SQL Fundamentals Lesson#17 User Access Day 25

This document outlines the process of controlling user access in a database, including creating users, granting privileges, and managing roles. It details the various clauses available in the CREATE USER statement, such as setting default and temporary tablespaces, quotas, and profiles. Additionally, it explains the distinction between system and object privileges, and provides examples of creating different types of users and managing their access rights.

Uploaded by Samaneh Eivani
© All Rights Reserved
Controlling User Access


Lesson#17

Objectives:

• Differentiate system privileges from object privileges
• User management
• Grant privileges on tables
• Grant roles
• Distinguish between privileges and roles

Use the CREATE USER statement to create and configure a database user, which is an account
through which you can log in to the database, and to establish the means by which Oracle Database
permits access by the user.

You can issue this statement in an Automatic Storage Management cluster to add a user and
password combination to the password file that is local to the ASM instance of the current node. Each
node's ASM instance can use this statement to update its own password file. The password file itself
must have been created by the ORAPWD utility.

You can enable a user to connect to the database through a proxy application or application server.

You must have the CREATE USER system privilege. When you create a user with
the CREATE USER statement, the user's privilege domain is empty. To log on to Oracle Database, a
user must have the CREATE SESSION system privilege. Therefore, after creating a user, you should
grant the user at least the CREATE SESSION system privilege. Refer to GRANT for more
information.

Only a user authenticated AS SYSASM can issue this command to modify the Automatic Storage
Management instance password file.

The BY password clause lets you create a local user and indicates that the user must specify a
password to log on to the database. Passwords are case sensitive. Any subsequent
CONNECT string used to connect this user to the database must specify the password using the
same case (upper, lower, or mixed) that is used in this CREATE USER statement or a subsequent
ALTER USER statement. Passwords can contain any single-byte, multibyte, or special characters, or
any combination of these, from your database character set.

Specify EXTERNALLY to create an external user. Such a user must be authenticated by an external
service, such as an operating system or a third-party service. In this case, Oracle Database relies on
authentication by the operating system or third-party service to ensure that a specific external user
has access to a specific database user.

The GLOBALLY clause lets you create a global user. Such a user must be authorized by the
enterprise directory service (Oracle Internet Directory).

The directory_DN string can take one of two forms:

• The X.509 name at the enterprise directory service that identifies this user. It should be of the
form CN=username,other_attributes, where other_attributes is the rest of the user's distinguished
name (DN) in the directory. This form creates a private global schema.

• A null string (' ') indicating that the enterprise directory service will map authenticated global users
to this database schema with the appropriate roles. This form is the same as specifying
the GLOBALLY keyword alone and creates a shared global schema.

DEFAULT TABLESPACE Clause

Specify the default tablespace for objects that the user creates. If you omit this clause, then the user's
objects are stored in the database default tablespace. If no default tablespace has been specified for
the database, then the user's objects are stored in the SYSTEM tablespace.

Restriction on Default Tablespaces: You cannot specify a locally managed temporary tablespace,
including an undo tablespace, or a dictionary-managed temporary tablespace, as a user's default
tablespace.

TEMPORARY TABLESPACE Clause

Specify the tablespace or tablespace group for the user's temporary segments. If you omit this clause,
then the user's temporary segments are stored in the database default temporary tablespace or, if
none has been specified, in the SYSTEM tablespace.
• Specify tablespace to indicate the user's temporary tablespace.
• Specify tablespace_group_name to indicate that the user can save temporary segments in any
tablespace in the tablespace group specified by tablespace_group_name.

Restrictions on Temporary Tablespace: This clause is subject to the following restrictions:
• The tablespace must be a temporary tablespace and must have a standard block size.
• The tablespace cannot be an undo tablespace or a tablespace with automatic segment-space
management.

QUOTA Clause

Use the QUOTA clause to specify the maximum amount of space the user can allocate in the
tablespace. A CREATE USER statement can have multiple QUOTA clauses for multiple tablespaces.
UNLIMITED lets the user allocate space in the tablespace without bound.

Restriction on the QUOTA Clause: You cannot specify this clause for a temporary tablespace.

PROFILE Clause

Specify the profile you want to assign to the user. The profile limits the database resources the user
can use and also carries the account's password policy (failed login attempts, password lifetime and
reuse, and the password verification function). If you omit this clause, then Oracle Database assigns
the DEFAULT profile to the user.

PASSWORD EXPIRE Clause

Specify PASSWORD EXPIRE if you want the user's password to expire. This setting forces the user
or the DBA to change the password before the user can log in to the database.

ACCOUNT Clause

Specify ACCOUNT LOCK to lock the user's account and disable access.
Specify ACCOUNT UNLOCK to unlock the user's account and enable access to the account.

Creating a Database User: Example

If you create a new user with PASSWORD EXPIRE, then the user's password must be changed before
the user attempts to log in to the database. You can create the user sidney by issuing the following
statement:

CREATE USER sidney
    IDENTIFIED BY out_standing1
    DEFAULT TABLESPACE example
    QUOTA 10M ON example
    TEMPORARY TABLESPACE temp
    QUOTA 5M ON system
    PROFILE app_user
    PASSWORD EXPIRE;

Creating External Database Users: Example

An external user must be identified by an external source before accessing the database. To create a
user accessible only by an operating system account, prefix the user name with the value of the
initialization parameter OS_AUTHENT_PREFIX. For example, if this value is "ops$", then you can create
the externally identified user ops$malik with the following statement:

CREATE USER ops$malik
    IDENTIFIED EXTERNALLY
    DEFAULT TABLESPACE example
    QUOTA 5M ON example
    PROFILE P_ACC;

Creating a Global Database User: Example

The following example creates a global user. When you create a global user, you can specify the
X.509 name that identifies this user at the enterprise directory server:

CREATE USER global_user
    IDENTIFIED GLOBALLY AS 'CN=analyst, OU=division1, O=oracle, C=US'
    DEFAULT TABLESPACE example
    QUOTA 5M ON example;

create user milky identified by milky;
grant connect to milky;
grant create table to milky;
alter user milky quota 1m on users;

CREATE USER milky2 IDENTIFIED BY milky2
    DEFAULT TABLESPACE "USERS"
    TEMPORARY TABLESPACE "TEMP";
ALTER USER "MILKY2" QUOTA 2M ON USERS;
GRANT "CONNECT" TO "MILKY2";
GRANT CREATE TABLE TO "MILKY2";
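The classroom statements above set the password equal to the user name, attach no profile, and reach CREATE SESSION through the CONNECT role. The following is an added example, not part of the lesson, showing how the same CREATE USER clauses are combined when provisioning a least-privilege account in practice. It assumes the USERS and TEMP tablespaces and the HR schema from the lesson exist, that the ORA12C_STRONG_VERIFY_FUNCTION shipped with Oracle Database 12c and later has been installed (catpvf.sql); the profile name app_secure, the user name app_reader and the initial password are hypothetical.

```sql
-- Added example (not from the lesson): hardened provisioning of a read-only account.
-- Assumptions: tablespaces USERS and TEMP exist; HR.EMPLOYEES / HR.DEPARTMENTS exist;
-- ora12c_strong_verify_function is installed. Names app_secure / app_reader are hypothetical.

-- 1. Profile: password limits are always enforced; the resource limits at the end
--    (SESSIONS_PER_USER, IDLE_TIME) apply only when RESOURCE_LIMIT = TRUE.
CREATE PROFILE app_secure LIMIT
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24      -- lock for one hour (fraction of a day)
    PASSWORD_LIFE_TIME       90        -- days
    PASSWORD_GRACE_TIME      7
    PASSWORD_REUSE_MAX       10
    PASSWORD_REUSE_TIME      365
    PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function
    SESSIONS_PER_USER        3
    IDLE_TIME                30;       -- minutes

-- 2. Account: empty privilege domain, no space to create objects, one-time
--    initial password that must be changed at first login (PASSWORD EXPIRE).
CREATE USER app_reader
    IDENTIFIED BY "Tmp#Pass-2024"      -- hypothetical initial password, expired below
    DEFAULT TABLESPACE users
    TEMPORARY TABLESPACE temp
    QUOTA 0 ON users                   -- a read-only account never creates objects
    PROFILE app_secure
    PASSWORD EXPIRE;

-- 3. Grant only what the account needs: CREATE SESSION directly (instead of the
--    CONNECT role, so the grant is explicit) and SELECT on the two HR tables.
GRANT CREATE SESSION TO app_reader;
GRANT SELECT ON hr.employees   TO app_reader;
GRANT SELECT ON hr.departments TO app_reader;

-- 4. Verify the result in the data dictionary (identifiers are stored in upper case).
SELECT username, account_status, profile, expiry_date
  FROM dba_users
 WHERE username = 'APP_READER';

SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'APP_READER';

SELECT owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'APP_READER';
```

Run the script as a user holding CREATE PROFILE and CREATE USER (for example SYSTEM). The last three queries are the check a reviewer would ask for: one system privilege (CREATE SESSION), two object privileges, none grantable, account status EXPIRED until the first login changes the password.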

Privileges

• Database security:
– System security
– Data security
• System privileges: Performing a particular action within the database
• Object privileges: Manipulating the content of the database objects

Schemas
A schema is a collection of objects such as tables, views, and sequences. The schema is owned by a
database user and has the same name as that user.

System privileges

With Oracle Server database security, you can do the following:


• Control database access.
• Give access to specific objects in the database.
• Confirm given and received privileges with the Oracle data dictionary.

Database security can be classified into two categories: system security and data security.

System security covers access and use of the database at the system level, such as the username
and password, the disk space allocated to users, and the system operations that users can perform.
Data security covers access and use of the database objects and the actions that those users
can perform on the objects.

• More than 100 system privileges are available.
• The database administrator has high-level system privileges for tasks such as:
  – Creating new users
  – Removing users
  – Removing tables
  – Backing up tables

User System Privileges

– CREATE SESSION
– CREATE TABLE
– CREATE SEQUENCE
– CREATE VIEW
– CREATE PROCEDURE

Object Privileges

An object privilege is a privilege or right to perform a particular action on a specific table, view,
sequence, or procedure.

• Object privileges vary from object to object.
• An owner has all the privileges on the object.
• An owner can give specific privileges on that owner's object.

grant select, update on hr.employees to milky;
grant delete on hr.departments to milky;

Role

A role is a named group of related privileges that can be granted to a user or to another role.
Granting and revoking through roles makes privileges easier to maintain: changing what the role
contains changes the access of every grantee at once.

Passing On Your Privileges

A privilege that is granted with the WITH GRANT OPTION clause can be passed on to other users
and roles by the grantee.

Data dictionary views for confirming given and received privileges:

ROLE_SYS_PRIVS
ROLE_TAB_PRIVS
USER_ROLE_PRIVS
USER_SYS_PRIVS

Unquoted identifiers are stored in upper case, so the grantee is compared as 'MILKY'.

System privileges held by MILKY:
select *
from dba_sys_privs
where grantee = 'MILKY';

Object privileges held by MILKY:
select *
from dba_tab_privs
where grantee = 'MILKY';

Roles granted to MILKY:
select *
from dba_role_privs
where grantee = 'MILKY';

Privileges assigned to Roles


ROLE_ROLE_PRIVS
ROLE_SYS_PRIVS
ROLE_TAB_PRIVS
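The Role paragraph above and the dictionary views just listed come together in the following added example, which is not part of the lesson. It bundles the two object privileges the lesson grants on HR tables into a role, grants the role to the lesson's user milky2, and then uses the dictionary views to confirm what was granted and through which path. The role name hr_readonly is hypothetical; everything else is taken from the lesson.

```sql
-- Added example (not from the lesson): role-based grants plus verification.
-- Assumes HR.EMPLOYEES, HR.DEPARTMENTS and user MILKY2 exist; role hr_readonly is hypothetical.

-- 1. Privileges live on the role, not on individual users.
CREATE ROLE hr_readonly;
GRANT SELECT ON hr.employees   TO hr_readonly;
GRANT SELECT ON hr.departments TO hr_readonly;

-- 2. Grant the role to the account (default-enabled at login).
GRANT hr_readonly TO milky2;

-- 3. What the role carries. ROLE_TAB_PRIVS is visible to users who hold the role;
--    the DBA_* queries below need DBA access.
SELECT role, owner, table_name, privilege, grantable
  FROM role_tab_privs
 WHERE role = 'HR_READONLY';

-- 4. Who holds the role, and whether they may pass it on (ADMIN_OPTION).
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'HR_READONLY';

-- 5. Effective object privileges of MILKY2. DBA_TAB_PRIVS lists only direct grants,
--    so grants received through roles must be joined in via DBA_ROLE_PRIVS.
--    (Single level only; nested roles need a recursive query.)
SELECT tp.grantee AS granted_to, tp.owner, tp.table_name, tp.privilege
  FROM dba_tab_privs tp
 WHERE tp.grantee = 'MILKY2'
    OR tp.grantee IN (SELECT granted_role
                        FROM dba_role_privs
                       WHERE grantee = 'MILKY2')
 ORDER BY tp.owner, tp.table_name;

-- 6. Removing access is a single statement, however many privileges the role carries.
REVOKE hr_readonly FROM milky2;
```

One caveat worth remembering when auditing with these views: privileges a user receives only through a role are not available inside that user's definer's-rights PL/SQL units (procedures, functions, packages, triggers); code that must read HR.EMPLOYEES from a stored procedure needs a direct grant, which is why step 5 distinguishes the two paths.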

Revoking Object Privileges

• You use the REVOKE statement to revoke privileges granted to other users.
• Object privileges that the grantee passed on through the WITH GRANT OPTION clause are also
revoked (the revocation cascades). Revoking a system privilege or a role does not cascade to users
who received it from the grantee; those grants must be revoked separately.
• An object privilege is revoked with REVOKE privilege ON object FROM user; a system privilege or
role with REVOKE privilege FROM user, for example:

revoke create user from milky;
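The cascade described above, as an added example that is not part of the lesson. It uses the lesson's HR.EMPLOYEES table and users milky and milky2, and is written as a SQL*Plus script: CONNECT with a user name alone prompts for the password, so no password appears in the script or in the command history.

```sql
-- Added example (not from the lesson): cascading revoke through WITH GRANT OPTION.
-- Assumes HR.EMPLOYEES and users MILKY and MILKY2 exist and can log in.

CONNECT hr
-- The owner lets MILKY read EMPLOYEES and re-grant that right.
GRANT SELECT ON hr.employees TO milky WITH GRANT OPTION;

CONNECT milky
-- MILKY passes the right on without GRANT OPTION, so the chain ends at MILKY2.
GRANT SELECT ON hr.employees TO milky2;

CONNECT hr
-- As object owner, HR sees every grant on its table in ALL_TAB_PRIVS.
-- GRANTOR records who issued each grant: HR for MILKY's row, MILKY for MILKY2's row;
-- GRANTABLE is YES only for MILKY.
SELECT grantee, grantor, privilege, grantable
  FROM all_tab_privs
 WHERE table_schema = 'HR'
   AND table_name   = 'EMPLOYEES'
   AND grantee IN ('MILKY', 'MILKY2');

-- Revoking MILKY's privilege also removes the dependent grant MILKY made to MILKY2;
-- HR never has to know that MILKY2 existed.
REVOKE SELECT ON hr.employees FROM milky;

-- Re-running the query now shows neither user.
SELECT grantee, grantor, privilege, grantable
  FROM all_tab_privs
 WHERE table_schema = 'HR'
   AND table_name   = 'EMPLOYEES'
   AND grantee IN ('MILKY', 'MILKY2');

-- Contrast: roles and system privileges do not cascade. If a DBA grants a role
-- to MILKY WITH ADMIN OPTION and MILKY grants it to MILKY2, revoking the role
-- from MILKY leaves MILKY2's grant in place until it is revoked explicitly.
```

The practical consequence for access reviews is that an object-privilege grant chain can be cut at its root, whereas a role or system privilege handed out WITH ADMIN OPTION has to be traced through DBA_ROLE_PRIVS and DBA_SYS_PRIVS and revoked grantee by grantee.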

Changing Your Password

A DBA (or a user, for their own account) changes a password with ALTER USER:

alter user milky2 identified by Milky2pwd;

In SQL*Plus a user can also change their own password with the PASSWORD command. It prompts for
the old and new passwords without echoing them, so the new password does not appear on the
command line or in the session history the way it does in a CONNECT user/password string:

SQL> connect milky/milky


Connected.
SQL> password
Changing password for MILKY
Old password:
New password:
Retype new password:
Password changed
SQL>

----- END -----------------------------------------------