OCA 07 - Administering User Security
7/29/2019 OCA 07 - Administering User Security
07 - Administering User Security
By Muhammad Asghar Khan
Reference: OCA Oracle Database 11g - Admin I Exam Guide by John Watson
Agenda

Create and Manage Database User Accounts
  Username
  Default Tablespace and Quotas
  Temporary Tablespace
  Profile
  Authentication Methods
  EXERCISE 7-1: Create Users
Grant and Revoke Privileges
  System Privileges
  Object Privileges
  EXERCISE 7-2: Grant and Revoke Privileges
Create and Manage Roles
  EXERCISE 7-3: Create and Grant Roles
Create and Manage Profiles
  EXERCISE 7-4: Create and Use Profiles

Create and Manage Database User Accounts
http://asghars.blogspot.com4
To establish a session against an instance and adatabase, a user must connect to a user account
In some applications, each user will have his owndatabase user account
This security model works well for small applicationsbut is often impractical for larger systems with manyhundreds or thousands of users
This model relies on the application to map the real end
user to a database user account, and it can makesession-level security and auditing more complex
Here we assume that every user is known to thedatabase; they all have their own user accounts
1/10
-
7/29/2019 OCA 07 - Administering User Security
5/42
Create and Manage Database User Accounts
http://asghars.blogspot.com5
A user account has a number of attributes that are defined at account creation time. These attributes are:

Username
A username must begin with a letter, must be no more than 30 characters, and can consist only of letters, digits, and the characters dollar ($) and underscore (_).
The letters are case sensitive but will be automatically converted to uppercase (unless the name is enclosed in double quotes, a practice best avoided).
To change a username, the account must be dropped and another account created. This is a drastic action, because all the objects in the user's schema will be dropped along with the user.

Default Tablespace and Quotas
Every user account has a default tablespace. There is a database-wide default tablespace that will be applied to any user account for which a default tablespace is not specified at creation time.
The database default can be set when creating the database and changed later with ALTER DATABASE DEFAULT TABLESPACE tablespace_name;
If a default tablespace is not specified when creating the database, it will be set to the SYSTEM tablespace (a very bad practice).
A quota is the amount of space in a tablespace that a user is allowed to occupy. Without a quota on a tablespace (or the UNLIMITED TABLESPACE system privilege), a user cannot create segments there, whatever his default tablespace is.
The figure referenced here (not reproduced in this transcript) shows user U01 with an unlimited quota on the USERS tablespace.

Temporary Tablespace
Operations that need temporary space (in memory if possible, in a temporary tablespace if necessary) include sorting rows, joining tables, building indexes, and using temporary tables.
To change a user's temporary tablespace use ALTER USER username TEMPORARY TABLESPACE tablespace_name;
If many users are logging on to the same user account, they will share the use of one temporary tablespace. This can be a performance bottleneck, which may be avoided by using temporary tablespace groups.

Profile
A user's profile controls his password settings and gives a limited amount of control over his resource usage.

Authentication Methods
A user account must have an authentication method. Some of the methods are:

Operating system and password file authentication
Granting the SYSDBA or SYSOPER privilege will copy the user's password from the data dictionary into the external password file, where it can be read by the instance even if the database is not open.
To use password file authentication, the user can connect with this syntax:
CONNECT username/password[@db_alias] AS [SYSOPER | SYSDBA];
To use operating system authentication, the user can connect with this syntax:
CONNECT / AS [SYSOPER | SYSDBA];
To determine to whom the SYSDBA and SYSOPER privileges have been granted, query the view V$PWFILE_USERS.
Password Authentication
With password authentication, the instance will validate the password given against that stored with the user account in the data dictionary.
The syntax for a connection with password authentication is the CONNECT syntax shown above, without the AS SYSOPER | SYSDBA clause.
The user SYS is not permitted to connect with password authentication; only password file, operating system, or LDAP authentication is possible for SYS.
When a connection is made across a network, release 11g will always encrypt the password using the AES algorithm before transmission.
Any user can change his or her own account password at any time.

External Authentication
If external authentication is used, Oracle will delegate the authentication to an external service; it will not prompt for a password.
With the Advanced Security option, the external service can be a Kerberos server, a RADIUS server, and so on.
Without the Advanced Security option, the only form of external authentication that can be used is operating system authentication.
To create an Oracle user and allow him to use external authentication, use the command:
The username must be prefixed with the key string OPS$ (the default value of the OS_AUTHENT_PREFIX instance parameter).
Any user logged on to Unix as asghar will then be able to issue CONNECT / (no username, no password) and will be connected to the database user account ops$asghar.
Global Authentication
A global user is a user who is defined within the LDAP directory, and global authentication is a means of delegating user authentication to the directory.
It does not require the user to present a password to the database.

EXERCISE 7-1: Create Users
1. Create three users.
2. Confirm that the users have been created with Database Control. From the database home page, the navigation path is the Server tab and then the Users link in the Security section.
3. From SQL*Plus, attempt to connect as user alois. alois cannot connect, because alois does not have the CREATE SESSION privilege.
4. Refresh the Database Control window, and note that the status of the ALOIS account is no longer EXPIRED but OPEN, because his password has been changed: the expired password was replaced when SQL*Plus prompted for a new one, even though the connection itself was then refused.
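Added example, not the slides' own commands (which this transcript does not reproduce): a SQL*Plus script that creates the three users of Exercise 7-1 with the attributes covered above, plus an OS-authenticated account for the Unix user asghar mentioned earlier. The passwords, the quota sizes, and the existence of the USERS, EXAMPLE and TEMP tablespaces are assumptions.

```sql
-- Added example: run as SYSTEM (or any user holding CREATE USER).
-- Assumptions: USERS and TEMP exist (they do in a default 11g database),
-- EXAMPLE exists only if the sample schemas were installed; passwords are
-- made up. In 11g passwords are case sensitive by default
-- (SEC_CASE_SENSITIVE_LOGON=TRUE).

-- alois: must change the password at first login (PASSWORD EXPIRE); no quota,
-- so even once allowed to connect he cannot create segments anywhere.
CREATE USER alois IDENTIFIED BY Chg3Me_now
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  PASSWORD EXPIRE;

-- afra: unlimited quota on her default tablespace, capped quota on EXAMPLE.
CREATE USER afra IDENTIFIED BY Afra_s3cret
  DEFAULT TABLESPACE users  QUOTA UNLIMITED ON users
  QUOTA 10M ON example
  TEMPORARY TABLESPACE temp;

-- anja: created locked; a DBA has to unlock the account before first use.
CREATE USER anja IDENTIFIED BY Anja_s3cret
  DEFAULT TABLESPACE users  QUOTA 20M ON users
  TEMPORARY TABLESPACE temp
  ACCOUNT LOCK;

-- OS-authenticated account for the Unix login "asghar": OPS$ is the default
-- OS_AUTHENT_PREFIX, so "CONNECT /" from that login maps to this user.
CREATE USER ops$asghar IDENTIFIED EXTERNALLY
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp;

-- Verify: status, default/temporary tablespaces ...
SELECT username, account_status, default_tablespace, temporary_tablespace
FROM   dba_users
WHERE  username IN ('ALOIS', 'AFRA', 'ANJA', 'OPS$ASGHAR');

-- ... and quotas (MAX_BYTES = -1 means UNLIMITED). ALOIS has no row at all.
SELECT username, tablespace_name,
       CASE WHEN max_bytes = -1 THEN 'UNLIMITED' ELSE TO_CHAR(max_bytes) END AS quota
FROM   dba_ts_quotas
WHERE  username IN ('ALOIS', 'AFRA', 'ANJA');

-- Attributes can be changed later without dropping the account:
ALTER USER anja  ACCOUNT UNLOCK;
ALTER USER alois QUOTA 5M ON users;
ALTER USER alois TEMPORARY TABLESPACE temp;
```

Nothing in this script grants CREATE SESSION, so none of the accounts can log on yet, which is exactly what step 3 of the exercise shows. Treat the OPS$ account as trustworthy only for local connections: REMOTE_OS_AUTHENT is FALSE by default (and deprecated in 11g), because a client that can pick its own OS username could otherwise log on as any OPS$ user.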
Grant and Revoke Privileges
Privileges are assigned to user accounts with a GRANT command and withdrawn with a REVOKE.
A user cannot even connect without being granted a privilege (CREATE SESSION).
Privileges come in two groups:
System privileges, which let users perform actions that affect the data dictionary
Object privileges, which let users perform actions that affect data

System Privileges
There are about two hundred system privileges. They govern actions that affect the data dictionary, the database or instance, or establishing a session.
Some of the more commonly used privileges are:
CREATE SESSION
RESTRICTED SESSION; allows a user to connect when the instance has been started in RESTRICTED mode
ALTER DATABASE
ALTER SYSTEM; allows control of instance parameters and memory structures
CREATE TABLESPACE
CREATE TABLE
GRANT ANY OBJECT PRIVILEGE
CREATE ANY TABLE
DROP ANY TABLE
INSERT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE
SELECT ANY TABLE
The syntax for granting system privileges is GRANT privilege [, privilege...] TO username [WITH ADMIN OPTION];
The ANY privileges should be used with extreme caution, as they remove all protection from user tables: the holder can read or change tables in every user schema without any object privilege having been granted.

Object Privileges
Object privileges give the ability to perform SELECT, INSERT, UPDATE, and DELETE commands against tables, and to execute PL/SQL objects.
The syntax is GRANT privilege ON schema.object TO username [WITH GRANT OPTION];
Granting privileges at the column level is often said to be bad practice because of the massive administrative workload involved.

EXERCISE 7-2: Grant and Revoke Privileges
1. Grant CREATE SESSION to user alois.
2. Now connect as alois. This time, the login will succeed.
3. As alois, attempt to create a table. This fails, because alois does not yet have the CREATE TABLE privilege.
4. In the SYSTEM session, grant alois the CREATE TABLE privilege.
5. In the alois session, try again to create the table.
6. As alois, grant object privileges on the new table.
7. Connect to Database Control as user SYSTEM. Confirm that the object privileges have been granted: Schema tab, Database Objects section, Tables link. Enter ALOIS as the Schema and T1 as the Table and click the Go button. In the Actions drop-down box, select Object Privileges. ANJA has only SELECT, but AFRA has everything.
8. Confirm which privileges have been granted to alois: Server tab, Security section, Users link. Select the radio button for alois, and click the View button.
9. Retrieve the same information with SQL*Plus.
10. Revoke the privileges granted to AFRA and ANJA.
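Added example, not the exercise's own commands: the grant/revoke flow of Exercise 7-2 as a SQL*Plus script, plus the dictionary queries that replace the Database Control steps. It also shows the one point the exercise does not spell out, that revoking an object privilege cascades while revoking a system privilege does not. The users and the table name T1 come from the exercise; T1's columns and the quota are assumptions.

```sql
-- Added example. Assumes the users of Exercise 7-1 exist and that ALOIS has
-- USERS as default tablespace. Run the sections in the sessions indicated.

-- As SYSTEM (steps 1 and 4):
CONNECT system
GRANT CREATE SESSION TO alois;
GRANT CREATE TABLE   TO alois;
-- A privilege is not a quota: without this, the segment cannot be created
-- (ORA-01950 at CREATE TABLE, or at the first INSERT when 11.2's deferred
-- segment creation is on).
ALTER USER alois QUOTA 10M ON users;

-- As ALOIS (steps 5 and 6):
CONNECT alois
CREATE TABLE t1 (id NUMBER PRIMARY KEY, note VARCHAR2(100));   -- columns assumed
INSERT INTO t1 VALUES (1, 'hello');
COMMIT;
GRANT SELECT ON t1 TO anja;                  -- ANJA may only read
GRANT ALL    ON t1 TO afra WITH GRANT OPTION;-- AFRA gets everything and may pass it on

-- As SYSTEM (step 9): the same facts Database Control shows, from the dictionary.
CONNECT system
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'ALOIS';

SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'ALOIS' AND table_name = 'T1';

-- Any user can see what is effective in his own session:
--   SELECT * FROM session_privs;

-- Step 10, as ALOIS (the grantor):
CONNECT alois
REVOKE ALL    ON t1 FROM afra;   -- cascades: anything AFRA re-granted goes too
REVOKE SELECT ON t1 FROM anja;

-- Contrast: system privileges granted WITH ADMIN OPTION do not cascade on revoke.
CONNECT system
GRANT CREATE TABLE TO afra WITH ADMIN OPTION;
-- as AFRA:   GRANT CREATE TABLE TO anja;
REVOKE CREATE TABLE FROM afra;   -- ANJA still holds CREATE TABLE afterwards
SELECT grantee, privilege FROM dba_sys_privs WHERE privilege = 'CREATE TABLE'
AND    grantee IN ('AFRA', 'ANJA');            -- only ANJA remains
```

The non-cascading revoke is the practical reason to audit DBA_SYS_PRIVS for ADMIN_OPTION = 'YES' rather than assuming that revoking the original grant cleaned up; a privilege handed on by a since-revoked administrator survives.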
Create and Manage Roles
A role is a collection of system and/or object privileges that can be granted and revoked as a unit and, having been granted, can be temporarily activated or deactivated within a session.
Roles are not schema objects: they aren't owned by anyone and so cannot be prefixed with a username.
Create a role with the CREATE ROLE command:
CREATE ROLE rolename;
Then grant privileges to the role with the usual syntax, including WITH ADMIN OPTION for system privileges if desired. Object privileges cannot be granted to a role WITH GRANT OPTION (the attempt fails with ORA-01926).
There are at least 50 predefined roles in an Oracle database. Some of them:
CONNECT; exists for backward compatibility. With the current release, it has only CREATE SESSION.
RESOURCE; also for backward compatibility. This role can create both data objects and procedural objects. Note that granting RESOURCE also grants the UNLIMITED TABLESPACE system privilege directly to the grantee, which silently bypasses any quotas.
DBA; any user granted DBA can manage virtually all aspects of the database, except for startup and shutdown.
SELECT_CATALOG_ROLE; has over 2000 object privileges against data dictionary objects, but no system privileges or privileges against user data.
SCHEDULER_ADMIN; has the system privileges necessary for managing the Scheduler job-scheduling service.
PUBLIC; always granted to every database user account. If a privilege is granted to PUBLIC, it is available to all users.
If a user has been granted a role, then the role will be enabled by default. This behavior can be modified by making the role non-default (ALTER USER username DEFAULT ROLE ...).
The basic command to enable a role within asession is
EXERCISE 7-3: Create and Grant Roles
1. Create two roles as follows.
2. Grant some privileges to the roles, and grant USR_ROLE to MGR_ROLE.
3. Grant the roles to AFRA.
4. Connect to the database as user AFRA and grant the USR_ROLE to ANJA.
5. Confirm that ANJA can connect and query ALOIS.T1 but do nothing else.
6. As user SYSTEM, adjust ANJA so that by default the account can log on but do nothing else.
7. Demonstrate the enabling and disabling of roles.
8. Use Database Control to inspect the roles. The navigation path from the home page is the Server tab, Security section, Roles link.
9. To see to whom a role has been granted, in the Actions drop-down box on that page, select Show Grantees and click the Go button.
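Added example, not the exercise's own commands: the roles material above and the steps of Exercise 7-3 as one SQL*Plus script, including the SET ROLE command the slides refer to and the dictionary views that answer step 9 without Database Control. Role and user names are the exercise's; which privileges go into each role, and the existence of ALOIS.T1 (from Exercise 7-2), are assumptions.

```sql
-- Added example. Assumes ALOIS.T1 exists and that AFRA and ANJA exist but
-- have no privileges yet. Run each section in the session indicated.

-- Steps 1-3, as SYSTEM: a user role, and a manager role that contains it.
CONNECT system
CREATE ROLE usr_role;
CREATE ROLE mgr_role;
GRANT CREATE SESSION     TO usr_role;
GRANT SELECT ON alois.t1 TO usr_role;
GRANT usr_role           TO mgr_role;                   -- role inside a role
GRANT CREATE TABLE       TO mgr_role WITH ADMIN OPTION; -- OK for a system privilege
GRANT INSERT, UPDATE, DELETE ON alois.t1 TO mgr_role;
-- GRANT SELECT ON alois.t1 TO mgr_role WITH GRANT OPTION;  -- would fail: ORA-01926

GRANT mgr_role TO afra;
GRANT usr_role TO afra WITH ADMIN OPTION;   -- lets AFRA pass USR_ROLE on (step 4)
GRANT CREATE SESSION TO anja;               -- direct grant: survives DEFAULT ROLE NONE below

-- Step 4, as AFRA:
CONNECT afra
GRANT usr_role TO anja;

-- Step 5, as ANJA: granted roles are enabled by default, so the query works ...
CONNECT anja
SELECT * FROM alois.t1;
-- ... while this fails with ORA-01031 (insufficient privileges):
--   INSERT INTO alois.t1 VALUES (2, 'x');
-- Caveat: even if ANJA held CREATE VIEW or CREATE PROCEDURE, a view or a
-- definer's-rights PL/SQL unit over alois.t1 would not compile, because
-- privileges received through a role are ignored there.

-- Step 6, as SYSTEM: ANJA keeps the role, but nothing is enabled at logon.
CONNECT system
ALTER USER anja DEFAULT ROLE NONE;

-- Step 7, as ANJA: enable and disable within the session.
CONNECT anja
SELECT * FROM session_roles;     -- no rows
SET ROLE usr_role;
SELECT * FROM session_roles;     -- USR_ROLE
SELECT COUNT(*) FROM alois.t1;   -- works while the role is on
SET ROLE NONE;
-- SELECT COUNT(*) FROM alois.t1;  -> ORA-00942, the table is invisible again

-- Steps 8-9 from the dictionary: what each role contains, and who holds it.
CONNECT system
SELECT role, privilege, admin_option
FROM   role_sys_privs  WHERE role IN ('USR_ROLE', 'MGR_ROLE');
SELECT role, owner, table_name, privilege
FROM   role_tab_privs  WHERE role IN ('USR_ROLE', 'MGR_ROLE');
SELECT role, granted_role
FROM   role_role_privs WHERE role = 'MGR_ROLE';
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs  WHERE granted_role IN ('USR_ROLE', 'MGR_ROLE');
```

DEFAULT ROLE NONE is the piece that makes roles a least-privilege tool rather than a mere grouping convenience: an application can enable USR_ROLE only for the duration of the work that needs it, and an attacker who obtains ANJA's session gets CREATE SESSION and nothing else until SET ROLE is issued. A role created with IDENTIFIED BY a password takes this further, since SET ROLE then requires the password.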
Create and Manage Profiles
A profile enforces a password policy and restricts the resources a session can take up.
Password controls are always enforced; resource limits are only enforced if the instance parameter RESOURCE_LIMIT is set to TRUE (by default, it is FALSE).
The limits that can be applied to passwords are:
FAILED_LOGIN_ATTEMPTS; specifies the number of consecutive wrong passwords before the account is locked
PASSWORD_LOCK_TIME; the number of days an account stays locked after FAILED_LOGIN_ATTEMPTS is reached
PASSWORD_LIFE_TIME; the number of days before a password expires
PASSWORD_GRACE_TIME; the number of days, counted from the first successful login after the password has expired, during which prompts to change the password are generated but login still succeeds
PASSWORD_REUSE_TIME; the number of days before a password can be reused
PASSWORD_REUSE_MAX; the number of password changes required before a password can be reused
PASSWORD_VERIFY_FUNCTION; the name of a function to run whenever a password is changed
The limits that can be applied to resource usage (also known as kernel limits) are:
SESSIONS_PER_USER
CPU_PER_SESSION
CPU_PER_CALL
LOGICAL_READS_PER_SESSION
LOGICAL_READS_PER_CALL
PRIVATE_SGA
CONNECT_TIME
IDLE_TIME
COMPOSITE_LIMIT (a weighted sum of CPU_PER_SESSION, CONNECT_TIME, LOGICAL_READS_PER_SESSION, and PRIVATE_SGA)
When a session is terminated because a resource limit has been reached, any transaction in progress is rolled back.
Profiles can be used to limit resource usage, but a much more sophisticated tool is the Resource Manager.
To see which profile is currently assigned to each user, run this query:
With Database Control, from the database home page take the Server tab, and then click the Users link in the Security section to see which profile each user has.
To enable more sophisticated password management, run the supplied script $ORACLE_HOME/rdbms/admin/utlpwdmg.sql (the same relative path under ORACLE_HOME on Windows).
The script creates two functions, VERIFY_FUNCTION and VERIFY_FUNCTION_11G, and alters the profile called DEFAULT to use VERIFY_FUNCTION_11G. Since every account uses DEFAULT unless it has been assigned another profile, running the script changes the password policy for all users at once.
EXERCISE 7-4: Create and Use Profiles
1. Create a profile that will lock accounts after two wrong passwords.
2. Assign this new profile to ALOIS.
3. Deliberately enter the wrong password for ALOIS a few times.
4. As user SYSTEM, unlock the ALOIS account
5. Check that ALOIS can now connect
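Added example, not the exercise's own commands: a profile that implements Exercise 7-4, with the password and kernel limits discussed above, the RESOURCE_LIMIT switch that makes the kernel limits effective, and the dictionary queries behind "which profile does each user have" and "is the account locked". The profile name STRICT_PWD and the limit values are assumptions; the script also assumes utlpwdmg.sql has already been run so that VERIFY_FUNCTION_11G exists.

```sql
-- Added example. Run as SYSTEM. Assumes the user ALOIS exists and that
--   @?/rdbms/admin/utlpwdmg.sql
-- has been run, otherwise CREATE PROFILE fails on the verify function
-- (drop that line to try the rest without it).

CREATE PROFILE strict_pwd LIMIT
  FAILED_LOGIN_ATTEMPTS     2          -- step 1: lock after two consecutive failures
  PASSWORD_LOCK_TIME        1/24       -- fractions of a day are allowed: one hour
  PASSWORD_LIFE_TIME        90
  PASSWORD_GRACE_TIME       7
  PASSWORD_REUSE_TIME       365
  PASSWORD_REUSE_MAX        10         -- ten changes before an old password may return
  PASSWORD_VERIFY_FUNCTION  verify_function_11g
  SESSIONS_PER_USER         3          -- kernel limits below this line need RESOURCE_LIMIT=TRUE
  IDLE_TIME                 30         -- minutes
  CONNECT_TIME              480;       -- minutes

ALTER USER alois PROFILE strict_pwd;   -- step 2

-- Password limits apply immediately; the kernel limits are dead letters until:
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- Step 3 is done from another SQL*Plus session, e.g. three times
--   CONNECT alois/wrongpassword
-- After the second failure the status changes. LOCKED(TIMED) means it will
-- clear on its own once PASSWORD_LOCK_TIME has elapsed:
SELECT username, profile, account_status, lock_date
FROM   dba_users
WHERE  username = 'ALOIS';

-- The query the slides refer to: which profile each user has.
SELECT username, profile
FROM   dba_users
ORDER  BY profile, username;

-- What a profile actually enforces (DEFAULT is what everyone else is on).
SELECT profile, resource_name, resource_type, limit
FROM   dba_profiles
WHERE  profile IN ('STRICT_PWD', 'DEFAULT')
ORDER  BY profile, resource_type, resource_name;

-- Step 4: unlock; step 5: ALOIS can connect again with the correct password.
ALTER USER alois ACCOUNT UNLOCK;
```

Two caveats a practitioner wants here. First, the 11g DEFAULT profile already sets FAILED_LOGIN_ATTEMPTS to 10 and PASSWORD_LIFE_TIME to 180, so accounts that have never been given a profile are not unlimited, and a review should compare DBA_PROFILES against what the policy says rather than assume. Second, a very low FAILED_LOGIN_ATTEMPTS is a denial-of-service lever: anyone who knows a username can lock it from any client that can reach the listener, which is why the lock should be timed (PASSWORD_LOCK_TIME) rather than permanent for application accounts.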