Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:01,190 --> 00:00:02,650 In this lesson, we're going to take 2 00:00:02,650 --> 00:00:07,770 a look at Oracle's schema based approach to user accounts. 3 00:00:07,770 --> 00:00:11,070 So traditionally, there are two classifications 4 00:00:11,070 --> 00:00:13,650 of database accounts, that is to say, 5 00:00:13,650 --> 00:00:16,660 accounts that are stored in the database. 6 00:00:16,660 --> 00:00:18,900 The first type is an object owner. 7 00:00:18,900 --> 00:00:21,630 So an object owner is going to be exactly what it 8 00:00:21,630 --> 00:00:23,070 would sound like. 9 00:00:23,070 --> 00:00:25,860 The account is the owner of objects. 10 00:00:25,860 --> 00:00:28,860 And, by objects, we mean things like tables, and indexes, 11 00:00:28,860 --> 00:00:31,740 and sequences, and synonyms. 12 00:00:31,740 --> 00:00:34,020 The second type of database account 13 00:00:34,020 --> 00:00:35,970 we have is an interactive user. 14 00:00:35,970 --> 00:00:39,090 And that's going to be a user that connects into the database 15 00:00:39,090 --> 00:00:40,200 and does work-- 16 00:00:40,200 --> 00:00:45,790 issues queries, creates tables, inserts data, deletes data. 17 00:00:45,790 --> 00:00:48,510 So even though there are those two classifications 18 00:00:48,510 --> 00:00:53,290 of database account, Oracle uses a slightly different approach. 19 00:00:53,290 --> 00:00:56,620 And it's called a schema based approach. 20 00:00:56,620 --> 00:00:58,860 And, in this approach, the two types 21 00:00:58,860 --> 00:01:02,700 of classifications that we've mentioned are one and the same. 22 00:01:02,700 --> 00:01:08,310 So a user is also an object owner or, at least, it can be. 23 00:01:08,310 --> 00:01:09,540 So let's take a look at this. 24 00:01:12,420 --> 00:01:15,150 So in Oracles, we have schemas. 25 00:01:15,150 --> 00:01:17,680 So let's say we have a user, Kara, 26 00:01:17,680 --> 00:01:19,460 who connects to the database. 27 00:01:19,460 --> 00:01:21,560 She can connect to the database and do 28 00:01:21,560 --> 00:01:25,460 whatever work she has the permissions and the rolls 29 00:01:25,460 --> 00:01:26,690 to do. 30 00:01:26,690 --> 00:01:31,700 But if Kara creates objects, such as an EMP table, a DEPT, 31 00:01:31,700 --> 00:01:34,730 or an IDx1 index, for instance, we 32 00:01:34,730 --> 00:01:37,970 say that Kara now has a schema. 33 00:01:37,970 --> 00:01:41,030 And so we say, this is Kara schema. 34 00:01:41,030 --> 00:01:44,180 We say the EMP table is in the Kara schema, 35 00:01:44,180 --> 00:01:47,900 and the IDx1 index is in the Kara schema. 36 00:01:47,900 --> 00:01:49,520 So this is the schema based approach. 37 00:01:52,100 --> 00:01:55,490 So there are a couple of problems with this. 38 00:01:55,490 --> 00:02:00,230 Generally, it's bad security to mix users and objects. 39 00:02:00,230 --> 00:02:02,150 And that's mainly because external accounts 40 00:02:02,150 --> 00:02:04,670 can be compromised. 41 00:02:04,670 --> 00:02:07,540 So let's say we have a development house where 42 00:02:07,540 --> 00:02:11,410 we develop applications, and part of those applications 43 00:02:11,410 --> 00:02:13,300 work with database data. 44 00:02:13,300 --> 00:02:15,920 If we have a developer that goes into the database, 45 00:02:15,920 --> 00:02:18,700 and creates tables and indexes, those 46 00:02:18,700 --> 00:02:21,560 will belong to that developer schema. 