Administering User Security管理用戶安全
show parameter case;
you should be able to:
1、Create and manage database user accounts:
2、Authenticate users
3、Assign default storage areas (tablespaces)
4、Grant and revoke privileges
5、Create and manage roles
6、Create and manage profiles:
7、Implement standard password security features
8、Control resource usage by users
Database User Accounts
Each database user account has:
A unique username
An authentication method
A default tablespace
A temporary tablespace
A user profile
An initial consumer group
An account status
A schema:
Is a collection of database objects that are owned by a database user
Has the same name as the user account
Predefined Administrative Accounts
SYS account:
Is granted the DBA role, as well as several other roles.
Has all privileges with ADMIN OPTION
Is required for startup, shutdown, and some maintenance commands
Owns the data dictionary and the Automatic Workload Repository (AWR)
SYSTEM account is granted the DBA, MGMT_USER, and AQ_ADMINISTRATOR_ROLE roles.
DBSNMP account is granted the OEM_MONITOR role.
SYSMAN account is granted the MGMT_USER, RESOURCE and SELECT_CATALOG_ROLE roles.
These accounts are not used for routine operations.
create , update 操作 with admin option 轉授權限,
revoke時系統權限不會級聯回收,但對象權限會級聯回收,對象如scott.emp表
Administrator Authentication
Operating system security:
DBAs must have the OS privileges to create and delete files.
Typical database users should not have the OS privileges to create or delete database files.
Administrator security:
For SYSDBA, SYSOPER, and SYSASM connections:
DBA user by name is audited for password file and strong authentication methods
OS account name is audited for OS authentication
OS authentication takes precedence over password file authentication for privileged users
Password file uses case-sensitive passwords
There are two types of user privileges:
System: Enables users to perform particular actions in the database
Object: Enables users to access and manipulate a specific object
Benefits of Roles 角色的好處:
Easier privilege management
Dynamic privilege management
Selective availability of privileges
profile
show parameter resource_limit;
resource_limit 必須爲真true,所有profile設定才能生效,默認爲false;
Supplied Password Verification Function: VERIFY_FUNCTION_11G
The VERIFY_FUNCTION_11G function insures that the password is:
At least eight characters
Different from the username, username with a number, or username reversed
Different from the database name or the database name with a number
A string with at least one alphabetic and one numeric character
Different from the previous password by at least three letters
Tip: Use this function as a template to create your own customized password verification.
最小權限化原則