Administration Database Users including Roles and Privileges on Multitenant

This topic describes how to create and manage a user in Multitenant database.

There are two types of users in Multitenant Database:

  • Common User: User exists in all containers (root container and all PDBS).
  • Local User: User exists on particular PDB only.

Similarly, Two types of role are available in Multitenant Database:

  • Common Role: Role exists in all containers (root container and all PDBS).
  • Local Role: Role exists on particular PDB only.

Note::: Common or Local User and Role are same way to create to manager.

Create Common User:

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
4 SALESPDB MOUNTED
5 PDBTEST READ WRITE NO
7 PDBNODATA MOUNTED
SQL> show parameter common
NAME TYPE VALUE
------------------------------------ ----------- ------------------------------
common_user_prefix string C##
SQL> show pdbs CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 2 PDB$SEED READ ONLY NO 4 SALESPDB MOUNTED 5 PDBTEST READ WRITE NO 7 PDBNODATA MOUNTED SQL> show parameter common NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ common_user_prefix string C##
SQL> show pdbs

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         4 SALESPDB                       MOUNTED
         5 PDBTEST                        READ WRITE NO
         7 PDBNODATA                      MOUNTED

SQL> show parameter common

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
common_user_prefix                   string      C##

Note::: Grant privileges to common user using container=all for root as well as PDBs. If don’t use container=all then it will applicable for container root only.

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> create user c##usercon identified by oracle;
User created.
SQL> grant create session, connect, resource to c##usercon;
Grant succeeded.
SQL> conn c##usercon/oracle;
Connected.
SQL> show user
USER is "C##USERCON"
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> conn / as sysdba
Connected.
SQL> conn c##usercon/oracle@pdbtest
ERROR:
ORA-01045: user C##USERCON lacks CREATE SESSION privilege; logon denied
Warning: You are no longer connected to ORACLE.
SQL> grant connect, resource to c##usercon container=all;
Grant succeeded.
SQL> conn c##usercon/oracle@pdbtest
Connected.
SQL> show user
USER is "C##USERCON"
SQL> show con_name
CON_NAME
------------------------------
PDBTEST
SQL> show con_name CON_NAME ------------------------------ CDB$ROOT SQL> create user c##usercon identified by oracle; User created. SQL> grant create session, connect, resource to c##usercon; Grant succeeded. SQL> conn c##usercon/oracle; Connected. SQL> show user USER is "C##USERCON" SQL> show con_name CON_NAME ------------------------------ CDB$ROOT SQL> conn / as sysdba Connected. SQL> conn c##usercon/oracle@pdbtest ERROR: ORA-01045: user C##USERCON lacks CREATE SESSION privilege; logon denied Warning: You are no longer connected to ORACLE. SQL> grant connect, resource to c##usercon container=all; Grant succeeded. SQL> conn c##usercon/oracle@pdbtest Connected. SQL> show user USER is "C##USERCON" SQL> show con_name CON_NAME ------------------------------ PDBTEST
SQL> show con_name

CON_NAME
------------------------------
CDB$ROOT

SQL> create user c##usercon identified by oracle;

User created.

SQL> grant create session, connect, resource to c##usercon;

Grant succeeded.

SQL> conn c##usercon/oracle;
Connected.

SQL> show user
USER is "C##USERCON"

SQL> show con_name

CON_NAME
------------------------------
CDB$ROOT

SQL> conn / as sysdba
Connected.

SQL> conn c##usercon/oracle@pdbtest
ERROR:
ORA-01045: user C##USERCON lacks CREATE SESSION privilege; logon denied


Warning: You are no longer connected to ORACLE.

SQL> grant connect, resource to c##usercon container=all;

Grant succeeded.

SQL> conn c##usercon/oracle@pdbtest
Connected.

