Module 13: Security & User Management - Users, Roles, Privileges, FGAC

👤 User Management

Creating Users

CREATE USER username
  IDENTIFIED BY password
  [DEFAULT TABLESPACE tablespace_name]
  [TEMPORARY TABLESPACE temp_tablespace]
  [QUOTA size ON tablespace_name];

-- Example: Create application user
CREATE USER app_user
  IDENTIFIED BY SecurePass123
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 100M ON users;

-- Create user with password expiration
CREATE USER secure_user
  IDENTIFIED BY password
  PASSWORD EXPIRE;

User Management Operations

-- Alter user password
ALTER USER username IDENTIFIED BY new_password;

-- Lock/Unlock user account
ALTER USER username ACCOUNT LOCK;
ALTER USER username ACCOUNT UNLOCK;

-- Set password expiration
ALTER USER username PASSWORD EXPIRE;

-- Drop user
DROP USER username [CASCADE];

-- View user information
SELECT username, account_status, lock_date
FROM dba_users;

👥 Roles and Privileges

Create and Manage Roles

-- Create a custom role
CREATE ROLE reporting_analyst;

-- Create role with password protection
CREATE ROLE secure_role IDENTIFIED BY role_password;

-- Grant privileges to role
GRANT CREATE SESSION TO reporting_analyst;
GRANT SELECT ON employees TO reporting_analyst;

-- Assign role to user
GRANT reporting_analyst TO app_user;

-- Drop role
DROP ROLE role_name;

System vs Object Privileges

Privilege Type	Scope	Examples
System	Database-wide	CREATE USER, CREATE TABLE, CREATE SESSION
Object	Specific object	SELECT, INSERT, UPDATE, DELETE, EXECUTE

Granting Privileges

-- Grant system privilege
GRANT CREATE TABLE TO app_user;
GRANT UNLIMITED TABLESPACE TO app_user;

-- Grant object privilege
GRANT SELECT, INSERT, UPDATE 
  ON employees 
  TO app_user;

-- Grant with ADMIN OPTION (can grant others)
GRANT CREATE TABLE TO app_user 
  WITH ADMIN OPTION;

-- Revoke privilege
REVOKE SELECT ON employees FROM app_user;

-- View user privileges
SELECT grantee, privilege
FROM dba_sys_privs
WHERE grantee = 'APP_USER';

🔒 Fine-Grained Access Control (FGAC)

Row-Level Security with VPD

-- Create VPD policy function
CREATE OR REPLACE FUNCTION emp_security_policy(
  schema_name IN VARCHAR2,
  table_name IN VARCHAR2
) RETURN VARCHAR2 AS
  v_department_id NUMBER;
BEGIN
  SELECT NVL(department_id, 0)
  INTO v_department_id
  FROM user_profile
  WHERE username = USER;
  
  RETURN 'department_id = ' || v_department_id;
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RETURN '1=0'; -- No access
END emp_security_policy;
/

-- Add policy to table
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema => 'HR',
    object_name => 'EMPLOYEES',
    policy_name => 'emp_dept_policy',
    function_schema => 'HR',
    policy_function => 'emp_security_policy',
    statement_types => 'SELECT,UPDATE,DELETE'
  );
END;
/

Security Best Practices

Strong Passwords: Enforce complex password policies
Least Privilege: Grant minimum required permissions only
Regular Audits: Monitor user access and privilege changes
Role-based Access: Use roles instead of direct privilege grants
VPD/FGAC: Implement row-level security for sensitive data
Account Lockout: Lock unused or suspicious accounts
Encryption: Use password encryption and SSL/TLS for connections

                💡 Tip: Always use IDENTIFIED BY for passwords. Grant privileges sparingly. Use roles to manage groups of privileges efficiently. Audit privilege changes regularly with DBA_AUDIT_TRAIL.
            

✓ Learning Checklist - Module 13

Create and manage database users

Create and assign roles

Grant system and object privileges

Implement row-level security with VPD

Revoke privileges appropriately

Follow security best practices