Oracle8: Database Administration
Lesson 19: Managing Privileges
Copyright Oracle Corporation, 1998. All rights reserved.

Revoking Object Privileges

Syntax

Use the following command to revoke object privileges:

    REVOKE { object_priv [, object_priv ] | ALL [PRIVILEGES] }
    ON [schema.]object
    FROM {user|role|PUBLIC} [, {user|role|PUBLIC} ]
    [CASCADE CONSTRAINTS]

where:

    object_priv          specifies the object privilege to be revoked
    ALL                  revokes all object privileges that are granted to the user
    ON                   identifies the object on which the object privileges are revoked
    FROM                 identifies users or roles from which the object privileges are revoked
    CASCADE CONSTRAINTS  drops any referential integrity constraints that the revokee has defined using REFERENCES or ALL privileges

Example:

    REVOKE execute ON dbms_pipe FROM scott;

Restriction

Grantors can revoke privileges from only those users to whom they have granted privileges.

Revoking Object Privileges Using WITH GRANT OPTION

[Figure: GRANT and REVOKE of an object privilege among SCOTT, USER 1 and USER 2, followed by the RESULT]

Revoking object privileges will cascade when given using the WITH GRANT OPTION. The following scenario illustrates this:

Scenario
1 USER 1 is granted the SELECT object privilege with the GRANT OPTION.
2 USER 1 grants the SELECT privilege on EMP to USER 2.

The result:
3 Later, the SELECT privilege is revoked from USER 1. This revoke is cascaded to USER 2 as well.
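The cascade scenario above written out as statements, with a data dictionary query that makes the grant chain visible before and after the revoke. This is an added example, not part of the course material; it assumes SCOTT owns EMP and that accounts named USER1 and USER2 exist, and each part runs in the session named in its comment.

```sql
-- Added example; USER1 and USER2 are assumed account names.

-- Session: SCOTT (owner of EMP). Scenario step 1.
GRANT SELECT ON emp TO user1 WITH GRANT OPTION;

-- Session: USER1. Scenario step 2: the privilege is passed on.
GRANT SELECT ON scott.emp TO user2;

-- Session: DBA. Audit the chain. GRANTOR records who issued each grant,
-- GRANTABLE records whether the grantee may pass the privilege on.
SELECT grantee, grantor, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SCOTT'
AND    table_name = 'EMP'
ORDER  BY grantee;

-- Session: SCOTT. Scenario step 3. SCOTT granted only to USER1, so under
-- the restriction above that is the only grant SCOTT can revoke directly.
REVOKE SELECT ON emp FROM user1;

-- Session: DBA. Re-run the audit. The revoke follows the GRANTOR chain,
-- so the grant USER1 made to USER2 is removed along with USER1's own.
SELECT grantee, grantor, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SCOTT'
AND    table_name = 'EMP'
ORDER  BY grantee;

-- Session: DBA. Review query: every object privilege held WITH GRANT OPTION
-- is a point from which access can spread without the owner's involvement.
SELECT grantee, owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantable = 'YES'
AND    grantee NOT IN ('SYS', 'SYSTEM')
ORDER  BY owner, table_name, grantee;
```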
Summary

Quick Reference

    Context                             Reference
    Initialization parameters           O7_DICTIONARY_ACCESSIBILITY
    Dynamic performance views           None
    Data dictionary views               DBA_SYS_PRIVS
                                        SESSION_PRIVS
                                        DBA_TAB_PRIVS
                                        DBA_COL_PRIVS
    Commands                            GRANT
                                        REVOKE
    Packaged procedures and functions

• Controlling system and object privileges

Lesson 20: Managing Roles

Instructor Note

    Topic      Timing
    Lecture    45 minutes
    Practice   20 minutes
    Total      65 minutes

Objectives

• Creating and modifying roles
• Controlling availability of roles
• Removing roles
• Using predefined roles
• Displaying role information from the data dictionary

Overview

Oracle provides for easy and controlled privilege management through roles. Roles are named groups of related privileges that are granted to users or other roles. They are designed to ease the administration of privileges in the database.

Role Characteristics

• Granted to and revoked from users with the same commands used to grant and revoke system privileges
• May be granted to any user or role, except to itself (even indirectly)
• Can consist of both system and object privileges
• May be enabled or disabled for each user granted the role
• Can require a password to enable
• Each role name must be unique among existing usernames and role names
• Are not owned by anyone; are not in any schema
• Have their descriptions stored in the data dictionary

Instructor Note

For creating stored procedures or views based on objects in another schema, the access privileges have to be granted to the individual user directly and not through a role.
Therefore, roles may not be appropriate for application developers who create stored procedures, functions, or views.

[Figure: Roles. Users A, B and C; roles HR_CLERK and HR_MGR; privileges SELECT ON EMP, INSERT ON EMP, UPDATE ON EMP, CREATE TABLE, CREATE SESSION]

[...]

... system or a third-party service) before enabling the role

OEM
1 Use Oracle Security Manager
2 Expand the Role node
3 Select the role
4 Indicate the identification method
5 Click Apply

Assigning Roles

Assigning...

these roles

NONE disables all roles for the current session. (Only privileges granted directly to the user are active.)

The ALL option without the EXCEPT clause works only when every role that is enabled does not have a password.

Controlling Availability...

page in detail

Controlling Availability of Roles

Removing Roles

    DROP ROLE hr_manager;

Syntax

To remove a role from the database, use the following syntax:

    DROP ROLE role

where:

    role    is the role to be removed

When you drop a role, the Oracle server revokes it from all...

    RECOVERY_CATALOG_OWNER   NO
    IMP_FULL_DATABASE        NO
    EXP_FULL_DATABASE        NO
    SNMPAGENT                NO
    SALES_CLERK              YES
    HR_CLERK                 EXTERNAL

    14 rows selected

Summary

• Creating roles
• Assigning privileges to roles
• Assigning roles to users or roles
• Establishing default roles

...
and removes it from the database. You must have been granted the role with the ADMIN OPTION or have the DROP ANY ROLE system privilege to drop the role.

OEM
1 Use Oracle Security Manager
2 Expand the Role node
3 Select the role
4 Select Role—>Remove
5 In the dialog box, click Yes

Guidelines for Creating...

    SELECT_CATALOG_ROLE    SELECT privilege on DD tables

The roles listed are defined automatically for Oracle databases. The CONNECT and RESOURCE roles are provided for backward compatibility with earlier versions of Oracle and can be modified in the same manner as any other role in an Oracle database. The EXP_FULL_DATABASE and IMP_FULL_DATABASE roles are provided for convenience...

roles for database security. These roles may not be created automatically by future versions of Oracle.

Creating and Modifying Roles

Modifying Roles

    ALTER ROLE sales_clerk IDENTIFIED BY commission;
    ALTER ROLE hr_clerk IDENTIFIED EXTERNALLY;
    ALTER ROLE hr_manager NOT IDENTIFIED;

...

receive the new privileges

Guidelines for Using Passwords and Default Roles

    Password protected, non-default role:  PAY_CLERK     (insert, update, delete and select privileges)
    Default role:                          PAY_CLERK_RO  (select privileges)

Using Passwords

• Passwords...

users

OEM
1 Use Oracle Security Manager
2 Expand the User or Role node
3 Select the user or role
4 Select the Roles/Privileges
5 Select Roles as the Privilege Type
6 Under Granted, select the Role to be revoked
7 Click the up arrow to remove the role from the granted list
8 Click Apply

Instructor...
the database

No Cascading Revokes

Object privileges can be revoked without causing cascading revokes.

Improved Performance

By disabling roles, there are fewer privileges to verify during statement execution. Using roles reduces the number of grants stored in the data dictionary.

    bonus;
    CREATE ROLE hr_manager IDENTIFIED EXTERNALLY;

OEM
1 Use Oracle Security Manager.
2 Choose Role—>Create.
3 Enter the role
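The PAY_CLERK / PAY_CLERK_RO arrangement from "Guidelines for Using Passwords and Default Roles", together with the SET ROLE behaviour described earlier, as a complete setup and check. This is an added example, not part of the course material; the table payroll.salaries, the account pay_user and the password placeholder are assumptions.

```sql
-- Added example; payroll.salaries, pay_user and role_password_placeholder
-- are assumed names, not values from the course.

-- Session: DBA. Read-only role without a password, read-write role with one.
CREATE ROLE pay_clerk_ro;
CREATE ROLE pay_clerk IDENTIFIED BY role_password_placeholder;

-- Session: owner of the table (PAYROLL).
GRANT SELECT ON salaries TO pay_clerk_ro;
GRANT SELECT, INSERT, UPDATE, DELETE ON salaries TO pay_clerk;

-- Session: DBA. The user is granted both roles, but only the read-only
-- role is a default role, so only it is enabled at logon.
GRANT pay_clerk_ro, pay_clerk TO pay_user;
ALTER USER pay_user DEFAULT ROLE pay_clerk_ro;

-- Session: PAY_USER. Roles enabled right after logon.
SELECT role FROM session_roles;

-- Enabling the read-write role requires the role password. SET ROLE
-- enables the roles it names and disables every other role for the
-- session, so PAY_CLERK_RO is off until it is named again.
SET ROLE pay_clerk IDENTIFIED BY role_password_placeholder;
SELECT role FROM session_roles;

-- Drop back to directly granted privileges only.
SET ROLE NONE;

-- Session: DBA. Verify the configuration from the data dictionary:
-- which roles need a password, and which grants are default roles.
SELECT role, password_required
FROM   dba_roles
WHERE  role IN ('PAY_CLERK', 'PAY_CLERK_RO');

SELECT grantee, granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee = 'PAY_USER';
```

In this layout the role password is normally supplied by the application that issues SET ROLE, so a user connecting with an ad hoc tool gets only the read-only default role.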