IST 318 Database Administration Lecture 10 Managing Roles.

Page 2: Roles

[Diagram with three layers: Users (A, B, C), Roles (HR_CLERK, HR_MGR) and Privileges (SELECT ON JOBS, INSERT ON JOBS, UPDATE ON JOBS, CREATE TABLE, CREATE SESSION)]

Page 3: Benefits of Roles

• Easier privilege management
• Dynamic privilege management
• Selective availability of privileges
• Can be granted through the operating system

Page 4: Creating Roles

Roles with ADMIN option:

• Not identified:

CREATE ROLE oe_clerk;

• By password:

CREATE ROLE hr_clerk IDENTIFIED BY bonus;

• Identified externally:

CREATE ROLE hr_manager IDENTIFIED EXTERNALLY;

Page 5: Predefined Roles

Role Name                 Description
CONNECT, RESOURCE, DBA    These roles are provided for backward compatibility
EXP_FULL_DATABASE         Privileges to export the database
IMP_FULL_DATABASE         Privileges to import the database
DELETE_CATALOG_ROLE       DELETE privileges on data dictionary tables
EXECUTE_CATALOG_ROLE      EXECUTE privilege on data dictionary packages
SELECT_CATALOG_ROLE       SELECT privilege on data dictionary tables

Page 6: Modifying Roles

• Use ALTER ROLE to modify the authentication method.
• Requires the ADMIN option or ALTER ANY ROLE privilege.

ALTER ROLE hr_clerk IDENTIFIED EXTERNALLY;

ALTER ROLE hr_manager NOT IDENTIFIED;

ALTER ROLE oe_clerk IDENTIFIED BY order;

Page 7: Assigning Roles

Use the GRANT command to assign a role.

GRANT hr_clerk TO hr_manager;

GRANT oe_clerk TO scott;

GRANT hr_manager TO scott WITH ADMIN OPTION;

Page 8: Establishing Default Roles

• A user can be assigned many roles.
• A user can be assigned a default role.
• Limit the number of default roles for a user.

ALTER USER scott DEFAULT ROLE hr_clerk, oe_clerk;

ALTER USER scott DEFAULT ROLE ALL;

ALTER USER scott DEFAULT ROLE ALL EXCEPT hr_clerk;

ALTER USER scott DEFAULT ROLE NONE;

Page 9: Application Roles

• Application roles can be enabled only by authorized PL/SQL packages.
• The USING package clause creates an application role.

CREATE ROLE admin_role IDENTIFIED USING hr.employee;

Page 10: Enabling and Disabling Roles

• Disable a role to revoke the role from a user temporarily.
• Enable a role to grant it temporarily.
• The SET ROLE command enables and disables roles.
• Default roles are enabled for a user at login.
• A password may be required to enable a role.

Page 11: Enabling and Disabling Roles

SET ROLE hr_clerk;

SET ROLE oe_clerk IDENTIFIED BY order;

SET ROLE ALL EXCEPT oe_clerk;

Page 12: Revoking Roles from Users

• Revoking roles from users requires the ADMIN OPTION or GRANT ANY ROLE privilege.
• To revoke a role:

REVOKE oe_clerk FROM scott;

REVOKE hr_manager FROM PUBLIC;

Page 13: Removing Roles

• Dropping a role:
  - Removes it from all users and roles it was granted
  - Removes it from the database
• Requires the ADMIN OPTION or DROP ANY ROLE privilege
• To drop a role:

DROP ROLE hr_manager;

Page 14: Guidelines for Creating Roles

[Diagram with layers: Users; User roles (HR_MANAGER, HR_CLERK, PAY_CLERK); Application roles (BENEFITS, PAYROLL); Application privileges (Payroll privileges, Benefits privileges)]

Page 15: Guidelines for Using Passwords and Default Roles

[Diagram: roles PAY_CLERK and PAY_CLERK_RO, with the labels "Default role", "Password protected (not default)", "Select privileges" and "INSERT, UPDATE, DELETE, and SELECT privileges"]

Page 16: Look at Database through the DBA Views

Three Data Dictionary Views

• USER_
• ALL_
• DBA_

Commonly used DBA_ views

• DBA_OBJECTS
• DBA_TABLESPACES, DBA_TABLES
• DBA_DATA_FILES, DBA_TEMP_FILES
• DBA_CONSTRAINTS
• DBA_USERS, DBA_ROLES
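
The password and default-role guideline from Page 15, followed by a dictionary audit in the spirit of Page 16, as an added example that is not part of the lecture slides. It assumes PAY_CLERK_RO is the default read-only role and PAY_CLERK the password-protected one; the table hr.jobs, the user scott and the password are constructed placeholders, and DBA_ROLE_PRIVS is a standard Oracle dictionary view that the slides do not list.

```sql
-- Added example (Oracle SQL), not from the lecture. Constructed names:
-- table hr.jobs, existing user scott, placeholder password.
-- Steps 1, 2, 4 and 5 are run by a DBA; step 3 is run in scott's session.

-- 1. Read-only role without a password; read/write role behind a password.
CREATE ROLE pay_clerk_ro;
CREATE ROLE pay_clerk IDENTIFIED BY "Placeholder_pw_1";

GRANT SELECT ON hr.jobs TO pay_clerk_ro;
GRANT SELECT, INSERT, UPDATE, DELETE ON hr.jobs TO pay_clerk;

-- 2. Grant both roles, but keep the password-protected one out of the
--    defaults so it is only active after an explicit SET ROLE.
GRANT pay_clerk_ro, pay_clerk TO scott;
ALTER USER scott DEFAULT ROLE ALL EXCEPT pay_clerk;

-- 3. In scott's session: SET ROLE replaces the whole set of enabled roles,
--    so list every role that must stay enabled, not only the new one.
SET ROLE pay_clerk IDENTIFIED BY "Placeholder_pw_1", pay_clerk_ro;
SELECT role FROM session_roles;

-- 4. Audit: password-protected roles that are still marked as a default
--    role for some grantee, which contradicts the guideline above.
SELECT rp.grantee, rp.granted_role
FROM   dba_role_privs rp
JOIN   dba_roles r ON r.role = rp.granted_role
WHERE  r.password_required = 'YES'
AND    rp.default_role = 'YES'
ORDER  BY rp.grantee, rp.granted_role;

-- 5. Audit: roles granted to PUBLIC, or granted WITH ADMIN OPTION to
--    anyone other than the built-in SYS and SYSTEM accounts.
SELECT grantee, granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'PUBLIC'
OR     (admin_option = 'YES' AND grantee NOT IN ('SYS', 'SYSTEM'))
ORDER  BY granted_role, grantee;
```

An empty result from query 4 means no password-protected role is configured as a default; each row from query 5 is a grant to review against the ADMIN OPTION and PUBLIC usage shown on Pages 7 and 12.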