17 Copyright © Oracle Corporation, 2001. All rights reserved. Managing Roles.
Objectives
After completing this lesson, you should be able to do the following:
• Create and modify roles
• Control availability of roles
• Remove roles
• Use predefined roles
• Display role information from the data dictionary
Roles
[Figure: users A, B and C; roles HR_MGR and HR_CLERK; privileges SELECT ON JOBS, INSERT ON JOBS, UPDATE ON JOBS, CREATE TABLE, CREATE SESSION]
Benefits of Roles
• Easier privilege management
• Dynamic privilege management
• Selective availability of privileges
• Can be granted through the operating system
Creating Roles
Roles with ADMIN option:
• Not identified:
CREATE ROLE oe_clerk;
• By password:
CREATE ROLE hr_clerk IDENTIFIED BY bonus;
• Identified externally:
CREATE ROLE hr_manager IDENTIFIED EXTERNALLY;
Predefined Roles
| Role Name | Description |
| --- | --- |
| CONNECT, RESOURCE, DBA | These roles are provided for backward compatibility |
| EXP_FULL_DATABASE | Privileges to export the database |
| IMP_FULL_DATABASE | Privileges to import the database |
| DELETE_CATALOG_ROLE | DELETE privileges on data dictionary tables |
| EXECUTE_CATALOG_ROLE | EXECUTE privilege on data dictionary packages |
| SELECT_CATALOG_ROLE | SELECT privilege on data dictionary tables |
Modifying Roles
• Use ALTER ROLE to modify the authentication method.
• Requires the ADMIN option or ALTER ANY ROLE privilege.
ALTER ROLE oe_clerk IDENTIFIED BY order;
ALTER ROLE hr_clerk IDENTIFIED EXTERNALLY;
ALTER ROLE hr_manager NOT IDENTIFIED;
Assigning Roles
Use the GRANT command to assign a role:
GRANT oe_clerk TO scott;
GRANT hr_clerk TO hr_manager;
GRANT hr_manager TO scott WITH ADMIN OPTION;
Establishing Default Roles
ALTER USER scott DEFAULT ROLE hr_clerk, oe_clerk;
ALTER USER scott DEFAULT ROLE ALL;
ALTER USER scott DEFAULT ROLE ALL EXCEPT hr_clerk;
ALTER USER scott DEFAULT ROLE NONE;
• A user can be assigned many roles.
• A user can be assigned a default role.
• Limit the number of default roles for a user.
Application Roles
• Application roles can be enabled only by authorized PL/SQL packages.
• The USING package clause creates an application role.
CREATE ROLE admin_role IDENTIFIED USING hr.employee;
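An added example, not part of the original slides, of what the authorizing package for such a role can look like. The role and package names come from the slide; the procedure name enable_admin_role, the subnet check and the grants to scott are assumptions made for illustration.

```sql
-- Added example (SQL*Plus script). admin_role and hr.employee are the slide's
-- names; enable_admin_role and the 192.0.2.0/24 check are hypothetical.
CREATE ROLE admin_role IDENTIFIED USING hr.employee;

-- The package must run with invoker's rights so that it can change the
-- roles of the calling session through DBMS_SESSION.SET_ROLE.
CREATE OR REPLACE PACKAGE hr.employee AUTHID CURRENT_USER AS
  PROCEDURE enable_admin_role;
END employee;
/

CREATE OR REPLACE PACKAGE BODY hr.employee AS
  PROCEDURE enable_admin_role IS
    -- NULL for local (non-network) connections, which then fail the check
    v_ip VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  BEGIN
    -- Policy check before the role is enabled: only sessions coming from
    -- the placeholder subnet 192.0.2.0/24 may obtain admin_role.
    IF v_ip LIKE '192.0.2.%' THEN
      DBMS_SESSION.SET_ROLE('admin_role');
    ELSE
      RAISE_APPLICATION_ERROR(-20001,
        'admin_role is not available from this connection');
    END IF;
  END enable_admin_role;
END employee;
/

-- Grant the role, keep it out of the default set, and let scott call
-- the package that decides whether the role may be enabled.
GRANT admin_role TO scott;
ALTER USER scott DEFAULT ROLE ALL EXCEPT admin_role;
GRANT EXECUTE ON hr.employee TO scott;

-- In scott's session: a plain SET ROLE admin_role is rejected; the role
-- becomes active only through the package.
EXECUTE hr.employee.enable_admin_role;
SELECT role FROM session_roles;
```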
Enabling and Disabling Roles
• Disable a role to revoke the role from a user temporarily.
• Enable a role to grant it temporarily.
• The SET ROLE command enables and disables roles.
• Default roles are enabled for a user at login.
• A password may be required to enable a role.
Enabling and Disabling Roles
SET ROLE hr_clerk;
SET ROLE oe_clerk IDENTIFIED BY order;
SET ROLE ALL EXCEPT oe_clerk;
Revoking Roles from Users
• Revoking roles from users requires the ADMIN OPTION or GRANT ANY ROLE privilege.
• To revoke a role:
REVOKE oe_clerk FROM scott;
REVOKE hr_manager FROM PUBLIC;
Removing Roles
• Dropping a role:
– Removes it from all users and roles it was granted to
– Removes it from the database
• Requires the ADMIN OPTION or DROP ANY ROLE privilege
• To drop a role:
DROP ROLE hr_manager;
Guidelines for Creating Roles
[Figure: users; user roles HR_MANAGER, HR_CLERK and PAY_CLERK; application roles BENEFITS and PAYROLL; application privileges: payroll privileges and benefits privileges]
Guidelines for Using Passwords and Default Roles
[Figure: roles PAY_CLERK and PAY_CLERK_RO; labels: "Default role" with select privileges, and "Password protected (not default)" with INSERT, UPDATE, DELETE, and SELECT privileges]
Obtaining Role Information
Information about roles can be obtained by querying the following views:
• DBA_ROLES: All roles that exist in the database
• DBA_ROLE_PRIVS: Roles granted to users and roles
• ROLE_ROL_PRIVS: Roles that are granted to roles
• DBA_SYS_PRIVS: System privileges granted to users and roles
• ROLE_SYS_PRIVS: System privileges granted to roles
• ROLE_TAB_PRIVS: Object privileges granted to roles
• SESSION_ROLES: Roles that the user currently has enabled
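An added example, not part of the original slides, that uses these views to review role grants. SCOTT is the sample user from the slides; the list of excluded grantees in the last query is an assumption to adapt per database.

```sql
-- Added example: review queries over the role views listed above.
-- Run as a user who can read the DBA_ views.

-- 1. Every role SCOTT holds, directly or through another role
--    (for example hr_clerk reached via hr_manager), as an indented tree.
SELECT LPAD(' ', 2 * (LEVEL - 1)) || granted_role AS role_tree,
       admin_option
FROM   dba_role_privs
START WITH grantee = 'SCOTT'
CONNECT BY PRIOR granted_role = grantee;

-- 2. System privileges SCOTT can reach, granted directly or through
--    any role in that tree.
SELECT DISTINCT sp.grantee AS granted_via, sp.privilege, sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.grantee = 'SCOTT'
   OR  sp.grantee IN (SELECT granted_role
                      FROM   dba_role_privs
                      START WITH grantee = 'SCOTT'
                      CONNECT BY PRIOR granted_role = grantee)
ORDER  BY granted_via, sp.privilege;

-- 3. Users for whom a password-protected role is also a default role,
--    which goes against the "password protected (not default)" guideline.
SELECT rp.grantee, rp.granted_role
FROM   dba_role_privs rp
JOIN   dba_roles r ON r.role = rp.granted_role
WHERE  r.password_required = 'YES'
AND    rp.default_role = 'YES'
AND    rp.grantee IN (SELECT username FROM dba_users);

-- 4. Role grants that spread further than intended: roles granted to
--    PUBLIC, and ADMIN OPTION held outside the administrative accounts
--    (the excluded names are an assumption).
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'PUBLIC'
   OR  (admin_option = 'YES'
        AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA'))
ORDER  BY grantee, granted_role;
```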
Summary
In this lesson, you should have learned how to:
• Create roles
• Assign privileges to roles
• Assign roles to users or roles
• Establish default roles
Practice 17 Overview
This practice covers the following topics:
• Listing system privileges for a role
• Creating, assigning, and dropping roles
• Creating application roles