ch10.htm

Teach yourself Oracle8 in 21 day

	user from the Oracle system. 
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Modifying User Accounts with Security Manager</B></FONT></H3>
<P>You can also modify a user in the Security Manager utility. Specify the user you
want to modify by clicking on that user's icon on the left side of Security Manager.
On the right side you will see information about that user that you can modify.</P>
<P>You can alter all the data presented on the right side of the screen, except for
the username. You can change the profile, the password identification method, the
tablespaces, the password, and whether the user is locked or unlocked. Again, this
is essentially the Create User screen without the option to specify the username.</P>
<P>Security Manager will also allow you to change permissions and remove users, and
lock, unlock, and terminate the user's password, as shown in Figure 10.7.</P>
<P><A NAME="07"></A><A HREF="07.htm"><B>Figure 10.7.</B></A></P>
<P><I>Use Security Manager options to modify the user's attributes.</I></P>
<P>By choosing the Add Privileges to Users option, you can add user privileges. Selecting
this option brings up the Add Privileges to Users screen, as shown in Figure 10.8.</P>
<P><A NAME="08"></A><A HREF="08.htm"><B>Figure 10.8.</B></A></P>
<P><I>Use the Add Privileges to Users screen to modify the user's privileges.</I></P>
<P>From here you can modify the user's privileges by selecting roles, system privileges,
or object privileges with or without the <TT>ADMIN</TT> option. Remember, the <TT>ADMIN</TT>
option allows you to pass that privilege to other user accounts.
<H3><FONT COLOR="#000077"><B>Modifying User Accounts with the </B>ALTER USER<B> Command</B></FONT></H3>
<P>You can also modify user accounts via the Oracle command <TT>ALTER USER</TT>.
<TT>ALTER USER</TT> has similar functionality to Enterprise Manager and Security
Manager, plus a few options not available with the graphical utilities. The <TT>ALTER
USER</TT> command is used to alter various attributes of the user account.
<H4><FONT COLOR="#000077"><B>The Syntax for the </B>ALTER USER<B> Command</B></FONT></H4>
<P>The <TT>ALTER USER</TT> command is run with the following syntax:</P>
<P><B>SYNTAX:</B></P>
<PRE><FONT COLOR="#0066FF">ALTER USER user_name
IDENTIFIED BY password 
     or IDENTIFIED EXTERNALLY or IDENTIFIED GLOBALLY AS `CN=user'
[ DEFAULT TABLESPACE ts_name ]
[ TEMPORARY TABLESPACE ts_name ]
[ QUOTA [ number K or M or UNLIMITED ] ON ts_name ]
[, QUOTA [ number K or M or UNLIMITED ] ON ts_name ]
[ PROFILE profile_name ]
[ PASSWORD EXPIRE ]
[ ACCOUNT LOCK or ACCOUNT UNLOCK ]
[ DEFAULT ROLE role [, role ] 
     or [ DEFAULT ROLE ALL [ EXCEPT role [, role ] ] ] or [ DEFAULT ROLE NONE ]
</FONT></PRE>


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>With the exception of the <TT>DEFAULT
	ROLE</TT> option, the syntax of the <TT>ALTER USER</TT> command is identical to that
	of the <TT>CREATE USER</TT> command. 
<HR>


</BLOCKQUOTE>

<P>The parameters for this command are

<UL>
	<LI><TT>ALTER USER </TT>user_name--The <TT>ALTER USER</TT> command requires a username
	that is to be modified.
	<P>
	<LI><TT>IDENTIFIED BY</TT>password--Oracle internally maintains a password for this
	user. The password is changed to the one specified here.
	<P>
	<LI><TT>IDENTIFIED EXTERNALL</TT>--The username is authenticated in the OS. The username
	must be identical in the username defined in the OS.
	<P>
	<LI><TT>IDENTIFIED GLOBALLY AS `CN</TT>user<TT>'</TT>--The username is authenticated
	by the Oracle security domain central server. The <TT>CN</TT> name identifies the
	external name of the user.
</UL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>One of the previous three qualifiers
	must be used. If you do not specify an <TT>IDENTIFIED</TT> qualifier, the command
	will fail. 
<HR>


</BLOCKQUOTE>


<UL>
	<LI><TT>DEFAULT TABLESPACE </TT>ts_name--The default tablespace to which the user
	is connected. If not specified, the <TT>SYSTEM</TT> tablespace is used as the default.
	<P>
	<LI><TT>TEMPORARY TABLESPACE</TT>ts_name--The temporary tablespace that the user
	will use by default. If not specified, the <TT>SYSTEM</TT> tablespace is used as
	the default.
	<P>
	<LI><TT>QUOTA</TT>number<TT> K or M ON </TT>ts_name--Specifies that the user has
	a quota of number<I> </I><TT>K</TT> (kilobytes) or <TT>M</TT> (megabytes) on the
	identified tablespace.
	<P>
	<LI><TT>QUOTA UNLIMITED ON</TT>ts_name--Specifies that the user has an unlimited
	quota on the identified tablespace.
	<P>
	<LI><TT>PROFILE</TT>profile_name--The name of the profile that is used for this user.
	<P>
	<LI><TT>PASSWORD EXPIR</TT>--Changes the password to the expired state. The password
	must be set before the user can log on to the database.
	<P>
	<LI><TT>ACCOUNT LOC</TT>--If set, the account is locked after creation.
	<P>
	<LI><TT>ACCOUNT UNLOC</TT>--If set, the account is not locked after creation.
	<P>
	<LI><TT>DEFAULT ROLE</TT>role<TT> [, </TT>role<TT>]</TT>--Specifies the default role
	or roles for this user.
	<P>
	<LI><TT>DEFAULT ROLE AL</TT>--Specifies that all roles are enabled for this user.
	In conjunction with the <TT>EXCEPT </TT>role<TT> [,</TT>role<TT>]</TT> qualifier,
	all roles are enabled except for those specified.
	<P>
	<LI><TT>DEFAULT ROLE NON</TT>--Specifies that no default roles are given.
</UL>

<P>As you can see, the privileges are mostly assigned to user accounts via the use
of a role. Where privileges are given via the role, limitations on the user are typically
assigned via the profile. In the next section of this lesson, you will look at the
profiles and the roles, how to create them, and what they mean.
<H2><FONT COLOR="#000077"><B>Managing Profiles</B></FONT></H2>
<P>Profiles are created as an easier way of setting limitations on users. Instead
of setting individual limits on users, you can set up a profile for each type of
user. For example, you can set up the following types of users:

<UL>
	<LI>Administrators--These users are given unlimited resources.
	<P>
	<LI>Developers--These users have an unlimited number of sessions but a limited number
	of CPU cycles/sessions.
	<P>
	<LI>Other--Perhaps you have other types of users with special needs. By defining
	your own set of special profiles, you can easily assign users with like attributes
	the same privileges.
</UL>

