Oracle Database - Roles & Profiles

ROLES

What is a Role ?
A role is group of related privileges that can be granted to the user. This method makes it easier to revoke and maintain privileges.

Roles : Set of privileges

Privileges : Set of permissions

Types of Privileges :

System Privilege ( create table, create view, create index, create user )
Object Privilege ( select, insert, update, delete )

Note :

Roles can contain system privileges
Roles can contain object privileges
Roles can contain roles

Creating Roles

	SQL> create role tesdbrole;
	Role created.

Create Password protection for Role

	SQL> create role tesdbrole1 identified by tesdbrole1;
	Role created.

Assign User to create Role

	SQL> grant create role to tes;
	SQL> conn tes/tes

Assigning multiple privileges in single role

	SQL> create role role_r1;
	Role created.

	SQL> grant select on tes_tab to role_r1;
	Grant succeeded.

	SQL>  grant select on tes_tab1 to role_r1;
	Grant succeeded.

	SQL> grant select on tes_tab2 to role_r1;
	Grant succeeded.

Checking Roles and privileges

SQL> select role, table_name, privilege
	 from role_tab_privs where role='ROLE_R1';

	ROLE		TABLE_NAME		PRIVILEGE
	------------------------------------------
	ROLE_R1		TES_TAB			SELECT
	ROLE_R1		TES_TAB2		SELECT


	ROLE		TABLE_NAME		PRIVILEGE
	------------------------------------------
	ROLE 		TABLE_NAME 		PRIVILEGE
	ROLE_R1		TES_TAB1		SELECT

Assigning Roles

	SQL> show user
	USER is "TES"
	SQL>
	SQL> grant role_r1 to scott;

	Grant succeeded.

	SQL> conn scott/tiger
	Connected.

	select role, table_name, privilege from role_tab_privs
	where owner='TES';

	ROLE		TABLE_NAME		PRIVILEGE
	---------------------------------------
 	ROLE_R1		TES_TAB			SELECT
 	ROLE_R1		TES_TAB2		SELECT


	ROLE		TABLE_NAME		PRIVILEGE
	--------------------------------------
 	ROLE_R1		TES_TAB1		SELECT

Create role to System Privileges

	SQL> create role tes_set;
	Role created.

	SQL> grant connect to  tes_set;
	Grant succeeded.

	SQL> grant datapump_exp_full_database,
	 datapump_imp_full_database to tes_set;
	Grant succeeded.

	1*  select granted_role from role_role_privs
	   where role='TES_SET'
	SQL> /

	GRANTED_ROLE
	-----------------------------
	DATAPUMP_IMP_FULL_DATABASE
	DATAPUMP_EXP_FULL_DATABASE
	CONNECT

	1*  revoke datapump_imp_full_database from tes_set
	SQL> /
	Revoke succeeded.

	SQL> drop role tes_set;
	Role dropped.

PROFILES

Profiles are a means to limit resources a user can use.
Default profile available in oracle database.
Oracle allow to create new profile with create profile statement.
These profiles assign to the user depend up on the user priority

SESSION_PER_USER
No. of allowed concurrent sessions for a user

CPU_PER_SESSION
CPU time limit for a session, expressed in hundredth of seconds.

CPU_PER_CALL
Specify teh CPU time limit for a call (a parse, execute, or fetch), expressed in hundredths of seconds.

CONNECT_TIME
Specify teh total elapsed time limit for a session, expressed in minutes.

IDLE_TIME
Specify teh permitted periods of continuous inactive time during a session, expressed in minutes.

LOGICAL_READS_PER_SESSION
Specify teh permitted number of data blocks read in a session, including blocks read from memory and disk

LOGICAL_READS_PER_CALL
permitted number of data blocks read for a call to process a SQL statement (a parse, execute, or fetch).

PRIVATE_SGA
SGA a session can allocate in teh shared pool of teh system global area (SGA), expressed in bytes.

FAILED_LOGIN_ATTEMPTS
No. of failed attempts to log in to the user account before the account is locked

PASSWORD_LIFE_TIME
No. of days the account will be open. after dat it will expiry.

