DB Apps Users and Responsibilities

8/12/2019 DB Apps Users and Responsibilities

1/14

Database User Administration

Database User administration:

Privileges:

The abi l i t y t o sel ect i vel y gr ant t he r i ght t o mani pul at e and accessi nf or mat i on t hr ough pr i vi l eges i s i nt egr al t o assur e t he secur i t y of

t he dat abase. Pr i vi l eges have been gr eat l y enhanced hi st ori cal l y i nOr acl e7 t o al l ow t he DBA t o have more gr anul ar cont r ol over a user spr i vi l ege. Whi l e v6 had 3 pr i vi l eges ( Connect , Resour ce, DBA) t hatcoul d be granted to a user , we now have many mor e.

I n Or acl e7 we i nt r oduced t wo di st i nct t ypes of pr i vi l eges:

Syst em pr i vi l eges Obj ect pr i vi l eges

System privileges:-

Gi ve a user t he r i ght t o per f or m a par t i cul ar act i on or t o per f or m apar t i cul ar act i on on a

Par t i cul ar t ype of obj ect . Thi s i ncl udes cr eat i ng, dr oppi ng andal t er i ng t abl es, vi ews, r ol l back segment s, and pr ocedur es. Si nce systempr i vi l eges ar e power f ul pr i vi l eges t hey ar e nor mal l y gr ant ed onl y t oadmi ni st r at i ve r ol es.

Object privileges:

Obj ect pr i vi l eges al l ow access and mani pul at i on of a speci f i c obj ect .For exampl e, sel ect i ng, del et i ng, i nser t i ng, and r ef er enci ng par t i cul art abl es, vi ews, sequences and pr ocedur es. These are nor mal l y gr ant ed t oend- user s so t hat t hey can per f or m speci f i c oper at i ons. The di st i nct i onbet ween the two t ypes of pr i vi l eges i s ver y i mport ant , becausedi f f er ent r ul es and r est r i ct i ons appl y to each. Addi t i onal l y, many

schema obj ect s l i ke cl ust er s, i ndexes, t r i gger s and dat abase l i nks ar econt r ol l ed usi ng syst em pr i vi l eges.

Roles:

I n order t o ef f ect i vel y manage these pr i vi l eges, Or acl e7 pr ovi ded t heuse of obj ect s cal l ed r ol es. Pr i vi l eges can be gr ouped t oget her andgr ant ed t o the rol e whi ch i s t hen gr ant ed t o user s or ot her r ol es. Bot hsyst em and obj ect pr i vi l eges can be gr ant ed a r ol e. Anyone wi t hpr i vi l ege t o gr ant t hese pr i vi l eges can gr ant t hem t o a r ol e.Pr i vi l eges wi l l cascade f r om t he par ent r ol e t o t he chi l d r ol e. Rol escan thus be used i n combi nat i on t o f ur t her cont r ol access grant ed t oend users .

For exampl e, t he ACCOUNTI NG_DEPT and FI NANCE_DEPT r ol es can be gr antedt o t he MANAGER r ol e whi ch i s t hen gr ant ed t o t he Fi nance and Account i ngManager s t o al l ow t hem access t o each ot her s appl i cat i ons. Empl oyees oft he Account i ng and Fi nance depar t ment s onl y have access t o thei r ownappl i cat i ons t hrough t he ACCOUNTI NG_DEPT and FI NANCE_DEPT r ol es.

Al t hough rol es can be gr ant ed t o ot her r ol es, t hey cannot be gr ant ed i na ci r cul ar f ashi on. For exampl e, Rol e A can be gr ant ed t o Rol e B, butt hen Rol e B cannot i n t urn be grant ed t o Rol e A. Rol es ar e not owned by

________________________________________________________________________Wissen Mattel Internal Page 1 of 14


2/14


anyone and do not bel ong to any schema. Rat her i n a f ashi on t hey aremore l i ke schema user s t hemsel ves si nce they are natur al l y admi ni st eredi n dat a di ct i onar y t abl e USER$ ( but vi si bl e i n DBA_ROLES, notDBA_USERS) . Theref or e r ol es must be uni quel y named amongst al l t heuser names and r ol e names on t he dat abase. They can be cr eated by usi nga si mpl e ' CREATE ROLE' st atement i f t he user has t he ' CREATE ROLE'pr i vi l ege. Si nce r ol es are not owned by t hei r cr eat or, t he user whocr eated t he rol e can be dr opped wi t hout any ef f ect on t he rol e.

