CREATE ROLE PurchaseQueryRole;
GRANT SELECT ON TABLE Part TO PurchaseQueryRole; GRANT SELECT ON TABLE Supplier TO PurchaseQueryRole; GRANT SELECT ON TABLE PartSupp TO PurchaseQueryRole;
CREATE ROLE SaleQueryRole;
GRANT SELECT ON TABLE Order TO SaleQueryRole; GRANT SELECT ON TABLE Lineitem TO SaleQueryRole;
CREATE ROLE CustomerQueryRole;
GRANT SELECT ON TABLE Customer TO CustomerQueryRole; GRANT SELECT ON TABLE Nation TO CustomerQueryRole; GRANT SELECT ON TABLE Region TO CustomerQueryRole;
2为各个部门分别创建一个职员角色,对本部门信息具有查看、插入权限。 ○
CREATE ROLE PurchaseEmployeeRole;
GRANT SELECT,INSERT ON TABLE Part TO PurchaseEmployeeRole; GRANT SELECT,INSERT ON TABLE Supplier TO PurchaseEmployeeRole; GRANT SELECT,INSERT ON TABLE PartSupp TO PurchaseEmployeeRole;
CREATE ROLE SaleEmployeeRole;
GRANT SELECT,INSERT ON TABLE Order TO SaleEmployeeRole; GRANT SELECT,INSERT ON TABLE Lineitem TO SaleEmployeeRole;
CREATE ROLE CustomerEmployeeRole;
GRANT SELECT,INSERT ON TABLE Customer TO CustomerEmployeeRole; GRANT SELECT,INSERT ON TABLE Nation TO CustomerEmployeeRole; GRANT SELECT,INSERT ON TABLE Region TO CustomerEmployeeRole; 3为各个部门创建一个经理角色,相应角色对本部门的信息具有完全控制权限,○
对其他部门的信息具有查询权。经理有权给本部门资源分配权限。 CREATE ROLE PurchaseManagerRole WITH CREATEROLE; GRANT ALL ON TABLE Part TO PurchaseManagerRole; GRANT ALL ON TABLE Supplier TO PurchaseManagerRole; GRANT ALL ON TABLE PartSupp TO PurchaseManagerRole; GRANT SaleQueryRole TO PurchaseManagerRole;
GRANT CustomerQueryRole TO PurchaseManagerRole;
CREATE ROLE SaleManagerRole WITH CREATEROLE; GRANT ALL ON TABLE Order TO SaleManagerRole GRANT ALL ON TABLE Lineitem TO SaleManagerRole GRANT SaleQueryRole TO SaleManagerRole GRANT PurchaseQueryRole TO SaleManagerRole
CREATE ROLE CustomerManagerRole WITH CREATEROLE; GRANT ALL ON TABLE Customer TO CustomerManagerRole GRANT ALL ON TABLE Nation TO CustomerManagerRole GRANT ALL ON TABLE Region TO CustomerManagerRole GRANT SaleQueryRole TO CustomerManagerRole GRANT PurchaseQueryRole TO CustomerManagerRole (3)给用户分配权限 1给部门经理分配权限。 ○
GRANT PurchaseManagerRole TO David WITH ADMIN OPTION; GRANT SaleManagerRole TO Tom WITH ADMIN OPTION;
GRANT CustomerManagerRole TO Kathy WITH ADMIN OPTION; 2给各部门职员分配权限 ○
GRANT PurchaseEmployeeRole TO Jeffery; GRANT SaleEmployeeRole TO Jane;
GRANT CustomerEmployeeRole TO Mike; (4)回收角色或用户权限
1收回客户经理角色的销售信息查看权限。 ○
REVOKE SaleQueryRole FROM CustomerManagerRole; 2回收MIKE的客户部门职员权限。 ○
REVOKE CustomerEmployeeRole FROM Mike; (5)验证权限分配正确性
1以David用户名登录数据库,验证采购部门经理的权限 ○
SELECT * FROM Part; DELETE * FROM Order;
2回收MIKE的客户部门职员权限 ○
SELECT * FROM Customer; SELECT * FROM Part; 2、审计实验 (1)审计开关
1显示当前审计开关状态 ○
SHOW AUDIT_TRAIL; 2打开审计开关 ○
SET AUDIT_TRAIL TO ON; (2)数据库操作审计
1对客户信息表上的删除操作设置审计。 ○
AUDIT DELETE ON Sales.Customer BY ACCESS; 2以普通用户登录,执行sql语句。 ○
DELETE Sales.Customer WHERE custkey=1011;
3查看数据库对象审计信息,验证审计设置是否生效。 ○
SELECT * FROM SYS_AUDIT_OBJECT; (3)语句级审计
1对表定义的更改语句ALTER设置审计 ○
AUDIT ALTER TABLE BY ACCESS;
2查看所有数据库所有语句级审计设置,验证审计设置是否生效 ○
SELECT * FROM SYS_STMT_AUDIT_OPTS;
3以普通用户登录,执行sql语句,验证审计设置是否生效 ○
ALTER TABLE Customer ADD COLUMN tt INT; 4查看所有审计信息 ○
SELECT * FROM SYS_AUDIT_TRAIL;
四、实验心得
通过本次实验,知道了定义用户、角色,分配权限给用户、角色,回收权限,并以相应的用户名登陆数据库验证权限分配是否正确的方法。并且知道了数据库审计的目的和方法。做实验的同时,对sql语句有了更熟练的运用。
实验项目名称:完整性语言实验 实验学时: 2 同组学生姓名: 孟陈、陈晓雪、季佰军 实验地点: 1318 实验日期: 6.2 实验成绩: 批改教师: 批改时间: