OCA 07 - Administering User Security


  • 7/29/2019 OCA 07 - Administering User Security


    07 - Administering User Security

    By Muhammad Asghar Khan

    Reference: OCA Oracle Database 11g - Admin I Exam Guide by John Watson


    Agenda

http://asghars.blogspot.com

Create and Manage Database User Accounts

Username

    Default Tablespace and Quotas

    Temporary Tablespace

    Profile Authentication Methods

    EXERCISE 7-1: Create Users

    Grant and Revoke Privileges

    System Privileges

    Object Privileges

    EXERCISE 7-2: Grant and Revoke Privileges


Create and Manage Roles

EXERCISE 7-3: Create and Grant Roles

    Create and Manage Profiles

    EXERCISE 7-4: Create and Use Profiles


    Create and Manage Database User Accounts

To establish a session against an instance and a database, a user must connect to a user account.

In some applications, each end user has his own database user account. This security model works well for small applications but is often impractical for larger systems with many hundreds or thousands of users.

The alternative is for many end users to share a single application-owned database account. That model relies on the application to map the real end user to the database user account, and it makes session-level security and auditing more complex, because the database itself only ever sees the shared account.

Here we assume that every user is known to the database; they all have their own user accounts.

A user account has a number of attributes defined at account creation time. These attributes are:

Username

A username must begin with a letter, must be no more than 30 characters, and can consist of only letters, digits, and the characters dollar ($), underscore (_) and hash (#).

Unless the name is enclosed in double quotes it is converted to uppercase when the account is created, so usernames are effectively case insensitive. Passwords, by contrast, are case sensitive in 11g by default (SEC_CASE_SENSITIVE_LOGON=TRUE).

To change a username, the account must be dropped and another account created. This is a drastic action, because all the objects in the user's schema will be dropped along with the user.

Default Tablespace and Quotas

Every user account has a default tablespace. There is a database-wide default tablespace that will be applied to all user accounts if a default tablespace is not specified when creating the user.

The database default can be set when creating the database and changed later with ALTER DATABASE DEFAULT TABLESPACE tablespace_name;

If a default tablespace is not specified when creating the database, it will be set to the SYSTEM tablespace. This is a very bad practice: user objects would then compete with the data dictionary for space in SYSTEM.

A quota is the amount of space in a tablespace that a user is allowed to occupy. A user can create objects only in tablespaces on which he has a quota (the UNLIMITED TABLESPACE system privilege bypasses this check entirely). Quotas are visible in the view DBA_TS_QUOTAS, where a MAX_BYTES value of -1 means an unlimited quota: in the slide's screenshot, -1 showed that user U01 has an unlimited quota on the USERS tablespace.
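The following is an added example, not SQL from the original slides: it creates two users with explicit default and temporary tablespaces and different quotas, then reads the quotas back from the dictionary. The usernames, passwords and the USERS and TEMP tablespace names are assumptions; run it as SYSTEM or another account with CREATE USER.

```sql
-- Added example (not from the original slides). Assumes the USERS and TEMP
-- tablespaces exist. Run as SYSTEM or any user holding CREATE USER.
CREATE USER u01 IDENTIFIED BY "Change_me_1"
  DEFAULT TABLESPACE   users
  TEMPORARY TABLESPACE temp
  QUOTA 10M ON users          -- hard cap: allocating beyond it fails with ORA-01536
  PASSWORD EXPIRE;            -- force a password change at first logon

CREATE USER u02 IDENTIFIED BY "Change_me_2"
  DEFAULT TABLESPACE   users
  TEMPORARY TABLESPACE temp
  QUOTA UNLIMITED ON users;   -- unlimited on this one tablespace only

-- Where each user's objects will go and where his sorts will spill.
SELECT username, default_tablespace, temporary_tablespace, account_status
FROM   dba_users
WHERE  username IN ('U01', 'U02');

-- Quotas: MAX_BYTES = -1 is "unlimited"; BYTES is what is currently used.
SELECT username, tablespace_name, bytes, max_bytes
FROM   dba_ts_quotas
WHERE  username IN ('U01', 'U02');
-- U01  USERS  0  10485760
-- U02  USERS  0  -1

-- Security check: accounts that bypass quotas altogether. In 11g the RESOURCE
-- role grants UNLIMITED TABLESPACE implicitly, so this list is often longer
-- than expected.
SELECT grantee
FROM   dba_sys_privs
WHERE  privilege = 'UNLIMITED TABLESPACE'
ORDER  BY grantee;
```

A quota caps how much space a user can consume, not what he can read; it is a resource control, but it also limits the damage a compromised account can do by filling a tablespace shared with other applications.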

Temporary Tablespace

Operations that need temporary space (in memory if possible, in a temporary tablespace if necessary) include sorting rows, joining tables, building indexes, and using temporary tables.

To change a user's temporary tablespace use ALTER USER username TEMPORARY TABLESPACE tablespace_name;

If many users are logging on to the same user account, they will share use of one temporary tablespace. This can be a performance bottleneck, which may be avoided by using temporary tablespace groups: a group name can be given wherever a temporary tablespace name is expected, and sessions are spread across the tablespaces in the group.

Profile

A user's profile controls his password settings and gives a limited amount of control over his resource usage.

Authentication Methods

A user account must have an authentication method. The following are some of the methods:

Operating system and password file authentication

Granting the SYSDBA or SYSOPER privilege will copy the user's password (in its hashed form) from the data dictionary into the external password file, where it can be read by the instance even if the database is not open. This is what makes it possible to connect as SYSDBA to an instance whose database is shut down or mounted but not open.

To use password file authentication, the user connects with this syntax:

CONNECT username/password[@db_alias] AS [SYSOPER | SYSDBA]

To use operating system authentication, the user connects with this syntax:

CONNECT / AS [SYSOPER | SYSDBA]

Operating system authentication for SYSDBA trusts membership of an OS group (typically dba on Unix, ORA_DBA on Windows): anyone who obtains a shell as a member of that group is a DBA without knowing any database password, so that group membership must be controlled as tightly as the SYS password.

To determine to whom the SYSDBA and SYSOPER privileges have been granted, query the view V$PWFILE_USERS.

Password Authentication

With password authentication, the instance will validate the password given against that stored with the user account in the data dictionary.

The syntax for a connection with password authentication is

The user SYS is not permitted to connect with password authentication; only password file, operating system, or LDAP authentication is possible for SYS.

When a connection is made across a network, release 11g will always encrypt the password using the AES algorithm before transmission. Only the password is protected in this way: the rest of the session traffic is sent in clear unless network encryption has been configured.

Any user can change his/her own account password at any time.

External Authentication

If external authentication is used, Oracle will delegate the authentication to an external service; it will not prompt for a password.

With the Advanced Security option, the external service can be a Kerberos server, a RADIUS server, etc.

Without the Advanced Security option, the only form of external authentication that can be used is operating system authentication.

To create an Oracle user and allow him to use external authentication, create the account as IDENTIFIED EXTERNALLY. The username must be prefixed with the value of the instance parameter OS_AUTHENT_PREFIX, which defaults to the string OPS$.

Any user logged on to Unix as asghar will be able to issue CONNECT / (no username, no password) and will be connected to the database user account OPS$ASGHAR. Note what is being trusted: the database accepts the operating system username reported for the connection. This is acceptable for local (bequeath) connections on the database server; for connections over the network it must be explicitly enabled with REMOTE_OS_AUTHENT=TRUE, which is deprecated and unsafe, because the client machine supplies the username.

Global Authentication

A global user is a user who is defined within the LDAP directory, and global authentication is a means of delegating user authentication to the directory. It does not require the user to present a password to the database.
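The following is an added example, not code from the original slides, showing the OS-authenticated account described above together with the checks that make it safe to use. It assumes an operating system login asghar on the database server, the default OS_AUTHENT_PREFIX, and that the database was created by 11g DBCA; the SHOW PARAMETER lines are SQL*Plus commands.

```sql
-- Added example (not from the original slides). Assumes an OS user "asghar"
-- on the database server and the default OS_AUTHENT_PREFIX of ops$.
SHOW PARAMETER os_authent_prefix     -- expect ops$
SHOW PARAMETER remote_os_authent     -- must be FALSE: never trust a client-supplied OS name

-- The database username is the prefix followed by the OS username, in uppercase.
CREATE USER ops$asghar IDENTIFIED EXTERNALLY
  DEFAULT TABLESPACE users
  QUOTA 0 ON users;                  -- no storage unless the account needs it
GRANT CREATE SESSION TO ops$asghar;

-- From a shell on the server, logged in as asghar:
--   $ sqlplus /
-- The OS identity is trusted; no password is asked for. Inside that session:
SELECT sys_context('USERENV', 'SESSION_USER')        AS db_user,    -- OPS$ASGHAR
       sys_context('USERENV', 'OS_USER')             AS os_user,    -- asghar
       sys_context('USERENV', 'AUTHENTICATION_TYPE') AS auth_type   -- OS
FROM   dual;

-- Audit, as SYSTEM: which accounts never present a password to the database?
-- In 11g the deprecated PASSWORD column of DBA_USERS shows the literal
-- EXTERNAL or GLOBAL for such accounts and is NULL for password accounts.
SELECT username, password, external_name, account_status
FROM   dba_users
WHERE  password IN ('EXTERNAL', 'GLOBAL')
ORDER  BY username;
```

Every row returned by the last query is an account whose security depends on something outside the database (the host's login controls or the directory), which is worth knowing when reviewing who can reach the data.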

EXERCISE 7-1: Create Users

1. Create three users.

2. Confirm that the users have been created with Database Control. From the database home page, the navigation path is the Server tab and then the Users link in the Security section.

3. From SQL*Plus, attempt to connect as user ALOIS. The connection fails because ALOIS does not have the CREATE SESSION privilege: the account exists, but it cannot start a session until that privilege is granted.

4. Refresh the Database Control window, and note that the status of the ALOIS account is no longer EXPIRED but OPEN, because his password has been changed: the account was created with an expired password, so SQL*Plus prompted for a new one during the connection attempt, and the change was accepted even though the logon itself was then refused.
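The following is an added example of Exercise 7-1 in SQL*Plus; it is not the SQL from the original slides, and the initial passwords, the quota and the USERS tablespace are assumptions. It also shows how to see each step from the dictionary instead of Database Control.

```sql
-- Added example (not the slides' own SQL). Passwords and tablespace are assumptions.
-- Step 1, as SYSTEM: three users. ALOIS gets an expired password so that he has
-- to choose his own at first logon. Nobody is granted any privilege yet.
CREATE USER alois IDENTIFIED BY alois_init
  DEFAULT TABLESPACE users QUOTA 10M ON users
  PASSWORD EXPIRE;
CREATE USER afra IDENTIFIED BY afra_init;
CREATE USER anja IDENTIFIED BY anja_init;

-- Step 2, the dictionary behind the Database Control Users page:
SELECT username, account_status, default_tablespace, profile, created
FROM   dba_users
WHERE  username IN ('ALOIS', 'AFRA', 'ANJA');
-- ALOIS is EXPIRED; AFRA and ANJA are OPEN.

-- Step 3, in SQL*Plus:
--   SQL> connect alois/alois_init
--   ERROR: ORA-28001: the password has expired
--   Changing password for alois
--   New password: ...  Retype new password: ...
--   Password changed
--   ERROR: ORA-01045: user ALOIS lacks CREATE SESSION privilege; logon denied
-- The password change happens before the privilege check, which is why
-- step 4 sees the account as OPEN although no session was ever created.

-- Step 4, as SYSTEM: status after the attempt.
SELECT username, account_status, expiry_date
FROM   dba_users
WHERE  username = 'ALOIS';                      -- OPEN

-- The refused logon is recorded if session auditing is on (the 11g DBCA
-- default audit settings include CREATE SESSION):
SELECT username, os_username, timestamp, returncode  -- 1045 = lacks CREATE SESSION
FROM   dba_audit_session
WHERE  username = 'ALOIS'
ORDER  BY timestamp;
```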

Grant and Revoke Privileges

Privileges are assigned to user accounts with a GRANT command and withdrawn with a REVOKE. A user cannot even connect without being granted a privilege (CREATE SESSION).

Privileges come in two groups:

System privileges, which let users perform actions that affect the data dictionary (creating objects, altering the database or instance, starting a session)

Object privileges, which let users perform actions that affect the data in a particular object, usually one owned by another user

System Privileges

There are about two hundred system privileges. These privileges affect the data dictionary, the database or instance, or the ability to establish a session.

Some of the more commonly used privileges are:

CREATE SESSION; allows a user to connect

RESTRICTED SESSION; allows a user to connect when the instance has been started in RESTRICTED mode (or placed in it with ALTER SYSTEM ENABLE RESTRICTED SESSION)

ALTER DATABASE; allows control over the physical structures of the database

ALTER SYSTEM; allows control over instance parameters and memory structures

CREATE TABLESPACE

CREATE TABLE; in the user's own schema only

GRANT ANY OBJECT PRIVILEGE; grant privileges on any object, as though the grantee were its owner

CREATE ANY TABLE

DROP ANY TABLE

INSERT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE

SELECT ANY TABLE

The syntax for granting system privileges is

GRANT privilege [, privilege...] TO username [WITH ADMIN OPTION];

WITH ADMIN OPTION lets the grantee pass the privilege on to others. Revoking a system privilege from the grantor does not cascade to the users he granted it to, so such grants have to be tracked.

The ANY privileges should be used with extreme caution, as they remove all protection from user tables: SELECT ANY TABLE reads every table in every schema, including application tables holding sensitive data, and the CREATE ANY, DROP ANY and GRANT ANY privileges are in practice equivalent to being a DBA.
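The following is an added example, not code from the original slides: the audit queries a practitioner runs to find the grants this section warns about. The exclusion list of Oracle-maintained accounts is an assumption to be adjusted to the local inventory; run the queries as SYSTEM or any account holding SELECT_CATALOG_ROLE.

```sql
-- Added example (not from the original slides). Exclusion list is an assumption.

-- 1. Direct grants of ANY privileges, or of any privilege WITH ADMIN OPTION,
--    with Oracle-maintained grantees filtered out so that real exposures stand out.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  (privilege LIKE '%ANY%' OR admin_option = 'YES')
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA', 'DBSNMP', 'SYSMAN',
                       'IMP_FULL_DATABASE', 'EXP_FULL_DATABASE',
                       'DATAPUMP_IMP_FULL_DATABASE', 'DATAPUMP_EXP_FULL_DATABASE',
                       'OEM_MONITOR', 'SELECT_CATALOG_ROLE', 'EXECUTE_CATALOG_ROLE')
ORDER  BY grantee, privilege;

-- 2. Anything granted to PUBLIC is effectively granted to every account.
SELECT 'SYS PRIV' AS kind, privilege    AS what FROM dba_sys_privs  WHERE grantee = 'PUBLIC'
UNION ALL
SELECT 'ROLE',            granted_role         FROM dba_role_privs WHERE grantee = 'PUBLIC'
ORDER  BY 1, 2;

-- 3. ANY privileges that reach a user indirectly through nested roles.
--    DBA_SYS_PRIVS shows only direct grants, so walk the role hierarchy first:
--    START WITH every user, follow user -> role -> role ... with CONNECT BY.
SELECT DISTINCT t.holder, sp.privilege, t.granted_role AS via_role
FROM  (SELECT CONNECT_BY_ROOT grantee AS holder, granted_role
       FROM   dba_role_privs
       START WITH grantee IN (SELECT username FROM dba_users)
       CONNECT BY NOCYCLE PRIOR granted_role = grantee) t
JOIN   dba_sys_privs sp ON sp.grantee = t.granted_role
WHERE  sp.privilege LIKE '%ANY%'
AND    t.holder NOT IN ('SYS', 'SYSTEM', 'DBSNMP', 'SYSMAN')
ORDER  BY 1, 2;

-- 4. SYSDBA and SYSOPER are not in DBA_SYS_PRIVS at all; they live in the
--    password file. Every row here is an account that can bypass the open database.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER  BY username;
```

Query 3 is the one usually missed: a harmless-looking custom role that has itself been granted a role containing SELECT ANY TABLE gives the holder the same reach as a direct grant, and only a hierarchical query over DBA_ROLE_PRIVS exposes it.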

Object Privileges

Object privileges give the ability to perform SELECT, INSERT, UPDATE, and DELETE commands against tables, and to execute PL/SQL objects.

The syntax is

GRANT privilege ON schema.object TO username [WITH GRANT OPTION];

Unlike system privileges, object privileges cascade on revoke: if A grants SELECT on a table to B WITH GRANT OPTION and B grants it on to C, revoking it from B also removes it from C.

Granting privileges at the column level is often said to be bad practice because of the administrative workload involved. It is also only available for INSERT, UPDATE and REFERENCES, not for SELECT, so restricting which columns a user may read is done by granting SELECT on a view instead.

EXERCISE 7-2: Grant and Revoke Privileges

1. Grant CREATE SESSION to user ALOIS.

2. Now connect as ALOIS. This time, the logon will succeed.

3. As ALOIS, attempt to create a table. This fails: CREATE SESSION permits a connection and nothing else.

4. In the SYSTEM session, grant ALOIS the CREATE TABLE privilege.

5. In the ALOIS session, try again to create the table. It succeeds, provided ALOIS has a quota on his default tablespace.

6. As ALOIS, grant object privileges on the new table: SELECT only to ANJA, all privileges to AFRA.

7. Connect to Database Control as user SYSTEM and confirm that the object privileges have been granted: Schema tab, Database Objects section, Tables link. Enter ALOIS as the Schema and T1 as the Table and click the Go button. In the Actions drop-down box, select Object Privileges. ANJA has only SELECT, but AFRA has everything.

8. Confirm which privileges have been granted to ALOIS: Server tab, Security section, Users link. Select the radio button for ALOIS, and click the View button.

9. Retrieve the same information with SQL*Plus.

10. Revoke the privileges granted to AFRA and ANJA.
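The following is an added example of Exercise 7-2 end to end; it is not the SQL from the original slides. It assumes the three users from Exercise 7-1 exist and that ALOIS has a quota on the USERS tablespace, and it replaces the Database Control screens of steps 7 to 9 with the equivalent dictionary queries.

```sql
-- Added example (not the slides' own SQL). Assumes users from Exercise 7-1.

-- Steps 1-2, as SYSTEM:
GRANT CREATE SESSION TO alois;
--   SQL> connect alois/<password>     now succeeds

-- Step 3, as ALOIS: fails with ORA-01031: insufficient privileges
CREATE TABLE t1 (c1 DATE);

-- Step 4, as SYSTEM:
GRANT CREATE TABLE TO alois;

-- Step 5, as ALOIS: succeeds. ORA-01950 instead means ALOIS has no quota on USERS.
CREATE TABLE t1 (c1 DATE);

-- Step 6, as ALOIS. The owner needs no extra privilege to grant on his own table.
GRANT SELECT ON t1 TO anja;
GRANT ALL    ON t1 TO afra;

-- Steps 7-9, as SYSTEM: what Database Control showed, read from the dictionary.
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'ALOIS' AND table_name = 'T1'
ORDER  BY grantee, privilege;           -- ANJA: SELECT only; AFRA: every privilege
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'ALOIS';               -- CREATE SESSION, CREATE TABLE

-- The same information from inside the ALOIS session, which needs no
-- dictionary privilege because the USER_ views show only the current user:
SELECT privilege FROM user_sys_privs;
SELECT grantee, privilege FROM user_tab_privs_made WHERE table_name = 'T1';

-- Step 10, as ALOIS (or as a user holding GRANT ANY OBJECT PRIVILEGE):
REVOKE ALL    ON t1 FROM afra;
REVOKE SELECT ON t1 FROM anja;
-- Verify nothing is left behind:
SELECT COUNT(*) AS remaining
FROM   dba_tab_privs
WHERE  owner = 'ALOIS' AND table_name = 'T1';   -- 0
```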

Create and Manage Roles

A role is a collection of system and/or object privileges that can be granted and revoked as a unit, and having been granted can be temporarily activated or deactivated within a session.

Roles are not schema objects: they aren't owned by anyone and so cannot be prefixed with a username.

Create a role with the CREATE ROLE command:

CREATE ROLE rolename;

Then grant privileges to the role with the usual syntax, including WITH ADMIN OPTION or WITH GRANT OPTION if desired. One caveat: object privileges received through a role are not available inside definer's rights PL/SQL units or views; the owner of such code needs a direct grant.

There are at least 50 predefined roles in an Oracle database:

CONNECT; exists for backward compatibility. With the current release, it only has CREATE SESSION.

RESOURCE; also for backward compatibility, this role can create both data objects and procedural objects. In 11g, granting it also silently grants the UNLIMITED TABLESPACE system privilege, which bypasses every quota.

DBA; any user granted DBA can manage virtually all aspects of the database, except for startup and shutdown.

SELECT_CATALOG_ROLE; has over 2000 object privileges against data dictionary objects, but no system privileges or privileges against user data.

SCHEDULER_ADMIN; has the system privileges necessary for managing the Scheduler job-scheduling service.

PUBLIC; not strictly a role but a user group to which every database user account always belongs. If a privilege is granted to PUBLIC, it is available to all users.

If a user has been granted a role, then the role will be enabled by default. This behaviour can be modified by making the role non-default for that user (ALTER USER username DEFAULT ROLE ...), in which case the user or the application must enable it explicitly in the session.

The basic command to enable a role within a session is

EXERCISE 7-3: Create and Grant Roles

1. Create two roles, USR_ROLE and MGR_ROLE.

2. Grant some privileges to the roles, and grant USR_ROLE to MGR_ROLE.

3. Grant the roles to AFRA.

4. Connect to the database as user AFRA and grant USR_ROLE to ANJA. This only works if AFRA received the role WITH ADMIN OPTION.

5. Confirm that ANJA can connect and query ALOIS.T1 but do nothing else.

6. As user SYSTEM, adjust ANJA so that by default he can log on but do nothing else.

7. Demonstrate the enabling and disabling of roles.

8. Use Database Control to inspect the roles. The navigation path from the Home Page is the Server tab, Security section, Roles link.

9. To see to whom a role has been granted, in the Actions drop-down box shown in the preceding illustration, select Show Grantees and click the Go button.
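The following is an added example of Exercise 7-3; it is not the SQL from the original slides. The privileges placed in each role are an assumption chosen to match step 5 (ANJA can connect and read ALOIS.T1 and nothing more), and it assumes ALOIS.T1 exists from Exercise 7-2. It also shows the SET ROLE command used for step 7.

```sql
-- Added example (not the slides' own SQL). Role contents are an assumption.

-- Steps 1-3, as SYSTEM:
CREATE ROLE usr_role;
CREATE ROLE mgr_role;
GRANT CREATE SESSION TO usr_role;
GRANT SELECT ON alois.t1 TO usr_role;              -- an object privilege held via a role
GRANT CREATE TABLE, CREATE VIEW TO mgr_role;
GRANT usr_role TO mgr_role;                         -- nested role: MGR_ROLE contains USR_ROLE
GRANT usr_role, mgr_role TO afra WITH ADMIN OPTION; -- ADMIN OPTION is what makes step 4 possible

-- Step 4, as AFRA:
GRANT usr_role TO anja;

-- Step 5, as ANJA:
SELECT COUNT(*) FROM alois.t1;                      -- works
CREATE TABLE t (x NUMBER);                          -- ORA-01031: insufficient privileges

-- Step 6, as SYSTEM. CREATE SESSION must be a direct grant here: with a default
-- role set of NONE no role is enabled at logon, so a CREATE SESSION that lived
-- only inside USR_ROLE would lock ANJA out completely.
GRANT CREATE SESSION TO anja;
ALTER USER anja DEFAULT ROLE NONE;

-- Step 7, as ANJA in a new session:
SELECT role FROM session_roles;                     -- no rows
SELECT COUNT(*) FROM alois.t1;                      -- ORA-00942: table or view does not exist
SET ROLE usr_role;                                  -- enable it for this session only
SELECT role FROM session_roles;                     -- USR_ROLE
SELECT COUNT(*) FROM alois.t1;                      -- works again
SET ROLE NONE;                                      -- back to CREATE SESSION only

-- Steps 8-9, as SYSTEM: grantees of each role, whether they hold ADMIN OPTION,
-- and whether the role is a default role for them.
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role IN ('USR_ROLE', 'MGR_ROLE')
ORDER  BY granted_role, grantee;

-- What the roles actually contain. The DBA_* privilege views list roles as grantees.
SELECT grantee AS role, privilege,
       CAST(NULL AS VARCHAR2(30)) AS owner, CAST(NULL AS VARCHAR2(30)) AS table_name
FROM   dba_sys_privs WHERE grantee IN ('USR_ROLE', 'MGR_ROLE')
UNION ALL
SELECT grantee, privilege, owner, table_name
FROM   dba_tab_privs WHERE grantee IN ('USR_ROLE', 'MGR_ROLE')
ORDER  BY 1, 2;
```

Making a powerful role non-default and enabling it with SET ROLE only when needed is the Oracle form of least privilege for interactive sessions: the privilege exists, but a script or a compromised client that merely connects does not get it.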

Create and Manage Profiles

A profile enforces a password policy and restricts the resources a session can take up.

Password controls are always enforced; resource limits are only enforced if the instance parameter RESOURCE_LIMIT is TRUE. By default in 11g it is FALSE, so a profile's resource limits do nothing until it is set (ALTER SYSTEM SET resource_limit=TRUE).

The limits that can be applied to passwords are:

FAILED_LOGIN_ATTEMPTS; specifies the number of consecutive failed password attempts before the account is locked

PASSWORD_LOCK_TIME; the number of days to lock an account after FAILED_LOGIN_ATTEMPTS is reached. Fractions of a day are allowed (1/24 is one hour); UNLIMITED means a DBA has to unlock the account manually

PASSWORD_LIFE_TIME; the number of days before a password expires

PASSWORD_GRACE_TIME; the number of days, following the first successful login after the password has expired, during which warnings to change the password are generated; after that the expired password must be changed before a logon is accepted

PASSWORD_REUSE_TIME; the number of days that must pass before a password can be reused

PASSWORD_REUSE_MAX; the number of password changes required before a password can be reused. PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX work as a pair: if both are UNLIMITED no reuse check is made at all

PASSWORD_VERIFY_FUNCTION; the name of a PL/SQL function, owned by SYS, to run whenever a password is changed; it can reject passwords that do not meet the policy

The limits that can be applied to resource usage (also known as kernel limits) are:

SESSIONS_PER_USER; concurrent sessions allowed for the account

CPU_PER_SESSION; CPU time per session, in hundredths of a second

CPU_PER_CALL; CPU time per call, in hundredths of a second

LOGICAL_READS_PER_SESSION

LOGICAL_READS_PER_CALL

PRIVATE_SGA; in a shared-server configuration, the space in the SGA a session may use

CONNECT_TIME; total connected time, in minutes

IDLE_TIME; minutes of inactivity before the session is terminated

COMPOSITE_LIMIT; a weighted sum of CPU_PER_SESSION, CONNECT_TIME, LOGICAL_READS_PER_SESSION and PRIVATE_SGA, with the weights set by ALTER RESOURCE COST

When a session is terminated because a resource limit has been reached, if there was a transaction in progress it will be rolled back.

Profiles can be used to limit resource usage, but a much more sophisticated tool is the Resource Manager.

To see which profile is currently assigned to each user, run this query

With Database Control, from the database home page take the Server tab, and then click the Users link in the Security section to see which profile each user has.

To enable more sophisticated password management, run the supplied script $ORACLE_HOME/rdbms/admin/utlpwdmg.sql as SYS.

On Unix or Windows, the script creates two functions called VERIFY_FUNCTION and VERIFY_FUNCTION_11G in the SYS schema, and then alters the profile called DEFAULT so that it uses VERIFY_FUNCTION_11G and tightens its other password limits. Because DEFAULT is the profile of every account that has not been assigned another one, read the script before running it in production: the new limits apply to application and service accounts as well, and expiring their passwords can cause an outage.
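The following is an added example, not the code of utlpwdmg.sql and not from the original slides: a custom password verification function with the three-argument signature Oracle requires, attached to a profile. The rules it enforces, the function name and the use of the DEFAULT profile are assumptions for illustration; it must be created in the SYS schema.

```sql
-- Added example (not from the original slides, not utlpwdmg.sql). Create as SYS.
-- The signature (username, password, old_password) RETURN BOOLEAN is mandatory.
CREATE OR REPLACE FUNCTION verify_password_custom (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2)
RETURN BOOLEAN IS
  v_diff PLS_INTEGER := 0;
  v_len  PLS_INTEGER := LENGTH(password);
BEGIN
  -- Minimum length (policy value is an assumption).
  IF v_len < 12 THEN
    raise_application_error(-20001, 'Password must be at least 12 characters');
  END IF;
  -- Must not contain the username in any case.
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    raise_application_error(-20002, 'Password must not contain the username');
  END IF;
  -- At least one letter, one digit and one character that is neither.
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]')
     OR NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
    raise_application_error(-20003, 'Password needs letters, digits and a special character');
  END IF;
  -- Deny list of well-known defaults (deliberately short here).
  IF LOWER(password) IN ('welcome1', 'password1', 'oracle123', 'change_on_install') THEN
    raise_application_error(-20004, 'Password is on the deny list');
  END IF;
  -- old_password is NULL when the old password was not supplied, e.g. a DBA
  -- resetting someone else's password; only compare when it is present.
  IF old_password IS NOT NULL THEN
    FOR i IN 1 .. LEAST(LENGTH(old_password), v_len) LOOP
      IF SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
        v_diff := v_diff + 1;
      END IF;
    END LOOP;
    v_diff := v_diff + ABS(v_len - LENGTH(old_password));
    IF v_diff < 3 THEN
      raise_application_error(-20005, 'New password must differ from the old one in at least 3 positions');
    END IF;
  END IF;
  RETURN TRUE;
END;
/

-- Attach it to a profile. Every ALTER USER ... IDENTIFIED BY and every SQL*Plus
-- PASSWORD command for users of that profile now runs the function first.
ALTER PROFILE DEFAULT LIMIT PASSWORD_VERIFY_FUNCTION verify_password_custom;

-- Try it, as SYSTEM:
ALTER USER anja IDENTIFIED BY "Tr0ub4dor&3-xyz";   -- accepted
ALTER USER anja IDENTIFIED BY short1;              -- ORA-28003 ... ORA-20001
```

Once a verification function is in force, a user changing his own password must supply the old one with the REPLACE clause (ALTER USER anja IDENTIFIED BY new REPLACE old) unless he holds the ALTER USER privilege; that is what populates the old_password argument and makes the difference check possible.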

EXERCISE 7-4: Create and Use Profiles

1. Create a profile that will lock accounts after two wrong passwords.

2. Assign this new profile to ALOIS.

3. Deliberately enter the wrong password for ALOIS a few times. After the second wrong password the account is locked (status LOCKED(TIMED) in DBA_USERS), and any further attempt, even with the correct password, is refused with ORA-28000.

4. As user SYSTEM, unlock the ALOIS account.

5. Check that ALOIS can now connect.
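The following is an added example of Exercise 7-4 together with the checks a DBA runs around it; it is not the SQL from the original slides. The lockout count of two comes from the exercise, every other limit and the profile name are assumptions, and the audit query assumes session auditing is on (the 11g DBCA default).

```sql
-- Added example (not the slides' own SQL). Limits other than the lockout count
-- are assumptions.

-- Steps 1-2, as SYSTEM:
CREATE PROFILE two_strikes LIMIT
  FAILED_LOGIN_ATTEMPTS 2
  PASSWORD_LOCK_TIME    1/24     -- auto-unlock after one hour; UNLIMITED = manual unlock only
  PASSWORD_LIFE_TIME    90
  PASSWORD_GRACE_TIME   7
  PASSWORD_REUSE_TIME   365
  PASSWORD_REUSE_MAX    10       -- both REUSE limits set, so the history check is active
  SESSIONS_PER_USER     3        -- resource limits: inert until RESOURCE_LIMIT is TRUE
  IDLE_TIME             30;
ALTER USER alois PROFILE two_strikes;

-- Without this the resource limits above are silently ignored (11g default FALSE):
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- Step 3: in SQL*Plus, "connect alois/wrong" twice (ORA-01017 each time). The
-- account is now locked, and a third attempt with the right password gets
-- ORA-28000: the account is locked. As SYSTEM, see it and see who did it:
SELECT username, account_status, lock_date, profile
FROM   dba_users
WHERE  username = 'ALOIS';                                 -- LOCKED(TIMED)
SELECT os_username, userhost, timestamp, returncode        -- 1017 bad password, 28000 locked
FROM   dba_audit_session
WHERE  username = 'ALOIS' AND returncode IN (1017, 28000)
ORDER  BY timestamp;

-- Step 4, as SYSTEM:
ALTER USER alois ACCOUNT UNLOCK;

-- Step 5: "connect alois/<correct password>" now succeeds. Confirm:
SELECT username, account_status
FROM   dba_users
WHERE  username = 'ALOIS';                                 -- OPEN

-- Which profile, and therefore which password limits, apply to each user
-- (the dictionary behind the Database Control Users page):
SELECT u.username, u.profile, p.resource_name, p.limit
FROM   dba_users u
JOIN   dba_profiles p ON p.profile = u.profile
WHERE  p.resource_type = 'PASSWORD'
AND    u.username IN ('ALOIS', 'AFRA', 'ANJA')
ORDER  BY u.username, p.resource_name;
```

A very low FAILED_LOGIN_ATTEMPTS on an account whose name is guessable turns the lockout itself into a denial of service: anyone who can reach the listener can lock the account at will. A finite PASSWORD_LOCK_TIME limits that damage, which is why the example uses 1/24 rather than UNLIMITED.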