Wikibooks

Oracle Database/Administering Users

< Oracle Database

Within Oracle, users may be managed through the webpage under the administration section, and within the Database Users subsection.

Creating and managing database user accounts

edit

Adding users

edit

New users can be created by an administrator or a user who has a "CREATE USER" privilege using Oracle Enterprise Manager GUI by clicking on the "Create" link in the "Users" section . Enter the username and password for the new user. You can also set the password to expire (where the user must change the password on the next login), and whether an account is locked (to prevent a user from connecting to the system).

In most cases, users should belong to the Connect role. If the user needs to create tables or have more advanced capability, the user should be placed within the Resource role. Database admins should appear in the DBA role. If desired, users may be given individual permissions within Directly Grant Privileges section.

Alternatively, users can also be created using the "CREATE USER" SQL command.

Eg: 

CREATE USER UserTest IDENTIFIED BY MyComplexPassword DEFAULT TABLESPACE Wikibooks PASSWORD EXPIRE QUOTA UNLIMITED ON Wikibooks;
GRANT CONNECT TO UserTest;

After creating the user, the "CONNECT" role needs to be granted for the user to connect to the database.

Listing users

edit 
SELECT * FROM ALL_USERS

Removing users

edit

When a user no longer needs to be present within the database, you click the drop button within the web interface.

To script it: 

DROP USER UserTest;

To remove the attached objects to the user[1]: 

DROP USER UserTest CASCADE;

Creating and managing roles

edit

The roles list is available with: 

SELECT * FROM DBA_ROLES;

CONNECT
RESOURCE
DBA
SELECT_CATALOG_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE
EXP_FULL_DATABASE
IMP_FULL_DATABASE
LOGSTDBY_ADMINISTRATOR
DBFS_ROLE
AQ_ADMINISTRATOR_ROLE
AQ_USER_ROLE
DATAPUMP_EXP_FULL_DATABASE
DATAPUMP_IMP_FULL_DATABASE
ADM_PARALLEL_EXECUTE_TASK
GATHER_SYSTEM_STATISTICS
XDB_WEBSERVICES_OVER_HTTP
RECOVERY_CATALOG_OWNER
SCHEDULER_ADMIN
HS_ADMIN_SELECT_ROLE
HS_ADMIN_EXECUTE_ROLE
HS_ADMIN_ROLE
OEM_ADVISOR
OEM_MONITOR
PLUSTRACE
CTXAPP
XDBADMIN
XDB_SET_INVOKER
AUTHENTICATEDUSER
XDB_WEBSERVICES
XDB_WEBSERVICES_WITH_PUBLIC
APEX_ADMINISTRATOR_ROLE

Personalized roles can be created[2]: 

CREATE ROLE MyRole;
GRANT CONNECT TO MyRole;
GRANT DBA TO MyROLE;

Then it's possible to use it with the users: 

GRANT MyROLE TO UserTest

Revoking privileges

edit

We can revoke a privilege from a user or a role: 

REVOKE CONNECT FROM MyRole;

Modifying privileges

edit

We can change a password with: 

ALTER ROLE MyRole IDENTIFIED BY MyPassword;

Deleting a role

edit

We can remove a role: 

DROP ROLE MyRole;

Controlling resource usage by users

edit
This section is a stub.
You can help Wikibooks by expanding it.

Applying the principle privilege

edit

Managing accounts

edit

Implementing standard password security features

edit

Auditing database activity

edit

Registering for security updates

edit

Differentiating system privileges from object privileges

edit

Granting privileges on tables

edit

Viewing privileges in the data dictionary

edit

Distinguishing between privileges and roles

edit


References

edit
  1. https://docs.oracle.com/cd/B14117_01/server.101/b10759/statements_9008.htm
  2. https://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_6012.htm
Retrieved from "https://en.wikibooks.org/w/index.php?title=Oracle_Database/Administering_Users&oldid=4077797"