Lesson

Managing Roles

MAS-CS352-DBMS2
Lesson Objectives:
After completing this lesson, the student should be
able to:
 Create a new USER
 Grant Privilege access to a specific User.
 Changes password
 Create and Grant role
 Pass Privileges
 Revoke Privileges

MAS-CS352-DBMS2
Controlling User Access

MAS-CS352-DBMS2
Controlling User Access cont.
 In a multiple-user environment, you want to maintain security of the
database access and use. With Oracle server database security,
you can do the following:
 Control database access
 Give access to specific objects in the database
 Confirm given and received privileges with the Oracle data dictionary
 Create synonyms for database objects
 Database security can be classified into two categories: system
security and data security.
 System security covers access and use of the database at the system
level such as the username and password, the disk space allocated to
users, and the system operations that users can perform.
 Database security covers access and use of the database objects and
the actions that those users can have on the objects.

MAS-CS352-DBMS2
 Privileges
 Database security:
 System security
 Data security
 System privileges: Gaining access to the
database
 Object privileges: Manipulating the content
of the database objects
 Schemas: Collection of objects such as
tables, views, and sequences

MAS-CS352-DBMS2
 System Privileges
 More than 100 privileges are available.
 The database administrator has high-level
system privileges for tasks such as:
 Creating new users
 Removing users
 Removing tables
 Backing up tables

MAS-CS352-DBMS2
 Creating Users
 The DBA creates users with the CREATE USER
statement.
 Syntax:
CREATE USER user_name
IDENTIFIED BY user_password;
 Example:

MAS-CS352-DBMS2
 User System Privileges
 After a user is created, the DBA can grant specific system
privileges to that user.
 Syntax:
GRANT PRIVILEGE [privilege_type….]
TO user_name [,user| role, PUBLIC…];
 An application developer, for example, may have the following
system privileges:
 CREATE SESSION
 CREATE TABLE
 CREATE SEQUENCE
 CREATE VIEW
 CREATE PROCEDURE

MAS-CS352-DBMS2
 User System Privileges
 The DBA can grant specific system privileges to a user.
 Example:

 In the given example user IT_MGR was given a role to CREATE

SESSION, TABLE and VIEW.
 Try to exit normally your isqlplus* and then try to log-on using the
role created and password.
 Note Password is always hidden.

MAS-CS352-DBMS2
User System Privileges: cont.
 Supposed that a user TIGER with a password of TIGER with a
privilege of creating a session only.
 When this user try to create a table which is not granted as shown in
the example:

 Automatically this user cannot perform any DDL statement.

MAS-CS352-DBMS2
What Is a Role?

MAS-CS352-DBMS2
 What Is a Role?
 What Is a Role?
 A role is a named group of related privileges that can be granted to the user. This
method makes it easier to revoke and maintain privileges.
 A user can have access to several roles, and several users can be assigned the
same role. Roles are typically created for a database application.
 Creating and Assigning a Role
 First, the DBA must create the role. Then the DBA can assign privileges to the
role and assign the role to users.
 Syntax

CREATE ROLE role;

 In the syntax:
role is the name of the role to be created
After the role is created, the DBA can use the GRANT statement to
assign the role to users as well as assign privileges to the role.

MAS-CS352-DBMS2
 Creating and Granting Privileges to a Role
 Create a role
 Grant privileges to a role
 Grant a role to users
Note:
The example creates a
SECRETARY role and then
enables SECRETARY to create
tables and views. It then grant
IT_MGR the role of SECRETARY.
Now IT_MGR, tiger user can
create tables and views.
If users have multiple roles
granted to them, they receive all of
the privileges associated with all of
the roles.
MAS-CS352-DBMS2
 Changing Your Password

 The DBA creates your user account and initializes your password.
 You can change your password by using the ALTER USER
statement.
 Example:

 Try to exit isqlplus* then log-on using IT_MGR with the new
password MGR.

MAS-CS352-DBMS2
Object Privileges

MAS-CS352-DBMS2
 Object Privileges: cont.

