520 23.2 Privileges
PRINCE originally granted the CREATE VIEW privilege to ARIEL.
Revoked system privileges do not cause cascading revokes; only object privilege revokes can do that.
CREATE VIEW CA_ARTISTS AS
SELECT * FROM MUSIC.ARTIST WHERE STATE_PROVINCE='CA';
We will now examine some rules about revoking privileges. Using graphic examples, here are some key points to remember about how revoking of privileges works.
23.2.2.1 Revoked System Privileges DO NOT Cascade
When you revoke a system privilege, the revoke affects only the user you are naming and does not affect any objects or users created. For example, SYSTEM grants the CREATE USER privilege WITH ADMIN OPTION to ASSISTANT. Then ASSISTANT creates a user named INTERN and grants her the CREATE USER privilege. Now, INTERN creates another user named JOE. Figure 23.10 illustrates these events.
Figure 23.10 One New User Is Created by Each of These Users: SYSTEM, ASSISTANT, and INTERN.
Chap23.fm Page 520 Thursday, July 29, 2004 10:15 PM
Now, as the DBA, you decide that your assistant does not need to create
users at this point, so you revoke the CREATE USER privilege from
ASSISTANT.
ASSISTANT can no longer create users; however, the users she created
still exist. And, INTERN, who received the system privilege CREATE
USER from ASSISTANT, retains that privilege. Figure 23.11 illustrates this
idea by showing that ASSISTANT cannot create a user, while INTERN
can create a user.
23.2.2.2 Revoked Object Privileges DO Cascade
Revoking an object privilege does result in a cascading set of revoked privileges. For example, imagine that SYSTEM grants SELECT on MUSIC.ARTIST to ASSISTANT using the WITH GRANT OPTION clause. Then ASSISTANT grants the same object privilege to INTERN who in turn grants the privilege (without the WITH GRANT OPTION) to JOE. Figure 23.12 shows the scenario.
After careful thought, you decide that your assistant no longer requires
the SELECT privilege on the MUSIC.ARTIST table, so you revoke the
privilege. The revoke actually cascades and revokes the privilege from
INTERN, and then it cascades again and revokes the privilege from JOE.
Figure 23.11 ASSISTANT Failed to Create MATTHEW, but INTERN Created BETH.
Now, only SYSTEM can successfully query the MUSIC.ARTIST table.
Figure 23.13 shows how this works.
Remember that revoked system privileges do not cascade and revoked
object privileges do cascade.
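Added example, not from the book: replay both revoke scenarios above and check the outcome in Oracle's data dictionary (DBA_SYS_PRIVS, DBA_TAB_PRIVS). Connect strings follow the book's CONNECT user/password@OLTP form; the ASSISTANT and INTERN passwords are placeholders, and the first object grant is made by the owner MUSIC rather than by SYSTEM so that the GRANTOR column shows the chain exactly.

```sql
-- Added example (not from the book). Assumes the users ASSISTANT, INTERN
-- and JOE exist and that MUSIC owns the ARTIST table.

-- Scenario 1: a SYSTEM privilege. Chain: SYSTEM -> ASSISTANT -> INTERN.
CONNECT SYSTEM/password@OLTP;
GRANT CREATE USER TO ASSISTANT WITH ADMIN OPTION;
CONNECT ASSISTANT/placeholder@OLTP;
GRANT CREATE USER TO INTERN;

-- Before revoking a system privilege, list everyone who holds it: the
-- revoke below touches ASSISTANT only, and INTERN keeps CREATE USER.
-- (DBA_SYS_PRIVS records no grantor, so the chain itself is not visible.)
CONNECT SYSTEM/password@OLTP;
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE USER'
ORDER  BY grantee;
REVOKE CREATE USER FROM ASSISTANT;
-- Re-run the SELECT: ASSISTANT is gone, INTERN is still listed. Revoke
-- from INTERN explicitly if that was not intended.

-- Scenario 2: an OBJECT privilege. Chain:
-- MUSIC -> ASSISTANT (grantable) -> INTERN (grantable) -> JOE.
CONNECT MUSIC/MUSIC@OLTP;
GRANT SELECT ON artist TO ASSISTANT WITH GRANT OPTION;
CONNECT ASSISTANT/placeholder@OLTP;
GRANT SELECT ON music.artist TO INTERN WITH GRANT OPTION;
CONNECT INTERN/placeholder@OLTP;
GRANT SELECT ON music.artist TO JOE;

-- Object grants do record the grantor, so the whole chain is visible.
CONNECT SYSTEM/password@OLTP;
SELECT grantor, grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'MUSIC' AND table_name = 'ARTIST'
ORDER  BY grantor, grantee;

-- Revoking from ASSISTANT cascades: re-run the SELECT afterwards and the
-- rows for INTERN and JOE are gone as well.
CONNECT MUSIC/MUSIC@OLTP;
REVOKE SELECT ON artist FROM ASSISTANT;
```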
One of the more repetitive DBA tasks is that of granting the proper privileges to new users and maintaining privileges for all existing users. Very often, a group of users has identical privileges. The next section shows you how to take advantage of this with roles. A role groups privileges together, so the whole group can be granted or revoked with a single GRANT or REVOKE of the role.
23.3 Grouping Privileges Using Roles
A role is a set or grouping of object and/or system privileges that is assigned a name. Once a role is established, you can grant the role instead of granting all of the individual privileges to a user. This capability saves a great deal of time!
Figure 23.12 SYSTEM, ASSISTANT, and INTERN Grant Object Privileges.
Note: PL/SQL code blocks may not recognize database access through
roles. Explicit object privileges may be required for PL/SQL. PL/SQL is
covered in Chapter 24.
23.3.1 Creating and Altering Roles
Figure 23.14 shows the syntax of the CREATE ROLE and ALTER ROLE
commands. Options are identical for both commands. Any user with the
CREATE ROLE system privilege can create a role. The SYSTEM user, of
course, has this privilege. The DBA often grants this privilege to users who
own tables, so that users can create roles associated with their tables and
grant those roles to other users.
A role that will contain sensitive privileges can be assigned a password.
Any user who wants to use that role must provide the password (except
when the role is one of the user’s default roles). You will find out more
about default roles later. At this stage, all we will do is lay some groundwork for later and create two roles, substituting strings where appropriate.
Figure 23.13 Revoking an Object Privilege Cascades to Other Users to whom the Revokee Granted the Same Object Privilege.
CONNECT SYSTEM/password@OLTP;
CREATE ROLE MINIDBA;
CREATE ROLE MUSIC_ACCESS;
The MINIDBA role will be a highly privileged role, thus I am using the ALTER ROLE command to restrict access using a password.
ALTER ROLE MINIDBA IDENTIFIED BY DBA#9876;
Note: The password is the only portion of a role that can be altered. You can
add, change, or remove the password on a role. If you want to change the
name of a role, you must drop and then re-create it with the changed name.
Once roles are created, privileges can be granted to them as if they are
users. Then roles can be granted to users. Once a user has a role granted, he
or she inherits all of the privileges assigned to that role.
23.3.2 Granting and Revoking Privileges on Roles
Granting privileges to a role is exactly the same (syntax-wise) as granting
privileges to a user. Figures 23.5 and 23.9 show the syntax of granting and
revoking privileges to and from roles. Roles can be granted to a user, a role,
or PUBLIC.
Let’s grant some privileges. First connect to the SYSTEM user.
Figure 23.14 A New Role Does Not Contain Any Privileges at First.
CONNECT SYSTEM/password@OLTP;
Now we give the MINIDBA role the three system privileges that we wish to delegate to an assistant DBA.
GRANT CREATE USER, CREATE SESSION, CREATE ROLE
TO MINIDBA;
Connect to the MUSIC user to grant some object privileges to the other
role.
CONNECT MUSIC/MUSIC@OLTP;
Let’s say that you are the designer for the MUSIC schema’s application
and you know that all users need to be able to change and query some
tables and only query other tables.
GRANT SELECT ON ARTIST TO MUSIC_ACCESS;
GRANT SELECT ON SONG TO MUSIC_ACCESS;
GRANT SELECT ON MUSICCD TO MUSIC_ACCESS;
GRANT SELECT, INSERT, UPDATE, DELETE
ON STUDIOTIME TO MUSIC_ACCESS;
GRANT SELECT, INSERT, UPDATE, DELETE
ON GUESTAPPEARANCE TO MUSIC_ACCESS;
Now that the roles are configured, we should grant them to users. Granting a role to a user uses the same syntax as granting a system privilege. Refer to Figures 23.5 and 23.9 again. Notice that you can grant a system privilege, a role, or ALL PRIVILEGES. A role can even be granted to another role! This can be useful when you have subsets of privileges that can be logically grouped together under a single role.
So we have added privileges to both roles and now wish to grant roles to
users. The MUSIC user did not create any roles and does not have the
GRANT ANY ROLE system privilege. We have to connect to SYSTEM
again.
CONNECT SYSTEM/password@OLTP;
Let’s say that you want PRINCE to be allowed to use the MUSIC application. In addition, PRINCE will be allowed to grant the role to other users. Grant the appropriate role to PRINCE using this command:
GRANT MUSIC_ACCESS TO PRINCE WITH ADMIN OPTION;
Granting a role to a user has the same syntax as granting system privileges; therefore, you use the WITH ADMIN OPTION when you want the user to be able to grant the role to others.
We also decide that the MINIDBA role should have all privileges
granted to the MUSIC_ACCESS role in addition to the system privileges
already granted to it. Grant the MUSIC_ACCESS role to the MINIDBA
role.
GRANT MUSIC_ACCESS TO MINIDBA;
Now, grant the MINIDBA role to ARIEL.
GRANT MINIDBA TO ARIEL;
ARIEL has all privileges from both roles.
Connect to PRINCE.
CONNECT PRINCE/CHARMING@OLTP;
PRINCE is allowed to grant the MUSIC_ACCESS role. He grants it to
ARIEL.
GRANT MUSIC_ACCESS TO ARIEL;
After doing this, we realize that ARIEL already has the
MUSIC_ACCESS role because it is included in the MINIDBA role. So
PRINCE can revoke the redundant role.
REVOKE MUSIC_ACCESS FROM ARIEL;
Note: Roles can be granted to other roles, establishing groups of groupings
of privileges.
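Added example, not from the book: with the grants above in place, these queries (run as SYSTEM) show what ARIEL actually holds and through which role, which is how you would spot the redundant MUSIC_ACCESS grant before revoking it. DBA_ROLE_PRIVS, DBA_TAB_PRIVS and DBA_SYS_PRIVS are standard Oracle data dictionary views; DBA_ROLE_PRIVS lists roles granted to users and to other roles, so one CONNECT BY walks the whole hierarchy.

```sql
-- Added example (not from the book). Run as SYSTEM after the grants in
-- section 23.3.2; ARIEL, MINIDBA and MUSIC_ACCESS are the names used there.

-- 1. Every role ARIEL holds, directly or through another role.
SELECT LEVEL                                  AS depth,
       SYS_CONNECT_BY_PATH(granted_role, '/') AS role_path,
       granted_role,
       admin_option,
       default_role
FROM   dba_role_privs
START WITH grantee = 'ARIEL'
CONNECT BY NOCYCLE PRIOR granted_role = grantee;
-- Expected: /MINIDBA at depth 1 and /MINIDBA/MUSIC_ACCESS at depth 2.
-- While PRINCE's grant still exists there is also a direct /MUSIC_ACCESS
-- row at depth 1: that is the redundant grant.

-- 2. Object privileges ARIEL ends up with, and which grantee they came in
--    through (ARIEL herself or one of the roles from query 1).
--    Grants to PUBLIC would apply as well but are left out here.
SELECT p.grantee AS granted_to, p.owner, p.table_name, p.privilege
FROM   dba_tab_privs p
WHERE  p.grantee = 'ARIEL'
OR     p.grantee IN (SELECT granted_role
                     FROM   dba_role_privs
                     START WITH grantee = 'ARIEL'
                     CONNECT BY NOCYCLE PRIOR granted_role = grantee)
ORDER  BY p.owner, p.table_name, p.privilege;

-- 3. System privileges the same way; CREATE USER, CREATE SESSION and
--    CREATE ROLE should show up with MINIDBA as granted_to.
SELECT s.grantee AS granted_to, s.privilege, s.admin_option
FROM   dba_sys_privs s
WHERE  s.grantee = 'ARIEL'
OR     s.grantee IN (SELECT granted_role
                     FROM   dba_role_privs
                     START WITH grantee = 'ARIEL'
                     CONNECT BY NOCYCLE PRIOR granted_role = grantee)
ORDER  BY s.privilege;
```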
23.3.3 Setting User Roles
A role, once assigned to a user, can be either enabled or disabled in the
user’s session. By default, any role assigned to a user is enabled. The DBA
can adjust which roles are enabled by default for each user when that user
logs in, using the ALTER USER command. In addition, a user can enable a
role using the SET ROLE command.
The ALTER USER command syntax is shown in Figure 23.15. The
ALTER USER command has many other uses. Figure 23.15 shows only
portions of syntax catering to user default roles.
When a user starts a session (connects to a database), roles are enabled
according to settings made by the DBA using the ALTER USER command.
A user can modify his or her session and change the enabled role set using
the SET ROLE command. Figure 23.16 shows the syntax for the SET
ROLE command.
Let’s show some use of role allocation. First, reconnect to SYSTEM
using this command:
CONNECT SYSTEM/password@OLTP;
Figure 23.15 Modify a User’s Default Roles with ALTER USER.
All roles assigned to a user start out enabled by default, including roles
with passwords. If you want the user to be required to use the password
before enabling the role, you must remove the role from the user’s list of
default roles. The MINIDBA role has a password and has been granted to
ARIEL. Remove this role from ARIEL’s default roles.
ALTER USER ARIEL DEFAULT ROLE ALL EXCEPT MINIDBA;
Now connect to ARIEL replacing the variable as usual.
CONNECT ARIEL/MERMAID@OLTP;
ARIEL cannot perform any tasks that need the system privileges found in the MINIDBA role (such as creating new users), because the role is disabled. She enables the MINIDBA role by using the SET ROLE command, including the appropriate password.
SET ROLE MINIDBA IDENTIFIED BY DBA#9876;
Note: Be careful to include all of the roles you wish to enable in your SET
ROLE command.
Figure 23.16 Users Can Only Enable Roles Previously Granted to Them.
Roles not included in the SET ROLE command become disabled. For example, let’s say you have three roles enabled by default (VIEWMUSIC, UPDATEMUSIC, and DELETEMUSIC) and one role (INSERTMUSIC) disabled by default. If the command SET ROLE INSERTMUSIC is executed, you will enable the INSERTMUSIC role and disable the VIEWMUSIC, UPDATEMUSIC, and DELETEMUSIC roles.
Oracle Database 10g provides some predefined roles you can use if you wish. There are many predefined roles. Some of them are listed as follows:
CONNECT. System privileges needed to log on and work as a database developer. Privileges include CREATE TABLE, CREATE VIEW, CREATE SESSION, CREATE CLUSTER, and so on. Each operating system has a slightly different group of privileges, but generally, you have all you need to do basic database work.
RESOURCE. System privileges needed for other database development, such as creating types. Privileges include CREATE TYPE and CREATE PROCEDURE. Like the CONNECT role, the exact privileges vary from system to system.
SELECT_CATALOG_ROLE. Allows access to data dictionary
metadata and performance views, the catalog.
Use these to help you get started in administering your database. Oracle
recommends, however, that you study the underlying privileges and create
your own roles for most tasks. The CONNECT and RESOURCE roles
may not be created automatically in future releases of Oracle.
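Added example, not from the book: the checks a DBA would pair with SET ROLE and default roles. Part (a) and (b) use the VIEWMUSIC/UPDATEMUSIC/DELETEMUSIC/INSERTMUSIC roles and the MINIDBA password from the text and assume a user who has been granted those roles; part (c) runs as SYSTEM and uses the standard views DBA_ROLE_PRIVS, DBA_ROLES and SESSION_ROLES.

```sql
-- Added example (not from the book).

-- (a) As the connected user: which roles are enabled in THIS session?
--     SESSION_ROLES also lists roles reached through another enabled role,
--     so after SET ROLE MINIDBA it shows MUSIC_ACCESS as well.
SELECT role FROM session_roles ORDER BY role;

-- (b) The "include all the roles you wish to enable" trap from the text.
--     With VIEWMUSIC, UPDATEMUSIC and DELETEMUSIC enabled by default and
--     INSERTMUSIC not, the first statement leaves ONLY INSERTMUSIC enabled;
--     the second is what you want if the other three must stay on.
SET ROLE INSERTMUSIC;
SET ROLE VIEWMUSIC, UPDATEMUSIC, DELETEMUSIC, INSERTMUSIC;
--     A password-protected role goes into the same list with its password
--     (assumes the user holds both VIEWMUSIC and MINIDBA):
SET ROLE VIEWMUSIC, MINIDBA IDENTIFIED BY DBA#9876;

-- (c) As SYSTEM: a password on a role protects nothing while that role is
--     still a default role, because it is enabled at login without the
--     password ever being asked for. Every row returned here is such a case.
SELECT rp.grantee, rp.granted_role
FROM   dba_role_privs rp
JOIN   dba_roles      r ON r.role = rp.granted_role
WHERE  r.password_required = 'YES'
AND    rp.default_role     = 'YES'
ORDER  BY rp.grantee, rp.granted_role;
--     Fix for each row, exactly as done for ARIEL in the text:
--     ALTER USER <grantee> DEFAULT ROLE ALL EXCEPT <granted_role>;
```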
23.3.4 Dropping Roles
This final section on roles involves removing roles. Whenever you remove a
role, it is revoked from all users who currently have the role. Syntax for the
DROP ROLE command is shown in Figure 23.17.
Roles are an excellent way to consolidate privileges needed for running
applications.
Figure 23.17 Dropping a Role Also Revokes the Role from Users.