SQL> show user
USER is "C##USERCON"

SQL> show con_name

CON_NAME
------------------------------
PDBTEST

Common user will be created in all PDBs automatically:

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
SQL> show pdbs
CON_ID CON_NAME OPEN MODE RESTRICTED
---------- ------------------------------ ---------- ----------
2 PDB$SEED READ ONLY NO
4 SALESPDB MOUNTED
5 PDBTEST READ WRITE NO
7 PDBNODATA MOUNTED
SQL> col USERNAME for A20
SQL> set linesize 100
SQL> SELECT username, b.name, user_id, a.con_id
FROM cdb_users a, v$containers b
WHERE a.con_id = b.con_id AND username = 'C##USERCON';
USERNAME NAME USER_ID CON_ID
-------------------- ------------------------------ ---------- ----------
C##USERCON PDBTEST 105 5
C##USERCON CDB$ROOT 102 1
SQL> alter pluggable database pdbnodata open;
Pluggable database altered.
SQL> SELECT username, b.name, user_id, a.con_id
FROM cdb_users a, v$containers b
WHERE a.con_id = b.con_id AND username = 'C##USERCON';
USERNAME NAME USER_ID CON_ID
-------------------- ------------------------------ ---------- ----------
C##USERCON PDBTEST 105 5
C##USERCON CDB$ROOT 102 1
C##USERCON PDBNODATA 105 7
SQL> show pdbs CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 2 PDB$SEED READ ONLY NO 4 SALESPDB MOUNTED 5 PDBTEST READ WRITE NO 7 PDBNODATA MOUNTED SQL> col USERNAME for A20 SQL> set linesize 100 SQL> SELECT username, b.name, user_id, a.con_id FROM cdb_users a, v$containers b WHERE a.con_id = b.con_id AND username = 'C##USERCON'; USERNAME NAME USER_ID CON_ID -------------------- ------------------------------ ---------- ---------- C##USERCON PDBTEST 105 5 C##USERCON CDB$ROOT 102 1 SQL> alter pluggable database pdbnodata open; Pluggable database altered. SQL> SELECT username, b.name, user_id, a.con_id FROM cdb_users a, v$containers b WHERE a.con_id = b.con_id AND username = 'C##USERCON'; USERNAME NAME USER_ID CON_ID -------------------- ------------------------------ ---------- ---------- C##USERCON PDBTEST 105 5 C##USERCON CDB$ROOT 102 1 C##USERCON PDBNODATA 105 7
SQL> show pdbs

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         4 SALESPDB                       MOUNTED
         5 PDBTEST                        READ WRITE NO
         7 PDBNODATA                      MOUNTED

SQL> col USERNAME for A20
SQL> set linesize 100
SQL> SELECT username, b.name, user_id, a.con_id
FROM cdb_users a, v$containers b
WHERE a.con_id = b.con_id AND username = 'C##USERCON';  

USERNAME             NAME                              USER_ID     CON_ID
-------------------- ------------------------------ ---------- ----------
C##USERCON           PDBTEST                               105          5
C##USERCON           CDB$ROOT                              102          1

SQL> alter pluggable database pdbnodata open;

Pluggable database altered.

SQL> SELECT username, b.name, user_id, a.con_id
FROM cdb_users a, v$containers b
WHERE a.con_id = b.con_id AND username = 'C##USERCON';  

USERNAME             NAME                              USER_ID     CON_ID
-------------------- ------------------------------ ---------- ----------
C##USERCON           PDBTEST                               105          5
C##USERCON           CDB$ROOT                              102          1
C##USERCON           PDBNODATA                             105          7

Common user can be created only from root container:

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
SQL> alter session set container=PDBTEST;
Session altered.
SQL> show user
USER is "SYS"
SQL> create user c##usercon01 identified by oracle;
create user c##usercon01 identified by oracle
*
ERROR at line 1:
ORA-65094: invalid local user or role name
SQL> alter session set container=PDBTEST; Session altered. SQL> show user USER is "SYS" SQL> create user c##usercon01 identified by oracle; create user c##usercon01 identified by oracle * ERROR at line 1: ORA-65094: invalid local user or role name
SQL> alter session set container=PDBTEST;

Session altered.

