Oracle® Database 2 Day DBA 11g Release 1 (11.1) Part Number B28301-03 |
|
|
View PDF |
This section provides instructions for creating and managing user accounts for the people and applications that use your database. It contains the following topics:
See Also:
You view user accounts on the Users page of Oracle Enterprise Manager Database Control (Database Control).
To view users:
Go to the Database Home page, logging in with a user account that has privileges to manage users. An example of such a user account is SYSTEM
.
At the top of the page, click Server to view the Server subpage.
In the Security section, click Users.
The Users page appears.
If you want to view the details of a particular user, then in the Select column, click the user, and then click View.
If you do not see the user that you want to view, it may be on another page. In this case, do one of the following:
Just above the list of users, click Next to view the next page. Continue clicking Next until you see the desired user.
Use the Search area of the page to search for the desired user. In the Object Name field, enter the first few letters of the user name, and then click Go.
You can then select the user and click View.
The View User page appears, and displays all user attributes.
Suppose you want to create a user account for a database application developer named Nick, who has requested the password "firesign007." Because Nick is a developer, you+ want to grant him the database privileges and roles that he requires to build and test his applications. You also want to give Nick a 10 megabyte (MB) quota on his default tablespace so that he can create schema objects in that tablespace.
To create the user Nick:
Go to the Users page, as described in "Viewing User Accounts".
On the Users page, click Create.
The Create User page appears, displaying the General subpage.
In the Name field, enter NICK
.
Accept the value DEFAULT
in the Profile list. This assigns the default password policy to user Nick.
Accept the default value Password
in the Authentication list.
For information about advanced authentication schemes, see Oracle Database 2 Day + Security Guide.
In the Enter Password and Confirm Password fields, enter a password, for example, firesign007.
Do not select Expire Password now. If the account status is set to expired, then the user or the database administrator must change the password before the user can log in to the database.
(Optional) Next to the Default Tablespace field, click the flashlight icon, select the USERS
tablespace, and then click Select.
All schema objects that Nick creates will then be created in the USERS
tablespace unless he specifies otherwise. If you leave the Default Tablespace field blank, Nick is assigned the default tablespace for the database, which is USERS
in a newly installed database. For more information about the USERS
tablespace, see "About Tablespaces".
(Optional) Next to the Temporary Tablespace field, click the flashlight icon, select the TEMP
tablespace, and then click Select.
If you leave the Temporary Tablespace field blank, Nick is assigned the default temporary tablespace for the database, which is TEMP
in a newly installed database. For more information about the TEMP
tablespace, see "About Tablespaces".
For the Status option, accept the default selection of Unlocked.
You can later lock the user account to prevent users from logging in with it. To temporarily deny access to a user account, locking the user account is preferable to deleting it, because deleting it also deletes all schema objects owned by the user.
Grant roles, system privileges, and object privileges to the user, as described in "Example: Granting Privileges and Roles to a User Account".
Note:
Do not click OK in Step 13 of "Example: Granting Privileges and Roles to a User Account". Instead, skip that step and continue with Step 12 in this procedure.Assign a 10 MB quota on the USERS
tablespace, as described in "Example: Assigning a Tablespace Quota to a User Account".
If you did not click OK while assigning the tablespace quota (previous step), click OK now to create the user.
If you want to create a user account that is similar in attributes to an existing user account, you can duplicate the existing user account.
To create a new user account by duplicating an existing user account:
Go to the Users page, as described in "Viewing User Accounts".
In the Select column, click the user that you want to duplicate.
In the Actions list, select Create Like, and then click Go.
The Create User page appears. This page displays a new user with the same attributes as the duplicated user.
Enter a user name and password, modify the user attributes or privileges if desired, and then click OK to save the new user.
The Actions list also provides shortcuts for other actions, and provides a way to display the SQL command used to create a user.
Suppose you are creating or modifying a user account named Nick. Because Nick is a database application developer, you want to grant him the APPDEV
role, which enables him to create database objects in his own schema. (You created the APPDEV
role in "Example: Creating a Role".) Because you want Nick to be able to create tables and views in other schemas besides his own, you want to grant him the CREATE
ANY
TABLE
and CREATE
ANY
VIEW
system privileges. In addition, because he is developing a human resources application, you want him to be able to view the tables in the hr
sample schema and use them as examples. You therefore want to grant him the SELECT
object privilege on those tables. Finally, you want Nick to be able to log in to Database Control so that he can use the graphical user interface to create and manage his database objects. You therefore want to grant him the SELECT
ANY
DICTIONARY
system privilege. The following table summarizes the privileges and roles that you want to grant to Nick.
Grant Type | Privilege or Role Name |
---|---|
System privileges | CREATE ANY TABLE , CREATE ANY VIEW , and SELECT ANY DICTIONARY |
Object privileges | SELECT on all tables in the hr schema |
Roles | APPDEV |
The following example assumes that you are already in the process of creating the user account for Nick or editing the account. This means that you have already accessed the Create User page and have entered all required fields on the General subpage (see "Example: Creating a User Account"), or that you have already accessed the Edit User page for Nick (see "Example: Modifying a User Account"). The example also assumes that you have not yet granted any privileges or roles to Nick.
To grant privileges and roles to the user Nick:
Toward the top of the Create User or Edit User page, click Roles to display the Roles subpage.
The Roles subpage shows that the CONNECT
role is assigned to Nick. Database Control automatically assigns this role to all users that you create. (The selected Default check box indicates that the CONNECT
role is a default role for Nick, which means that it is automatically enabled whenever Nick logs in.)
Click Edit List.
The Modify Roles page appears.
In the Available Roles list, locate the APPDEV
role, double-click it to add it to the Selected Roles list, and then click OK.
The Create User or Edit User page returns, showing that both the CONNECT
and APPDEV
roles are granted to Nick.
Note:
Double-clicking a role is a shortcut. You can also select the role and then click the Move button. To select multiple privileges, hold down the Shift key while selecting a range of privileges, or press the Ctrl key and select individual privileges, then click Move after you have selected the privileges.Toward the top of the page, click System Privileges to select the System Privileges subpage.
Click Edit List.
The Modify System Privileges page appears.
In the Available System Privileges list, scroll to locate the CREATE
ANY
TABLE
, CREATE
ANY
VIEW
, and SELECT
ANY
DICTIONARY
privileges, double-click each to add them to the Selected System Privileges list, and then click OK.
The Create User or Edit User page returns, showing the newly added system privileges.
Toward the top of the page, click Object Privileges to select the Object Privileges subpage.
In the Select Object Type list, select Table and then click Add.
The Add Table Object Privileges page appears.
Click the flashlight icon next to the Select Table Objects list.
The Select Table Objects dialog box appears.
In the Schema list, select HR
, and then click Go.
All tables in the hr
schema are displayed.
Click Select All, and then click the Select button.
The Select Table Objects dialog box closes, and the names of all tables in the hr
schema appear in the Select Table Objects field on the Add Table Object Privileges page.
In the Available Privileges list, double-click the SELECT
privilege to move it to the Selected Privileges list, and then click OK.
The Create User or Edit User page returns, showing that the SELECT
object privilege for all hr
tables is granted to user Nick.
Note:
To revoke an object privilege, select it on the Create User or Edit User page (Object Privileges subpage), and then click Delete.Do one of the following to save the role and privilege grants:
If you are creating a user account, click OK to save the new user account.
If you are modifying a user account, click Apply to save the changes for the user account.
Suppose you are creating or modifying a user account named Nick. You want to assign Nick a space usage quota of 10 MB on his default tablespace.
You must assign Nick a tablespace quota on his default tablespace before he can create objects in that tablespace. (This is also true for any other tablespace in which Nick wants to create objects.) After a quota is assigned to Nick for a particular tablespace, the total space used by all of his objects in that tablespace cannot exceed the quota. You can also assign a quota of UNLIMITED
.
The following example assumes that you are already in the process of creating the user account for Nick or editing the account. This means that you have already accessed the Create User page and have entered all required fields on the General subpage (see "Example: Creating a User Account"), or that you have already accessed the Edit User page for Nick (see "Example: Modifying a User Account"). The example also assumes that Nick has not yet been assigned a quota on any tablespaces.
To assign a tablespace quota to user Nick:
Toward the top of the Create User or Edit User page, select the Quotas subpage.
The Quotas subpage appears, showing that user Nick does not have a quota assigned on any tablespace.
In the Quota column for tablespace USERS
, select Value from the list.
In the Value column for tablespace USERS
, enter 10
.
Do one of the following to save the new quota assignment:
If you are creating a user account, click OK to save the new user account.
If you are modifying a user account, click Apply to save changes for the user account.
Suppose you want to remove the quota limitations for the user Nick on his default tablespace, USERS
. To do so, you must modify his user account.
To modify the user Nick:
Go to the Users page, as described in "Viewing User Accounts".
In the Select column, select the user account Nick, and then click Edit.
If you do not see user Nick, he may be on another page. In this case, do one of the following:
Just above the list of user accounts, click Next to view the next page. Continue clicking Next until you see the user account for Nick.
Use the Search area of the page to search for his account. In the Object Name field, enter the letters NI, and then click Go.
You can then select the user account for Nick and click Edit.
The Edit User page appears, and displays the general attributes for Nick.
Toward the top of the page, select the Quotas subpage.
In the Quota column for tablespace USERS
, select Unlimited from the list, and then click Apply.
A message appears, indicating that user Nick was modified successfully.
To temporarily deny access to the database for a particular user account, you can lock the user account. If the user then attempts to connect, the database displays an error message and does not allow the connection. You can unlock the user account when you want to permit database access again for that user.
To lock or unlock a user account:
Go to the Users page, as described in "Viewing User Accounts".
In the Select column, click the desired user account.
If you do not see the desired user account, it may be on another page. In this case, use the Next button to view additional pages or use the Search area of the page to search for the desired user account.
Do one of the following:
To lock the account, select Lock User from the Actions list, and then click Go.
To unlock the account, select Unlock User from the Actions list, and then click Go.
A confirmation message appears.
Click Yes.
When you expire a user password, the user is prompted to change his or her password the next time that user logs in. Reasons to expire a password include the following:
A user password becomes compromised.
You have a security policy in place that requires users to change their passwords on a regular basis.
Note:
You can automate the automatic expiring of user passwords after a certain interval. See "Setting the Database Password Policy".A user has forgotten his or her password.
In this third case, you modify the user account, assign a new temporary password, and expire the password. The user then logs in with the temporary password and is prompted to choose a new password.
To expire a user password:
Go to the Users page, as described in "Viewing User Accounts".
In the Select column, click the desired user account.
If you do not see the desired user account, it may be on another page. In this case, do one of the following:
Just above the list of user accounts, click Next to view the next page. Continue clicking Next until you see the desired user account.
Use the Search area of the page to search for the desired user account. In the Object Name field, enter the first few letters of the user account name, and then click Go.
You can then select the user account.
Select Expire Password from the Actions list, and then click Go.
A confirmation message appears.
Click Yes to complete the task.
Suppose user Nick has moved to another department. Because it is no longer necessary for him to have access to the database, you want to delete his user account.
You must use caution when deciding to deleting a user account, because this action also deletes all schema objects owned by the user. To prevent a user from logging in to the database while keeping the schema objects intact, lock the user account instead. See "Locking and Unlocking User Accounts".
To delete user Nick:
Go to the Users page, as described in "Viewing User Accounts".
In the Select column, select the user account Nick, and then click Delete.
If you do not see the user account Nick, it may be on another page. In this case, do one of the following:
Just above the list of user accounts, click Next to view the next page. Continue clicking Next until you see the user account for Nick.
Use the Search area of the page to search for the user account. In the Object Name field, enter the letters NI, and then click Go.
You can then select the user account for Nick and click Delete.
A confirmation page appears.
Click Yes to confirm the deletion of the user account.