Database 3rd Lab Notes

The document provides detailed notes on managing user privileges in Oracle databases, including commands for granting and revoking access rights. It explains the roles of different users like SYS and SYSTEM, the importance of specifying schema names, and the process for creating users, profiles, and roles. Additionally, it covers how to troubleshoot common privilege issues and outlines SQL syntax for user and profile management.

Uploaded by

Ai Cha

Overall Notes
Oracle allows multiple users to use the database. Every user accesses the
database with a username and password; the username determines the access
rights to the objects of the database.
The user that creates an object in the database is its owner, and only the owner can
decide to grant or revoke access rights on it to other users.

Commands :

GRANT privilege ON [table/view] TO username [WITH GRANT OPTION]

this command gives the concerned privilege on the table or view to the user .

REVOKE privilege ON [table/view] FROM username

A user who has granted a privilege can take it back at any time by using the revoke
command .
WITH GRANT OPTION : A user who has received a privilege with this option can
pass it on to another user .

Privileges that can be given:


SELECT  the right to read rows
INSERT  the right to insert rows
UPDATE  the right to update rows
DELETE  the right to delete rows
ALTER   the right to modify the table definition
INDEX   the right to create an index on the table
ALL     all of the above rights

Access to the database is based on user names:

If a user is the owner of a resource, they automatically have access to it. For others to
access it, the creator's permissions are required, typically through the creator.table
format.
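The two commands above and the WITH GRANT OPTION clause are easiest to understand as a chain of grants followed by a revoke. The script below is an added example, not part of the original notes: it assumes the DBASchool schema and its Teacher table from later in these notes, the user Admin, and a second hypothetical user Auditor, and it queries the DBA_TAB_PRIVS view (as SYS) to show who holds what after each step. It also shows the difference the notes hint at later: object privileges are passed on with WITH GRANT OPTION and their revocation cascades, while system privileges use WITH ADMIN OPTION and their revocation does not.

```sql
-- Added example (not part of the original notes). Schema DBASchool, table Teacher
-- and users Admin and Auditor (hypothetical) are assumed; run each part as the
-- user named in the comment.

-- As DBASchool (owner of Teacher): grant read access and allow Admin to re-grant it.
GRANT SELECT ON DBASchool.Teacher TO Admin WITH GRANT OPTION;

-- As Admin: allowed only because of WITH GRANT OPTION above.
GRANT SELECT ON DBASchool.Teacher TO Auditor;

-- As SYS: who holds SELECT on Teacher, who granted it, and whether they may
-- pass it on (GRANTABLE = 'YES'). Unquoted identifiers are stored in upper
-- case, so the comparison values are upper case.
SELECT grantee, grantor, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'DBASCHOOL' AND table_name = 'TEACHER';
-- Expected rows: ADMIN   (grantor DBASCHOOL, grantable YES)
--                AUDITOR (grantor ADMIN,     grantable NO)

-- As DBASchool: revoking from Admin cascades to everyone Admin granted it to,
-- so Auditor loses SELECT as well.
REVOKE SELECT ON DBASchool.Teacher FROM Admin;

-- As SYS: the same query now returns no rows for ADMIN or AUDITOR.
SELECT grantee, grantor, privilege
  FROM dba_tab_privs
 WHERE owner = 'DBASCHOOL' AND table_name = 'TEACHER';

-- Contrast with a system privilege: the re-grant clause is WITH ADMIN OPTION,
-- and revoking it from Admin does NOT cascade to Auditor.
GRANT CREATE SESSION TO Admin WITH ADMIN OPTION;   -- as SYS
-- GRANT CREATE SESSION TO Auditor;                -- as Admin
-- REVOKE CREATE SESSION FROM Admin;               -- as SYS; Auditor keeps it
```

The cascade is why an owner should check DBA_TAB_PRIVS before revoking from a user who had the grant option: the revoke removes more than the one row the owner had in mind. The non-cascading behaviour of system privileges is the opposite trap, since revoking CREATE SESSION from the original grantee leaves every onward grant in place.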

Why is specifying the schema name important?


ensures that the database knows where to find the table, as users can have their own
objects with the same name.

User vs SYS vs SYSTEM in granting privileges:

1. SYS Privileges:
Access: SYS can access any object in the database without explicit
permissions because it operates with unrestricted authority.
Granting Privileges: SYS can grant privileges (e.g., SELECT, INSERT) on
any object to other users without requiring permission from the object owner.
2. SYSTEM Privileges:
Access: SYSTEM cannot directly access objects owned by other users unless
explicitly granted the necessary privileges.
Granting Privileges: SYSTEM can grant privileges on other users' objects only
if:
SYSTEM has been granted the privileges explicitly with the WITH GRANT
OPTION clause, or
SYSTEM holds a system-level privilege like GRANT ANY OBJECT PRIVILEGE .

GRANT CREATE SESSION TO admin WITH ADMIN OPTION;

-- CREATE SESSION is a system privilege, so the clause that lets the grantee
-- pass it on is WITH ADMIN OPTION (WITH GRANT OPTION applies only to object
-- privileges such as SELECT ON a table); admin can now pass this privilege to another user.

1. Create another user: Admin

CREATE USER Admin IDENTIFIED BY admin_password;


Why this error? In a multitenant database the CREATE USER above is being run in the root container (CDB$ROOT), where only common users can be created and their names must start with the C## prefix, so a plain name such as Admin is rejected. The hidden parameter below disables that check.

We fix this by:

ALTER SESSION SET "_ORACLE_SCRIPT"=true;

Session altered.

CREATE USER Admin IDENTIFIED BY admin123;

User created.

2. Log in with this user. What do you notice?

CONNECT Admin
Enter password: admin123
When you log in as Admin, the connection is refused: Admin does not have the
CREATE SESSION privilege, nor the privileges to create tables or any other objects,
since new users have no privileges by default.

3. Give the right to create a session for this user (CREATE SESSION).

After logging in as the SYS user, we grant the CREATE SESSION privilege to the new
user Admin.
SYSDBA is a privilege in Oracle, not a user or a role. It is a special administrative
privilege that gives a user full, unrestricted access to the database.

CONNECT sys/password AS SYSDBA;

GRANT CREATE SESSION TO Admin;

4. Give the following privileges to Admin: create tables, create users. Log in with Admin and check.

GRANT CREATE TABLE TO Admin;


GRANT CREATE USER TO Admin;

After logging in, you should now be able to create tables and users with the Admin
account.
Checking:
We use this command to check all the system privileges that the current user has.

SELECT * FROM user_sys_privs;

1. USER_SYS_PRIVS
Shows system-level privileges granted to the current user. These privileges control
what a user can do at the database level, such as logging in, creating users, or altering
the system.

Example privileges: CREATE SESSION , CREATE TABLE , ALTER SYSTEM .

2. USER_TAB_PRIVS
Shows object-level privileges granted on specific database objects (e.g., tables,
views). These privileges control what a user can do with specific objects.

Example privileges: SELECT , INSERT , UPDATE , DELETE .

Summary:
USER_SYS_PRIVS = Database-wide permissions (e.g., login, create users).
USER_TAB_PRIVS = Permissions on specific objects (e.g., read or modify a table).

5. Run the query Q1: SELECT * FROM DBASchool.Teacher. What do you notice?

The query fails with an insufficient-privileges error, since Admin does not have read permission on the Teacher table yet.

6. Give this user read permission for the Teacher table. Run query Q1 now.

GRANT SELECT ON DBASchool.Teacher TO Admin;

Now, running query Q1 should display the contents of the Teacher table without
permission errors.
7. The school increases the salaries of Teachers by
3000 DA if their total number of courses taught is
greater than or equal to 3. What should be done?
What do you notice?

UPDATE DBASchool.Teacher
SET Salary = Salary + 3000
WHERE TeacherID IN (
SELECT TeacherID
FROM DBASchool.COURSE_ASSIGNMENT
GROUP BY TeacherID
HAVING COUNT(CourseID) >= 3
);

You will likely encounter an error due to insufficient privileges, as Admin has neither
UPDATE rights on the TEACHER table nor SELECT rights on the COURSE_ASSIGNMENT
table.

8. Try again after giving this user update rights for the Teacher table and read rights for the COURSE_ASSIGNMENT table.

GRANT UPDATE ON DBASchool.Teacher TO Admin;


GRANT SELECT ON DBASchool.COURSE_ASSIGNMENT TO Admin;

Now, rerun the UPDATE query from step 7. The update should execute successfully.
9. Create a LastName_IX index on the LastName
attribute of the Teacher table. What do you notice?
What are indexes?
Index: a special data structure that improves the speed of data retrieval operations
on a database table. Indexes function like the index of a book: they allow the
database to quickly locate specific rows without scanning the entire table.
Indexes are especially useful when dealing with large datasets and can significantly
enhance query performance, especially for SELECT queries involving search
conditions (e.g., WHERE clauses), sorting (ORDER BY), and joins.

Try creating the index:

CREATE INDEX LastName_IX ON DBASchool.Teacher(LastName);

--> fail because Admin does not have index creation privileges on the Teacher table.

10. Give the index creation rights to Admin for the Teacher table and try to create the index again. What happens?

GRANT INDEX ON Teacher TO Admin; --as DBASchool


The index still fails to create: Oracle assigns the USERS tablespace as the default
tablespace of every user it creates, unless another one is specified.
HOW TO FIX
Make sure the user has sufficient privileges (a quota) on both the USERS tablespace and
School_TBS so that it is able to create the index.

ALTER USER Admin Quota unlimited on School_TBS;


ALTER USER Admin Quota unlimited on USERS;

QUOTA UNLIMITED: used to grant a user permission to use a specific tablespace without any limitation on the amount of space they can use.
Now, try creating the index again. It should succeed without issues:

CREATE INDEX LastName_IX ON DBASchool.Teacher(LastName);

11. Revoke the previously granted privileges.

REVOKE CREATE TABLE, CREATE USER, CREATE SESSION FROM Admin; --as SYSTEM
REVOKE SELECT, UPDATE ON Teacher FROM Admin; --as DBASchool
REVOKE SELECT ON COURSE_ASSIGNMENT FROM Admin; --as DBASchool
REVOKE INDEX ON Teacher FROM Admin; --as DBASchool

12. Verify that the privileges have been revoked.
To verify, you can use the following query. Note the upper-case grantee: CREATE USER Admin (unquoted) stores the name as ADMIN, so GRANTEE = 'Admin' would return nothing even if the grants were still in place, and the check would pass for the wrong reason.

SELECT * FROM DBA_TAB_PRIVS WHERE GRANTEE = 'ADMIN';

The output should show no entries for the object privileges that were just revoked. DBA_TAB_PRIVS lists object privileges only; the revoked system privileges (CREATE TABLE, CREATE USER, CREATE SESSION) are checked the same way in DBA_SYS_PRIVS.

13. Create a profile School_Profile with the specified characteristics.
What are profiles ?
Profile : is a set of resource limits and password management policies that can be
assigned to users to control and manage their database activities. Profiles allow
administrators to enforce restrictions on users to ensure resource usage is
controlled and to enhance security.

13. Create a profile "School_Profile" which is characterized by: 3 simultaneous
sessions allowed, a system call cannot consume more than 35 seconds of CPU,
each session cannot exceed 90 minutes, a system call cannot read more than
1200 blocks of data in memory and on the disk. Each session cannot allocate
more than 25 KB of memory in the SGA. For each session, a maximum of 30
minutes of inactivity is allowed. 5 login attempts before the account is blocked.
The password is valid for 50 days, and it will take 40 days before it can be used
again. Only one day of access ban after the 5 login attempts have been reached.
The grace period that extends the use of the password before changing it is 5
days.

CREATE PROFILE School_Profile
LIMIT
  SESSIONS_PER_USER 3            -- 3 simultaneous sessions allowed
  CPU_PER_CALL 3500              -- in hundredths of a second: not more than 35 seconds per call
  CONNECT_TIME 90                -- max duration of a session, in minutes
  LOGICAL_READS_PER_CALL 1200    -- a call cannot read more than 1200 blocks (memory or disk)
  PRIVATE_SGA 25K                -- max memory allocated by a session in the SGA
  IDLE_TIME 30                   -- max 30 minutes of inactivity per session
  FAILED_LOGIN_ATTEMPTS 5        -- failed login attempts before the account is locked
  PASSWORD_LIFE_TIME 50          -- lifetime of a password, in days
  PASSWORD_REUSE_TIME 40         -- days before a password can be used again
  PASSWORD_GRACE_TIME 5          -- days you can keep using the password after the warning to change it
  PASSWORD_LOCK_TIME 1;          -- days the account stays locked after the maximum number of failed login attempts

If you are in a CDB, make sure to switch to the correct PDB before creating the profile
(that is the only correct way).
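The profile above encodes the requested limits, but two things are easy to miss and are worth checking after it is created. First, PASSWORD_REUSE_TIME only produces a "reusable after 40 days" rule when PASSWORD_REUSE_MAX is also set to an integer; Oracle's CREATE PROFILE documentation states that an integer for one of the two and UNLIMITED for the other means the password can never be reused, and the DEFAULT profile ships with PASSWORD_REUSE_MAX UNLIMITED. Second, resource limits such as CPU_PER_CALL and IDLE_TIME are only enforced while the RESOURCE_LIMIT parameter is TRUE; password limits are always enforced. The script below is an added example, not part of the original notes: it assumes School_Profile and the user Admin exist in the current container and is run as SYS.

```sql
-- Added example (not part of the original notes). Run as SYS in the container
-- where School_Profile and Admin were created.

-- Complete the reuse rule: with REUSE_TIME 40 and REUSE_MAX 1, a password can
-- be reused only after 40 days and at least one intervening change.
ALTER PROFILE School_Profile LIMIT PASSWORD_REUSE_MAX 1;

-- Resource limits in the profile are ignored while this is FALSE.
SELECT name, value FROM v$parameter WHERE name = 'resource_limit';
-- ALTER SYSTEM SET resource_limit = TRUE;   -- only if the value above is FALSE

ALTER USER Admin PROFILE School_Profile;

-- Every limit in the profile. LIMIT = 'DEFAULT' means the value is inherited
-- from the DEFAULT profile, which is worth reading for anything not set above.
SELECT resource_type, resource_name, limit
  FROM dba_profiles
 WHERE profile = 'SCHOOL_PROFILE'
 ORDER BY resource_type, resource_name;

-- Which profile Admin has, and the lockout state. After five failed logins
-- ACCOUNT_STATUS shows LOCKED(TIMED) and LOCK_DATE is set; the account
-- reopens on its own after PASSWORD_LOCK_TIME (1 day), or earlier with:
--   ALTER USER Admin ACCOUNT UNLOCK;
SELECT username, profile, account_status, lock_date, expiry_date
  FROM dba_users
 WHERE username = 'ADMIN';
```

Reading DBA_PROFILES for the DEFAULT profile as well is the practical check: any limit left at DEFAULT in School_Profile silently takes whatever the DEFAULT profile says, which on a fresh install is mostly UNLIMITED.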

14. Assign this profile to the Admin user.

ALTER USER Admin PROFILE School_Profile;

15. Create the role: School_MANAGER with specified


privileges.
What is a Role?
A role is a named collection of privileges that can be granted to users or other roles. It allows
you to simplify and manage user permissions more efficiently by grouping
privileges together and assigning them to users in bulk.

CREATE ROLE School_MANAGER;


GRANT SELECT ON DBASchool.EXAM TO School_MANAGER;
GRANT SELECT ON DBASchool.STUDENT TO School_MANAGER;
GRANT SELECT ON DBASchool.COURSE TO School_MANAGER;
GRANT UPDATE ON DBASchool.TEACHER TO School_MANAGER;
GRANT UPDATE ON DBASchool.ENROLLMENT TO School_MANAGER;
GRANT UPDATE ON DBASchool.COURSE_ASSIGNMENT TO School_MANAGER;
GRANT UPDATE ON DBASchool.EXAM_RESULT TO School_MANAGER;

16. Assign this role to Admin and verify permissions.

GRANT School_MANAGER TO Admin;

Now, you can verify that Admin has inherited the privileges by running (the grantee is stored in upper case, so 'ADMIN' rather than 'Admin'):

SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTEE = 'ADMIN';

SELECT * FROM DBA_TAB_PRIVS WHERE GRANTEE = 'ADMIN';

The results should show Admin's access to the specified tables and permissions
provided by the School_MANAGER role.
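DBA_TAB_PRIVS with GRANTEE = 'ADMIN' only shows privileges granted to Admin directly; the table privileges that arrive through School_MANAGER are recorded against the role, not the user. The script below is an added example, not part of the original notes, that puts the verification of steps 12 and 16 together into one "effective privileges" check for Admin: direct system privileges, direct object privileges, granted roles, and the object privileges inherited through those roles (one level of nesting). It assumes the user Admin and the role School_MANAGER from these notes and is run as SYS.

```sql
-- Added example (not part of the original notes). Run as SYS.
-- Unquoted identifiers are stored in upper case, hence 'ADMIN'; a query with
-- 'Admin' matches nothing and a "revoked" check would pass vacuously.

-- Direct system privileges (should be empty after step 11).
SELECT privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee = 'ADMIN';

-- Direct object privileges (should be empty after step 11).
SELECT owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'ADMIN';

-- Roles granted to Admin and whether they are enabled at login.
SELECT granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE grantee = 'ADMIN';

-- Object privileges that arrive through those roles (one level deep).
SELECT rp.granted_role, tp.owner, tp.table_name, tp.privilege
  FROM dba_role_privs rp
  JOIN dba_tab_privs  tp ON tp.grantee = rp.granted_role
 WHERE rp.grantee = 'ADMIN'
 ORDER BY 1, 2, 3, 4;
-- After step 16 expect seven rows for SCHOOL_MANAGER: SELECT on COURSE, EXAM,
-- STUDENT and UPDATE on COURSE_ASSIGNMENT, ENROLLMENT, EXAM_RESULT, TEACHER.

-- From Admin's own session, without DBA views, the privileges and roles that
-- are active right now:
--   SELECT * FROM session_privs;
--   SELECT * FROM session_roles;
```

The last query is the one that matters for least privilege: a user can look clean in DBA_TAB_PRIVS and still reach every table through a role, so a revoke is only complete once the role grant in DBA_ROLE_PRIVS is gone as well.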

Additional notes
When working in a CDB, check which PDBs exist and which container you are in before creating users or profiles, and
don't forget ALTER SESSION SET "_ORACLE_SCRIPT"=true; if you hit the CDB/PDB common-user
problem in the root container.
Here is a summary of the SQL syntax and steps involved in creating users,
profiles, roles, and addressing the "no privileges on the tablespace" issue:

1. Creating a User:
Syntax:

CREATE USER username
  IDENTIFIED BY password
  [DEFAULT TABLESPACE tablespaceName [QUOTA {integer [K | M] | UNLIMITED} ON tablespaceName]]
  [TEMPORARY TABLESPACE tablespaceName [QUOTA {integer [K | M] | UNLIMITED} ON tablespaceName]]
  [PROFILE profileName]
  [PASSWORD EXPIRE]
  [ACCOUNT {LOCK | UNLOCK}];

Key Options:
IDENTIFIED BY password : Assigns a password to a local user.
DEFAULT TABLESPACE : Assigns a default tablespace for storage.
TEMPORARY TABLESPACE : Assigns a temporary tablespace for temporary objects.
QUOTA : Limits or allows unlimited space on a tablespace.
PROFILE : Assigns a profile to manage user session and resource limits.
PASSWORD EXPIRE : Forces a user to change their password on first login.
ACCOUNT LOCK/UNLOCK : Controls access to the account.

2. Creating a Profile:
Syntax:

CREATE PROFILE profileName
  LIMIT {Resource Setting | Password Setting};

Resource Settings:
SESSIONS_PER_USER , CPU_PER_SESSION , CONNECT_TIME , IDLE_TIME , etc., to
control resource consumption.
Password Settings:
FAILED_LOGIN_ATTEMPTS , PASSWORD_LIFE_TIME , PASSWORD_REUSE_TIME , etc.,
to enforce password policies.

3. Creating a Role:
Syntax:

CREATE ROLE rolename
  [NOT IDENTIFIED | IDENTIFIED {BY password | USING [schema.]package | EXTERNALLY | GLOBALLY}];

Purpose: Roles allow you to group multiple privileges and assign them to users.

4. Fixing the "No Privileges on the Tablespace" Error:
If you encounter the error "no privileges on the tablespace" , it means the user
does not have the required privileges to create tables in a specified tablespace.

Solution: Grant the user a quota on the tablespace:

ALTER USER Admin QUOTA UNLIMITED ON SCHOOL_TBS;

This gives the user Admin unlimited space in the SCHOOL_TBS tablespace, allowing
them to create tables.
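The CREATE USER syntax in section 1, the PDB note above and the tablespace fix in section 4 come together in the script below. It is an added example, not part of the original notes: it creates a user the supported way inside a PDB (so no C## prefix and no "_ORACLE_SCRIPT" workaround), gives it an explicit default tablespace with a bounded quota instead of UNLIMITED, and verifies the result in DBA_USERS and DBA_TS_QUOTAS. The PDB name SCHOOLPDB and the user name School_Clerk are assumptions; the tablespace School_TBS, the TEMP tablespace and the profile School_Profile are assumed to exist in that PDB. Run as SYS.

```sql
-- Added example (not part of the original notes). PDB name SCHOOLPDB and user
-- School_Clerk are assumptions; School_TBS, TEMP and School_Profile must exist
-- in the PDB. Run as SYS.

-- Which PDBs exist and whether they are open.
SELECT name, open_mode FROM v$pdbs;

-- Switch into the PDB: local users created here need no C## prefix.
ALTER SESSION SET CONTAINER = SCHOOLPDB;

CREATE USER School_Clerk IDENTIFIED BY "Ch4nge-Me-At-First-Login"
  DEFAULT TABLESPACE School_TBS
  QUOTA 50M ON School_TBS        -- bounded quota rather than UNLIMITED
  TEMPORARY TABLESPACE TEMP
  PROFILE School_Profile
  PASSWORD EXPIRE;               -- forces a password change at first login

-- Without CREATE SESSION the account cannot log in at all.
GRANT CREATE SESSION, CREATE TABLE TO School_Clerk;

-- Verify default tablespace, profile and status (EXPIRED until first login).
SELECT username, default_tablespace, temporary_tablespace, profile, account_status
  FROM dba_users
 WHERE username = 'SCHOOL_CLERK';

-- Verify the quota: MAX_BYTES = -1 would mean UNLIMITED.
SELECT tablespace_name, bytes, max_bytes
  FROM dba_ts_quotas
 WHERE username = 'SCHOOL_CLERK';

-- "no privileges on tablespace" means no quota on the tablespace the object
-- would land in (the user's default tablespace unless CREATE ... TABLESPACE
-- says otherwise). Raise the quota on that tablespace only:
-- ALTER USER School_Clerk QUOTA 100M ON School_TBS;
```

Creating the user inside the PDB with an explicit DEFAULT TABLESPACE avoids the USERS-tablespace surprise from step 10, and a sized quota keeps one account from filling a tablespace shared with other schemas.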
