Oracle DBA Notes

  

These are my personal notes that I use as a quick help in my work.
You are welcome to read them.

Contents of current page Top-level home page
 
Index  Java Internet Oracle Notes
Linux Basics Web Basics SQL Notes
Informatica Servlets Apache BkpRstore SQL*Plus
Teradata   LDAP Storage PL/SQL
Windows     Tables OEM
UML   Net8 Portal
SQL Server Python perl Performance OLAP
Vmware Visual Basic PHP/MySQL User Mgmt  
Git        
More technical pages here

Contents

 


 

 


Also see chapter 11 "Database Security Overview for Application Developers" or "Database Security Overview for Application Developers" in the Oracle documentation (...oracle_doc\appdev.920\a96590\adgsec01.htm)


User Creation

Checklist:

Connect as user with dba privileges

CREATE USER <new user name> IDENTIFIED BY { <the password> | EXTERNALLY }
  DEFAULT TABLESPACE <a tablespace>
  TEMPORARY TABLESPACE <a temporary tablespace>
  QUOTA { nM | UNLIMITED } ON tablespace QUOTA { nM | UNLIMITED } ON tablespace
  PASSWORD EXPIRE -- v8
  ACCOUNT { LOCK | UNLOCK }
  PROFILE { profile | DEFAULT } ;

GRANT CREATE SESSION TO <new user name> ; -- or grant a role with CREATE SESSION
GRANT <roles> TO <new user name> ;
ALTER USER <new user name> DEFAULT ROLE CONNECT, <roles>;
ALTER USER <new user name> DEFAULT ROLE ALL; -- all roles are default roles
ALTER USER <new user name> QUOTA { 10M | UNLIMITED } ON USERS; -- unlimited cannot be granted to roles
create user OPS$AUSER identified whatever ...  ; -- Linked to operating system
create user OPS$AUSER identified externally ...; -- Idem, password handled by OS

Note that only the first line is compulsory. Best to also define default and temporary tablespaces.
Minimal script for creation:
CREATE USER SCOTT IDENTIFIED BY tiger
   DEFAULT TABLESPACE USERS
   TEMPORARY TABLESPACE TEMP
   PROFILE DEFAULT;
GRANT CREATE SESSION TO SCOTT;

Problems doing what the user should normally be able to do:
alter user system default role all;

To move a schema to a new user: exp user x, imp to user y.

Profiles are used to define resource limits.

Users authenticated by windows (must be member of administrators group, must have the "Logon as a batch job" user right policy.
Assuming parameter os_authent_prefix = OPS$
Set in sqlnet.ora: SQLNET.AUTHENTICATION_SERVICES= (NTS)
create user "OPS$THE_DOMAIN\THE_USER" identified externally -- capital letters
default tablespace usr_data temporary tablespace temp;
grant connect to "OPS$THE_DOMAIN\THE_USER" ;
alter user "OPS$THE_DOMAIN\THE_USER" default role all;

On UNIX, this user can be the oracle account set up during the installation process.

 

 


Administer user accounts

ALTER USER username IDENTIFIED BY password;
Force new password
Everyone can change his/her password. SYSTEM can change all. SYS can change SYSTEM. Last chance: connect internal.
ALTER USER username PASSWORD EXPIRE ;
Force user to enter a new password.
ALTER USER username ACCOUNT { LOCK | UNLOCK } ;
Lock or unlock an account
DROP USER username [ CASCADE ] ;
Drop (cascade if a schema)
Note: to block a user from connecting, revoke CREATE SESSION; no need to drop.
ALTER USER username DEFAULT TABLESPACE tablespace ;
Define default tablespace
ALTER USER username TEMPORARY TABLESPACE tablespace ;
Define temporary tablespace
ALTER USER username QUOTA { nM | UNLIMITED } ON tablespace ;
When quota 0 is applied, the user keeps the existing objects but cannot use more space.

 


Roles

Use roles to manage groups of users. Grant system and object privileges to roles. You can also grant roles to roles.

Group-based security policy: privileges should be granted only to groups and an individual's access should be inherited through the respective security group. "World", "Public" or individual user IDs should not be granted any access.

Default roles include:

The user group PUBLIC is not a role.

 

CREATE ROLE <role name> [IDENTIFIED BY ... ];
ALTER ROLE <role name> NOT IDENTIFIED;         -- Disable password

GRANT <priv>, <priv> TO <role name>;
SET ROLE <role name>; -- Set role of the current user
SET ROLE <role name> IDENTIFIED BY <password>; -- Same as previous, but with password
SET ROLE NONE; -- disable roles.

