IST 318 Database Administration Lecture 10 Managing Roles.
annabelle-bradley -
IST 318 Database Administration
Lecture 10
Managing Roles

Roles
[Diagram: users A, B, C; roles HR_MGR and HR_CLERK; privileges SELECT ON JOBS, INSERT ON JOBS, UPDATE ON JOBS, CREATE TABLE, CREATE SESSION]

Benefits of Roles
• Easier privilege management
• Dynamic privilege management
• Selective availability of privileges
• Can be granted through the operating system

Creating Roles
Roles with ADMIN option:
• Not identified:
CREATE ROLE oe_clerk;
• By password:
CREATE ROLE hr_clerk IDENTIFIED BY bonus;
• Identified externally:
CREATE ROLE hr_manager IDENTIFIED EXTERNALLY;

Predefined Roles

| Role Name | Description |
|---|---|
| CONNECT, RESOURCE, DBA | These roles are provided for backward compatibility |
| EXP_FULL_DATABASE | Privileges to export the database |
| IMP_FULL_DATABASE | Privileges to import the database |
| DELETE_CATALOG_ROLE | DELETE privileges on data dictionary tables |
| EXECUTE_CATALOG_ROLE | EXECUTE privilege on data dictionary packages |
| SELECT_CATALOG_ROLE | SELECT privilege on data dictionary tables |

Modifying Roles
• Use ALTER ROLE to modify the authentication method.
• Requires the ADMIN option or ALTER ANY ROLE privilege.
ALTER ROLE hr_clerk IDENTIFIED EXTERNALLY;
ALTER ROLE hr_manager NOT IDENTIFIED;
ALTER ROLE oe_clerk IDENTIFIED BY order;

Assigning Roles
Use the GRANT command to assign a role:
GRANT hr_clerk TO hr_manager;
GRANT oe_clerk TO scott;
GRANT hr_manager TO scott WITH ADMIN OPTION;

Establishing Default Roles
• A user can be assigned many roles.
• A user can be assigned a default role.
• Limit the number of default roles for a user.
ALTER USER scott DEFAULT ROLE hr_clerk, oe_clerk;
ALTER USER scott DEFAULT ROLE ALL;
ALTER USER scott DEFAULT ROLE ALL EXCEPT hr_clerk;
ALTER USER scott DEFAULT ROLE NONE;

Application Roles
• Application roles can be enabled only by authorized PL/SQL packages.
• The USING package clause creates an application role.
CREATE ROLE admin_role IDENTIFIED USING hr.employee;

Enabling and Disabling Roles
• Disable a role to revoke the role from a user temporarily.
• Enable a role to grant it temporarily.
• The SET ROLE command enables and disables roles.
• Default roles are enabled for a user at login.
• A password may be required to enable a role.

Enabling and Disabling Roles
SET ROLE hr_clerk;
SET ROLE oe_clerk IDENTIFIED BY order;
SET ROLE ALL EXCEPT oe_clerk;

Revoking Roles from Users
• Revoking roles from users requires the ADMIN OPTION or GRANT ANY ROLE privilege.
• To revoke a role:
REVOKE oe_clerk FROM scott;
REVOKE hr_manager FROM PUBLIC;

Removing Roles
• Dropping a role:
  • Removes it from all users and roles it was granted to
  • Removes it from the database
• Requires the ADMIN OPTION or DROP ANY ROLE privilege
• To drop a role:
DROP ROLE hr_manager;

Guidelines for Creating Roles
[Diagram, four layers: Users; User roles (HR_CLERK, HR_MANAGER, PAY_CLERK); Application roles (BENEFITS, PAYROLL); Application privileges (Benefits privileges, Payroll privileges)]

Guidelines for Using Passwords and Default Roles
[Diagram: roles PAY_CLERK and PAY_CLERK_RO; labels "Default role" and "Password protected (not default)"; privilege sets "Select privileges" and "INSERT, UPDATE, DELETE, and SELECT privileges"]
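
The password and default-role guideline written out as Oracle SQL. This is an added example, not part of the original lecture. The table hr.payroll, the user alice and the password placeholder are assumptions, and it reads the slide as PAY_CLERK_RO being the SELECT-only default role and PAY_CLERK the password-protected read-write role.

```sql
-- Added example; hr.payroll, alice and "<role-password>" are hypothetical.

-- Read-only role: no password, intended to be enabled at login.
CREATE ROLE pay_clerk_ro;
GRANT SELECT ON hr.payroll TO pay_clerk_ro;

-- Read-write role: password protected, so it has to be enabled explicitly.
CREATE ROLE pay_clerk IDENTIFIED BY "<role-password>";
GRANT SELECT, INSERT, UPDATE, DELETE ON hr.payroll TO pay_clerk;

-- Give the user both roles, but make only the read-only one a default role.
GRANT CREATE SESSION TO alice;
GRANT pay_clerk_ro, pay_clerk TO alice;
ALTER USER alice DEFAULT ROLE pay_clerk_ro;

-- In alice's session: after login only pay_clerk_ro is enabled.
SELECT role FROM session_roles;

-- Enable write access for the task at hand. SET ROLE enables the roles it
-- names and disables every other role in the session, so pay_clerk_ro is
-- switched off here; pay_clerk carries SELECT itself for that reason.
SET ROLE pay_clerk IDENTIFIED BY "<role-password>";
SELECT role FROM session_roles;

-- Drop back to read-only access when the task is done.
SET ROLE pay_clerk_ro;
```

Because the write privileges sit behind a role that is not enabled at login, a session that only connects and queries never holds INSERT, UPDATE or DELETE on the table.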

Look at Database through the DBA Views
Three Data Dictionary Views:
• USER_
• ALL_
• DBA_
Commonly used DBA_ views:
• DBA_OBJECTS
• DBA_TABLESPACES, DBA_TABLES
• DBA_DATA_FILES, DBA_TEMP_FILES
• DBA_CONSTRAINTS
• DBA_USERS, DBA_ROLES
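
A role review run against the data dictionary, tying the DBA_ views back to the role options covered earlier (ADMIN option, default roles, password protection, grants to PUBLIC). This is an added example, not part of the original lecture; DBA_ROLE_PRIVS is a standard dictionary view that the slide does not list, and the queries assume an account that can read the DBA_ views.

```sql
-- Added example: audit role grants through the DBA_ views.

-- 1. Grantees holding a role WITH ADMIN OPTION. They can grant, revoke,
--    alter or drop that role, so this list should be short.
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  admin_option = 'YES'
ORDER  BY granted_role, grantee;

-- 2. Roles granted to PUBLIC, which every user receives.
SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = 'PUBLIC';

-- 3. Per user: each directly granted role, whether it is enabled at login
--    (DEFAULT_ROLE) and how the role is authenticated (PASSWORD_REQUIRED).
SELECT rp.grantee,
       rp.granted_role,
       rp.default_role,
       r.password_required
FROM   dba_role_privs rp
JOIN   dba_roles r ON r.role     = rp.granted_role
JOIN   dba_users u ON u.username = rp.grantee
ORDER  BY rp.grantee, rp.granted_role;

-- 4. Roles reached indirectly: start from each user's direct grants and
--    follow role-to-role grants (for example hr_clerk granted to hr_manager).
SELECT DISTINCT CONNECT_BY_ROOT grantee AS username,
       granted_role
FROM   dba_role_privs
START  WITH grantee IN (SELECT username FROM dba_users)
CONNECT BY PRIOR granted_role = grantee
ORDER  BY username, granted_role;
```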