Khoa CNTT & Truyền Thông - Trường Đại Học Cần Thơ

11.1 User management

Assigning privileges is a necessary part of administration. Two user accounts are created automatically when the database is created and are granted the DBA (DataBase Administration) privilege: SYS and SYSTEM.

- SYS: created automatically and granted the DBA privilege. Its default password is change_on_install. It owns the tables and views of the data dictionary in the database.
- SYSTEM: created automatically with the initial password manager and also granted the DBA privilege. In addition, SYSTEM owns a number of extra tables and views that hold information used by Oracle's tools.

Note: as soon as the database is created, Oracle provides a predefined privilege set called "DBA". It permits administrative operations on the database. A user holding DBA can alter the privileges of every other user of the system. Database administrators must therefore change their own passwords so that the defaults supplied by Oracle are no longer in use; otherwise another user who knows them can log in to the system without authorization and disrupt it.

When creating a new account, the following parameters must be decided for it:

- Default Tablespace: the tablespace that holds the segments the user's processes create to store data whenever the user does not name a tablespace explicitly when creating the segment.
- Tablespace Quotas: the maximum amount of storage, that is, the physical space this user is allowed to occupy in the database, per tablespace.
- Temporary Tablespace: the tablespace in which the Oracle server allocates extents for sorting data whenever the user runs a query that requires a sort.
- Account Locking: accounts can be locked to stop the user from entering the database. Locking can happen automatically or under the control of the database administrator.
- Resource Limits: limits imposed on this user for system resources such as CPU time, I/O, the maximum number of concurrent sessions, and so on.

11.1.1 Steps to follow when creating a new user

1. Choose the username (the name the user logs in to the database with) and the authentication mechanism for this user.
2. Specify the tablespaces the user will store data in.
3. Assign the default tablespace and the temporary tablespace.
4. Allocate a quota on each tablespace.
5. Grant access (privileges, or roles) to the newly created user.

11.1.2 Creating a new user

Syntax:

CREATE USER tên_user IDENTIFIED {BY mật_khẩu | EXTERNALLY}
  [DEFAULT TABLESPACE tên_tablespace]
  [TEMPORARY TABLESPACE tên_tablespace]
  [QUOTA {số_nguyên [K | M] | UNLIMITED} ON tên_tablespace] ...

Where:

- tên_user: the user's login name.
- BY mật_khẩu: authentication by the database, with mật_khẩu as the login password.
- EXTERNALLY: authentication of the user by the operating system.
- DEFAULT/TEMPORARY tên_tablespace: the default/temporary tablespace for the user.
- QUOTA: the maximum amount of space allocated to the user for storing objects in each tablespace. The keyword UNLIMITED means the allocation is not limited.

Example: create a user whose name and password are userTest, with a quota of 1M on tablespace USERS.

CREATE USER userTest IDENTIFIED BY usertest
  DEFAULT TABLESPACE USERS
  TEMPORARY TABLESPACE TEMP
  QUOTA 1M ON USERS;
11.1.4 Changing a user's tablespace quota

In some situations the tablespace quota has to be changed, for example when:

- the user's tables can no longer grow;
- an upgraded application requires additional tables or indexes;
- objects are reorganized and spread across several tablespaces.

Syntax:

ALTER USER tên_user
  [DEFAULT TABLESPACE tên_tablespace]
  [TEMPORARY TABLESPACE tên_tablespace]
  [QUOTA {số_nguyên [K | M] | UNLIMITED} ON tên_tablespace
    [QUOTA {số_nguyên [K | M] | UNLIMITED} ON tên_tablespace] ...]
11.1.5 Dropping a user

Syntax:

DROP USER tên_user [CASCADE]

Note: CASCADE drops all objects in the schema before the user is deleted. It is required when the schema contains objects. A user who is currently connected to the Oracle server cannot be dropped.

11.1.6 Viewing information about users

Information about users is available from the data dictionary views DBA_USERS and DBA_TS_QUOTAS. For each user, the quota information can be read from DBA_TS_QUOTAS. Example: view the quota information for user userTest.

SELECT tablespace_name, blocks, max_blocks, bytes, max_bytes
  FROM dba_ts_quotas
 WHERE username = 'USERTEST';   -- unquoted identifiers are stored in upper case

If the result shows the value -1 in the MAX_BLOCKS and MAX_BYTES columns, the quota is unlimited (UNLIMITED). Account information for users can also be retrieved. Example:

SELECT username, account_status, temporary_tablespace
  FROM dba_users;
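The following script, added here as an example and not taken from the textbook, walks through the whole life cycle of an account using the CREATE USER, ALTER USER and DROP USER statements of 11.1.1 to 11.1.6, and shows how a DBA reads back the result, translating the -1 quota marker into UNLIMITED. The account name app_reader, the tablespaces USERS and TEMP, and the passwords are assumptions; the placeholders in angle brackets are to be replaced before use.

```sql
-- Added example (not from the textbook). Run as a DBA.
-- Assumed names: app_reader, tablespaces USERS / TEMP, the password values.

-- 1. Create the account with an explicit default and temporary tablespace and a quota.
--    Without a QUOTA (or UNLIMITED TABLESPACE) the user cannot create segments even
--    if it later receives CREATE TABLE.
CREATE USER app_reader IDENTIFIED BY "Chg_me_on_first_login1"
  DEFAULT TABLESPACE USERS
  TEMPORARY TABLESPACE TEMP
  QUOTA 5M ON USERS
  PASSWORD EXPIRE;                 -- force a password change at first logon

-- 2. Grant only what is needed to connect; other privileges are granted separately.
GRANT CREATE SESSION TO app_reader;

-- 3. Raise the quota when the application needs more space (11.1.4).
ALTER USER app_reader QUOTA 20M ON USERS;

-- 4. Lock the account while it is not in use; unlock it again when needed.
ALTER USER app_reader ACCOUNT LOCK;
ALTER USER app_reader ACCOUNT UNLOCK;

-- 5. Review: one row per user and tablespace. MAX_BYTES = -1 means UNLIMITED (11.1.6).
--    Identifiers created without double quotes are stored in upper case, so the
--    comparison is against 'APP_READER'.
SELECT u.username,
       u.account_status,
       u.default_tablespace,
       u.temporary_tablespace,
       q.tablespace_name,
       CASE WHEN q.max_bytes = -1 THEN 'UNLIMITED'
            ELSE TO_CHAR(q.max_bytes) END AS quota_bytes,
       q.bytes                      AS used_bytes
  FROM dba_users u
  LEFT JOIN dba_ts_quotas q ON q.username = u.username
 WHERE u.username = 'APP_READER';

-- 6. Replace the vendor default passwords of the administrative accounts (11.1).
ALTER USER SYS    IDENTIFIED BY "<new-sys-password>";      -- placeholder value
ALTER USER SYSTEM IDENTIFIED BY "<new-system-password>";   -- placeholder value

-- 7. Remove the account together with its schema objects (11.1.5). This fails while
--    the user still has an open session.
DROP USER app_reader CASCADE;
```

Step 5 is the check a practitioner runs after every change: ACCOUNT_STATUS confirms the lock state, and the quota row confirms that the user can only consume space in the tablespace it was given.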
11.2 Privilege management

Each user that is created can be granted two kinds of privileges:

- System privileges: allow the user to perform a given operation in the database, such as creating tables or views.
- Object privileges: allow the user to perform a given operation on a particular database object, such as SELECT, INSERT or UPDATE on a given table.

11.2.1 System privileges

11.2.1.1 Kinds of system privileges

The Oracle database has about 140 system privileges, and the number keeps growing. System privileges can be divided as follows:

- privileges that allow access to the system and the creation of storage, for example CREATE SESSION, CREATE TABLESPACE;
- privileges that allow management of the objects owned by a user, for example CREATE TABLE;
- privileges that allow management of objects in any schema, for example CREATE ANY TABLE.

Privileges are controlled with the GRANT and REVOKE statements.

[Table: classification of system privileges and the common privileges in each class; only the CREATE TABLE entry survives in this copy.]

Note:

- CREATE SESSION is the minimum privilege required to connect to the database.
- Privileges such as CREATE TABLE, CREATE PROCEDURE and CREATE TRIGGER include the privilege to drop the corresponding objects.
- CREATE TABLE includes the CREATE INDEX and ANALYZE privileges. To use it, the user must also have a quota on the tablespace or be granted UNLIMITED TABLESPACE.
- To truncate tables (delete all of their data), the DROP ANY TABLE privilege is required.

11.2.1.2 Granting system privileges

Use the following syntax to grant system privileges to a user:
GRANT {quyền_hệ_thống | tên_role} [, {quyền_hệ_thống | tên_role}] ...
  TO {tên_user | tên_role | PUBLIC} [, {tên_user | tên_role | PUBLIC}] ...
  [WITH ADMIN OPTION]

Where:

- quyền_hệ_thống: the system privilege to grant.
- tên_role: the name of the role to grant.
- PUBLIC: grants the system privilege to all users.
- WITH ADMIN OPTION: lets the grantee grant the privilege or role on to other users.
Example:

GRANT CREATE SESSION, CREATE TABLE TO userTest;

If userTest should also be able to pass these privileges on to other users, add the WITH ADMIN OPTION clause:

GRANT CREATE SESSION, CREATE TABLE TO userTest WITH ADMIN OPTION;
Guidelines:

- A user who has been granted privilege a WITH ADMIN OPTION can grant privilege a to another user, even with the WITH ADMIN OPTION.
- Any user who holds the GRANT ANY ROLE privilege can grant any role in the database to other users.
- A user who has been granted privilege a WITH ADMIN OPTION can grant that privilege to, or revoke it from, any user or role in the database.

11.2.1.3 Revoking system privileges

Use the following syntax to revoke system privileges:

REVOKE {quyền_hệ_thống | tên_role} [, {quyền_hệ_thống | tên_role}] ...
  FROM {tên_user | tên_role | PUBLIC} [, {tên_user | tên_role | PUBLIC}] ...

Example:

REVOKE CREATE TABLE FROM userTest;

Note: REVOKE can only take back privileges that were granted to the user directly with GRANT. Revoking system privileges can affect dependent objects. For example, if SELECT ANY TABLE was granted to a user and that user has created procedures or views that use tables belonging to other users, revoking the privilege makes those procedures or views invalid.

11.2.1.4 Viewing information about system privileges

Information about privileges is obtained from the data dictionary views DBA_SYS_PRIVS and SESSION_PRIVS. They contain:

- DBA_SYS_PRIVS: GRANTEE, PRIVILEGE, ADMIN_OPTION
- SESSION_PRIVS: PRIVILEGE
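The statements below are an added example, not part of the textbook, showing how a DBA uses DBA_SYS_PRIVS and SESSION_PRIVS from 11.2.1.4 to review the system privileges in the database and to revoke one that is broader than needed. The user names userTest and app_admin are assumptions; the query flags the two things an administrator most often wants to see: ANY privileges, which reach into every schema, and grants carrying the ADMIN OPTION, which let the grantee spread the privilege further.

```sql
-- Added example (not from the textbook). Run as a DBA unless noted.
-- Assumed names: userTest, app_admin.

-- 1. Grant the minimum for a working account: connect plus create its own tables.
--    No ADMIN OPTION, so userTest cannot pass these privileges on.
GRANT CREATE SESSION, CREATE TABLE TO userTest;

-- 2. Review: every grantee holding an "ANY" privilege or a privilege granted with the
--    ADMIN OPTION (ADMIN_OPTION = 'YES'). Roles show up as grantees too, so a join to
--    DBA_ROLES tells users and roles apart. The administrative accounts are excluded.
SELECT p.grantee,
       p.privilege,
       p.admin_option,
       CASE WHEN r.role IS NOT NULL THEN 'ROLE' ELSE 'USER' END AS grantee_type
  FROM dba_sys_privs p
  LEFT JOIN dba_roles r ON r.role = p.grantee
 WHERE (p.privilege LIKE '%ANY%' OR p.admin_option = 'YES')
   AND p.grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY p.grantee, p.privilege;

-- 3. Take back a privilege that was granted directly. REVOKE only undoes direct
--    GRANTs: if app_admin also receives the privilege through a role, it stays in
--    effect until it is revoked from that role as well.
REVOKE SELECT ANY TABLE FROM app_admin;

-- 4. In the user's own session: the privileges in effect right now, that is, direct
--    grants plus those of the currently enabled roles.
SELECT privilege FROM session_privs ORDER BY privilege;
```

Running step 2 before and after step 3 shows the difference between the dictionary view (what is granted) and SESSION_PRIVS (what the connected session can actually use), which is why both views are listed in 11.2.1.4.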
11.2.2 Object privileges

11.2.2.1 Privileges on objects

An object privilege granted to a user is an operation the user may perform on that object. The table below lists the common privileges that can be granted on an object:

Privilege    Table   View   Procedure
ALTER          X
DELETE         X      X
EXECUTE                       X
INDEX          X
INSERT         X      X
SELECT         X      X
UPDATE         X      X
11.2.2.2 Granting privileges on objects

Use the following syntax to grant a privilege on an object:

GRANT {quyền_đối_tượng [(ds_cột)] [, quyền_đối_tượng [(ds_cột)]] ... | ALL [PRIVILEGES]}
  ON [tên_schema.]tên_đối_tượng
  TO {tên_user | tên_role | PUBLIC} [, {tên_user | tên_role | PUBLIC}] ...
  [WITH GRANT OPTION]

Where:

- quyền_đối_tượng: the object privilege to grant.
- ds_cột: the columns of a table or view (this option is only used when granting the INSERT or UPDATE privilege).
- ALL: grants all privileges on the object that the grantor holds WITH GRANT OPTION.
- tên_đối_tượng: the object on which the privileges are granted.
- WITH GRANT OPTION: lets the grantee grant the privileges on to another user.
Note: to grant privileges on an object, the object must belong to the schema of the user performing the grant, or that user must hold the privilege WITH GRANT OPTION. By default the owner of an object has all privileges on it. The WITH GRANT OPTION clause cannot be used when granting object privileges to a role.

Example: log in as user scott with password tiger, then grant userTest the right to read and update the data of table Emp:

GRANT SELECT, UPDATE ON Emp TO userTest;

11.2.2.3 Revoking privileges on objects

Syntax:

REVOKE {quyền_đối_tượng [, quyền_đối_tượng] ... | ALL [PRIVILEGES]}
  ON [tên_schema.]tên_đối_tượng
  FROM {tên_user | tên_role | PUBLIC} [, {tên_user | tên_role | PUBLIC}] ...
  [CASCADE CONSTRAINTS]

Where:

- quyền_đối_tượng: the object privilege to revoke.
- ALL: revokes all object privileges granted to the user on the object.
- ON: the object from which the privileges are revoked.
- FROM: the user or role losing the privileges.
- CASCADE CONSTRAINTS: drops all referential integrity constraints that were defined using the REFERENCES privilege (or ALL) being revoked.

Example: log in as user scott with password tiger, then revoke the right to update table Emp from userTest:

REVOKE UPDATE ON Emp FROM userTest;
11.2.2.4 Information about object privileges

Information about object privileges is stored in the data dictionary. The views of interest are:

- DBA_TAB_PRIVS: GRANTEE, OWNER, TABLE_NAME, GRANTOR, PRIVILEGE, GRANTABLE
- DBA_COL_PRIVS: GRANTEE, OWNER, TABLE_NAME, COLUMN_NAME, GRANTOR, PRIVILEGE, GRANTABLE

Example: a DBA can query DBA_TAB_PRIVS to list the object privileges granted to user userTest.

SELECT *
  FROM dba_tab_privs
 WHERE grantee = 'USERTEST';   -- unquoted identifiers are stored in upper case
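The script below is an added example, not taken from the textbook, that carries the scott/Emp example of 11.2.2.2 through 11.2.2.4 further: a column list on UPDATE and REFERENCES, the WITH GRANT OPTION clause, the two dictionary views that record table-level and column-level grants, and a REVOKE with CASCADE CONSTRAINTS. The accounts userTest and hr_app and the table hr_app.emp_badge are assumptions; the columns of Emp are those of the standard SCOTT.EMP demonstration table.

```sql
-- Added example (not from the textbook). Run as scott unless noted.
-- Assumed names: userTest, hr_app, hr_app.emp_badge.

-- Read access to the whole table, but update access to two columns only: userTest can
-- change SAL and COMM and nothing else. SELECT is re-grantable (WITH GRANT OPTION).
GRANT SELECT ON Emp TO userTest WITH GRANT OPTION;
GRANT UPDATE (sal, comm) ON Emp TO userTest;

-- REFERENCES on a column lets hr_app build a foreign key that points at EMP(EMPNO).
GRANT REFERENCES (empno) ON Emp TO hr_app;

-- hr_app, in its own schema, then creates a table that depends on that privilege:
--   CREATE TABLE hr_app.emp_badge (
--     badge_id NUMBER PRIMARY KEY,
--     empno    NUMBER REFERENCES scott.emp(empno));

-- Review as a DBA. Table-level and column-level grants live in different views, and
-- unquoted identifiers are stored in upper case.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SCOTT' AND table_name = 'EMP';

SELECT grantee, column_name, privilege, grantable
  FROM dba_col_privs
 WHERE owner = 'SCOTT' AND table_name = 'EMP';

-- Back as scott. Revoking REFERENCES is refused while the foreign key still exists;
-- CASCADE CONSTRAINTS drops the constraint at the same time.
REVOKE REFERENCES ON Emp FROM hr_app CASCADE CONSTRAINTS;

-- Revoking SELECT from userTest also removes any SELECT that userTest passed on to
-- other users through its WITH GRANT OPTION (object-privilege revokes cascade).
REVOKE SELECT ON Emp FROM userTest;
```

The two dictionary queries are the check to run after a grant: a privilege that was meant for two columns but appears in DBA_TAB_PRIVS was granted on the whole table, and GRANTABLE = 'YES' marks the users who can extend access without the owner's involvement.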
11.3.2 Properties of roles

- Roles are granted to and revoked from users.
- A role can be granted to any user, but not to itself.
- A role can contain both system privileges and object privileges.
- Roles granted to users can be enabled and disabled.
- A password can be required to enable a role.
- A role name must not coincide with a user name or with an existing role name.
- A role belongs to no user and to no schema.

11.3.3 Benefits of using roles

- Less work when granting privileges: roles simplify privilege management by granting a set of privileges to a user at once. Privileges are granted to a role, and the role is then granted to users.
- Dynamic privilege management: when the privileges contained in a role change, the privileges of every user granted that role change accordingly.

11.3.4 Creating a role

The name of a new role must not coincide with that of any user or other role. Syntax:

CREATE ROLE tên_role [NOT IDENTIFIED | IDENTIFIED {BY mật_khẩu | EXTERNALLY}]

Where:

- tên_role: the name of the role.
- NOT IDENTIFIED: no check is required when enabling the role.
- BY mật_khẩu: the password the user must supply to enable the role.
- EXTERNALLY: the user must be verified by an external service (the operating system or a third-party service) before the role can be enabled.

Example: create a role named StudentsGroup.

CREATE ROLE StudentsGroup;
11.3.5 Modifying a role

Syntax:

ALTER ROLE tên_role {NOT IDENTIFIED | IDENTIFIED {BY mật_khẩu | EXTERNALLY}}

Where:

- tên_role: the name of the role to change.
- NOT IDENTIFIED: no verification is required when enabling the role.
- IDENTIFIED: verification is required when enabling the role.
- BY mật_khẩu: the password to supply when enabling the role.
- EXTERNALLY: the user must be verified by an external service (operating system authentication).
11.3.6 Granting privileges to a role

The syntax is the same as for granting privileges to a user.

11.3.7 Granting roles to users

Syntax:

GRANT tên_role [, tên_role] ...
  TO {tên_user | tên_role | PUBLIC} [, {tên_user | tên_role | PUBLIC}] ...
  [WITH ADMIN OPTION]

Where:

- tên_role: the name of the role.
- tên_user: the user to whom the role is granted.
- tên_role (after TO): the role to which the role is granted.
- PUBLIC: grants the role to all users.
- WITH ADMIN OPTION: lets the user granted the role grant that role to other users.

Example:

GRANT StudentsGroup TO userTest;
11.3.8 Revoking roles from users

Use the following syntax to revoke roles from users:

REVOKE tên_role [, tên_role] ...
  FROM {tên_user | tên_role | PUBLIC} [, {tên_user | tên_role | PUBLIC}] ...

Where:

- tên_role: the roles to revoke.
- tên_user: the user from whom the roles are revoked.
- tên_role (after FROM): the role from which the roles are revoked.

Giáo Trình Hệ Quản Trị Cơ Sở Dữ Liệu - page 35
11.3.10 Predefined roles

Role name              Description
CONNECT                Provided for compatibility with earlier versions
RESOURCE               Provided for compatibility with earlier versions
DBA                    All system privileges, with the ADMIN OPTION
EXP_FULL_DATABASE      Privilege to export the database's data
IMP_FULL_DATABASE      Privilege to import data into the database
DELETE_CATALOG_ROLE    Delete privilege on the data dictionary
EXECUTE_CATALOG_ROLE   Execute privilege on the data dictionary packages
SELECT_CATALOG_ROLE    Select privilege on the data dictionary views

The roles DELETE_CATALOG_ROLE, EXECUTE_CATALOG_ROLE and SELECT_CATALOG_ROLE allow access to the views and packages of the data dictionary. They can be granted to users who do not hold DBA but need to look at the information in the tables and views of the data dictionary.

11.3.11 Information about roles

Information about roles is obtained from the data dictionary. Many tables and views hold information about the privileges granted to users:

View name        Description
DBA_ROLES        All roles in the database
DBA_ROLE_PRIVS   Roles granted to users or to other roles
DBA_SYS_PRIVS    System privileges granted to users or roles
ROLE_SYS_PRIVS   System privileges granted to roles
ROLE_TAB_PRIVS   Table privileges granted to roles
SESSION_ROLES    Roles currently enabled for the current user
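The following script is an added example, not part of the textbook, that ties together the role statements of 11.3.4 to 11.3.11: a password-protected role holding both system and object privileges, a grant of that role as a non-default role so the user has to enable it explicitly, the SET ROLE statement that enables it, and the dictionary views that show who holds it. The names payroll_role and payroll_user and the role password are assumptions; scott.emp is the standard demonstration table.

```sql
-- Added example (not from the textbook). Run as a DBA unless noted.
-- Assumed names: payroll_role, payroll_user, the role password.

-- 1. Create the role and give it a mix of system and object privileges (11.3.2).
--    Object privileges cannot be granted to a role WITH GRANT OPTION.
CREATE ROLE payroll_role IDENTIFIED BY "R0le_s3cret";
GRANT CREATE SESSION TO payroll_role;
GRANT SELECT, UPDATE ON scott.emp TO payroll_role;

-- 2. Grant the role to a user, but make it a non-default role so that it is not
--    enabled automatically at logon. The user therefore needs CREATE SESSION directly.
GRANT payroll_role TO payroll_user;
GRANT CREATE SESSION TO payroll_user;
ALTER USER payroll_user DEFAULT ROLE ALL EXCEPT payroll_role;

-- 3. In payroll_user's own session: enable the role with its password, do the work,
--    then disable every role again for the rest of the session.
SET ROLE payroll_role IDENTIFIED BY "R0le_s3cret";
SELECT role FROM session_roles;          -- now lists PAYROLL_ROLE
SET ROLE NONE;

-- 4. Change the requirement later (11.3.5), for example drop the password.
ALTER ROLE payroll_role NOT IDENTIFIED;

-- 5. Review: who holds the role, and what it carries (11.3.11).
SELECT grantee, granted_role, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'PAYROLL_ROLE';

SELECT privilege
  FROM role_sys_privs
 WHERE role = 'PAYROLL_ROLE';

SELECT owner, table_name, privilege
  FROM role_tab_privs
 WHERE role = 'PAYROLL_ROLE';

-- 6. Take the role away again (11.3.8).
REVOKE payroll_role FROM payroll_user;
```

Keeping a privileged role off by default and behind a password means a compromised application session holds only CREATE SESSION until the role is deliberately enabled, and SESSION_ROLES shows at any moment which roles a session is actually running with.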