User access privileges.

Managing user accounts.

Creating user account.

To create a user account, we use the CREATE USER statement. The general syntax of the statement is as follows

CREATE USER user_name
  IDENTIFIED { BY password | EXTERNALLY | GLOBALLY AS 'external_name'}
 [ DEFAULT TABLESPACE tablespace_name ]
 [ TEMPORARY TABLESPACE tablespace_name ]
 [ QUOTA { integer [K|M] | UNLIMITED } ON tablespace_name ]
 [ PROFILE profile_name ]
 [ PASSWORD EXPIRE ]
 [ ACCOUNT { LOCK | UNLOCK } ];

Oracle provides three types of authentication:

Database authentication. This is the default option. While creating a user we can provide her or his password by using IDENTIFIED BY clause. The password should not be included in single quotation marks.
External authentication. While using this type of authentication, Oracle only checks that the user is a legitimate user for that database; the password is validated by the operating system or network. Note: this method of authentication is not recommended to use on OS with security issues.
Global authentication. Oracle only checks that the user is a valid user for the database. The password is validated by the Oracle Security Service, a separately licensed and configured service.

If we use the PASSWORD EXPIRE clause in the CREATE USER statement, we tell Oracle that the user must change the password upon logging to the database for the first time.
To assign a specific table spaces, use the DEFAULT TABLESPACE and TEMPORARY TABLESPACE clauses.
The QUOTA clause sets the user quota on the table space specified. The size of the quota is given by the integer number and can be measured in bytes (no suffix), kilobytes (the suffix K), or megabytes (the suffix M).
To create an account, but do not give the user ability to do anything we can specify that this account is LOCKed. This option is especially useful, with ALTER USER command, when we do not want to remove a user (because user has some objects in his/her schema used by other users or applications), but we do want to disable the account. The default value is UNLOCK.
We can also specify the default user profile, and by doing this we can limit the resources that a user's session can consume.

Here is an example

CREATE USER bob
 IDENTIFIED BY secret_word
 PASSOWRD EXPIRE
 DEFAULT TABLESPACE student_space
 QUOTA 10M ON student_space
 DEFAULT PROFILE student;

Modifying user account.

To modify an existing account, we use the ALTER USER statement. The general syntax of the statement is very similar to one of the CREATE USER statement, but this command also allows us to set the default role

ALTER USER user_name
 [ IDENTIFIED { BY password [REPLACE old_passwd] | EXTERNALLY | GLOBALLY AS 'external_name'} ]
 [ DEFAULT TABLESPACE tablespace_name ]
 [ TEMPORARY TABLESPACE tablespace_name ]
 [ QUOTA { integer [K|M] | UNLIMITED } ON tablespace_name ]
 [ PROFILE profile_name ]
 [ PASSWORD EXPIRE ]
 [ ACCOUNT { LOCK | UNLOCK } ]
 [ DEFAULT ROLE { role_list | NONE | ALL [EXCEPT role_list] } ];

For example, we can reassign the password for the user bob and set the default role as student_role

ALTER USER bob
 IDENTIFIED BY password REPLACE secret_word
 DEAFULT ROLE student_role;

We can also lock an account by running

ALTER USER bob ACCOUNT LOCK;

Removing user account.

To drop a user we need to use the DROP USER statement. The syntax is as follows

DROP USER user_name [ CASCADE ];

Specify CASCADE to drop all objects in the user's schema before dropping the user. You must specify this clause to drop a user whose schema contains any objects.

If the user's schema contains tables, then Oracle drops the tables and automatically drops any referential integrity constraints on tables in other schemas that refer to primary and unique keys on these tables.
If this clause results in tables being dropped, then Oracle also drops all domain indexes created on columns of those tables and invokes appropriate drop routines.

Profile settings.

Profiles allow DBAa to manage groups of users by limiting resources consumption or setting password policies. All user accounts have a profile. If no profile is explicitly assigned to an account, the default profile is used.

