Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated:
1
00:00:01,420 --> 00:00:05,620
In this lesson, we're going to
take a look at database roles.
2
00:00:05,620 --> 00:00:09,610
So a role is very important
to the concept of security,
3
00:00:09,610 --> 00:00:12,940
but particularly from a
manageability perspective.
4
00:00:12,940 --> 00:00:16,850
A role is just a
container for privileges.
5
00:00:16,850 --> 00:00:20,350
So a role contains
privileges, and then users
6
00:00:20,350 --> 00:00:22,450
are assigned roles.
7
00:00:22,450 --> 00:00:26,170
So to look at the importance
of this, let's take an example.
8
00:00:26,170 --> 00:00:30,430
For instance, let's say we
had 100 users in our database
9
00:00:30,430 --> 00:00:33,430
and we had 1,000 tables.
10
00:00:33,430 --> 00:00:38,230
If we had to directly grant
the privileges for 1,000 tables
11
00:00:38,230 --> 00:00:42,100
to 100 different users
using object privileges,
12
00:00:42,100 --> 00:00:43,660
I mean, that's a
lot of scripting.
13
00:00:43,660 --> 00:00:44,990
That's a lot of work.
14
00:00:44,990 --> 00:00:48,670
And it's also a recipe for
disaster to some degree
15
00:00:48,670 --> 00:00:53,880
because, with that many
individual direct grants,
16
00:00:53,880 --> 00:00:57,040
there's room for mistakes,
and so a user may be given
17
00:00:57,040 --> 00:00:59,590
more privileges than they need.
18
00:00:59,590 --> 00:01:01,660
And that's where
roles come into play.
19
00:01:01,660 --> 00:01:04,840
So a role, being a
container for privileges,
20
00:01:04,840 --> 00:01:07,660
is going to be
assigned to a user
21
00:01:07,660 --> 00:01:10,960
based on whatever
their job role is.
22
00:01:10,960 --> 00:01:13,540
So typically speaking,
in any environment,
23
00:01:13,540 --> 00:01:18,410
we can classify database users
into particular job roles,
24
00:01:18,410 --> 00:01:19,340
if you will.
25
00:01:19,340 --> 00:01:20,890
So we have a developer.
26
00:01:20,890 --> 00:01:22,600
We have a project manager.
27
00:01:22,600 --> 00:01:24,460
We have an application user.
28
00:01:24,460 --> 00:01:26,410
We have a database
administrator.
29
00:01:26,410 --> 00:01:29,410
So rather than having
individual grants
30
00:01:29,410 --> 00:01:32,650
tailored for every one of
the people in those roles,
31
00:01:32,650 --> 00:01:36,610
we can create a role that
encapsulates the privileges
32
00:01:36,610 --> 00:01:38,470
that that job needs.
33
00:01:38,470 --> 00:01:41,050
So we might have
a developer role
34
00:01:41,050 --> 00:01:44,440
that has all the privileges that
a developer needs and a project
35
00:01:44,440 --> 00:01:47,620
manager role for the privileges
that a project manager needs
36
00:01:47,620 --> 00:01:49,300
because they're different.
37
00:01:49,300 --> 00:01:51,980
We do need the
separation of security.
38
00:01:51,980 --> 00:01:54,730
We don't want to give
everyone every privilege.
39
00:01:54,730 --> 00:01:56,560
But we also don't want
to be in the business
40
00:01:56,560 --> 00:02:00,280
of having to micromanage
all those individual grants.
41
00:02:00,280 --> 00:02:02,830
And so that's why
roles are so powerful
42
00:02:02,830 --> 00:02:06,190
and really aren't used as often
as they probably should be.
43
00:02:06,190 --> 00:02:10,840
So Oracle has two types of
roles, system roles and user
44
00:02:10,840 --> 00:02:12,550
roles.
45
00:02:12,550 --> 00:02:16,420
So system roles are provided
by the Oracle RDBMS itself.
46
00:02:16,420 --> 00:02:19,690
They're default roles that
exist in the database.
47
00:02:19,690 --> 00:02:23,020
They don't encapsulate
object privileges as much
48
00:02:23,020 --> 00:02:25,550
as they do system privileges.
49
00:02:25,550 --> 00:02:28,600
Now, a user role can have
system privileges or object
50
00:02:28,600 --> 00:02:29,380
privileges.
