22 Managing Users and Securing the Database

This chapter briefly discusses the creation and management of database users, with special attention to the importance of establishing security policies to protect your database, and provides cross-references to the appropriate security documentation.

The following topics are contained in this chapter:

The Importance of Establishing a Security Policy for Your Database

It is important to develop a security policy for every database. The security policy establishes methods for protecting your database from accidental or malicious destruction of data or damage to the database infrastructure.

Each database can have an administrator, referred to as the security administrator, who is responsible for implementing and maintaining the database security policy If the database system is small, the database administrator can have the responsibilities of the security administrator. However, if the database system is large, a designated person or group of people may have sole responsibility as security administrator.

For information about establishing security policies for your database, see Oracle Database Security Guide.

Managing Users and Resources

To connect to the database, each user must specify a valid user name that has been previously defined to the database. An account must have been established for the user, with information about the user being stored in the data dictionary.

When you create a database user (account), you specify the following attributes of the user:

  • User name

  • Authentication method

  • Default tablespace

  • Temporary tablespace

  • Other tablespaces and quotas

  • User profile

To learn how to create and manage users, see Oracle Database Security Guide.

Managing User Privileges and Roles

Privileges and roles are used to control user access to data and the types of SQL statements that can be executed. The table that follows describes the three types of privileges and roles:

Type Description
System privilege A system-defined privilege usually granted only by administrators. These privileges allow users to perform specific database operations.
Object privilege A system-defined privilege that controls access to a specific object.
Role A collection of privileges and other roles. Some system-defined roles exist, but most are created by administrators. Roles group together privileges and other roles, which facilitates the granting of multiple privileges and roles to users.

Privileges and roles can be granted to other users by users who have been granted the privilege to do so. The granting of roles and privileges starts at the administrator level. At database creation, the administrative user SYS is created and granted all system privileges and predefined Oracle Database roles. User SYS can then grant privileges and roles to other users, and also grant those users the right to grant specific privileges to others.

To learn how to administer privileges and roles for users, see Oracle Database Security Guide.

Auditing Database Use

You can monitor and record selected user database actions, including those done by administrators. There are several reasons why you might want to implement database auditing. These, and descriptions of the types of auditing available to you, are described in Oracle Database Security Guide.

The Oracle Database Security Guide includes directions for enabling and configuring database auditing.