Oracle Database User Authentication PDF
Document Details
Uploaded by Deleted User
Tags
Summary
This document provides information about Oracle database user accounts, authentication mechanisms, and database storage structures. It discusses various authentication methods, including database authentication and externally authenticated users, as well as the roles of the DBA. The document also covers tablespaces, datafiles, and segments, providing a foundation of essential database concepts.
Full Transcript
Each database user account has a unique username an authentication method (identified by password) default tablespace temporary tablespace a user profile a lock status quota The SYS account -Is granted the DBA role -Has all privileges with ADMIN OPTION -is required for startup, shut...
Each database user account has a unique username an authentication method (identified by password) default tablespace temporary tablespace a user profile a lock status quota The SYS account -Is granted the DBA role -Has all privileges with ADMIN OPTION -is required for startup, shut down, and maintenance commands -owns the data dictionary -the SYS account is granted the DBA role -these accounts are not used for routine operations SYSOPER privilege can start and shutdown the database perform online and offline backups achieve the current redo log files connect to the database when it is in the RESTRICTED SESSION mode the SYSDBA privilege contains all the rights of SYSOPER plus being able to create a database grant the SYSDBA and SYSOPER privilege to other users users who connect with the SYSDBA privilege connect as the SYS user when creating users CREATE USER user name IDENTIFIED by password DEFAULT TABLESPACE tablespace TEMPORARY TABLESPACE tablespace QUOTA 100M on tablespace PROFILE profile_name PASSWORD EXPIRE ACCOUNT {LOCK|UNLOCK} USERS can be Database authenticated Externally authenticated by the OS Globally - externally maintained user directory For database authenticated users YOU MUST ASSIGN a password ORACLE TABLESPACE a tablespace is a logical storage - used to group and manage segments which are the physical storage units for database objects such as tables, indexes, partitions tablespace provide a way to organize and allocate storage for database objects efficiently Default Tablespace - default tablespace for the user when a user creates objects like tables, indexes without explicitly specifying a tablespace, they will be created in this default tablespace Temporary Tablespace - are used for sorting and storing temporary data during query processing QUOTA on tablespace amount of space that user can utilize in specific tablespaces. when the user gets created and specified their default, temporary tablespace, tablespaces quotas allows for initial configuration tailored to the user's requirements and expected workout. Ensures that the user starts with appropriate storage settings from the beginning Authenticated users password is saved in the database requires explicitly defined username and password when connecting to the database Database Authentication With database authentication, users are authenticated by the database itself using credentials stored within the database. When a user attempts to connect to the database, user provides their username and password which are verified against the database's internal authentication mechanism OS_AUTHENT_PREFIX parameter sets the prefix of the user, by default it is OPS$ EXTERNALLY AUTHENTICATED USER with externally authentication, your database relies on the underlying OS or network authentication service to restrict access to database accounts you don't need a database password for this type of login if your OS or network service permits, then you can have it authenticate users Set the initialization parameter OS_AUTHENT_PREFIX, and use this prefix in Oracle Database user names The OS_AUTHENT_PREFIX parameter defines a prefix that Oracle Database adds to the beginning of every user's operating system account name Oracle compares the prefixed user name with the Oracle user names in the database when a user attempts to connect user authentication is delegated to an external source or system outside of the Oracle Database. This external source could be an operating system, an LDAP (Lightweight Directory Access Protocol) directory service, or another authentication service Users are authenticated based on their credentials stored outside the database such as OS credentials or credentials managed by an LDAP directory Oracle Database supports various external authentication methods including -OS authentication -Kerberos authentication -integration with LDAP directory External authentication i commonly used in environments where user authentication is already managed externally, and organizations want to leverage existing authentication mechanisms without duplicating user credentials in the database Data Storage Structure in non Automatic Storage Management (ASM) environment In a non-ASM environment, database administrators manage storage manually using the operating system's file system. NON ASM Components are Tablespaces - logical container, contains segments Datafiles - fundamental units of data storage, contains the actual database data including tables , indexes, and other database objects. Each datafile is associate with a specific tablespace Segments - used to store specific types of database objects, are made up of extents Extents - is a collection of contiguous blocks that are allocated to a segment, inside of a datafile Blocks - smallest units of storage. Also called database blocks or pages. The size of a block is defined at the time of database creation and usually a multiple of the operating system block size. a inside of an extent They represent the basic building blocks of the database's storage infrastructure A tablespaces contain segments segments are made up of extents, extents are composed of blocks and blocks are stored in datafiles an extent is a contiguous set of data blocks allocated to a specific database object such as a table or an index, when a table or index needs more space to store data, oracle database allocates extents to accommodate the additional data USER VIEWS views are database objects that provide a customizable and simplified representation of the underlying data stored in tables, indexes, and other database objects are virtual tables Dictionary Views Data base dictionary views that allow you to get information on database users Dictionary views are database views that store information on the database. They store metadata, which includes details about database objects, users, privileges, and other configurations Roles Role characteristics each role name must be unique among existing usernames and role names just as you can grant a privilege to a user GRANT CREATE TABLE TO user_name you can also do it with roles GRANT role_name to user_name Can consist of both system and object privileges roles can be enabled or disabled for a user can require a password to enable are not owned by anyone, are not in any schema have their description stored in the data dictionary Roles are not allowed WITH ADMIN OPTION or WITH GRANT OPTION Benefits of Roles Reduced granting of privileges Dynamic privilege management Selective availability of privileges No cascading revokes - The CASCADE option revokes the specified privilege and any privileges that are dependent upon the granted privilege this doesn't remove the privilege to a user that has been granted by a user that we just revoked User1 has Role A, which includes privileges like SELECT and INSERT. User1 grants the SELECT privilege (from their role) to User2. If Role A is revoked from User1, User2's SELECT privilege remains intact because revoking the role does not cascade and remove privileges already granted by User1. NOT IDENTIFIED when a user account is created "NOT IDENTIFIED", it means that the user is not required to provide any authentication credentials (such as username or password) typically used for users who will be authenticated externally by the operating system or another external mechanism IDENTIFIED BY password With "IDENTIFIED BY password," the user is required to provide a password when connecting to the database. The password specified in the statement becomes the user's login password. This is the most common method of authentication in Oracle Database. IDENTIFIED USING package "IDENTIFIED USING package" allows for custom authentication mechanisms using a PL/SQL package. When this option is specified, Oracle Database calls the specified PL/SQL package to authenticate the user during the login process. IDENTIFIED EXTERNALLY "IDENTIFIED EXTERNALLY" indicates that the user will be authenticated externally by the operating system or another external mechanism. When a user attempts to connect to the database, Oracle relies on the operating system to authenticate the user based on the operating system user account credentials. OBJECT PRIVILIGE TO A USER GRANT SELECT, UPDATE ON employees(table name) TO hr_clerk (roles) SYSTEM PRIVILEGE GRANT hr_clerk TO David, Rachel (names) ESTABLISHING DEFAULT ROLES SQL> ALTER USER scott DEFAULT ROLE hr_clerk, sales_clerk; a default role is a subset of these roles that is automatically enabled when the user logs on changes the user (scott) to enable the roles when scott logs in ENABLING AND DISABLING ROLES enabling and disabling roles in the user session is controlled by the user disable a role to temporarily revoke the role from the session The SET ROLE command enables and disables roles Default roles are enabled for a user at login A password may be required to enable a role SQL> SET ROLE sales_clerk IDENTIFIED BY commission; enables sales_clerk role with its password REMOVING ROLES SQL> REVOKE hr_clerk FROM david; removes the role hr_clerk from David When you drop a role, the Oracle server revokes it from all users and roles to whom it has been granted and removes it from the database You must have been granted the role WITH ADMIN OPTION or have DROP ANY ROLE system privilege to drop the role. When created, Oracle User does not have any privileges on the database or its objects. The DBA or Security administrator have to assign the least level of privileges that will allow the user to do his/her work CONNECT role allows users to connect to the database RESOURCE role provides basic privileges necessary for creating and managing database objects, such as tables, views, sequences, and procedures. They can also perform common DDL operations within their own schema DBA (Database Administrator): The DBA role is a powerful role that provides extensive privileges for database administration tasks WORKING WITH NON IDENTIFIED DEFAULT ROLES role is considered default role for user when assigned to user Default roles are automatically active when the user connects to the database ALTER USER u1 DEFAULT ROLE ALL EXCEPT R3 this alters u1 and removes R3 as default roles SYSTEM PRIVILEGES GRANT CREATE SESSION TO user1 OBJECT PRIVILEGES GRANT SELECT, INSERT ON table1 TO user1 AUDITING refers to the process of monitoring and recording various activities and events that occur within a system or application auditing can notify administrators of suspicious or questionable activities Types of Auditing Statement Auditing - enables you to audit SQL statements by type of statement Tracks what type of SQL commands are used (CREATE TABLE, DROP TABLE) but does not focus on specific objects (like a particular table or user) Tracks actions regardless of the privilege a user has. It focuses on the type of action Privilege Auditing - tracks the user of specific system privilege, Example: if you enable AUDIT CREATE TABLE, it will track every time a user uses the privilege to create a table If a user has the privilege (e.g., CREATE TABLE) and uses it to create a table, this action will be audited. privilege auditing is more focused than statement auditing to audit a selected user or every user in the database Schema Object Auditing - tracks specific actions like (SELECT, INSERT, UPDATE, or DELETE) on a specific table or object Example: If you enable AUDIT SELECT ON employees, it will track all SELECT statements run on the employees table