51
00:02:29,380 --> 00:02:31,690
But by default,
these system roles
52
00:02:31,690 --> 00:02:35,660
generally encapsulate
system-level privileges.
53
00:02:35,660 --> 00:02:38,290
So let's talk about
the main system roles
54
00:02:38,290 --> 00:02:40,390
that Oracle has available.
55
00:02:40,390 --> 00:02:42,100
First is CONNECT.
56
00:02:42,100 --> 00:02:45,340
Now, CONNECT is very deceiving
because, by that name,
57
00:02:45,340 --> 00:02:48,850
you would think that the
CONNECT role just allows a user
58
00:02:48,850 --> 00:02:50,990
to connect to the database.
59
00:02:50,990 --> 00:02:55,180
Unfortunately, it does allow
that with the CREATE SESSION
60
00:02:55,180 --> 00:02:59,900
system privilege, but it
also allows a lot more.
61
00:02:59,900 --> 00:03:03,540
It allows the ability to create
a table, create an index,
62
00:03:03,540 --> 00:03:05,840
and many other database objects.
63
00:03:05,840 --> 00:03:09,700
So the CONNECT system role
should be used very carefully.
64
00:03:09,700 --> 00:03:12,130
And, in fact,
because of the sort
65
00:03:12,130 --> 00:03:15,100
of confusion with that
name, a lot of DBAs
66
00:03:15,100 --> 00:03:17,740
choose not to use
CONNECT at all.
67
00:03:17,740 --> 00:03:22,610
If you want to give the user
the ability to create a session,
68
00:03:22,610 --> 00:03:25,570
then you give them the
CREATE SESSION privilege, not
69
00:03:25,570 --> 00:03:27,250
the CONNECT role.
70
00:03:27,250 --> 00:03:29,380
The next system
role is RESOURCE.
71
00:03:29,380 --> 00:03:35,530
So RESOURCE is additional object
privileges mainly in the PL SQL
72
00:03:35,530 --> 00:03:40,430
range, the ability to create a
procedure, to create a package,
73
00:03:40,430 --> 00:03:42,790
create a function,
those types of things.
74
00:03:42,790 --> 00:03:46,840
Again, RESOURCE is probably
a little too powerful.
75
00:03:46,840 --> 00:03:49,510
It should be pared
down a little bit.
76
00:03:49,510 --> 00:03:51,400
Oracle has acknowledged
the problems
77
00:03:51,400 --> 00:03:53,080
with CONNECT and RESOURCE.
78
00:03:53,080 --> 00:03:56,260
Although they do still exist
for backward compatibility,
79
00:03:56,260 --> 00:03:59,530
they generally persuade
against their use.
80
00:03:59,530 --> 00:04:01,240
The next system role
is the one that's
81
00:04:01,240 --> 00:04:03,140
probably the most
familiar to people,
82
00:04:03,140 --> 00:04:05,550
and that is the DBA role.
83
00:04:05,550 --> 00:04:08,770
DBA role is full admin
rights in the database.
84
00:04:08,770 --> 00:04:12,310
There's very little that a user
that's been granted the DBA
85
00:04:12,310 --> 00:04:14,050
role cannot do.
86
00:04:14,050 --> 00:04:17,290
There are a couple of
things, such as starting up
87
00:04:17,290 --> 00:04:19,960
and shutting down a database,
but for the most part
88
00:04:19,960 --> 00:04:23,300
DBA has full admin
rights in the database.
89
00:04:23,300 --> 00:04:27,700
So if we create a user and
grant them the DBA role,
90
00:04:27,700 --> 00:04:30,910
then they're going to have a
lot of power in that database.
91
00:04:30,910 --> 00:04:34,180
So the DBA role should
be used very sparingly.
92
00:04:34,180 --> 00:04:37,630
However, in my experience,
it is quite the opposite.
93
00:04:37,630 --> 00:04:41,980
Because people know that the
DBA role has full admin rights,
94
00:04:41,980 --> 00:04:45,610
I've often seen a lot of
users being granted the DBA
95
00:04:45,610 --> 00:04:50,470
role because no one wanted to
go through the work involved
96
00:04:50,470 --> 00:04:53,800
in finding out exactly what
privileges the user needed.
97
00:04:53,800 --> 00:04:55,870
You give them the DBA
role, and then they
98
00:04:55,870 --> 00:04:58,450
have no roadblocks to do
anything they need to do.