Role Advantages:

Ther e ar e sever al i mpor t ant advant ages t o usi ng r ol es f or pr i vi l egemanagement . By combi ni ng r el ated pr i vi l eges i nt o a si ngl e r ol e, t he DBAcan str eaml i ne the task of gr ant i ng mul t i pl ePri vi l eges to mul t i pl e users . The DBA can gr ant or r evoke severalpr i vi l eges t o a r ol e, t hen gr ant t hat r ol e t o mul t i pl e user s. Thus, t heuse of r ol es can dr amat i cal l y reduce t he need t o i ndi vi dual l yadmi ni st er mul t i pl e pr i vi l eges per user .

Addi t i onal l y, r ol es al l evi at e t he need f or t he DBA t o r emember t hei ndi vi dual pr i vi l eges r equi r ed f or a new user . I f r ol es ar e used t or ef l ect a cer t ai n j ob ( f or exampl e, ACCOUNTI NG_DEPT r ol e) , t he DBA doesnot need t o r emember what i ndi vi dual grant s ar e needed f or t he newempl oyee of t he Account i ng Depart ment . He wi l l si mpl y gr ant t heACCOUNTI NG_DEPT rol e t o t he new user .

Rol es al so al l ow t he DBA t o dynami cal l y change t he users pr i vi l eges ast he responsi bi l i t i es change. For exampl e, i f t he empl oyees of t heAccount i ng Depar t ment now need access t o addi t i onal t abl es, t he DBA cansi mpl y gr ant t he appr opr i ate pr i vi l eges to the ACCOUNTI NG_DEPT r ol e.Such a change wi l l af f ect al l user s t hat have been gr at ed t hi s r ol e i none command.

Note: t he use of r ol es has no ef f ect on expl i ci t l y gr ant ed pr i vi l eges.

Role Limitations:

I n order t o ef f ect i vel y use rol es, t he DBA must al so under st and t hei rl i mi t at i ons. I n gener al , a user cannot acqui r e a DML pr i vi l ege neededt o per f or m a DDL oper at i on vi a r ol e. The user must be expl i ci t l ygr ant ed t he necessary obj ect pr i vi l ege. A user cr eat i ng a vi ew onanot her user ' s t abl e cannot r ecei ve t he pr i vi l ege t o sel ect f r om t het abl e t hr ough a r ol e. I t i s concept ual l y i mpor t ant t o under st and t hatt he pr i vi l eges assi gned t o a r ol e can be associ at ed wi t h a user sessi ononl y and t hese pr i vi l eges cannot be i nher i t ed by any obj ect s ( vi ews,

st or ed procedures) t hat are owned by a user who happens t o have beengr ant ed the r ol e.

I n addi t i on i f t he user want s t o gr ant ot her s access t o hi s vi ew t hent he vi ew cr eat or must have been grant ed t he obj ect pr i vi l ege on t heunder l yi ng t abl es ' WI TH GRANT OPTI ON' .

For exampl e, User A has a t abl e , User B want s t o cr eat e a vi ew basedon t hi s t abl e. User B must be expl i ci t l y gr ant ed sel ect on t he t abl e t o



3/14


cr eate a vi ew. I f , however , User B want s t o gr ant hi s vi ew t o User C,User A must al so gr ant hi m sel ect ' WI TH GRANT OPTI ON' .

Si mi l ar l y when cr eat i ng pr ocedur es, t he user who i s cr eat i ng apr ocedur e must have access t o the under l yi ng obj ects r ef erenced i n t hebody of t he pr ocedur e. Al t hough these pr i vi l eges cannot be gr ant ed vi aa r ol e, t he r i ght t o execut e the pr ocedur e can. Ther ef ore, a user whoi s execut i ng a pr ocedur e requi r es onl y EXECUTE pr i vi l ege on thepr ocedur e and does not r equi r e any access t o t he r ef erenced obj ects.

Thi s r educes t he number of pr i vi l eges t hat need t o be granted t o user sand al so enhances dat abase secur i t y. The same appl i es t o a user want i ngt o r ef er ence anot her ' s t abl e. The ref er enced pr i vi l ege must beexpl i ci t l y gr ant ed t o t he user .

