Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified
Professional (OCP DBA 11g) Security DBA.
I will be sharing with you the basic duties of an Oracle DBA, and also
some of the undocumented, and not so well known tasks.
I will make a deal with you: If you refer me to a company that needs
database support, from a few hours per week to full time, and I am able to sign
a contract with them.
Then I will give you 10% of the monthly
contract or deal price every month. When
the contract ends, and we re-sign the contract, I will again give you 10% of
the monthly contract price. This will go
on until the company no longer employs or contracts me or my agents to look
after their databases.
I can do this, because that 10% is my
marketing budget. When we re-sign the
contract, in the future, it may depend on you giving the thumbs up again, and
that is worth 10% of the monthly contract price, to be given to you as
commission.
Security,
Privileges, Roles, Profiles and Resource Limitations - Part
1
There are two primary processes involved with
authorization:
·
Permitting
only authorized users to access, process, or alter data
·
Applying
limitations on user access or actions, according to the users credentials.
The limitations
given to or removed from users can apply to objects such as schemas, tables, or
rows. The limitations can also apply to
resources such as CPU time, connect time, or idle time.
The following broad categories are all part of
the description of privileges, roles, profiles and resource limitations:
·
How
privileges are acquired and used
·
How
roles are acquired, used, and restricted
·
How
and why resource limits are applied to users
·
How
profiles are determined and used
Introduction to Privileges
A privilege is the right to execute a stored procedure or
select, insert, update, or delete rights on objects. Privileges include some of the following
rights:
·
Connect to the
database, which involves the create session privilege
·
Create table privilege
·
Select rows from
another users table
·
Execute another users
stored procedure
You can grant privileges to users to enable them to
accomplish the tasks that they need to do.
You should only grant the necessary privileges to users to enable them
to enable them to do their work.
Excessive privileges can compromise security. You can grant privileges to users in tow
different ways:
·
You can grant the
privilege explicitly for a specific task, for example “grant insert on
<schema.table_name> to <username>;”
·
You can grant the
privilege to a role, and then grant the role to one or more users. A role is a named group of privileges. Roles allow for more efficient and better
management of privileges, so it is better practice to grant the privileges to a
role, and then grant the role to the specified users
There are six categories of privileges
·
System Privileges
·
Schema Object
Privileges
·
Table Privileges
·
View Privileges
·
Procedure Privileges
·
Type Privileges
System Privileges
System privileges are very
powerful privileges, and involves the right to perform a particular
action. It involves the right to perform
an action on any schema object of a particular type. CREATE TABLEPACE is a system privilege. Delete the rows from any table in the
database is a system privilege. In
Oracle database server 10g, there are over 100 distinct system privileges, that
need to be managed.
Granting and Revoking System Privileges
You can grant and revoke system
privileges to users and to roles. If you
grant the system privileges to roles, then you can use the roles to manage the
system privileges. You can have
different roles with different sets of system privileges defined, to make
available to users with specific requirements.
System privileges should only be granted to administrative personnel,
and application developers. End users
should not require system privileges, and their associated capabilities. You can grant and revoke system privileges
from SQL*Plus, or from Oracle Enterprise Manager Database Control.
Franz Devantier,
Need a database health check, or a security audit?
Classifieds
No comments:
Post a Comment