SQL> show user
USER is "SYS"

SQL> create user c##usercon01 identified by oracle;
create user c##usercon01 identified by oracle
            *
ERROR at line 1:
ORA-65094: invalid local user or role name

Create Local User:

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
SQL> alter session set container=PDBTEST;
Session altered.
SQL> show con_name
CON_NAME
------------------------------
PDBTEST
SQL> create user user_pdb identified by oracle;
User created.
SQL> grant create session, connect, resource to user_pdb;
Grant succeeded.
SQL> conn user_pdb/oracle@pdbtest
Connected.
SQL> show con_name
CON_NAME
------------------------------
PDBTEST
SQL> show user
USER is "USER_PDB"
SQL> alter session set container=PDBTEST; Session altered. SQL> show con_name CON_NAME ------------------------------ PDBTEST SQL> create user user_pdb identified by oracle; User created. SQL> grant create session, connect, resource to user_pdb; Grant succeeded. SQL> conn user_pdb/oracle@pdbtest Connected. SQL> show con_name CON_NAME ------------------------------ PDBTEST SQL> show user USER is "USER_PDB"
SQL> alter session set container=PDBTEST;

Session altered.

SQL> show con_name

CON_NAME
------------------------------
PDBTEST

SQL> create user user_pdb identified by oracle;

User created.

SQL> grant create session, connect, resource to user_pdb;

Grant succeeded.

SQL> conn user_pdb/oracle@pdbtest
Connected.

SQL> show con_name

CON_NAME
------------------------------
PDBTEST

SQL> show user
USER is "USER_PDB"

Local user can be created from PDB only but not from root container:

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
SQL> show user
USER is "SYS"
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> create user user_pdb identified by oracle;
create user user_pdb identified by oracle
*
ERROR at line 1:
ORA-65096: invalid common user or role name
SQL> show user USER is "SYS" SQL> show con_name CON_NAME ------------------------------ CDB$ROOT SQL> create user user_pdb identified by oracle; create user user_pdb identified by oracle * ERROR at line 1: ORA-65096: invalid common user or role name
SQL> show user
USER is "SYS"
SQL> show con_name

CON_NAME
------------------------------
CDB$ROOT
SQL> create user user_pdb identified by oracle;
create user user_pdb identified by oracle
            *
ERROR at line 1:
ORA-65096: invalid common user or role name

Common Role:

Common role has to be created same way like Common user.

  • Role Name should be starting with C##
  • Creates from root container.
  • Can be assigned to common user as well as local users any PDBs.
  • Common Role name is unique for entire database (CDB + PDBs).
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
SQL> create role c##role_hr;
Role created.
SQL> grant create session to c##role_hr;
Grant succeeded.
SQL> grant c##role_hr to c##usercon;
Grant succeeded.
SQL> grant c##role_hr to user_pdb;
grant c##role_hr to user_pdb
*
ERROR at line 1:
ORA-01917: user or role 'USER_PDB' does not exist
SQL> alter session set container=pdbtest;
Session altered.
SQL> grant c##role_hr to user_pdb;
Grant succeeded.
SQL> create role c##role_hr; Role created. SQL> grant create session to c##role_hr; Grant succeeded. SQL> grant c##role_hr to c##usercon; Grant succeeded. SQL> grant c##role_hr to user_pdb; grant c##role_hr to user_pdb * ERROR at line 1: ORA-01917: user or role 'USER_PDB' does not exist SQL> alter session set container=pdbtest; Session altered. SQL> grant c##role_hr to user_pdb; Grant succeeded.
SQL> create role c##role_hr;

Role created.

SQL> grant create session to c##role_hr;

Grant succeeded.

SQL> grant c##role_hr to c##usercon;

Grant succeeded.

SQL> grant c##role_hr to user_pdb;
grant c##role_hr to user_pdb
                    *
ERROR at line 1:
ORA-01917: user or role 'USER_PDB' does not exist

SQL> alter session set container=pdbtest;

Session altered.

SQL> grant c##role_hr to user_pdb;

Grant succeeded.

Local Role:

  • Role Name should not starting with C##.
  • Creates from a PDB.
  • Can be assigned to local user of the PDB only.
  • Local Role name is unique for a PDB.
Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
SQL> create role role_local;
Role created.
SQL> grant create session, select any table to role_local;
Grant succeeded.
SQL> grant role_local to user_pdb;
Grant succeeded.
SQL> grant role_local to c##usercon;
Grant succeeded.
SQL> create role role_local; Role created. SQL> grant create session, select any table to role_local; Grant succeeded. SQL> grant role_local to user_pdb; Grant succeeded. SQL> grant role_local to c##usercon; Grant succeeded.
SQL> create role role_local;

Role created.

