Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,420 --> 00:00:05,620 In this lesson, we're going to take a look at database roles. 2 00:00:05,620 --> 00:00:09,610 So a role is very important to the concept of security, 3 00:00:09,610 --> 00:00:12,940 but particularly from a manageability perspective. 4 00:00:12,940 --> 00:00:16,850 A role is just a container for privileges. 5 00:00:16,850 --> 00:00:20,350 So a role contains privileges, and then users 6 00:00:20,350 --> 00:00:22,450 are assigned roles. 7 00:00:22,450 --> 00:00:26,170 So to look at the importance of this, let's take an example. 8 00:00:26,170 --> 00:00:30,430 For instance, let's say we had 100 users in our database 9 00:00:30,430 --> 00:00:33,430 and we had 1,000 tables. 10 00:00:33,430 --> 00:00:38,230 If we had to directly grant the privileges for 1,000 tables 11 00:00:38,230 --> 00:00:42,100 to 100 different users using object privileges, 12 00:00:42,100 --> 00:00:43,660 I mean, that's a lot of scripting. 13 00:00:43,660 --> 00:00:44,990 That's a lot of work. 14 00:00:44,990 --> 00:00:48,670 And it's also a recipe for disaster to some degree 15 00:00:48,670 --> 00:00:53,880 because, with that many individual direct grants, 16 00:00:53,880 --> 00:00:57,040 there's room for mistakes, and so a user may be given 17 00:00:57,040 --> 00:00:59,590 more privileges than they need. 18 00:00:59,590 --> 00:01:01,660 And that's where roles come into play. 19 00:01:01,660 --> 00:01:04,840 So a role, being a container for privileges, 20 00:01:04,840 --> 00:01:07,660 is going to be assigned to a user 21 00:01:07,660 --> 00:01:10,960 based on whatever their job role is. 22 00:01:10,960 --> 00:01:13,540 So typically speaking, in any environment, 23 00:01:13,540 --> 00:01:18,410 we can classify database users into particular job roles, 24 00:01:18,410 --> 00:01:19,340 if you will. 25 00:01:19,340 --> 00:01:20,890 So we have a developer. 26 00:01:20,890 --> 00:01:22,600 We have a project manager. 27 00:01:22,600 --> 00:01:24,460 We have an application user. 28 00:01:24,460 --> 00:01:26,410 We have a database administrator. 29 00:01:26,410 --> 00:01:29,410 So rather than having individual grants 30 00:01:29,410 --> 00:01:32,650 tailored for every one of the people in those roles, 31 00:01:32,650 --> 00:01:36,610 we can create a role that encapsulates the privileges 32 00:01:36,610 --> 00:01:38,470 that that job needs. 33 00:01:38,470 --> 00:01:41,050 So we might have a developer role 34 00:01:41,050 --> 00:01:44,440 that has all the privileges that a developer needs and a project 35 00:01:44,440 --> 00:01:47,620 manager role for the privileges that a project manager needs 36 00:01:47,620 --> 00:01:49,300 because they're different. 37 00:01:49,300 --> 00:01:51,980 We do need the separation of security. 38 00:01:51,980 --> 00:01:54,730 We don't want to give everyone every privilege. 39 00:01:54,730 --> 00:01:56,560 But we also don't want to be in the business 40 00:01:56,560 --> 00:02:00,280 of having to micromanage all those individual grants. 41 00:02:00,280 --> 00:02:02,830 And so that's why roles are so powerful 42 00:02:02,830 --> 00:02:06,190 and really aren't used as often as they probably should be. 43 00:02:06,190 --> 00:02:10,840 So Oracle has two types of roles, system roles and user 44 00:02:10,840 --> 00:02:12,550 roles. 45 00:02:12,550 --> 00:02:16,420 So system roles are provided by the Oracle RDBMS itself. 46 00:02:16,420 --> 00:02:19,690 They're default roles that exist in the database. 47 00:02:19,690 --> 00:02:23,020 They don't encapsulate object privileges as much 48 00:02:23,020 --> 00:02:25,550 as they do system privileges. 