8 Administering User Security
Copyright 2009, Oracle. All rights reserved.

Objectives
After completing this lesson, you should be able to:
- Create and manage database user accounts:
  - Authenticate users
  - Assign default storage areas (tablespaces)
- Grant and revoke privileges
- Create and manage roles
- Create and manage profiles:
  - Implement standard password security features
  - Control resource usage by users

Database User Accounts
Each database user account has:
- A unique username
- An authentication method
- A default tablespace
- A temporary tablespace
- A user profile
- An initial consumer group
- An account status
A schema:
- Is a collection of database objects that are owned by a database user
- Has the same name as the user account

Predefined Administrative Accounts
- SYS account:
  - Is granted the DBA role, as well as several other roles.
  - Has all privileges with ADMIN OPTION
  - Is required for startup, shutdown, and some maintenance commands
  - Owns the data dictionary and the Automatic Workload Repository (AWR)
- SYSTEM account is granted the DBA, MGMT_USER, and AQ_ADMINISTRATOR_ROLE roles.
- DBSNMP account is granted the OEM_MONITOR role.
- SYSMAN account is granted the MGMT_USER, RESOURCE and SELECT_CATALOG_ROLE roles.
These accounts are not used for routine operations.

Creating a User
Select Server > Users, and then click the Create button.

Authenticating Users
- Password
- External
- Global

Administrator Authentication
Operating system security:
- DBAs must have the OS privileges to create and delete files.
- Typical database users should not have the OS privileges to create or delete database files.
Administrator security:
- For SYSDBA, SYSOPER, and SYSASM connections:
  - DBA user by name is audited for password file and strong authentication methods
  - OS account name is audited for OS authentication
- OS authentication takes precedence over password file authentication for privileged users
- Password file uses case-sensitive passwords

Unlocking a User Account and Resetting the Password
Select the user, select Unlock User, and click Go.

Privileges
There are two types of user privileges:
- System: Enables users to perform particular actions in the database
- Object: Enables users to access and manipulate a specific object
[Diagram: HR_DBA with the system privilege "Create session" and the object privilege "Update employees"]

System Privileges

Object Privileges
To grant object privileges:
- Choose the object type.
- Select objects.
- Select privileges.
- Search and select objects.

Revoking System Privileges with ADMIN OPTION
REVOKE CREATE TABLE FROM joe;
[Diagram: GRANT and REVOKE among DBA, Joe, and Emily; legend: User, Privilege, Object]

Revoking Object Privileges with GRANT OPTION
[Diagram: GRANT and REVOKE among Bob, Joe, and Emily]

Benefits of Roles
- Easier privilege management
- Dynamic privilege management
- Selective availability of privileges

Assigning Privileges to Roles and Assigning Roles to Users
[Diagram: Users: Jenny, David, Rachel. Roles: HR_CLERK, HR_MGR. Privileges: Delete employees, Select employees, Update employees, Insert employees, Create Job.]

Predefined Roles
Role: Privileges Included
- CONNECT: CREATE SESSION
- RESOURCE: CREATE CLUSTER, CREATE INDEXTYPE, CREATE OPERATOR, CREATE PROCEDURE, CREATE SEQUENCE, CREATE TABLE, CREATE TRIGGER, CREATE TYPE
- SCHEDULER_ADMIN: CREATE ANY JOB, CREATE EXTERNAL JOB, CREATE JOB, EXECUTE ANY CLASS, EXECUTE ANY PROGRAM, MANAGE SCHEDULER
- DBA: Most system privileges; several other roles. Do not grant to nonadministrators.
- SELECT_CATALOG_ROLE: No system privileges; HS_ADMIN_ROLE and over 1,700 object privileges on the data dictionary

Creating a Role
Select Server > Roles. Add privileges and roles from the appropriate tab. Click OK when finished.

Secure Roles
- Roles can be nondefault and enabled when required.
  SET ROLE vacationdba;
- Roles can be protected through authentication.
- Roles can also be secured programmatically.
  CREATE ROLE secure_application_role IDENTIFIED USING ;

Assigning Roles to Users

Quiz
All passwords created in Oracle Database 11g are not case-sensitive by default.
1. True
2. False

Quiz
A database role:
1. Can be enabled or disabled
2. Can consist of system and object privileges
3. Is owned by its creator
4. Cannot be protected by a password

Profiles and Users
Users are assigned only one profile at a time.
Profiles:
- Control resource consumption
- Manage account status and password expiration
Note: RESOURCE_LIMIT must be set to TRUE before profiles can impose resource limitations.

Implementing Password Security Features
- Password history
- Account locking
- Password aging and expiration
- Password complexity verification
[Diagram: User; Setting up profiles]
Note: Do not use profiles that cause the SYS, SYSMAN, and DBSNMP passwords to expire and the accounts to be locked.

Creating a Password Profile

Supplied Password Verification Function: VERIFY_FUNCTION_11G
The VERIFY_FUNCTION_11G function ensures that the password is:
- At least eight characters
- Different from the username, username with a number, or username reversed
- Different from the database name or the database name with a number
- A string with at least one alphabetic and one numeric character
- Different from the previous password by at least three letters
Tip: Use this function as a template to create your own customized password verification.

Assigning Quotas to Users
Users who do not have the UNLIMITED TABLESPACE system privilege must be given a quota before they can create objects in a tablespace.
Quotas can be:
- A specific value in megabytes or kilobytes
- Unlimited

Applying the Principle of Least Privilege
- Protect the data dictionary:
  O7_DICTIONARY_ACCESSIBILITY=FALSE
- Revoke unnecessary privileges from PUBLIC.
- Use access control lists (ACL) to control network access.
- Restrict the directories accessible by users.
- Limit users with administrative privileges.
- Restrict remote database authentication:
  REMOTE_OS_AUTHENT=FALSE

Protect Privileged Accounts
Privileged accounts can be protected by:
- Using password file with case-sensitive passwords
- Enabling strong authentication for administrator roles
[Diagram label: SYSDBA]

Quiz
Applying the principle of least privilege is not enough to harden the Oracle database.
1. True
2. False
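
The two revoke slides (ADMIN OPTION and GRANT OPTION) differ in whether a revoke cascades. The script below is an added example, not part of the Oracle course material; it reuses the slide names DBA, Joe, Emily and Bob, and assumes a hypothetical table bob.employees. Comments mark which session runs each statement.

```sql
-- Constructed walk-through; bob.employees is a hypothetical table.

-- 1. System privilege granted WITH ADMIN OPTION: REVOKE does not cascade.
-- Session: DBA
GRANT CREATE TABLE TO joe WITH ADMIN OPTION;
-- Session: joe
GRANT CREATE TABLE TO emily;
-- Session: DBA
REVOKE CREATE TABLE FROM joe;

-- Check (session: DBA): EMILY is still listed, JOE is not.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE TABLE'
   AND grantee IN ('JOE', 'EMILY');

-- Cleanup the DBA has to do explicitly, because nothing cascaded.
REVOKE CREATE TABLE FROM emily;

-- 2. Object privilege granted WITH GRANT OPTION: REVOKE cascades.
-- Session: bob (owner of the table)
GRANT SELECT ON bob.employees TO joe WITH GRANT OPTION;
-- Session: joe
GRANT SELECT ON bob.employees TO emily;
-- Session: bob
REVOKE SELECT ON bob.employees FROM joe;

-- Check (session: DBA): no rows for JOE or EMILY remain,
-- because Emily's grant depended on Joe's.
SELECT grantee, grantor, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'BOB'
   AND table_name = 'EMPLOYEES';
```

When reviewing who can still create objects after an administrator's access is removed, query DBA_SYS_PRIVS for everyone that administrator granted to, since those grants survive.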
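
The profile, password-verification, role and quota slides combined into one provisioning script. This is an added example, not part of the Oracle course material; app_user_profile, the limit values, the initial password, hr.employees and the USERS/TEMP tablespaces are assumptions, and VERIFY_FUNCTION_11G is assumed to have been created by running utlpwdmg.sql as SYS.

```sql
-- Constructed example for Oracle Database 11g; names and values are hypothetical.

-- Profile resource limits are ignored until this parameter is TRUE.
ALTER SYSTEM SET resource_limit = TRUE;

CREATE PROFILE app_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5                     -- account locking
  PASSWORD_LOCK_TIME       1                     -- days locked after the failures
  PASSWORD_LIFE_TIME       90                    -- password aging (days)
  PASSWORD_GRACE_TIME      7                     -- days of warning before expiry
  PASSWORD_REUSE_TIME      365                   -- password history: both reuse
  PASSWORD_REUSE_MAX       10                    -- limits must be set together
  PASSWORD_VERIFY_FUNCTION verify_function_11g   -- complexity verification
  SESSIONS_PER_USER        3                     -- resource usage
  IDLE_TIME                30;                   -- minutes

-- Privileges go to a role, the role goes to the user.
CREATE ROLE hr_clerk;
GRANT CREATE SESSION TO hr_clerk;
GRANT SELECT, UPDATE ON hr.employees TO hr_clerk;

-- The initial password is a constructed sample; PASSWORD EXPIRE forces
-- the user to replace it at first login.
CREATE USER jenny IDENTIFIED BY "Sample_Initial_Pw1"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 10M ON users        -- needed because jenny lacks UNLIMITED TABLESPACE
  PROFILE app_user_profile
  PASSWORD EXPIRE
  ACCOUNT UNLOCK;

GRANT hr_clerk TO jenny;

-- Confirm what was created.
SELECT username, account_status, profile, default_tablespace
  FROM dba_users
 WHERE username = 'JENNY';

SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USER_PROFILE'
 ORDER BY resource_type, resource_name;
```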
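
Read-only checks for the items on the "Applying the Principle of Least Privilege" and "Protect Privileged Accounts" slides. This is an added example, not part of the Oracle course material; the four package names in the PUBLIC query are an assumption about which grants to review first, and the queries are meant to be run as a DBA on Oracle Database 11g.

```sql
-- Constructed audit queries; adjust the package list to your own baseline.

-- Initialization parameters named on the slides (expected: FALSE, FALSE, TRUE).
SELECT name, value
  FROM v$parameter
 WHERE name IN ('o7_dictionary_accessibility',
                'remote_os_authent',
                'resource_limit');

-- EXECUTE granted to PUBLIC on packages that reach the file system or network.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND privilege = 'EXECUTE'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_SMTP', 'UTL_HTTP');

-- Network access control lists currently defined.
SELECT host, lower_port, upper_port, acl
  FROM dba_network_acls;

-- Directory objects, i.e. the OS paths users can reach through the database.
SELECT owner, directory_name, directory_path
  FROM dba_directories;

-- Who holds administrative power: the DBA role and password-file entries.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA';

SELECT username, sysdba, sysoper, sysasm
  FROM v$pwfile_users;

-- Users exempt from quotas.
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'UNLIMITED TABLESPACE';
```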