Users let the database know who you are and what access authorizations you have. You must have the create user privilege to create a user. The user must have the create session privilege in order for the user to connect to the database.
When a user is created, the user is given a password, a default and a temporary tablespace. The user exists but the user cannot do anything, such as log on to the database. A user must be granted privileges to log on to the database and manipulate objects.
A username can have a maximum of 30 characters or numbers and contain no spaces, commas or special characters (!@#$%&*) "The username must begin with an alphabetic character unless you surround the name in double quotation marks ("). In general, Oracle recommends that you do not use the pound or dollar sign in a user name." [Carmichael, Theriault, Viscusi]
Users automatically created by Oracle when the database is created:
|
User-name |
Purpose |
Default password |
|
SYS |
|
CHANGE_ON_INSTALL |
|
SYSTEM |
|
MANAGER |
|
INTERNAL |
|
ORACLE |
|
PUBLIC |
|
N/A |
How to Create a User with SQL*Plus
SQL> desc dba_users
"DBA_USERS contains the list of all users who can access your database." [Carmichael, Theriault, Viscusi]
Select username, default_tablespace, and temporary_tablespace
SQL> select username,default_tablespace,temporary_tablespace
from dba_users;
SQL> desc dba_tablespaces
"The view DBA_TABLESPACES contains information and descriptions of all the tablespaces in the database." [Carmichael, Theriault, Viscusi]
SQL> select tablespace_name,status
from dba_tablespaces;
CREATE USER username IDENTIFIED BY password
DEFAULT TABLESPACE tablespace_name
TEMPORARY TABLESPACE tablespace_name
QUOTA size ON tablespace_name
PROFILE profile_name
PASSWORD EXPIRE
ACCOUNT LOCK|UNLOCK
|
Option |
Function |
|
DEFAULT TABLESPACE |
The tablespace "in which the user creates objects." You should always use the user_data tablespace for the default tablespace. |
|
TEMPORARY TABLESPACE |
The tablespace "in which temporary objects are created for the user’s operations." You should always use the temporary_data tablespace for the temporary tablespace. |
|
QUOTA |
"The amount of physical space within a tablespace that a user can allocate for objects."[Carmichael, Theriault, Viscusi] |
|
PROFILE |
"Assigns a named profile to the user to limit usage of the database resources." |
|
Makes the user’s password expire when they first log in. When you use this option, you will give the user an initial password, but after the user logs in the user will have to change his password. |
|
|
Allows you to lock and unlock the user’s account. When the user’s account is locked, no one can use it until it is unlocked. |
An Example of creating a user
SQL> create user tom identified by tom
default tablespace user_data
temporary tablespace temporary_data
quota 1M on user_data
quota 400K on temporary_data;
User created.
SQL> select tablespace_name,username,bytes,max_bytes
from dba_ts_quotas;
This view shows that Tom was given 1MB of available space in the user_data tablespace and 400K of available space in the temporary_data tablespace. The bytes column displays how much space has been used. The max_bytes column displays show much space is available. The negative one (-1) indicates that the user has unlimited space within the tablespace.
At the SQL prompt type:
SQL> grant create session to tom;
Grant succeeded.
alter user user_name option
SQL> alter user tom password expire;
User altered.
SQL> connect
Enter user-name: tom
Enter password: ***
ERROR:
ORA-28001: the account has expired
Changing password for tom
Old password: ***
New password: ****
Retype new password: ****
Connected.
SQL>
To use the ACCOUNT LOCK|UNLOCK option:alter user user_name option
SQL> alter user tom account lock;
User altered.
SQL> connect
Enter user-name: tom
Enter password: ****
ERROR:
ORA-2800: the account is locked
Warning: You are no longer connected to Oracle
SQL> connect
Enter user-name: SYSTEM
Enter password: *******
Connected.
SQL> alter user tom account unlock;
User altered.
SQL> connect
Enter user-name: TOM
Enter password: ****
Connected.
SQL>
To drop a user
The syntax for the drop user command:
drop user user_name [CASCADE]
Rules to follow when creating passwords:
The password command allows you to change your password. The syntax for the password command is:
The password command may be abbreviated to passw.
The user_name "is the user whose password you want to change. Usually only database administrators (DBA's) can change passwords for other users. You do not need to supply a username if you are changing your own password." [Gennick]
An example of TOM changing his password
SQL> password
Changing password for TOM
Old password: ****
New password: ***
Retype new password: ***
Password changed
SQL>
What is a profile?
