From the documentation I understood that the schemas are related to one user. I want to create 6 schemas that each will have its tables, but I want just one user that can connect through php and insert some data in those tables (will hace access to the other schemas).
I know you can just assign the CONNECT and RESOURCE roles to those users, but from what i read its not the best option regarding security.
I thought about making 2 roles, one for the schema users and another for the php user.
For the php user: GRANT CREATE SESSION, UNLIMITED TABLESPACE to
For the schema users; but do i need some privileges for these users? Since they will not be accessed
Is this a correct way to do this?
In Oracle each schema is also a user. You can lock users that you do not want people to log in to and then give the user that you want to login privileges on the objects in the other schemas.
Related
I have a database and want to give out roles and privileges.
My aim is to allow multiple users - all have the same privileges - to be able to create, edit and view the tables (That's it).
I understand there are user table privileges that allow a user to Create, alter, drop and delete items in tables. But I also understand that there is a
resource user pre-defined role that allows a user to do the same thing.
Would I offer both of the roles? The table-level privileges and predefined roles? What would happen if I do offer both? Can I?
That is more a database administration question, as you have users that develop their own tables. And the heart of your question, "one size fits all prepacked" role RESOURCE or better a bespoke solution for your set of users is really one of administrative style, taste, and your special case.
Personally, I don't like the role RESOURCE as it lacks the privilege CREATE VIEW.
Please note that the privilege CREATE TABLE (granted directly or via a role) allows the user to create tables in his/her own schema. To create tables in other schemas (or "all the tables on the database"), you need the privilege CREATE ANY TABLE. See documentation for details.
I want to import schema to my new host. First I had created new user account:
CREATE USER test IDENTIFIED BY test;
What kind of privileges I need to grant to have super role?
(create schema, tables, packages, triggers...etc)
It's one privilege to grant me access to all of them?
You should grant only those privileges that are required for a newly created user to work. One by one.
CREATE SESSION is the first one; without it, user can't even connect to the database.
CREATE TABLE is most probably also required, if user TEST is going to create his own tables.
That's enough to get it started. Once it appears that user needs to create a procedure, you'll grant CREATE PROCEDURE. And so forth.
There are/were roles named CONNECT and RESOURCE which contained the "most frequent" privileges one needed, but their use is - as far as I can tell & in my opinion - discouraged.
I'm using Oracle's 10g version.
In the database, I would like to create a configuration table and fill it with data.
Then the other users can not change anything in it, and even better that it was not at all visible to other users. Is it possible to somehow hide the table?
Regards
Create a separate schema for that table. Create a package that provides an API to your configuration data (e.g. to get a value that is needed by another program).
Revoke CREATE SESSION privilege from that schema (i.e. just don't grant any privileges to the schema at all). Don't grant any privileges on the table. The only users who will be able to see the table are those with DBA privileges.
The only thing that database sessions will be able to do is execute the package, IF they have been granted EXECUTE privilege on it.
If you do not grant enough privileges to other users, they could not see your objects.
An application needs to access various Oracle database. Some databases have tables in Schemas, some don't - there's no control over this.
If a database has a schema in use, the applicable won't work unless the user enters a schema. I'd like it to be able determine via a SQL query if a schema is required to access the tables so the user can be alerted to this.
I'm aware of the question - How do I obtain a list of schemas that an Oracle user has access to - but that only tells me what schema's can be accessed, not if use of the schema is required to access tables.
Is there an SQL query to one of the system tables that can do this with that user's rights?
Note: The application only has login credentials and doesn't know any table details.
Hope that's clear. Thanks.
Question is confusing. For most part in Oracle, you can consider LOGIN == USER == SCHEMA. When you login into your database with your user, you are able to see and access all objects in that user's schema.
Objects in other schemas (on same database server) can be accesed by SCHEMA2.TABLE1 if connected user has privileges to acces table (there are different privileges...). As already stated in some comments, you do not need to prefix table if synonym exists. Your user can access even tables on some remote server if exists appropriate database link.
I would like to create a role connected as SYSTEM. But because I have a lot of schemas with a lot of roles and all of them will be created this way, I don't want the created roles to be granted to SYSTEM (otherwise it eventually will exceed the 148-roles limit).
=> Is that possible to disable the automatic grant on the creator?
NB: for now I work on Oracle 9i but it will soon be upgraded to 11g
There are 2 parts to my answer:
Roles in Oracle are a bit like keys on your keyring: just because they're on the keyring doesn't mean your using them all the time. Oracle has the concept of default roles: these roles are activated automatically when the session is created. The other roles can be enabled later if the user so desires.
The 148 role limit applies to active roles, see for example this documentation link for oracle 10g: http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_6012.htm#sthref7227
To disable roles from being default, use ALTER USER ... DEFAULT ROLE ..., see http://docs.oracle.com/cd/B19306_01/server.102/b14200/statements_4003.htm#sthref5717
Don't create any objects, even roles, when connected as SYSTEM. Instead you should be using an ordinary user to create a role and adding objects to it that is appropriate for that user's schema's objects. You will need to grant the CREATE ROLE system privilege to those users that need to own objects and have roles for them, but that's all part of the Oracle security model.
The maximum number of user-defined roles that can be enabled for a
single user at one time is 148.
You can pretty much create as many roles as you like - just don't enable them all at once.
When you create a role (other than a user role), it is granted to you
implicitly and added as a default role. You receive an error at login
if you have more than MAX_ENABLED_ROLES. You can avoid this error by
altering the user's default roles to be less than MAX_ENABLED_ROLES.
Thus, you should change the DEFAULT ROLE settings of SYS and SYSTEM
before creating user roles.
http://docs.oracle.com/cd/B10500_01/server.920/a96521/privs.htm#15539
e.g.
ALTER USER SYSTEM DEFAULT ROLE DBA