 Object privileges vary from object to object.

 An owner has all the privileges on the object.
 An owner can give specific privileges on that
owner’s object.
 Syntax:
GRANT object_priv [(columns)]
ON object
TO {user|role|PUBLIC}
[WITH GRANT OPTION];

MAS-CS352-DBMS2
 Object Privileges: cont.

 Grant Object Privileges using the example below:

 By granting SELECT on user IT_MGR and tiger, these two users should
used the example below in order to view the values on EMPLOYEES
table:

 Where:
 SYSTEM: is the original user who grant a SELECT roles to IT_MGR and tiger.
 EMPLOYEES: is the name of the table granted to used SELECT statement.

MAS-CS352-DBMS2
 Object Privileges: cont.

 Grant privileges to update specific columns to users and roles.

 Suppose that EMPLOYEES table have the following values.

 Performing UPDATE on column LASTNAME, FIRSTNAME is

granted to user IT_MGR and tiger.

MAS-CS352-DBMS2
 Passing on your Privileges

 Give a user authority to pass along privileges as shown in the example

below:

 A privilege that is granted with the WITH GRANT OPTION clause can be
passed on to other users and roles by the grantee. Object privileges granted
with the WITH GRANT OPTION clause are revoked when the grantor’s
privilege is revoked.
 The example on the slide gives user TIGER access to EMPLOYEES table
with the privileges to query the table and add rows to the table. The
example also shows that TIGER can give others these privileges.

MAS-CS352-DBMS2
 Passing on your Privileges: Specific User

 In the example: the user TIGER was able to pass the privilege given
to IT_MGR user.

 Since privilege has been passed to user TIGER this user can now
insert a new row to EMPLOYEES table as shown in the example
below:

MAS-CS352-DBMS2
 Passing on your Privileges: PUBLIC

 Allow all users on the system to query data from SYSTEM.

EMPLOYEES table.
 Example:

 An owner of a table can grant access to all users by using the

PUBLIC keyword.
 The example allows all users on the system to query data from
SYSTEM’s EMPLOYEES table.

MAS-CS352-DBMS2
 Confirming Privileges Granted

Data Dictionary View Description

ROLE_SYS_PRIVS System privileges granted to roles
ROLE_TAB_PRIVS Table privileges granted to roles
USER_ROLE_PRIVS Roles accessible by the user
USER_TAB_PRIVS_MADE Object privileges granted on the user’s objects
USER_TAB_PRIVS_RECD Object privileges granted to the user
USER_COL_PRIVS_MADE Object privileges granted on the
columns of the user’s objects
USER_COL_PRIVS_RECD Object privileges granted to the user on specific
columns
USER_SYS_PRIVS System privileges granted to the user

MAS-CS352-DBMS2
 Revoking other Privileges

 You use the REVOKE statement to revoke privileges

granted to other users.
 Privileges granted to others through the WITH GRANT
OPTION clause are also revoked.
 Syntax:
REVOKE {privilege [, privilege...]|ALL}
ON object(table/view)
FROM {user[, user...]|role|PUBLIC}
[CASCADE CONSTRAINTS];

MAS-CS352-DBMS2
 Revoking Object Privileges: Example

 As user TIGER, revoke the SELECT and INSERT privileges given to

user IT_MGR on the EMPLOYEES table.

 Whenever IT_MGR tries to insert a new values he will encounter the

system error: insufficient provileges

MAS-CS352-DBMS2
 DELETING AN EXISTING USER

 To delete a specific User: Used the DROP command

MAS-CS352-DBMS2
Lesson Summary:
In this lesson, you should have learned about statements that control
access to the database and database objects.
 Create new user using CREATE USER user and is usually
performed by the Database Admin
 Grant specific privileges either Private or Public using the GRANT
option.
 Create specific privileges by using the CREATE ROLE
 Change password created by using the ALTER USER statement
 Removes privileges on an object by using the REVOKE statement

MAS-CS352-DBMS2