SQL> grant create session, select any table to role_local;

Grant succeeded.

SQL> grant role_local to user_pdb;

Grant succeeded.

SQL> grant role_local to c##usercon;

Grant succeeded.

Create an object from common user:

Can be created an object (like Table or View etc) with same name on CDB and PDBs from common user.

Table create on a CDB using common user:

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> show user
USER is "C##USERCON"
SQL> Create table root_test (id number);
Table created.
SQL> show con_name CON_NAME ------------------------------ CDB$ROOT SQL> show user USER is "C##USERCON" SQL> Create table root_test (id number); Table created.
SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> show user
USER is "C##USERCON"

SQL> Create table root_test (id number);

Table created.

Table create on a PDB using common user:

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
SQL> show con_name
CON_NAME
------------------------------
PDBNODATA
SQL> show user
USER is "C##USERCON"
SQL> create table C##USERCON.root_test (id number);
Table created.
SQL> show con_name CON_NAME ------------------------------ PDBNODATA SQL> show user USER is "C##USERCON" SQL> create table C##USERCON.root_test (id number); Table created.
SQL> show con_name
CON_NAME
------------------------------
PDBNODATA

SQL> show user
USER is "C##USERCON"

SQL> create table C##USERCON.root_test (id number);

Table created.

Table create on a PDB using common user:

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
SQL> show con_name
CON_NAME
------------------------------
PDBTEST
SQL> show user
USER is "C##USERCON"
SQL> create table C##USERCON.root_test (id number);
Table created.
SQL> show con_name CON_NAME ------------------------------ PDBTEST SQL> show user USER is "C##USERCON" SQL> create table C##USERCON.root_test (id number); Table created.
SQL> show con_name
CON_NAME
------------------------------
PDBTEST

SQL> show user
USER is "C##USERCON"

SQL> create table C##USERCON.root_test (id number);

Table created.

Table with same name on all PDBs and Container for a common user:

Plain text
Copy to clipboard
Open code in new window
EnlighterJS 3 Syntax Highlighter
col OWNER for A20
col OBJECT_NAME for A20
set linesize 100
SQL> SELECT a.con_id, b.name, owner, object_name, object_id
FROM cdb_objects a, v$containers b
WHERE a.con_id = b.con_id AND a.object_name = 'ROOT_TEST';
CON_ID NAME OWNER OBJECT_NAME OBJECT_ID
---------- ------------------------------ -------------------- -------------------- ----------
7 PDBNODATA C##USERCON ROOT_TEST 91941
5 PDBTEST C##USERCON ROOT_TEST 91823
1 CDB$ROOT C##USERCON ROOT_TEST 92447
col OWNER for A20 col OBJECT_NAME for A20 set linesize 100 SQL> SELECT a.con_id, b.name, owner, object_name, object_id FROM cdb_objects a, v$containers b WHERE a.con_id = b.con_id AND a.object_name = 'ROOT_TEST'; CON_ID NAME OWNER OBJECT_NAME OBJECT_ID ---------- ------------------------------ -------------------- -------------------- ---------- 7 PDBNODATA C##USERCON ROOT_TEST 91941 5 PDBTEST C##USERCON ROOT_TEST 91823 1 CDB$ROOT C##USERCON ROOT_TEST 92447
col OWNER for A20
col OBJECT_NAME for A20
set linesize 100

SQL> SELECT a.con_id, b.name, owner, object_name, object_id
FROM cdb_objects a, v$containers b
WHERE a.con_id = b.con_id AND a.object_name = 'ROOT_TEST';

    CON_ID NAME                           OWNER                OBJECT_NAME           OBJECT_ID
---------- ------------------------------ -------------------- -------------------- ----------
         7 PDBNODATA                      C##USERCON           ROOT_TEST                 91941
         5 PDBTEST                        C##USERCON           ROOT_TEST                 91823
         1 CDB$ROOT                       C##USERCON           ROOT_TEST                 92447