Week 6Lecture 2

System and Object Privileges

Learning Objectives

Identify and manage system and object privileges

Grant and revoke privileges to users

Understand auditing capabilities and practice using auditing commands

Overview of Privileges

Privileges allow users to perform operations on the database.

2 types of privileges: System privileges: gives user the ability to

manage some part of the database Object privileges: gives user the ability to

perform tasks on tables and objects owned by a schema

Identifying System Privileges

Common system privileges include:

SYSDBA: Allows the user to start up and shut down the database and to

create an spfile (system initialization parameter file). The SYSTEM and SYS predefined users have this privilege.

SYSOPER: Same as SYSDBA, but does not include the ability to create a

database. CREATE SESSION:

You assigned this privilege to a user in the previous chapter. This allows a user to log onto the database.

More System Privileges

CREATE TABLE, CREATE INDEX, and CREATE VIEW: Allow users to create their own tables, indexes, and views.

CREATE USER: DBA must have this privilege to create new users. You logged on

as SYSTEM to create users in the previous chapter. CREATE ANY TABLE:

Usually reserved for the DBA, allowing him or her to create a table in any schema.

DROP ANY TABLE: Allows the user to drop any schema’s tables, except those

needed by the database system itself (the data dictionary tables).

More System Privileges

SELECT ANY TABLE: Usually reserved for the DBA, because it allows the user to query any

table on the database. GRANT ANY PRIVILEGE, GRANT ANY OBJECT PRIVILEGE:

Allow the user (preferably the DBA) to assign any system privilege or any object privilege to other users.

BACKUP ANY TABLE: Allows the user to use the Export utility to export any table in the

database. Exporting

a form of backup that can be used to back up specific tables or schemas, or to back up the entire database.

Using Object Privileges

Object privileges more pinpointed than system privileges. An object privilege has a much narrower focus. Object privileges always pertain to a table, function, procedure, or

other object. Several different object privileges:

some available only for tables and views others only available for functions, procedures, packages, or

user-defined types.

Managing System and Object Privileges

Privileges managed by granting and revoking privileges to users and roles.

Granting a privilege allows the user to perform some action Revoking a privilege removes a privilege from a user so that he

can no longer perform the action

Granting and Revoking System Privileges

Basic syntax of the GRANT command for system privileges:

GRANT <systempriv>, <systempriv>,...|ALL PRIVILEGES

TO <user>,<user>...|PUBLIC

WITH ADMIN OPTION;

Granting System Privileges

List as many system privileges as you want, separating each with a comma. Can also substitute ALL PRIVILEGES for a list of privileges. Use with

caution, because it grants the user all of the 100 plus system privileges except SELECT ANY DICTIONARY.

Add the WITH ADMIN OPTION only when you want the user to be able to grant the same system privilege to other users.

List all the users to whom you want to grant the same system privileges. Alternatively, use PUBLIC instead of a specific user name to grant the

privilege to all users, including users created in the future.

Revoking System Privileges

Basic syntax of the REVOKE command for system privileges:

REVOKE <systempriv>, <systempriv>,...|ALL PRIVILEGES

FROM <user>, <user>,...|PUBLIC;

Final note about system privileges: System privileges are needed to create tables in the database. The

owner (schema) of a table can automatically select, insert, update, and delete data in his own tables. However, no other users (except the DBA) are allowed to even see the table’s name without permission from the owner or the DBA. This is where object privileges come into play.

Granting Object Privileges

Basic syntax for granting object privileges:

GRANT <objectpriv>, <objectpriv>,... |ALL

(<colname>,...) ON <schema>.<object>

TO <user>,...|PUBLIC

WITH GRANT OPTION

WITH HIERARCHY OPTION;

Granting Object Privileges

Column list: Used only when you want to grant a privilege for specific

columns in the table or view. Could employ it as a security feature to restrict users from

updating sensitive fields. Can only be used to grant UPDATE, REFERENCES, and

DELETE privileges.

PUBLIC: Can list object privileges for one object, and you can also

list users who receive those privileges. Substituted for user names when you want to grant the

privilege to all users.

Granting Object Privileges

WITH GRANT OPTION: Similar to the WITH ADMIN OPTION. Use when you want the user to be able to issue

grants to other users.

WITH HIERARCHY OPTION: special feature used for objects that have

subobjects. subobject is an object based on another object

The option is included for completeness of syntax. Instructs Oracle9i to grant the object privilege to the user

on the object and on all its subobjects.

Viewing Privileges

DBA_SYS_PRIVS• All system privileges granted

DBA_TAB_PRIVS• All object privileges granted

USER_TAB_PRIVS_MADE • All object privileges granted by the user

USER_TAB_PRIVS_RECD• All object privileges when the user is the grantee

DBA_COL_PRIVS• All object privileges on column lists

SESSION_PRIVS • User’s privileges currently enabled

Description of Auditing Capabilities

Monitoring activity on the database is called auditing Frequently used to determine who is making unauthorized

updates or deletions to sensitive data Three types of auditing that Oracle9i can run automatically

Description of Auditing Capabilities

Statement auditing: Audits types of SQL commands. You must have the AUDIT

SYSTEM privilege to use this type of auditing.

Privilege auditing: Audits use of particular privileges. You must have the

AUDIT SYSTEM privilege to use this type of auditing.