GRANT <role name> TO <user name>;
REVOKE <user name> FROM <role name>;
ALTER USER <user name> DEFAULT ROLE NONE;
ALTER USER <user name> DEFAULT ROLE <role name>;
ALTER USER <user name> DEFAULT ROLE ALL;
ALTER USER <user name> DEFAULT ROLE ALL EXCEPT <role name>;

 

CREATE ROLE <role name> ;
No identification needed.
CREATE ROLE <role name> IDENTIFIED BY ... ;
Identification is needed when executing "SET ROLE" unless the role is a default role
CREATE ROLE <role name> IDENTIFIED BY <password>;
Provide a password (unless default role). Must be a single-byte character password.
CREATE ROLE <role name> IDENTIFIED USING <package name>;
The role can be enabled by any module in the package.
CREATE ROLE <role name> IDENTIFIED EXTERNALLY;
External authorization (operating system, network)
CREATE ROLE <role name> IDENTIFIED GLOBALLY;
Enterprise directory service. Note that only the enterprise directory service can then grant and revoke these roles.

 


Profiles

create profile <profile name> limit FAILED_LOGIN_ATTEMPTS 5;
alter profile DEFAULT limit idle_time 60;
alter profile <profile name> limit PASSWORD_REUSE_MAX 3 PASSWORD_REUSE_TIME UNLIMITED;

create user <user name> identified by whatever profile <profile name>;

ALTER PROFILE DEFAULT LIMIT
PASSWORD_LIFE_TIME 60
PASSWORD_GRACE_TIME 10
PASSWORD_REUSE_TIME 1800
PASSWORD_REUSE_MAX UNLIMITED
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LOCK_TIME 1/1440
PASSWORD_VERIFY_FUNCTION <function name>;

create profile temp_profile limit
password_verify_function    null
password_reuse_time         unlimited
password_reuse_max          unlimited;

 


System Privileges

Some comments:

GRANT  { system_priv | role } TO   { user | role | PUBLIC } [ WITH ADMIN OPTION ] ;
REVOKE { system_priv | role } FROM { user | role | PUBLIC };

Examples

GRANT CREATE SESSION, CREATE TABLE TO user1;
user can connect and create tables
REVOKE CREATE TABLE FROM user1;
User can no longer create tables

 

 


Object Privileges

GRANT { SELECT or INSERT or UPDATE or DELETE } ON table, view or sequence.
GRANT EXECUTE ON procedure.
GRANT ALTER, INDEX and REFERENCES ON other objects, but these are not used (or even dangerous to grant to others in some cases).

Owner can grant privileges (must be my schema) or I must have WITH GRANT OPTION. A user has all privileges on an object that he/she owns.
Note that WITH GRANT OPTION does not work with roles.

GRANT <priv> [(column, column)] , <priv>
ON object TO { user | role | PUBLIC }, { same } [ WITH GRANT OPTION ] ;
Grant privileges
GRANT ALL PRIVILEGES ON . . .
Grant all privileges received
REVOKE { { priv, priv } | ALL }
ON object FROM { user | role | PUBLIC }, { same } [ CASCADE CONSTRAINTS ] ;
Revoke
 

 


Security

Authentication methods: database passwords, host operating system, network services or Secure Sockets Layer (SSL).

Encrypt passwords (not yet tried):
Environment variable ORA_ENCRYPT_LOGIN = TRUE on client machine.
Set server initialization parameter DBLINK_ENCRYPT_LOGIN = TRUE.

Basic security:

 


View users

dba_users
View all users
all_users
View users
user_users
View information on current user (one row)
DBA_TS_QUOTAS
USER_TS_QUOTAS
Tablespace quotas
USER_PASSWORD_LIMITS
USER_RESOURCE_LIMITS
RESOURCE_COST
DBA_PROFILES
Profile management
V$SESSION
Session information
V$SESSTAT
V$STATNAME
Session statistics (table statname shows names of statistics)
PROXY_USERS
View users that who can assume other identities
DBA_COL_PRIVS, ALL_COL_PRIVS, USER_COL_PRIVS
ALL_COL_PRIVS_MADE, USER_COL_PRIVS_MADE
ALL_COL_PRIVS_RECD, USER_COL_PRIVS_RECD
Column object grants (compared to tab_privs, contains one column more: "column_name")
DBA_TAB_PRIVS, ALL_TAB_PRIVS, USER_TAB_PRIVS
ALL_TAB_PRIVS_MADE, USER_TAB_PRIVS_MADE
ALL_TAB_PRIVS_RECD, USER_TAB_PRIVS_RECD
Object grants (compared to col_privs, contains one column more: "hierarchy")
DBA_SYS_PRIVS, USER_SYS_PRIVS
Granted system privileges
DBA_ROLES
all roles in database
DBA_ROLE_PRIVS, USER_ROLE_PRIVS
Granted roles
ROLE_ROLE_PRIVS
Roles granted to roles (sub-set of dba_role_privs)
ROLE_SYS_PRIVS
System privileges granted to roles (sub-set of dba_sys_privs)
ROLE_TAB_PRIVS
Object privileges granted to roles (sub-set of dba_tab_privs)
SESSION_PRIVS, SESSION_ROLES
List privileges and roles grantes to user in current session

 

 

 

select u.username
     --, u.user_id
     , substr(to_char(u.created, 'DD/MM/YYYY'), 1, 12) as created_d
     , substr( decode(u.account_status, 'OPEN', ' ', u.account_status), 1, 10) as acct_status
     --, substr ( password, 1, 3) as pwd
     , decode ( password, 'EXTERNAL', 'E ', 'PWD') as pwd_2
     , to_char(u.lock_date, 'DD/MM/YYYY') as lock_date
     , to_char(u.expiry_date, 'DD/MM/YYYY') as expiry_date
     , substr( u.default_tablespace, 1, 15) as def_ts
     , decode ( u.default_tablespace, 'SYSTEM', '<---', ' ') as wrn1
     , substr( u.temporary_tablespace, 1, 15) as temp_ts
     , decode ( u.temporary_tablespace, 'SYSTEM', 'Frag syst!', ' ') as wrn2
     --,u.profile
     --, u.initial_rsrc_consumer_group
     --, substr(u.external_name, 1, 10) as external_name
from dba_users u
order by created;

select q.username
     , q.tablespace_name
     , to_char ( q.bytes /1000/1000 , '999G999') as Mbytes_used
     , decode ( q.max_bytes , -1 , 'Unlimited', to_char (q.max_bytes /1000/1000 , '999G999') ) as Mbytes_max
     , to_char ( q.blocks, '999G999') as blocks_used
     , decode ( q.max_blocks , -1 , 'Unlimited', to_char (q.max_blocks , '999G999') ) as Mbytes_max
from dba_ts_quotas q
order by username;

set heading off

select 'alter user ' , u.username , ' TEMPORARY TABLESPACE TEMP;'
from dba_users u
where u.temporary_tablespace = 'SYSTEM';

select 'alter user ' , u.username , ' DEFAULT TABLESPACE USERS ;'
from dba_users u
where u.default_tablespace = 'SYSTEM';

set heading on

 


Troubleshooting

Check user privileges:
select user, privilege from session_privs;
select user, role from session_roles;

This is my secret. Down to level 5.

select username
     , null as next_to_last_role
     , username as granted_role
     , '   ' as admin_option
     , '  ' as default_role
     , '   ' as admin_option2
     , 0 as the_level
  from dba_users
union all
select u.username
     , null as next_to_last_role
     , r.granted_role
     , r.admin_option
     , r.default_role
     , '   ' as admin_option2
     , 1 as the_level
  from dba_role_privs r
     , dba_users u
  where r.grantee = u.username
union all
select u.username
     , r.granted_role as next_to_last_role
     , rr.granted_role
     , r.admin_option
     , r.default_role
     , rr.admin_option as admin_option2
     , 2 as the_level
  from role_role_privs rr
     , dba_role_privs r
     , dba_users u
  where r.grantee = u.username
    and rr.role = r.granted_role
union all
select u.username
     , rr.granted_role as next_to_last_role
     , rrr.granted_role
     , r.admin_option
     , r.default_role
     , rr.admin_option || rrr.admin_option as admin_option2
     , 3 as the_level
  from role_role_privs rrr
     , role_role_privs rr
     , dba_role_privs r
     , dba_users u
  where r.grantee = u.username
    and rr.role = r.granted_role
    and rrr.role = rr.granted_role
union all
select u.username
     , rrr.granted_role as next_to_last_role
     , rrrr.granted_role
     , r.admin_option
     , r.default_role
     , rr.admin_option || rrr.admin_option || rrrr.admin_option as admin_option2
     , 4 as the_level
  from role_role_privs rrrr
     , role_role_privs rrr
     , role_role_privs rr
     , dba_role_privs r
     , dba_users u
  where r.grantee = u.username
    and rr.role = r.granted_role
    and rrr.role = rr.granted_role
    and rrrr.role = rrr.granted_role
union all
select u.username
     , rrrr.granted_role as next_to_last_role
     , rrrrr.granted_role
     , r.admin_option
     , r.default_role
     , rr.admin_option || rrr.admin_option || rrrr.admin_option || rrrrr.admin_option as admin_option2
     , 5 as the_level
  from role_role_privs rrrrr
     , role_role_privs rrrr
     , role_role_privs rrr
     , role_role_privs rr
     , dba_role_privs r
     , dba_users u
  where r.grantee = u.username
    and rr.role = r.granted_role
    and rrr.role = rr.granted_role
    and rrrr.role = rrr.granted_role
    and rrrrr.role = rrrr.granted_role
order by username, granted_role;