
Users and Schemas

Creating, altering and dropping users.

Profiles

PRIVILEGEs

Identifying sessions and killing them.

Simple auditing

Data dictionary views

Schema : All the objects owned by a user are collectively called that user's schema. The user is the logical unit (the account that authenticates and holds privileges); the schema is the set of objects that account owns.
Ex: When we address the EMP table in the SCOTT user, it is logically the SCOTT schema that holds the object in the database (SCOTT.EMP).
Creating a user :
CREATE USER <USER_NAME>
  IDENTIFIED BY <PASSWORD> | IDENTIFIED EXTERNALLY | IDENTIFIED GLOBALLY AS '<DIRECTORY_DN>'
  DEFAULT TABLESPACE <TABLESPACE_NAME>
  TEMPORARY TABLESPACE <TEMP_TABLESPACE_NAME>
  QUOTA <SIZE> | UNLIMITED ON <TABLESPACE_NAME>   -- one QUOTA clause per tablespace the user may fill
  PROFILE <PROFILE_NAME>
  PASSWORD EXPIRE
  ACCOUNT UNLOCK | LOCK;

Only <USER_NAME> and one IDENTIFIED clause are mandatory; every other clause falls back to the database defaults described below.

1. Identified by : there are three ways to authenticate the user.
   Password (IDENTIFIED BY) : authentication is database specific; the password is verified by the database itself.
   Externally : the user is authenticated by the operating system or by an external authentication service (for example Kerberos) and the database trusts that result. Because the database is then only as safe as that external identity check, this is generally treated as less secure than a database password; remote OS authentication in particular should not be relied on.
   Globally : the user is authenticated through an enterprise directory service, such as Oracle Internet Directory (enterprise user security).
2. Default tablespace : the tablespace in which the user's objects are stored when a CREATE statement does not name one. If you do not specify a default tablespace at user creation, the user inherits the database default permanent tablespace, for example USERS in our ORCL database. The temporary tablespace works the same way: if none is named, the database default temporary tablespace (usually TEMP) is used for sorts and temporary segments.
3. Quota : limits how much space the user may occupy in a tablespace. Without a quota (and without the UNLIMITED TABLESPACE privilege) the user cannot allocate any space there, even in his own default tablespace.
   example :
   quota unlimited on ts1 (the user may use all the free space present in that tablespace)
   quota 0m on ts2 (the user cannot allocate any more space in that tablespace; objects already there remain but cannot grow, and no new objects can be created)
   quota 10m on ts3 (ts3 is the tablespace name and the user can create objects and store data up to 10 MB in that tablespace)
4. Profile : a named set of limits that controls how passwords behave (lifetime, failed logins, complexity) and how much of the instance's resources the user may consume, for example how much CPU a session may use. If we do not specify a profile for the user, the DEFAULT profile of the database is assigned.
5. Password expire : using PASSWORD EXPIRE at user creation is good practice. It marks the initial password as expired, so the user is forced to choose a new password at the first login and the DBA never knows the password the user actually works with.
6. Account unlock|lock : we can explicitly lock an account with ACCOUNT LOCK; by default a newly created account is unlocked.

Dictionary view :
We can see the default tablespace and temporary tablespace of a user with the DBA_USERS view :
select username, default_tablespace, temporary_tablespace from dba_users
where username = '<USERNAME>';

Quotas are charged to the owner of the object, not to the user who writes to it. Suppose user abc creates a table in a tablespace where abc has a quota of 10 MB and grants INSERT on that table to another user. When the other user's inserts make the table grow beyond 10 MB, the statement fails with ORA-01536 (space quota exceeded for tablespace), because it is abc's quota that is being consumed.
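As an added example (not part of the original notes), the whole procedure above in one script: create a bounded application user, confirm the result in the dictionary, then reproduce the quota failure just described. It assumes a default ORCL-style database with the USERS and TEMP tablespaces; the user names, passwords and the 10 MB figure are made up for the example. Run it as a DBA (SYSTEM) in SQL*Plus.

```sql
-- Added example, not from the original notes: create a bounded application
-- user, check the result in the dictionary, then trigger the quota error
-- described above. Assumes a default ORCL-style database with the USERS and
-- TEMP tablespaces; user names, passwords and the 10 MB figure are made up.
-- Run as a DBA (SYSTEM) in SQL*Plus.

SET SERVEROUTPUT ON

CREATE USER app_user
  IDENTIFIED BY "Ch4ngeMe_Now!"      -- quoted so mixed case and punctuation survive
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 10M ON users                 -- bounded space, no UNLIMITED TABLESPACE
  PASSWORD EXPIRE                    -- must choose a new password at first logon
  ACCOUNT UNLOCK;

-- Without CREATE SESSION the account exists but cannot connect.
GRANT CREATE SESSION, CREATE TABLE TO app_user;

-- Verify tablespaces, status and profile ...
SELECT username, default_tablespace, temporary_tablespace, account_status, profile
FROM   dba_users
WHERE  username = 'APP_USER';

-- ... and the quota (MAX_BYTES is -1 for UNLIMITED, BYTES is current usage).
SELECT tablespace_name, bytes, max_bytes
FROM   dba_ts_quotas
WHERE  username = 'APP_USER';

-- A second account that may only write into app_user's table.
CREATE USER app_writer IDENTIFIED BY "Wr1ter_Pass!" DEFAULT TABLESPACE users;
GRANT CREATE SESSION TO app_writer;

-- The table lives in APP_USER's schema, so its space is charged to APP_USER's
-- quota whoever does the inserting (created here by the DBA via CREATE ANY TABLE).
CREATE TABLE app_user.big_rows (id NUMBER, pad CHAR(2000));
GRANT INSERT ON app_user.big_rows TO app_writer;

-- CONNECT app_writer/"Wr1ter_Pass!"   (or stay connected as the DBA: same outcome)
-- Each row is ~2 KB; 20000 rows would need ~40 MB, far past the 10 MB quota.
DECLARE
  quota_exceeded EXCEPTION;
  PRAGMA EXCEPTION_INIT(quota_exceeded, -1536);   -- ORA-01536
  n PLS_INTEGER := 0;
BEGIN
  FOR i IN 1 .. 20000 LOOP
    INSERT INTO app_user.big_rows VALUES (i, 'x');
    n := i;
  END LOOP;
  COMMIT;
EXCEPTION
  WHEN quota_exceeded THEN
    ROLLBACK;
    DBMS_OUTPUT.PUT_LINE('ORA-01536 after ' || n || ' rows: APP_USER quota on USERS exhausted');
END;
/
```

The point to take away is the last block: APP_WRITER has no quota at all on USERS and still gets ORA-01536, because the check is made against the owner of the segment (APP_USER), not against the session doing the insert.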
Profiles:
If we do not name a profile, the DEFAULT profile is assigned at user creation; the DEFAULT profile of the database cannot be dropped (it can be altered).
A profile carries two groups of limits, kernel (resource) limits and password limits. The kernel limits are enforced only while the initialization parameter RESOURCE_LIMIT is TRUE; the password limits are always enforced.
Kernel
1. SESSIONS_PER_USER (number of concurrent sessions a user may have)
2. CPU_PER_SESSION (CPU time a session may use, in hundredths of a second)
3. CPU_PER_CALL (CPU time per call, a call being the parse, execute or fetch of one SQL statement, in hundredths of a second)
4. LOGICAL_READS_PER_SESSION (number of data blocks a session may read, from memory or from disk)
5. LOGICAL_READS_PER_CALL (data blocks that may be read per call)
6. IDLE_TIME (minutes a session may stay idle, i.e. doing nothing, before it is disconnected)
7. CONNECT_TIME (total minutes a session may stay connected)
8. PRIVATE_SGA (bytes of SGA a session may use for private data; only meaningful with the shared server option)
9. COMPOSITE_LIMIT (a weighted sum, in service units, of CPU_PER_SESSION, LOGICAL_READS_PER_SESSION, CONNECT_TIME and PRIVATE_SGA; the weights are set with ALTER RESOURCE COST)

Passwords

1. FAILED_LOGIN_ATTEMPTS (number of consecutive failed login attempts allowed; once exceeded the account is locked)
2. PASSWORD_LIFE_TIME (number of days the same password may be used before it expires)
3. PASSWORD_REUSE_TIME (number of days that must pass before a password can be reused)
4. PASSWORD_REUSE_MAX (number of password changes required before a password can be reused; PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX must both be set to a number for the reuse restriction to take effect)
5. PASSWORD_VERIFY_FUNCTION (name of a PL/SQL function, owned by SYS, that checks a new password against our own rules, for example that it contains at least one letter, one uppercase letter and one digit)
6. PASSWORD_LOCK_TIME (number of days an account stays locked after FAILED_LOGIN_ATTEMPTS is exceeded; after that it is unlocked automatically)
7. PASSWORD_GRACE_TIME (number of days after the password expires during which login is still allowed with a warning, before the account is barred until the password is changed)

Listing the limits in the DEFAULT profile :

Profile creation :
CREATE PROFILE <PROFILE_NAME> LIMIT
  SESSIONS_PER_USER <NUMBER>
  IDLE_TIME <NUMBER_IN_MINUTES>
  CONNECT_TIME <NUMBER_IN_MINUTES>
  FAILED_LOGIN_ATTEMPTS <NUMBER>
  PASSWORD_LIFE_TIME <NUMBER_OF_DAYS>
  PASSWORD_LOCK_TIME <NUMBER_OF_DAYS>
/

Example :

CREATE PROFILE PROFILE1 LIMIT
  SESSIONS_PER_USER 2
  IDLE_TIME 30
  CONNECT_TIME 480            -- 8 hours
  FAILED_LOGIN_ATTEMPTS 3
  PASSWORD_LIFE_TIME 365      -- normally a password expires after a year
  PASSWORD_LOCK_TIME 5/1440   -- the unit is days and a day has 1440 minutes, so this is 5 minutes
/

To assign a profile to a user :

ALTER USER <USERNAME> PROFILE <PROFILE_NAME>;

After a user is created we also need to grant the CREATE SESSION privilege; without it the account exists but cannot connect to the database.

PASSWORD_VERIFY_FUNCTION : Oracle ships a script that creates a sample verification function; to use it we run the script as SYSDBA.
Location : $ORACLE_HOME/rdbms/admin/utlpwdmg.sql

At the end of the script is an ALTER PROFILE DEFAULT LIMIT statement that sets the password parameters (FAILED_LOGIN_ATTEMPTS, PASSWORD_LIFE_TIME, PASSWORD_VERIFY_FUNCTION, ...) of the database DEFAULT profile; this is where we modify the values we want.

After the values have been altered we remove the comment markers around that statement, if any, and run the script as SYSDBA in the instance. Because a profile limit applies to every user of that profile, changing DEFAULT affects all accounts that were not given another profile.
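The following is an added example, not from the original notes and not the function that utlpwdmg.sql installs: a custom password verification function, a profile that combines it with the password limits listed above, and the DBA_PROFILES query that lists the new profile's limits next to those of DEFAULT (the query missing under "Listing the limits in the DEFAULT profile"). The function name app_pw_verify, the profile name app_profile and the numeric limits are our own choices; the function must be created as SYS.

```sql
-- Added example (not from the notes or from utlpwdmg.sql): a custom password
-- verification function, a profile that uses it, and the dictionary checks.
-- Run as SYS: the function must be owned by SYS. Names (app_pw_verify,
-- app_profile) and the numeric limits are our own choices.

CREATE OR REPLACE FUNCTION app_pw_verify (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2)
RETURN BOOLEAN
IS
BEGIN
  -- Length: 12 or more characters.
  IF LENGTH(password) < 12 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 12 characters');
  END IF;
  -- Must not contain the user name (case-insensitive).
  IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must not contain the user name');
  END IF;
  -- Complexity: at least one lowercase letter, one uppercase letter and one digit.
  IF NOT REGEXP_LIKE(password, '[a-z]')
     OR NOT REGEXP_LIKE(password, '[A-Z]')
     OR NOT REGEXP_LIKE(password, '[0-9]') THEN
    RAISE_APPLICATION_ERROR(-20003,
      'Password needs a lowercase letter, an uppercase letter and a digit');
  END IF;
  -- Must differ from the old password in at least 3 positions. old_password is
  -- NULL when a DBA resets the password, so the check is skipped in that case.
  IF old_password IS NOT NULL THEN
    DECLARE
      diff PLS_INTEGER := 0;
    BEGIN
      FOR i IN 1 .. GREATEST(LENGTH(password), LENGTH(old_password)) LOOP
        IF SUBSTR(password, i, 1) IS NULL
           OR SUBSTR(old_password, i, 1) IS NULL
           OR SUBSTR(password, i, 1) <> SUBSTR(old_password, i, 1) THEN
          diff := diff + 1;
        END IF;
      END LOOP;
      IF diff < 3 THEN
        RAISE_APPLICATION_ERROR(-20004,
          'Password must differ from the old one in at least 3 characters');
      END IF;
    END;
  END IF;
  RETURN TRUE;
END;
/

-- A profile that combines the function with lockout and reuse rules.
CREATE PROFILE app_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LOCK_TIME       1/24        -- locked for one hour, then unlocked automatically
  PASSWORD_LIFE_TIME       90
  PASSWORD_GRACE_TIME      7
  PASSWORD_REUSE_TIME      365         -- both REUSE limits must be numbers
  PASSWORD_REUSE_MAX       10          -- for the reuse rule to be enforced
  PASSWORD_VERIFY_FUNCTION app_pw_verify
  SESSIONS_PER_USER        3
  IDLE_TIME                30;

ALTER USER scott PROFILE app_profile;

-- This change is rejected by the function (contains the user name):
-- ALTER USER scott IDENTIFIED BY "ScottScottScott";   -- ORA-20002

-- List every limit of the new profile next to the DEFAULT profile's value.
SELECT p.resource_type, p.resource_name, p.limit AS app_limit, d.limit AS default_limit
FROM   dba_profiles p
JOIN   dba_profiles d ON d.resource_name = p.resource_name AND d.profile = 'DEFAULT'
WHERE  p.profile = 'APP_PROFILE'
ORDER  BY p.resource_type, p.resource_name;
```

A verification function only runs when a password is set or changed, so existing passwords are not re-checked; to force that, expire them (ALTER USER ... PASSWORD EXPIRE) after assigning the profile.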

Composite_limit : Weighted sum (in service units) of

1. CPU_PER_SESSION (hundredths of a second)
2. LOGICAL_READS_PER_SESSION (blocks)
3. CONNECT_TIME (minutes)
4. PRIVATE_SGA (bytes)

The weights (resource costs) can only be set at the database level, with ALTER RESOURCE COST; the COMPOSITE_LIMIT itself, the threshold a session may not exceed, is set per profile.
If a user's session reaches the threshold given by the COMPOSITE_LIMIT of its profile, the session is terminated.
To see the weightages :

SQL> SELECT * FROM RESOURCE_COST;

RESOURCE_NAME                     UNIT_COST
-------------------------------- ----------
CPU_PER_SESSION                           0
LOGICAL_READS_PER_SESSION                 0
CONNECT_TIME                              0
PRIVATE_SGA                               0

All four costs are zero, so nothing contributes to the weighted sum and a COMPOSITE_LIMIT has no effect.
If we alter the costs to nonzero values, for example CONNECT_TIME = 5 (per minute) and CPU_PER_SESSION = 8 (per hundredth of a second) :

SQL> ALTER RESOURCE COST
  2    CONNECT_TIME 5
  3    CPU_PER_SESSION 8;

Resource cost altered.

To see the new costs, issue the same query : SELECT * FROM RESOURCE_COST;
Suppose a user has been connected for 30 minutes and has used 3 seconds (300 hundredths of a second) of CPU time. With the costs set above the session's composite cost is :
(30 * 5) + (300 * 8) = 150 + 2400 = 2550 service units

Now set the COMPOSITE_LIMIT of the profile to 50000 service units (and, in the same statement, a LOGICAL_READS_PER_SESSION of 90000 blocks) and assign the profile to SCOTT :

SQL> ALTER PROFILE PROFILE1 LIMIT
  COMPOSITE_LIMIT 50000
  LOGICAL_READS_PER_SESSION 90000;
SQL> ALTER USER SCOTT PROFILE PROFILE1;

Remember that these kernel limits are only enforced while RESOURCE_LIMIT is TRUE.
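As an added example (not from the original notes), the composite limit made effective end to end, plus a query that applies the same weights to the live statistics in V$SESSTAT to estimate how close each session is to its limit; Oracle does not expose a running composite cost per session, so this estimate is our own computation. The cost values, the profile name batch_profile and the 50000 threshold are illustrative; RESOURCE_COST, V$SESSTAT, V$STATNAME, V$SESSION and DBA_PROFILES are Oracle's own views.

```sql
-- Added example (not from the notes): make the composite limit actually bite
-- and estimate how close each live session is to it. Costs, the profile name
-- and the limit are illustrative values; the views and statistic names are
-- Oracle's own. Run as a DBA.

-- 1. Kernel limits are ignored unless RESOURCE_LIMIT is TRUE (a dynamic parameter).
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

-- 2. Weights: 8 units per 1/100 s of CPU, 1 unit per block read, 5 units per
--    connected minute, nothing for PRIVATE_SGA (dedicated server).
ALTER RESOURCE COST
  CPU_PER_SESSION           8
  LOGICAL_READS_PER_SESSION 1
  CONNECT_TIME              5
  PRIVATE_SGA               0;

-- 3. A profile whose sessions are terminated at 50,000 service units.
CREATE PROFILE batch_profile LIMIT
  COMPOSITE_LIMIT            50000
  LOGICAL_READS_PER_SESSION  90000;
ALTER USER scott PROFILE batch_profile;

-- 4. Estimate the current composite cost of every user session by applying the
--    same weights to the per-session statistics Oracle keeps in V$SESSTAT.
--    'CPU used by this session' is in hundredths of a second, matching the unit
--    of CPU_PER_SESSION; connect time is derived from LOGON_TIME.
WITH cost AS (
  SELECT MAX(CASE resource_name WHEN 'CPU_PER_SESSION'           THEN unit_cost END) AS cpu_w,
         MAX(CASE resource_name WHEN 'LOGICAL_READS_PER_SESSION' THEN unit_cost END) AS lr_w,
         MAX(CASE resource_name WHEN 'CONNECT_TIME'              THEN unit_cost END) AS ct_w
  FROM   resource_cost
), stats AS (
  SELECT st.sid,
         MAX(CASE sn.name WHEN 'CPU used by this session' THEN st.value END) AS cpu_cs,
         MAX(CASE sn.name WHEN 'session logical reads'    THEN st.value END) AS lreads
  FROM   v$sesstat st
  JOIN   v$statname sn ON sn.statistic# = st.statistic#
  WHERE  sn.name IN ('CPU used by this session', 'session logical reads')
  GROUP  BY st.sid
)
SELECT s.sid, s.serial#, s.username, u.profile,
       ROUND((SYSDATE - s.logon_time) * 24 * 60) AS connected_min,
       st.cpu_cs, st.lreads,
       st.cpu_cs * c.cpu_w
         + st.lreads * c.lr_w
         + ROUND((SYSDATE - s.logon_time) * 24 * 60) * c.ct_w AS est_service_units,
       (SELECT dp.limit FROM dba_profiles dp
        WHERE  dp.profile = u.profile AND dp.resource_name = 'COMPOSITE_LIMIT') AS composite_limit
FROM   v$session s
JOIN   dba_users u  ON u.username = s.username
JOIN   stats st     ON st.sid = s.sid
CROSS  JOIN cost c
WHERE  s.type = 'USER'
ORDER  BY est_service_units DESC;
```

With the weights above, the 30-minute, 3-second-CPU session from the worked arithmetic would show about 2550 service units plus one unit per block read, so the 50000 limit is reached by heavy readers long before by idle connections.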

After the user is created we need to grant SYSTEM PRIVILEGES :

CREATE SESSION, CREATE TABLE, ....
CREATE TABLE allows the user to create tables in his own schema only.
CREATE ANY TABLE allows the user to create tables in other users' schemas as well; the ANY privileges are powerful and should be granted sparingly.
CREATE ANY INDEX .. (the same pattern exists for the other database objects)
UNLIMITED TABLESPACE (with this privilege the user can store objects in any tablespace with no quota at all; it bypasses every QUOTA clause, so avoid it for application users)

ROLE : a named collection of privileges, which makes the DBA's task easier: all the privileges are assigned to a user by granting a single role name. CONNECT and RESOURCE are predefined roles.
To check the privileges contained in a role :
SELECT GRANTEE, PRIVILEGE FROM DBA_SYS_PRIVS WHERE GRANTEE='CONNECT';
GRANT CONNECT, RESOURCE, UNLIMITED TABLESPACE TO <USER>;
The contents of the predefined roles have changed across releases (CONNECT now contains only CREATE SESSION, and in older releases granting RESOURCE also granted UNLIMITED TABLESPACE implicitly), so always check what a role contains on your database rather than assume it.
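An added example (not from the original notes) of doing this with least privilege: a purpose-built role instead of CONNECT/RESOURCE, a quota instead of UNLIMITED TABLESPACE, and the queries that show what an account really holds, directly and through roles, using DBA_SYS_PRIVS and DBA_ROLE_PRIVS. The names app_user and app_role are ours; the recursive WITH clause needs Oracle 11g Release 2 or later.

```sql
-- Added example (not from the notes): grant an application account the least
-- privilege it needs through a custom role, then audit what it really holds.
-- app_user and app_role are our own names; the views are Oracle's.
-- Recursive WITH requires 11gR2 or later. Run as a DBA.

-- A purpose-built role instead of the catch-all CONNECT/RESOURCE pair.
CREATE ROLE app_role;
GRANT CREATE SESSION, CREATE TABLE, CREATE SEQUENCE, CREATE VIEW TO app_role;
GRANT app_role TO app_user;

-- Space comes from a quota, never from UNLIMITED TABLESPACE.
ALTER USER app_user QUOTA 50M ON users;

-- What do the predefined roles contain on THIS database? (Varies by release.)
SELECT grantee AS role, privilege
FROM   dba_sys_privs
WHERE  grantee IN ('CONNECT', 'RESOURCE')
ORDER  BY grantee, privilege;

-- Everything app_user can do, directly or through roles. Roles can be granted
-- to roles, so DBA_ROLE_PRIVS is walked recursively.
WITH granted_roles (granted_role, lvl) AS (
  SELECT granted_role, 1
  FROM   dba_role_privs
  WHERE  grantee = 'APP_USER'
  UNION ALL
  SELECT rp.granted_role, gr.lvl + 1
  FROM   dba_role_privs rp
  JOIN   granted_roles gr ON gr.granted_role = rp.grantee
)
SELECT 'DIRECT' AS via, privilege
FROM   dba_sys_privs
WHERE  grantee = 'APP_USER'
UNION ALL
SELECT 'ROLE ' || gr.granted_role, sp.privilege
FROM   granted_roles gr
JOIN   dba_sys_privs sp ON sp.grantee = gr.granted_role
ORDER  BY 1, 2;

-- Red flags worth alerting on: dangerous privileges held outside the DBA set.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  (privilege LIKE '%ANY%'
        OR privilege IN ('UNLIMITED TABLESPACE', 'ALTER SYSTEM', 'BECOME USER'))
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, privilege;
```

The last query is the one to schedule: a new row in its result after a deployment is the cheapest way to catch a privilege granted "just to make it work" that never got taken back.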

Killing a session :
To identify a session there is a dynamic performance view : V$SESSION
SELECT SID, SERIAL#, USERNAME, OSUSER, LOGON_TIME FROM V$SESSION;
To kill a session (both SID and SERIAL# are needed, because a SID is reused once the session ends) :
ALTER SYSTEM KILL SESSION 'SID,SERIAL#';
> If the session is busy and the statement above only marks it for kill (ORA-00031), use :
ALTER SYSTEM KILL SESSION 'SID,SERIAL#' IMMEDIATE;
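An added example (not from the original notes): the routine for an account suspected of compromise, which is lock first, then identify and kill every session of that account so the kill cannot simply be followed by a reconnect. The user name APP_USER is a placeholder; V$SESSION and the ALTER SYSTEM syntax are Oracle's own. On RAC the session identifier also needs the instance (`'SID,SERIAL#,@INST_ID'`), which this single-instance script omits.

```sql
-- Added example (not from the notes): find every session of one account and
-- kill them all, a routine step when an account is suspected compromised.
-- APP_USER is a placeholder; the views are Oracle's. Single instance only.

-- 1. Lock first, so the attacker cannot simply reconnect after the kill.
ALTER USER app_user ACCOUNT LOCK;

-- 2. Look before killing: where is each session coming from, what is it running?
SELECT sid, serial#, username, osuser, machine, program, status,
       TO_CHAR(logon_time, 'YYYY-MM-DD HH24:MI') AS logon_time, sql_id
FROM   v$session
WHERE  username = 'APP_USER';

-- 3. Kill each one. IMMEDIATE rolls back in-flight work and releases locks now
--    instead of leaving the session "marked for kill" (ORA-00031).
SET SERVEROUTPUT ON
BEGIN
  FOR s IN (SELECT sid, serial# FROM v$session WHERE username = 'APP_USER') LOOP
    BEGIN
      EXECUTE IMMEDIATE 'ALTER SYSTEM KILL SESSION '''
                        || s.sid || ',' || s.serial# || ''' IMMEDIATE';
      DBMS_OUTPUT.PUT_LINE('killed ' || s.sid || ',' || s.serial#);
    EXCEPTION
      WHEN OTHERS THEN   -- e.g. ORA-00030 if the session already disappeared
        DBMS_OUTPUT.PUT_LINE('sid ' || s.sid || ': ' || SQLERRM);
    END;
  END LOOP;
END;
/

-- 4. Confirm nothing is left (a killed session may linger with STATUS = 'KILLED').
SELECT COUNT(*) AS live_sessions
FROM   v$session
WHERE  username = 'APP_USER' AND status <> 'KILLED';
```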
Simple Auditing :
(This is the traditional audit trail. AUDIT_TRAIL is a static parameter, so the change needs SCOPE=SPFILE and takes effect only after the instance is restarted.)
To configure auditing :
ALTER SYSTEM SET AUDIT_TRAIL=DB SCOPE=SPFILE;
ALTER SYSTEM SET AUDIT_FILE_DEST='<PATH TO DIRECTORY>';   -- directory used when AUDIT_TRAIL is OS or XML, and for the mandatory SYSDBA audit records

Dictionary views for auditing :

DBA_STMT_AUDIT_OPTS   -- statement audit options in effect
DBA_PRIV_AUDIT_OPTS   -- privilege audit options in effect

[NO]AUDIT CREATE SESSION;                                  -- audit (or stop auditing) all logons and logoffs
[NO]AUDIT CREATE TABLE BY SCOTT WHENEVER NOT SUCCESSFUL;   -- only SCOTT's failed attempts
SELECT * FROM DBA_AUDIT_SESSION;                           -- logon/logoff records
DBA_AUDIT_TRAIL                                            -- all audit records

To see which privileges are audited :

SELECT USER_NAME, PRIVILEGE FROM DBA_PRIV_AUDIT_OPTS;
To audit a user's session, for example the tables created by scott :
SQL> AUDIT CREATE TABLE BY SCOTT;
To find unsuccessful logons (CREATE SESSION must be audited first) :
SELECT USERNAME, TERMINAL, TIMESTAMP, LOGOFF_TIME FROM
DBA_AUDIT_TRAIL WHERE RETURNCODE != 0;   (a RETURNCODE of zero is success; a non-zero value is the ORA error number of the failure, e.g. 1017 invalid username/password, 28000 account locked)
EXACT TIMESTAMP : use TO_CHAR(TIMESTAMP, 'mm/dd/yy hh24:mi') in place of the raw TIMESTAMP column
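As an added example (not from the original notes), the audit trail used as a password-guessing detector: the audit options to switch on, the failed-logon query with the RETURNCODE decoded, a per-source failure count, and the failure-then-success pattern that marks a guess that finally worked. It assumes AUDIT_TRAIL=DB is active (after the restart); the thresholds (10 failures, a 60-minute window, a 10-minute follow-up window) are our own choice, and DBA_AUDIT_SESSION and its columns are Oracle's.

```sql
-- Added example (not from the notes): turn the audit trail into a password
-- guessing detector. Assumes AUDIT_TRAIL=DB is in effect. Thresholds (10
-- failures, 60-minute window, 10-minute follow-up) are our own choices.

AUDIT CREATE SESSION;                                   -- every logon, success or not
AUDIT TABLE, ALTER TABLE BY scott;                      -- schema changes by SCOTT
AUDIT ALTER USER, GRANT ANY PRIVILEGE, GRANT ANY ROLE;  -- privilege-escalation paths

-- Failed logons in the last hour, with the reason decoded from RETURNCODE.
SELECT username, os_username, userhost, terminal,
       TO_CHAR(timestamp, 'YYYY-MM-DD HH24:MI:SS') AS at_time,
       returncode,
       CASE returncode
         WHEN 1017  THEN 'invalid username/password'
         WHEN 28000 THEN 'account locked'
         WHEN 28001 THEN 'password expired'
         ELSE 'ORA-' || LPAD(returncode, 5, '0')
       END AS reason
FROM   dba_audit_session
WHERE  returncode <> 0
AND    timestamp > SYSDATE - 1/24
ORDER  BY timestamp DESC;

-- Sources with 10 or more failures in a 60-minute window, and how many distinct
-- accounts they tried: the brute-force / password-spraying signature.
SELECT userhost, os_username,
       COUNT(*)                 AS failures,
       COUNT(DISTINCT username) AS accounts_tried,
       MIN(timestamp)           AS first_seen,
       MAX(timestamp)           AS last_seen
FROM   dba_audit_session
WHERE  returncode <> 0
AND    timestamp > SYSDATE - 1/24
GROUP  BY userhost, os_username
HAVING COUNT(*) >= 10
ORDER  BY failures DESC;

-- A failure followed within 10 minutes by a success for the same account from
-- the same host is the case worth paging on: a guess that eventually worked.
SELECT f.username, f.userhost,
       TO_CHAR(f.timestamp, 'HH24:MI:SS') AS failed_at,
       TO_CHAR(s.timestamp, 'HH24:MI:SS') AS succeeded_at
FROM   dba_audit_session f
JOIN   dba_audit_session s
  ON   s.username = f.username
 AND   s.userhost = f.userhost
 AND   s.returncode = 0
 AND   s.timestamp BETWEEN f.timestamp AND f.timestamp + 10/1440
WHERE  f.returncode <> 0
AND    f.timestamp > SYSDATE - 1
ORDER  BY f.timestamp;
```

A lockout alone (FAILED_LOGIN_ATTEMPTS) stops one account from being guessed; the second query is what catches spraying, where the attacker tries one password against many accounts and never trips the per-account counter.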
Dictionary views for managing users :
DBA_USERS
DBA_PROFILES
DBA_TS_QUOTAS
DBA_SYS_PRIVS
RESOURCE_COST
SESSION_PRIVS
V$SESSION
DBA_STMT_AUDIT_OPTS
DBA_PRIV_AUDIT_OPTS
DBA_AUDIT_SESSION
DBA_AUDIT_TRAIL