99
00:04:58,450 --> 00:05:00,850
And that is true,
however, they also
100
00:05:00,850 --> 00:05:04,650
have more admin rights than
they really should have.
101
00:05:04,650 --> 00:05:07,800
The next system role
is SELECT_CATALOG_ROLE,
102
00:05:07,800 --> 00:05:10,620
and this is the role
that you give to a user
103
00:05:10,620 --> 00:05:14,370
when they want to see
data dictionary views.
104
00:05:14,370 --> 00:05:16,530
It used to be that you
would give SELECT ANY
105
00:05:16,530 --> 00:05:19,770
TABLE to a user in order
for them to see the data
106
00:05:19,770 --> 00:05:20,730
dictionary.
107
00:05:20,730 --> 00:05:24,360
In recent versions, Oracle
created the SELECT_CATALOG_ROLE
108
00:05:24,360 --> 00:05:27,690
because they recognized that a
user may need to see the data
109
00:05:27,690 --> 00:05:32,010
dictionary but may not need to
see every table in the database
110
00:05:32,010 --> 00:05:34,980
to be able to select
from every table.
111
00:05:34,980 --> 00:05:37,740
So SELECT_CATALOG_ROLE role
allows the data dictionary
112
00:05:37,740 --> 00:05:39,900
to be viewed by a user.
113
00:05:39,900 --> 00:05:41,860
The lab system role
is a little different.
114
00:05:41,860 --> 00:05:43,110
It's called PUBLIC.
115
00:05:43,110 --> 00:05:46,410
And PUBLIC is sort
of like a super role.
116
00:05:46,410 --> 00:05:49,410
The PUBLIC role
is already a part
117
00:05:49,410 --> 00:05:52,290
of every user that's
connected to the database.
118
00:05:52,290 --> 00:05:55,710
So any privilege
granted to PUBLIC
119
00:05:55,710 --> 00:06:00,090
will be granted, by default,
to any user in the database.
120
00:06:00,090 --> 00:06:02,220
An example of where we
might want to do this
121
00:06:02,220 --> 00:06:03,930
is something like
CREATE SESSION,
122
00:06:03,930 --> 00:06:06,150
a very simple privilege.
123
00:06:06,150 --> 00:06:10,470
If we create a database user,
we may be under the assumption
124
00:06:10,470 --> 00:06:13,740
that any user created
needs to be able to connect
125
00:06:13,740 --> 00:06:14,850
to the database.
126
00:06:14,850 --> 00:06:18,240
So we might grant CREATE
SESSION to PUBLIC,
127
00:06:18,240 --> 00:06:20,870
and, thereby, any user
created in the database
128
00:06:20,870 --> 00:06:24,000
will have the ability to create
a session, nothing more than
129
00:06:24,000 --> 00:06:26,970
that unless we grant
them specific privileges
130
00:06:26,970 --> 00:06:29,160
or grant those
privileges to PUBLIC.
131
00:06:29,160 --> 00:06:32,240
But they would have the
ability to create a session.
132
00:06:32,240 --> 00:06:35,180
The other type of
roles are user roles.
133
00:06:35,180 --> 00:06:37,150
And so those are
created for users.
134
00:06:37,150 --> 00:06:39,980
So these are more specific
to the objects that
135
00:06:39,980 --> 00:06:41,930
are within the database itself.
136
00:06:41,930 --> 00:06:46,050
We use the term RBAC for
Role-Based Access Control.
137
00:06:46,050 --> 00:06:49,910
And this is a very good approach
at administering security
138
00:06:49,910 --> 00:06:53,510
in Oracle database because
it encapsulates privileges
139
00:06:53,510 --> 00:06:56,040
into particular roles.
140
00:06:56,040 --> 00:06:59,990
So let's look at
an example of this.
141
00:06:59,990 --> 00:07:02,310
We have Kara and Scott.
142
00:07:02,310 --> 00:07:06,350
I'm also going to open
a connection to System.
143
00:07:06,350 --> 00:07:10,430
System is going to have the
ability to create these roles.
144
00:07:10,430 --> 00:07:17,370
So when we create a role,
we simply say, create role,
145
00:07:17,370 --> 00:07:19,080
and the role is created.
146
00:07:19,080 --> 00:07:21,900
Now the role is
essentially useless
147
00:07:21,900 --> 00:07:24,240
because it's not been
granted to a user
148
00:07:24,240 --> 00:07:26,170
and it has no privileges.
