Oracle Enterprise Manager Administrator's Guide
This chapter describes how to use Security Manager to control database security. With the Security Manager, you can manage users, roles, and profiles. This chapter assumes that you have read Chapter 7, Overview of the Database Tools, and are familiar with the interface elements of the database tools. The topics in this chapter are:
After the Security Manager has successfully connected to a database, the Users, Roles, and Profiles folders display in a navigator on the left side of the Security window. These folders are located in the database folder which displays the name of the database that the application is connected to.
Figure 9-1: The Security Manager
The display on the right side of the window is determined by the object selected on the left side of the screen. The right side may contain a multi-column list, property sheet, or other information. An example of a Security Manager window is shown in Figure 9-1: The Security Manager.
Refer to the following sections:
Context-sensitive menus may also be active when you press the right mouse button to select a specific object from the navigator or the multi-column list. This feature provides quick access to a subset of the menu options provided in the menu bars.
Users Menu
The User menu contains the following menu options:
When you select:
If you select an individual User icon, and that icon is also on the main branch of the Database folder, the columns of the multi-column list summarize all information from the General page of the Create User property sheet. For more information on these columns, see the description of the Create User property sheet in Creating a User on page 9-5.
Suggestion:
If a multi-column list is wider than its window display area, you can increase the viewing area by resizing the application window or dragging the splitter between the left and right sections of the window.
Creating a User
To create a new user:
Name
Profile
Authentication
Global: Specifies that the user be identified globally amongst multiple databases. The global authorization option is only available with Oracle 8 databases.
External: Specifies that the operating system verify the user.
Password: Specifies that a password be required for login. Enter the password in the adjacent text entry field. Enter the password again in the Confirm text entry field for verification.
Expire Now: Forces the user's password to expire immediately. If you create a new user with this option selected, the user's password must be changed during the first attempted login. This feature is available for Oracle8 databases only.
Tablespaces
Default: Use the drop-down list to choose the default tablespace for user-created objects.
Temporary: Use the drop-down list to choose the tablespace for the user's temporary segments.
Status (Oracle 8 only)
Lock: Locks the user's account and prevents further access.
Unlock: Unlocks the user's account and enables access to the account.
Privilege Type
Available
Roles: If you selected Roles as the privilege type, the roles that you are allowed to grant to a user display in a scrolling list. These are roles you have created and roles you have been granted with the Admin Option.
You must add the roles with the Admin Option in a separate operation from the roles you want to add without the Admin Option.
Note:
System Privileges: If you select System Privileges as the privilege type, system privileges that you are able to grant to a user display in a scrolling list. These are the system privileges that you have been granted with the Admin Option. If you have the GRANT ANY PRIVILEGE system privilege, all privileges are listed. Select the privileges that you want to add to the user.
Up and Down Arrows
Down Arrow removes roles or system privileges that are selected in the Granted spreadsheet.
Granted
System Privilege or Role: Name of the role or system privilege.
Admin Option: When checked, allows the user to grant the system privileges to other users or roles. By default, Admin Option is disabled. You enable the Admin Option by clicking on the spreadsheet entry. In this case, the "X" becomes a check.
Default: (Users property sheet only): When checked, establishes the role as a default for the user upon system logon.
When creating a Role, this spreadsheet consists of two columns: System Privilege or Role and Admin Option.
Objects
Select the object from the navigator that you want to grant privileges for. After the object is selected, the available privileges for the object are displayed to the right in the Available Privileges scrolling list.
You can grant an object privilege that you have been granted with the Grant Option. If you are the owner of the object, you can grant all privileges on the object. Select the privileges you want to grant for the selected object. The scrolling list includes the privileges you can grant on this object.
Grant Option box to allow the user to grant the object privilege to other users and roles.
Click the Add button to add the selected object privileges to the user.
Available Privileges
Up and Down Arrows
Up Arrow removes privileges that are selected in the Granted Object Privileges spreadsheet.
Granted Object Privileges
When creating a new user, the spreadsheet consists of two columns indicating the name of the object privilege and whether or not the Grant Option is specified for that privilege.
When enabled, the Grant Option allows the user to grant the specific object privilege to other users and roles. By default, this option is disabled. To enable the grant option, click on the specific spreadsheet entry. The "X" is replaced with a check.
When creating a role, the spreadsheet consists of a single Object Privilege column.
Quota Details
To specify a quota size for a tablespace, select the tablespace in the scrolling list and specify a quota size by clicking on the None, Unlimited, or Value button.
None
Unlimited
Value
Note:
The format and content of the Create Like property sheet is identical to the Create User property sheet. Refer to Creating a User on page 9-5 for information about the property sheet.
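The fields of the Create User property sheet correspond to ordinary SQL that can be reviewed or scripted from the SQL Worksheet. The following is an added example, not taken from the original guide and not necessarily the statements Security Manager itself issues; DAVE and CLERK are the sample names this chapter uses, while the password, the tablespaces `users` and `temp`, the profile `clerk_profile`, and the table `app_owner.orders` are hypothetical placeholders.

```sql
-- Added example: every name, password and size below is a placeholder.

-- General page: Name, Profile, Authentication, Tablespaces, Status
CREATE USER dave
  IDENTIFIED BY change_me_on_first_login   -- Authentication: Password
  DEFAULT TABLESPACE users                 -- Tablespaces: Default
  TEMPORARY TABLESPACE temp                -- Tablespaces: Temporary
  QUOTA 10M ON users                       -- Quota: Value
  PROFILE clerk_profile                    -- Profile
  PASSWORD EXPIRE                          -- Expire Now (Oracle8 only)
  ACCOUNT UNLOCK;                          -- Status: Unlock (Oracle8 only)

-- Authentication: External replaces the IDENTIFIED BY clause with
--   IDENTIFIED EXTERNALLY

-- Quota: Unlimited on a tablespace
ALTER USER dave QUOTA UNLIMITED ON users;

-- Privileges page with the Admin Option left unchecked (the default)
GRANT CREATE SESSION TO dave;              -- system privilege
GRANT clerk TO dave;                       -- role

-- "Default" column checked: the role is enabled at logon
ALTER USER dave DEFAULT ROLE clerk;

-- Objects page with the Grant Option left unchecked (the default)
GRANT SELECT, INSERT ON app_owner.orders TO dave;

-- Checking Admin Option or Grant Option adds the right to pass the
-- grant on to others. Kept as comments so the script grants no
-- delegation rights:
--   GRANT clerk TO dave WITH ADMIN OPTION;
--   GRANT SELECT ON app_owner.orders TO dave WITH GRANT OPTION;

-- Status: Lock (Oracle8 only) disables the account without dropping it
ALTER USER dave ACCOUNT LOCK;
```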
Altering a User
To change the characteristics of a user:
The details/Quick Edit property sheet is identical in format and content to the Create User property sheet except that the name field is read-only. See Creating a User on page 9-5 for information about the property sheet.
Suggestion:
If you want to add privileges or roles to multiple users, use the Add Privileges and Roles to Users menu item. See Adding Privileges or Roles to Users on page 9-11.
Attention:
If you alter an object, such as a user named DAVE or a role named CLERK, in any location of the navigator, all instances of the object in the tree are changed.
Removing a User
If you no longer need a particular user in your database, you can remove the user. To remove a user, select the user to be dropped from the Users folder in the navigator and choose Remove from the User menu. The Remove User alert box appears.
Attention:
Click the With Admin Option box to allow the user to grant the role to other users or roles. If you grant a role with the Admin Option, the user can also alter or drop the role.
Attention:
Note:
Attention:
System Privileges: A scrolling list of the system privileges that you are able to grant to users. These are the system privileges you have been granted with the Admin Option. If you have the GRANT ANY PRIVILEGE system privilege, all privileges are listed.
Select the privileges that you want to add to the selected users. Click the With Admin Option box to allow the user to grant the system privileges to other users or roles.
Attention:
Object Privileges: A tree listing of schemas in the database and objects in the schemas displays in the Object window. Click on the '+' to the left of a folder icon to display the object types contained in the schema and then click on the '+' to the left of the object type folder to display available objects. Select the objects that you want to grant privileges for.
After the object is selected, the available privileges for the object are displayed to the right in the Privileges scrolling list.
You can grant an object privilege that you have been granted with the Grant Option. If you are the owner of the object, you can grant all privileges on the object. Select the privileges you want to grant for the selected objects.
Clicking the With Grant Option box allows the user to grant the object privilege to other users and roles.
Attention:
Role
Admin option
Default
System Privilege
Admin Option
Object Privilege
Grant option
For more information on these columns, see the description of the Create User property sheet in the section, Creating a User on page 9-5.
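The Admin Option and Grant Option columns listed above mark grantees who can pass a role or privilege on to others, so they are worth reviewing across the whole database rather than one user at a time. The following query is an added example, not part of the original guide; it reads the standard data dictionary views `DBA_ROLE_PRIVS`, `DBA_SYS_PRIVS`, and `DBA_TAB_PRIVS`, and the exclusion of `SYS`, `SYSTEM`, and `DBA` is an assumption about which grantees you consider expected.

```sql
-- Added example: list every grantee that can re-grant what it holds.
-- Requires access to the DBA_* dictionary views.
SELECT grantee,
       'ROLE'            AS kind,
       granted_role      AS granted,
       'ADMIN OPTION'    AS delegation
FROM   dba_role_privs
WHERE  admin_option = 'YES'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')   -- assumed baseline
UNION ALL
SELECT grantee,
       'SYSTEM PRIVILEGE',
       privilege,
       'ADMIN OPTION'
FROM   dba_sys_privs
WHERE  admin_option = 'YES'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
UNION ALL
SELECT grantee,
       'OBJECT PRIVILEGE',
       privilege || ' ON ' || owner || '.' || table_name,
       'GRANT OPTION'
FROM   dba_tab_privs
WHERE  grantable = 'YES'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY 1, 2, 3;

-- Holders of GRANT ANY PRIVILEGE see every system privilege in the
-- Security Manager list, whether or not they hold it with the
-- Admin Option, so review them separately.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'GRANT ANY PRIVILEGE'
ORDER  BY grantee;
```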
Roles Folder
The Roles object type folder contains information about the roles defined in your database arranged alphabetically in a tree structure. An individual role can be expanded to show the system privileges, object privileges, and subroles granted to the role.
If the folder is named Roles and is a main branch of the database folder, the columns include all the fields on the General page of the Create Role property sheet. For information on these columns, see the description of the Create Role property sheet in the section, Creating a User on page 9-5.
If the folder is named Roles Granted and is contained in a user or role, the list only contains information about roles assigned to the user or role. The columns include:
Name of the role.
Whether the role was granted with the Admin option to the user or role.
Whether the role has been assigned as a default role to the user or role granted to a user.
Suggestion:
If a multi-column list is wider than the window display area, you can increase the viewing area by resizing the application window or dragging the splitter between the left and right sections of the window.
Creating a Role
To create a new role:
Role
Authentication
None: Specifies that a user granted the role may enable it without specifying a password.
Global: Specifies that a user granted the role may enable it globally amongst multiple databases. The global authorization option is only available with Oracle 8 databases.
External: Specifies that the operating system or an external security utility verify the role.
Password: Specifies that a password is required to enable the role. Enter the password in the Enter Password entry field. Enter the password again in the Confirm Password entry field to verify the new password.
This property sheet is identical to the Create Role property sheet. Refer to Creating a User on page 9-5 for information about the Create Role property sheet.
Modifying a Role
To alter the property sheet information for an existing role:
The Role property sheet is identical to the Create Role property sheet except that the name is read-only. Refer to Creating a User on page 9-5 for information about the property sheet.
Suggestion:
If you want to add privileges or roles to multiple roles, use the Add Privileges to Roles menu item. See Adding Privileges or Roles to Roles on page 9-17.
Attention:
If you alter an object, such as a user named DAVE or a role named CLERK, in any location of the navigator, all instances of the object in the tree are changed.
Removing a Role
To remove a role that is no longer needed:
System Privileges
Object Privileges
After the object is selected, the available privileges for the object are displayed to the right in the Privileges scrolling list.
When you select:
Oracle automatically creates a default profile named DEFAULT. The DEFAULT profile initially defines unlimited resources. You can alter the DEFAULT profile to change any of its resource limits.
Any user who is not explicitly assigned a profile is subject to the limits defined in the DEFAULT profile. Also, if the profile that is explicitly assigned to a user omits a limit for a resource or specifies the value DEFAULT for a limit, then the user is subject to the limit on that resource as defined in the DEFAULT profile.
Attention:
For more information about profiles, see the Oracle7 Server Concepts, the Oracle7 Server Administrator's Guide, and the Oracle7 Server SQL Reference.
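Because an omitted limit or a limit set to DEFAULT falls through to the DEFAULT profile, and DEFAULT starts out unlimited, a user's effective limit can differ from what the assigned profile appears to say. The following is an added example, not part of the original guide; the profile name `clerk_profile` and all limit values are hypothetical, and the query relies on the standard `DBA_USERS` and `DBA_PROFILES` dictionary views.

```sql
-- Added example: profile name and limit values are placeholders.

-- A profile that sets two limits and leaves the rest to DEFAULT.
CREATE PROFILE clerk_profile LIMIT
  SESSIONS_PER_USER 2
  IDLE_TIME         30          -- minutes
  CONNECT_TIME      DEFAULT;    -- explicit fall-through

-- Tighten the DEFAULT profile so fall-through no longer means unlimited.
ALTER PROFILE default LIMIT
  IDLE_TIME         60
  SESSIONS_PER_USER 5;

-- Resource limits in profiles are enforced only when the RESOURCE_LIMIT
-- initialization parameter is TRUE:
--   ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

-- Resolve each user's effective limit: where the assigned profile says
-- DEFAULT, substitute the value from the DEFAULT profile. The last
-- predicate keeps only resources that end up with no cap at all.
SELECT u.username,
       u.profile,
       p.resource_name,
       p.limit                                      AS assigned_limit,
       DECODE(p.limit, 'DEFAULT', d.limit, p.limit) AS effective_limit
FROM   dba_users    u,
       dba_profiles p,
       dba_profiles d
WHERE  p.profile       = u.profile
AND    d.profile       = 'DEFAULT'
AND    d.resource_name = p.resource_name
AND    DECODE(p.limit, 'DEFAULT', d.limit, p.limit) = 'UNLIMITED'
ORDER  BY u.username, p.resource_name;
```

Users who were never assigned a profile appear with `DEFAULT` in the `profile` column, so the same query covers them.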
The columns include all the fields on the pages of the Create Profile property sheet. For more information on these columns, see Creating a Profile on page 9-19.
Suggestion:
If a multi-column list is wider than the window display area, you can increase the viewing area by resizing the application window or dragging the splitter between the left and right sections of the window.
Creating a Profile
To create a profile:
Create Profile: General Page
Name
This field allows you to enter the name of a new profile.
These fields determine the amount of time allocated to the CPU per Session, CPU per Call, Connect Time, and Idle Time for this profile. The fields are:
These fields determine the database services allocated to this profile. The fields are:
In the SQL Worksheet, you can use the SQL command ALTER RESOURCE COST to specify the weights for the resources in the Composite Limit. For information about the ALTER RESOURCE COST command, see the Oracle7 Server SQL Reference.
Default: Use the limit specified for this resource in the DEFAULT profile.
Create Like Profile
To create a new profile that has identical parameter settings to an existing profile:
The Create Like property sheet is identical to the Create Profile property sheet. See Creating a Profile on page 9-19 for information about the property sheet.
Altering a Profile
To alter the resource limits for an existing profile:
The Quick Edit property sheet is identical to the Create Profile property sheet except that the name field is read-only. See Creating a Profile on page 9-19 for information about the property sheet.
Attention:
In the SQL Worksheet, you can use the SQL command ALTER RESOURCE COST to specify the weights for the resources in the Composite Limit. For information about the ALTER RESOURCE COST command, see the Oracle7 Server SQL Reference.
Removing a Profile
To remove a profile that is no longer needed:
Copyright © 1996 Oracle Corporation. All Rights Reserved.