Best practice to create user in greenplum - greenplum

I have created a database in Greenplum.
CREATE DATABASE production
WITH OWNER = gpadmin
TEMPLATE = template1
CONNECTION LIMIT = -1;
I have assigned the owner to gpadmin. gpadmin is default user. What is best practice to assign the owner to any database in the Greenplum?

gpadmin is a superuser and a good candidate for the ownership of a database.

Some companies have a dedicated, non-superuser account which owns all objects in a database. This makes permission handling easier, because ownership of objects is not "distributed" across dozens of accounts.

Related

Drop SYS and SYSTEM accounts, good idea?

I'm new to Oracle and I'm currently hardening a database.
It's a good idea to drop SYS and SYSTEM users? normally default accounts are dropped because of security reasons, I can do that on Oracle, or I will break something?
From the documentation (emphasis added):
All databases include the administrative accounts SYS, SYSTEM, and DBSNMP. Administrative accounts are highly privileged accounts, and are needed only by individuals authorized to perform administrative tasks such as starting and stopping the database, managing database memory and storage, creating and managing database users, and so on. You log in to Oracle Enterprise Manager Database Express (EM Express) with SYS or SYSTEM. You assign the passwords for these accounts when you create the database with Oracle Database Configuration Assistant (DBCA). You must not delete or rename these accounts.
And:
All base (underlying) tables and views for the database data dictionary are stored in the SYS schema. These base tables and views are critical for the operation of Oracle Database.
So no, it is not a good idea, and it would destroy your database.
normally default accounts are dropped because of security reasons, I can do that on Oracle, or I will break something?
The first documentation link above also says (emphasis added again):
All databases also include internal accounts, which are automatically created so that individual Oracle Database features or components such as Oracle Application Express can have their own schemas. To protect these accounts from unauthorized access, they are initially locked and their passwords are expired. (A locked account is an account for which login is disabled.) You must not delete internal accounts, and you must not use them to log in to the database.
And it mentions sample schema accounts, which you can choose not to install in the first place, but which could be dropped if required.
The main thing is to secure all accounts, and you should limit any accounts you create to only have the minimum privileges necessary.
You can also read more about this in the database administrator's guide,
It is a very bad idea. I don't think the database will even work without them and doubt that the drop is allowed. Make sure the accounts are safe instead.

Schema users and permissions

From the documentation I understood that the schemas are related to one user. I want to create 6 schemas that each will have its tables, but I want just one user that can connect through php and insert some data in those tables (will hace access to the other schemas).
I know you can just assign the CONNECT and RESOURCE roles to those users, but from what i read its not the best option regarding security.
I thought about making 2 roles, one for the schema users and another for the php user.
For the php user: GRANT CREATE SESSION, UNLIMITED TABLESPACE to
For the schema users; but do i need some privileges for these users? Since they will not be accessed
Is this a correct way to do this?
In Oracle each schema is also a user. You can lock users that you do not want people to log in to and then give the user that you want to login privileges on the objects in the other schemas.

How to duplicate Oracle database without sysdba privilege

We have an oracle 11g installed on a linux machine. I want to duplicate the database on my local 64-bit windows machine. We have total 403 tables and a few of them have foreign key constraints. I am not a dba so I don't have the sysdba privilege. Also I cannot shutdown the remote database. Is there a quick way to do this rather than I copy the tables one by one? Thanks
Considering you do not have DBA role granted and not having access to server machine, you won't be able to do a cold backup and install in on your machine, because cold backup requires database getting shut downed.
Secondly, you can't use rman utility either.
You can use expdp utility to get database exported as files and import it to your db with impdp utility.But in order to get data exported you at least need CONNECT and RESOURCE roles granted to your user ( Assuming you already have CONNECT otherwise you won't be able to connect to db at all ) and with those roles you can only import objects you already have access to. Including objects you own.
On the other hand, if you need a full database export, then you need EXP_FULL_DATABASE granted. DBA, SYS and some other roles has this role included. So your best chance is to contact dba's asking for the role granted to your user, see how they react to that.

How do I determine if I a user requires a schema to access a table?

An application needs to access various Oracle database. Some databases have tables in Schemas, some don't - there's no control over this.
If a database has a schema in use, the applicable won't work unless the user enters a schema. I'd like it to be able determine via a SQL query if a schema is required to access the tables so the user can be alerted to this.
I'm aware of the question - How do I obtain a list of schemas that an Oracle user has access to - but that only tells me what schema's can be accessed, not if use of the schema is required to access tables.
Is there an SQL query to one of the system tables that can do this with that user's rights?
Note: The application only has login credentials and doesn't know any table details.
Hope that's clear. Thanks.
Question is confusing. For most part in Oracle, you can consider LOGIN == USER == SCHEMA. When you login into your database with your user, you are able to see and access all objects in that user's schema.
Objects in other schemas (on same database server) can be accesed by SCHEMA2.TABLE1 if connected user has privileges to acces table (there are different privileges...). As already stated in some comments, you do not need to prefix table if synonym exists. Your user can access even tables on some remote server if exists appropriate database link.

Oracle DBA Role and its specific functions (and possible replacement)

I have to install an application server that requires an user to write to the database, possibly create new schemes and such. However, I've always used the "work around" to assign the DBA Role to that user.
I have some questions, as I am not that deep into Oracle security.
Has the DBA role a level of privileges that can affect the whole Oracle installation?
Where can I find what privileges the DBA role exactly have?
How do I create an alternative role?
Thanks,
1) Yes, the dba role should have enough privileges to screw up a database beyond fixing.
2)
select *
from role_sys_privs
where grantee = 'DBA';
3) Unless you plan on having several user with similar privileges, I recommend creating a user and grant all needed privileges explicitly to this user instead of via a role.
You can read more about the topic in
Oracle Database Security Guide chapter 11, Administering User Privileges, Roles, and Profiles
First look into Ronnis' solution. If this is not sufficient create a package, owned by SYSTEM, and grant EXECUTE to the user or users that need it. Add procedures that perform the needed operations taking care to limit their power as much as possible.

Resources