this type of auditing applies to all users enables you to audit specific statements on a particular schema object such as AUDIT SELECT ON employees. Fine Grained Auditing - Tracks actions based on detailed, custom conditions. Enables auditing based on access to or changes in a column. Audit records include information about the operation that was audited the user performing and the date and time of the operation Audit records can be stored in one of two places Data dictionary table, called the database audit trail Operating system files, called an operating system audit trail Database Audit Trail The database audit trail consists of a single table named SYS.AUD$ in the SYS schema of the data dictionary of each Oracle database Oracle Database allows audit trail records to be directed to an operating system audit trail if the operating system makes such an audit trail available to Oracle Database. If not, then audit records are written to a file outside the database In Windows, the information is normally accessed through Event Viewer Some database-related actions are always recorded into the operating system and syslog audit trails regardless of whether database auditing is enabled The fact that these records are always created is sometimes referred to as mandatory auditing At instance startup, an audit record is generated that includes the operating system user starting the instance, the terminal identifier of the user, and the date and time stamp. This information is recorded into the operating system or syslog audit trails because the database audit trail is not available until after startup has successfully completed. At instance shutdown, an audit record is generated that details the operating system user shutting down the instance, the terminal identifier of the user, and the date and time stamp when a user shutting down the instance an audit record is generated that details the operating system user connecting to Oracle Database with administrator privileges When are Audit Records created? Standard auditing for the entire database is EITHER ENABLED OR DISABLED BY THE SECURITY ADMINISTRATOR if it is disabled, then no audit records are created if database auditing, enabled by the security administrator, then individual audit options become effective. These audit options can be set by any authorized database user for database objects he owns. when auditing is enabled in the database and an action set to be audited occurs, an audit record is generated during the execute phase of the statement SQL statements inside PL/SQL program units are individually audited, as necessary, when the program unit is executed Regardless of whether the transaction is committed or rolled back, the audit record about the transaction is still saved. For statement, privilege, and schema object auditing, Oracle allows the selective auditing of successful executions of statements (using WHENEVER SUCCESSFUL clause) unsuccessful attempts to execute statements (USING WHENEVER NOT SUCCESFFUL clause) both (using neither clause) In Oracle, you can configure statement, privilege, and schema object auditing to track successful or unsuccessful actions (or both) performed by users. Therefore, you can monitor actions even if the audited statements do not complete successfully. Statements that fail to execute because they were not valid cannot be audited SETUP STANDARD AUDITING AUDIT_TRAIL - this parameter specifies where audit records are written. It determines the destination for the audit trail Possible values: OS: Audit records are written to the operating system's audit trail. This option is available only on platforms where the operating system provides auditing capabilities. XML: Audit records are written in XML format to the operating system's audit trail or to the operating system file system AUDIT_FILE_DEST-This parameter specifies the directory location where audit files are stored when AUDIT_TRAIL is set to OS or XML AUDIT_SYS_OPERATIONS: This parameter determines whether to audit operations issued by users connecting as SYSDBA or SYSOPER. What can be audited? Statement Privilege Object Network Restoration is the process of copying backup files to their original locations to make them available to the Oracle database server Recovery involves updating these restored files using archived and online redo logs. These logs contain records of changes made to the database after the backup was taken. This step ensures the database reflects all changes up to the point of failure RMAN (Recovery Manager) can be used to automate the recovery process. It can also utilize incremental backups, which contain only the data blocks that changed since the last backup, making the recovery process faster and more efficient Media recovery process - Media recovery involves applying archived redo logs and online redo logs to roll forward the restored database files. This updates the datafiles to include all changes made since the last backup Oracle Flashback Technology: Oracle Flashback provides tools like Flashback Database and Flashback Table to quickly revert the database to a previous state in case of logical data corruption or user errors, without going through the full recovery process Crash and Instance Recovery: Oracle automatically performs crash recovery and instance recovery after a database failure. Crash recovery is for single-instance databases that have crashed, while instance recovery applies to Oracle Real Application Clusters (RAC) where one or more instances have failed A backup is a copy of data from a database that you save to another location to protect against data loss. There are different types of backups, each serving different purposes Full Backups: A full backup includes every allocated block in a datafile. (It copies everything that is in use.) Incremental Backups Incremental backups copy only the data blocks that have changed since a previous backup Types Differential Incremental Backups: Back up all changes since that last incremental backup at the same or lower level Cumulative Incremental Backups: Back up all changes since the last level 0 backup