47 00:02:21,560 --> 00:02:24,250 So, if Kara, for instance, is a developer 48 00:02:24,250 --> 00:02:27,730 and she goes in, logs in, and creates some of the application 49 00:02:27,730 --> 00:02:31,690 tables, indexes, sequences, so on and so forth, 50 00:02:31,690 --> 00:02:34,180 those are going to belong in her schema. 51 00:02:34,180 --> 00:02:38,950 Now, it is possible to go ahead and make that workable. 52 00:02:38,950 --> 00:02:42,010 The application would just need to connect to Kara's schema. 53 00:02:42,010 --> 00:02:44,800 However, it's generally bad security because, 54 00:02:44,800 --> 00:02:48,460 if Kara's account is compromised and she's 55 00:02:48,460 --> 00:02:50,770 using it to connect into the database, 56 00:02:50,770 --> 00:02:53,530 then the attacker could have access 57 00:02:53,530 --> 00:02:58,240 to all of that data that's stored in her schema. 58 00:02:58,240 --> 00:02:59,980 So Oracle allows us with the schema 59 00:02:59,980 --> 00:03:05,680 based approach the flexibility to be either very secure or not 60 00:03:05,680 --> 00:03:06,880 very secure. 61 00:03:06,880 --> 00:03:09,100 And really the choice is up to us. 62 00:03:09,100 --> 00:03:12,280 So, in the previous example, that's not very secure, 63 00:03:12,280 --> 00:03:15,850 having a user with an interactive account that 64 00:03:15,850 --> 00:03:17,770 also owns objects. 65 00:03:17,770 --> 00:03:20,170 But Oracle's schema based approach 66 00:03:20,170 --> 00:03:23,500 does allow for a separation of user accounts. 67 00:03:23,500 --> 00:03:26,110 Object owners and database users, we just 68 00:03:26,110 --> 00:03:28,430 have to build it that way. 69 00:03:28,430 --> 00:03:32,890 So let's say we have object owners, such as HR for Human 70 00:03:32,890 --> 00:03:36,790 Resources, FIN for Finance, OE for Order Entry, 71 00:03:36,790 --> 00:03:40,030 and each one of those schemas has objects in it. 72 00:03:40,030 --> 00:03:44,350 So EMP and bonus in the HR schema, account and receivable 73 00:03:44,350 --> 00:03:47,690 in the finance scheme, so on and so forth. 74 00:03:47,690 --> 00:03:50,920 We can allow those users HR, OE, and FIN 75 00:03:50,920 --> 00:03:54,340 to be object owners and nothing else, 76 00:03:54,340 --> 00:03:57,880 and then we can create database users such as Kara, Lee, 77 00:03:57,880 --> 00:04:00,880 and Saul, and those users will connect 78 00:04:00,880 --> 00:04:04,870 in given the proper privileges and use those schemas 79 00:04:04,870 --> 00:04:08,780 or, rather, the objects in those schemas. 80 00:04:08,780 --> 00:04:12,570 What we can then do is lock the object owner accounts. 81 00:04:12,570 --> 00:04:14,030 So those accounts would actually be 82 00:04:14,030 --> 00:04:17,540 locked so that, even if you did know the password, 83 00:04:17,540 --> 00:04:19,550 the account will need a password, 84 00:04:19,550 --> 00:04:21,410 but even if you know the password, 85 00:04:21,410 --> 00:04:24,080 you couldn't log in with that account. 86 00:04:24,080 --> 00:04:27,110 So object owners are locked out so 87 00:04:27,110 --> 00:04:30,890 that no one can connect directly into the object schema 88 00:04:30,890 --> 00:04:32,490 and see the data. 89 00:04:32,490 --> 00:04:34,640 So each one of these database users 90 00:04:34,640 --> 00:04:37,310 must have the given permissions to be 91 00:04:37,310 --> 00:04:39,590 able to look at these objects. 92 00:04:39,590 --> 00:04:42,590 And, in doing so, we can use Oracle schema based 93 00:04:42,590 --> 00:04:45,660 approach for greater security. 7508