Create and manage users, roles, and privileges
Overview
Create and manage users, roles, and privileges
References
- Oracle® 12.1 Database Reference
- Oracle® 12.1 Database Security Guide
- Oracle® 12.1 Database SQL Language Reference
Notes
Create Users
Common Users Supplied by Oracle
Although the standard is for common usernames to be prefixed by 'C##', those supplied by Oracle do not follow this standard as revealed by the following script:
SELECT
username
FROM
dba_users
WHERE
common = 'YES'
AND
oracle_maintained = 'Y'
ORDER BY 1;
The result is:
Manage Users
Create Common User
Use the following commands to create a common user.
- Must be in the root container (CDB$ROOT)
- CONTAINER=ALL is the default for the root container.
ALTER SESSION
SET CONTAINER=cdb$root;
CREATE USER
"C##DOUG"
PROFILE "DEFAULT"
IDENTIFIED BY "&PW."
DEFAULT TABLESPACE "USERS"
TEMPORARY TABLESPACE "TEMP"
QUOTA UNLIMITED ON "USERS"
ACCOUNT UNLOCK
CONTAINER=ALL;
Manage Privileges
Use the following commands to allow a common user to connect to all containers.
- Must be in the root container (CDB$ROOT)
- CONTAINER=ALL is the default for the root container.
ALTER SESSION SET CONTAINER=cdb$root; GRANT "CONNECT" TO "C##DOUG" CONTAINER=ALL;
Use the following commands to allow a common user to see some dynamic views.
- Must be in the root container (CDB$ROOT)
- ADD CONTAINER_DATA requires CONTAINER = CURRENT
ALTER SESSION
SET CONTAINER=cdb$root;
ALTER USER
"C##DOUG" ADD CONTAINER_DATA = ( "PLUM" ) CONTAINER = CURRENT;
The dynamic views available to C##DOUG on PLUM are:
This table was generated by the following query:
WITH
gv_views AS (
SELECT
view_name,
substr(view_name,4)
AS stub
FROM
all_views
WHERE
owner = 'SYS'
AND
regexp_like(view_name,'^gv_\$','i')
),
v_views AS (
SELECT
view_name,
substr(view_name,3)
AS stub
FROM
all_views
WHERE
owner = 'SYS'
AND
regexp_like(view_name,'^v_\$','i')
)
SELECT
v_views.view_name
AS v_view_name,
gv_views.view_name
AS gv_view_name
FROM
gv_views
FULL OUTER JOIN
v_views
USING (
stub
)
ORDER BY
v_view_name
;
Isolate Common User to a Single PDB
To isolate a common user to a single PDB, run the following SQL*Plus commands:
ALTER SESSION
SET CONTAINER=plum;
GRANT
CREATE SESSION TO "C##FRED" CONTAINER=CURRENT;
This is confirmed through the following SQL:
SELECT * FROM cdb_sys_privs WHERE grantee = 'C##FRED';
The output is:
CDB_SYS_PRIVS has the same columns as DBA_SYS_PRIVS.
Manage Roles
Grant Role to Common User in the Current Container
Create and grant role, C##YAOCM, to common user, C##DOUG, in the current container, CDB$ROOT, using the following SQL:
Display role privileges for common user using the following SQL:
SELECT * FROM cdb_role_privs WHERE grantee = 'C##DOUG'
;
The output is:
CDB_ROLE_PRIVS has the same columns as DBA_ROLE_PRIVS.
Grant Role to Common User in All Containers
Use the following SQL to grant the C##YAOCM to the user, C##DOUG in all containers:
ALTER SESSION
SET CONTAINER=cdb$root;
GRANT
c##yaocm TO c##doug CONTAINER=ALL;
Display role privileges for common user using the following SQL:
SELECT * FROM cdb_role_privs WHERE grantee = 'C##DOUG';
The output is:
CDB_ROLE_PRIVS has the same columns as DBA_ROLE_PRIVS.
The new rows are highlighted in PINK.