Creating a profile

To create a profile, we use the CREATE PROFILE statement that has the following syntax

CREATE PROFILE profile_name LIMIT
 [ resource_parameter { value | UNLIMITED | DEFAULT } ]
 ...
 [ resource_parameter { value | UNLIMITED | DEFAULT } ]
 [ password_parameter { value | UNLIMITED | DEFAULT } ]
 ...
 [ password_parameter { value | UNLIMITED | DEFAULT } ];

where the kernel resource parameters and password parameters are listed in the table.

Profile settings
Option	Description
Kernel Resource Settings
`CONNECT_TIME`	Limits a session time to the specified number of minutes. When the `CONNECT_TIME` is exceeded, Oracle rolls back the current transaction and ends the session.
`IDLE_TIME`	Sets the maximum number of minutes that Oracle will wait between calls. When the `IDLE_TIME` is exceeded, Oracle rolls back the current transaction and ends the session. Long-running statements are not affected by this setting.
`CPU_PER_CALL`	Limits the amount of CPU time each database call can consume, in hundredths of a second. If a DB call exceeds this setting, the statement fails and rolls back, an error is returned, and the user can then commit or roll back the transaction.
`CPU_PER_SESSION`	Limits the total amount of CPU time each session can consume, in hundredths of a second. If a session exceeds this setting, the statement currently being executed fails and rolls back, an error is returned, and the user must either commit or roll back the transaction and end the session.
`LOGICAL_READS_PER_CALL`	Limits the number of logical reads that each database call can perform. Logical reads are computed as the sum of consistent gets and current mode gets. If a DB call exceeds this setting, the statement fails and rolls back, an error is returned, and the user can then commit or roll back the transaction.
`LOGICAL_READS_PER_SESSION`	Limits the number of logical reads that a session can perform. If a session exceeds this setting, the statement currently being executed fails and rolls back, an error is returned, and the user must either commit or roll back the transaction and end the session.
`SESSIONS_PER_USER`	Limits a number of database sessions that a user may have open concurrently.
`COMPOSITE_LIMIT`	Puts a ceiling on the number of service units that can be consumed during a user session. Service unit is calculated as weighted sum of `CPU_PER_SESSION`, `LOGICAL_READS_PER_SESSION`, `CONNECT_TIME`, and `PRIVATE_SGA` values. The weightings are established with the `ALTER RESOURCE COST` statement and are viewable from the `RESOURCE_COST` data dictionary view. This setting allows an administrator to cap the resource consumption of user groups in more complex way than a single resource limit.
`PRIVATE_SGA`	Limit the amount of SGA memory that a session connecting through a shared server can allocate to the UGA (User Global Area). The UGA contains private SQL areas, sort areas, and bitmap merge areas.
Password Resource Settings
`FAILED_LOGIN_ATTEMPTS`	Limits the number of times a user account can be accessed unsuccessfully. After the limit is reached, the account becomes locked.
`PASSWORD_LIFE_TIME`	Limit the number of days that a password will remain valid. After this limit is reached, the password will expire and need to be changed. The `PASSOWRD_GRACE_TIME` setting must be set to a value other than `UNLIMITED` to actually prevent a user from logging on after the password expiration if the value `PASSWORD_LIFE_TIME` is set.
`PASSOWRD_GRACE_TIME`	Sets the number of days after the `PASSWORD_LIFE_TIME` expiration date that a user will receive a warning about the password expiring. When the grace time is up, the password expires. The DBA can see which accounts have expired passwords by examining the data dictionary view `DBA_USERS` looking for accounts with a status of `EXPIRED` (`GRACE`).
`PASSOWRD_LOCK_TIME`	Sets the number of days after which a locked password will automatically unlock. This parameter is useful together with the `FAILED_LOGON_ATTEMPTS` setting. The `UNLIMITED` value indicates that the account will never automatically unlock.
`PASSOWRD_REUSE_TIME`	Sets the number of days before which a password can be reused. If this setting is set to a value other than `UNLIMITED`, then `PASSOWRD_REUSE_MAX` must be set to `UNLIMITED`.
`PASSOWRD_REUSE_MAX`	Sets the minimum number of password changes before which a password can be reused. If this setting is set to a value other than `UNLIMITED`, then `PASSOWRD_REUSE_TIME` must be set to `UNLIMITED`.
`PASSOWRD_VERIFY_FUNCTION`	Sets the PL/SQL password certification function. This function certifies that the password meets the minimum complexity or other verification rules. Setting this parameter to `NULL` disables password verification.