"A profile is a set of specific resource limits that can be assigned to an Oracle username. Profiles give the DBA an easy and efficient way to manage resource usage within the database. Some of the resources that can be limited are:
Profile options applicable to
a Personal Oracle8 database: FAILED_LOGIN_ATTEMPTS: The maximum number of times a user can try to log in to the database with an incorrect log in. If the user exceeds the maximum, then his account is locked. PASSWORD_LIFE_TIME: The maximum number of days the user can use his password before having to change it. PASSWORD_REUSE_TIME: The minimum number of days before a password can be reused. PASSWORD_REUSE_MAX: The minimum number of times the user has to change his password before being able to reuse a previous password. PASSWORD_LOCK_TIME: How long the user’s account is locked after the user has exceeded the specified maximum number of failed login attempts. PASSWORD_GRACE_TIME: The number of days the user can continue to use
his password after it has expired. During this period, a warning message
displays each time the user logs in to the database. To create a profile: Use the create profile command. The syntax for the
create profile command: create profile profile_name limit
An example of creating a profile
SQL> create profile sam_user limit
failed_login_attempts 2
password_life_time 60
password_grace_time 5;
Profile created.
To assign a profile to a username that already exists:
An example
In this example, you will assign the profile sam_user to SAM. Because the user SAM already exists, use the alter user command.
SQL> alter user sam profile sam_user;
User altered.
To assign a profile to a username who does not already exist:
SQL> create user sally identified by guest
default tablespace user_data
temporary tablespace temporary_data
profile sam_user;
User created.
SQL> grant create session to sally;
Grant succeeded.
To check that the profile was created:
SQL> select * from dba_profiles
To check the password settings in effect for a username:
Enter user-name: sam
Enter password: ***
Connected.
To view the profile assigned to each user in the database:
SQL> select username, account_status, default_tablespace,
temporary_tablespace, profile
from dba_users
order by username;
The dba_users view displays the user’s account status, assigned default tablespace and temporary tablespace, and profile.
To drop a profile:
drop profile profile_name
"You must have DROP PROFILE system privilege." (Koch, Looney)
What is a role?
"A role is a named group of privileges granted to a user or another role." (Fieldhouse) "When a role is first created, it has no privileges associated with it." (Koch, Loney)
Why use roles rather than directly grant privileges to users?
"Rather than grant privileges to users directly, you grant privileges to a role and then grant the role to users. Now, when you add a new object, you only have to grant access to the role, and all users who are granted that role automatically inherit that access." In sum, roles make managing privileges easier.[Carmichael, Theriault, Viscusi]
A note on privileges: Oracle distinguishes between object privileges and system privileges. Object privileges allow you to manipulate data. "Object privileges include the following rights:
System privileges allow you to perform actions that affect the structure of the database. System privileges include the following rights:
To view information about all the roles that have been defined in the database:
SQL> select * from dba_roles;
Oracle creates 3 standard roles when the database is created:
|
Role name |
Privileges |
|
CONNECT |
|
|
RESOURCE |
|
|
DBA |
|
To view which roles are granted to each user or role in the database:
SQL> select grantee, granted_role
from dba_role_privs
order by grantee;
To view the privileges enabled for the current session whether granted directly or via roles
SQL> select * from SESSION_PRIVS;
order by privilege;
To view the roles enabled for the current session
SQL> select * from SESSION_ROLES;
order by role;
Note: The session_privs and session_roles views are available to all users.
There are two ways to create and grant roles: using SQL*Plus or the Navigator
SQL*Plus method
To create a role using SQL*Plus:
The syntax for the create role command:
SQL> create role assist;
Role created.
SQL>create role manager;
Role created.
An example of granting object privileges to a role using SQL*Plus:
Remember that when a role is first created, it has no privileges associated with it.
SQL> grant select on player to assist;
The privilege to select rows from the PLAYER table will now be available to any user who is granted the ASSIST role.
SQL> grant insert on player to assist;
To grant a role to another role using SQL*Plus:
The MANAGER role will inherit the privileges that have been granted to the ASSIST role.
To grant a role to a user using SQL*Plus:
SQL>grant manager to sally;
Now Sally will be able to insert, update, select, and delete rows from/to the PLAYER table.SQL>connect sally/guest;
SQL>select * from sam.player;
To revoke a role from a user or another role:
In this example, you will revoke the delete privilege from the MANAGER role.
Revoke succeeded.
To drop a role:
drop role role_name
This command drops the specified role.
"You must have drop any role system privilege." [Koch, Loney]
The Navigator method
To create a role using the Navigator: