
Oracle 12c: SQL 7-1

Chapter 7
User Creation and Management

At a Glance
Instructor’s Notes
♦ Chapter Overview

♦ Chapter Objectives

♦ Instructor Notes

♦ Troubleshooting Tips

♦ Quick Quizzes

♦ Discussion Questions

♦ Key Terms

Chapter Overview
The purpose of this chapter is to demonstrate the requirements for connecting a new user to an
Oracle database. Users need both a valid account and the CREATE SESSION privilege. In
addition, account management and security concepts are discussed. Strategies to simplify
privilege administration are presented in terms of roles.

Students must have the CREATE USER privilege to create the user accounts in this chapter. In
addition, students must have been granted CREATE SESSION privilege with the WITH
ADMIN OPTION to grant this privilege to new accounts. To create the role examples, the
students will need the CREATE ROLE system privilege.

Chapter Objectives
After completing this chapter, you should be able to do the following:

♦ Explain the concept of data security
♦ Create a new user account
♦ Identify two types of privileges: system and object
♦ Grant privileges to a user
♦ Address password expiration requirements
♦ Change the password of an existing account
♦ Create a role
♦ Grant privileges to a role
♦ Assign a user to a role
♦ View privilege information
♦ Revoke privileges from a user and a role
♦ Remove a user and roles

Instructor Notes
If you issue student Oracle accounts on a school server, assigning users account creation
privileges may not be an option. Please review the Instructor’s Setup Guide provided in the
Instructor Downloads area for suggestions in providing students limited access enabling
experimentation with much of the chapter content.

Data Security
Recent events have caused more attention to be focused in the areas of cyberterrorism and the
need for network security. Due to the type of detailed personal information contained in the
databases of government and business organizations, organizations are expected, even required,
to protect this information. It is not uncommon for a company whose database has been illegally
accessed to be sued for negligence due to lack of proper security measures. Oracle 12c supports
various levels of security, especially for verifying user identity, including support for third-party
biometric devices.

Quick Quiz
1. What is the purpose of authentication?
ANSWER: To ensure that users are who they claim they are

2. Why is authentication necessary?
ANSWER: To protect the data contained in the database

3. What is a standard authentication procedure used by most organizations before access to
the database is allowed?
ANSWER: A valid user name and password

4. What term is used to describe individuals who gain illegal access to a system?
ANSWER: Hackers

Creating a User
When a user account is created, a password must be assigned. It is preferable to immediately
expire the password, which will force the user to change the DBA-assigned password as soon as
the user first successfully connects to the database. Although a user may have a valid user
account, this does not imply that the user will be able to access the database. Privileges will still be
required, even with a valid account.

Troubleshooting Tip: Have the students create a user account and then attempt to
connect to the database to demonstrate the need for the CREATE SESSION privilege.

Quick Quiz
1. What clause is used with the CREATE USER command to specify a password for the
user?
ANSWER: IDENTIFIED BY

2. How can a user disconnect and reconnect to an Oracle database in one step?
ANSWER: Use the CONNECT command

3. What is the maximum number of characters for a user name?
ANSWER: 30

4. Does having a valid user account allow a user to connect to a database?
ANSWER: No, the correct privilege must be assigned.

5. What symbols can be included in a user name?
ANSWER: Underscore, dollar sign, and number sign

Assigning User Privileges
There are two categories of privileges: object and system privileges. Although the GRANT
command is used to assign both types of privileges, they cannot be included in the same GRANT
command because object privileges require use of the ON clause. A user will automatically have
all privileges associated with objects he or she created.

Troubleshooting Tip: Remind students that the ADMIN keyword is associated with
system privileges, whereas the GRANT keyword is associated with object privileges,
and that a cascade effect can occur when revoking object privileges.
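
The account-creation and privilege rules from the two sections above, as one Oracle script. This is an added example, not part of the textbook or its instructor materials; the user names, passwords, the CUSTOMERS table and the app_owner schema name are constructed, and the DBA_ views are assumed to be readable by the account running it.

```sql
-- Added example for Oracle 12c. RTHOMAS, JSMITH, the passwords and the
-- CUSTOMERS table (owned by the account running this script) are constructed.

-- 1. Create accounts with a temporary password that expires immediately.
CREATE USER rthomas IDENTIFIED BY "Tmp_Pw#4821" PASSWORD EXPIRE;
CREATE USER jsmith  IDENTIFIED BY "Tmp_Pw#7315" PASSWORD EXPIRE;

-- 2. The accounts exist but cannot log on yet. A connection attempt returns
--    ORA-01045: user RTHOMAS lacks CREATE SESSION privilege; logon denied
--    The expired password is visible in ACCOUNT_STATUS.
SELECT username, account_status, expiry_date
FROM   dba_users
WHERE  username IN ('RTHOMAS', 'JSMITH');

-- 3. System privilege: no ON clause. WITH ADMIN OPTION lets the grantee
--    pass the privilege on, so give it only to accounts that administer others.
GRANT CREATE SESSION TO rthomas WITH ADMIN OPTION;
GRANT CREATE SESSION TO jsmith;

-- 4. Object privilege: requires ON. WITH GRANT OPTION is its counterpart.
GRANT SELECT, UPDATE ON customers TO rthomas WITH GRANT OPTION;

-- 5. Connected as RTHOMAS (after the forced password change), pass SELECT on.
--    Replace app_owner with the schema that owns CUSTOMERS (assumed name):
--    GRANT SELECT ON app_owner.customers TO jsmith;

-- 6. Revoking the object privilege from RTHOMAS cascades: the grant RTHOMAS
--    made to JSMITH in step 5 is removed as well.
REVOKE SELECT, UPDATE ON customers FROM rthomas;

-- 7. Revoking a system privilege does not cascade. A CREATE SESSION grant
--    that RTHOMAS had passed on would stay in place and needs its own REVOKE.
REVOKE CREATE SESSION FROM rthomas;

-- 8. Confirm what each account still holds.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee IN ('RTHOMAS', 'JSMITH');

SELECT grantee, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantee IN ('RTHOMAS', 'JSMITH');
```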

Quick Quiz
1. What is the difference between system privileges and object privileges?
ANSWER: Object privileges are granted on specific objects, whereas system privileges
apply across the entire database.

2. Which type of privilege is the WITH ADMIN OPTION used with?
ANSWER: System privileges

3. What does the ALL keyword specify?
ANSWER: That all privileges of that type (system or object) are being granted to the
indicated user(s)

4. What does the PUBLIC keyword specify?
ANSWER: That the specified privilege(s) is granted to all users

5. Which privilege is required for a user to connect to a database?
ANSWER: CREATE SESSION privilege

Utilizing Roles
Roles can be used to organize privileges granted to users. They can be organized based on the
type of tasks that need to be performed by users. A default role can be established for users.
However, users have the ability to enable other assigned roles when needed using the SET ROLE
command.

Troubleshooting Tip: Demonstrate the number of steps that would be required to
assign privileges to new users versus assigning the privileges via
a role that has already been created.

Quick Quiz
1. What is a role?
ANSWER: A collection of privileges

2. Which option, the WITH ADMIN OPTION or WITH GRANT OPTION, cannot be used
when a privilege is assigned to a role?
ANSWER: WITH GRANT OPTION

3. How can a user be assigned a default role?
ANSWER: Use the DEFAULT ROLE keywords

4. Can a password be assigned to a role?
ANSWER: Yes

5. How many roles can a user have enabled at a time?
ANSWER: One

Viewing Privilege Information
Various data dictionary views can be queried to determine the privileges currently assigned
to a user or role.

Removing Privileges and Roles
When a privilege is revoked from a user or a role, the effect is immediate and the user will no
longer be able to use that privilege. However, if a role is revoked from the user and the role was
enabled at the time it was revoked, the user will be able to use the privileges assigned to that role
for the remainder of the current session. The role will not be available at the time of the next
session.
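
The role workflow from the last three sections (create, grant, assign, review, revoke, remove) as one Oracle script. This is an added example, not part of the textbook or its instructor materials; the role names, the MGARCIA account, the passwords and the ORDERS table are constructed, and the DBA_ views are assumed to be readable by the account running it.

```sql
-- Added example for Oracle 12c. The roles, the MGARCIA account, the passwords
-- and the ORDERS table (owned by the account running this script) are constructed.
CREATE USER mgarcia IDENTIFIED BY "Tmp_Pw#3907" PASSWORD EXPIRE;

-- 1. One role per job duty; the more powerful role is password-protected.
CREATE ROLE order_entry;
CREATE ROLE order_admin IDENTIFIED BY "Role_Pw#5590";

-- 2. Privileges are granted to the role once instead of to every user.
GRANT CREATE SESSION TO order_entry;
GRANT SELECT, INSERT ON orders TO order_entry;
GRANT SELECT, UPDATE, DELETE ON orders TO order_admin;

-- 3. Assign both roles; only the low-privilege role is enabled at logon.
GRANT order_entry, order_admin TO mgarcia;
ALTER USER mgarcia DEFAULT ROLE order_entry;

-- 4. Connected as MGARCIA, enable the protected role only when it is needed
--    and check which roles the session has enabled:
--    SET ROLE order_admin IDENTIFIED BY "Role_Pw#5590";
--    SELECT role FROM session_roles;

-- 5. Review: roles held by the user, then privileges held by each role.
SELECT granted_role, admin_option, default_role
FROM   dba_role_privs
WHERE  grantee = 'MGARCIA';

SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  grantee IN ('ORDER_ENTRY', 'ORDER_ADMIN');

SELECT grantee, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee IN ('ORDER_ENTRY', 'ORDER_ADMIN');

-- 6. Revoke a single privilege from a role, then the role from the user.
REVOKE DELETE ON orders FROM order_admin;
REVOKE order_admin FROM mgarcia;

-- 7. Remove the role and the account when they are no longer needed.
DROP ROLE order_admin;
DROP USER mgarcia;
```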

Quick Quiz
1. What command is used to revoke a system privilege from a role?
ANSWER: REVOKE

2. How can you change a user name?
ANSWER: Drop the user account and create another one using the correct name

3. What command is used to delete a role?
ANSWER: DROP ROLE

4. Which type of privilege could have a cascade effect on other users when it is revoked?
ANSWER: An object privilege granted with the WITH GRANT OPTION

5. What command is used to remove a user from the database?
ANSWER: DROP USER

Discussion Questions
1. How could roles be used to simplify the administration of privileges in a large
organization that consists of eight departments and a minimum of three levels of
management within each department?

2. Describe different roles that an insurance company might create to manage user groups.

Key Terms
authentication — The process of validating the identity of computer users.

coding scheme — When a DBA creates a user account, the user's identity is set by using a code;
the "scheme" of the code often consists of the user’s first initial followed by last name. Used
widely in industry for part numbers, customer numbers, etc.

hackers — A slang term generally applied to computer criminals who gain illegal access to
information systems.

object privileges — Allow users to perform DML or retrieval operations on the data contained
within database objects.

privileges — Allow database access to users. Oracle 12c has system privileges and object
privileges.

role — A group, or collection, of privileges. In most organizations, roles correlate to users' job
duties.

system privileges — Allow access to the Oracle 12c database and let users perform DDL
operations such as CREATE, ALTER, and DROP on database objects. An object privilege
combined with the keyword ANY is also considered a system privilege.
