Join David Yahalom for an in-depth discussion in this video Introduction to database roles, part of Oracle Database 12c: Security.
- [Instructor] Roles in the Oracle Database are used to group several privileges together so that these privileges can be granted to and revoked from users simultaneously. You can think of roles in the context of an Oracle Database as buckets of permissions. You assign permissions or database privileges to roles, and then you can grant the role to any user account in your database.
By inheritance, the user account will hold all of the permissions that were assigned to the role. Imagine a scenario where you have multiple users in your database that need privileges to certain database objects that might share something in common, such as objects which are part of your sales application. Using database roles, you can create a dedicated sales role in your database, grant the required permissions on all of the various sales objects to the role, this could be multiple permissions, and then grant the role itself instead of all of the individual permissions to your database users.
As you can see, this greatly simplifies the process of assigning or granting multiple permissions to multiple users in your database. In addition to the custom roles that you can create manually, for which we'll see a demo in our next video, Oracle also comes with several built-in roles that are created during database installation. These pre-defined roles can help simplify database administration. While we don't have time to go over all of the individual roles that are built in to the Oracle Database, some of the most important ones include the Connect role which includes several permissions as you can see on your screen now.
The Resource role which includes another set of built-in permissions also presented in your screen. The DBA role which is a special role that includes all system privileges with the Admin option. We'll see what that means in a moment. This role is mostly used for backward compatibility with older Oracle versions, and in Oracle 12c, you should use the PDB_DBA and CDB_DBA roles instead. We also have a built-in PDB_DBA role which is granted automatically to the local user that is created when you create a new PDB from the seed PDB.
No privileges are provided for this role by default. The bottom line is only grant a DBA role to super users in your database, users that need full control over all tables, objects, and other users in your database. This is a very powerful role and granting it should be made with extreme caution. Also, while you can use the Connect and Resource roles or any of the other built-in roles in your database, they might contain excessive permissions that you might not want your users to hold, so it's always a best idea to create and assign custom roles by yourself instead of using the ones built in to the Oracle Database.
For a full list of built-in roles that come as part of the Oracle Database, please consult the Oracle documentation.
Learn how to identify the major risks and security threats, and review general best practices for properly protecting and "hardening" any production database. Then, dive into hands-on demos that show how to set up user accounts, the connection between users and schemas, database object and system permissions, and roles in a multitenant environment, as well as encrypt data, audit user actions, and access to sensitive information. Plus, find out how to enable data-at-rest security via the Oracle Transparent Data Encryption and backup encryption options.
- Core concepts of Oracle database security
- Potential threats to Oracle database security
- Authentication and authorization
- Auditing access
- Data encryption
- Users and permissions
- Database roles