49 00:02:25,550 --> 00:02:28,600 Now, a user role can have system privileges or object 50 00:02:28,600 --> 00:02:29,380 privileges. 51 00:02:29,380 --> 00:02:31,690 But by default, these system roles 52 00:02:31,690 --> 00:02:35,660 generally encapsulate system-level privileges. 53 00:02:35,660 --> 00:02:38,290 So let's talk about the main system roles 54 00:02:38,290 --> 00:02:40,390 that Oracle has available. 55 00:02:40,390 --> 00:02:42,100 First is CONNECT. 56 00:02:42,100 --> 00:02:45,340 Now, CONNECT is very deceiving because, by that name, 57 00:02:45,340 --> 00:02:48,850 you would think that the CONNECT role just allows a user 58 00:02:48,850 --> 00:02:50,990 to connect to the database. 59 00:02:50,990 --> 00:02:55,180 Unfortunately, it does allow that with the CREATE SESSION 60 00:02:55,180 --> 00:02:59,900 system privilege, but it also allows a lot more. 61 00:02:59,900 --> 00:03:03,540 It allows the ability to create a table, create an index, 62 00:03:03,540 --> 00:03:05,840 and many other database objects. 63 00:03:05,840 --> 00:03:09,700 So the CONNECT system role should be used very carefully. 64 00:03:09,700 --> 00:03:12,130 And, in fact, because of the sort 65 00:03:12,130 --> 00:03:15,100 of confusion with that name, a lot of DBAs 66 00:03:15,100 --> 00:03:17,740 choose not to use CONNECT at all. 67 00:03:17,740 --> 00:03:22,610 If you want to give the user the ability to create a session, 68 00:03:22,610 --> 00:03:25,570 then you give them the CREATE SESSION privilege, not 69 00:03:25,570 --> 00:03:27,250 the CONNECT role. 70 00:03:27,250 --> 00:03:29,380 The next system role is RESOURCE. 71 00:03:29,380 --> 00:03:35,530 So RESOURCE is additional object privileges mainly in the PL SQL 72 00:03:35,530 --> 00:03:40,430 range, the ability to create a procedure, to create a package, 73 00:03:40,430 --> 00:03:42,790 create a function, those types of things. 74 00:03:42,790 --> 00:03:46,840 Again, RESOURCE is probably a little too powerful. 75 00:03:46,840 --> 00:03:49,510 It should be pared down a little bit. 76 00:03:49,510 --> 00:03:51,400 Oracle has acknowledged the problems 77 00:03:51,400 --> 00:03:53,080 with CONNECT and RESOURCE. 78 00:03:53,080 --> 00:03:56,260 Although they do still exist for backward compatibility, 79 00:03:56,260 --> 00:03:59,530 they generally persuade against their use. 80 00:03:59,530 --> 00:04:01,240 The next system role is the one that's 81 00:04:01,240 --> 00:04:03,140 probably the most familiar to people, 82 00:04:03,140 --> 00:04:05,550 and that is the DBA role. 83 00:04:05,550 --> 00:04:08,770 DBA role is full admin rights in the database. 84 00:04:08,770 --> 00:04:12,310 There's very little that a user that's been granted the DBA 85 00:04:12,310 --> 00:04:14,050 role cannot do. 86 00:04:14,050 --> 00:04:17,290 There are a couple of things, such as starting up 87 00:04:17,290 --> 00:04:19,960 and shutting down a database, but for the most part 88 00:04:19,960 --> 00:04:23,300 DBA has full admin rights in the database. 89 00:04:23,300 --> 00:04:27,700 So if we create a user and grant them the DBA role, 90 00:04:27,700 --> 00:04:30,910 then they're going to have a lot of power in that database. 91 00:04:30,910 --> 00:04:34,180 So the DBA role should be used very sparingly. 92 00:04:34,180 --> 00:04:37,630 However, in my experience, it is quite the opposite. 93 00:04:37,630 --> 00:04:41,980 Because people know that the DBA role has full admin rights, 94 00:04:41,980 --> 00:04:45,610 I've often seen a lot of users being granted the DBA 95 00:04:45,610 --> 00:04:50,470 role because no one wanted to go through the work involved 96 00:04:50,470 --> 00:04:53,800 in finding out exactly what privileges the user needed. 