Oracle Enterprise Manager Administrator's Guide 
Release 1.6 
A63731-01
 

9
Managing Database Security

This chapter describes how to use Security Manager to control database security. With Security Manager, you can manage users, roles, and profiles. This chapter assumes that you have read Chapter 7, "Overview of the Database Tools" and are familiar with the interface elements of the database tools. The topics in this chapter are:

Starting Security Manager

To start Security Manager, click the Security icon in the Launch Palette or choose Security Manager from the Console Tools menu.

Note:

You can change the database connection with the Change Database Connection option in the File menu. For more information, see Application Menus on page 7-10.

After Security Manager has successfully connected to a database, the Users, Roles, and Profiles folders display in a tree list on the left side of the Security window. These folders are located in the database folder which displays the name of the database that the application is connected to.

Figure 9-1 Security Manager

 

The display on the right side of the window is determined by the object selected on the left side of the screen. The right side may contain a multi-column list, property sheet, or other information. An example of a Security Manager window is shown in Figure 9-1, "Security Manager".

Refer to the following sections:

Security Manager Menus

Security Manager includes the standard menus, File, View, Log, and Help, plus the User, Profile, and Role menus. The options for each of these menus are described in this chapter. For information on the standard menus, see Application Menus on page 7-10.

Context-sensitive menus may also be active when you press the right mouse button to select a specific object from the tree list or the multi-column list. This feature provides quick access to a subset of the menu options provided in the menu bars.

User Menu

The User menu contains the following menu options:

Create

Creates a new user.

Create Like

Creates a new user based on the selected user in the tree list.

Remove

Deletes the selected user from the tree list.

Revoke Privilege

Removes a selected privilege or role.

Show Dependencies

Displays database objects that rely on a selected user and any objects that the selected user relies on.

Add Privileges to User

Adds multiple privileges to one or more users.

Change Account Status (Oracle 8)

Unlock: Unlocks the user's account and enables access to the account.

Lock: Locks the user's account and disables access to the account.

Expire: Expires the user password.

Role Menu

The Role menu contains the following menu options:

Create

Creates a new role.

Create Like

Creates a new role based on the selected role.

Remove

Deletes the selected role.

Revoke Privilege

Removes a privilege or role from a role.

Show Dependencies

Displays database objects that rely on a selected role and any objects that the selected role relies on.

Add Privileges to Roles

Adds privileges or roles to roles.

Note: These menu options are enabled depending on the object selected.

Profile Menu

The Profile menu contains the following menu options:

Create

Creates a new profile.

Create Like

Creates a new profile that is based on the selected profile.

Remove

Deletes the selected profile.

Show Dependencies

Displays database objects that rely on a selected profile and any objects that the selected profile relies on.

Assign Profile to Users

Assigns a profile to a specific user.

Note: These menu options are enabled depending on the object selected in the tree list.

Security Manager Objects and Folders

The objects in the tree list are identified by various icons. In the listing:

Attention:

Roles, Object Privileges, and System Privileges icons appear with a key overlay if these objects have been granted using the Admin option/Grant option.

Users Folder

The User object type folder contains information about the users in the database arranged alphabetically in a tree structure. An individual user can be expanded to show the roles, system privileges, and object privileges granted to the user.

When you select:

For more information about users, see the Oracle Server Concepts, the Oracle Server Administrator's Guide, and the Oracle Server SQL Reference.

Users Multi-Column List

A Users multi-column list displays when a User folder is selected in the tree list. The list contains a row of summary information for each of the users in the Users folder.

If you select an individual User icon, and that icon is also on the main branch of the Database folder, the columns of the multi-column list summarize all information from the General page of the Create User property sheet. For more information on these columns, see the description of the Create User property sheet in Creating a User on page 9-8.

Suggestion: If a multi-column list is wider than its window display area, you can increase the viewing area by resizing the application window or dragging the splitter between the left and right sections of the window.

Creating a User

To create a new user:

  1. Choose Create from the User menu. The Create User property sheet appears.
  2. Fill in the appropriate property sheet information.
  3. Click the Create button after specifying the requisite parameters.

The Create User property sheet consists of the following pages when in Advanced mode:

Create User Property Sheet: General Page

The General page allows you to specify a user's name (when creating a new user), their default profile, authentication method, and the default tablespace. The Create User property sheet contains the following:

Name

The name of the user to be created. Enter the name of the new user. The username can only contain characters from your database character set and can be at most 30 bytes long.

Profile

The profile assigned to the user. Use the drop-down list to choose the profile you want to assign to the user. The DEFAULT profile is assigned if you do not make a selection.

Authentication

The method Oracle uses to authenticate the user.

Global: Specifies that the user be identified globally amongst multiple databases. The global authorization option is only available with Oracle 8 databases.

External: Specifies that the operating system verify the user.

Password: Specifies that a password be required for login. Enter the password in the adjacent text entry field. Enter the password again in the Confirm text entry field for verification.

Expire Now: Forces the user's password to expire immediately. If you create a new user with this option selected, the user's password must be changed during the first attempted login. This feature is available for Oracle8 databases only.

Tablespaces

The user's default and temporary tablespaces.

Default: Use the drop-down list to choose the default tablespace for user-created objects.

Temporary: Use the drop-down list to choose the tablespace for the user's temporary segments.

Status (Oracle 8 only)

Active status of the user's account.

Lock: Locks the user's account and prevents further access.

Unlock: Unlocks the user's account and enables access to the account.

Create User Property Sheet: Roles/Privileges Page

On the Privileges page of the Create User property sheet, you can specify the system privileges and roles assigned to the user. The Privileges page contains the following:

Privilege Type

A drop-down list containing System Privileges and Roles. Your selection in the drop-down list determines what is displayed on the rest of the page.

Available

List of roles or system privileges available for assignment to a user.

Roles: If you selected Roles as the privilege type, the roles that you are allowed to grant to a user display in a scrolling list. These are roles you have created and roles you have been granted with the Admin Option.

Roles that you add to the user are assigned as default roles unless you change the specification by clicking on the role's entry in the Default column.

You must add the roles with the Admin Option in a separate operation from the roles you want to add without the Admin Option.

Note:

When you grant the DBA and RESOURCE roles to a user or role with Oracle7 release 7.2.2 or later, the user or role is also granted the UNLIMITED TABLESPACE system privilege. When you revoke either role from a user or role, the UNLIMITED TABLESPACE system privilege is also revoked. The UNLIMITED TABLESPACE privilege can also be revoked independently of the DBA and RESOURCE roles.

System Privileges: If you select System Privileges as the privilege type, system privileges that you are able to grant to a user display in a scrolling list. These are the system privileges that you have been granted with the Admin Option. If you have the GRANT ANY PRIVILEGE system privilege, all privileges are listed. Select the privileges that you want to add to the user.

Attention:

If you want to grant the Admin or Grant option of a current privilege or role, you must add the privilege or role with Admin or Grant option specified as you want.

Up and Down Arrows

Up Arrow adds roles or system privileges that are selected in the Available list to the Granted spreadsheet.

Down Arrow removes roles or system privileges that are selected in the Granted spreadsheet.

Granted

An editable spreadsheet displaying roles or system privileges assigned to a user. New additions (selected but not yet applied) are identified by a hand with a plus sign. When creating a user, the spreadsheet consists of three columns:

System Privilege or Role: Name of the role or system privilege.

Admin Option: When checked, allows the user to grant the system privileges to other users or roles. By default, Admin Option is disabled. You enable the Admin Option by clicking on the spreadsheet entry. In this case, the "X" becomes a check.

Default: (Users property sheet only): When checked, establishes the role as a default for the user upon system logon.

When creating a Role, this spreadsheet consists of two columns: System Privilege or Role and Admin Option.

Create User Property Sheet: Object Privileges Page

The Object Privileges page, available in Advanced UI mode, allows you to grant or revoke privileges for a specific user on schema objects. This page contains the following:

Objects

A tree listing of schemas in the database and objects in the schemas displays in the Object window. Click on the '+' to the left of a folder icon to display the object types contained in the schema, then click on the '+' to the left of the object type to display the actual objects.

Select the object from the tree list that you want to grant privileges for. After the object is selected, the available privileges for the object are displayed to the right in the Available Privileges scrolling list.

You can grant an object privilege that you have been granted with the Grant Option. If you are the owner of the object, you can grant all privileges on the object. Select the privileges you want to grant for the selected object. The scrolling list includes the privileges you can grant on this object.

Click the Grant Option box to allow the user to grant the object privilege to other users and roles.

Click the Add button to add the selected object privileges to the user.

Available Privileges

Displays privileges available for the schema object selected in the tree list.

Up and Down Arrows

Down Arrow adds privileges that are selected in the Available Privileges list to the Granted Object Privileges spreadsheet.

Up Arrow removes privileges that are selected in the Granted Object Privileges spreadsheet.

Granted Object Privileges

An editable spreadsheet displaying object privileges to be made available to a user. New additions (selected but not yet applied) are identified by a hand with a plus sign.

When creating a new user, the spreadsheet consists of two columns indicating the name of the object privilege and whether or not the Grant Option is specified for that privilege.

When enabled, the Grant Option allows the user to grant the specific object privilege to other users and roles. By default, this option is disabled. To enable the grant option, click on the specific spreadsheet entry. The "X" is replaced with a check.

When creating a role, the spreadsheet consists of a single Object Privilege column.

Create User Property Sheet: Quotas Page

On the Quotas page of the Create User property sheet, you can specify the tablespaces in which the user can allocate space and the maximum amount of space the user can allocate within each tablespace. This page is available in Advanced mode. The Quotas page contains the following items:

Quota Details

Scrolling list of the tablespaces in the database and the maximum amount of space the user has been allowed in each tablespace. The list can be sorted on the Tablespace or Quota Size column.

To specify a quota size for a tablespace, select the tablespace in the scrolling list and specify a quota size by clicking on the None, Unlimited, or Value button.

None

Click None if you do not want the user to have any quota on the selected tablespace.

Unlimited

To specify an unlimited quota for the tablespace, click the Unlimited button. With an unlimited quota, the user can allocate an unbounded amount of space in the tablespace.

Value

To specify a specific quota, click Value and enter a quota value in the adjacent text entry field. Select the K or M button to specify Kilobytes or Megabytes.

Note:

If the user has been granted the UNLIMITED TABLESPACE System Privilege, the Quota Details option is disabled.
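The settings on the Create User property sheet pages correspond to Oracle SQL statements that can be run from the SQL Worksheet. The following is an added example, not taken from the original guide; the user CLERK_APP, the tablespaces USERS and TEMP, the password, and the table SCOTT.EMP are assumed names chosen for illustration.

```sql
-- Added example. CLERK_APP, USERS, TEMP and SCOTT.EMP are assumed names.

-- General page: name, profile, password authentication, tablespaces, status.
-- Quotas page: "Value" maps to QUOTA n K|M, "Unlimited" to QUOTA UNLIMITED,
-- and "None" to having no QUOTA clause for that tablespace.
CREATE USER clerk_app
  IDENTIFIED BY Chg_Me_1st_Login     -- placeholder password
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 10M ON users
  PROFILE default                    -- used anyway when no profile is chosen
  PASSWORD EXPIRE                    -- "Expire Now" (Oracle8 only)
  ACCOUNT UNLOCK;                    -- Status (Oracle8 only)

-- Roles/Privileges page: a system privilege and a role, no Admin Option.
GRANT CREATE SESSION, resource TO clerk_app;

-- Granting RESOURCE also grants UNLIMITED TABLESPACE, which makes the quota
-- above ineffective. Revoking it on its own restores quota enforcement.
REVOKE UNLIMITED TABLESPACE FROM clerk_app;

-- Object Privileges page: WITH GRANT OPTION applies to every privilege named
-- in the statement, so grants with and without it are separate statements.
GRANT SELECT ON scott.emp TO clerk_app;
GRANT INSERT ON scott.emp TO clerk_app WITH GRANT OPTION;

-- Default column on the Granted spreadsheet: which roles are enabled at logon.
ALTER USER clerk_app DEFAULT ROLE resource;
```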

Create Like User

To create a new user with the same attributes as an existing user:

  1. Choose Create Like from the User menu. The Create User property sheet appears with all parameters specified except the Name.
  2. Modify any property sheet parameter for the new user as necessary.
  3. Click Create.

You can also perform this operation by selecting a user from the tree list and then choosing the Create Like menu option. You must enter the name of the new user and enter a new password if the Password button is selected.

The format and content of the Create Like property sheet is identical to the Create User property sheet. Refer to Creating a User on page 9-8 for information about the property sheet.

Altering a User

To change the characteristics of a user:

  1. Select the user from the tree list to display the user details property sheet.
  2. Modify the property sheet parameters as necessary.
  3. Click Apply.

You can also display the Quick Edit property sheet by selecting a user from the multi-column list and choosing Quick Edit from the context-sensitive menu. The Quick Edit property sheet is identical to the details property sheet.

The details/Quick Edit property sheet is identical in format and content to the Create User property sheet except that the name field is read-only. See Creating a User on page 9-8 for information about the property sheet.

Suggestion: If you want to add privileges or roles to multiple users, use the Add Privileges and Roles to Users menu item. See Adding Privileges or Roles to Users on page 9-15.

Attention: If you alter an object, such as a user named DAVE or a role named CLERK, in any location of the tree list, all instances of the object in the tree are changed.

Removing a User

If you no longer need a particular user in your database, you can remove the user by selecting the user to be dropped from the Users folder in the tree list and choosing Remove from the User menu. The Remove User alert box appears.

The Remove User alert box indicates if the user still owns any objects. If you remove a user who owns objects, Security Manager:

Adding Privileges or Roles to Users

To add multiple roles and grant multiple system or object privileges to users:

  1. Choose Add Privileges to Users from the User menu or one of the context-sensitive menus. The Add Privileges to Users dialog box displays with a scrolling list of users in the top half of the dialog box.
  2. Select the users in the list that you want to add privileges or roles to.
  3. Select Roles, System Privileges, or Object Privileges from the Privilege Type drop-down list. The display in the bottom half of the dialog box varies according to your selection.
  4. Click OK to commit the changes you have made. For details on the dialog box command buttons, see Dialog Boxes on page 7-15.

Roles

If you selected Roles, the roles that you can grant to a user display in a scrolling list. These are roles you have created and roles you have been granted with the Admin Option. If you have the GRANT ANY ROLE system privilege, all roles are listed.

Select the roles that you want to add to the selected users.

Attention: The roles that you add to the users are assigned as default roles unless you change the specification on the Default Roles page of the Alter property sheet of each user.

Click the With Admin Option box to allow the user to grant the role to other users or roles. If you grant a role with the Admin Option, the user can also alter or drop the role.

You must add the roles with the Admin Option in a separate operation from the roles you want to add without the Admin Option.

Note: When you grant the DBA and RESOURCE roles to a user or role with Oracle7 release 7.2.2 or later, the user or role is also granted the UNLIMITED TABLESPACE system privilege. When you revoke either role from a user or role, the UNLIMITED TABLESPACE system privilege is also revoked. The UNLIMITED TABLESPACE privilege can also be revoked independently of the DBA and RESOURCE roles.

From the SQL Worksheet, use the GRANT command to grant privileges on a column in a table or view. For information about the GRANT command, see the Oracle Server SQL Reference.

System Privileges: A scrolling list of the system privileges that you are able to grant to users. These are the system privileges you have been granted with the Admin Option. If you have the GRANT ANY PRIVILEGE system privilege, all privileges are listed.

Select the privileges that you want to add to the selected users. Click the With Admin Option box to allow the user to grant the system privileges to other users or roles.

Attention:

You must add the privileges with the Admin Option in a separate operation from the privileges you want to add without the Admin Option.

Object Privileges

A tree listing of schemas in the database and objects in the schemas displays in the Object window. Click on the '+' to the left of a folder icon to display the object types contained in the schema and then click on the '+' to the left of the object type folder to display available objects. Select the objects that you want to grant privileges for.

After the object is selected, the available privileges for the object are displayed to the right in the Privileges scrolling list.

You can grant an object privilege that you have been granted with the Grant Option. If you are the owner of the object, you can grant all privileges on the object. Select the privileges you want to grant for the selected objects.

Attention: You must add the privileges with the Grant Option in a separate operation from the privileges you want to add without the Grant Option.

Removing Privileges or Roles from a User

To remove the roles or privileges that are currently assigned to a user:

  1. From the Users folder in the tree list, click on the '+' to the left of the user to expand the Roles Granted, System Privileges Granted, and Object Privileges Granted folders. Click on the '+' to the left of the folder icon to display the privileges or roles that have been assigned to the user.
  2. Select the privilege or role that you want to remove from a user.
  3. Choose Revoke Privilege from the User menu or Revoke from the context-sensitive menu to remove the selected privilege or role from the user.

Privileges Multi-Column Lists

The Privileges multi-column scrolling list displays when a Roles Granted, System Privileges Granted or Object Privileges Granted object type folder is selected in the tree list. The list contains information about privileges assigned to the user or role.

Roles Granted

The columns in the Roles Granted list include:

Role

Name of the role.

Admin option

Whether the role was granted with the Admin option to the user or role.

Default

Indicates the role as a default for the user upon system logon.

System Privileges Granted

The columns in the System Privileges Granted list include:

System Privilege

Name of the system privilege.

Admin Option

Whether the privilege was granted with the Admin option to the user or role.

Object Privileges Granted

The columns in the Object Privileges Granted list include:

Object Privilege

Name of the object privilege.

Grant option

Whether the privilege was granted with the Grant option to the user.

For more information on these columns, see the description of the Create User property sheet in the section, Creating a User on page 9-8.
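The Admin option and Grant option columns shown in these lists can also be read from the data dictionary, which is useful when reviewing who is able to pass privileges on to others. The queries below are an added example, not part of the original guide; they assume the standard DBA_ROLE_PRIVS, DBA_SYS_PRIVS, DBA_TAB_PRIVS and DBA_USERS views and an account allowed to select from them.

```sql
-- Added example: list every grant that can be passed on by its grantee.
-- Rows correspond to entries that Security Manager marks with a key overlay.
SELECT grantee,
       'ROLE'             AS kind,
       granted_role       AS granted,
       TO_CHAR(NULL)      AS on_object,
       default_role       AS default_role
FROM   dba_role_privs
WHERE  admin_option = 'YES'
UNION ALL
SELECT grantee,
       'SYSTEM PRIVILEGE',
       privilege,
       TO_CHAR(NULL),
       TO_CHAR(NULL)
FROM   dba_sys_privs
WHERE  admin_option = 'YES'
UNION ALL
SELECT grantee,
       'OBJECT PRIVILEGE',
       privilege,
       owner || '.' || table_name,
       TO_CHAR(NULL)
FROM   dba_tab_privs
WHERE  grantable = 'YES'
ORDER  BY 1, 2, 3;

-- Users who hold UNLIMITED TABLESPACE directly, for example as a side effect
-- of a DBA or RESOURCE grant. Tablespace quotas do not constrain these users.
SELECT u.username,
       u.default_tablespace,
       u.profile
FROM   dba_users u, dba_sys_privs s
WHERE  s.grantee   = u.username
AND    s.privilege = 'UNLIMITED TABLESPACE'
ORDER  BY u.username;
```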

Roles Folder

The Roles object type folder contains information about the roles defined in your database arranged alphabetically in a tree structure. An individual role can be expanded to show the system privileges, object privileges, and roles granted to the role.

When you select:

Roles are named groups of privileges granted to users or other roles. For information about managing roles, see the Oracle Server Concepts, the Oracle Server Administrator's Guide, and the Oracle Server SQL Reference.

Roles Multi-Column List

A Roles multi-column list displays when a Roles or Roles Granted folder is selected in the tree list. The multi-column scrolling list contains a row of summary information for each of the roles in the roles folder.

If the folder is named Roles Granted and is contained in a user or role, the list only contains information about roles assigned to the user or role. The columns of the Roles multi-column list include:

Role

Name of the role.

Authentication

Type of authentication used: none, external, password, or global.

For more information on these columns, see the description of the Create User property sheet in the section, Creating a User on page 9-8.

Suggestion:

If a multi-column list is wider than the window display area, you can increase the viewing area by resizing the application window or dragging the splitter between the left and right sections of the window.

Creating a Role

To create a new role:

  1. Choose Create from the Role menu or one of the context-sensitive menus. The General page of the Create Role property sheet appears.
  2. Fill in the property sheet with the desired parameters.
  3. Click the Create button to apply the changes you have made to the property sheet and create the new role. For details on the property sheet command buttons, see Property Sheets on page 7-17.

The Create Role property sheet contains the following pages.

Create Role Property Sheet: General Page

The General page allows you to enter the following information:

Role

Name of the role to be created. Enter the name of the new role.

Authentication

Method used to enable the role.

None: Specifies that a user granted the role may enable it without specifying a password.

Global: Specifies that a user granted the role may enable it globally amongst multiple databases. The global authorization option is only available with Oracle 8 databases.

External: Specifies that the operating system or an external security utility verify the role.

Password: Specifies that a password is required to enable the role. Enter the password in the Enter Password entry field. Enter the password again in the Confirm Password entry field to verify the new password.

Create Like Role

If you want to create a new role with parameters similar to those of an existing role:

  1. Select the desired role from the tree list.
  2. Choose the Create Like menu option from the Role menu.
  3. Modify the property sheet as desired.
  4. Click the Create button.

You can also perform this operation by selecting a role in the tree list and choosing the Create Like menu option from the context-sensitive menu. You must enter the name of the new role and enter a new password if the Password button is selected.

This property sheet is identical to the Create Role property sheet. Refer to Creating a User on page 9-8 for information about the Create Role property sheet.

Modifying a Role

To alter the property sheet information for an existing role:

  1. Select the role to be altered from the tree list. The property sheet for that role appears.
  2. Modify the property sheet as desired.
  3. Click the Apply Button.

You can also modify a role by selecting a role from the Role multi-column list with the right mouse button to call up the context-sensitive menu. Select Quick Edit to bring up the Quick Edit property sheet.

The Role property sheet is identical to the Create Role property sheet except that the name is read-only. Refer to Creating a User on page 9-8 for information about the property sheet.

If you want to add privileges or roles to multiple roles, use the Add Privileges to Roles menu item. See Adding Privileges or Roles to Roles on page 9-22.

If you alter an object, such as a user named DAVE or a role named CLERK, in any location of the tree list, all instances of the object in the tree list are changed.

Removing a Role

To remove a role that is no longer needed:

  1. Select a role in the tree list.
  2. Choose Remove from the Role menu. The Remove Role alert box appears.
  3. Click Yes to remove the role.

You can also remove a role by selecting the role to be dropped from the Roles object type folder in the tree list and choosing Remove from the context-sensitive menu.

Adding Privileges or Roles to Roles

To assign subroles and grant individual privileges to multiple roles, or add roles and grant privileges to multiple roles:

  1. Choose Add Privileges to Roles from the Role menu to display the Add Privileges to Roles dialog box. A scrolling list of roles is displayed in the top half of the dialog box.
  2. Select the roles in the list that you want to add privileges or roles to.
  3. Select System Privileges, Object Privileges, or Roles from the drop-down list. The display in the bottom half of the dialog box varies according to your selection.

Roles

If you selected Roles, the roles that you can grant to a role display in a scrolling list. These are roles you have created and roles you have been granted with the Admin Option. If you have the GRANT ANY ROLE system privilege, all roles are listed.

  1. Select the roles that you want to add to the role.
  2. Click the With Admin Option box to allow the role to grant the role to other users or roles. If you grant a role with the Admin Option, the role can also alter or drop the role.
  3. Click the Apply button to add the selected roles to the role.

Attention:

You must add the roles with the Admin Option in a separate operation from the roles you want to add without the Admin Option.

System Privileges

A scrolling list of the system privileges that you are able to grant to a role. These are the system privileges you have been granted with the Admin Option. If you have the GRANT ANY PRIVILEGE system privilege, all privileges are listed.

  1. Select the privileges that you want to add to the role.
  2. Click the With Admin Option box to allow the role to grant the system privileges to other users or roles.
  3. Click the Add button to add the selected system privileges to the role.

Attention:

You must add the privileges with the Admin Option in a separate operation from the privileges you want to add without the Admin Option.

Object Privileges

A tree listing of schemas in the database and objects within the schemas displays in the Object window. Click on the '+' to the left of a folder icon to display the objects contained in the schema, then select the objects that you want to grant privileges for.

After the object is selected, the available privileges for the object are displayed to the right in the Privileges scrolling list.

  1. Select the privileges you want to grant for the selected object. The scrolling list includes the object privileges you can grant on an object.
  2. Click the Apply button to add the selected object privileges to the role.
  3. Click on the Apply button to save any changes you have made in the dialog box. For details on the dialog box command buttons, see Dialog Boxes on page 7-15.

Removing Privileges or Roles from a Role

To remove privileges or subroles that are assigned to a role in the Roles folder:

  1. From the tree list, select the privilege or subrole that you want to remove from a role. If necessary, click on the '+' to the left of the folder icon to display the privileges or subroles that have been assigned to the role.
  2. Choose Remove from the Role menu.

To conveniently remove multiple privileges or subroles from a single role, use the appropriate property sheet.

Profiles Folder

The Profiles folder contains information about the profiles defined for the database arranged alphabetically in a tree structure. An individual profile can be expanded to show the users that have been assigned the profile.

When you select:

A profile is a set of limits on database resources. When you assign a profile to a user, that user cannot exceed the limits set in the profile.

Oracle automatically creates a default profile named DEFAULT. The DEFAULT profile initially defines unlimited resources. You can alter the DEFAULT profile to change any of its resource limits.

Any user who is not explicitly assigned a profile is subject to the limits defined in the DEFAULT profile. Also, if the profile that is explicitly assigned to a user omits a limit for a resource or specifies the value DEFAULT for a limit, then the user is subject to the limit on that resource as defined in the DEFAULT profile.

Attention:

The initialization parameter RESOURCE_LIMIT must be set to TRUE to enforce the limits set in database profiles. For more information, see the Oracle Server Reference.

For more information about profiles, see the Oracle Server Concepts, the Oracle Server Administrator's Guide, and the Oracle Server SQL Reference.

Profile Multi-Column Lists

The profiles multi-column list displays when the Profiles folder is selected in the tree list. The scrolling list contains a row of summary information for each of the profiles in the Profiles folder.

The columns include all the fields on the pages of the Create Profile property sheet. For more information on these columns, see Creating a Profile on page 9-25.

Creating a Profile

To create a profile:

Choose Create from the Profile menu. The Create Profile property sheet appears. This property sheet contains the General and Password pages.

Create Profile Property Sheet: General Page

Name

This field allows you to enter the name of a new profile.

Details

These fields determine the amount of time allocated to the CPU per Session, CPU per Call, Connect Time, and Idle Time for this profile. The fields are:

CPU/Session: Total amount of CPU time allowed in a session. The limit is expressed in seconds.

CPU/Call: Maximum amount of CPU time allowed for a call (a parse, execute, or fetch). The limit is expressed in seconds.

Connect Time: Maximum elapsed time allowed for a session. The limit is expressed in minutes.

Idle Time: Maximum idle time allowed in a session. Idle time is a continuous period of inactive time during a session. Long-running queries and other operations are not subject to this limit. The limit is expressed in minutes.

You can enter a value in a field or choose from the drop-down list adjacent to the field. Click on the down-arrow to display the list. The drop-down list provides the following choices:

Database Services

These fields determine the database services allocated to this profile. The fields are:

Concurrent Sessions: Maximum number of concurrent sessions allowed for a user.

Reads/Session: Total number of data block reads allowed in a session. The limit includes blocks read from memory and disk.

Reads/Call: Maximum number of data block reads allowed for a call (a parse, execute, or fetch) to process a SQL statement.

Private SGA: Maximum amount of private space a session can allocate in the shared pool of the System Global Area (SGA). The Private SGA limit applies only if you are using the multi-threaded server architecture. The limit is expressed in kilobytes (KBytes).

Composite Limit: Total resource cost for a session. The resource cost for a session is the weighted sum of the CPU time used in the session, the connect time, the number of reads made in the session, and the amount of private SGA space allocated.

You can enter a value in a field or choose from the drop-down list adjacent to the field. Click on the down-arrow to display the list. The drop-down list provides the following choices:

Attention:

In the SQL Worksheet, you can use the SQL command ALTER RESOURCE COST to specify the weights for the resources in the Composite Limit. For information about the ALTER RESOURCE COST command, see the Oracle Server SQL Reference.

Drop-down List Selections

Default: Use the limit specified for this resource in the DEFAULT profile.

Unlimited: The user's access to this resource is unlimited.

Values: Select one of the existing values. The default values vary by field and are common values for the field. If you have entered a value in the field, that value appears in the drop-down list.

Create Profile Property Sheet: Password Page (Oracle 8)

The Password page allows you to set account password parameters. This page consists of the following:

Expire Password

Expire in: Limits the number of days after which a password expires. Select a value from the drop-down list, or enter a specific value.

Lock: Limits the number of days during which a password can be changed following the first successful login after password expiration.

Keep Password History

Keep: Specifies the number of times a password must be changed before it can be reused. Keep for is disabled if a value is specified in this field.

Keep for: Limits the number of days before a password can be reused after it expires. Keep is disabled if a value is specified in this field.

Enforce Password Complexity

Allows a PL/SQL routine to be used for password verification when users who are assigned this profile log into a database. This PL/SQL routine must be locally available for execution on the database to which this profile applies.

Oracle provides a default script (utlpwdmg.sql); however, you can also create your own routine or use third-party software as an alternative. The password verification routine must be owned by SYS.

NULL (no password verification) is set by default.

Lock account on failed logon

Lock after: Limits the number of failed logon attempts allowed before a user is locked out from the account.

Lock for: Specifies the number of days the account is locked after failing the specified number of logon attempts. If UNLIMITED is specified, only the database administrator can unlock the account.

Note: If Default is selected for any password options, values defined in the Default profile are used.
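The SQL equivalent of the General and Password pages, as an added example that is not part of the original guide; the profile name app_users and every limit value are constructed. In SQL, CPU_PER_SESSION and CPU_PER_CALL are given in hundredths of a second, and PRIVATE_SGA is given in bytes unless a K or M suffix is used.

```sql
-- Added example: one statement covering both pages of the property sheet.
-- The profile name and all values are constructed for illustration.

-- Profile limits are enforced only when RESOURCE_LIMIT is TRUE.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;

CREATE PROFILE app_users LIMIT
  -- General page: Details
  CPU_PER_SESSION            60000      -- CPU/Session: 600 s, in 1/100 s
  CPU_PER_CALL               3000       -- CPU/Call: 30 s, in 1/100 s
  CONNECT_TIME               480        -- Connect Time, minutes
  IDLE_TIME                  15         -- Idle Time, minutes
  -- General page: Database Services
  SESSIONS_PER_USER          2          -- Concurrent Sessions
  LOGICAL_READS_PER_SESSION  DEFAULT    -- Reads/Session: take DEFAULT profile value
  LOGICAL_READS_PER_CALL     100000     -- Reads/Call, data blocks
  PRIVATE_SGA                512K       -- Private SGA
  COMPOSITE_LIMIT            5000000    -- Composite Limit, weighted cost
  -- Password page (Oracle 8)
  PASSWORD_LIFE_TIME         90         -- Expire in, days
  PASSWORD_GRACE_TIME        7          -- Lock (change window after expiry), days
  PASSWORD_REUSE_MAX         10         -- Keep: changes before reuse
  PASSWORD_REUSE_TIME        UNLIMITED  -- Keep for: unset because Keep is set
  PASSWORD_VERIFY_FUNCTION   NULL       -- Enforce Password Complexity: none
  FAILED_LOGIN_ATTEMPTS      5          -- Lock after
  PASSWORD_LOCK_TIME         1          -- Lock for, days
;

-- Weights used to compute the composite cost of a session.
ALTER RESOURCE COST
  CPU_PER_SESSION 100
  CONNECT_TIME    1;

-- Confirm what was stored for the new profile.
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USERS'
 ORDER BY resource_name;
```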

Create Like Profile

To create a new profile that has identical parameter settings to an existing profile:

  1. Select the profile to be copied from the tree list.
  2. Choose Create Like from the Profile menu. The Create Profile property sheet appears.
  3. Specify a profile name and modify the property sheet parameters if necessary.
  4. Click the Create button.

You can also perform this operation by selecting a profile from the tree or multi-column list and choosing the Create Like menu option. You must enter the name of the new profile.

The Create Like property sheet is identical to the Create Profile property sheet. See Creating a Profile on page 9-25 for information about the property sheet.

Altering a Profile

To alter the resource limits for an existing profile:

  1. Select the profile to be altered from the tree list. The Profile property sheet appears.
  2. Modify the resource limits as necessary.
  3. Click the Apply button.

You can also use the Quick Edit property sheet to modify a profile by selecting a profile from the multi-column list using the right mouse button and choosing Quick Edit from the context-sensitive menu.

The Quick Edit property sheet is identical to the Create Profile property sheet except that the name field is read-only. See Creating a Profile on page 9-25 for information about the property sheet.

In the SQL Worksheet, you can use the SQL command ALTER RESOURCE COST to specify the weights for the resources in the Composite Limit. For information about the ALTER RESOURCE COST command, see the Oracle Server SQL Reference.

Showing Profile Dependents and Dependencies

To display dependents for a particular profile:

  1. Select a profile from the tree list.
  2. Choose Show Dependencies from the Profile menu.

Dependencies are organized by user. Expanding individual users in the Dependencies Viewer displays the schema objects, roles, and privileges associated with that user.

Removing a Profile

To remove a profile that is no longer needed:

  1. Select the profile to be deleted from the tree list.
  2. Choose Remove from the Profile menu. The Remove Profile alert box appears.

The Remove Profile alert box indicates if the profile you wish to drop is assigned to any users. If you drop a profile that is assigned to users, Security Manager assigns the DEFAULT profile to them.

  3. Click OK.

Note: You cannot drop the DEFAULT profile.

Assigning a Profile to Users

To assign a profile to multiple users in the database:

  1. Choose the Assign Profile to Users menu option from the Profile menu. The Assign Profile dialog box appears.
  2. Select the profile that you want to assign from the drop-down list.
  3. In the scrolling list, select the users that you want to assign the profile to.
  4. Click the Apply button to assign the selected profile to the user(s). You can click OK to assign the profile and close the dialog box.
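Assigning a profile in SQL and then checking what each account actually inherits, as an added example that is not part of the original guide. The profile name support_staff and the users jsmith and mlee are constructed and the two users are assumed to exist; the query resolves limits stored as DEFAULT to the value held in the DEFAULT profile.

```sql
-- Added example: names and values are constructed for illustration.
CREATE PROFILE support_staff LIMIT
  FAILED_LOGIN_ATTEMPTS 5
  PASSWORD_LIFE_TIME    90;

-- One statement per user; the dialog box does this for each selected user.
ALTER USER jsmith PROFILE support_staff;
ALTER USER mlee   PROFILE support_staff;

-- Effective password limits per account. A limit stored as DEFAULT is
-- replaced by the value from the DEFAULT profile.
SELECT u.username,
       u.profile,
       p.resource_name,
       DECODE(p.limit, 'DEFAULT', d.limit, p.limit) AS effective_limit
  FROM dba_users u, dba_profiles p, dba_profiles d
 WHERE p.profile       = u.profile
   AND d.profile       = 'DEFAULT'
   AND d.resource_name = p.resource_name
   AND p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME',
                           'PASSWORD_LOCK_TIME', 'PASSWORD_VERIFY_FUNCTION')
 ORDER BY u.username, p.resource_name;

-- Accounts that are never locked after failed logons or whose passwords
-- never expire, whether set directly or inherited from DEFAULT.
SELECT u.username, u.profile, p.resource_name
  FROM dba_users u, dba_profiles p, dba_profiles d
 WHERE p.profile       = u.profile
   AND d.profile       = 'DEFAULT'
   AND d.resource_name = p.resource_name
   AND p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME')
   AND DECODE(p.limit, 'DEFAULT', d.limit, p.limit) = 'UNLIMITED'
 ORDER BY u.username, p.resource_name;
```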


 
Oracle 
Copyright © 1998 Oracle Corporation. 
All Rights Reserved. 
 