ch10.htm

Teach yourself Oracle8 in 21 day

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>

	<TITLE>Teach Yourself Oracle 8 In 21 Days -- Ch 10 -- Administering User Accounts</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../buttonart/sams.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Teach Yourself Oracle 8 In 21 Days</FONT></H1>
</CENTER>
<CENTER>
<P><A HREF="../ch09/ch09.htm"><IMG SRC="../buttonart/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch11/ch11.htm"><IMG
SRC="../buttonart/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../buttonart/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">- Day 10 -<BR>
Administering User Accounts</FONT></H1>
</CENTER>
<P>Today you will learn how to administer user accounts in the Oracle RDBMS. You
will see how user accounts, profiles, and roles are defined and modified. Administering
user accounts is probably the most common job of the Oracle DBA because new user
accounts are constantly being added or modified. You will see in this lesson how
this task is simplified by using roles and profiles.</P>
<P>Oracle security is administered differently depending on what resource is needed.
Access to the database is allowed or disallowed based on a user ID. This user ID
has permissions associated with it. These permissions can be assigned either individually
or via a role or profile.</P>
<P><FONT COLOR="#000077"><B>New Term:</B></FONT><B> </B>Roles and profiles each control
a different type of resource. A <I>role</I> is used to assign privileges that allow
the user to access different objects and operations; a <I>profile</I> is used to
control the amount of system resources that the user is allowed to consume.</P>
<P>A user can be assigned both a role and a profile as necessary. You will learn
more about roles and profiles as the lesson continues.
<H2><FONT COLOR="#000077"><B>Creating User Accounts</B></FONT></H2>
<P>You can create user accounts with Enterprise Manager, Security Manager, or the
<TT>CREATE USER</TT> command. You will essentially be doing the same job no matter
which of these tools you use. I present all three of these methods in the following
sections.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>You must have the <TT>CREATE USER</TT>
	system privilege to create a new user. 
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Creating User Accounts with Enterprise Manager</B></FONT></H3>
<P>To create user accounts with Enterprise Manager, go into Enterprise Manager and
drill down into the database where you want to add a user or users. Below the Databases
entry you will see a number of different symbols representing different objects.
By right-clicking the Users entry, you will be presented with a menu. From this menu,
click the Create button to invoke the Create User screen, shown in Figure 10.1.</P>
<P><A NAME="01"></A><A HREF="01.htm"><B>Figure 10.1.</B></A></P>
<P><I>The Create User screen.</I></P>
<P>In this screen you need to fill out the username, the profile (if you aren't using
<TT>DEFAULT</TT>), authentication information such as where the password is taken
from and what that password is, and the default and temporary tablespaces that this
user will use. You also need to specify whether the user account will be locked or
unlocked when created. As always, I have clicked the Show SQL button to display the
SQL statement that will create this user. A filled-in Create User screen is shown
in Figure 10.2. As you can see, I've identified this user's name, profile (if not
<TT>DEFAULT</TT>), default tablespace, and temporary space. I've also given this
user an initial password for security.</P>
<P><A NAME="02"></A><A HREF="02.htm"><B>Figure 10.2.</B></A></P>
<P><I>The Create User screen.</I></P>
<P>If you want to create a user account that is identical to another user account
already defined in the system, you can right-click the user account you will be utilizing
as a template and select the Create Like button.</P>
<P>This will again invoke the Create User screen, this time with the values used
by the selected user <TT>SYS2</TT> already in place, as shown in Figure 10.3.</P>
<P><A NAME="03"></A><A HREF="03.htm"><B>Figure 10.3.</B></A></P>
<P><I>The Create User screen with the values of user <TT>SYS2</TT> already in place.</I></P>
<P>With this function, you can essentially clone user accounts to a new username.
If you are adding a large number of user accounts that all require the same profile
and tablespaces, this can be a real timesaver. It is also possible to add user accounts
with Security Manager.
<H3><FONT COLOR="#000077"><B>Creating User Accounts with Security Manager</B></FONT></H3>
<P>As with Enterprise Manager, you can create user accounts with Security Manager.
When you invoke Security Manager and click the Users icon, you will see the already-created
user accounts on the left side of the screen and a wealth of information about the
user accounts on the right side, as shown in Figure 10.4.</P>
<P><A NAME="04"></A><A HREF="04.htm"><B>Figure 10.4.</B></A></P>
<P><I>The main screen of Security Manager.</I></P>
<P>This information includes the following for each user:

<UL>
	<LI>Username.
	<P>
	<LI>Account Status--Whether the account is online.
	<P>
	<LI>Expire Date--When the password will expire.
	<P>
	<LI>Authentication--Whether it's done by OS, by password file, and so on.
	<P>
	<LI>Default Tablespace--Where the user's schema objects are, by default.
	<P>
	<LI>Temporary Tablespace--Where the user's sorts will take place (if needed).
	<P>
	<LI>Profile--The user's profile.
</UL>

