show parameter case;
You should be able to:
1. Create and manage database user accounts:
2. Authenticate users
3. Assign default storage areas (tablespaces)
4. Grant and revoke privileges
5. Create and manage roles
6. Create and manage profiles:
7. Implement standard password security features
8. Control resource usage by users

Database User Accounts
Each database user account has:
- A unique username
- An authentication method
- A default tablespace
- A temporary tablespace
- A user profile
- An initial consumer group
- An account status

A schema:
- Is a collection of database objects that are owned by a database user
- Has the same name as the user account

Predefined Administrative Accounts
SYS account:
- Is granted the DBA role, as well as several other roles.
- Has all privileges with ADMIN OPTION
- Is required for startup, shutdown, and some maintenance commands
- Owns the data dictionary and the Automatic Workload Repository (AWR)

SYSTEM account is granted the DBA, MGMT_USER, and AQ_ADMINISTRATOR_ROLE roles.
DBSNMP account is granted the OEM_MONITOR role.
SYSMAN account is granted the MGMT_USER, RESOURCE and SELECT_CATALOG_ROLE roles.
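These accounts are not used for routine operations.
For create and update operations, WITH ADMIN OPTION lets the grantee pass the privilege on to other users.
On REVOKE, system privileges are not revoked in cascade, but object privileges are, for objects such as the scott.emp table.

Administrator Authentication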
Operating system security:
- DBAs must have the OS privileges to create and delete files.
- Typical database users should not have the OS privileges to create or delete database files.

Administrator security:
For SYSDBA, SYSOPER, and SYSASM connections:
- DBA user by name is audited for password file and strong authentication methods
- OS account name is audited for OS authentication
- OS authentication takes precedence over password file authentication for privileged users
- Password file uses case-sensitive passwords

There are two types of user privileges:
- System: Enables users to perform particular actions in the database
- Object: Enables users to access and manipulate a specific object

Benefits of Roles:
- Easier privilege management
- Dynamic privilege management
- Selective availability of privileges

Profile
show parameter resource_limit;
resource_limit must be TRUE for any profile settings to take effect; the default is FALSE.

Supplied Password Verification Function: VERIFY_FUNCTION_11G
The VERIFY_FUNCTION_11G function ensures that the password is:
- At least eight characters
- Different from the username, username with a number, or username reversed
- Different from the database name or the database name with a number
- A string with at least one alphabetic and one numeric character
- Different from the previous password by at least three letters

Tip: Use this function as a template to create your own customized password verification.

Principle of least privilege
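As an added example (not code from the original post or from Oracle's supplied script), the following sketches a custom verification function that enforces three of the checks listed above, attaches it to a profile together with resource limits, and creates an account that holds only CREATE SESSION. The names custom_verify_fn, app_profile and app_user, the tablespaces USERS and TEMP, the limit values and the sample password are all assumptions.

```sql
-- Added example; run as SYS, which must own the verification function.
-- custom_verify_fn, app_profile, app_user and the tablespaces are assumed names.
CREATE OR REPLACE FUNCTION custom_verify_fn (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
  reversed_name VARCHAR2(128);
BEGIN
  -- At least eight characters
  IF LENGTH(password) < 8 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 8 characters');
  END IF;
  -- Different from the username and the username reversed (case-insensitive)
  FOR i IN REVERSE 1 .. LENGTH(username) LOOP
    reversed_name := reversed_name || SUBSTR(username, i, 1);
  END LOOP;
  IF UPPER(password) IN (UPPER(username), UPPER(reversed_name)) THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must differ from the username');
  END IF;
  -- At least one alphabetic and one numeric character
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password needs a letter and a digit');
  END IF;
  RETURN TRUE;
END;
/

-- The page states that resource_limit must be TRUE for profile settings to apply
ALTER SYSTEM SET resource_limit = TRUE;

-- Profile: password rules plus resource limits (values are constructed samples)
CREATE PROFILE app_profile LIMIT
  PASSWORD_VERIFY_FUNCTION custom_verify_fn
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LIFE_TIME       90
  SESSIONS_PER_USER        2
  IDLE_TIME                30;

-- Account with explicit tablespaces and profile; the password is a constructed sample
CREATE USER app_user IDENTIFIED BY "Constructed-Sample-1"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  PROFILE app_profile
  PASSWORD EXPIRE;
GRANT CREATE SESSION TO app_user;  -- least privilege: log in only
-- Confirm the account attributes
SELECT username, account_status, default_tablespace, temporary_tablespace, profile
  FROM dba_users WHERE username = 'APP_USER';
```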
Reposted from: https://blog.51cto.com/3938853/2162740