Oracle® Database 2 Day DBA 11g Release 1 (11.1) Part Number B28301-01
For users to access your database, you must create user accounts and grant appropriate database access privileges to those accounts. A user account is identified by a user name and defines the attributes of the user, including the following:
Authentication method
Password (encrypted) for database authentication
Default tablespaces for permanent and temporary data storage
Tablespace quotas
Account status (locked or unlocked)
Password status (expired or not)
When you create a user account, you must not only assign a user name, a password, and default tablespaces for the account, but you must also do the following:
Grant the appropriate system privileges, object privileges, and roles to the account.
If the user will be creating database objects, give the user account a space usage quota on each tablespace in which the objects will be created.
Oracle recommends that you grant each user just enough privileges to perform his job, and no more. For example, a database application developer needs privileges to create and modify tables, indexes, views, and stored procedures, but does not need (and should not be granted) privileges to drop (delete) tablespaces or recover the database. You can create user accounts for database administration, and grant only a subset of administrative privileges to those accounts. In addition, you may want to create user accounts that are used by applications only. That is, nobody logs in with these accounts; instead, applications use these accounts to connect to the database, and users log in to the applications. This avoids giving application users the ability to log in to the database directly, where they could unintentionally cause damage. See "About User Privileges and Roles" for more information.
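The account-creation steps and the least-privilege recommendation above, as an added example that is not part of the Oracle guide. The account names app_dev and app_svc, the tablespaces users and temp, the 100M quota, and the placeholder passwords are assumptions; the grant on hr.employees assumes the hr sample schema is installed.

```sql
-- Added example. Names, tablespaces, quota size and passwords are assumed
-- placeholders. Run as an administrator who can create users and grant privileges.

-- Developer account: quota only on the tablespace where its objects will live.
-- PASSWORD EXPIRE forces the user to set a new password at first login.
CREATE USER app_dev IDENTIFIED BY "Placeholder_Pw_1"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 100M ON users
  PASSWORD EXPIRE
  ACCOUNT UNLOCK;

-- Enough to connect and to create tables, views and stored procedures.
-- Indexes on the user's own tables need no additional system privilege.
-- No DROP TABLESPACE, no SYSDBA, no ANY privileges.
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW, CREATE PROCEDURE TO app_dev;

-- Application-only account: it owns no objects, so it gets no quota,
-- and it receives object privileges on specific tables only.
CREATE USER app_svc IDENTIFIED BY "Placeholder_Pw_2"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp;

GRANT CREATE SESSION TO app_svc;
GRANT SELECT ON hr.employees TO app_svc;  -- assumes the hr sample schema exists

-- Verify what the accounts ended up with.
SELECT username, account_status, default_tablespace, temporary_tablespace
  FROM dba_users
 WHERE username IN ('APP_DEV', 'APP_SVC');

SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE grantee IN ('APP_DEV', 'APP_SVC')
 ORDER BY grantee, privilege;

SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee IN ('APP_DEV', 'APP_SVC');

SELECT username, tablespace_name, bytes, max_bytes
  FROM dba_ts_quotas
 WHERE username IN ('APP_DEV', 'APP_SVC');
```

The role query should return no rows for either account, and the quota query should return a row for APP_DEV only.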
When you create a user account, you are also implicitly creating a schema for that user. A schema is a logical container for the database objects (such as tables, views, triggers, and so on) that the user creates. The schema name is the same as the user name, and can be used to unambiguously refer to objects owned by the user. For example, hr.employees refers to the table named employees in the hr schema. (The employees table is owned by hr.) The terms database object and schema object are used interchangeably.
When you delete a user, you must either simultaneously delete all schema objects of that user, or you must have previously deleted the schema objects in separate operations.
Predefined User Accounts
In addition to the user accounts that you create, the database includes a number of user accounts that are automatically created upon installation.
All databases include the administrative accounts SYS, SYSTEM, SYSMAN, and DBSNMP. Administrative accounts are highly privileged accounts, and should be used only by individuals authorized to perform administrative tasks such as starting and stopping the database, managing database memory and storage, creating and managing database users, and so on. You log in to Oracle Enterprise Manager Database Control (Database Control) with SYS, SYSTEM, or SYSMAN. The Management Agent of Database Control uses the DBSNMP account to monitor and manage the database. You assign the passwords for these accounts when you create the database with Oracle Database Configuration Assistant (DBCA). You must not delete these accounts.
All databases also include internal accounts, which are automatically created so that individual Oracle Database features or components can have their own schemas. An example is the WKSYS account, which is used by Oracle Ultra Search. All Oracle Ultra Search database objects are installed in the WKSYS schema. To protect these accounts from unauthorized access, they are initially locked and their passwords are expired. (A locked account is an account for which login is disabled.) You must not delete internal accounts, and you must not use them to log in to the database.
Your database may also include sample schemas, which are a set of interlinked schemas that enable Oracle documentation and Oracle instructional materials to illustrate common database tasks. These schemas also provide a way for you to experiment without endangering production data. Each sample schema has a user account associated with it. For example, the hr user account owns the hr schema, which contains a set of simple tables for a human resources application. The sample schema accounts are also initially locked and have an expired password. As the database administrator, you are responsible for unlocking these accounts and assigning passwords to these accounts.