Granting Roles and Privileges:

I n order f or r ol es and pr i vi l eges t o be ef f ect i ve, t hey must be gr ant edt o t he users. Any user wi t h ' GRANT ANY ROLE' pr i vi l ege can gr ant r ol es.Any syst empr i vi l ege or r ol e can be gr ant ed ' WI TH ADMI N OPTI ON' t o

al l ow t he gr ant ee t o i n t ur n gr ant t he pr i vi l ege or r ol e. The gr ant ee WI TH ADMI N OPTI ON' can gr ant or r evoke t he pr i vi l ege or r ol e to orf r om any user or r ol e i n t he dat abase. The gr ant ee can al so al t er ordr op t he rol e. Si nce ' WI TH ADMI N OPTI ON' i s so power f ul , ext r emecaut i on needs t o be t aken when gr ant i ng t hi s pr i vi l ege.

The user who cr eates a r ol e i s automat i cal l y gr anted ' WI TH ADMI NOPTI ON' on t hat r ol e. Obj ect pr i vi l eges can be gr ant ed by t he creat or ,or one who i s gr ant ed ' WI TH GRANT OPTI ON' on t he obj ect . The usergr ant ed an obj ect pr i vi l ege al so gr ant ' WI TH GRANT OPTI ON' . Gr ant s t o auser t ake ef f ect i mmedi at el y wher eas gr ant s t o r ol es r equi r e t he r ol et o be enabl ed.

Addi t i onal l y, syst em pr i vi l eges and rol es cannot be gr ant ed wi t h obj ectpr i vi l eges i n t he same GRANT st at ement .

Fi nal l y, obj ect pr i vi l eges may not be gr ant ed ' WI TH GRANT OPTI ON' t o ar ol e si nce t he RDBMS does not al l ow obj ect pr i vi l eges to be pr opagatedt hr ough rol es. The ' WI TH ADMI N OPTI ON' i s not val i d when gr ant i ng ar ol e t o anot her r ol e.

Examples:

Gr ant i ng obj ect pr i vi l ege t o a r ol e:

SQL> GRANT SELECT ON account s TO anal yst ;

Gr ant i ng syst em pr i vi l ege t o a r ol e:

SQL> GRANT CREATE SESSI ON TO anal yst ;

Gr ant i ng r ol e AND abi l i t y to gr ant r ol e t o a user :

SQL> GRANT anal yst TO st i ger WI TH ADMI N OPTI ON;

Revoking Roles and Privileges:



4/14


A user wi t h the r i ght t o gr ant has t hat same r i ght t o r evoke. Revoker est r i ct i on on a pr i vi l ege i s dependent on t he t ype of pr i vi l ege.

For exampl e, any user wi t h the ' WI TH ADMI N OPTI ON' on a syst empr i vi l ege can r evoke system pr i vi l eges. However , onl y the gr ant or of anobj ect pr i vi l ege can r evoke i t . Obj ect execut i on can be af f ect ed, i ft he cr eat or' s pr i vi l ege i s r evoked, but not when t he r evoke i s made t oa rol e.

Revoki ng pr i vi l ege f r om a r ol e never causes vi ews or pr ocedur es t o f ai lbecause execut i on uses onl y pr i vi l eges di r ect l y gr ant ed t o t he owner oft he vi ew or t he pr ocedur e. Dependi ng on t he type of pr i vi l ege, t her emay or may not be cascadi ng ef f ect s i f a pr i vi l ege i s r evoked. Ther ear e no cascadi ng ef f ect s when revoki ng a system pr i vi l ege rel at ed toDDL oper at i ons r egardl ess of whet her t he pr i vi l ege was grant ed wi t h orwi t hout t he ' WI TH ADMI N OPTI ON' .

For exampl e, i f user A has grant ed t he ' CREATE TABLE' pr i vi l ege to userB who then cr eat es a t abl e, a revoke of user A' s pr i vi l ege, doesn' t

dr op any of hi s obj ect s and user B can st i l l cr eat e t abl es.