97 00:04:53,800 --> 00:04:55,870 You give them the DBA role, and then they 98 00:04:55,870 --> 00:04:58,450 have no roadblocks to do anything they need to do. 99 00:04:58,450 --> 00:05:00,850 And that is true, however, they also 100 00:05:00,850 --> 00:05:04,650 have more admin rights than they really should have. 101 00:05:04,650 --> 00:05:07,800 The next system role is SELECT_CATALOG_ROLE, 102 00:05:07,800 --> 00:05:10,620 and this is the role that you give to a user 103 00:05:10,620 --> 00:05:14,370 when they want to see data dictionary views. 104 00:05:14,370 --> 00:05:16,530 It used to be that you would give SELECT ANY 105 00:05:16,530 --> 00:05:19,770 TABLE to a user in order for them to see the data 106 00:05:19,770 --> 00:05:20,730 dictionary. 107 00:05:20,730 --> 00:05:24,360 In recent versions, Oracle created the SELECT_CATALOG_ROLE 108 00:05:24,360 --> 00:05:27,690 because they recognized that a user may need to see the data 109 00:05:27,690 --> 00:05:32,010 dictionary but may not need to see every table in the database 110 00:05:32,010 --> 00:05:34,980 to be able to select from every table. 111 00:05:34,980 --> 00:05:37,740 So SELECT_CATALOG_ROLE role allows the data dictionary 112 00:05:37,740 --> 00:05:39,900 to be viewed by a user. 113 00:05:39,900 --> 00:05:41,860 The lab system role is a little different. 114 00:05:41,860 --> 00:05:43,110 It's called PUBLIC. 115 00:05:43,110 --> 00:05:46,410 And PUBLIC is sort of like a super role. 116 00:05:46,410 --> 00:05:49,410 The PUBLIC role is already a part 117 00:05:49,410 --> 00:05:52,290 of every user that's connected to the database. 118 00:05:52,290 --> 00:05:55,710 So any privilege granted to PUBLIC 119 00:05:55,710 --> 00:06:00,090 will be granted, by default, to any user in the database. 120 00:06:00,090 --> 00:06:02,220 An example of where we might want to do this 121 00:06:02,220 --> 00:06:03,930 is something like CREATE SESSION, 122 00:06:03,930 --> 00:06:06,150 a very simple privilege. 123 00:06:06,150 --> 00:06:10,470 If we create a database user, we may be under the assumption 124 00:06:10,470 --> 00:06:13,740 that any user created needs to be able to connect 125 00:06:13,740 --> 00:06:14,850 to the database. 126 00:06:14,850 --> 00:06:18,240 So we might grant CREATE SESSION to PUBLIC, 127 00:06:18,240 --> 00:06:20,870 and, thereby, any user created in the database 128 00:06:20,870 --> 00:06:24,000 will have the ability to create a session, nothing more than 129 00:06:24,000 --> 00:06:26,970 that unless we grant them specific privileges 130 00:06:26,970 --> 00:06:29,160 or grant those privileges to PUBLIC. 131 00:06:29,160 --> 00:06:32,240 But they would have the ability to create a session. 132 00:06:32,240 --> 00:06:35,180 The other type of roles are user roles. 133 00:06:35,180 --> 00:06:37,150 And so those are created for users. 134 00:06:37,150 --> 00:06:39,980 So these are more specific to the objects that 135 00:06:39,980 --> 00:06:41,930 are within the database itself. 136 00:06:41,930 --> 00:06:46,050 We use the term RBAC for Role-Based Access Control. 137 00:06:46,050 --> 00:06:49,910 And this is a very good approach at administering security 138 00:06:49,910 --> 00:06:53,510 in Oracle database because it encapsulates privileges 139 00:06:53,510 --> 00:06:56,040 into particular roles. 140 00:06:56,040 --> 00:06:59,990 So let's look at an example of this. 141 00:06:59,990 --> 00:07:02,310 We have Kara and Scott. 142 00:07:02,310 --> 00:07:06,350 I'm also going to open a connection to System. 143 00:07:06,350 --> 00:07:10,430 System is going to have the ability to create these roles. 144 00:07:10,430 --> 00:07:17,370 So when we create a role, we simply say, create role, 145 00:07:17,370 --> 00:07:19,080 and the role is created. 