1. Creating a user
The DBA creates a user with the CREATE USER statement:
CREATE USER user
IDENTIFIED BY password;
Example: CREATE USER test IDENTIFIED BY clerk;
2. Changing a user's password
ALTER USER user
IDENTIFIED BY password;
Example: ALTER USER test IDENTIFIED BY test;
3. Granting system privileges
GRANT privilege [, privilege ...]
TO {user | role | PUBLIC} [, {user | role | PUBLIC} ...];
Example: GRANT create session,create table,create sequence,create view
TO test;
Note: an application developer typically needs the following system privileges:
-CREATE SESSION
-CREATE TABLE
-CREATE SEQUENCE
-CREATE VIEW
-CREATE PROCEDURE
4. Creating a role
CREATE ROLE manager;
5. Granting privileges to a role
GRANT DROP ANY table,DROP ANY view
TO manager;
6. Granting a role to a user
GRANT manager TO test;
7. Data dictionary views for roles
ROLE_SYS_PRIVS ---- system privileges granted to roles
USER_ROLE_PRIVS ---- roles accessible to the current user
ROLE_ROLE_PRIVS ---- roles granted to roles
8. Object privileges
Object privilege   Table   View   Sequence   Procedure/Function/Package
ALTER              Y              Y
SELECT             Y       Y      Y
DELETE             Y       Y
INSERT             Y       Y
UPDATE             Y       Y
INDEX              Y
EXECUTE                                      Y
9. Granting object privileges
GRANT object_priv [(columns)]
ON object
TO {user | role | PUBLIC}
[WITH GRANT OPTION];
Example 1: grant the query privilege on the EMP table
GRANT select
ON emp
TO test;
Example 2: grant the update privilege on specific columns to a user and a role
GRANT update(sal,comm)
ON emp
TO test,manager;
Example 3: grant a user a privilege together with the right to pass it on (cascading grant)
GRANT select,insert
ON dept
TO test
WITH GRANT OPTION;
Example 4: allow every user on the system to query data from scott's dept table
GRANT select
ON scott.dept
TO PUBLIC;
10. Confirming granted privileges
Data dictionary view   Description
ROLE_SYS_PRIVS         system privileges granted to roles
USER_SYS_PRIVS         system privileges granted to the user
ROLE_ROLE_PRIVS        roles granted to roles
USER_ROLE_PRIVS        roles accessible to the user
ROLE_TAB_PRIVS         table privileges granted to roles
USER_TAB_PRIVS         object privileges granted to the user
USER_COL_PRIVS         privileges granted to the user on object columns
11. Revoking object privileges
REVOKE {privilege [, privilege ...] | ALL}
ON object
FROM {user [, user ...] | role | PUBLIC};
Note: privileges that the grantee passed on to other users through WITH GRANT OPTION are revoked as well (the revoke cascades down the grant chain).
Example: user scott revokes the SELECT and INSERT privileges on the DEPT table from user test
REVOKE select,insert
ON dept
FROM test;
12. Revoking system privileges
REVOKE {privilege [, privilege ...]}
FROM {user | role | PUBLIC} [, {user | role | PUBLIC} ...];
Example: revoke the create view system privilege from user test
REVOKE create view
FROM test;
Note: unlike object privileges, revoking a system privilege does not cascade: users who received it from the grantee (via WITH ADMIN OPTION) keep it and must be revoked separately.
13. Creating a database link
CREATE DATABASE LINK remote
USING 'qqq';
('qqq' is the connect string, i.e. the TNS alias, of the remote database.)
14. Writing SQL statements that use the database link
SELECT * FROM emp@remote;
15. Summary
Statement     Purpose
CREATE USER   creates a user (usually run by the DBA)
ALTER USER    changes a user's password
CREATE ROLE   creates a named set of privileges (usually run by the DBA)
GRANT         gives other users privileges to access this user's objects
REVOKE        removes privileges on this user's objects
Exercises
1. Create user soft with password yang
CONN sys/sys@orcl as sysdba;
CREATE USER soft IDENTIFIED BY yang;
2. Change user soft's password to soft
ALTER USER soft IDENTIFIED BY soft;
3. Grant user soft the login privilege (create session), plus create table and create any view
GRANT create session,create table,create any view
TO soft;
4. View the privileges granted to user soft
CONN soft/soft@orcl;
SELECT *
FROM USER_SYS_PRIVS;
5. Create the role CLERK
CONN sys as sysdba;
password:sys
CREATE ROLE clerk;
6. Grant the role CLERK the following system privileges: alter any table, drop any view
GRANT alter any table,drop any view TO clerk;
7. Grant the role clerk to user soft
GRANT clerk TO soft;
8. Query the roles that were granted
CONN soft/soft@orcl;
SELECT * FROM ROLE_SYS_PRIVS;
SELECT * FROM USER_ROLE_PRIVS;
9. Grant user soft the select, update (dname column only) and insert privileges on scott's dept table
CONN scott/tiger@orcl;
GRANT select,update(dname),insert
ON dept
TO soft;
10. As user soft, insert into and query scott's dept table
CONN soft/soft@orcl;
SELECT * FROM scott.dept;
INSERT INTO scott.dept
VALUES (70,'coding','shenyang');
11. Update data in the dept table
UPDATE scott.dept
SET dname='dep'
WHERE deptno=70;
12. User scott grants the query privilege on the emp table to user soft WITH GRANT OPTION; user soft then grants that query privilege on to user test
CONN scott/tiger@orcl;
GRANT select ON emp
TO soft
WITH GRANT OPTION;
CONN sys/sys@orcl as sysdba;
CREATE USER test IDENTIFIED BY test;
CONN soft/soft@orcl;
GRANT select ON scott.emp TO test;
13. As user soft, create a view dept_v that queries scott's dept table
CREATE OR REPLACE VIEW dept_v
AS SELECT *
FROM scott.dept;
14. View information about the view
DESC dept_v;
15. Remove user soft's select privilege on scott's dept table
CONN scott/tiger@orcl;
REVOKE select ON dept
FROM soft;
16. Look at user soft's view dept_v
CONN sys/sys@orcl as sysdba;
or:
CONN soft/soft@orcl;
DESC soft.dept_v;
Note: user scott cannot view it (scott holds no privilege on soft's objects).
17. Remove user soft's CREATE TABLE system privilege
REVOKE create table
FROM soft;
18. Drop user soft
DROP USER soft;
Note: if soft still owns objects (such as the view dept_v), Oracle rejects the plain DROP USER and the statement must be written as DROP USER soft CASCADE;
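The cascade described in the note to item 11 and exercised in exercises 12 and 15 can be verified from the data dictionary instead of by trial and error. The script below is an added example, not part of the original notes; it assumes a DBA-privileged session (as in the CONN sys ... AS SYSDBA lines above), the standard Oracle DBA_* views, and the scott/soft/test accounts created in the exercises.

```sql
-- Added audit script (not part of the original notes). Run as a DBA-privileged
-- user. DBA_TAB_PRIVS, DBA_COL_PRIVS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS are
-- Oracle's standard dictionary views; SCOTT, SOFT, TEST and CLERK are the
-- accounts and role from the exercises above (assumed to exist).

-- 1. Who holds object privileges on SCOTT's tables, and which grants may be
--    passed on further (GRANTABLE = 'YES')? GRANTOR exposes the grant chain
--    (SCOTT -> SOFT -> TEST after exercise 12).
SELECT grantee, table_name, privilege, grantor, grantable
FROM   dba_tab_privs
WHERE  owner = 'SCOTT'
ORDER  BY table_name, grantee;

-- 2. Prove the cascade of item 11: once SCOTT has run
--    "REVOKE select ON emp FROM soft", neither SOFT nor TEST should appear
--    for EMP. An empty result is the expected state; a surviving row means a
--    grant came from another grantor and needs a second look.
SELECT grantee, privilege, grantor
FROM   dba_tab_privs
WHERE  owner = 'SCOTT' AND table_name = 'EMP'
AND    grantee IN ('SOFT', 'TEST');

-- 3. Object privileges handed to PUBLIC (example 4 grants scott.dept to
--    everyone). Every row here is reachable from every account that can log in.
SELECT owner, table_name, privilege, grantor
FROM   dba_tab_privs
WHERE  grantee = 'PUBLIC'
AND    owner NOT IN ('SYS', 'SYSTEM');

-- 4. Broad "ANY" system privileges held directly or through a role
--    (the CLERK role carries ALTER ANY TABLE and DROP ANY VIEW).
SELECT sp.grantee, sp.privilege, CAST('DIRECT' AS VARCHAR2(40)) AS via
FROM   dba_sys_privs sp
WHERE  sp.privilege LIKE '%ANY%'
UNION ALL
SELECT rp.grantee, sp.privilege, CAST('ROLE ' || rp.granted_role AS VARCHAR2(40))
FROM   dba_role_privs rp
JOIN   dba_sys_privs  sp ON sp.grantee = rp.granted_role
WHERE  sp.privilege LIKE '%ANY%'
ORDER  BY 1, 2;

-- 5. Column-level grants (exercise 9: UPDATE(dname) ON dept TO soft).
SELECT grantee, table_name, column_name, privilege, grantable
FROM   dba_col_privs
WHERE  owner = 'SCOTT';
```

Query 2 run before and after exercise 15 shows the TEST row disappearing together with the SOFT row, which is the cascading revoke in action.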