However , cascadi ng ef f ects wi l l be obser ved when r evoki ng a syst empr i vi l ege r el ated t o a DML operat i on. I f SELECT ANY TABLE i s r evokedf r oma user , t hen al l pr ocedur es cont ai ned i n t he users schema r el yi ngon t hi s pr i vi l ege wi l l f ai l unt i l t he pr i vi l ege i s reaut hor i zed.

Revoki ng an obj ect pr i vi l ege can have sever al cascadi ng ef f ect s t hatmust be i nvest i gated bef ore i ssui ng the REVOKE. Obj ect execut i on can beaf f ected, i f t he creat or s pr i vi l ege i s r evoked.

For exampl e, a pr ocedur e t hat r equi r es t he cr eat or t o have SELECT on at abl e, wi l l f ai l i f t hi s access i s then r evoked. Si mi l ar l y, vi ewscr eat ed on t hat t abl e wi l l now f ai l . When r evoki ng t he REFERENCESpr i vi l ege, t he r evoke st atement must i ncl ude the ' CASCADE CONSTRAI NTS'opt i on, so t hat const r ai nt s t he user no l onger has pr i vi l eges on ar edr opped.

For exampl e, user A has r ef er ence pr i vi l ege to user B' s t abl e. He i nt ur n cr eat es a const r ai nt on hi s tabl e based on t hi s pr i vi l ege. Ther evoker must use ' CASCADE CONSTRAI NTS' whi ch wi l l t hen drop user A' sconst r ai nt . Al so, t he user s pr i vi l ege r ecei ved t hr ough t he use of ' WI THGRANT OPTI ON' ar e r evoked i f t he gr ant ors obj ect pr i vi l ege i s r evoked.Assume t hat user A has been grant ed .

SELECT on a t abl e ' WI TH GRANT OPTI ON' and t hen grants SELECT on t hatt abl e t o user B. I f user A' s pr i vi l ege i s r evoked, t hen User B can no

l onger sel ect f r om t he t abl e.

A good r ul e of t humb i s t hat DML r evokes wi l l cascade, wher eas DDLr evokes do not . So, i f user B had cr eat ed a vi ew based on t he tabl e,user B' s vi ew no l onger i s val i d when user A l oses t he sel ectpr i vi l ege. Fi nal l y, i f a pr i vi l ege r el at ed t o a DML oper at i on i sr evoked f r om PUBLI C, al l pr ocedur es i n t he dat abase rel yi ng on t hi spr i vi l ege ( i ncl udi ng f unct i ons and packages) must be r eaut hori zedbef or e t hey can be used agai n.



5/14


Note: The ' WI TH ADMI N OPTI ON' or ' WI TH GRANT OPTI ON' can not besel ect i vel y r evoked. The ent i r e pr i vi l ege must be r evoked t henr egr ant ed wi t hout t hese opt i ons.

Oracle Apps Tutorials :

Sys Admin - Users and Responsibilities:

Thi s t ut or i al provi des you wi t h a concept ual over vi ew of user s andr esponsi bi l i t i es, cover i ng t he f ol l owi ng t opi cs: Cr eat i on of User ,Cr eat i on of Responsi bi l i t i es and Assi gni ng Responsi bi l i t i es t o User s.

Overview

User s and Responsi bi l i t i es ar e cr eat ed i n or acl e appl i cat i ons i n or dert o cont r ol t he access t o the dat a. User s are assi gned a set ofr esponsi bi l i t i es t hr ough whi ch t hey can r et r i eve or modi f y cer t ai n setof dat a. Responsi bi l i t y i s a gr oupi ng of access i n a l ogi cal manner .Account s payabl e responsi bi l i t y woul d cont ai n al l t he pr i vi l eges t o

cr eate i nvoi ces, make payment s etc. Al l t he users f r omt he payabl esdepart ment woul d be gi ven t hi s r esponsi bi l i t y. You can cr eat e users ,r esponsi bi l i t y thr ough syst em admi ni st r at or r esponsi bi l i t y i n or acl eappl i cat i ons.

Creation of User

Navi gat i on Syst em Admi ni st r at or - >Secur i t y - > User - > Def i ne



6/14


Fi gur e 1. Cr eate User Navi gat i on

Fol l ow t he above t he navi gat i on pat h and cl i ck on Def i ne. You wi l l seef ol l owi ng screen i n f r ont of you.

Fi gur e 2. Cr eate User



7/14


Fi gur e 3. Cr eat e User I ndi r ect Responsi bi l i t i es



8/14


Fi gur e 4. Cr eat e User Secur i ng At t r i but es

Fields

User Name - Gi ve t he user name i n t hi s f i el d.

Password - Ent er desi r ed password t wi ce i n t hi s f i el d. You woul d ber equi r ed to change the password when you l ogi n f i r st t i me wi t h thi suser name.

Descr i pt i on - Pr ovi de br i ef descr i pt i on of t he user i n t hi s f i el d.

Password Expi r at i on - Days - No. of Days af t er whi ch t he passwordwi l l expi r e f or t he user .

Accesses - No. of Accesses af t er whi ch t he password wi l l expi r e f ort he user .

None - The password wi l l never expi r e

Per son - You can at t ach empl oyee t o t hi s user . Thi s i s used f or HRMSappl i cat i ons

Cust omer - To at t ach cust omer t o t hi s user .

Suppl i er - To at t ach suppl i er t o t hi s user .



9/14


Emai l - Pr ovi de emai l addr ess f or t he user . I t s use to sendnot i f i cat i ons t o the user t hr ough or acl e appl i cat i ons.

Fax - Fax number f or t he user .

Ef f ect i ve Dates - Fr om and To dat es between whi ch t he user woul d be

acti ve.

Responsi bi l i t i es - Li st of r esponsi bi l i t i es assi gned t o t he user .

Secur i ng at t r i but es are used by Or acl e HTML- based appl i cat i ons t o al l owr ows ( r ecor ds) of dat a t o be vi si bl e t o speci f i ed user s orr esponsi bi l i t i es based on t he speci f i c dat a (att r i but e val ues)cont ai ned i n t he row. You may assi gn one or more val ues f or any of t hesecur i ng at t r i but es assi gned t o t he user . I f a secur i ng at t r i but e i sassi gned t o both a r esponsi bi l i t y and t o a user , but t he user does nothave a val ue f or t hat secur i ng at t r i but e, no i nf or mat i on i s r et ur nedf or t hat at t r i but e.

For exampl e, t o al l ow a user i n t he ADMI N r esponsi bi l i t y t o see rowscont ai ni ng a CUSTOMER_I D val ue of 1000, assi gn t he secur i ng at t r i buteof CUSTOMER_I D t o t he ADMI N r esponsi bi l i t y. Then gi ve the user asecur i t y at t r i but e CUSTOMER_I D val ue of 1000.

When the user l ogs i nt o t he Admi n responsi bi l i t y, t he onl y cust omerdat a t hey have access t o has a CUSTOMER_I D val ue of 1000.

Fields

Attribute : Sel ect an at t r i but e you want used t o determi ne whi chr ecor ds t hi s user can access. You can sel ect f r om any of t he at t r i but esassi gned t o t he user ' s r esponsi bi l i t y.

Value : Ent er t he val ue f or t he at t r i but e you want used t o det er mi newhi ch r ecords t hi s user can access.

Creation of Responsibility

Navi gat i on Syst em Admi ni st r at or - >Secur i t y - > Responsi bi l i t y - >Def i ne



10/14


Fi gur e 5. Cr eat e Responsi bi l i t y Navi gat i on

Fol l ow t he above t he navi gat i on pat h and cl i ck on Def i ne. You wi l l seef ol l owi ng screen i n f r ont of you.



11/14


Fi gur e 6. Cr eat e Responsi bi l i t y

Fields

Responsibility Name - I f you have mul t i pl e r esponsi bi l i t i es, a pop- upwi ndow i ncl udes t hi s name af t er you si gn on.

Application - Thi s appl i cat i on name does not pr event t he user of t hi sr esponsi bi l i t y f r om accessi ng ot her appl i cat i ons' f or ms and f unct i onsi f you def i ne t he menu to access ot her appl i cat i ons.

Responsibility Key - Thi s i s a uni que name f or a r esponsi bi l i t y t hat i sused by l oader pr ogr ams. Loaders are concurr ent pr ogr ams used to " l oad"such i nf ormat i on as messages, user pr of i l es and user pr of i l e val uesi nt o your Or acl e Appl i cat i ons t abl es. To hel p ensur e t hat yourr esponsi bi l i t y key i s uni que t hr oughout your syst em, begi n eachResponsi bi l i t y Key name wi t h t he appl i cat i on shor t name associ at ed wi t hthi s r espons i bi l i t y.

Effective Dates From/To - Ent er t he st ar t / end dat es on whi ch t her esponsi bi l i t y becomes act i ve/ i nact i ve. The def aul t val ue f or t he st ar tdat e i s t he cur r ent dat e, and i f you do not ent er an end dat e, t herespons i bi l i ty i s val i d i ndef i ni t el y.

You cannot del et e a r esponsi bi l i t y because i t s i nf or mat i on hel ps t opr ovi de an audi t t r ai l . You can deact i vat e a r esponsi bi l i t y at any t i meby set t i ng t he end dat e to t he cur r ent dat e. I f you wi sh t o react i vat e



12/14


t he responsi bi l i t y, change t he end dat e t o a dat e af t er t he cur r entdat e, or cl ear t he end dat e.

Available From - A r esponsi bi l i t y may be associ at ed wi t h onl y oneappl i cat i ons syst em. Sel ect bet ween Or acl e Sel f - Ser vi ce WebAppl i cat i ons or Or acl e Appl i cat i ons.

Data Group - Name/ Appl i cat i on The dat a gr oup def i nes t he pai r i ng ofappl i cat i on and ORACLE user name. Sel ect t he appl i cat i on whose ORACLEuser name f orms connect t o when you choose t hi s r esponsi bi l i t y. TheORACLE user name det ermi nes t he dat abase tabl es and t abl e pr i vi l egesaccessi bl e by your r esponsi bi l i t y. Transact i on manager s can onl ypr ocess r equest s f r omr esponsi bi l i t i es assi gned t he same dat a gr oup ast he t r ansact i on manager .

Menu - The menu whose name you ent er must al r eady be def i ned wi t hOr acl e Appl i cat i ons.

Web Host Name - I f your Web Ser ver r esi des on a di f f er ent machi ne f r om

your dat abase, you must desi gnate the host name (URL) her e. Ot her wi se,t he Web Host Name def aul t s t o t he cur r ent database host ser ver .

Web Agent Name - Ent er t he PL/ SQL Agent Name f or t he dat abase used byt hi s r esponsi bi l i t y. I f you do not speci f y an Agent Name, t her esponsi bi l i t y def aul t s t o t he agent name cur r ent at l og- on.

Request Group Name/Application - I f you do not assi gn a requestsecur i t y gr oup t o t hi s responsi bi l i t y, a user wi t h t hi s responsi bi l i t ycannot r un r equest s, r equest sets, or concur r ent pr ogr ams f r omt heSubmi t Request s wi ndow, except f or r equest set s owned by t he user . Theuser can access r equest s f r om a Submi t Request s wi ndow you cust omi zewi t h a r equest group code t hrough menu paramet er s.

Menu Exclusions Block

Def i ne f unct i on and menu excl usi on r ul es t o r est r i ct t he appl i cat i onf uncti onal i t y accessi bl e t o a r esponsi bi l i t y.

Type : Sel ect ei t her Funct i on or Menu as t he t ype of excl usi on r ul e t oappl y agai nst t hi s r esponsi bi l i t y.

When you excl ude a f unct i on f r om a responsi bi l i t y, al loccur r ences of t hat f unct i on t hr oughout t he r esponsi bi l i t y' smenu st r uct ure ar e excl uded.

When you excl ude a menu, al l of i t s menu ent r i es, t hat i s, al lt he f unct i ons and menus of f unct i ons t hat i t sel ect s ar e

excl uded.

Name : Sel ect t he name of t he f unct i on or menu you wi sh t o excl ude f r omt hi s r esponsi bi l i t y. The f unct i on or menu you speci f y must al r eady bedef i ned i n Or acl e Appl i cat i ons.



13/14


Fi gur e 7. Cr eat e Responsi bi l i t y Excl uded I t ems

Excluded Items : Use t he Li st of Val ues t o sel ect val i d at t r i but es. Youcan assi gn any number of Excl uded At t r i but es t o a r esponsi bi l i t y



14/14


Fi gur e 8. Cr eat e Responsi bi l i t y Secur i ng At t r i but es


Documents

DB Apps Users and Responsibilities