For example

CREATE PROFILE student LIMIT
  CONNECT_TIME 300
  IDLE_TIME 60
  SESSIONS_PER_USER 5;

Modifying profiles.

To change an existing profile, use the ALTER PROFILE statement. The syntax of the statement is practically identical to the syntax of the CREATE PROFILE statement

ALTER PROFILE profile_name LIMIT
 [ resource_parameter { value | UNLIMITED | DEFAULT } ]
 ...
 [ resource_parameter { value | UNLIMITED | DEFAULT } ]
 [ password_parameter { value | UNLIMITED | DEFAULT } ]
 ...
 [ password_parameter { value | UNLIMITED | DEFAULT } ];

For example, let's modify previously created profile student

ALTER PROFILE student LIMIT

Removing a profile.

To remove a profile, use the DROP PROFILE statement. This statement has syntax as follows:

DROP PROFILE profile_name [ CASCADE ];

Specify CASCADE to deassign the profile from any users to whom it is assigned. Oracle automatically assigns the default profile to such users. You must specify this clause to drop a profile that is currently assigned to users. Note: we cannot remove the default profile (name DEFAULT).

Privileges and roles.

Object privileges.

There are 11 types of object privileges as shown in the table.

Object privileges.
Privilege	Description
`ALTER`	Allows the grantee to execute the `ALTER TABLE` and `LOCK TABLE` commands on a table and `ALTER SEQUENCE` on a sequence. (Applied to tables and sequences.)
`DELETE`	Allows the grantee to execute a `DELETE` statement on a table or view. The `SELECT` privilege must be granted together with the `DELETE` privilege, or the grantee will be unable to delete selected rows. This privilege also allows to lock the table. This privilege can be granted on specific columns only. (Applied to tables and views.)
`EXECUTE`	Allows the grantee to execute the specified programs or use the specified objects. (Applied to functions, procedures, packages, DB objects, libraries, operators, and types.)
`INDEX`	Allows the grantee to create indexes on specified tables. This privilege also allows to lock the tables. (Applied to tables only.)
`INSERT`	Allows the grantee to create new rows in a table or view. This privilege can be granted on specific columns. (Applied to tables and views.)
`READ`	Allows the grantee to read `BFILE`s in the specified directory. (Applied to directories only.)
`WRITE`	Allows the grantee to write to a directory. (Applied to directories only.)
`REFERENCES`	Allows the grantee to create an integrity constraint that references the specified table. This privilege can also lock the table. Note that this privilege must be granted directly to a user, not through a role. (Applied to tables only.)
`SELECT`	Allows the grantee to execute a `SELECT` command on specified tables and views. On a sequence this privilege gives the permission to obtain the next and current value. (Applied to tables, views, and sequences.)
`UNDER`	Allows the grantee to create a view based on an existing view. (Applied to views and user-defined types.)
`UPDATE`	Allows the grantee to modify data values. The `SELECT` privilege must be granted as well. This privilege can be granted on particular columns only. (Applied to tables and views.)

The GRANT statement grants the privileges. The syntax of the command for granting object privileges is

GRANT { privilege_list | ALL [PRIVILEGES] | role_list }
   ON object_list
   TO { user_list | role_list | PUBLIC }
   [ WITH GRANT OPTION ] ;

Where the keyword ALL specifies all mentioned privileges, the keyword PUBLIC grants the specified privileges to all users, and the clause WITH GRANT OPTION allows the grantee to grant them further. For example

GRANT SELECT
   ON ist466.employees
   TO student;
GRANT INSERT, SELECT
   ON system.objects_created
   TO bob, bill
   WITH GRANT OPTION;

In the case of granting DELETE, INSERT, or UPDATE privileges we may use the list of columns we would like to grant these privileges on. These columns should be specified in parentheses after the privilege name. For example

GRANT UPDATE (grade)
   ON ist.my_records
   TO PUBLIC;

To revoke a privilege, we need to use the REVOKE statement. The syntax of the statement is

REVOKE { privilege_list | ALL | role_list }
    ON object_list
  FROM { user_list | role_list | PUBLIC }
  [ CASCADE CONSTRAINTS ] [ FORCE ];

The CASCADE CONSTRAINTS clause is relevant only if you revoke the REFERENCES privilege or ALL privileges. It drops any referential integrity constraints that the revokee has defined using the REFERENCES privilege (which might have been granted either explicitly or implicitly through a grant of ALL privilege).