149
00:07:26,170 --> 00:07:30,880
So let's test some things
out with Kara again.
150
00:07:30,880 --> 00:07:33,910
So Scott's tables
are BONUS and DEPT.
151
00:07:33,910 --> 00:07:37,480
We've dealt with
Kara's access to BONUS.
152
00:07:37,480 --> 00:07:43,160
What if we try to do select
star from scott.dept?
153
00:07:43,160 --> 00:07:45,930
We get table or
view does not exist.
154
00:07:45,930 --> 00:07:48,340
How about EMP?
155
00:07:48,340 --> 00:07:50,030
Again, table or
view does not exist.
156
00:07:50,030 --> 00:07:55,630
So Kara doesn't have access to
Scott's tables DEPT and EMP.
157
00:07:55,630 --> 00:07:57,400
Now, we could give
her direct grants,
158
00:07:57,400 --> 00:07:59,650
but then we're starting to
go down the road that we've
159
00:07:59,650 --> 00:08:02,650
discussed of having all those
different individual grants
160
00:08:02,650 --> 00:08:04,180
that need to be managed.
161
00:08:04,180 --> 00:08:05,950
We already have a role here.
162
00:08:05,950 --> 00:08:07,930
Let's grant some
privileges to the role.
163
00:08:10,620 --> 00:08:12,390
But we don't grant them to Kara.
164
00:08:12,390 --> 00:08:16,500
We grant them to
the role, similarly.
165
00:08:19,770 --> 00:08:24,830
So now select privilege on the
DEPT table in the Scott schema
166
00:08:24,830 --> 00:08:28,220
has been granted to the
role called new_role.
167
00:08:28,220 --> 00:08:30,700
So let's try this again.
168
00:08:30,700 --> 00:08:32,390
Again, we get the same failure.
169
00:08:32,390 --> 00:08:33,220
Why?
170
00:08:33,220 --> 00:08:36,130
Because even though we've
granted them to the role,
171
00:08:36,130 --> 00:08:39,190
we haven't granted
that role to Kara.
172
00:08:39,190 --> 00:08:42,070
So we have to make the
individual grants to the role,
173
00:08:42,070 --> 00:08:44,530
and we have to grant
the role to the user.
174
00:08:44,530 --> 00:08:49,840
We'll grant new_role to Kara.
175
00:08:49,840 --> 00:08:53,720
And now, if Kara selects,
table or view does not exist.
176
00:08:59,340 --> 00:09:02,100
We're going to right-click
on Kara's connection
177
00:09:02,100 --> 00:09:04,580
and open a new connection here.
178
00:09:07,480 --> 00:09:09,520
We have a problem
with this, and this
179
00:09:09,520 --> 00:09:12,650
is sort of a bug in SQL
Developer, if you will.
180
00:09:12,650 --> 00:09:17,980
So let's try to verify that
this role in fact does work.
181
00:09:17,980 --> 00:09:22,510
Let's go ahead and close
out Kara's session.
182
00:09:22,510 --> 00:09:26,980
We're going to click Disconnect.
183
00:09:26,980 --> 00:09:30,790
And we'll allow Commit
Changes and reconnect.
184
00:09:33,560 --> 00:09:37,520
And you can see that we
have given the role to Kara,
185
00:09:37,520 --> 00:09:41,250
but SQL Developer
required us to reconnect.
186
00:09:41,250 --> 00:09:45,770
Now, if this was an
application or SQL*Plus,
187
00:09:45,770 --> 00:09:50,420
it does not require that, and
that is a bug in SQL Developer.
188
00:09:50,420 --> 00:09:53,720
So we want to demonstrate that,
because if you attempt this
189
00:09:53,720 --> 00:09:55,470
yourself, you will see that.
190
00:09:55,470 --> 00:10:00,330
But in fact, Kara does have that
access through that role now.
191
00:10:00,330 --> 00:10:03,320
And we can also look
at another one that
192
00:10:03,320 --> 00:10:06,530
was granted through
the role to see
193
00:10:06,530 --> 00:10:10,640
that, in granting privileges
to the role and then the role
194
00:10:10,640 --> 00:10:14,740
to the user, we're achieving
role-based security.
15987
Can't find what you're looking for?
Get subtitles in any language from opensubtitles.com, and translate them here.