Document: Oracle SQL Jumpstart with Examples - P12 pptx

Document information

23.2 Privileges

PRINCE originally granted the CREATE VIEW privilege to ARIEL. Revoked system privileges do not cause cascading revokes; only object privilege revokes can do that.

CREATE VIEW CA_ARTISTS AS SELECT * FROM MUSIC.ARTIST WHERE STATE_PROVINCE='CA';

We will now examine some rules about revoking privileges. Using graphic examples, here are some key points to remember about how revoking of privileges works.

23.2.2.1 Revoked System Privileges DO NOT Cascade

When you revoke a system privilege, the revoke affects only the user you are naming and does not affect any objects or users created. For example, SYSTEM grants the CREATE USER privilege WITH ADMIN OPTION to ASSISTANT. Then ASSISTANT creates a user named INTERN and grants her the CREATE USER privilege. Now, INTERN creates another user named JOE. Figure 23.10 illustrates these events.

Figure 23.10 One New User Is Created by Each of These Users: SYSTEM, ASSISTANT, and INTERN.

Now, as the DBA, you decide that your assistant does not need to create users at this point, so you revoke the CREATE USER privilege from ASSISTANT. ASSISTANT can no longer create users; however, the users she created still exist. And INTERN, who received the system privilege CREATE USER from ASSISTANT, retains that privilege. Figure 23.11 illustrates this idea by showing that ASSISTANT cannot create a user, while INTERN can create a user.

23.2.2.2 Revoked Object Privileges DO Cascade

Revoking an object privilege does result in a cascading set of revoked privileges. For example, imagine that SYSTEM grants SELECT on MUSIC.ARTIST to ASSISTANT using the WITH GRANT OPTION clause. Then ASSISTANT grants the same object privilege to INTERN, who in turn grants the privilege (without the WITH GRANT OPTION) to JOE. Figure 23.12 shows the scenario.
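The two grant chains from Sections 23.2.2.1 and 23.2.2.2, carried through the revokes and followed by the data dictionary queries that show which grants survive, as an added example that is not the book's own code. It assumes the book's MUSIC.ARTIST table exists; the three users, their passwords and the connect string are placeholders, and SYSTEM creates all three users rather than chaining their creation as the text does.

```sql
-- Added example, not from the book: the ASSISTANT / INTERN / JOE chains of
-- Sections 23.2.2.1 and 23.2.2.2, followed by the dictionary queries that show
-- which grants survive each revoke. Users and passwords here are placeholders;
-- MUSIC.ARTIST is the book's table and is assumed to exist.
CONNECT SYSTEM/password@OLTP;
CREATE USER ASSISTANT IDENTIFIED BY change_me;
CREATE USER INTERN    IDENTIFIED BY change_me;
CREATE USER JOE       IDENTIFIED BY change_me;
GRANT CREATE SESSION TO ASSISTANT, INTERN, JOE;

-- System privilege chain: WITH ADMIN OPTION lets ASSISTANT pass it on.
GRANT CREATE USER TO ASSISTANT WITH ADMIN OPTION;
CONNECT ASSISTANT/change_me@OLTP;
GRANT CREATE USER TO INTERN;

-- Object privilege chain: WITH GRANT OPTION at every hop except the last.
CONNECT SYSTEM/password@OLTP;
GRANT SELECT ON MUSIC.ARTIST TO ASSISTANT WITH GRANT OPTION;
CONNECT ASSISTANT/change_me@OLTP;
GRANT SELECT ON MUSIC.ARTIST TO INTERN WITH GRANT OPTION;
CONNECT INTERN/change_me@OLTP;
GRANT SELECT ON MUSIC.ARTIST TO JOE;

-- Revoke both privileges from ASSISTANT, then compare what remains.
CONNECT SYSTEM/password@OLTP;
REVOKE CREATE USER FROM ASSISTANT;
REVOKE SELECT ON MUSIC.ARTIST FROM ASSISTANT;

-- No cascade: INTERN still holds CREATE USER; only ASSISTANT's row is gone.
SELECT GRANTEE, ADMIN_OPTION
FROM   DBA_SYS_PRIVS
WHERE  PRIVILEGE = 'CREATE USER'
AND    GRANTEE IN ('ASSISTANT', 'INTERN');

-- Cascade: no rows at all, because INTERN's and JOE's grants came through
-- ASSISTANT and were revoked together with hers.
SELECT GRANTEE, GRANTOR, GRANTABLE
FROM   DBA_TAB_PRIVS
WHERE  OWNER = 'MUSIC' AND TABLE_NAME = 'ARTIST'
AND    GRANTEE IN ('ASSISTANT', 'INTERN', 'JOE');
```

The two dictionary queries are the check to run after any revoke on a privilege that was granted WITH ADMIN OPTION or WITH GRANT OPTION, since the surviving rows tell you who can still use or re-grant it.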
After careful thought, you decide that your assistant no longer requires the SELECT privilege on the MUSIC.ARTIST table, so you revoke the privilege. The revoke actually cascades and revokes the privilege from INTERN, and then it cascades again and revokes the privilege from JOE.

Figure 23.11 ASSISTANT Failed to Create MATTHEW, but INTERN Created BETH.

Now, only SYSTEM can successfully query the MUSIC.ARTIST table. Figure 23.13 shows how this works. Remember that revoked system privileges do not cascade and revoked object privileges do cascade.

One of the more repetitive DBA tasks is that of granting the proper privileges to new users and maintaining privileges for all existing users. Very often, a group of users has identical privileges. The next section shows you how to take advantage of this with roles. Roles allow groupings of privileges and subsequent granting of privilege groups with a single grant or revoke of a role.

23.3 Grouping Privileges Using Roles

A role is a set or grouping of object and/or system privileges that is assigned a name. Once a role is established, you can grant the role instead of granting all of the individual privileges to a user. This capability saves a great deal of time!

Figure 23.12 SYSTEM, ASSISTANT, and INTERN Grant Object Privileges.

Note: PL/SQL code blocks may not recognize database access through roles. Explicit object privileges may be required for PL/SQL. PL/SQL is covered in Chapter 24.

23.3.1 Creating and Altering Roles

Figure 23.14 shows the syntax of the CREATE ROLE and ALTER ROLE commands. Options are identical for both commands.
Any user with the CREATE ROLE system privilege can create a role. The SYSTEM user, of course, has this privilege. The DBA often grants this privilege to users who own tables, so that users can create roles associated with their tables and grant those roles to other users. A role that will contain sensitive privileges can be assigned a password. Any user who wants to use that role must provide the password (except when the role is one of the user's default roles). You will find out more about default roles later. At this stage, all we will do is lay some groundwork for later and create two roles; substitute strings where appropriate.

Figure 23.13 Revoking an Object Privilege Cascades to Other Users to whom the Revokee Granted the Same Object Privilege.

CONNECT SYSTEM/password@OLTP;
CREATE ROLE MINIDBA;
CREATE ROLE MUSIC_ACCESS;

The MINIDBA role will be a highly privileged role, thus I am using the ALTER ROLE command to restrict access using a password.

ALTER ROLE MINIDBA IDENTIFIED BY DBA#9876;

Note: The password is the only portion of a role that can be altered. You can add, change, or remove the password on a role. If you want to change the name of a role, you must drop and then re-create it with the changed name.

Once roles are created, privileges can be granted to them as if they are users. Then roles can be granted to users. Once a user has a role granted, he or she inherits all of the privileges assigned to that role.

23.3.2 Granting and Revoking Privileges on Roles

Granting privileges to a role is exactly the same (syntax-wise) as granting privileges to a user. Figures 23.5 and 23.9 show the syntax of granting and revoking privileges to and from roles. Roles can be granted to a user, a role, or PUBLIC. Let's grant some privileges. First connect to the SYSTEM user.
Figure 23.14 A New Role Does Not Contain Any Privileges at First.

CONNECT SYSTEM/password@OLTP;

Now we give the MINIDBA role three system privileges that you wish to delegate to an assistant DBA.

GRANT CREATE USER, CREATE SESSION, CREATE ROLE TO MINIDBA;

Connect to the MUSIC user to grant some object privileges to the other role.

CONNECT MUSIC/MUSIC@OLTP;

Let's say that you are the designer for the MUSIC schema's application and you know that all users need to be able to change and query some tables and only query other tables.

GRANT SELECT ON ARTIST TO MUSIC_ACCESS;
GRANT SELECT ON SONG TO MUSIC_ACCESS;
GRANT SELECT ON MUSICCD TO MUSIC_ACCESS;
GRANT SELECT, INSERT, UPDATE, DELETE ON STUDIOTIME TO MUSIC_ACCESS;
GRANT SELECT, INSERT, UPDATE, DELETE ON GUESTAPPEARANCE TO MUSIC_ACCESS;

Now that roles are configured, we should grant the roles to users. Granting a role to a user uses the same syntax as granting a system privilege. Refer to Figures 23.5 and 23.9 again. Notice that you can grant a system privilege, a role, or ALL PRIVILEGES. A role can even be granted to another role! This can be useful when you have subsets of privileges that can be logically grouped together under a single role. So we have added privileges to both roles and now wish to grant roles to users. The MUSIC user did not create any roles and does not have the GRANT ANY ROLE system privilege. We have to connect to SYSTEM again.

CONNECT SYSTEM/password@OLTP;

Let's say that you want PRINCE to be allowed to use the MUSIC application. In addition, PRINCE will be allowed to grant the role to other users.
Grant the appropriate role to PRINCE using this command:

GRANT MUSIC_ACCESS TO PRINCE WITH ADMIN OPTION;

Granting a role to a user has the same syntax as granting system privileges; therefore, you use the WITH ADMIN OPTION when you want the user to be able to grant the role to others. We also decide that the MINIDBA role should have all privileges granted to the MUSIC_ACCESS role in addition to the system privileges already granted to it. Grant the MUSIC_ACCESS role to the MINIDBA role.

GRANT MUSIC_ACCESS TO MINIDBA;

Now, grant the MINIDBA role to ARIEL.

GRANT MINIDBA TO ARIEL;

ARIEL has all privileges from both roles. Connect to PRINCE.

CONNECT PRINCE/CHARMING@OLTP;

PRINCE is allowed to grant the MUSIC_ACCESS role. He grants it to ARIEL.

GRANT MUSIC_ACCESS TO ARIEL;

After doing this, we realize that ARIEL already has the MUSIC_ACCESS role because it is included in the MINIDBA role. So PRINCE can revoke the redundant role.

REVOKE MUSIC_ACCESS FROM ARIEL;

Note: Roles can be granted to other roles, establishing groups of groupings of privileges.

23.3.3 Setting User Roles

A role, once assigned to a user, can be either enabled or disabled in the user's session. By default, any role assigned to a user is enabled. The DBA can adjust which roles are enabled by default for each user when that user logs in, using the ALTER USER command. In addition, a user can enable a role using the SET ROLE command. The ALTER USER command syntax is shown in Figure 23.15. The ALTER USER command has many other uses. Figure 23.15 shows only portions of syntax catering to user default roles. When a user starts a session (connects to a database), roles are enabled according to settings made by the DBA using the ALTER USER command.
A user can modify his or her session and change the enabled role set using the SET ROLE command. Figure 23.16 shows the syntax for the SET ROLE command. Let's show some use of role allocation. First, reconnect to SYSTEM using this command:

CONNECT SYSTEM/password@OLTP;

Figure 23.15 Modify a User's Default Roles with ALTER USER.

All roles assigned to a user start out enabled by default, including roles with passwords. If you want the user to be required to use the password before enabling the role, you must remove the role from the user's list of default roles. The MINIDBA role has a password and has been granted to ARIEL. Remove this role from ARIEL's default roles.

ALTER USER ARIEL DEFAULT ROLE ALL EXCEPT MINIDBA;

Now connect to ARIEL, replacing the variable as usual.

CONNECT ARIEL/MERMAID@OLTP;

ARIEL cannot perform any tasks that need the system privileges found in the MINIDBA role (such as creating new users), because the role is disabled. She enables the MINIDBA role by using the SET ROLE command, including the appropriate password.

SET ROLE MINIDBA IDENTIFIED BY DBA#9876;

Note: Be careful to include all of the roles you wish to enable in your SET ROLE command.

Figure 23.16 Users Can Only Enable Roles Previously Granted to Them.

Roles not included in the SET ROLE command become disabled. For example, let's say you have three roles enabled by default (VIEWMUSIC, UPDATEMUSIC, and DELETEMUSIC) and one role (INSERTMUSIC) disabled by default. If the command SET ROLE INSERTMUSIC is executed, you will enable the INSERTMUSIC role and disable the VIEWMUSIC, UPDATEMUSIC, and DELETEMUSIC roles.
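The MINIDBA and MUSIC_ACCESS setup of Section 23.3, with the data dictionary checks a DBA runs to confirm that a password-protected role is off by default and comes on only after SET ROLE, as an added example that is not the book's own code. It assumes the book's MUSIC schema and user ARIEL (holding CREATE SESSION directly, not through a role) already exist; the SCRATCH user, the passwords and the connect string are placeholders.

```sql
-- Added example, not from the book: the MINIDBA / MUSIC_ACCESS setup of
-- Section 23.3 with the dictionary checks a DBA runs to confirm that a
-- password-protected role is off by default and on only after SET ROLE.
-- Assumes the book's MUSIC schema and user ARIEL (holding CREATE SESSION
-- directly, not via a role) already exist; the SCRATCH user is a placeholder.
CONNECT SYSTEM/password@OLTP;
CREATE ROLE MUSIC_ACCESS;
CREATE ROLE MINIDBA IDENTIFIED BY DBA#9876;            -- password at creation
GRANT CREATE USER, CREATE SESSION, CREATE ROLE TO MINIDBA;
GRANT SELECT ON MUSIC.ARTIST TO MUSIC_ACCESS;
GRANT SELECT, INSERT, UPDATE, DELETE ON MUSIC.STUDIOTIME TO MUSIC_ACCESS;
GRANT MUSIC_ACCESS TO MINIDBA;                         -- role inside a role
GRANT MINIDBA TO ARIEL;
ALTER USER ARIEL DEFAULT ROLE ALL EXCEPT MINIDBA;      -- off until enabled

-- Check 1: password required on the role, and not a default role for ARIEL.
-- Expected: PASSWORD_REQUIRED = 'YES', DEFAULT_ROLE = 'NO'.
SELECT R.ROLE, R.PASSWORD_REQUIRED, P.GRANTEE, P.DEFAULT_ROLE
FROM   DBA_ROLES R
JOIN   DBA_ROLE_PRIVS P ON P.GRANTED_ROLE = R.ROLE
WHERE  R.ROLE = 'MINIDBA';

-- Check 2: everything MINIDBA confers, directly or through MUSIC_ACCESS.
SELECT 'SYS ' AS KIND, PRIVILEGE AS WHAT
FROM   DBA_SYS_PRIVS WHERE GRANTEE = 'MINIDBA'
UNION ALL
SELECT 'ROLE', GRANTED_ROLE
FROM   DBA_ROLE_PRIVS WHERE GRANTEE = 'MINIDBA'
UNION ALL
SELECT 'OBJ ', OWNER || '.' || TABLE_NAME || ':' || PRIVILEGE
FROM   DBA_TAB_PRIVS
WHERE  GRANTEE IN (SELECT GRANTED_ROLE FROM DBA_ROLE_PRIVS
                   WHERE GRANTEE = 'MINIDBA');

-- Check 3: in ARIEL's session the role is absent until SET ROLE supplies the
-- password, so CREATE USER fails (ORA-01031) first and succeeds afterwards.
-- SET ROLE also switches off any other role ARIEL had enabled by default.
CONNECT ARIEL/MERMAID@OLTP;
SELECT ROLE FROM SESSION_ROLES;                        -- MINIDBA not listed
CREATE USER SCRATCH IDENTIFIED BY change_me;           -- ORA-01031
SET ROLE MINIDBA IDENTIFIED BY DBA#9876;
SELECT ROLE FROM SESSION_ROLES;                        -- MINIDBA, MUSIC_ACCESS
CREATE USER SCRATCH IDENTIFIED BY change_me;           -- succeeds
```

Check 2 is the query to keep for reviewing any role that is granted to other roles, because the nested grants are what a plain look at DBA_SYS_PRIVS for the outer role will miss.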
Oracle Database 10g provides some predefined roles you can use if you wish. There are many predefined roles. Some of them are listed as follows:

  • CONNECT. System privileges needed to log on and work as a database developer. Privileges include CREATE TABLE, CREATE VIEW, CREATE SESSION, CREATE CLUSTER, and so on. Each operating system has a slightly different group of privileges, but generally, you have all you need to do basic database work.

  • RESOURCE. System privileges needed for other database development, such as creating types. Privileges include CREATE TYPE and CREATE PROCEDURE. Like the CONNECT role, the exact privileges vary from system to system.

  • SELECT_CATALOG_ROLE. Allows access to data dictionary metadata and performance views, the catalog.

Use these to help you get started in administering your database. Oracle recommends, however, that you study the underlying privileges and create your own roles for most tasks. The CONNECT and RESOURCE roles may not be created automatically in future releases of Oracle.

23.3.4 Dropping Roles

This final section on roles involves removing roles. Whenever you remove a role, it is revoked from all users who currently have the role. Syntax for the DROP ROLE command is shown in Figure 23.17. Roles are an excellent way to consolidate privileges needed for running applications.

Figure 23.17 Dropping a Role Also Revokes the Role from Users.

[...]

... PL/SQL a Programming Language? PL/SQL extends SQL with programming controls and features such as procedures, variables, and control structures. Let's begin the meat of this chapter by asking: Why is PL/SQL classified as a programming language?

24.2 Why Is PL/SQL a Programming Language?

PL/SQL is a programming language because, unlike SQL, it allows dependencies to exist between multiple SQL commands, within...
... PL/SQL. In this chapter: What is PL/SQL? What are variables and PL/SQL datatypes? What are procedures, functions, triggers, and packages? How is data retrieved from the database using PL/SQL? What programming control structures exist in PL/SQL? What is dynamic or generic SQL? This chapter covers basic reference material and examples on how to write programs in PL/SQL. It should be noted that the PL/SQL...

... command to execute a DDL command inside a PL/SQL block. All DDL commands executed from within a PL/SQL block should be executed using the EXECUTE IMMEDIATE command.

BEGIN
  EXECUTE IMMEDIATE 'ALTER INDEX XUK_ARTIST_NAME REBUILD';
END;
/

Note: Previous versions of Oracle used a provided package called DBMS_SQL to execute dynamic SQL code inside PL/SQL blocks. DBMS_SQL can still be used, but the recommended...

... Is PL/SQL a Programming Language?

Figure 24.3 Executing a Named, Stored Procedure from within SQL

EXCEPTION
  WHEN OTHERS THEN
    DBMS_OUTPUT.PUT_LINE(SQLERRM(SQLCODE));
    RAISE;
END;
/

CREATE OR REPLACE TRIGGER uARTIST AFTER UPDATE OF NAME ON ARTIST FOR EACH ROW
BEGIN
  DBMS_OUTPUT.PUT_LINE('Artist changed from ' ||:OLD.NAME||' to '||:NEW.NAME);
EXCEPTION
  WHEN OTHERS THEN
    DBMS_OUTPUT.PUT_LINE(SQLERRM(SQLCODE));
...

... 24.6 Dynamic SQL

The DBMS_SQL package. This option is out of date, and the EXECUTE IMMEDIATE command is now recommended. The command EXECUTE IMMEDIATE is used to submit a string value as an Oracle SQL command to the Oracle SQL parser from inside a PL/SQL block. In this example, you are creating a stored procedure named GETROWS that...

... PL/SQL. It should be noted that PL/SQL is a wrapper extension of Oracle SQL in that its original purpose was that of database access only. However, in recent years, PL/SQL has been expanded voluminously to become more of a programming language.

24.1 What is PL/SQL?

PL/SQL is an acronym for Programming Language/SQL. Structured Query Language (SQL) is a scripting language. A scripting language usually does...

... PL/SQL

Figure 24.6 Using an Explicit Cursor

Following are three example PL/SQL anonymous blocks: the first contains INSERT and UPDATE statements, the second a SELECT … INTO statement, and the third a cursor FOR loop.

24.4.2.1 The Internal SQL Implicit Cursor

The results of the most recently executed implicit cursor are stored in an internal Oracle cursor called SQL. Note how the first example uses SQL%NOTFOUND...

... 24.5 Changing Data in PL/SQL

Figure 24.9 An Implicit Cursor FOR Loop

Now let's describe some small facts about changing data from within PL/SQL blocks.

24.5 Changing Data in PL/SQL

Not only can data in tables be changed from within PL/SQL blocks, but there are some small additions making coding a little easier and more efficient...

... within the same block of code. In Oracle SQL, each SQL statement cannot pass a result on to another SQL statement or control structure, but PL/SQL can. Also, perhaps more important, a programming language block structure allows one procedure to call another, allowing for a modular, compartmentalized, or perhaps even pseudo-object hierarchical programming structure. Therefore, PL/SQL is a programming language...

... go into any further detail.

24.4.2 Implicit Cursors

Every SQL statement both in SQL and inside a PL/SQL block not declared explicitly as a cursor is an implicit cursor. An implicit cursor is opened and closed by SQL or PL/SQL and is used to process INSERT, UPDATE, DELETE, and SELECT statements. A special type of implicit cursor exclusive to PL/SQL is called a cursor FOR loop. A cursor FOR loop is an implicit...
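The dynamic SQL fragments above show EXECUTE IMMEDIATE submitting a string to the parser; the added example below (not the book's code) shows the two ways caller input can enter such a string and the control that fits each: DBMS_ASSERT for an identifier that must be embedded in DDL, and a bind variable via USING for a data value. It uses the book's ARTIST table and XUK_ARTIST_NAME index; the procedure and function names are this example's own.

```sql
-- Added example, not from the book: dynamic SQL with caller input.
-- ARTIST, STATE_PROVINCE and XUK_ARTIST_NAME are the book's objects;
-- REBUILD_INDEX and ARTISTS_IN are names invented for this example.

-- Case 1: DDL takes no bind variables, so the identifier has to be part of
-- the string. DBMS_ASSERT.SQL_OBJECT_NAME returns the name only if it
-- resolves to an existing object and raises ORA-44002 otherwise, so free
-- text from the caller never reaches the parser as SQL.
CREATE OR REPLACE PROCEDURE REBUILD_INDEX(P_INDEX IN VARCHAR2) IS
  V_NAME VARCHAR2(128);
BEGIN
  V_NAME := DBMS_ASSERT.SQL_OBJECT_NAME(P_INDEX);
  EXECUTE IMMEDIATE 'ALTER INDEX ' || V_NAME || ' REBUILD';
EXCEPTION
  WHEN OTHERS THEN
    DBMS_OUTPUT.PUT_LINE(SQLERRM(SQLCODE));
    RAISE;
END;
/

-- Case 2: a value in a WHERE clause is passed with USING, not concatenated.
-- The statement text is fixed; the caller's string is only ever data, so a
-- quote character inside it cannot end the literal or alter the predicate.
CREATE OR REPLACE FUNCTION ARTISTS_IN(P_STATE IN VARCHAR2) RETURN NUMBER IS
  V_COUNT NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ARTIST WHERE STATE_PROVINCE = :st'
    INTO V_COUNT USING P_STATE;
  RETURN V_COUNT;
END;
/

-- The form Case 2 replaces, for comparison only: here the caller's text is
-- spliced into the statement and becomes part of the SQL the parser sees.
--   EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ARTIST WHERE STATE_PROVINCE = '''
--                     || P_STATE || '''' INTO V_COUNT;

SET SERVEROUTPUT ON
BEGIN
  REBUILD_INDEX('XUK_ARTIST_NAME');              -- accepted: existing index
  DBMS_OUTPUT.PUT_LINE(ARTISTS_IN('CA'));        -- count of California artists
  REBUILD_INDEX('NO_SUCH_INDEX; DROP TABLE X');  -- rejected by DBMS_ASSERT
END;
/
```

The last call is the check worth keeping in a test script: it must fail inside DBMS_ASSERT, before EXECUTE IMMEDIATE runs, and the ORA-44002 it prints is the evidence.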

Posted: 21/01/2014, 18:20

Table of contents

  • Oracle SQL : Jumpstart with Examples

    • Cover

    • Table of Contents

    • Foreword

    • Preface

    • Acknowledgements

    • 1 Introduction to Oracle SQL

    • 2 New Features of Oracle SQL

    • 3 Oracle Database Architecture

    • 4 The SELECT Statement

    • 5 Filtering Rows

    • 6 Sorting Rows

    • 7 Operators, Conditions, and Pseudocolumns

    • 8 Using SQL*Plus

    • 9 Single-Row Functions

    • 10 Joining Tables

    • 11 Grouping and Summarizing Data

    • 12 Subqueries

    • 13 Unusual Query Types

    • 14 Expressions

    • 15 Data Manipulation Language (DML)
