Class 18: Privileges (modified)
Managing Privileges
Objectives
After completing this lesson, you should be able to do the following:
• Identify system and object privileges
• Grant and revoke privileges
• Control operating system or password file authentication
• Identify auditing capabilities
Managing Privileges
Two types of privileges:
• System: Enables users to perform particular actions in the database
• Object: Enables users to access and manipulate a specific object
System Privileges
• There are about 126 system privileges.
• The ANY keyword in the privileges signifies that users have the privilege in every schema.
• The GRANT command adds a privilege to a user or a group of users.
• The REVOKE command deletes the privileges.
System Privileges: Examples
Category     Examples
INDEX        CREATE ANY INDEX, ALTER ANY INDEX, DROP ANY INDEX
TABLE        CREATE TABLE, CREATE ANY TABLE, ALTER ANY TABLE, DROP ANY TABLE, SELECT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE
SESSION      CREATE SESSION, ALTER SESSION, RESTRICTED SESSION
TABLESPACE   CREATE TABLESPACE, ALTER TABLESPACE, DROP TABLESPACE, UNLIMITED TABLESPACE
Granting System Privileges
GRANT CREATE SESSION, CREATE TABLE TO managers;
GRANT CREATE SESSION TO scott WITH ADMIN OPTION;
SYSDBA and SYSOPER Privileges
Category   Examples
SYSOPER    STARTUP, SHUTDOWN, ALTER DATABASE OPEN | MOUNT, ALTER DATABASE BACKUP CONTROLFILE, ALTER TABLESPACE BEGIN/END BACKUP, RECOVER DATABASE, ALTER DATABASE ARCHIVELOG, RESTRICTED SESSION
SYSDBA     SYSOPER privileges WITH ADMIN OPTION, CREATE DATABASE, RECOVER DATABASE UNTIL
Password File Authentication
1. Check that the password file has been created; if not, create it using ORAPWD.
2. Check that the initialization parameter REMOTE_LOGIN_PASSWORD_FILE has been set to EXCLUSIVE.
3. Grant SYSOPER and SYSDBA privileges to users.
4. Query V$PWFILE_USERS to verify the password file members.
Displaying System Privileges
Database level: DBA_SYS_PRIVS (GRANTEE, PRIVILEGE, ADMIN_OPTION)
Session level: SESSION_PRIVS (PRIVILEGE)
System Privilege Restrictions
O7_DICTIONARY_ACCESSIBILITY = TRUE
• Reverts to Oracle7 behavior
• Removes the restrictions on system privileges with the ANY keyword
• Defaults to TRUE
Revoking System Privileges
REVOKE CREATE TABLE FROM karen;
REVOKE CREATE SESSION FROM scott;
(Diagram: the privileges are removed from KAREN and SCOTT.)
Revoking System Privileges Using WITH ADMIN OPTION
(Diagram: the DBA grants a system privilege to KAREN WITH ADMIN OPTION, KAREN grants it to SCOTT, and the DBA then revokes it from KAREN. Result: only KAREN loses the privilege; SCOTT keeps it, because revoking a system privilege does not cascade.)
Object Privileges
Object privilege   Applies to
ALTER              Table, Sequence
DELETE             Table, View
EXECUTE            Procedure
INDEX              Table
INSERT             Table, View
REFERENCES         Table
SELECT             Table, View, Sequence
UPDATE             Table, View
Granting Object Privileges
GRANT EXECUTE ON dbms_pipe TO public;
GRANT UPDATE(first_name, salary) ON employee TO karen WITH GRANT OPTION;
Displaying Object Privileges
DBA_TAB_PRIVS: GRANTEE, OWNER, TABLE_NAME, GRANTOR, PRIVILEGE, GRANTABLE
DBA_COL_PRIVS: GRANTEE, OWNER, TABLE_NAME, COLUMN_NAME, GRANTOR, PRIVILEGE, GRANTABLE
Revoking Object Privileges
REVOKE execute ON dbms_pipe FROM scott;
Revoking Object Privileges Using WITH GRANT OPTION
(Diagram: SCOTT grants an object privilege to USER 1 WITH GRANT OPTION, USER 1 grants it to USER 2, and SCOTT then revokes it from USER 1. Result: both USER 1 and USER 2 lose the privilege, because revoking an object privilege cascades.)
Auditing Guidelines
• Define your purpose of auditing
– Suspicious database activity
– Gather historical information
• Define what you want to audit
– Audit users, statements, or objects
– By session
– Successful or unsuccessful
• Manage your audit trail
– Monitor the growth of the audit trail
– Protect the audit trail from unauthorized access
Auditing Categories
• Auditing privileged operations
– Always audited
– Startup, shutdown, and SYSDBA connections
• Database auditing
– Enabled by DBA
– Cannot record column values
• Value-based or application auditing
– Implemented through code
– Can record column values
– Used to track changes to tables
Database Auditing
(Diagram of the auditing flow: the DBA enables database auditing in the parameter file and specifies audit options; a user executes a command; the server process generates the audit trail, written either to the database audit trail or to the OS audit trail; the DBA then reviews the audit information.)
Enabling Auditing Options
• Statement auditing: AUDIT user;
• Privilege auditing: AUDIT select any table BY summit BY ACCESS;
• Schema object auditing: AUDIT LOCK ON summit.employee BY ACCESS WHENEVER SUCCESSFUL;
Viewing Auditing Options
Data Dictionary View    Description
ALL_DEF_AUDIT_OPTS      Default audit options
DBA_STMT_AUDIT_OPTS     Statement auditing options
DBA_PRIV_AUDIT_OPTS     Privilege auditing options
DBA_OBJ_AUDIT_OPTS      Schema object auditing options
Viewing Auditing Results
Audit Trail View      Description
DBA_AUDIT_TRAIL       All audit trail entries
DBA_AUDIT_EXISTS      Records for AUDIT EXISTS/NOT EXISTS
DBA_AUDIT_OBJECT      Records concerning schema objects
DBA_AUDIT_SESSION     All connect and disconnect entries
DBA_AUDIT_STATEMENT   Statement auditing records
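The following review script is an added example, not part of the course slides. It ties together the privilege views (DBA_SYS_PRIVS, DBA_TAB_PRIVS, DBA_COL_PRIVS, V$PWFILE_USERS) and the audit views (DBA_PRIV_AUDIT_OPTS, DBA_AUDIT_TRAIL) covered above, and assumes a DBA session on an Oracle database that uses the traditional audit trail described in this lesson.

```sql
-- Added review script (not from the course slides). Assumes a DBA session
-- against an Oracle database using the traditional audit trail.

-- 1. System privileges that reach every schema (ANY) or that the grantee
--    can pass on (ADMIN OPTION). Each of these should have a known owner.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE '%ANY%'
    OR admin_option = 'YES'
 ORDER BY grantee, privilege;

-- 2. Object and column privileges granted to PUBLIC or WITH GRANT OPTION.
--    Revoking one of these cascades to everyone the grantee passed it to.
SELECT grantee, owner, table_name AS object_name, privilege, grantor, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' OR grantable = 'YES'
UNION ALL
SELECT grantee, owner, table_name || '.' || column_name, privilege, grantor, grantable
  FROM dba_col_privs
 WHERE grantee = 'PUBLIC' OR grantable = 'YES'
 ORDER BY 1, 2, 3;

-- 3. Accounts that can authenticate as SYSDBA or SYSOPER via the password file
--    (step 4 of the password file authentication procedure).
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- 4. Check whether use of the ANY privileges found in step 1 is audited at all.
SELECT privilege, user_name, success, failure
  FROM dba_priv_audit_opts
 WHERE privilege LIKE '%ANY%';

-- 5. Who exercised an ANY privilege in the last 7 days, and did it succeed?
--    RETURNCODE 0 means the statement succeeded; otherwise it is the ORA error number.
SELECT username, os_username, terminal, timestamp, action_name,
       owner, obj_name, priv_used, returncode
  FROM dba_audit_trail
 WHERE priv_used LIKE '%ANY%'
   AND timestamp > SYSDATE - 7
 ORDER BY timestamp;
```

Step 5 only returns rows for privileges that step 4 shows as audited; an empty result from step 4 for a privilege listed in step 1 is itself a finding.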
Summary
In this lesson, you should have learned how to:
• Control system and object privileges
• Use database auditing