Object auditing: Audits activity on a certain object. You can use the AUDIT

command to set up object auditing for any object you own. Otherwise, you must have the AUDIT ANY privilege to audit objects.

Description of Auditing Capabilities

Auditing has no effect until you set the AUDIT_TRAIL initialization parameter. Valid settings for AUDIT_TRAIL include:

TRUE or DB: • Starts auditing and places the audit trail records into the

SYS.AUD$ table.

FALSE or NONE: • Turns off auditing. Default is NONE.

OS: • Starts auditing and places the audit trail records into an operating

system file in the directory named in the AUDIT_FILE_DEST initialization parameter.

Object Auditing

Syntax of the AUDIT command for object auditing:

AUDIT <objpriv>,<objpriv>,...|ALL

ON <schema>.<object>|DEFAULT|NOT EXISTS

BY SESSION|BY ACCESS

WHENEVER SUCCESSFUL|WHENEVER NOT SUCCESSFUL;

Object Auditing

To set this auditing for the automatic turn on of any new object that is created, substitute DEFAULT for an object name.

Substitute NOT EXISTS for an object name, and Oracle9i creates an audit trail record for attempted actions that fail with the “object does not exist” error.

Privilege Auditing

Syntax of the AUDIT command for privilege auditing:

AUDIT <priv>,<priv>,...|ALL PRIVILEGES|CONNECT|RESOURCE|DBA

BY <username>

BY SESSION|BY ACCESS

WHENEVER SUCCESSFUL|WHENEVER NOT SUCCESSFUL;

SQL Statement Auditing

Syntax of the AUDIT command for SQL statement auditing:

AUDIT <sql>,<sql>,...|ALL

BY <username>

BY SESSION|BY ACCESS

WHENEVER SUCCESSFUL|WHENEVER NOT SUCCESSFUL;

Description of Auditing Capabilities

BY SESSION: Tells Oracle9i to write one record to the audit trail for each

session for the same SQL or privilege on the same object. Saves space in the audit trail.

BY ACCESS: Tells Oracle9i to write one record to the audit trail for every

occurrence of the audited event. The default. Can specify either BY ACCESS or BY SESSION, but not

both.

Description of Auditing Capabilities

WHENEVER SUCCESSFUL: Tells Oracle9i to write a record to the audit trail only

when the operation is successful.

WHENEVER NOT SUCCESSFUL: Tells Oracle9i to write a record to the audit trail only

when the operation is not successful. If you don’t specify this or the previous clause,

Oracle9i writes a record for the operation it is auditing regardless of whether it succeeds.

Viewing Audit Results

DBA_AUDIT_EXISTS: • Audit trail records generated by object auditing of non-existent objects

DBA_AUDIT_OBJECT: • Audit trail records generated by object auditing

DBA_AUDIT_SESSION: • Audit trail records generated by session auditing

DBA_AUDIT_STATEMENT: • Audit trail records generated by statement auditing

DBA_AUDIT_TRAIL: • All audit trail records All of these have a corresponding

USER_counterpart, except DBA_AUDIT_EXISTS.

Stopping and Altering Audits

Audits are turned off and modified with the NOAUDIT command

The NOAUDIT command’s structure is exactly like the AUDIT command; it turns off the auditing it names

You can turn off selective portions of the audit you have set up

Lecture Summary

System privileges allow a user to manage some part of the database system

Object privileges allow a user to work with an object. SYSDBA and SYSOPER are system privileges that allow a

user to start up and shut down the database, as well as other high-level tasks

The CREATE SESSION system privilege is needed to log onto the database

Lecture Summary

Typical object privileges for a table include SELECT, INSERT, UPDATE, and DELETE

The GRANT and REVOKE commands are used for both system and object privileges

Use WITH ADMIN OPTION when granting system privileges to allow the user to grant that privilege to others

Lecture Summary

A grant made to PUBLIC gives all users the privilege Revoked system privileges do not cascade to other users Use WITH GRANT OPTION when granting object

privileges to allow the user to grant that privilege to others Revoked object privileges cascade to other users

Lecture Summary

Object privileges can be granted on columns The owner of a table can grant object privileges on that

table The grantor grants the privilege and the grantee receives

the privilege Querying an object without privileges to query causes an

error stating that the object does not exist

Lecture Summary

Statement auditing is the monitoring of activity on a particular type of statement, such as SELECT

Privilege auditing audits any command that is authorized by the privilege, such as CREATE TABLE

Object auditing generates audit trail records as soon as the object is used, such as with SELECT or DELETE statements

Lecture Summary

The SYS.AUD$ table holds auditing records unless the AUDIT_TRAIL initialization parameter is set to “OS”

AUDIT_SYS_OPERATIONS is an initialization parameter that, when set to “TRUE,” causes Oracle9i to audit all activity by SYS or users with SYSDBA privileges

BY ACCESS or BY SESSION tell Oracle9i whether to write a record for each occurrence of an audited event or a summary record for the session

Lecture Summary

The following clauses limit the writing of audit trail records: WHENEVER SUCCESSFUL and WHENEVER NOT SUCCESSFUL

AUDIT_TRAIL is a static parameter, so you must restart the database after changing it

A group of data dictionary views shows audit trail records for each type of auditing

Use the NOAUDIT command to stop specific auditing activities