Copyright © 2009, Oracle. All rights reserved.
Chapter 4.
Administering User Security
Objectives
After completing this lesson, you should be able to:
• Create and manage database user accounts:
– Authenticate users
– Assign default storage areas (tablespaces)
• Grant and revoke privileges
• Create and manage roles
• Create and manage profiles:
– Implement standard password security features
– Control resource usage by users
Database User Accounts
Each database user account has:
• A unique username
• An authentication method
• A default tablespace
• A temporary tablespace
• A user profile
• An initial consumer group
• An account status
A schema:
• Is a collection of database objects that are owned by a
database user
• Has the same name as the user account
Predefined Administrative Accounts
• SYS account:
– Is granted the DBA role, as well as several other roles.
– Has all privileges with ADMIN OPTION
– Is required for startup, shutdown, and some maintenance
commands
– Owns the data dictionary and the Automatic Workload
Repository (AWR)
• SYSTEM account is granted the DBA, MGMT_USER, and
AQ_ADMINISTRATOR_ROLE roles.
• DBSNMP account is granted the OEM_MONITOR role.
• SYSMAN account is granted the MGMT_USER, RESOURCE
and SELECT_CATALOG_ROLE roles.
• These accounts are not used for routine operations.
Creating a User
Select Server > Users, and then click the Create button.
Authenticating Users
• Password: the database verifies a password whose hash is stored in the data dictionary.
• External: the operating system or a network service (for example Kerberos) authenticates the user; the database stores no password for the account.
• Global: an enterprise directory service authenticates the user (enterprise users).
Administrator Authentication
Operating system security:
• DBAs must have the OS privileges to create and delete
files.
• Typical database users should not have the OS privileges
to create or delete database files.
Administrator security:
• For SYSDBA, SYSOPER, and SYSASM connections:
– DBA user by name is audited for password file and strong
authentication methods
– OS account name is audited for OS authentication
– OS authentication takes precedence over password file
authentication for privileged users
– Password file uses case-sensitive passwords
Creating a User
Syntax:
CREATE USER user IDENTIFIED BY password
  [DEFAULT TABLESPACE tablespace]
  [TEMPORARY TABLESPACE tablespace]
  [QUOTA {integer [K|M] | UNLIMITED} ON tablespace
    [QUOTA {integer [K|M] | UNLIMITED} ON tablespace]...]
  [PASSWORD EXPIRE]
  [ACCOUNT {LOCK|UNLOCK}]
Example:
CREATE USER student
  IDENTIFIED BY soccer          -- initial password; expired by the last clause
  DEFAULT TABLESPACE data       -- where the user's objects go unless stated otherwise
  TEMPORARY TABLESPACE temp     -- sort and temporary segments
  QUOTA 15M ON data             -- space the user may consume in DATA
  QUOTA 10M ON users            -- ... and in USERS
  PASSWORD EXPIRE;              -- must be changed at first login
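The following is an added example, not part of the original course material: CREATE USER for each of the three authentication methods listed under "Authenticating Users", an application schema created locked, and the data dictionary checks that confirm the result (including quotas). It runs as a user holding CREATE USER and ALTER USER (SYSTEM, for example). The user names, tablespaces, directory DN and the OPS$ value of OS_AUTHENT_PREFIX are assumptions.

```sql
-- Added example (not from the original slides). Assumptions: tablespaces
-- USERS and TEMP exist, OS_AUTHENT_PREFIX has its default value OPS$, and
-- the directory DN below is illustrative.

-- 1. Password authentication. PASSWORD EXPIRE forces a change at first
--    login, so the bootstrap password never becomes a long-lived secret.
CREATE USER app_reader IDENTIFIED BY "Tmp2009ChangeMe"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 0 ON users            -- read-only account: no room to create objects
  PASSWORD EXPIRE;

-- 2. External (operating system) authentication. The database user name
--    is OS_AUTHENT_PREFIX followed by the OS user name; no password is
--    stored in the database.
CREATE USER ops$jsmith IDENTIFIED EXTERNALLY
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp;

-- 3. Global authentication: the user is defined in an enterprise directory
--    and mapped by distinguished name (assumed DN).
CREATE USER gl_hr IDENTIFIED GLOBALLY AS 'cn=hr_user,ou=people,dc=example,dc=com'
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp;

-- 4. Application schema owner that should never be used interactively:
--    create it locked and unlock it only for the deployment window.
CREATE USER inventory IDENTIFIED BY "Inv2009Bootstrap"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 50M ON users
  ACCOUNT LOCK;

-- Whatever the authentication method, nobody connects without CREATE
-- SESSION; the CONNECT role supplies it.
GRANT CONNECT TO app_reader, ops$jsmith, gl_hr, inventory;

-- For the deployment window only ...
ALTER USER inventory ACCOUNT UNLOCK;
-- ... and afterwards:
ALTER USER inventory ACCOUNT LOCK;

-- Verify status and storage settings per account
SELECT username, account_status, lock_date, expiry_date,
       default_tablespace, temporary_tablespace, profile
FROM   dba_users
WHERE  username IN ('APP_READER', 'OPS$JSMITH', 'GL_HR', 'INVENTORY')
ORDER  BY username;

-- Verify quotas (MAX_BYTES = -1 means UNLIMITED)
SELECT username, tablespace_name, bytes / 1024 AS used_kb,
       DECODE(max_bytes, -1, 'UNLIMITED', TO_CHAR(max_bytes / 1024)) AS quota_kb
FROM   dba_ts_quotas
WHERE  username IN ('APP_READER', 'OPS$JSMITH', 'GL_HR', 'INVENTORY')
ORDER  BY username, tablespace_name;
```

The locked-by-default pattern for schema owners is worth the extra ALTER USER statements: a schema account with a known bootstrap password and no lock is the first thing an attacker tries.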
Unlocking a User Account and
Resetting the Password
Select the user, select Unlock User, and click Go.
Privileges
There are two types of user privileges:
• System: Enables users to perform particular actions in the
database
• Object: Enables users to access and manipulate a specific
object
Diagram: the user HR_DBA holds a system privilege (CREATE SESSION) and an object privilege (UPDATE on the employees table).
System Privileges
• A user needs the CREATE SESSION system privilege before they can connect (for example, with SQL*Plus); the CONNECT role supplies it. RESOURCE is needed only if the user will create objects:
GRANT CONNECT, RESOURCE TO music;
• In Oracle Database 11g the CONNECT role contains only CREATE SESSION (older releases also included CREATE VIEW, CREATE SEQUENCE and other privileges).
• The RESOURCE role lets the user create tables, sequences, procedures, triggers and types in their own schema (indexes on the user's own tables need no separate privilege). Caveat: in 11g, granting RESOURCE also grants the UNLIMITED TABLESPACE system privilege directly to the user, which bypasses tablespace quotas; check DBA_SYS_PRIVS afterwards and revoke it if the user is meant to be held to a quota.
• WITH ADMIN OPTION lets the grantee pass the privilege on to other users:
GRANT CONNECT TO music WITH ADMIN OPTION;
• Exercise: grant CONNECT and RESOURCE to Jim WITH ADMIN OPTION.
Syntax:
GRANT system_privilege [, system_privilege]...
  TO {user|role|PUBLIC} [, {user|role|PUBLIC}]... [WITH ADMIN OPTION]
Examples of System Privileges
• CREATE TABLESPACE
• CREATE ROLE
• DROP ANY OPERATOR
• DROP ANY SNAPSHOT (legacy name for DROP ANY MATERIALIZED VIEW)
• ALTER ANY CLUSTER
• EXECUTE ANY PROCEDURE
• GRANT ANY PRIVILEGE
• SYSDBA
• SYSOPER
The ANY privileges reach into every schema, and GRANT ANY PRIVILEGE lets the holder grant themselves the rest; treat them as administrative privileges. SYSDBA and SYSOPER are not ordinary system privileges: they are authenticated through the password file or the operating system and are listed in V$PWFILE_USERS rather than DBA_SYS_PRIVS.
REVOKE Privileges
• Privileges and roles can be removed with the REVOKE command:
REVOKE RESOURCE FROM jim;
• DROP USER drops the user only if the user does not own any objects.
• DROP USER with the CASCADE option drops the user's objects as well. This is irreversible, and the statement fails while the user has an open session:
DROP USER jim CASCADE;
Syntax:
REVOKE {system_privilege|role} [, {system_privilege|role}]...
  FROM {user|role|PUBLIC} [, {user|role|PUBLIC}]...
Object Privileges
To grant object privileges in Enterprise Manager:
1. Choose the object type.
2. Search for and select the objects.
3. Select the privileges.
Object Privileges
• The object privileges on a table are SELECT, INSERT, UPDATE, DELETE, ALTER, INDEX and REFERENCES. INSERT, UPDATE and REFERENCES can be restricted to named columns; SELECT cannot (to expose only some columns for reading, grant SELECT on a view that projects them).
• The owner of the object (or a user who holds the privilege WITH GRANT OPTION) grants it. Here the SQL*Plus session is connected as the owner, student:
CONNECT student/learn
GRANT SELECT ON course TO music;
GRANT UPDATE (cost, description) ON course TO music;
GRANT ALL ON course TO music WITH GRANT OPTION;
• The last statement gives music every privilege on the table and the right to pass them on; grant that combination only when it is really intended.
• Object privileges can be revoked by the user who granted them:
REVOKE UPDATE ON course FROM music;
Syntax:
GRANT {object_privilege [(column_list)] [, object_privilege [(column_list)]]... | ALL}
  ON [schema.]object
  TO {user|role|PUBLIC} [, {user|role|PUBLIC}]...
  [WITH GRANT OPTION]
REVOKE Object Privileges
REVOKE {object_privilege [, object_privilege]... | ALL}
  ON [schema.]object
  FROM {user|role|PUBLIC} [, {user|role|PUBLIC}]...

Object privileges available by object type:

Object priv.   Table   View   Sequence   Procedure
ALTER            X       -       X          -
DELETE           X       X       -          -
EXECUTE          -       -       -          X
INDEX            X       -       -          -
INSERT           X       X       -          -
REFERENCES       X       -       -          -
SELECT           X       X       X          -
UPDATE           X       X       -          -
Revoking System Privileges Granted WITH ADMIN OPTION
Diagram: the DBA grants CREATE TABLE to Joe WITH ADMIN OPTION, and Joe grants CREATE TABLE to Emily. The DBA then runs:
REVOKE CREATE TABLE FROM joe;
Joe loses the privilege, but Emily keeps it: revoking a system privilege (or a role) does not cascade to the grants the revokee made while holding the ADMIN OPTION. Those grants must be found and revoked separately.
Revoking Object Privileges Granted WITH GRANT OPTION
Diagram: Bob grants an object privilege to Joe WITH GRANT OPTION, and Joe grants it to Emily. When Bob revokes the privilege from Joe, Emily's grant is removed as well: revoking an object privilege cascades to every grant made through the revokee's GRANT OPTION.
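The following is an added example, not part of the original course material: the two revocation behaviours pictured on the preceding two slides, run end to end so that the difference is visible in the data dictionary. Assumed accounts are a DBA session (SYSTEM) and the users bob, joe and emily from the diagrams; passwords are placeholders, and the comment before each group names the session that runs it.

```sql
-- Added example (not from the original slides). Assumptions: the USERS
-- tablespace exists; bob, joe and emily do not yet exist.

-- (DBA) setup
CREATE USER joe   IDENTIFIED BY "Joe2009Tmp";
CREATE USER emily IDENTIFIED BY "Emily2009Tmp";
CREATE USER bob   IDENTIFIED BY "Bob2009Tmp" QUOTA 10M ON users;
GRANT CREATE SESSION TO joe, emily, bob;
GRANT CREATE TABLE TO bob;          -- bob owns the table used in part B

-- Part A: a system privilege granted WITH ADMIN OPTION.
-- (DBA) joe receives CREATE TABLE and may pass it on
GRANT CREATE TABLE TO joe WITH ADMIN OPTION;
-- (joe) passes it to emily
GRANT CREATE TABLE TO emily;
-- (DBA) takes it back from joe
REVOKE CREATE TABLE FROM joe;
-- (DBA) the revoke removed only JOE's row; emily's grant survives and
-- must be revoked explicitly if that was the intent
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE TABLE' AND grantee IN ('JOE', 'EMILY');

-- Part B: an object privilege granted WITH GRANT OPTION.
-- (bob) owns a table and lets joe read it and pass that right on
CREATE TABLE bob.orders (id NUMBER PRIMARY KEY, amount NUMBER);
GRANT SELECT ON bob.orders TO joe WITH GRANT OPTION;
-- (joe) passes it to emily
GRANT SELECT ON bob.orders TO emily;
-- (bob) revokes from joe; emily's dependent grant disappears with it
REVOKE SELECT ON bob.orders FROM joe;
-- (DBA) neither joe nor emily is listed any more
SELECT grantee, grantor, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'BOB' AND table_name = 'ORDERS';
```

The practical consequence of part A is that a privilege review cannot stop at the account that was off-boarded: every grant that account made while it held ADMIN OPTION (visible in DBA_SYS_PRIVS and DBA_ROLE_PRIVS) has to be reviewed too.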
Benefits of Roles
• Easier privilege management
• Dynamic privilege management
• Selective availability of privileges
Assigning Privileges to Roles and
Assigning Roles to Users
Diagram: the privileges (SELECT, INSERT, UPDATE and DELETE on employees; CREATE JOB) are granted to the roles HR_CLERK and HR_MGR, and the roles are granted to the users Jenny, David and Rachel. The users never receive the individual privileges directly.
Predefined Roles
Role: privileges included
• CONNECT: CREATE SESSION
• RESOURCE: CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE
• SCHEDULER_ADMIN: CREATE ANY JOB, CREATE EXTERNAL JOB, CREATE JOB, EXECUTE ANY CLASS, EXECUTE ANY PROGRAM, MANAGE SCHEDULER
• DBA: most system privileges; several other roles. Do not grant to nonadministrators.
• SELECT_CATALOG_ROLE: no system privileges; HS_ADMIN_ROLE and over 1,700 object privileges on the data dictionary
Creating a Role
CREATE ROLE r01 [NOT IDENTIFIED];
CREATE ROLE r02 IDENTIFIED BY abc123;
Secure Roles
• Roles can be nondefault and enabled only when required:
SET ROLE vacationdba;
• Roles can be protected through authentication (a role password, as in the IDENTIFIED BY example above).
• Roles can also be secured programmatically: a secure application role can be enabled only from inside the PL/SQL package named in its definition, which can check the session's context before enabling it:
CREATE ROLE secure_application_role
  IDENTIFIED USING [schema.]security_package_name;
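The following is an added example, not part of the original course material: a secure application role of the kind described above, enabled only by a package procedure that first checks where the session comes from. Assumptions: a schema HR_SEC exists to own the package, an application account APP_USER exists, the HR sample schema is installed, and the address range and module name used in the check are illustrative.

```sql
-- Added example (not from the original slides). Schema HR_SEC, user
-- APP_USER and the values checked in the procedure are assumptions.

-- (DBA) The role names the package that is allowed to enable it.
CREATE ROLE hr_app_role IDENTIFIED USING hr_sec.hr_app_auth;
GRANT SELECT, INSERT, UPDATE ON hr.employees TO hr_app_role;

-- (DBA) The authorizing package. It must be invoker's rights
-- (AUTHID CURRENT_USER) so that DBMS_SESSION.SET_ROLE acts on the
-- calling session's roles rather than on the package owner's.
CREATE OR REPLACE PACKAGE hr_sec.hr_app_auth AUTHID CURRENT_USER AS
  PROCEDURE enable_hr_app;
END hr_app_auth;
/
CREATE OR REPLACE PACKAGE BODY hr_sec.hr_app_auth AS
  PROCEDURE enable_hr_app IS
  BEGIN
    -- Enable the role only for sessions from the application tier.
    -- IP_ADDRESS is taken from the connection; MODULE is set by the
    -- client and is a hurdle rather than proof, so it is combined with
    -- the address check. Both values below are assumptions.
    IF SYS_CONTEXT('USERENV', 'IP_ADDRESS') LIKE '10.0.5.%'
       AND SYS_CONTEXT('USERENV', 'MODULE') = 'HR_APP' THEN
      -- SET_ROLE replaces the whole set of enabled roles, so every role
      -- the session should keep (CONNECT assumed) is listed as well.
      DBMS_SESSION.SET_ROLE('connect, hr_app_role');
    ELSE
      RAISE_APPLICATION_ERROR(-20001,
        'hr_app_role is not available from this session');
    END IF;
  END enable_hr_app;
END hr_app_auth;
/

-- (DBA) Grant the role but keep it disabled at login: a default role
-- would be enabled at connect time without the package ever running.
GRANT CONNECT, hr_app_role TO app_user;
ALTER USER app_user DEFAULT ROLE ALL EXCEPT hr_app_role;
GRANT EXECUTE ON hr_sec.hr_app_auth TO app_user;

-- (app_user) At run time the application calls the procedure ...
BEGIN
  hr_sec.hr_app_auth.enable_hr_app;
END;
/
-- ... and HR_APP_ROLE now appears among the enabled roles:
SELECT role FROM session_roles;
-- Enabling it directly bypasses the check and is refused by the database:
SET ROLE connect, hr_app_role;
```

The role itself carries the object privileges, so nothing is granted to APP_USER directly; a session that reaches the database from anywhere other than the application tier logs in with CONNECT only.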
Assigning Roles to Users
GRANT role [, role]...
  TO {user|role|PUBLIC} [, {user|role|PUBLIC}]...
  [WITH ADMIN OPTION]
GRANT hr_clerk TO hr_manager;
GRANT oe_clerk TO scott;
GRANT hr_manager TO scott WITH ADMIN OPTION;
Granting Privileges to Roles, Revoking and Dropping Roles
GRANT system_privilege [, system_privilege]...
  TO role [WITH ADMIN OPTION];
GRANT object_privilege [, object_privilege]...
  ON [schema.]object TO role [, role]...;
REVOKE role [, role]... FROM {user|role|PUBLIC} [, {user|role|PUBLIC}]...;
DROP ROLE role;
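The following is an added example, not part of the original course material: the HR_CLERK / HR_MGR picture from the "Assigning Privileges to Roles" slide written out in SQL, using the statements from this and the previous slide. The users (jenny, david, rachel) and the HR sample schema follow the slides; which privilege goes to which role is an assumption consistent with the diagram.

```sql
-- Added example (not from the original slides). Assumptions: the HR
-- sample schema is installed and the users jenny, david and rachel exist.

CREATE ROLE hr_clerk;
CREATE ROLE hr_mgr;

-- Privileges are granted to roles, not to individual users
GRANT SELECT, INSERT, UPDATE ON hr.employees TO hr_clerk;
GRANT DELETE ON hr.employees TO hr_mgr;
GRANT CREATE JOB TO hr_mgr;          -- a system privilege, as pictured
-- Role hierarchy: a manager can do everything a clerk can
GRANT hr_clerk TO hr_mgr;

-- Users receive roles (and CONNECT so that they can log in)
GRANT CONNECT, hr_clerk TO jenny, david;
GRANT CONNECT TO rachel;
-- WITH ADMIN OPTION on a role lets rachel grant, revoke, alter and even
-- drop HR_MGR, so grant it sparingly
GRANT hr_mgr TO rachel WITH ADMIN OPTION;

-- Make HR_MGR non-default so that rachel must enable it explicitly
-- (SET ROLE hr_mgr;) when she needs manager privileges
ALTER USER rachel DEFAULT ROLE ALL EXCEPT hr_mgr;

-- Dynamic privilege management: a change to the role reaches every
-- grantee immediately, with no per-user work
REVOKE INSERT ON hr.employees FROM hr_clerk;

-- Taking a role away from one user, and retiring a role altogether
REVOKE hr_clerk FROM david;
DROP ROLE hr_mgr;       -- removed from every grantee in one step

-- Who holds which role, and whether it is enabled at login
SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role IN ('HR_CLERK', 'HR_MGR')
ORDER  BY granted_role, grantee;
```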
Information about roles can be obtained by querying the following views:
• DBA_ROLES: all roles in the database
• DBA_ROLE_PRIVS: roles granted to users and to other roles
• DBA_SYS_PRIVS: system privileges granted to users and roles
• ROLE_SYS_PRIVS: system privileges granted to the roles of the current user
• ROLE_TAB_PRIVS: object privileges granted to roles
• SESSION_ROLES: roles currently enabled for the user
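The following is an added example, not part of the original course material: queries over the views listed above that answer the questions a privilege review asks. They run as a user holding SELECT_CATALOG_ROLE or DBA; the role name HR_MGR is an assumption.

```sql
-- Added example (not from the original slides). HR_MGR is an assumed role.

-- 1. Who holds DBA, directly or through a chain of roles?
--    DBA_ROLE_PRIVS holds one row per grant (granted_role -> grantee).
--    Start from the grants of DBA, follow each grantee upward while it is
--    itself a role, and keep only the grantees that are users.
SELECT DISTINCT grantee AS username, LEVEL AS hops
FROM   dba_role_privs
WHERE  grantee IN (SELECT username FROM dba_users)
START  WITH granted_role = 'DBA'
CONNECT BY granted_role = PRIOR grantee
ORDER  BY hops, username;

-- 2. Everything one role confers: system privileges, object privileges
--    and nested roles (the nested roles need the same expansion)
SELECT 'SYS'  AS kind, privilege AS what,
       CAST(NULL AS VARCHAR2(30)) AS owner,
       CAST(NULL AS VARCHAR2(30)) AS object_name
FROM   dba_sys_privs  WHERE grantee = 'HR_MGR'
UNION ALL
SELECT 'OBJ', privilege, owner, table_name
FROM   dba_tab_privs  WHERE grantee = 'HR_MGR'
UNION ALL
SELECT 'ROLE', granted_role, NULL, NULL
FROM   dba_role_privs WHERE grantee = 'HR_MGR'
ORDER  BY kind, what;

-- 3. Grants that can be passed on: roles and system privileges held
--    WITH ADMIN OPTION by anyone other than SYS and SYSTEM
SELECT grantee, granted_role AS what, 'ROLE' AS kind
FROM   dba_role_privs
WHERE  admin_option = 'YES' AND grantee NOT IN ('SYS', 'SYSTEM')
UNION ALL
SELECT grantee, privilege, 'SYSPRIV'
FROM   dba_sys_privs
WHERE  admin_option = 'YES' AND grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY grantee, what;

-- 4. What the current session has actually enabled right now
SELECT role FROM session_roles;
```

Query 1 is the one to run first: a user who holds a harmless-looking custom role that itself contains DBA is a DBA, and only the hierarchical walk makes that visible.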
Quiz
All passwords created in Oracle Database 11g are not case-
sensitive by default.
1. True
2. False
Quiz
A database role:
1. Can be enabled or disabled
2. Can consist of system and object privileges
3. Is owned by its creator
4. Cannot be protected by a password
Profiles and Users
Users are assigned only one profile at a time.
Profiles:
• Control resource consumption
• Manage account status and password expiration
Note: RESOURCE_LIMIT must be set to TRUE before profiles can impose
resource limitations.
Implementing Password
Security Features
Password security features are set up through profiles and applied to each user:
• Account locking
• Password aging and expiration
• Password history
• Password complexity verification
Note: Do not use profiles that cause the SYS, SYSMAN, and DBSNMP
passwords to expire and the accounts to be locked.
Creating a Password Profile
Supplied Password Verification Function: VERIFY_FUNCTION_11G
The VERIFY_FUNCTION_11G function (created in the SYS schema by the
utlpwdmg.sql script) ensures that the password is:
• At least eight characters
• Different from the username, the username with a number appended, or
the username reversed
• Different from the database name or the database name with a number
appended
• A string with at least one alphabetic and one numeric character
• Different from the previous password by at least three characters
Tip: Use this function as a template to create your own customized
password verification.
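The following is an added example, not part of the original course material: a profile that combines the password features from the previous slides with resource limits, the supplied 11g verification function, a custom function that extends it as the tip suggests, and the assignment of the profile to a user. The profile name, the function name and the user jenny are assumptions; the limits are illustrative values.

```sql
-- Added example (not from the original slides). Run as SYS: the
-- verification function must be owned by SYS. Names and limits are
-- assumptions.

-- 1. Install Oracle's template function (creates VERIFY_FUNCTION_11G).
--    The script also alters the DEFAULT profile, so read it first.
@?/rdbms/admin/utlpwdmg.sql

-- 2. A profile for ordinary application users
CREATE PROFILE app_users_profile LIMIT
  -- password security (always enforced)
  FAILED_LOGIN_ATTEMPTS    5              -- lock after 5 wrong passwords
  PASSWORD_LOCK_TIME       1/24           -- ... for one hour (fraction of a day)
  PASSWORD_LIFE_TIME       90             -- expire after 90 days
  PASSWORD_GRACE_TIME      7              -- warnings for 7 days after expiry
  PASSWORD_REUSE_TIME      365            -- no reuse within a year ...
  PASSWORD_REUSE_MAX       10             -- ... nor before 10 other passwords
  PASSWORD_VERIFY_FUNCTION verify_function_11g
  -- resource limits (enforced only when RESOURCE_LIMIT = TRUE)
  SESSIONS_PER_USER        3
  IDLE_TIME                30             -- minutes
  CONNECT_TIME             480;           -- minutes

-- 3. Turn on resource limits; password limits apply regardless
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- 4. A custom verification function that keeps the 11g checks and adds a
--    12-character minimum and a required punctuation character. The
--    signature (username, password, old_password) RETURN BOOLEAN is fixed.
CREATE OR REPLACE FUNCTION verify_corp_pwd (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2)
RETURN BOOLEAN IS
BEGIN
  -- the supplied checks raise an error themselves when they fail
  IF NOT verify_function_11g(username, password, old_password) THEN
    RETURN FALSE;
  END IF;
  IF LENGTH(password) < 12 THEN
    RAISE_APPLICATION_ERROR(-20010, 'Password must be at least 12 characters');
  END IF;
  IF NOT REGEXP_LIKE(password, '[[:punct:]]') THEN
    RAISE_APPLICATION_ERROR(-20011, 'Password must contain a special character');
  END IF;
  RETURN TRUE;
END verify_corp_pwd;
/
ALTER PROFILE app_users_profile LIMIT PASSWORD_VERIFY_FUNCTION verify_corp_pwd;

-- 5. Assign the profile; accounts keep DEFAULT until altered
ALTER USER jenny PROFILE app_users_profile;

-- 6. Confirm the administrative accounts are not on an expiring profile
SELECT username, profile
FROM   dba_users
WHERE  username IN ('SYS', 'SYSMAN', 'DBSNMP');
```

The verification function runs only when a password is set or changed, so existing passwords are not re-checked; PASSWORD_LIFE_TIME is what eventually brings every account through the new rules.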
Assigning Quotas to Users
Users who do not have the UNLIMITED TABLESPACE system
privilege must be given a quota before they can create objects
in a tablespace.
Quotas can be:
• A specific value in megabytes or kilobytes
• Unlimited
Applying the Principle of Least Privilege
• Protect the data dictionary: O7_DICTIONARY_ACCESSIBILITY=FALSE (the default), so that ANY privileges such as SELECT ANY TABLE do not reach SYS-owned objects.
• Revoke unnecessary privileges from PUBLIC: anything granted to PUBLIC is held by every account in the database.
• Use access control lists (ACL) to control network access from PL/SQL packages such as UTL_TCP, UTL_HTTP and UTL_SMTP.
• Restrict the directories accessible by users (directory objects and UTL_FILE_DIR).
• Limit the number of users with administrative privileges.
• Restrict remote database authentication: REMOTE_OS_AUTHENT=FALSE (the default), so that an OS user name asserted by a remote client is never trusted.
Protect Privileged Accounts
Privileged (SYSDBA, SYSOPER, SYSASM) accounts can be protected by:
• Using a password file with case-sensitive passwords (orapwd ... ignorecase=n, the 11g default)
• Enabling strong authentication (for example Kerberos or SSL) for administrator roles
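The following is an added example, not part of the original course material: the checks and corrective statements behind the two slides above, run as SYSDBA. The packages revoked from PUBLIC, the account NOTIFIER, and the ACL file and host names are assumptions chosen for illustration.

```sql
-- Added example (not from the original slides). Run as SYSDBA. NOTIFIER,
-- the ACL name and the host are assumptions.

-- 1. Parameters: dictionary protection, no remote OS authentication,
--    case-sensitive passwords, and whether a password file is in use
SELECT name, value
FROM   v$parameter
WHERE  name IN ('o7_dictionary_accessibility', 'remote_os_authent',
                'sec_case_sensitive_logon', 'remote_login_passwordfile');

-- The first two are static and take effect at the next restart
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET sec_case_sensitive_logon = TRUE SCOPE = BOTH;

-- 2. Privileges granted to PUBLIC are held by every account. Review the
--    network and file packages, revoke, and re-grant only where needed.
SELECT table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP',
                      'UTL_INADDR', 'DBMS_LDAP', 'HTTPURITYPE');

REVOKE EXECUTE ON utl_tcp  FROM PUBLIC;
REVOKE EXECUTE ON utl_smtp FROM PUBLIC;
GRANT  EXECUTE ON utl_smtp TO notifier;    -- the one account that sends mail

-- 3. Network ACL (11g): even with EXECUTE on the package, an outbound
--    connection fails unless an ACL grants 'connect' to the principal
--    for that host and port.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'app_outbound.xml',
    description => 'Outbound SMTP for the notifier account only',
    principal   => 'NOTIFIER',
    is_grant    => TRUE,
    privilege   => 'connect');
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl         => 'app_outbound.xml',
    host        => 'smtp.example.com',
    lower_port  => 25,
    upper_port  => 25);
END;
/
COMMIT;

-- 4. Who can connect AS SYSDBA / SYSOPER / SYSASM through the password
--    file? Every name here is an administrator and should be accounted for.
SELECT username, sysdba, sysoper, sysasm
FROM   v$pwfile_users;
```

Revoking from PUBLIC can break packaged applications that relied on the implicit grant, so run the SELECT in step 2 first and re-grant to the specific owners that need each package before the revoke reaches production.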
Quiz
Applying the principle of least privilege is not enough to harden
the Oracle database.
1. True
2. False
Quiz
With RESOURCE_LIMIT set at its default value of FALSE,
profile password limitations are ignored.
1. True
2. False
Summary
In this lesson, you should have learned how to:
• Create and manage database user accounts:
– Authenticate users
– Assign default storage areas (tablespaces)
• Grant and revoke privileges
• Create and manage roles
• Create and manage profiles:
– Implement standard password security features
– Control resource usage by users
Administering Users
This practice covers the following topics:
• Creating a profile to limit resource consumption
• Creating two roles:
– HRCLERK
– HRMANAGER
• Creating four new users:
– One manager and two clerks
– One schema user for the next practice session