<P>By creating profiles for each type of user, you can simplify the security-management
task. You can have as many profiles as you want, but a user can only be assigned
one profile, unlike roles.</P>
<P>Profiles can be created, removed, and modified in several ways. You can manage
profiles graphically with both Enterprise Manager and Security Manager and via scripts
on the command line by using the <TT>CREATE PROFILE</TT> and <TT>ALTER PROFILE</TT>
commands. I present all three ways in the following sections.
<H3><FONT COLOR="#000077"><B>Managing Profiles with Enterprise Manager</B></FONT></H3>
<P>Profiles can be created graphically with Enterprise Manager. After you have invoked
Enterprise Manager and have drilled down into the database that you want to modify,
right-click the Profiles entry and choose Create, as shown in Figure 10.9.</P>
<P>Another way to create a profile is by right-clicking a profile that already exists
and choosing Create Like.</P>
<P><A NAME="09"></A><A HREF="09.htm"><B>Figure 10.9.</B></A></P>
<P><I>Choosing Create to create a profile.</I></P>
<P>Depending on whether you're creating an all-new profile or basing a new one on
an existing profile, you will be presented with either the Create Profile screen
or the Create Like screen. These screens are identical, except that with Create Like,
the values are already set to the values of the selected profile. The Create Like
screen is shown in Figure 10.10.</P>
<P><A NAME="10"></A><A HREF="10.htm"><B>Figure 10.10.</B></A></P>
<P><I>The Create Like screen.</I></P>
<P>Through this screen you can enter or change a number of values for the profile
in both the General and Password tabs. To switch to the Password screen, simply click
the Password tab. The Password screen is shown in Figure 10.11.</P>
<P><A NAME="11"></A><A HREF="11.htm"><B>Figure 10.11.</B></A></P>
<P><I>The Profile Password screen allows you to change password attributes.</I></P>
<P>The General screen has quite a few options that can be set or changed. These options
are split into Details and Database Services items. The parameters for the Details
section are

<UL>
	<LI>CPU/Session (Sec/100)--Specifies the amount of time, in hundredths of seconds,
	that a session can use.
	<P>
	<LI>CPU/Call (Sec/100)--Specifies the amount of time, in hundredths of seconds, that
	a session can use per call.
	<P>
	<LI>Connect Time (Min)--The total connect time allowed for a session.
	<P>
	<LI>Idle Time (Min)--The total idle time allowed before the session is disconnected.
</UL>

<P>For the Database Services portion, the parameters are

<UL>
	<LI>Concurrent Sessions (Per User)--The number of concurrent sessions allotted for
	this user ID.
	<P>
	<LI>Reads/Session (Blocks)--The number of blocks that this session can read. This
	includes blocks both from disk and from the buffer cache.
	<P>
	<LI>Reads/Call (Blocks)--The maximum number of blocks that can be read per call.
	<P>
	<LI>Private SGA (KBytes)--The maximum size of the session's SGA.
	<P>
	<LI>Composite Limit (Service Units)--A composite limit composed of the preceding
	limits.
</UL>

<P>On the Password tab, the parameters that can be set or changed are

<UL>
	<LI>Expire Password--Specifies how long a password is valid before it must be changed.
	<P>
	<LI>Keep Password History--Keeps a number of older passwords and does not let you
	reuse the past passwords.
	<P>
	<LI>Enforce Password Complexity--Requires passwords to be complex.
	<P>
	<LI>Lock Account on Failed Logon--Limits the number of failed logon attempts before
	the account is locked.
</UL>

<P>As you can see, you can change a lot of items in the profile. This can be quite
useful for setting limits if necessary. The <TT>DEFAULT</TT> profile sets all these
values to <TT>UNLIMITED</TT> as the default.</P>
<P>To modify a profile with Enterprise Manager, right-click the profile that you
want to alter and select Quick Edit. This will bring up the Quick Edit Profile screen,
as shown in Figure 10.12.</P>
<P><A NAME="12"></A><A HREF="12.htm"><B>Figure 10.12.</B></A></P>
<P><I>The Quick Edit Profile screen allows you to change quota limits.</I></P>
<P>From this screen, you can edit the properties of that profile. To remove a profile,
right-click the profile and select Remove from the pop-up menu. This will permanently
remove the profile from the system.
<H3><FONT COLOR="#000077"><B>Managing Profiles with Security Manager</B></FONT></H3>
<P>With Security Manager you can essentially perform the same operations as with
Enterprise Manager, but with a few more options. When you drill down into the profile
using Security Manager, you will see not only the profiles but the users assigned
to each of those profiles.</P>
<P>Right-click the Profile entry and you will be presented with a list of options,
as shown in Figure 10.13.</P>
<P><A NAME="13"></A><A HREF="13.htm"><B>Figure 10.13.</B></A></P>
<P><I>Use the Security Manager option to create a new profile.</I></P>