146 00:07:19,080 --> 00:07:21,900 Now the role is essentially useless 147 00:07:21,900 --> 00:07:24,240 because it's not been granted to a user 148 00:07:24,240 --> 00:07:26,170 and it has no privileges. 149 00:07:26,170 --> 00:07:30,880 So let's test some things out with Kara again. 150 00:07:30,880 --> 00:07:33,910 So Scott's tables are BONUS and DEPT. 151 00:07:33,910 --> 00:07:37,480 We've dealt with Kara's access to BONUS. 152 00:07:37,480 --> 00:07:43,160 What if we try to do select star from scott.dept? 153 00:07:43,160 --> 00:07:45,930 We get table or view does not exist. 154 00:07:45,930 --> 00:07:48,340 How about EMP? 155 00:07:48,340 --> 00:07:50,030 Again, table or view does not exist. 156 00:07:50,030 --> 00:07:55,630 So Kara doesn't have access to Scott's tables DEPT and EMP. 157 00:07:55,630 --> 00:07:57,400 Now, we could give her direct grants, 158 00:07:57,400 --> 00:07:59,650 but then we're starting to go down the road that we've 159 00:07:59,650 --> 00:08:02,650 discussed of having all those different individual grants 160 00:08:02,650 --> 00:08:04,180 that need to be managed. 161 00:08:04,180 --> 00:08:05,950 We already have a role here. 162 00:08:05,950 --> 00:08:07,930 Let's grant some privileges to the role. 163 00:08:10,620 --> 00:08:12,390 But we don't grant them to Kara. 164 00:08:12,390 --> 00:08:16,500 We grant them to the role, similarly. 165 00:08:19,770 --> 00:08:24,830 So now select privilege on the DEPT table in the Scott schema 166 00:08:24,830 --> 00:08:28,220 has been granted to the role called new_role. 167 00:08:28,220 --> 00:08:30,700 So let's try this again. 168 00:08:30,700 --> 00:08:32,390 Again, we get the same failure. 169 00:08:32,390 --> 00:08:33,220 Why? 170 00:08:33,220 --> 00:08:36,130 Because even though we've granted them to the role, 171 00:08:36,130 --> 00:08:39,190 we haven't granted that role to Kara. 172 00:08:39,190 --> 00:08:42,070 So we have to make the individual grants to the role, 173 00:08:42,070 --> 00:08:44,530 and we have to grant the role to the user. 174 00:08:44,530 --> 00:08:49,840 We'll grant new_role to Kara. 175 00:08:49,840 --> 00:08:53,720 And now, if Kara selects, table or view does not exist. 176 00:08:59,340 --> 00:09:02,100 We're going to right-click on Kara's connection 177 00:09:02,100 --> 00:09:04,580 and open a new connection here. 178 00:09:07,480 --> 00:09:09,520 We have a problem with this, and this 179 00:09:09,520 --> 00:09:12,650 is sort of a bug in SQL Developer, if you will. 180 00:09:12,650 --> 00:09:17,980 So let's try to verify that this role in fact does work. 181 00:09:17,980 --> 00:09:22,510 Let's go ahead and close out Kara's session. 182 00:09:22,510 --> 00:09:26,980 We're going to click Disconnect. 183 00:09:26,980 --> 00:09:30,790 And we'll allow Commit Changes and reconnect. 184 00:09:33,560 --> 00:09:37,520 And you can see that we have given the role to Kara, 185 00:09:37,520 --> 00:09:41,250 but SQL Developer required us to reconnect. 186 00:09:41,250 --> 00:09:45,770 Now, if this was an application or SQL*Plus, 187 00:09:45,770 --> 00:09:50,420 it does not require that, and that is a bug in SQL Developer. 188 00:09:50,420 --> 00:09:53,720 So we want to demonstrate that, because if you attempt this 189 00:09:53,720 --> 00:09:55,470 yourself, you will see that. 190 00:09:55,470 --> 00:10:00,330 But in fact, Kara does have that access through that role now. 191 00:10:00,330 --> 00:10:03,320 And we can also look at another one that 192 00:10:03,320 --> 00:10:06,530 was granted through the role to see 193 00:10:06,530 --> 00:10:10,640 that, in granting privileges to the role and then the role 194 00:10:10,640 --> 00:10:14,740 to the user, we're achieving role-based security. 15987