Database Programming Sections 13–Creating, revoking objects privileges

Upload: colman

Post on 30-Jan-2016
TRANSCRIPT

Page 1: Database Programming

Database Programming

Sections 13–Creating, revoking objects privileges

Page 2: Database Programming

Marge Hohly 2

Control of User Access

DCL (data control language). With Oracle Server database security, you can do the following:

- Control database access
- Give access to specific objects in the database
- Confirm given and received privileges within the Oracle data dictionary
- Create synonyms for database objects

Page 3: Database Programming

System vs. Object Privileges

System Privileges (system security)
- System level access
- Creating users, usernames & passwords, etc.
- Allocating disk space
- Granting system privileges
- Generally granted by the DBA

Object Privileges (data security)
- Object privileges: access and use
- Being able to execute DML statements

Page 4: Database Programming

Privileges: the right to execute particular SQL statements.

- DBA: a high-level user with the ability to grant users access to the database and its objects
- Users require system privileges to gain access to databases/objects and to manipulate their content
- Users can be given the privilege to grant additional privileges to other users/roles

Page 5: Database Programming


Schema

A schema is a collection of objects, such as tables, views, and sequences.

The schema is owned by a database user and has the same name as that user.

In this course, your schema name is US_1859_SQL01_Sxx, where xx is your number.

Page 6: Database Programming

System Privileges (Security)

Below are listed typical privileges provided by the database administrator.

Page 7: Database Programming

System privileges of DBA

- DBAs generally allocate system privileges
- Any user who owns an object can grant object privileges

System Privilege   Operations Authorized
CREATE SESSION     Connect to the database
CREATE TABLE       Create tables in the user's schema
CREATE SEQUENCE    Create sequences in the user's schema
CREATE VIEW        Create a view in the user's schema
CREATE PROCEDURE   Create a stored procedure, function, or package in the user's schema

Page 8: Database Programming

User System Privileges

Determine what the user can do at the database level

GRANT privilege [, privilege ...] TO user [, user | role, PUBLIC ...];

GRANT create session, create table, create sequence, create view TO scott;

Page 9: Database Programming

Object privileges

Each object has a set of grantable privileges.

1. The only privileges that apply to a sequence are SELECT and ALTER.
2. You can grant UPDATE, REFERENCES, and INSERT on individual columns of a table. Example: GRANT UPDATE (auth_expense) ON d_partners TO allison_plumb;
3. Restrict privileges using a view. You can't grant SELECT on individual columns.
4. A privilege granted on a synonym converts to a privilege on the base table referenced.

Page 10: Database Programming

Object privileges

Object Privilege   Table   View   Sequence   Procedure
ALTER              X              X
DELETE             X       X
EXECUTE                                      X
INDEX              X
INSERT             X       X
REFERENCES         X
SELECT             X       X      X
UPDATE             X       X

Page 11: Database Programming

Object Privileges (Security)

This level covers access to and use of database objects and the actions users can perform on an object. An owner can give specific privileges on that owner's object:

GRANT obj_privilege (columns) ON object TO USER|ROLE|PUBLIC [WITH GRANT OPTION]

- To grant privileges on an object, the object must be in your schema, or you must have been granted the object privileges WITH GRANT OPTION
- An object owner can grant any object privilege on the object to any other user or role of the database
- The owner of an object automatically acquires all object privileges on that object

GRANT select, insert (name, email) ON address_book TO Scott WITH GRANT OPTION;

REVOKE select, insert ON address_book FROM scott;

Page 12: Database Programming

Roles

- A role is a named group of related privileges that can be granted to a user
- Easier to revoke and maintain privileges
- A user may be granted several roles
- Several users may be assigned to a role
- Typically created for a database application
- The DBA creates roles, adds privileges and assigns them to users

Page 13: Database Programming

Roles

CREATE ROLE manager;
GRANT create table, create view TO manager;
GRANT manager TO jennifer_cho;

PRIVILEGES ARE GRANTED TO ROLES; PEOPLE ARE ASSIGNED TO ROLES

Page 14: Database Programming

Role characteristics

- Named groups of related privileges
- Granted to users
- Simplify the process of granting and revoking privileges
- Created by the DBA

Page 15: Database Programming

Why are roles easier? How it works.

Page 16: Database Programming

Grant Object privileges

GRANT object_priv [(column_list)] ON object_name TO {user|role|PUBLIC} [WITH GRANT OPTION]

Be careful using WITH GRANT OPTION

Page 17: Database Programming


Syntax

Page 18: Database Programming


Guidelines to grant object privileges

To grant privileges on an object, the object must be in your own schema, or you must have been granted the object privileges WITH GRANT OPTION.

An object owner can grant any object privilege on the object to any other user or role of the database.

The owner of an object automatically acquires all object privileges on that object.

Cont. next slide

Page 19: Database Programming


Granting privileges for objects

- The only privileges that apply to a sequence are SELECT and ALTER.
- You can grant UPDATE, REFERENCES, and INSERT on individual columns of a table. For example: GRANT UPDATE (auth_expense) ON d_partners TO allison_plumb;
- You can restrict the SELECT privilege by creating a view with a subset of columns and granting the SELECT privilege only on the view. You can't grant SELECT on individual columns.
- A privilege granted on a synonym is converted to a privilege on the base table referenced by the synonym.

Page 20: Database Programming

Grant & Revoke Syntax

GRANT object_priv [(columns)] ON object TO {user|role|PUBLIC} [WITH GRANT OPTION];

REVOKE {privilege [, privilege...] | ALL} ON object FROM {user [, user...] | role | PUBLIC} [CASCADE CONSTRAINTS];

CASCADE CONSTRAINTS is required to remove any referential integrity constraints made to the object by means of the REFERENCES privilege, i.e. a reference to your table via a foreign key.

Page 21: Database Programming

Examples DP.13.3.10

1. Scott owns d_songs and typed this command:
GRANT select ON d_songs TO PUBLIC;

2. Scott owns d_songs and is granting authorization to update these columns:
GRANT update (title, artist) ON d_songs TO jennifer_cho, manager;

3. Jennifer now types this to view Scott's d_songs table:
SELECT * FROM scott_king.d_songs;

Jennifer types the following:

4. CREATE SYNONYM songs FOR scott_king.d_songs;

5. SELECT * FROM songs; (songs is the synonym)

Page 22: Database Programming

WITH GRANT OPTION

GRANT select, insert ON d_songs TO scott_king WITH GRANT OPTION;

The WITH GRANT OPTION clause allows the privileges to be passed on to other users.

Privileges passed on under WITH GRANT OPTION are revoked when the user's own privileges are revoked.

Page 23: Database Programming


Pictorial view WITH GRANT OPTION

Page 24: Database Programming

PUBLIC keyword

GRANT select ON jason_tsang.d_songs TO PUBLIC;

The owner of a table can grant access to all users by using the keyword PUBLIC

Page 25: Database Programming

REVOKE privilege

REVOKE {privilege [, privilege...] | ALL} ON object FROM {user [, user...] | role | PUBLIC} [CASCADE CONSTRAINTS];

CASCADE CONSTRAINTS required to remove any referential integrity constraints made to the object by means of the REFERENCES privilege.

Page 26: Database Programming

Revoke privilege

REVOKE select, insert ON d_songs FROM us_1859_SQL01_Sxx;
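A worked script, added here and not part of the slides, that runs the grant and revoke statements of slides 7 to 26 through the accounts of slide 21 (scott_king owns d_songs, jennifer_cho is the grantee, manager is the role). The columns id, title and artist of d_songs, the playlist table and the DBA account are assumptions made for the example.

```sql
-- Added example (not from the slides). Assumed: scott_king.d_songs has
-- columns id, title, artist; jennifer_cho's playlist table is made up here.

-- Run as the DBA: system privileges let the accounts connect and own objects.
GRANT create session, create table, create sequence, create view TO scott_king;
GRANT create session, create table, create synonym TO jennifer_cho;

-- Run as the DBA: privileges are granted to roles, people are assigned to roles.
CREATE ROLE manager;
GRANT create table, create view TO manager;
GRANT manager TO jennifer_cho;

-- Run as scott_king (the owner): object privileges, column-level where allowed.
GRANT select ON d_songs TO PUBLIC;                                -- every account can read
GRANT update (title, artist) ON d_songs TO jennifer_cho, manager; -- only these two columns
GRANT select, insert ON d_songs TO jennifer_cho WITH GRANT OPTION;
GRANT references ON d_songs TO jennifer_cho;  -- REFERENCES goes to a user, never to a role

-- Run as jennifer_cho: a private synonym, then passing on only what was
-- received WITH GRANT OPTION. The commented-out grant fails with ORA-01031
-- (insufficient privileges) because UPDATE was granted without that option.
CREATE SYNONYM songs FOR scott_king.d_songs;
GRANT select ON songs TO manager;             -- converts to a grant on scott_king.d_songs
-- GRANT update (title) ON songs TO manager;  -- fails: no grant option on UPDATE

-- Run as jennifer_cho: the REFERENCES privilege is what allows this foreign key.
CREATE TABLE playlist (
  entry_id NUMBER PRIMARY KEY,
  song_id  NUMBER REFERENCES scott_king.d_songs (id)
);

-- Run as scott_king: taking it all back.
REVOKE select ON d_songs FROM PUBLIC;
-- Without CASCADE CONSTRAINTS this revoke is refused while playlist's
-- foreign key exists; with it, that foreign key is dropped as well.
REVOKE references ON d_songs FROM jennifer_cho CASCADE CONSTRAINTS;
-- Object privileges cascade: revoking from jennifer_cho also removes the
-- SELECT she passed on to manager.
REVOKE select, insert ON d_songs FROM jennifer_cho;
```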

Page 27: Database Programming

View Privileges

Access the data dictionary to view privileges you have

In APEX try to view the privileges of USER_ROLE_PRIVS


Page 28: Database Programming

Viewing privileges in the data dictionary

Data Dictionary View   Description
ROLE_SYS_PRIVS         System privileges granted to roles
ROLE_TAB_PRIVS         Table privileges granted to roles
USER_ROLE_PRIVS        Roles accessible by the user
USER_TAB_PRIVS_MADE    Object privileges granted on the user's objects
USER_TAB_PRIVS_RECD    Object privileges granted to the user
USER_COL_PRIVS_MADE    Object privileges granted on the columns of the user's objects
USER_COL_PRIVS_RECD    Object privileges granted to the user on specific columns
USER_SYS_PRIVS         Lists system privileges granted to the user

Page 29: Database Programming

Access errors

If you receive the Oracle Server error message "table or view does not exist," you have done one of the following:

- Named a table or view that does not exist
- Attempted to perform an operation on a table or view for which you do not have the appropriate privileges

Page 30: Database Programming

Example of privileges commands

SELECT * FROM role_tab_privs WHERE role = 'MANAGER';

SELECT * FROM user_sys_privs;

SELECT * FROM user_role_privs;

Page 31: Database Programming

Displaying your privileges

To show what privileges a user has on the database, enter:

SELECT * FROM SESSION_PRIVS;

This displays the list of privileges you hold. Run the command to see what you get. See next slide.
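An added set of queries, not from the slides, that uses the dictionary views of slide 28 to check what has been granted from both sides: what you have received and what you have given away. Run them as an object owner (scott_king from the earlier slides is assumed); the only assumption is that the account has some grants to look at.

```sql
-- Added example (not from the slides). Run as an object owner such as scott_king.

-- Everything I have been granted on other users' objects, and whether I can
-- pass it on (GRANTABLE = 'YES' means it came WITH GRANT OPTION).
SELECT owner, table_name, privilege, grantable
FROM   user_tab_privs_recd
ORDER  BY owner, table_name, privilege;

-- Column-level grants I have received (the slide 9 UPDATE (title, artist) case).
SELECT owner, table_name, column_name, privilege
FROM   user_col_privs_recd;

-- Grants on my own objects made to PUBLIC: every account in the database can
-- use these, so each row should be an intended one.
SELECT table_name, privilege, grantable
FROM   user_tab_privs_made
WHERE  grantee = 'PUBLIC';

-- Grants on my objects that the grantee may pass on further.
SELECT grantee, table_name, privilege
FROM   user_tab_privs_made
WHERE  grantable = 'YES';

-- System privileges reaching me through roles (dictionary names are upper case).
SELECT r.granted_role, p.privilege
FROM   user_role_privs r
JOIN   role_sys_privs  p ON p.role = r.granted_role
ORDER  BY r.granted_role, p.privilege;

-- What is actually active in this session: direct grants plus enabled roles.
SELECT privilege FROM session_privs ORDER BY privilege;
```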

Page 32: Database Programming

Private and Public Synonyms

Simplifies object names by providing an alternate name for tables, views, sequences, procedures or other objects

Synonyms can be private (default) or public

Public synonyms created by DBA or those with that privilege

CREATE PUBLIC SYNONYM not given to you in APEX


Page 33: Database Programming

Regular expressions

Regular expressions are a method of describing both simple and complex patterns for searching and manipulating.

In Oracle it is an extension of POSIX (Portable Operating System for UNIX)

Based on the use of meta characters which are special characters with special meaning

See next slide


Page 34: Database Programming

META characters

Symbol   Description
*        Matches zero or more occurrences
|        Alternation operator for specifying alternative matches
^/$      Matches the start-of-line/end-of-line
[]       Bracket expression for a matching list, matching any one of the expressions represented in the list
{m}      Matches exactly m times
{m,n}    Matches at least m times but no more than n times
[::]     Specifies a character class and matches any character in that class

Page 35: Database Programming

Meta characters cont.

Symbol   Description
\        Can have 4 different meanings: 1. Stand for itself. 2. Quote the next character. 3. Introduce an operator. 4. Do nothing.
+        Matches one or more occurrences
?        Matches zero or one occurrence
.        Matches any character in the supported character set, except NULL
()       Grouping expression, treated as a single subexpression
[==]     Specifies equivalence classes
\n       Back-reference expression
[..]     Specifies one collation element, such as a multi-character element

Page 36: Database Programming

Example

Which of the following strings would match 'a.c'? An 'a', followed by any single character, followed by the letter 'c'.
'ABC', 'abc', 'aqx', 'axc', 'aBc', 'abC'

Standard SQL: WHERE column LIKE 'a_c'

Regular expression would be: 'a.c'

Page 37: Database Programming

Example answer

'ABC', 'abc', 'aqx', 'axc', 'aBc', 'abC'

The strings shown in red on the slide matched the regular expression; the others failed, with either wrong letters, letters in the wrong place, or the wrong case.

Page 38: Database Programming

Example

Search for Stephen or Steven. Regular expression = '^Ste(v|ph)en$'

^ = start of the string to search
( = start of group
| = specifies an OR
) = finishes the group of choices
$ = specifies the end of the string being searched

Page 39: Database Programming

Regular Expression Functions

Name             Description
REGEXP_LIKE      Similar to the LIKE operator, but performs regular expression matching instead of simple pattern matching
REGEXP_REPLACE   Searches for a regular expression pattern and replaces it with a replacement string
REGEXP_INSTR     Searches a given string for a regular expression pattern and returns the position where the match is found
REGEXP_SUBSTR    Searches for a regular expression pattern within a given string and returns the matched substring
REGEXP_COUNT     Returns the number of times a pattern appears in a string. You specify the string and the pattern. You can also specify the start position and matching options (for example, c for case sensitivity).

Page 40: Database Programming

Examples

Review the examples provided in iLearning


Page 41: Database Programming

From Wikipedia, the free encyclopedia (http://en.wikipedia.org/wiki/Regular_expression):

"In computing, regular expressions provide a concise and flexible means for identifying text of interest, such as particular characters, words, or patterns of characters. Regular expressions are written in a formal language that can be interpreted by a regular expression processor, a program that either serves as a parser generator or examines text and identifies parts that match the provided specification. The following examples illustrate a few specifications that could be expressed in a regular expression:

- The sequence of characters "car" in any context, such as "car", "cartoon", or "bicarbonate".
- The word "car", when it appears as an isolated word.
- The word "car" when preceded by the word "blue" or "red". This would not find "green car".
- A dollar sign immediately followed by one or more digits, and then optionally a period and exactly two more digits.

Regular expressions can be much more complex than these examples.

Regular expressions (abbreviated as regex or regexp, with plural forms regexes, regexps, or regexen) are used by many text editors, utilities, and programming languages to search and manipulate text based on patterns. For example, Perl and Tcl have a powerful regular expression engine built directly into their syntax. Several utilities provided by UNIX distributions — including the editor ed and the filter grep — were the first to popularize the concept of regular expressions."

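The patterns of slides 36 to 41, as an added example that is not part of the deck, run through the Oracle REGEXP_* functions of slide 39. All test strings are constructed and the queries need nothing but DUAL; with the default case-sensitive matching, 'a.c' matches only abc, axc and aBc, and the 'i' match parameter makes all six match.

```sql
-- Added example (not from the slides). All input strings are constructed.

-- Slides 36/37: 'a.c' is an 'a', any one character, then a 'c'.
-- Matching is case sensitive unless the match parameter 'i' is given.
WITH samples AS (
  SELECT 'ABC' AS s FROM DUAL UNION ALL SELECT 'abc' FROM DUAL UNION ALL
  SELECT 'aqx'      FROM DUAL UNION ALL SELECT 'axc' FROM DUAL UNION ALL
  SELECT 'aBc'      FROM DUAL UNION ALL SELECT 'abC' FROM DUAL
)
SELECT s,
       CASE WHEN REGEXP_LIKE(s, 'a.c')      THEN 'match' ELSE 'no match' END AS case_sensitive,
       CASE WHEN REGEXP_LIKE(s, 'a.c', 'i') THEN 'match' ELSE 'no match' END AS case_insensitive,
       CASE WHEN s LIKE 'a_c'               THEN 'match' ELSE 'no match' END AS plain_like
FROM   samples;

-- Slide 38: anchored at both ends, so 'Stevenson' and 'Steffen' are rejected.
WITH names AS (
  SELECT 'Stephen' AS n FROM DUAL UNION ALL SELECT 'Steven'  FROM DUAL UNION ALL
  SELECT 'Stevenson'    FROM DUAL UNION ALL SELECT 'Steffen' FROM DUAL
)
SELECT n FROM names WHERE REGEXP_LIKE(n, '^Ste(v|ph)en$');

-- Slide 41: the four Wikipedia specifications, using the POSIX classes of
-- slide 34. Oracle has no \b word boundary, so "isolated word" is written as
-- "start of string or a non-alphanumeric" on each side of car.
WITH t AS (
  SELECT 'The red car and a cartoon cost $12.50 or $7; a green car was $100.' AS txt
  FROM   DUAL
)
SELECT REGEXP_COUNT(txt, 'car')                                      AS car_anywhere,
       REGEXP_COUNT(txt, '(^|[^[:alnum:]])car([^[:alnum:]]|$)')      AS car_as_word,
       REGEXP_SUBSTR(txt, '(blue|red) car')                          AS coloured_car,
       REGEXP_SUBSTR(txt, '\$[[:digit:]]+(\.[[:digit:]]{2})?', 1, 2) AS second_amount,
       REGEXP_INSTR(txt, '\$[[:digit:]]+')                           AS first_amount_pos,
       REGEXP_REPLACE(txt, '\$([[:digit:]]+)', 'USD \1')             AS dollars_rewritten
FROM   t;
```

REGEXP_COUNT is available from Oracle 11g onward; the other functions exist from 10g.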

Page 42: Database Programming

Read notes
