Oracle security 02-administering user security
1. 云和恩墨 (成就所托: "achieving what is entrusted to us") by 王朝阳 18516271611 sonne.k.wang@gmail.com
Administering User Security
2. Objectives
After completing this lesson, you should be able to:
• Create and manage database user accounts:
– Authenticate users
– Assign default storage areas (tablespaces)
• Grant and revoke privileges
• Create and manage roles
• Create and manage profiles:
– Implement standard password security features
– Control resource usage by users
3. Database User Accounts
Each database user account has:
• A unique username
• An authentication method
• A default tablespace
• A temporary tablespace
• A user profile
• An initial consumer group
• An account status
A schema:
• Is a collection of database objects that are owned by a database user
• Has the same name as the user account
4. Predefined Administrative Accounts
• SYS account:
– Is granted the DBA role, as well as several other roles
– Has all privileges with ADMIN OPTION
– Is required for startup, shutdown, and some maintenance commands
– Owns the data dictionary and the Automatic Workload Repository (AWR)
• SYSTEM account is granted the DBA, MGMT_USER, and AQ_ADMINISTRATOR_ROLE roles.
• DBSNMP account is granted the OEM_MONITOR role.
• SYSMAN account is granted the MGMT_USER, RESOURCE, and SELECT_CATALOG_ROLE roles.
• These accounts are not used for routine operations.
5. SYSOPER and SYSDBA
6. Creating a User
Select Server > Users, and then click the Create button.
7. Authenticating Users
• Password
• External
• Global
8. Fixed Database Links
• Create a public fixed database link:
CREATE PUBLIC DATABASE LINK dblk_orcl10g_hr
CONNECT TO hr IDENTIFIED BY oracle USING 'ORCL10g';
• Use a public database link:
SELECT * FROM employees@dblk_orcl10g_hr;
[Figure: the link connects to the remote database ORCL10g as hr/oracle]
9. Viewing Database Link Passwords
• A privileged user may view database link passwords.
• The passwords for fixed links are stored in clear text in 10g:
SELECT USERID, PASSWORD
FROM SYS.LINK$
WHERE PASSWORD IS NOT NULL;
USERID     PASSWORD
---------- ----------
SYSTEM     ORACLE
SCOTT      TIGER
10. Database Links Without Credentials
• Creating a connected user database link:
CREATE DATABASE LINK sales.division3.acme.com
USING 'sales';
• Creating a current user database link:
CREATE DATABASE LINK sales
CONNECT TO CURRENT_USER USING 'sales';
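The following is an added example, not part of the slides, showing how a DBA would inventory the links that carry stored credentials (the fixed links of slides 8 and 9) and rewrite one as a credential-free link (slide 10). It uses the standard DBA_DB_LINKS view; the link name dblk_orcl10g_hr and the service name 'ORCL10g' come from the slides.

```sql
-- Added example: inventory database links and remove stored credentials.
-- Run as a DBA. DBA_DB_LINKS lists every link in the database; for a fixed
-- link the USERNAME column holds the remote account whose password is kept
-- with the link, while a connected-user link shows a NULL username.
SELECT owner, db_link, username, host
  FROM dba_db_links
 WHERE username IS NOT NULL          -- links that carry stored credentials
 ORDER BY owner, db_link;

-- The public fixed link from slide 8: the hr password is stored in the
-- dictionary, and every session that can see the link reaches the remote
-- database as hr, whoever the local user is.
CREATE PUBLIC DATABASE LINK dblk_orcl10g_hr
  CONNECT TO hr IDENTIFIED BY oracle USING 'ORCL10g';

-- Replacement: a connected-user link. No credentials are stored; the local
-- session is authenticated on the remote side under its own username, so
-- the remote database's grants and audit trail apply to the real user
-- instead of to the shared hr account.
DROP PUBLIC DATABASE LINK dblk_orcl10g_hr;
CREATE PUBLIC DATABASE LINK dblk_orcl10g_hr USING 'ORCL10g';

-- Verify: the rewritten link now shows a NULL username. Link names are
-- stored in upper case and may carry the database domain as a suffix.
SELECT owner, db_link, username, host
  FROM dba_db_links
 WHERE db_link LIKE 'DBLK_ORCL10G_HR%';
```

A connected-user link only works for users who also hold an account on the remote database, so the inventory query doubles as the list of links whose consumers have to be identified before the credentials are removed.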
11. Audit Database Links
[Figure: jane connects to the local database (connect jane/doe); the local database reaches the remote FINANCE database as scott (connect scott/tiger). Local database audits: jane. Remote database audits: scott.]
12. Administrator Authentication
Operating system security:
• DBAs must have the OS privileges to create and delete files.
• Typical database users should not have the OS privileges to create or delete database files.
Administrator security:
• For SYSDBA, SYSOPER, and SYSASM connections:
– DBA user by name is audited for password file and strong authentication methods
– OS account name is audited for OS authentication
– OS authentication takes precedence over password file authentication for privileged users
– Password file uses case-sensitive passwords
13. Locking and Expiring Default User Accounts
• The Database Configuration Assistant (DBCA) expires and locks all accounts, except:
– SYS
– SYSTEM
– SYSMAN
– DBSNMP
• For a manual installation, lock and expire accounts by using:
ALTER USER hr PASSWORD EXPIRE ACCOUNT LOCK;
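As an added example (not from the slides), this is the check a DBA would run after a manual installation to find default accounts that are still open, and the loop that applies the slide's ALTER USER statement to each of them. It relies on the 11g view DBA_USERS_WITH_DEFPWD, which lists accounts still using the password shipped with the product; the four accounts excluded are the ones DBCA leaves open.

```sql
-- Added example: find default accounts that are still open, then lock and
-- expire them. Run as SYS or another DBA on Oracle Database 11g.
SELECT u.username, u.account_status, u.profile
  FROM dba_users u
  JOIN dba_users_with_defpwd d ON d.username = u.username
 WHERE u.account_status = 'OPEN'
   AND u.username NOT IN ('SYS', 'SYSTEM', 'SYSMAN', 'DBSNMP')
 ORDER BY u.username;

-- Apply the slide's command to every account the query returns. Usernames
-- are quoted so that the statement matches the stored (upper-case) name.
BEGIN
  FOR r IN (SELECT u.username
              FROM dba_users u
              JOIN dba_users_with_defpwd d ON d.username = u.username
             WHERE u.account_status = 'OPEN'
               AND u.username NOT IN ('SYS', 'SYSTEM', 'SYSMAN', 'DBSNMP'))
  LOOP
    EXECUTE IMMEDIATE 'ALTER USER "' || r.username ||
                      '" PASSWORD EXPIRE ACCOUNT LOCK';
  END LOOP;
END;
/

-- Confirm: accounts locked and expired this way report this status.
SELECT username, account_status
  FROM dba_users
 WHERE account_status = 'EXPIRED & LOCKED'
 ORDER BY username;
```

The four excluded accounts still appear in DBA_USERS_WITH_DEFPWD until their passwords are changed, so the first query is worth running again without the NOT IN filter once the installation is complete.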
14. Privileges
There are two types of user privileges:
• System: Enables users to perform particular actions in the database
• Object: Enables users to access and manipulate a specific object
[Figure: user HR_DBA holds the system privilege Create session and the object privilege Update employees]
15. System Privileges
16. Object Privileges
To grant object privileges:
• Choose the object type.
• Select objects.
• Select privileges.
[Figure: the three steps, with "Search and select objects" on step 2]
17. Revoking System Privileges with ADMIN OPTION
REVOKE CREATE TABLE FROM joe;
[Figure: GRANT and REVOKE chains of a privilege from DBA to Joe to Emily; legend: User, Privilege, Object]
18. Revoking Object Privileges with GRANT OPTION
[Figure: GRANT and REVOKE chains of a privilege from Bob to Joe to Emily]
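The two figures above only show the grant chains; the rule they illustrate is that revoking a system privilege granted WITH ADMIN OPTION does not cascade to the users the grantee passed it on to, while revoking an object privilege granted WITH GRANT OPTION does. The following is an added example, not from the slides, that plays the chains through and checks the dictionary after each REVOKE. The users joe and emily and their passwords are constructed for the example; hr.employees stands in for Bob's object; the DBA and hr passwords are placeholders.

```sql
-- Added example: cascade behaviour of REVOKE for ADMIN OPTION vs GRANT OPTION.
-- Run as a DBA in SQL*Plus; CONNECT switches the session between users.
CREATE USER joe   IDENTIFIED BY joe_pw_1;      -- constructed test users
CREATE USER emily IDENTIFIED BY emily_pw_1;
GRANT CREATE SESSION TO joe, emily;

-- Slide 17: system privilege, DBA -> joe (ADMIN OPTION) -> emily
GRANT CREATE TABLE TO joe WITH ADMIN OPTION;
CONNECT joe/joe_pw_1
GRANT CREATE TABLE TO emily;                   -- joe passes it on

CONNECT system/<dba_password>                  -- placeholder
REVOKE CREATE TABLE FROM joe;                  -- the slide's statement

-- No cascade for system privileges: emily still holds CREATE TABLE even
-- though joe, who granted it to her, has lost it.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE TABLE' AND grantee IN ('JOE', 'EMILY');

-- Slide 18: object privilege, owner -> joe (GRANT OPTION) -> emily
CONNECT hr/<hr_password>                       -- placeholder
GRANT SELECT ON employees TO joe WITH GRANT OPTION;
CONNECT joe/joe_pw_1
GRANT SELECT ON hr.employees TO emily;          -- joe passes it on
CONNECT hr/<hr_password>
REVOKE SELECT ON employees FROM joe;

-- Cascade for object privileges: revoking from joe also removes the grant
-- joe made to emily, so neither user appears any more.
CONNECT system/<dba_password>
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'HR' AND table_name = 'EMPLOYEES'
   AND grantee IN ('JOE', 'EMILY');

-- Clean up the constructed users.
DROP USER emily;
DROP USER joe;
```

The practical consequence for privilege reviews: after revoking a system privilege from an administrator, query DBA_SYS_PRIVS for the users that administrator granted it to, because nothing else will remove it from them.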
19. Benefits of Roles
• Easier privilege management
• Dynamic privilege management
• Selective availability of privileges
20. Assigning Privileges to Roles and Assigning Roles to Users
[Figure: the privileges Delete employees, Select employees, Update employees, Insert employees, and Create Job are assigned to the roles HR_CLERK and HR_MGR; the roles are assigned to the users Jenny, David, and Rachel]
21. Predefined Roles
Role | Privileges Included
CONNECT | CREATE SESSION
RESOURCE | CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE
SCHEDULER_ADMIN | CREATE ANY JOB, CREATE EXTERNAL JOB, CREATE JOB, EXECUTE ANY CLASS, EXECUTE ANY PROGRAM, MANAGE SCHEDULER
DBA | Most system privileges; several other roles. Do not grant to nonadministrators.
SELECT_CATALOG_ROLE | No system privileges; HS_ADMIN_ROLE and over 1,700 object privileges on the data dictionary
22. Creating a Role
Select Server > Roles.
Add privileges and roles from the appropriate tab.
Click OK when finished.
23. Secure Application Roles
• Roles can be nondefault and enabled when required:
SET ROLE vacationdba;
• Roles can be protected through authentication.
• Roles can also be secured programmatically:
CREATE ROLE secure_application_role
IDENTIFIED USING <security_procedure_name>;
24. Implementing a Secure Application Role
1. Create the role.
2. Create the package that sets the role:
a. Create the package specification.
b. Create the package body.
3. Grant the execute privilege on the package.
4. Write the application server code that sets the role.
25. Step 1: Create the Role
• The CREATE ROLE command identifies the package that sets the role.
• The package does not need to exist.
• Example:
CREATE ROLE oe_sales_rep
IDENTIFIED USING secure.oe_roles;
26. Step 2.1: Create the Package Specification
• The OE_ROLES package is referenced in the CREATE ROLE command.
• The AUTHID CURRENT_USER clause is required to properly set the role.
• Example:
CREATE OR REPLACE PACKAGE oe_roles
AUTHID CURRENT_USER
IS
  PROCEDURE set_sales_rep_role;
END;
/
27. Step 2.2: Create the Package Body
...
SELECT id
  INTO v_id
  FROM oe.app_roles
 WHERE username = sys_context('userenv', 'current_user')
   AND role = 'SALES_REP'
   AND ip_address = sys_context('userenv', 'ip_address');
dbms_session.set_role('oe_sales_rep');
...
28. Step 3: Grant the EXECUTE Privilege on the Package
• The application server connects as the appsrv user.
• It sets the role after it starts the user's session.
• Example:
GRANT execute
ON oe_roles
TO appsrv;
29. Step 4: Write the Application Server Code That Sets the Role
• When starting, the application server:
– Connects as the APPSRV user
– Creates a connection pool
• When starting a session for a user, the application server:
– Gets a connection from the pool
– Starts a session for the user
– Sets the user's role
• Set the user's role by using:
secure.oe_roles.set_sales_rep_role;
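Step 2.2 on the slides shows only the middle of the package body. The following is an added example, not from the slides, of a complete body for the four-step procedure above. It assumes the objects the slides introduce: the role oe_sales_rep identified using secure.oe_roles, the specification secure.oe_roles with AUTHID CURRENT_USER, the table oe.app_roles with the columns id, username, role, and ip_address, and the appsrv user. The exception handler is the addition: it covers the case the slide snippet leaves implicit, a caller with no matching row.

```sql
-- Added example: full package body for the SALES_REP secure application role.
-- Run as the owner of the SECURE schema, after Step 1 and Step 2.1.
CREATE OR REPLACE PACKAGE BODY oe_roles IS

  PROCEDURE set_sales_rep_role IS
    v_id oe.app_roles.id%TYPE;
  BEGIN
    -- The package is invoker's rights (AUTHID CURRENT_USER in the spec), so
    -- SYS_CONTEXT describes the end user's session, not the package owner.
    SELECT id
      INTO v_id
      FROM oe.app_roles
     WHERE username   = SYS_CONTEXT('userenv', 'current_user')
       AND role       = 'SALES_REP'
       AND ip_address = SYS_CONTEXT('userenv', 'ip_address');

    -- Reached only when an authorising row exists for this user and address.
    DBMS_SESSION.SET_ROLE('oe_sales_rep');
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- No row for this user/address pair: leave the session's roles as they
      -- are and fail loudly, so the application server cannot mistake
      -- silence for success.
      RAISE_APPLICATION_ERROR(-20001,
        'SALES_REP not authorised for ' ||
        SYS_CONTEXT('userenv', 'current_user') || ' from ' ||
        NVL(SYS_CONTEXT('userenv', 'ip_address'), '<no ip address>'));
  END set_sales_rep_role;

END oe_roles;
/

-- Step 3, then the call the application server issues inside the user's
-- session (Step 4).
GRANT EXECUTE ON secure.oe_roles TO appsrv;
EXEC secure.oe_roles.set_sales_rep_role;

-- Checks: the role is registered as a secure application role (the view on
-- the next slide), and the current session now has it enabled.
SELECT role, schema, package FROM dba_application_roles WHERE role = 'OE_SALES_REP';
SELECT role FROM session_roles WHERE role = 'OE_SALES_REP';
```

Three points a practitioner should keep in mind with this design. Because the package runs with the invoker's rights, every end user needs SELECT on oe.app_roles and nothing more on it; a user who can insert into that table can authorise themselves. SYS_CONTEXT('userenv', 'ip_address') is NULL for local (bequeath) connections, so the predicate only matches network sessions, which is the intended behaviour for an application server but will reject a DBA testing from the server console. And DBMS_SESSION.SET_ROLE behaves like the SET ROLE statement: it enables only the roles named, disabling any others the session had, which is usually what an application session wants but should be a conscious choice. A unique constraint on (username, role, ip_address) keeps the SELECT INTO from raising TOO_MANY_ROWS.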
30. Data Dictionary Views
SQL> SELECT *
  2  FROM dba_application_roles
  3  WHERE ROLE = 'OE_SALES_REP';
ROLE          SCHEMA  PACKAGE
------------- ------- --------
OE_SALES_REP  SECURE  OE_ROLES
SQL>
31. Assigning Roles to Users
32. Quiz
All passwords created in Oracle Database 11g are not case-sensitive by default.
1. True
2. False
33. Quiz
A database role:
1. Can be enabled or disabled
2. Can consist of system and object privileges
3. Is owned by its creator
4. Cannot be protected by a password
34. Profiles and Users
Users are assigned only one profile at a time.
Profiles:
• Control resource consumption
• Manage account status and password expiration
Note: RESOURCE_LIMIT must be set to TRUE before profiles can impose resource limitations.
35. Implementing Password Security Features
[Figure: the user sets up profiles that provide password history, account locking, password aging and expiration, and password complexity verification]
Note: Do not use profiles that cause the SYS, SYSMAN, and DBSNMP passwords to expire and the accounts to be locked.
36. Creating a Password Profile
37. Supplied Password Verification Function: VERIFY_FUNCTION_11G
The VERIFY_FUNCTION_11G function ensures that the password is:
• At least eight characters
• Different from the username, username with a number, or username reversed
• Different from the database name or the database name with a number
• A string with at least one alphabetic and one numeric character
• Different from the previous password by at least three letters
Tip: Use this function as a template to create your own customized password verification.
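Following the tip above, this is an added example, not Oracle's supplied function and not from the slides, of a customised verification function that implements the five checks listed, together with a profile that applies it (slide 36) and the standard password limits. It is written for the PASSWORD_VERIFY_FUNCTION signature (username, password, old_password returning BOOLEAN) and, like the supplied function, has to be created as SYS. The "differs by at least three letters" rule is simplified to a position-by-position count of differing characters; Oracle's own function uses an edit-distance measure. The limit values in the profile are constructed for the example.

```sql
-- Added example: custom password verification function modelled on the
-- checks listed for VERIFY_FUNCTION_11G. Create as SYS.
CREATE OR REPLACE FUNCTION verify_function_custom (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2) RETURN BOOLEAN
IS
  l_pwd      VARCHAR2(4000) := UPPER(password);
  l_user     VARCHAR2(128)  := UPPER(username);
  l_db       VARCHAR2(128)  := UPPER(SYS_CONTEXT('userenv', 'db_name'));
  l_stripped VARCHAR2(4000) := REGEXP_REPLACE(UPPER(password), '[0-9]+$', '');
  l_reversed VARCHAR2(128);
  l_differ   PLS_INTEGER := 0;
BEGIN
  -- 1. At least eight characters
  IF LENGTH(password) < 8 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 8 characters');
  END IF;

  -- 2. Not the username, the username followed by a number, or the
  --    username reversed (l_stripped is the password without a trailing number)
  FOR i IN REVERSE 1 .. LENGTH(l_user) LOOP
    l_reversed := l_reversed || SUBSTR(l_user, i, 1);
  END LOOP;
  IF l_pwd = l_user OR l_stripped = l_user OR l_pwd = l_reversed THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must not be based on the username');
  END IF;

  -- 3. Not the database name or the database name followed by a number
  IF l_pwd = l_db OR l_stripped = l_db THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password must not be based on the database name');
  END IF;

  -- 4. At least one letter and one digit
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    RAISE_APPLICATION_ERROR(-20004, 'Password must contain a letter and a digit');
  END IF;

  -- 5. Differ from the previous password in at least three positions
  --    (simplified: extra length counts as a difference). old_password is
  --    NULL when the old password is not available, so the check is skipped.
  IF old_password IS NOT NULL THEN
    FOR i IN 1 .. GREATEST(LENGTH(password), LENGTH(old_password)) LOOP
      IF SUBSTR(password, i, 1) IS NULL
         OR SUBSTR(old_password, i, 1) IS NULL
         OR SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
        l_differ := l_differ + 1;
      END IF;
    END LOOP;
    IF l_differ < 3 THEN
      RAISE_APPLICATION_ERROR(-20005,
        'Password must differ from the previous one in at least 3 characters');
    END IF;
  END IF;

  RETURN TRUE;
END verify_function_custom;
/

-- Profile applying the function together with the standard password limits
-- (constructed values). Password limits are enforced regardless of the
-- RESOURCE_LIMIT parameter, which only gates the resource limits.
CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24        -- one hour, expressed in days
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365
  PASSWORD_REUSE_MAX       10
  PASSWORD_VERIFY_FUNCTION verify_function_custom;

-- Assign it to an application user, not to SYS, SYSMAN, or DBSNMP.
ALTER USER hr PROFILE app_user_profile;
```

The function is only consulted when a password is set or changed, so assigning the profile does not retroactively validate existing passwords; combine it with PASSWORD_LIFE_TIME, or with ALTER USER ... PASSWORD EXPIRE, to force users through it.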
38. Assigning Quotas to Users
Users who do not have the UNLIMITED TABLESPACE system privilege must be given a quota before they can create objects in a tablespace.
Quotas can be:
• A specific value in megabytes or kilobytes
• Unlimited
39. Applying the Principle of Least Privilege
• Protect the data dictionary:
O7_DICTIONARY_ACCESSIBILITY=FALSE
• Revoke unnecessary privileges from PUBLIC.
• Use access control lists (ACL) to control network access.
• Restrict the directories accessible by users.
• Limit users with administrative privileges.
• Restrict remote database authentication:
REMOTE_OS_AUTHENT=FALSE
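The following is an added example, not from the slides, of the data-dictionary queries a DBA would run to check the least-privilege items on this slide and the quota rule on slide 38, followed by the remediation statements. All views and parameter names are standard; the user hr and the 100M quota are constructed for the example.

```sql
-- Added example: least-privilege review queries. Run as a DBA. Nothing
-- changes until the statements at the end.

-- 1. The two parameters named on the slide; both should read FALSE.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('o7_dictionary_accessibility', 'remote_os_authent');

-- 2. EXECUTE privileges PUBLIC holds on SYS-owned packages: the list to
--    review when revoking unnecessary privileges from PUBLIC.
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND owner = 'SYS' AND privilege = 'EXECUTE'
 ORDER BY table_name;

-- 3. Holders of administrative power: the DBA role, ANY privileges, and
--    UNLIMITED TABLESPACE, which bypasses tablespace quotas altogether.
SELECT grantee, granted_role AS privilege
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
UNION ALL
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege = 'UNLIMITED TABLESPACE' OR privilege LIKE '%ANY%'
 ORDER BY 1, 2;

-- 4. Directory objects and who may read or write through them.
SELECT d.directory_name, d.directory_path, p.grantee, p.privilege
  FROM dba_directories d
  LEFT JOIN dba_tab_privs p
         ON p.table_name = d.directory_name AND p.owner = d.owner
 ORDER BY d.directory_name, p.grantee;

-- 5. Tablespace quotas in force (MAX_BYTES = -1 means UNLIMITED on that tablespace).
SELECT username, tablespace_name, bytes, max_bytes
  FROM dba_ts_quotas
 ORDER BY username, tablespace_name;

-- Remediation pattern: replace the blanket privilege with a sized quota,
-- and set the two parameters. Both are static, so the change is written to
-- the spfile and takes effect at the next restart.
REVOKE UNLIMITED TABLESPACE FROM hr;
ALTER USER hr QUOTA 100M ON users;
ALTER SYSTEM SET o7_dictionary_accessibility = FALSE SCOPE = SPFILE;
ALTER SYSTEM SET remote_os_authent = FALSE SCOPE = SPFILE;
```

Query 3 deliberately lists the RESOURCE role's grantees indirectly: in the releases this deck covers, granting RESOURCE also grants UNLIMITED TABLESPACE as a system privilege, which is why the quota check is worth running even for users who were never given that privilege by name.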
40. Protect Privileged Accounts
Privileged accounts can be protected by:
• Using a password file with case-sensitive passwords
• Enabling strong authentication for administrator roles such as SYSDBA
41. Separation of Responsibilities
Users with DBA privileges must be trusted, but separation of responsibilities can:
• Prevent abuse of trust
• Allow audit trails to protect the trusted position
To implement separation of trust:
• DBA responsibilities must be shared
• Accounts must never be shared
• DBA and system administrator must be different people
• SYSOPER and SYSDBA responsibilities must be separated
44. Quiz
Applying the principle of least privilege is not enough to harden the Oracle database.
1. True
2. False
45. Quiz
With RESOURCE_LIMIT set at its default value of FALSE, profile password limitations are ignored.
1. True
2. False
46. Summary
In this lesson, you should have learned how to:
• Create and manage database user accounts:
– Authenticate users
– Assign default storage areas (tablespaces)
• Grant and revoke privileges
• Create and manage roles
• Create and manage profiles:
– Implement standard password security features
– Control resource usage by users
47. Q&A