Access Control Functionalities - Run unprivileged

Hi,

For Oracle, can a user or process within Oracle run in an unprivileged manner?
marrowyung, Senior Technical architecture (Data), Asked:

Mark Geerlings, Database Administrator, Commented:
In an Oracle database, any interactive user or user process can only do the actions that user has explicit grants or system privileges for, that have either been granted directly to the user, or to a role that was then granted to the user.

I don't know if this answers your question, or not.  If not, we will need some more explanation or clarification from you on exactly what you are asking about.  For example, do you see things happening in Oracle that you believe shouldn't be happening?  Or, are you prevented from doing things that you believe you should be allowed to do?
0

marrowyung, Senior Technical architecture (Data), Author Commented:
hi,

"In an Oracle database, any interactive user or user process can only do the actions that user has explicit grants or system privileges for, that have either been granted directly to the user, or to a role that was then granted to the user."

Does that mean that, once Oracle is installed, no one can access it except the root user? And after that we have to grant EACH user to the system one by one?
0
Mark Geerlings, Database Administrator, Commented:
Database access and operating system access are two different things.  In a Linux system, the root user has access to the entire operating system.  However, in an Oracle database running in a Linux system, security and access are *NOT* controlled by the O/S.  So, the root user doesn't have privileges inside Oracle.  In Oracle, the DBA accounts (SYS or SYSTEM) are used to create other Oracle user accounts and to give them privileges.  These are database user accounts that usually do not have accounts in the operating system.  These database user accounts are what Oracle-based applications use to interact with the database.
0
marrowyung, Senior Technical architecture (Data), Author Commented:
" So, the root user doesn't have privileges inside Oracle.  In Oracle, the DBA accounts (SYS or SYSTEM) are used to create other Oracle user accounts and to give them privileges.  "

yes, knew.
0
marrowyung, Senior Technical architecture (Data), Author Commented:
Thanks.
0
slightwv (䄆 Netminder) Commented:
>>So, the root user doesn't have privileges inside Oracle.

Clarifying that statement:  root can "su" to oracle which has access.

This can be mitigated using Advanced Security options like Transparent Data Encryption.
0
marrowyung, Senior Technical architecture (Data), Author Commented:
"Clarifying that statement:  root can "su" to oracle which has access."

Sorry, how? What is the command?

"This can be mitigated using Advanced Security options like Transparent Data Encryption."

You mean encrypt the whole DB?
0
Mark Geerlings, Database Administrator, Commented:
In a Linux system, the "su" command allows root to log into any other Linux user's account, then do or run whatever that user can normally do.  So, if your Oracle database runs in a Linux system (we don't know if that is true for you, or not) the root user has access to everything that the Oracle database software owner has.

If your Oracle database does not run in Linux (or a similar O/S) then you don't need to worry about the "su" command.
0
slightwv (䄆 Netminder) Commented:
As Mark pointed out:  su and root are Unix concerns.  Please tell us what OS you are needing help with.

If you are on Windows the system administrator can add themselves to the ORA_DBA group (dba group on Linux) and probably still get access.

In a nutshell:  You have to trust someone sometime with the keys to the kingdom.

>>you mean encrypt the whole DB ?

Specific tablespaces or columns and don't give the system administrators access to the Wallet or certificates to connect.  You can even keep your DBAs out of the data if you want to.
0
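
The OS-group route to database access mentioned in the comment above can be audited from the host. The following is an added example, not part of the original thread, that lists accounts in the OSDBA group, including those that hold it only as their primary GID. It assumes the group is named `dba` as in the comment; the function names, the allowlist and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which OS accounts are in the Oracle OSDBA group.
# Assumes the group is named "dba" (as in the thread) and that input files
# are in passwd(5)/group(5) format, e.g. from `getent passwd` / `getent group`.

# group_members GROUP PASSWD_FILE GROUP_FILE -> sorted account names.
# Counts supplementary members (group field 4) AND accounts whose primary
# GID (passwd field 4) is the group's GID, which the group file omits.
group_members() {
    awk -F: -v grp="$1" '
        FNR == NR {                       # first file: group database
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: passwd
        END { for (u in seen) print u }
    ' "$3" "$2" | sort
}

# unapproved_members GROUP PASSWD_FILE GROUP_FILE "allowed1 allowed2 ..."
# -> members that are not on the space-separated allowlist.
unapproved_members() {
    approved=" $4 "
    group_members "$1" "$2" "$3" | while read -r u; do
        case "$approved" in *" $u "*) ;; *) echo "$u" ;; esac
    done
}

# Constructed sample data (not taken from a real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/group" <<'EOF'
oinstall:x:54321:oracle
dba:x:54322:oracle,alice
wheel:x:10:bob
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
oracle:x:54321:54321::/home/oracle:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
carol:x:1003:54322::/home/carol:/bin/bash
EOF

# Only "oracle" is approved here; alice and carol are reported.
unapproved_members dba "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" "oracle"
```

Membership is only part of the picture: as the thread notes, root can become any of these accounts, so the list shows who has the access by design, not everyone who could obtain it.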
marrowyung, Senior Technical architecture (Data), Author Commented:
Mark Geerlings,

"In a Linux system, the "su" command allows root to log into any other Linux user's account, then do or run whatever that user can normally do.  So, if your Oracle database runs in a Linux system (we don't know if that is true for you, or not) the root user has access to everything that the Oracle database software owner has"

In our case, the direction is reversed. We log in as a normal user, then su to root, then we install SW / log in to MySQL.

"If your Oracle database does not run in Linux (or a similar O/S) then you don't need to worry about the "su" command."

Unix doesn't use su?

slightwv,

"As Mark pointed out:  su and root are Unix concerns. "

It seems a Linux concern.

"Specific tablespaces or columns and don't give the system administrators access to the Wallet or certificates to connect.  You can even keep your DBAs out of the data if you want to."

Wait, this is about ACL but not encryption, right?
0
slightwv (䄆 Netminder) Commented:
>>wait, this is about ACL but not encryption, right ?

No.  It is about Transparent Data Encryption (TDE).

>>Unix don't use su ?

Unix/Linux/any variation uses "su".

>> then we install SW / login to MySQL

Then why are you asking about Oracle?

>>the direction is reverse. we login as a normal user then su as a root

It doesn't matter what order you do things.  Once you are "root", you can become any user you want to become.
0
marrowyung, Senior Technical architecture (Data), Author Commented:
">> then we install SW / login to MySQL

Then why are you asking about Oracle?
"

I mean this is one of our cases. The way we use it, as we use MySQL on Linux.

"It doesn't matter what order you do things.  Once you are "root", you can become any user you want to become."

I mean, does that mean we can log in to Oracle without a DBA role or login?
0
slightwv (䄆 Netminder) Commented:
The oracle user can almost always connect to the database or they have the ability to give them the ability to connect to the database.  So does root since root can edit any config file on the system.
0
Mark Geerlings, Database Administrator, Commented:
Slightwv and I are still trying to understand exactly what your question is.  Are you asking about operating system users and privileges, or privileges inside the database, or both?  Also, I thought your question was limited to Oracle since you posted it in the Oracle section of this site.  But now you mention MySQL.  So, I'm certainly not clear on what your question is.  And, it looks to me like slightwv is also uncertain of what you are asking about.
0
marrowyung, Senior Technical architecture (Data), Author Commented:
Thanks a lot anyway.
0