA chen@jepson.gonzaga.edu. Objectives. Explain the concept of data security Create a new user account

meghan
Download Presentation

Chapter 7 User Creation and Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter 7User Creation and Management Jason C. H. Chen, Ph.D. Professor of MIS School of Business Gonzaga University Spokane, WA 99258 USA chen@jepson.gonzaga.edu

  2. Objectives • Explain the concept of data security • Create a new user account • Identify two types of privileges: system and object • Grant privileges to a user • Address password expiration requirements • Change the password of an existing account

  3. Objectives (continued) • Create a role • Grant privileges to a role • Assign a user to a role • View privilege information • Revoke privileges from a user and a role • Remove a user and roles

  4. Basic SQL Concepts • DDL (Data Definition Language) • commands that work with the objects (tables, indexes, views, etc.) in the database. e..g., CREATE, ALTER, DROP, and RENAME. • DML (Data Manipulation Language) • commands that work with the (physical) data in the database. e.g., SELECT, INSERT, UPDATE, and DELETE • DCL ( ) • commands that control a database, including administering privileges. e.g., GRANT, REVOKE. Data Control Language

  5. Data Security • User accounts provide a method of authentication • They can grant access to specific objects • They identify owners of objects

  6. Creating a User • The CREATE USER command gives each user a user name and password Figure 7-1 Syntax of the CREATE USER command Can you perform this command? Why?

  7. Assigning User Privileges • There are two types of privileges • System privileges • Allow access to the database and execution of DDL operations • Object privileges • Allow a user to perform DML and query operations

  8. Practice • Type the following command SELECT * FROM customers; • I grant the following to all of you: GRANT SELECT ON customers TO PUBLIC; • You type the following again SELECT * FROM chen.customers; • I revoke the following from you: REVOKE SELECT ON customers FROM PUBLIC; • You type the following again SELECT * FROM chen.customers;

  9. Examples of Object Privileges

  10. Pseudo-columns • Acts like a column in a database query • Actually a command that returns a specific values • Used to retrieve: • Current system date • Name of the current database user • Next value in a sequence

  11. Using Pseudo-columns • Retrieving the current system date: SELECT SYSDATE FROM DUAL; • Retrieving the name of the current user: SELECT USER FROM DUAL; • DUAL is a system table that is used with pseudo-columns

  12. Your Turn (and Job) • Read chapter 7 (both pptxfile and Oracle text) • Practice all examples (script file is available in the Bb, file name: Ch7_Queries.sql)

  13. Assigning User Privileges (continued) • Even with a valid user name and password, a user still needs the CREATE SESSION privilege to connect to a database Figure 7-5 Command to grant the CREATE SESSION privilege

  14. System Privileges • Affect a user’s ability to create, alter, and drop objects • Use of ANY keyword with an object privilege (INSERT ANY TABLE) is considered a system privilege • List of all available system privileges available through SYSTEM_PRIVILEGE_MAP

  15. SYSTEM_PRIVILEGE_MAP Figure 7-3 A partial list of available system privelages

  16. Granting System Privileges • System privileges are given through the GRANT command Figure 7-4 Syntax of the GRANT command for system privaleges

  17. Granting System Privileges (continued) • GRANT clause – identifies system privileges being granted • TO clause – identifies receiving user or role • WITH ADMIN OPTION clause – allows a user to grant privilege to other database users

  18. Object Privileges • SELECT – display data from table, view, or sequence • INSERT – insert data into table or view • UPDATE – change data in a table or view • DELETE – remove data from a table or view • ALTER – change definition of table or view

  19. Granting Object Privileges • Grant object privileges through the GRANT command Figure 7-6 Syntax of the GRANT command for object privileges

  20. Granting Object Privileges (continued) • GRANT clause – identifies object privileges • ON clause – identifies object • TO clause – identifies user or role receiving privilege • WITH GRANT OPTION clause – gives a user the ability to assign the same privilege to other users GRANT Command Examples Table 7-2 Examples of Granting Object Privileges to a User

  21. Password Management • To change a user password, use the PASSWORD command or the ALTER USER command Figure 7-12 Command to change a password

  22. Utilizing Roles • A role is a group, or collection, of privileges Figure 7-16 Command for creating the ORDERENTRY role Figure 7-17 Commands for granting privileges to the ORDERENTRY role

  23. Utilizing Roles (continued) • Roles can be assigned to users or other roles Figure 7-18 Command for granting the ORDERENTRY role to RTHOMAS

  24. Utilizing Roles (continued) • A user can be assigned several roles • All roles can be enabled at one time • Only one role can be designated as the default role for each user • Default role can be assigned through the ALTER USER command

  25. Utilizing Roles (continued) • Roles can be modified with the ALTER ROLE command • Roles can be assigned passwords Figure 7-23 Syntax of the ALTER ROLE command

  26. Viewing Privilege Information • ROLE_SYS_PRIVS lists all system privileges assigned to a role • SESSION_PRIVS lists a user’s currently enabled roles

  27. ROLE_TAB_PRIVS Example Figure 7-24 Verifying privileges assigned to a role

  28. Removing Privileges and Roles • Revoke system privileges with the REVOKE command Figure 7-26 Syntax for revoking a system privilege

  29. Removing Privileges and Roles (continued) • Revoking an object privilege– if the privilege was originally granted using WITH GRANT OPTION, the effect cascades and is revoked from subsequent recipients Figure 7-27 Syntax for revoking an object privilege Figure 7-28 Syntax for removing a role from an account

  30. Dropping a Role • Users receiving privileges via a role that is dropped will no longer have those privileges available Figure 7-31 Syntax of the DROP ROLE command Figure 7-32 Command for dropping the ORDERENTRY role

  31. Dropping a User • The DROP USER command is used to remove a user account Figure 7-33 Syntax of the DROP USER command

  32. Summary • Database account management is only one facet of data security • A new user account is created with the CREATE USER command • The IDENTIFIED BY clause contains the password for the account • System privileges are used to grant access to the database and to create, alter, and drop database objects • The CREATE SESSION system privilege is required before a user can access his account on the Oracle server • The system privileges available in Oracle 11g can be viewed through the SYSTEM_PRIVILEGE_MAP

  33. Summary (continued) • Object privileges allow users to manipulate data in database objects • Privileges are given through the GRANT command • The ALTER USER command, combined with the PASSWORD EXPIRE clause, can be used to force a user to change her password upon the next attempted login to the database • The ALTER USER command, combined with the IDENTIFIED BY clause, can be used to change a user’s password • Privileges can be assigned to roles to make the administration of privileges easier

  34. Summary (continued) • Roles are collections of privileges • The ALTER USER command, combined with the DEFAULT ROLE keywords, can be used to assign a default role(s) to a user • Privileges can be revoked from users and roles using the REVOKE command • Roles can be revoked from users using the REVOKE command • A role can be deleted using the DROP ROLE command • A user account can be deleted using the DROP USER command

More Related