Administering User Security

<back to oca>

Create and manage database user accounts

Authentication methods:

  1. database: “identified by”
  2. external: “identified externally” (attenzione a REMOTE_OS_AUTH, OS_AUTHENT_PREFIX)
  3. globally, ad esempio tramite oracle advanced security oid: “create user SCOTT identified globally as ‘CN=scott, OU=division1, O=oracle C=US’;

Create and manage roles

Roles behaves as system privileges, they can be granted “with admin option” and their revoke does not cascade. So if a role has an object privilege the behaviour of object privilege is not the same as the object privilege alone. You can grant a system privilege ”with admin option” to a role so that who has that role can grant that privilege to others. You cannot grant  object privilege to a role ”with grant option” so who has that role cannot grant that privilege to others, but if she has got the role with admin option she can grant the role to others.

Grant and revoke privileges

Create and manage profiles (security guide, cap 11, SQL Reference)

To abilitate resource limiting with profiles database parameter RESOURCE_LIMIT must be set to true. There are two group of parameters:


Resource parameters

  • CONNECT_TIME (minutes)
  • CPU_PER_CALL (hundreths of seconds)
  • IDLE_TIME (minutes)
  • PRIVATE_SGA (limits private shared pool allocation by session only with shared server)
  • COMPOSITE_LIMIT (cpu_per_session,logical_reads_per_session, connect_time, private_sga) RESOURCE_COST view shows costs, ALTER RESOURCE COST X Y;

Password parameters

  • PASSWORD_REUSE_MAX (if this and preceding are UNLIMITED then they are disabled)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: