RDBMS Privileges

This document introduces authorization concepts in Oracle Database including privileges, roles, profiles, and resource limitations. It provides an overview of the different types of privileges including system privileges, schema object privileges, table privileges, and others. It discusses how privileges are granted and revoked, and how roles can be used to manage privileges for groups of users.

Uploaded by Sumeet Chikkmat
Copyright: © Attribution Non-Commercial (BY-NC)

5 Authorization: Privileges, Roles, Profiles, and Resource Limitations

Authorization includes primarily two processes:

    Permitting only certain users to access, process, or alter data
    Applying varying limitations on user access or actions

The limitations placed on (or removed from) users can apply to objects, such as schemas, tables, or rows; or to resources, such as time (CPU, connect, or idle times).

This chapter introduces the basic concepts and mechanisms for placing or removing such limitations on users, individually or in groups, in the following sections:

    Topic Category                                     Links to Topics
    How Privileges Are Acquired and Used               Introduction to Privileges, including system, schema, object, table, procedure, and other privileges
    How Roles Are Acquired, Used, and Restricted       Introduction to Roles
    How and Why Resource Limits Are Applied to Users   User Resource Limits
    How Profiles Are Determined and Used               Profiles

See Also: Chapter 11, "Administering User Privileges, Roles, and Profiles", discusses how to configure and administer privileges, roles, and profiles for users, including DBAs and application programmers.

Introduction to Privileges
A privilege is a right to execute a particular type of SQL statement or to access another user's object. Some examples of privileges include the right to:

    Connect to the database (create a session)
    Create a table
    Select rows from another user's table
    Execute another user's stored procedure

You grant privileges to users so these users can accomplish tasks required for their jobs. You should grant a privilege only to a user who requires that privilege to accomplish the necessary work. Excessive granting of unnecessary privileges can compromise security. A user can receive a privilege in two different ways:

    You can grant privileges to users explicitly. For example, you can explicitly grant to user SCOTT the privilege to insert records into the employees table.
    You can also grant privileges to a role (a named group of privileges), and then grant the role to one or more users. For example, you can grant the privileges to select, insert, update, and delete records from the employees table to the role named clerk, which in turn you can grant to users scott and brian.

Because roles allow for easier and better management of privileges, you should normally grant privileges to roles and not to specific users.

See Also:

    Chapter 11, "Administering User Privileges, Roles, and Profiles"
    Oracle Database Administrator's Guide for discussions of managing and using system and schema object privileges
    Oracle Database SQL Reference for the complete list of system privileges and their descriptions
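The clerk role described above, carried through in SQL as an added example (this is not code from the Oracle documentation excerpt). It assumes the HR sample schema's EMPLOYEES table and that users SCOTT and BRIAN already exist; run it as a user holding CREATE ROLE and the object privileges being granted.

```sql
-- Added example; assumes HR.EMPLOYEES and existing users SCOTT and BRIAN.

-- 1. Create the role and attach the four DML object privileges to it,
--    rather than to each user individually.
CREATE ROLE clerk;
GRANT SELECT, INSERT, UPDATE, DELETE ON hr.employees TO clerk;

-- 2. Grant the role (one grant per user, not four).
GRANT clerk TO scott, brian;

-- 3. Verify from the data dictionary: who holds CLERK, and what CLERK can do.
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'CLERK';

SELECT role, owner, table_name, privilege
  FROM role_tab_privs
 WHERE role = 'CLERK';

-- 4. Off-boarding: a single REVOKE removes all four privileges at once,
--    which is the management benefit the text describes.
REVOKE clerk FROM brian;
```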

There are six major categories of privileges, some with significant subcategories:

    System Privileges
    Schema Object Privileges
    Table Privileges
    View Privileges
    Procedure Privileges
    Type Privileges

System Privileges
A system privilege is the right to perform a particular action, or to perform an action on any schema objects of a particular type. For example, the privileges to create tablespaces and to delete the rows of any table in a database are system privileges. There are over 100 distinct system privileges to manage as described in the following subsections:

    Granting and Revoking System Privileges
    Who Can Grant or Revoke System Privileges?

Granting and Revoking System Privileges

You can grant or revoke system privileges to users and roles. If you grant system privileges to roles, then you can use the roles to manage system privileges. For example, roles permit privileges to be made selectively available.

Note: In general, you grant system privileges only to administrative personnel and application developers. End users normally do not require and should not have the associated capabilities.

Use either of the following to grant or revoke system privileges to users and roles:

    The Oracle Enterprise Manager 10g Database Control
    The GRANT and REVOKE SQL statements

See Also:

    For more information about Database Control, see Oracle Database 2 Day DBA.
    For information about modifying users with Database Control, see the topic "Creating, Editing, and Deleting Users" in the Enterprise Manager online help.

Who Can Grant or Revoke System Privileges?

Only two types of users can grant system privileges to other users or revoke such privileges from them:

    Users who have been granted a specific system privilege with the ADMIN OPTION
    Users with the system privilege GRANT ANY PRIVILEGE
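An added example (not from the excerpt) of the ADMIN OPTION in practice, together with the dictionary query a DBA would run to find every account that can hand out system privileges. It assumes a user APPADMIN exists.

```sql
-- Added example; assumes a user APPADMIN exists.

-- WITH ADMIN OPTION lets APPADMIN grant CREATE SESSION to other users,
-- so APPADMIN becomes a second source of that privilege.
GRANT CREATE SESSION TO appadmin WITH ADMIN OPTION;

-- Review: every grantee able to propagate a system privilege, plus anyone
-- holding GRANT ANY PRIVILEGE (who can grant all of them). Both are the
-- only two kinds of users the text says can grant system privileges.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE admin_option = 'YES'
    OR privilege = 'GRANT ANY PRIVILEGE'
 ORDER BY grantee, privilege;

-- Tighten: there is no "REVOKE ADMIN OPTION FOR" syntax, so drop the
-- privilege and re-grant it without the option.
REVOKE CREATE SESSION FROM appadmin;
GRANT CREATE SESSION TO appadmin;

-- Caveat: DBA_SYS_PRIVS has no GRANTOR column; grants APPADMIN already
-- made while it held the ADMIN OPTION stay in place and must be reviewed
-- separately with the query above.
```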

Schema Object Privileges


A schema object privilege is the permission to perform a particular action on a specific schema object. Different object privileges are available for different types of schema objects. The privilege to delete rows from the departments table is an example of an object privilege. Some schema objects, such as clusters, indexes, triggers, and database links, do not have associated object privileges. Their use is controlled with system privileges. For example, to alter a cluster, a user must own the cluster or have the ALTER ANY CLUSTER system privilege. The following subsections discuss granting and revoking such privileges:

    Granting and Revoking Schema Object Privileges
    Who Can Grant Schema Object Privileges?
    Using Privileges with Synonyms

Object privileges that apply to specific schema objects are discussed in the following sections:

    Table Privileges
    View Privileges
    Sequences (see Managing Sequences in Oracle Database Administrator's Guide)
    Procedure Privileges
    Functions and Packages (see Managing Object Dependencies in Oracle Database Administrator's Guide)
    Type Privileges

Granting and Revoking Schema Object Privileges

Schema object privileges can be granted to and revoked from users and roles. If you grant object privileges to roles, then you can make the privileges selectively available. Object privileges for users and roles can be granted or revoked using the following:

    The SQL statements GRANT and REVOKE
    The Oracle Enterprise Manager 10g Database Control

See Also:

    For more information about Database Control, see Oracle Database 2 Day DBA.
    For information about modifying privileges with Database Control, see the Enterprise Manager online help.

Who Can Grant Schema Object Privileges?

A user automatically has all object privileges for schema objects contained in his or her schema. A user can grant any object privilege on any schema object he or she owns to any other user or role. A user with the GRANT ANY OBJECT PRIVILEGE can grant or revoke any specified object privilege to another user with or without the GRANT OPTION of the GRANT statement. Otherwise, the grantee can use the privilege, but cannot grant it to other users. For example, assume user SCOTT owns a table named t2:

    SQL> GRANT GRANT ANY OBJECT PRIVILEGE TO u1;
    SQL> CONNECT u1/u1
    Connected.
    SQL> GRANT SELECT ON scott.t2 TO u2;
    SQL> SELECT GRANTEE, OWNER, GRANTOR, PRIVILEGE, GRANTABLE FROM DBA_TAB_PRIVS WHERE TABLE_NAME = 'T2';

    GRANTEE   OWNER   GRANTOR   PRIVILEGE   GRANTABLE
    --------- ------- --------- ----------- ---------
    U2        SCOTT   SCOTT     SELECT      NO

Note that the data dictionary records the table owner SCOTT, not U1, as the grantor of this privilege.

See Also: Oracle Database SQL Reference


Using Privileges with Synonyms

A schema object and its synonym are equivalent with respect to privileges. That is, the object privileges granted for a table, view, sequence, procedure, function, or package apply whether referencing the base object by name or by using a synonym. For example, assume there is a table jward.emp with a synonym named jward.employee, and the user jward issues the following statement:

    GRANT SELECT ON emp TO swilliams;

The user swilliams can query the table jward.emp by referencing the table by name or by using the synonym jward.employee:

    SELECT * FROM jward.emp;
    SELECT * FROM jward.employee;

If you grant object privileges on a table, view, sequence, procedure, function, or package to a synonym for the object, then the effect is the same as if no synonym were used. For example, if jward wanted to grant the SELECT privilege for the emp table to swilliams, then jward could issue either of the following statements:

    GRANT SELECT ON emp TO swilliams;
    GRANT SELECT ON employee TO swilliams;

If a synonym is dropped, then all grants for the underlying schema object remain in effect, even if the privileges were granted by specifying the dropped synonym.

Table Privileges

Schema object privileges for tables enable table security at the Data Manipulation Language (DML) or Data Definition Language (DDL) level of operation, as discussed in the following subsections:

    DML Operations
    DDL Operations

DML Operations

You can grant privileges to use the DELETE, INSERT, SELECT, and UPDATE DML operations on a table or view. Grant these privileges only to users and roles that need to query or manipulate data in a table. You can restrict INSERT and UPDATE privileges for a table to specific columns of the table. With selective INSERT, a privileged user can insert a row with values for the selected columns. All other columns receive NULL or the default value of the column. With selective UPDATE, a user can update only specific column values of a row. Selective INSERT and UPDATE privileges are used to restrict user access to sensitive data. For example, if you do not want data entry users to alter the salary column of the employees table, then selective INSERT or UPDATE privileges can be granted that exclude the salary column. Alternatively, a view that excludes the salary column could satisfy this need for additional security.

See Also: Oracle Database SQL Reference for more information about DML operations
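The salary scenario from the text, worked out as an added example (not the documentation's own code): column-restricted INSERT and UPDATE grants next to the view-based alternative, plus the dictionary view where such grants are recorded. It assumes the HR sample schema's EMPLOYEES table and a user DATA_ENTRY.

```sql
-- Added example; assumes HR.EMPLOYEES and a user DATA_ENTRY.
-- Goal: data-entry staff may add and edit employees but never touch SALARY.

-- Column lists are accepted only for INSERT, UPDATE and REFERENCES, not for
-- SELECT. Columns left out of the INSERT list get NULL or their DEFAULT, so
-- SALARY must be nullable or defaulted for these inserts to succeed.
GRANT INSERT (employee_id, first_name, last_name, email, hire_date, job_id),
      UPDATE (first_name, last_name, email, phone_number)
   ON hr.employees TO data_entry;

-- Connected as DATA_ENTRY, this succeeds:
UPDATE hr.employees SET phone_number = '515.123.9999' WHERE employee_id = 107;
-- ...and this fails with ORA-01031: insufficient privileges, because
-- SALARY is not in the granted column list:
UPDATE hr.employees SET salary = 99999 WHERE employee_id = 107;

-- The alternative the text mentions: a view that omits SALARY, which also
-- covers read access (where no column-level privilege exists).
CREATE OR REPLACE VIEW hr.employees_public AS
  SELECT employee_id, first_name, last_name, email, phone_number, hire_date, job_id
    FROM hr.employees;
GRANT SELECT ON hr.employees_public TO data_entry;

-- Audit: column-level grants live in DBA_COL_PRIVS, not DBA_TAB_PRIVS, so a
-- review that queries only DBA_TAB_PRIVS will miss them.
SELECT grantee, table_name, column_name, privilege
  FROM dba_col_privs
 WHERE owner = 'HR' AND table_name = 'EMPLOYEES';
```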
DDL Operations

The ALTER, INDEX, and REFERENCES privileges allow DDL operations to be performed on a table. Because these privileges allow other users to alter or create dependencies on a table, you should grant privileges conservatively. A user attempting to perform a DDL operation on a table may need additional system or object privileges. For example, to create a trigger on a table, the user requires both the ALTER TABLE object privilege for the table and the CREATE TRIGGER system privilege. As with the INSERT and UPDATE privileges, the REFERENCES privilege can be granted on specific columns of a table. The REFERENCES privilege enables the grantee to use the table on which the grant is made as a parent key to any foreign keys that the grantee wishes to create in his or her own tables. This action is controlled with a special privilege because the presence of foreign keys restricts the data manipulation and table alterations that can be done to the parent key. A column-specific REFERENCES privilege restricts the grantee to using the named columns (which, of course, must include at least one primary or unique key of the parent table).

See Also: Data Integrity in Oracle Database Concepts for more information about primary keys, unique keys, and integrity constraints
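A column-specific REFERENCES grant in action, as an added example rather than code from the excerpt. It assumes the HR sample schema's EMPLOYEES table (primary key EMPLOYEE_ID, unique EMAIL) and a separate schema PAYROLL that already holds CREATE TABLE and a tablespace quota.

```sql
-- Added example; assumes HR.EMPLOYEES and a schema PAYROLL with CREATE TABLE.

-- Let PAYROLL build foreign keys against EMPLOYEE_ID only; the other
-- unique column, EMAIL, is deliberately left out of the grant.
GRANT REFERENCES (employee_id) ON hr.employees TO payroll;

-- Connected as PAYROLL: a foreign key on the named column is allowed...
CREATE TABLE payroll.payslip (
  payslip_id  NUMBER PRIMARY KEY,
  employee_id NUMBER NOT NULL
    CONSTRAINT payslip_emp_fk REFERENCES hr.employees (employee_id),
  net_pay     NUMBER(10,2)
);

-- ...but one on EMAIL, although EMAIL is unique, fails with ORA-01031
-- because it is not among the granted columns.
ALTER TABLE payroll.payslip ADD (
  emp_email VARCHAR2(25)
    CONSTRAINT payslip_email_fk REFERENCES hr.employees (email)
);

-- Why the text says to grant REFERENCES conservatively: while PAYSLIP rows
-- point at an employee, HR can no longer delete that parent row, and
-- DROP TABLE hr.employees is refused unless CASCADE CONSTRAINTS is used.

-- Review who is allowed to create such dependencies on the table.
SELECT grantee, column_name, privilege
  FROM dba_col_privs
 WHERE owner = 'HR' AND table_name = 'EMPLOYEES' AND privilege = 'REFERENCES';
```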