Specify FORCE to revoke the EXECUTE object privilege on user-defined type objects with table or type dependencies. We must use FORCE to revoke the EXECUTE object privilege on user-defined type objects with table dependencies.
If we specify FORCE, then all privileges will be revoked, but all dependent objects are marked INVALID, data in dependent tables becomes inaccessible, and all dependent function-based indexes are marked UNUSABLE. (Re-granting the necessary type privilege will re-validate the table.)

Please note several things about revoking object privileges:

we can revoke only the privilege we granted (same true for system privileges);
if user A granted a privilege to user B with the WITH GRANT OPTION, and user B granted the same privilege to user C, then after revoking this privilege from user B, user C looses it as well;
the same thing is true if we drop user B. When we drop a user, all objects privileges granted by the user are lost;
we cannot revoke only the ability to grant the privilege further, we have to revoke the whole privilege and re-grant without the WITH GRANT OPTION;
we cannot revoke the DELETE, INSERT, or UPDATE privileges on specific columns, we have to revoke the entire privilege.

Example

REVOKE SELECT
    ON ist.employees
  FROM bob;

System privileges.

The system privileges allow the grantee to create, drop, alter, and manage database objects or features. There is a long list of system privileges available in Oracle9i. The complete list of the privileges can be retrieved from the dictionary view SYSTEM_PRIVILEGE_MAP.

To grant system privilege we use the same GRANT statement, but with slightly different syntax

GRANT { privilege_list | ALL [PRIVILEGES] | role_list }
   ON object_list
   TO { user_list | role_list | PUBLIC }
   [ IDENTIFIED BY password ]
   [ WITH ADMIN OPTION ] ;

Use the IDENTIFIED BY clause to specifically identify an existing user by password or to create a nonexistent user. This clause is not valid if the grantee is a role or PUBLIC.

Unlike object privileges, the grantor of the system privileges or role privileges is not kept; that is, if user A granted a system privilege to user B with the WITH ADMIN OPTION, and user B granted it further to user C, then if user B is dropped or the privilege was revoked from her/him, then user C still retains the privilege.

To revoke a system privilege we use the same REVOKE statement as we do for object privileges, but for system privileges we cannot use the CASCADE CONTRAINTS clause. Thus, the syntax of revoking system privileges is

REVOKE { privilege_list | ALL | role_list }
    ON object_list
  FROM { user_list | role_list | PUBLIC };

Roles.

A role is an instrument for administering privileges. A role is just a collection of privileges, that can be granted at once. This is especially convenient when we need to administer a group of users with the same privileges. Instead of manually granting all needed privileges to all users we create a role, grant all required privileges to the role, and then grant the role to all users from the group. If later we need to grant additional privileges to all the users from the group or revoke some privileges from them, it is enough to grant to revoke these privileges to the role.

To create a role, we need to use the CREATE ROLE statement. The syntax for the statement is

CREATE ROLE role_name
 [ IDENTIFIED BY { password | EXTERNALLY | GLOBALLY } ];

Once a role is created, we can grant all the privileges we want to the role using the same GRANT command. We also grant the role to users using the GRANT statement with the role name instead of a privilege. For example

CREATE ROLE ist466_role;
GRANT ALTER SESSION,
      CREATE SEQUENCE,
      CREATE SESSION,
      CREATE SYNONYM,
      CREATE TABLE,
      CREATE VIEW
   TO ist466_role;
grant ist466_role TO dementiev;