<P>By right-clicking on the Users entry, you can invoke the Create User screen as
shown in Figure 10.1. As you can see, this is the same Create User screen that you
have seen with Enterprise Manager. The function is the same: Just fill in the boxes
and click the OK button, and the new user will be created. As with Enterprise Manager,
by right-clicking on a user's icon you will get the option to Create Like that user,
as shown in Figure 10.5.</P>
<P><A NAME="05"></A><A HREF="05.htm"><B>Figure 10.5.</B></A></P>
<P><I>You can choose Create Like from the right-click menu to base a new user on
an existing user.</I></P>
<P>By filling out this screen, you will be able to create a user identical to an
existing user but with a different username.</P>
<P>As you will see in the next section, there are many more options available with
the command function <TT>CREATE USER</TT> than with Enterprise Manager or Security
Manager.
<H3><FONT COLOR="#000077"><B>Creating User Accounts with the </B>CREATE USER<B> Command</B></FONT></H3>
<P>The new user account can also be created with the <TT>CREATE USER</TT> command.
This command supports more options than Enterprise Manager or Security Manager.
<H4><FONT COLOR="#000077"><B>The Syntax for the </B>CREATE USER<B> Command</B></FONT></H4>
<P>The <TT>CREATE USER</TT> command is run with the following syntax:</P>
<P><B>SYNTAX:</B></P>
<PRE><FONT COLOR="#0066FF">CREATE USER user_name
IDENTIFIED BY password 
     or IDENTIFIED EXTERNALLY 
     or IDENTIFIED GLOBALLY 
AS `CN=user'
[ DEFAULT TABLESPACE ts_name ]
[ TEMPORARY TABLESPACE ts_name ]
[ QUOTA [ number K or M or UNLIMITED ] ON ts_name ]
[, QUOTA [ number K or M or UNLIMITED ] ON ts_name ]
[ PROFILE profile_name ]
[ PASSWORD EXPIRE ]
[ ACCOUNT LOCK or ACCOUNT UNLOCK ]
</FONT></PRE>
<P>The parameters for this command are

<UL>
	<LI><TT>CREATE USER </TT>user_name--The <TT>CREATE USER</TT> command requires a username
	for the user you want to create.
	<P>
	<LI><TT>IDENTIFIED BY</TT>password--Oracle internally maintains a password for this
	user. This is the original password that is created.
	<P>
	<LI><TT>IDENTIFIED EXTERNALL</TT> --The username is authenticated in the OS. The
	username must be identical to the username defined in the OS.
	<P>
	<LI><TT>IDENTIFIED GLOBALLY AS `CN</TT>user<TT>'</TT>--The username is authenticated
	by the Oracle security domain central server. The <TT>CN</TT> name identifies the
	external name of the user.
</UL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>One of the previous three qualifiers
	must be used in the <TT>CREATE USER</TT> command or the command will fail. 
<HR>


</BLOCKQUOTE>


<UL>
	<LI><TT>DEFAULT TABLESPACE </TT>ts_name--The default tablespace to which the user
	is connected. If not specified, the <TT>SYSTEM</TT> tablespace will be used.
	<P>
	<LI><TT>TEMPORARY TABLESPACE</TT>ts_name--The temporary tablespace that the user
	will use by default. If not specified, the <TT>SYSTEM</TT> tablespace will be used.
	<P>
	<LI><TT>QUOTA</TT>number<TT> K or M ON </TT>ts_name--Specifies that the user has
	a quota of number<I> </I><TT>K</TT> (kilobytes) or <TT>M</TT> (megabytes) on the
	identified tablespace.
	<P>
	<LI><TT>QUOTA UNLIMITED ON</TT>ts_name--Specifies that the user has an unlimited
	quota on the identified tablespace.
	<P>
	<LI><TT>PROFILE</TT>profile_name--The name of the profile that is used for this user.
	<P>
	<LI><TT>PASSWORD EXPIR</TT>--Immediately sets the password to the expired state.
	The user must change his password before he can log on to the database.
	<P>
	<LI><TT>ACCOUNT LOC</TT>--If this is set, the account is locked after creation.
	<P>
	<LI><TT>ACCOUNT UNLOC</TT>--If this is set, the account is not locked after creation.
</UL>

<P>There is little you can do with the <TT>CREATE USER</TT> command that you cannot
do with the graphical tools. The <TT>QUOTA</TT> option is the only additional feature
you get with the command-line option.
<H2><FONT COLOR="#000077"><B>Modifying User Accounts</B></FONT></H2>
<P>Modifying a user is very similar to creating one. You can modify a user with either
of the two graphical utilities or with the <TT>ALTER USER</TT> command. As with the
process of user creation, there is only a slight difference between the functionality
of the graphical utilities and the command-line utility. Let's look at these operations.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>You must have the <TT>ALTER USER</TT>
	system privilege to modify a user account. 
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Modifying User Accounts with Enterprise Manager</B></FONT></H3>
<P>You can modify a user in Enterprise Manager by drilling down to the level of the
users. When you see the user you want to modify, right-click the user's icon and
choose the Quick Edit option from the pop-up menu. This will bring up the Quick Edit
User screen, as shown in Figure 10.6.</P>
<P><A NAME="06"></A><A HREF="06.htm"><B>Figure 10.6.</B></A></P>
<P><I>You modify a user with the Quick Edit User screen.</I></P>
<P>From here you can change the profile, the password identification method, the
tablespaces, the password, and whether the user is locked or unlocked. This is essentially
the Create User screen without the option of specifying the username.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>You can also remove the user from
	the same menu that invoked the Quick Edit option. This will permanently remove the