PASSWORD_REUSE_TIME
number of days before which a password cannot be reused

PASSWORD_REUSE_MAX
number of days before which a password can be reused

PASSWORD_LOCK_TIME
Number of days teh user account remains locked after failed login

PASSWORD_GRACE_TIME
Number of grace days for user to change password

PASSWORD_VERIFY_FUNCTION
PL/SQL that can be used for password verification

To check the profiles for PASSWORD resource_type

	  1*  select resource_name, limit from dba_profiles
		  where resource_type='PASSWORD' and profile='DEFAULT'
	SQL> /



	RESOURCE_NAME FAILED_LOGIN_ATTEMPTS PASSWORD_LIFE_TIME PASSWORD_REUSE_TIME
	--------------- --------------- ---------------
	---------------
	
	LIMIT 10 180 UNLIMITED





	RESOURCE_NAME PASSWORD_REUSE_MAX PASSWORD_VERIFY_FUNCTION PASSWORD_LOCK_TIME
	--------------- --------------- ---------------
	---------------
	
	LIMIT UNLIMITED NULL 1





	RESOURCE_NAME PASSWORD_GRACE_TIME INACTIVE_ACCOUNT_TIME  
	--------------- --------------- ---------------  

	
	LIMIT 7 UNLIMITED  




	8 rows selected.

To check the profiles for KERNEL resource_type
	select resource_name, limit from dba_profiles where resource_type='KERNEL' and profile='DEFAULT'
	SQL> /

	
	
	
		RESOURCE_NAME COMPOSITE_LIMIT SESSIONS_PER_USER CPU_PER_SESSION
		------------------- ------------------- -------------------
		-------------------
		
		LIMIT UNLIMITED UNLIMITED UNLIMITED
		 
		 
	
	
		RESOURCE_NAME CPU_PER_CALL LOGICAL_READS_PER_SESSION LOGICAL_READS_PER_CALL
		------------------- ------------------- -------------------
		-------------------
		
		LIMIT UNLIMITED UNLIMITED UNLIMITED
			 
		 
	
	
		RESOURCE_NAME IDLE_TIME CONNECT_TIME PRIVATE_SGA
		------------------- --------------- --------------- ---------------
		LIMIT UNLIMITED UNLIMITED UNLIMITED
	
	
	
	
	9 rows selected.

Creating profile with session limit

	create profile tes_profile limit sessions_per_user 3
	SQL> /
	Profile created.

	SQL>  select distinct(profile) from dba_profiles;
	PROFILE
	------------------------------------------------------
	TES_PROFILE
	DEFAULT
	ORA_STIG_PROFILE

Creating profile with different parameters

	SQL> create profile tes_profile1 limit sessions_per_user unlimited
		cpu_per_session unlimited cpu_per_call 3000  connect_time 45
		logical_reads_per_session default logical_reads_per_call 1000;

	Profile created.

Setting profile to user

	SQL> alter user tes profile tes_profile;
	User altered.

	SQL> select username, profile  from dba_users where username ='TES';

	USERNAME	PROFILE
	--------	------------
	TES		TES_PROFILE

Alter the profile for cpu_per_cal

	SQL> alter profile tes_profile limit cpu_per_call default;
	Profile altered.

	SQL> select resource_name, limit  from dba_profiles  where resource_type='KERNEL'
	and profile='TES_PROFILE';




	RESOURCE_NAME COMPOSITE_LIMIT SESSIONS_PER_USER CPU_PER_SESSION
	--------------- --------------- ---------------
	---------------
	
	LIMIT DEFAULT 3 DEFAULT
	 
	 


	RESOURCE_NAME CPU_PER_CALL LOGICAL_READS_PER_SESSION LOGICAL_READS_PER_CALL
	--------------- --------------- ---------------
	---------------
	
	LIMIT DEFAULT DEFAULT DEFAULT
		 
	 


	RESOURCE_NAME IDLE_TIME CONNECT_TIME PRIVATE_SGA
	--------------- --------------- --------------- ---------------
	LIMIT DEFAULT DEFAULT DEFAULT




9 rows selected.

USER LOCKED

	SQL> conn tes
	Enter password:
	ERROR:
	ORA-28000: The account is locked.

	Warning: You are no longer connected to ORACLE.
	SQL>

CHECK THE USER STATUS

	SQL> select username, account_status from dba_users where username='TES';

	USERNAME		ACCOUNT_STATUS
	--------		-------------
	TES			LOCKED

UNLOCK THE USER

	SQL> alter user tes account unlock;

	User altered.

	SQL> select username, account_status from dba_users where username='TES';

	USERNAME		ACCOUNT_STATUS
	--------		-------------
	TES			OPEN

« Previous Next Topic » (Oracle Database - User Management)