If a role was created without a password (the default option), then it's enabled immediately for the user who has been granted the role. If a role was created with IDENTIFIED BY clause, then that role is disabled by default. To enable the role, we need to use the SET ROLE statement

SET ROLE
  { role_name [IDETIFIED BY password] | ALL [EXCEPT role_list] | NONE };

Oracle provides some predefined roles. The three most important roles are
Oracle predefined roles
Role Privileges granted

CONNECT ALTER SESSION, CREATE CLUSTER, CREATE DATABASE LINK, CREATE SEQUENCE, CREATE SESSION, CREATE SYNONYM, CREATE TABLE, CREATE VIEW

RESOURCE CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE

DBA This role has 124 system privileges granted to let the user full administrative privilege over the database.

To retrieve all roles predefined in the database and privileges granted to these roles use the dictionary views ROLE_SYS_PRIVS and ROLE_TAB_PRIVS. For example, to print all system privileges granted to the predefined role DBA we can execute

Oracle predefined roles
Role	Privileges granted
`CONNECT`	ALTER SESSION, CREATE CLUSTER, CREATE DATABASE LINK, CREATE SEQUENCE, CREATE SESSION, CREATE SYNONYM, CREATE TABLE, CREATE VIEW
`RESOURCE`	CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE
`DBA`	This role has 124 system privileges granted to let the user full administrative privilege over the database.

SELECT privilege
  FROM role_sys_privs
 WHERE role = 'DBA';

Now, to create a valid user who can connect to Oracle database and be able to create her/his own tables we can execute the commands:

CREATE USER student IDENTIFIED BY psswrd;
GRANT CONNECT TO student;

Oracle dictionary about privileges.

Oracle maintains a list of dictionary views and tables that contain information about roles defined in the database, privileges granted to these roles, privileges granted to users, etc. Some of these roles are in the table below.

Oracle dictionary view on privileges and roles
View	Description
`ALL_COL_PIVS`	describes the following types of grants: Column object grants for which the current user is the object owner, grantor, or grantee Column object grants for which an enabled role or `PUBLIC` is the grantee
`DBA_COL_PRIVS`	describes all column object grants in the database
`USER_COL_PIVS`	describes the column object grants for which the current user is the object owner, grantor, or grantee
`ALL_COL_PRIVS_MADE`	describes the column object grants for which the current user is the object owner or grantor
`USER_COL_PRIVS_MADE`	describes the column object grants for which the current user is the object owner
`ALL_COL_PRIVS_RECD`	describes the following types of grants: Column object grants for which the current user is the grantee Column object grants for which an enabled role or `PUBLIC` is the grantee
`USER_COL_PRIVS_RECD`	describes the column object grants for which the current user is the grantee
`ALL_TAB_PRIVS`	describes the following types of grants: Object grants for which the current user is the object owner, grantor, or grantee Object grants for which an enabled role or `PUBLIC` is the grantee
`DBA_TAB_PRIVS`	describes all object grants in the database
`USER_TAB_PRIVS`	describes the object grants for which the current user is the object owner, grantor, or grantee
`ALL_TAB_PRIVS_MADE`	describes the object grants for which the current user is the object owner or grantor
`USER_TAB_PRIVS_MADE`	describes the object grants for which the current user is the object owner
`USER_TAB_PRIVS_RECD`	describes the following types of grants: Object grants for which the current user is the grantee Object grants for which an enabled role or `PUBLIC` is the grantee
`USER_TAB_PRIVS_RECD`	describes the object grants for which the current user is the grantee
`DBA_ROLE_PRIVS`	describes the roles granted to all users and roles in the database
`USER_ROLE_PRIVS`	describes the roles granted to the current user
`DBA_SYS_PRIVS`	describes system privileges granted to users and roles
`USER_SYS_PRIVS`	describes system privileges granted to the current user
`ROLE_ROLE_PRIVS`	describes the roles granted to other roles
`ROLE_SYS_PRIVS`	describes system privileges granted to roles
`ROLE_TAB_PRIVS`	describes table privileges granted to roles. Information is provided only about roles to which the user has access
`SESSION_PRIVS`	lists the privileges that are currently available to the user