An Oracle database system can be quite large and serve many users

Oracle - Practical 12
ACCESS CONTROL
Today we will cover creating new database users, altering and dropping existing users,
monitoring information about existing users and terminating user sessions.
You can control access to an Oracle database by creating, altering, dropping and monitoring
users.
Controlling Access to and Use of the Database
 Create valid usernames and passwords
 Authorize a user to connect to the database.
Each Oracle database has a list of valid database users, identified by usernames.
A username is
 Required to access the database
 Supplied by every database application.
 Defined in the database.
When a user is created, a corresponding schema of the same name is created for that user.
Oracle database Authentication
 A password is assigned with each username and can be changed later by the user.
 The Oracle Server stores usernames and encrypted passwords.
 User authentication is validated by the Oracle Server when a user attempts to
connect to the database.
 Users can be authenticated by the operating system.
Authentication Specification: Description
 Default tablespace: Specifies where objects are built if no tablespace is referenced in the CREATE TABLE or CREATE INDEX command.
 Temporary tablespace: Provides storage for SQL statements that require disk space to sort or summarize data.
 Tablespace quotas: Determine the maximum space the user may consume for each tablespace.
 System resource limits: Include the amount of CPU time, the number of logical reads, the number of concurrent sessions per user, and the idle time for a session, specified through profiles.
Creating a User
CREATE USER SQL command :
Syntax
    CREATE USER user
        IDENTIFIED { BY password | EXTERNALLY }
        [ DEFAULT TABLESPACE tablespace ]
        [ TEMPORARY TABLESPACE tablespace ]
        [ PROFILE profile ]
        [ QUOTA { integer | UNLIMITED } ON tablespace ]
where
    user                    identifies the name of the user to be created
    BY password             specifies the password to log in
    EXTERNALLY              verifies user access through the operating system
    DEFAULT TABLESPACE      identifies the default tablespace for user objects
    TEMPORARY TABLESPACE    identifies the temporary tablespace for temporary segments
    QUOTA                   allows the user to allocate space in the tablespace
    integer                 specifies quota in K or M
    UNLIMITED               allows the user to allocate space within the tablespace without boundaries
    PROFILE                 assigns the profile named to the user
Example:
    CREATE USER jack
        IDENTIFIED BY jill
        DEFAULT TABLESPACE student
        TEMPORARY TABLESPACE temp
        QUOTA 15M ON student;
Now create a user named tom with a password of tom. Tom’s temporary tablespace should
be TEMP, but he should not be assigned a default tablespace at this time. Give tom unlimited
tablespace quota on the SYSTEM tablespace.
Note :
 2 usernames are reserved on an Oracle database : sys and system
 By default, a user does not have access to any tablespace in the database.
 Assign quotas to a user to prevent that user's objects from consuming excessive space in a tablespace.
Altering a User
Modify the security settings for an existing database user to change the options associated
with that user. The following options can be changed through the ALTER USER command :
 Password
 Default tablespace
 Temporary tablespace
 Quota per tablespace
 Default roles
Syntax
    ALTER USER user
        [ IDENTIFIED { BY password | EXTERNALLY } ]
        [ DEFAULT TABLESPACE tablespace ]
        [ TEMPORARY TABLESPACE tablespace ]
        [ PROFILE profile ]
        [ QUOTA { integer | UNLIMITED } ON tablespace ]
        [ DEFAULT ROLE { role [, role]... | ALL [ EXCEPT role [, role]... ] | NONE } ]
Where
    user                    identifies the name of the user to be altered
    BY password             specifies the password to log in
    EXTERNALLY              verifies user access through the operating system
    DEFAULT TABLESPACE      identifies the default tablespace for user objects
    TEMPORARY TABLESPACE    identifies the temporary tablespace for temporary segments
    QUOTA                   allows the user to allocate space in the tablespace
    integer                 specifies quota in K or M
    UNLIMITED               allows the user to allocate space within the tablespace without boundaries
    PROFILE                 assigns the profile named to the user
Example : Alter the user joe. Change the password to hill. Change the default tablespace to
staff, with a quota of 10MB
    ALTER USER jack
        IDENTIFIED BY hill
        DEFAULT TABLESPACE staff
        QUOTA 10M ON staff;
Now, change tom’s default tablespace to staff with a quota of 10M.
Note :
 Only options specified within the ALTER USER SQL command are changed; all
previously given resources remain.
Dropping an Existing User
Syntax:
    DROP USER user [ CASCADE ]
Where
    user       user to drop
    CASCADE    drops all objects in the user’s schema before dropping the user. This option
               must be specified to drop any user whose schema contains any objects.
Example : Drop the user joe and select the option that will drop all of joe’s objects.
    DROP USER joe CASCADE;
Note : A user that is currently connected to the database cannot be dropped.
Monitoring Users
You can view user information in the data dictionary, which stores information about every
username. The data dictionary includes information on:
 All users in the database
 The default tablespace for the tables and indexes of each user
 The tablespace used for temporary segments
 Space quotas
Helpful Data Dictionary Views :
 ALL_USERS
 USER_USERS
 DBA_TS_QUOTAS
 USER_TS_QUOTAS
Display information about the current user with the USER_USERS data dictionary view, e.g.
    SELECT *
    FROM user_users;
Display information about all users of the database with the DBA_USERS data dictionary
view e.g.
    SELECT *
    FROM dba_users;
Display tablespace quotas for the current user with the USER_TS_QUOTAS data dictionary
view e.g.
    SELECT *
    FROM user_ts_quotas;
Note : A value of –1 represents unlimited quota.
Display tablespace quotas for all users with the DBA_TS_QUOTAS data dictionary
view e.g.
    SELECT *
    FROM dba_ts_quotas;
Killing a user session
When necessary, terminate a user’s session while that user is logged on to the database.
Killing a user session
 Prevents a user from issuing further database calls
 Frees locked resources
 Will display a message to the user
 Requires the ALTER SYSTEM privilege.
Kill a user session when
 A user is holding resources urgently needed by another user
 The DBA needs to shut down the database – use the IMMEDIATE option during
shutdown as an alternative to killing a user session.
Syntax :
    ALTER SYSTEM KILL SESSION 'integer1, integer2'
Where
    KILL SESSION    terminates a session
    integer1        specifies the user SESSION ID
    integer2        specifies the user serial number
The ALTER SYSTEM KILL SESSION command performs a number of tasks upon execution.
 Rolls back the user’s current transaction
 Releases all currently held table or row locks
 Frees all resources currently reserved by that user
If the user session is performing some activity that must be completed, such as waiting for a
reply from a remote database or rolling back a transaction, the Oracle Server waits for this
activity to complete.
Query the V$SESSION view to identify the session ID index and serial number of user
sessions.
Example :
    SELECT sid, serial#, username
    FROM v$session;

    ALTER SYSTEM KILL SESSION '8,103';
Note : Rows with a blank username are the background processes.
Now, as sys query the V$SESSION table to determine the SERIAL# and SID of your current
session, then list the command that could be used to terminate your connection to the
database. Attempt to execute the statement. What happened and why?
You are never allowed to kill your own session with the ALTER SYSTEM command.
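
Because a connected user cannot be dropped, removing an account usually means killing its sessions first. The following PL/SQL block is an added example, not part of the original practical. It assumes the account JOE from the DROP USER example, uses V$MYSTAT to find the caller's own SID, and uses ALTER USER ... ACCOUNT LOCK, which this practical does not cover, to stop the user reconnecting between steps.

```sql
-- Added example (not from the handout). Run as a DBA holding the
-- ALTER SYSTEM, ALTER USER and DROP USER privileges.
DECLARE
  v_target  CONSTANT VARCHAR2(30) := 'JOE';  -- account to remove (assumed name)
  v_my_sid  NUMBER;
  v_left    NUMBER;
BEGIN
  -- SID of the session running this block; it cannot kill itself.
  SELECT sid INTO v_my_sid FROM v$mystat WHERE ROWNUM = 1;

  -- Block new logins so the account cannot reconnect while we work.
  EXECUTE IMMEDIATE 'ALTER USER ' || v_target || ' ACCOUNT LOCK';

  FOR s IN (SELECT sid, serial#
              FROM v$session
             WHERE username = v_target
               AND sid <> v_my_sid)
  LOOP
    BEGIN
      EXECUTE IMMEDIATE 'ALTER SYSTEM KILL SESSION '''
                        || s.sid || ',' || s.serial# || '''';
    EXCEPTION
      WHEN OTHERS THEN
        -- ORA-00030: session no longer exists
        -- ORA-00031: session marked for kill (still rolling back)
        IF SQLCODE NOT IN (-30, -31) THEN
          RAISE;
        END IF;
    END;
  END LOOP;

  -- Sessions that are still rolling back remain listed in V$SESSION.
  SELECT COUNT(*) INTO v_left
    FROM v$session
   WHERE username = v_target;

  IF v_left = 0 THEN
    EXECUTE IMMEDIATE 'DROP USER ' || v_target || ' CASCADE';
  ELSE
    RAISE_APPLICATION_ERROR(-20001,
      v_left || ' session(s) of ' || v_target ||
      ' still present; account is locked, rerun once they have gone');
  END IF;
END;
/
```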