To give users access to your database, you must create user accounts and grant the appropriate database access privileges to those accounts. A user account is identified by a user name and defines the attributes of the user, including the following:
- Authentication method
- Password for database authentication
- Default tablespaces for permanent and temporary data storage
- Tablespace quotas
- Account status (locked or unlocked)
- Password status (expired or not)
When you create a user account, you must not only assign a user name, a password, and default tablespaces to the account, but you must also do the following:
- Grant the appropriate system privileges, object privileges, and roles to the account.
- If the user will be creating database objects, give the user account a space usage quota on each tablespace in which those objects will be created.
Oracle recommends that you grant each user just enough privileges to perform their job, and no more. For example, a database application developer needs privileges to create and modify tables, indexes, views, and stored procedures, but does not need (and should not be granted) privileges to drop (delete) tablespaces or recover the database. You can create user accounts for database administration and grant only a subset of administrative privileges to those accounts.
In addition, you may want to create user accounts that are used only by applications. That is, nobody logs in with these accounts; instead, applications use them to connect to the database, and users log in to the applications. This type of user account avoids giving application users the ability to log in to the database directly, where they could unintentionally cause damage. See "About User Privileges and Roles" for more information.
When you create a user account, you also implicitly create a schema for that user. A schema is a logical container for the database objects (such as tables, views, triggers, and so on) that the user creates. The schema name is the same as the user name, and can be used to unambiguously refer to objects owned by the user. For example, hr.employees refers to the table named employees in the hr schema. (The employees table is owned by hr.) The terms database object and schema object are used interchangeably.
When you delete a user, you must either delete all schema objects of that user at the same time, or you must have deleted those schema objects beforehand in separate operations.
Predefined User Accounts
In addition to the user accounts you create, the database contains several user accounts that are automatically created during installation.
All databases include the administrative accounts SYS, SYSTEM, and DBSNMP. Administrative accounts are highly privileged and are needed only by individuals authorized to perform administrative tasks such as starting and stopping the database, managing database memory and storage, creating and managing database users, and so on. You log in to Oracle Enterprise Manager Database Express (EM Express) as SYS or SYSTEM. You assign the passwords for these accounts when you create the database with Oracle Database Configuration Assistant (DBCA). You must not delete or rename these accounts.
All databases also include internal accounts, which are created automatically so that each Oracle Database feature or component (such as Oracle Application Express) can have its own schema. To protect these accounts from unauthorized access, they are initially locked and their passwords are expired. (A locked account is an account for which login is disabled.) You must not delete internal accounts, nor use them to log in to the database.
Your database may also include sample schemas, if you chose the option to create the sample schemas when you installed the database. The sample schemas are a set of interlinked schemas that Oracle documentation and instructional materials use to illustrate common database tasks. These schemas also give you a way to experiment without endangering production data.
Each sample schema has an associated user account. For example, the hr user account owns the hr schema, which contains a simple set of tables for a human resources application. The sample schema accounts are also initially locked and their passwords are expired. As the database administrator, you are responsible for unlocking these accounts and assigning passwords to them.
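The account creation steps above (user name, password, default tablespaces, quota, least-privilege grants) and the unlocking of a sample schema account, as an added SQL example that is not from the Oracle documentation; the tablespace names USERS/TEMP, the user names app_dev and app_svc, the table app_dev.orders and the password strings are assumptions and placeholders:

```sql
-- Added example, not part of the Oracle documentation. Run as an
-- administrative user (for example SYSTEM). Passwords are placeholders.

-- 1. Developer account: user name, password, default tablespaces, and a
--    quota on the one tablespace where the developer will create objects.
CREATE USER app_dev IDENTIFIED BY "Placeh0lder_Change#1"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp
  QUOTA 100M ON users
  PASSWORD EXPIRE;                -- forces a new password at first login

-- 2. Just enough privileges to build application objects: no DBA role,
--    no DROP TABLESPACE, no SYSDBA.
GRANT CREATE SESSION, CREATE TABLE, CREATE VIEW,
      CREATE PROCEDURE, CREATE SEQUENCE, CREATE TRIGGER TO app_dev;

-- 3. Application-only account: it owns nothing and has no QUOTA clause,
--    so it cannot create objects; it only uses what app_dev grants it.
CREATE USER app_svc IDENTIFIED BY "Placeh0lder_Change#2"
  DEFAULT TABLESPACE users
  TEMPORARY TABLESPACE temp;
GRANT CREATE SESSION TO app_svc;
-- Object privileges on an assumed table, granted by its owner app_dev
-- (or by an administrator holding GRANT ANY OBJECT PRIVILEGE).
GRANT SELECT, INSERT, UPDATE ON app_dev.orders TO app_svc;

-- 4. Sample schema account: unlock it and assign a password so that it
--    can be used for experiments (it ships locked with an expired password).
ALTER USER hr IDENTIFIED BY "Placeh0lder_Change#3" ACCOUNT UNLOCK;

-- 5. Check what each account ended up with.
SELECT username, default_tablespace, account_status
  FROM dba_users
 WHERE username IN ('APP_DEV', 'APP_SVC', 'HR');
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee IN ('APP_DEV', 'APP_SVC')
 ORDER BY grantee, privilege;
SELECT username, tablespace_name, max_bytes
  FROM dba_ts_quotas
 WHERE username = 'APP_DEV';
```

The last three queries are the check a reviewer would want before handing the accounts over: app_svc should show CREATE SESSION only, and app_dev should show a single bounded quota.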
See also:
- "Locking and Unlocking User Accounts"
- "About Administrative Accounts and Privileges"
- "SYS and SYSTEM Users" for information about a recommended alternative to using SYSTEM for daily administrative tasks
- "Administering Database User Accounts"
- Oracle Database Sample Schemas for more information about the sample schemas
- Oracle Database Concepts for an overview of database security
7.1.1 About Commonality in a CDB
In a multitenant container database (CDB), the principle of commonality is fundamental: a common phenomenon is the same in every existing and future container. In a CDB, "common" means "common to all containers". A local phenomenon, on the other hand, is restricted to exactly one existing container.
A consequence of the principle of commonality is that only common users can alter the existence of common phenomena. Specifically, only a common user connected to the root can create, destroy, or modify the CDB-wide attributes of a common user or role.
See also:
- Oracle Multitenant Administrator's Guide for an overview of CDBs and PDBs
- Oracle Multitenant Administrator's Guide for information about administering CDBs and PDBs
7.1.1.1 Common Users in a CDB
A common user is a database user that has the same identity in the root and in every existing and future pluggable database (PDB). Every common user can connect to and perform operations within the root, and within any PDB in which it has privileges.
Every common user is either supplied by Oracle or created by a user. Examples of Oracle-supplied common users are SYS and SYSTEM.
Common users have the following characteristics:
- A common user can log in to any container (including CDB$ROOT) in which it has the CREATE SESSION privilege. A common user need not have the same privileges in every container. For example, the c##dba user may have the privilege to create a session in the root and in one PDB, but not in the other PDBs. Because a common user with the appropriate privileges can switch between containers, a common user in the root can administer PDBs.
- The name of every user-created common user must begin with the characters C## or c##. (Oracle-supplied common user names do not have this restriction.) The name of a local user must not begin with the characters C## or c##.
- Common user names must contain only ASCII or EBCDIC characters.
- Every common user is uniquely named across all containers. A common user resides in the root, but must be able to log in to every PDB with the same identity.
- The schemas of a common user can differ in each container. For example, if c##dba is a common user that has privileges in multiple containers, then the c##dba schema in each of those containers can contain different objects.
See also:
- Oracle Multitenant Administrator's Guide for more information about common users in a multitenant container database (CDB)
- Oracle Database Security Guide to learn about common and local user accounts
7.1.1.2 Local Users in a CDB
A local user is a database user that is not common and can operate only within a single pluggable database (PDB). Local users have the following characteristics:
- A local user is specific to one PDB and owns a schema in that PDB.
- A local user cannot be created in the root.
- A local user in one PDB cannot log in to another PDB or to the root.
- The name of a local user must not begin with the characters C## or c##.
- The name of a local user need only be unique within its PDB.
- The user name together with the PDB that contains that user's schema defines a unique local user. For example, a local user and schema named rep can exist in hrpdb. A completely independent local user and schema named rep can exist in salespdb.
- Whether a local user can access objects in a common schema depends on the user's privileges. For example, the c##dba common user can create a table in the c##dba schema in hrpdb. Unless c##dba grants the necessary privileges on this table locally to the hr user, hr cannot access it.
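The common-user and local-user rules from the two sections above, as an added SQL example that is not from the Oracle documentation; the PDB names hrpdb and salespdb, the table c##dba.audit_log and the placeholder passwords are assumptions, and the session is assumed to be an administrative connection to the CDB:

```sql
-- Added example, not part of the Oracle documentation. Passwords are
-- placeholders; container names hrpdb/salespdb are assumed.

-- 1. Common users are created in the root with the mandatory C## prefix.
--    (A name without the prefix fails here with ORA-65096.)
ALTER SESSION SET CONTAINER = CDB$ROOT;
CREATE USER c##dba IDENTIFIED BY "Placeh0lder#1" CONTAINER = ALL;
-- Same identity everywhere, but privileges are granted per container:
-- CREATE SESSION in all containers, CREATE TABLE only in hrpdb (step 2).
GRANT CREATE SESSION TO c##dba CONTAINER = ALL;

-- 2. Local users live in exactly one PDB; rep in hrpdb and rep in
--    salespdb are two unrelated users.
ALTER SESSION SET CONTAINER = hrpdb;
CREATE USER rep IDENTIFIED BY "Placeh0lder#2" CONTAINER = CURRENT;
GRANT CREATE SESSION TO rep;
GRANT CREATE TABLE TO c##dba CONTAINER = CURRENT;  -- hrpdb only
ALTER USER c##dba QUOTA 10M ON users;              -- quota is per container

ALTER SESSION SET CONTAINER = salespdb;
CREATE USER rep IDENTIFIED BY "Placeh0lder#3" CONTAINER = CURRENT;
GRANT CREATE SESSION TO rep;

-- 3. The common user's schema differs per container. A table in c##dba's
--    hrpdb schema (created here by the administrator) stays invisible to
--    the local hr user until a local grant is made.
ALTER SESSION SET CONTAINER = hrpdb;
CREATE TABLE c##dba.audit_log (id NUMBER, note VARCHAR2(200));
GRANT SELECT ON c##dba.audit_log TO hr;            -- local grant, hrpdb only

-- 4. Verify from the root: c##dba appears with COMMON = YES once per
--    container, while each rep row carries the CON_ID of its own PDB.
ALTER SESSION SET CONTAINER = CDB$ROOT;
SELECT con_id, username, common
  FROM cdb_users
 WHERE username IN ('C##DBA', 'REP')
 ORDER BY username, con_id;
```

Trying the mirror image, CREATE USER c##dba inside hrpdb or CREATE USER rep inside CDB$ROOT, is rejected, which is the naming rule from the bullet lists enforced by the database.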
See also:
- Oracle Multitenant Administrator's Guide for more information about local users
- Oracle Multitenant Administrator's Guide for a scenario involving local users in two PDBs
- Oracle Database Security Guide to learn about local user accounts