
11 Oracle database protection measures

11.1 User management

Assigning usage privileges is a necessary part of database administration. Two user accounts are created automatically when the database is created and are granted the DBA (DataBase Administration) privilege: SYS and SYSTEM.

SYS: created automatically and granted the DBA privilege. The default password is change_on_install. It owns the tables and views of the data dictionary in the database.

Database Management Systems Textbook (Giáo Trình Hệ Quản Trị Cơ Sở Dữ Liệu) - page 26

Faculty of Information Technology & Communication (Khoa CNTT & Truyền Thông) - Can Tho University (Trường Đại Học Cần Thơ)

SYSTEM: created automatically with the initial password manager and also granted the DBA privilege. In addition, SYSTEM owns a number of extra tables and views that hold information used by Oracle's tools.

Note: When the database is created, Oracle already provides a privilege called "DBA". This privilege allows administrative operations on the database. A user with the DBA privilege can interfere with the privileges of other users in the system. Database administrators therefore need to change their passwords and avoid the default passwords supplied by Oracle, because other users may know them and use them to access the system without authorization and disrupt it.

When creating a new account, the following parameters need to be set for it:

- Default Tablespace: the tablespace that holds the segments created by the user's processes to store data when the user does not name a tablespace at the time the segment is created.
- Tablespace Quotas: the maximum amount of storage, in terms of physical storage capacity, that this user is allowed in the database.
- Temporary Tablespace: where the Oracle server allocates extents for sorting whenever the user runs a query that sorts data.
- Account Locking: accounts can be locked to prevent the user from accessing the database. This can happen automatically or under the control of the database administrator.
- Resource Limits: limits placed on this user for system resources such as CPU time, I/O, the maximum number of open sessions, and so on.

11.1.1 Steps for creating a new user

1. Choose the username (the name the user connects to the database with) and the authentication mechanism for this user.
2. Specify the tablespaces the user will store data in.
3. Assign the default tablespace and the temporary tablespace.
4. Allocate a usage quota on each tablespace.
5. Grant access rights (privileges or roles) to the newly created user.

11.1.2 Creating a new user

Syntax:

CREATE USER user_name IDENTIFIED {BY password | EXTERNALLY}
[ DEFAULT TABLESPACE tablespace_name ]
[ TEMPORARY TABLESPACE tablespace_name ]
[ QUOTA { integer [K | M] | UNLIMITED } ON tablespace_name
[ QUOTA { integer [K | M] | UNLIMITED } ON tablespace_name ] ... ]

Where:

- user_name: the user's login name.
- BY password: the user is authenticated by the database, with password as the login password.
- EXTERNALLY: the user is authenticated by the operating system.
- DEFAULT/TEMPORARY TABLESPACE tablespace_name: the default/temporary tablespace for the user.
- QUOTA: the maximum amount of space allocated to the user for storing objects in each tablespace. The keyword UNLIMITED means the allocated space is not limited.

Example: Create a user whose name and password are userTest, with a quota of 1M on the USERS tablespace.

CREATE USER userTest IDENTIFIED BY usertest
DEFAULT TABLESPACE USERS
TEMPORARY TABLESPACE TEMP
QUOTA 1M ON USERS;

11.1.3 Changing a user's password

Syntax:

ALTER USER user_name [ IDENTIFIED {BY password | EXTERNALLY} ]

Example: Change the password of user userTest to ptest.

ALTER USER userTest IDENTIFIED BY ptest;

11.1.4 Changing the tablespace usage quota

In some cases the tablespace quota may need to be changed, for example when:

- The user's tables cannot be extended to store any more data.
- Applications are enhanced and require additional tables or indexes.
- Objects are reorganized and placed on several different tablespaces.

Syntax:

ALTER USER user_name
[ DEFAULT TABLESPACE tablespace_name ]
[ TEMPORARY TABLESPACE tablespace_name ]
[ QUOTA { integer [K | M] | UNLIMITED } ON tablespace_name
[ QUOTA { integer [K | M] | UNLIMITED } ON tablespace_name ] ... ]

Example: Raise the quota for user userTest to 2M.

ALTER USER userTest QUOTA 2M ON USERS;

11.1.5 Dropping a user

Syntax:

DROP USER user_name [CASCADE]

Note: CASCADE drops all objects in the schema before dropping the user. It must be specified when the schema contains objects. Users who are currently connected to the Oracle server cannot be dropped.

11.1.6 Viewing user information

Information about users is available in the data dictionary views DBA_USERS and DBA_TS_QUOTAS. For each user, the quota information can be determined.

Example: view the quota information of user userTest.

-- Unquoted names such as userTest are stored in upper case in the data dictionary.
SELECT tablespace_name, blocks, max_blocks, bytes, max_bytes
FROM dba_ts_quotas
WHERE username = 'USERTEST';

If the result contains the value -1 in the MAX_BLOCKS and MAX_BYTES columns, the quota is unlimited (UNLIMITED).

Information about user accounts can also be retrieved. Example:

SELECT username, account_status, temporary_tablespace FROM dba_users;
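An account review that ties together the default-password warning, account locking and quotas from section 11.1, as an added example that is not part of the original text. It assumes a DBA session on Oracle Database 11g or later (where the DBA_USERS_WITH_DEFPWD view exists); the password values are placeholders.

```sql
-- 1. Accounts that still use a vendor default password
--    (for example SYS/change_on_install or SYSTEM/manager).
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY d.username;

-- 2. Replace the default passwords. The quoted values are placeholders,
--    not real passwords; choose your own.
ALTER USER sys    IDENTIFIED BY "<new_sys_password>";
ALTER USER system IDENTIFIED BY "<new_system_password>";

-- 3. Lock an account that should not log in and force a password change
--    when it is unlocked (userTest is the sample user from the text).
ALTER USER userTest ACCOUNT LOCK PASSWORD EXPIRE;

-- 4. Accounts that can still connect: anything not locked deserves a look.
SELECT username, account_status, default_tablespace
FROM   dba_users
WHERE  account_status NOT LIKE '%LOCKED%'
ORDER  BY username;

-- 5. Users without a storage ceiling: an unlimited quota (MAX_BYTES = -1)
--    on a tablespace, or the UNLIMITED TABLESPACE system privilege.
SELECT username, tablespace_name, 'QUOTA UNLIMITED' AS reason
FROM   dba_ts_quotas
WHERE  max_bytes = -1
UNION ALL
SELECT grantee, NULL, 'UNLIMITED TABLESPACE'
FROM   dba_sys_privs
WHERE  privilege = 'UNLIMITED TABLESPACE'
ORDER  BY 1, 2;
```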

11.2 Privilege management

Each user that is created can be granted two kinds of privileges:

- System privileges: these allow the user to perform a certain operation in the database, such as creating a table or a view.
- Object privileges: these allow the user to perform a certain operation on a database object, such as SELECT, INSERT or UPDATE on a particular table.

11.2.1 System privileges

11.2.1.1 Types of system privileges

Oracle database has about 140 system privileges, and the number keeps growing. System privileges can be divided as follows:

- Privileges that allow access operations and the creation of storage on the system, for example CREATE SESSION, CREATE TABLESPACE.
- Privileges that allow management of objects belonging to one user, for example CREATE TABLE.
- Privileges that allow management of objects in any schema, for example CREATE ANY TABLE.

Privileges are controlled with the GRANT and REVOKE statements.

Category      Common privileges
TABLE         CREATE TABLE
              CREATE ANY TABLE
              ALTER ANY TABLE
              DROP ANY TABLE
              SELECT ANY TABLE
              UPDATE ANY TABLE
              DELETE ANY TABLE
SESSION       CREATE SESSION
              ALTER SESSION
              RESTRICTED SESSION
TABLESPACE    CREATE TABLESPACE
              ALTER TABLESPACE
              DROP TABLESPACE
              UNLIMITED TABLESPACE

Table 1. Some common system privileges

Note:

- CREATE SESSION is the minimum privilege a user needs in order to connect to the database.
- Privileges such as CREATE TABLE, CREATE PROCEDURE and CREATE TRIGGER include the privilege to drop those objects.
- CREATE TABLE includes the CREATE INDEX and ANALYZE privileges. With this privilege, the user also needs a quota on a tablespace or must be granted UNLIMITED TABLESPACE.
- To remove all data (truncate) from tables, the DROP ANY TABLE privilege must be used.

11.2.1.2 Granting system privileges

Use the following syntax to grant system privileges to a user:
GRANT {system_privilege|role_name} [, {system_privilege|role_name} ]...
TO {user_name|role_name|PUBLIC} [, {user_name|role_name|PUBLIC} ]...
[WITH ADMIN OPTION]

Where:

- system_privilege: the system privilege to grant.
- role_name: the name of the Role to grant.
- PUBLIC: grants the system privilege to all users.
- WITH ADMIN OPTION: allows the grantee to grant the privilege or Role to other users.

Example:

GRANT CREATE SESSION, CREATE TABLE TO userTest;

Or, to let userTest pass its own privileges on to other users, add the WITH ADMIN OPTION clause:

GRANT CREATE SESSION, CREATE TABLE TO userTest WITH ADMIN OPTION;

Some guidelines:

- A user granted privilege a with WITH ADMIN OPTION can go on to grant privilege a to another user, even with WITH ADMIN OPTION.
- Any user with the GRANT ANY ROLE privilege can grant any privilege in the database to other users.
- A user granted privilege a with WITH ADMIN OPTION can grant this privilege to, or revoke it from, any user or role in the database.

11.2.1.3 Revoking system privileges

Use the following syntax to take back system privileges:

REVOKE {system_privilege|role_name} [, {system_privilege|role_name} ]...
FROM {user_name|role_name|PUBLIC} [, {user_name|role_name|PUBLIC} ]...

Example:

REVOKE CREATE TABLE FROM userTest;

Note:

- REVOKE can only take back privileges that were granted to the user directly with GRANT.
- Revoking system privileges can affect dependent objects. For example, if SELECT ANY TABLE is granted to a user and that user has procedures or views that use tables belonging to other users, revoking the privilege makes those procedures or views invalid.

11.2.1.4 Viewing information about system privileges

Information about privileges is taken from the data dictionary views DBA_SYS_PRIVS and SESSION_PRIVS. The information includes:

- DBA_SYS_PRIVS: GRANTEE, PRIVILEGE, ADMIN_OPTION
- SESSION_PRIVS: PRIVILEGE

Example 1: List the system privileges granted to users and roles.

SELECT * FROM DBA_SYS_PRIVS;

Example 2: Find out which privileges the current user has.

SELECT * FROM SESSION_PRIVS;
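A review of the grants that section 11.2.1 singles out (WITH ADMIN OPTION, the ANY privileges, PUBLIC), as an added example that is not part of the original text. It assumes a DBA session; the exclusion list of expected administrative grantees is an assumption to adapt per site.

```sql
-- 1. Grantees that can pass a system privilege on (WITH ADMIN OPTION).
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  admin_option = 'YES'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')   -- assumed baseline
ORDER  BY grantee, privilege;

-- 2. "ANY" privileges, which apply to objects in every schema.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege LIKE '% ANY %'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'DBA')   -- assumed baseline
ORDER  BY grantee, privilege;

-- 3. System privileges granted to PUBLIC, that is, to every user.
SELECT privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC'
ORDER  BY privilege;

-- 4. Removing only the ADMIN OPTION from userTest: the privilege has to be
--    revoked and granted again without the clause.
REVOKE CREATE TABLE FROM userTest;
GRANT  CREATE TABLE TO userTest;

-- 5. Revoking a system privilege does not cascade: users who received
--    CREATE TABLE from userTest keep it, and DBA_SYS_PRIVS has no GRANTOR
--    column, so every remaining holder has to be reviewed.
SELECT grantee, admin_option
FROM   dba_sys_privs
WHERE  privilege = 'CREATE TABLE'
ORDER  BY grantee;
```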

11.2.2 Object privileges

11.2.2.1 Privileges on objects

An object privilege granted to a user is an operation that the user can perform on that object. The table below lists the common privileges that can be granted on an object:

Privilege   Table   View   Procedure
ALTER       X
DELETE      X       X
EXECUTE                    X
INSERT      X       X
SELECT      X       X
UPDATE      X       X

Table 2. Some common object privileges

11.2.2.2 Granting object privileges

Use the following syntax to grant a privilege on an object:

GRANT { object_privilege [(column_list)] [, object_privilege [(column_list)] ]... | ALL [PRIVILEGES] }
ON [schema_name.]object_name
TO {user_name|role_name|PUBLIC} [, {user_name|role_name|PUBLIC} ]...
[WITH GRANT OPTION]

Where:

- object_privilege: the object privilege to grant.
- column_list: the columns of a table or view (this option is used only when granting the INSERT or UPDATE privileges).
- ALL: grants all privileges on the object that were granted with WITH GRANT OPTION.
- object_name: the object on which the privileges are granted.
- WITH GRANT OPTION: allows the grantee to grant the privileges to another user.

Note: To grant privileges on an object, the object must belong to the schema of the user issuing the grant, or that user must hold the privilege WITH GRANT OPTION. By default, if an object belongs to a user, that user has all privileges on the object. The WITH GRANT OPTION option cannot be used when granting object privileges to Roles.

Example: Log in with the account of user scott and password tiger, then grant the privileges to view and update data in table Emp to userTest.

GRANT select, update ON Emp TO userTest;

11.2.2.3 Revoking object privileges

Use the following syntax to take back granted privileges:

REVOKE { object_privilege [, object_privilege]... | ALL [PRIVILEGES] }
ON [schema_name.]object_name
FROM {user_name|role_name|PUBLIC} [, {user_name|role_name|PUBLIC} ]...
[CASCADE CONSTRAINTS]

Where:

- object_privilege: the privilege on the object that was granted.
- ALL: revokes all privileges on the object that were granted to the user.
- ON: the object on which the object privileges are revoked.
- FROM: the user or role the privileges are revoked from.
- CASCADE CONSTRAINTS: drops all referential constraints that the revokee defined using the REFERENCES or ALL privilege.

Example: Log in with the account of user scott and password tiger, then revoke the privilege to update data in table Emp from userTest.

REVOKE update ON Emp FROM userTest;

11.2.2.4 Information about object privileges

Information about privileges is stored in the data dictionary. Some of the information of interest:

- DBA_TAB_PRIVS: GRANTEE, OWNER, TABLE_NAME, GRANTOR, PRIVILEGE, GRANTABLE
- DBA_COL_PRIVS: GRANTEE, OWNER, TABLE_NAME, COLUMN_NAME, GRANTOR, PRIVILEGE, GRANTABLE

Example: The DBA can query DBA_TAB_PRIVS to get information about the object privileges granted to user userTest.

-- Unquoted names such as userTest are stored in upper case in the data dictionary.
SELECT * FROM dba_tab_privs WHERE GRANTEE = 'USERTEST';
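A walk through a column-level grant, WITH GRANT OPTION and what a later REVOKE removes, checked against DBA_TAB_PRIVS and DBA_COL_PRIVS; this is an added example, not part of the original text. userTest2 is a hypothetical second user, sal is assumed to be a column of scott's Emp table, and the comments mark which session runs each statement.

```sql
-- Session: scott (owner of Emp).
-- Column-level grant: userTest may update only the sal column.
GRANT UPDATE (sal) ON Emp TO userTest;
-- Table-level grant that userTest is allowed to pass on.
GRANT SELECT ON Emp TO userTest WITH GRANT OPTION;

-- Session: userTest. Pass SELECT on to a second user.
GRANT SELECT ON scott.Emp TO userTest2;

-- Session: DBA. Table-level grants on SCOTT.EMP, with who granted them.
-- Expect USERTEST (grantor SCOTT, grantable YES) and
-- USERTEST2 (grantor USERTEST, grantable NO).
SELECT grantee, grantor, privilege, grantable
FROM   dba_tab_privs
WHERE  owner = 'SCOTT' AND table_name = 'EMP'
ORDER  BY grantee, privilege;

-- Column-level grants are recorded separately, in DBA_COL_PRIVS.
SELECT grantee, column_name, privilege, grantable
FROM   dba_col_privs
WHERE  owner = 'SCOTT' AND table_name = 'EMP'
ORDER  BY grantee, column_name;

-- Session: scott. Revoking an object privilege cascades: the SELECT that
-- userTest passed to userTest2 is removed as well. System privileges
-- granted WITH ADMIN OPTION behave differently and do not cascade.
REVOKE SELECT ON Emp FROM userTest;

-- Session: DBA. Neither USERTEST nor USERTEST2 should be listed any more.
SELECT grantee, grantor, privilege
FROM   dba_tab_privs
WHERE  owner = 'SCOTT' AND table_name = 'EMP' AND privilege = 'SELECT';
```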

11.3 Role management

11.3.1 The Role concept

Suppose a database needs to grant the same M privileges to N users who have the same function in the system; the system then has to perform N*M grant operations. Moreover, if after some time the system needs to revoke one privilege from these N users, it has to perform N revoke operations. Because the grant and revoke operations are the same for every user, the work becomes tedious and time-consuming.

The idea here is to use a group of privileges. The group is granted to the users who have the same function in the system, and granting or revoking a privilege on the group directly affects the users who belong to it. Granting privileges therefore becomes lighter and more flexible. Following this idea, Oracle provides a tool for managing privileges easily through roles. A Role is a set of privileges identified by its own name that can be granted to users or to other Roles.

Figure 8. Roles in the database

11.3.2 Properties of Roles

- They are granted to and taken back from users.
- A role can be granted to any user, but not to itself.
- They can contain both system privileges and object privileges.
- Roles granted to users can be enabled and disabled.
- A password can be required to enable a Role.
- Role names must not duplicate user names or the names of existing Roles.
- They are not owned by any user and do not belong to any schema.

11.3.3 Benefits of using Roles

- Less work granting privileges: Roles simplify privilege management by granting a set of privileges to users. Privileges can be granted to a Role, and the Role then granted to users.
- Flexible privilege management: when the privileges in a Role change, the privileges of all users granted that Role change accordingly.

11.3.4 Creating a role

A role that is created must not have the same name as a user or another role.

Syntax:
CREATE ROLE role_name [NOT IDENTIFIED | IDENTIFIED {BY password | EXTERNALLY}]

Where:

- role_name: the name of the Role.
- NOT IDENTIFIED: no check is required when the Role is enabled.
- BY password: the password the user must supply when enabling the Role.
- EXTERNALLY: the user must be authenticated by an external service (such as the operating system or a third-party service) before the Role is enabled.

Example: Create a role named StudentsGroup.

CREATE ROLE StudentsGroup;

11.3.5 Modifying Roles

Syntax:

ALTER ROLE role_name {NOT IDENTIFIED | IDENTIFIED {BY password | EXTERNALLY}};

Where:

- role_name: the name of the Role to change.
- NOT IDENTIFIED: no authentication is required when the Role is enabled.
- IDENTIFIED: authentication is required when the Role is enabled.
- BY password: the password used for authentication when the Role is enabled.
- EXTERNALLY: the user must be authenticated by an external service (authentication by the operating system).

11.3.6 Granting privileges to a Role

The syntax is the same as for granting privileges to a user.

11.3.7 Granting Roles to users

Syntax:

GRANT role_name [, role_name ]...
TO {user_name|role_name|PUBLIC} [, {user_name|role_name|PUBLIC} ]...
[WITH ADMIN OPTION]

Where:

- role_name: the name of the Role.
- user_name: the name of the user being assigned to Role_name.
- role_name: the name of the Role being assigned to Role_name.
- PUBLIC: grants to all users.
- WITH ADMIN OPTION: allows the user granted the Role to grant that Role to other users.

Example:

GRANT StudentsGroup TO userTest;

11.3.8 Revoking Roles from users

Use the following syntax to revoke Roles from users:

REVOKE role_name [, role_name ]...
FROM {user_name|role_name|PUBLIC} [, {user_name|role_name|PUBLIC} ]...

Where:

- role_name: the names of the Roles to revoke.
- user_name: the name of the user the Role is revoked from.
- role_name: the names of the Roles the Role is revoked from.
- PUBLIC: revokes the privileges or Roles from all users.

Example: Remove userTest from the role StudentsGroup.

REVOKE StudentsGroup FROM userTest;

11.3.9 Dropping Roles

To drop a Role from the database, use the following statement:

DROP ROLE role_name;

11.3.10 Predefined Roles

Role name               Description
CONNECT, RESOURCE       Roles provided for compatibility with earlier versions
DBA                     All system privileges, with the option WITH ADMIN OPTION
EXP_FULL_DATABASE       Privilege to export the database's data
IMP_FULL_DATABASE       Privilege to import data into the database
DELETE_CATALOG_ROLE     Privilege to delete data
EXECUTE_CATALOG_ROLE    Privilege to execute a procedure
SELECT_CATALOG_ROLE     Privilege to retrieve data

The roles named DELETE_CATALOG_ROLE, EXECUTE_CATALOG_ROLE and SELECT_CATALOG_ROLE allow access to the views and packages in the data dictionary. These Roles can be granted to users who do not have the DBA privilege but want to view information in the tables and views of the data dictionary.

11.3.11 Information about roles

Information about Roles is taken from the data dictionary. Many tables and views hold information about the privileges granted to users.

View name          Description
DBA_ROLES          All Roles in the database
DBA_ROLE_PRIVS     Roles granted to users or to other Roles
ROLE_ROLE_PRIVS    Roles granted to other Roles
DBA_SYS_PRIVS      System privileges granted to users or Roles
ROLE_SYS_PRIVS     System privileges granted to Roles
ROLE_TAB_PRIVS     Table privileges granted to Roles
SESSION_ROLES      Roles currently enabled for the current user

Table 4. Information about roles

Example: View information about the privileges granted to users.

SELECT Role, password_required FROM dba_Roles;
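The role workflow of section 11.3 from creation to review, ending with a query that resolves what a user actually holds through roles, including roles granted to roles; this is an added example, not part of the original text. It assumes a DBA session; userTest2 is a hypothetical second member, and StudentsGroup, userTest and scott.Emp are the sample names used in the text.

```sql
-- M privileges are granted once to the role ...
CREATE ROLE StudentsGroup;
GRANT CREATE SESSION, CREATE TABLE TO StudentsGroup;
-- (object grants need the owner or GRANT ANY OBJECT PRIVILEGE)
GRANT SELECT ON scott.Emp TO StudentsGroup;

-- ... and the role once to each of the N users: N + M statements, not N * M.
GRANT StudentsGroup TO userTest, userTest2;

-- A single REVOKE on the role changes every member at once.
REVOKE CREATE TABLE FROM StudentsGroup;

-- Effective system privileges of USERTEST: direct grants plus everything
-- reached through roles, followed transitively through DBA_ROLE_PRIVS.
WITH granted_roles AS (
  SELECT DISTINCT granted_role
  FROM   dba_role_privs
  START  WITH grantee = 'USERTEST'
  CONNECT BY PRIOR granted_role = grantee
)
SELECT sp.grantee AS via, sp.privilege, sp.admin_option
FROM   dba_sys_privs sp
WHERE  sp.grantee = 'USERTEST'
   OR  sp.grantee IN (SELECT granted_role FROM granted_roles)
ORDER  BY via, sp.privilege;

-- Object privileges that reach USERTEST the same way.
SELECT tp.grantee AS via, tp.owner, tp.table_name, tp.privilege
FROM   dba_tab_privs tp
WHERE  tp.grantee = 'USERTEST'
   OR  tp.grantee IN (SELECT granted_role
                      FROM   dba_role_privs
                      START  WITH grantee = 'USERTEST'
                      CONNECT BY PRIOR granted_role = grantee)
ORDER  BY via, tp.owner, tp.table_name;

-- Members who can hand the role to others (granted WITH ADMIN OPTION).
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  admin_option = 'YES' AND granted_role = 'STUDENTSGROUP';
```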
