Previous | Table of Contents | Next

Page 571

assigned to that user, but the password will be the reserved word external. This will tell Oracle to identify the user only and enable an external source to authenticate the password. ANO will use an authentication server that will have usernames, passwords, and hostnames to verify the password. If the password is authenticated, the user is allowed access to the Oracle database.

Enterprise Authentication

Enterprise Authentication allows a central source for password management and can enforce single sign-on using Oracle Security Service (OSS). The user is called a global user and must be created on each database that he or she will use with the password globally. This will tell Oracle to identify the user only and enable an OSS to authenticate the password and convey user enterprise authorizations. If the password is authenticated, the user is allowed access to the Oracle database. OSS will interface with Oracle Enterprise Manager to centralize security role management and enterprise authorizations. This will enable the user to have global identities that are centrally managed.

Global RolesGlobal roles are different than database roles because they enable you to assign authorization information to (global) users across multiple databases. When a global user logs on to a database, the global roles are dynamically assigned to that user. Global roles must first be assigned to a global user in the Oracle Security Server, then have privileges associated with each global role on the database server. The privileges associated with a global role can differ between databases.

Tablespace Assignment and UsageWhen the user is created, you must tell Oracle where you want to store objects that the user creates in the database; if a storage clause does not specify where to place the objects, this is called the user's default tablespace. The default tablespace should be specified to prevent database objects such as tables or indexes from being created in the system tablespace; if the user will never have the privilege to create an object in the database, you can let it default to system. If the user will be creating objects in the system tablespace, tablespace fragmentation or an out-of-space condition could be the result. The temporary tablespace is really a sort-work area and is used by SQL statements (such as

Page 572

ORDER BY and GROUP BY). The temporary tablespace also is used when a user builds an index. You should specify a temporary tablespace other than the system tablespace, due to the increased contention with the data dictionary.

A tablespace quota limits the size of database objects that users create in a tablespace. The default is to have no quota size limitation, but if a user has allocated database objects in a tablespace and you would like to restrict the use of that tablespace, set the quota for that user to 0 for that tablespace. With this restriction in place, the current objects in that tablespace cannot be allocated any more space, but they will remain in the tablespace.

Database Privilege Management

A privilege can be either an object privilege or system privilege. There are over 60 distinct system privileges that allow users to perform administrative activities on the database (see Table 23.1).

Table 23.1 System Privileges
Privilege Actions Allowed
ANALYZE
ANALYZE ANY Analyze any table, cluster, or index in the database.
AUDIT
AUDIT ANY Audit any schema object in the database.
AUDIT SYSTEM Enable and disable statement and privilege audit options.
CLUSTER
CREATE CLUSTER Create a cluster in own schema.
CREATE ANY CLUSTER Create a cluster in any schema. Behaves similarly to CREATE ANY TABLE.
ALTER ANY CLUSTER Alter any cluster in the database.
DROP ANY CLUSTER Drop any cluster in the database.
DATABASE
ALTER DATABASE Alter the database; add files to the operating system via Oracle, regardless of operating system privileges.
DATABASE LINK
CREATE DATABASE LINK Create private database links in own schema.


Page 573


Privilege Actions Allowed
INDEX
CREATE ANY INDEX Create an index in any schema on any table.
ALTER ANY INDEX Alter any index in the database.
DROP ANY INDEX Drop any index in the database.
LIBRARY
CREATE LIBRARY Create callout libraries in own schema.
CREATE ANY LIBRARY Create callout libraries in any schema
DROP LIBRARY Drop callout libraries in own schema.
DROP ANY LIBRARY Drop callout libraries in any schema.
PRIVILEGE
GRANT ANY PRIVILEGE Grant any system privilege (not object privileges).
PROCEDURE
CREATE PROCEDURE Create stored procedures, functions, and packages in own schema.
CREATE ANY PROCEDURE Create stored procedures, functions, and packages in any schema. (Requires that user also have ALTER ANY TABLE, BACKUP ANY TABLE, DROP ANY TABLE, SELECT ANY TABLE, INSERT ANY TABLE, UPDATE ANY TABLE, DELETE ANY TABLE, or GRANT ANY TABLE privileges.)
ALTER ANY PROCEDURE Compile any stored procedure, function, or package in any schema.
DROP ANY PROCEDURE Drop any stored procedure, function, or package in any schema.
EXECUTE ANY PROCEDURE Execute any procedure or function (standalone or packaged), or reference any public package variable in any schema.
PROFILE
CREATE PROFILE Create profiles.
ALTER PROFILE Alter any profile in the database.
DROP PROFILE Drop any profile in the database.
ALTER RESOURCE COST Set costs for resources used in all user sessions.
								continues

Previous | Table of Contents | Next