Administration Database Users including Roles and Privileges on Multitenant

This topic describes how to create and manage a user in Multitenant database.

There are two types of users in Multitenant Database:

Common User: User exists in all containers (root container and all PDBS).
Local User: User exists on particular PDB only.

Similarly, Two types of role are available in Multitenant Database:

Common Role: Role exists in all containers (root container and all PDBS).
Local Role: Role exists on particular PDB only.

Note::: Common or Local User and Role are same way to create to manager.

Create Common User:

SQL> show pdbs

CON_ID CON_NAME OPEN MODE RESTRICTED

---------- ------------------------------ ---------- ----------

2 PDB$SEED READ ONLY NO

4 SALESPDB MOUNTED

5 PDBTEST READ WRITE NO

7 PDBNODATA MOUNTED

SQL> show parameter common

NAME TYPE VALUE

------------------------------------ ----------- ------------------------------

common_user_prefix string C##

SQL> show pdbs CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 2 PDB$SEED READ ONLY NO 4 SALESPDB MOUNTED 5 PDBTEST READ WRITE NO 7 PDBNODATA MOUNTED SQL> show parameter common NAME TYPE VALUE ------------------------------------ ----------- ------------------------------ common_user_prefix string C##

SQL> show pdbs

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         4 SALESPDB                       MOUNTED
         5 PDBTEST                        READ WRITE NO
         7 PDBNODATA                      MOUNTED

SQL> show parameter common

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
common_user_prefix                   string      C##

Note::: Grant privileges to common user using container=all for root as well as PDBs. If don’t use container=all then it will applicable for container root only.

SQL> show con_name

CON_NAME

------------------------------

CDB$ROOT

SQL> create user c##usercon identified by oracle;

User created.

SQL> grant create session, connect, resource to c##usercon;

Grant succeeded.

SQL> conn c##usercon/oracle;

Connected.

SQL> show user

USER is "C##USERCON"

SQL> show con_name

CON_NAME

------------------------------

CDB$ROOT

SQL> conn / as sysdba

Connected.

SQL> conn c##usercon/oracle@pdbtest

ERROR:

ORA-01045: user C##USERCON lacks CREATE SESSION privilege; logon denied

Warning: You are no longer connected to ORACLE.

SQL> grant connect, resource to c##usercon container=all;

Grant succeeded.

SQL> conn c##usercon/oracle@pdbtest

Connected.

SQL> show user

USER is "C##USERCON"

SQL> show con_name

CON_NAME

------------------------------

PDBTEST

SQL> show con_name CON_NAME ------------------------------ CDB$ROOT SQL> create user c##usercon identified by oracle; User created. SQL> grant create session, connect, resource to c##usercon; Grant succeeded. SQL> conn c##usercon/oracle; Connected. SQL> show user USER is "C##USERCON" SQL> show con_name CON_NAME ------------------------------ CDB$ROOT SQL> conn / as sysdba Connected. SQL> conn c##usercon/oracle@pdbtest ERROR: ORA-01045: user C##USERCON lacks CREATE SESSION privilege; logon denied Warning: You are no longer connected to ORACLE. SQL> grant connect, resource to c##usercon container=all; Grant succeeded. SQL> conn c##usercon/oracle@pdbtest Connected. SQL> show user USER is "C##USERCON" SQL> show con_name CON_NAME ------------------------------ PDBTEST

SQL> show con_name

CON_NAME
------------------------------
CDB$ROOT

SQL> create user c##usercon identified by oracle;

User created.

SQL> grant create session, connect, resource to c##usercon;

Grant succeeded.

SQL> conn c##usercon/oracle;
Connected.

SQL> show user
USER is "C##USERCON"

SQL> show con_name

CON_NAME
------------------------------
CDB$ROOT

SQL> conn / as sysdba
Connected.

SQL> conn c##usercon/oracle@pdbtest
ERROR:
ORA-01045: user C##USERCON lacks CREATE SESSION privilege; logon denied


Warning: You are no longer connected to ORACLE.

SQL> grant connect, resource to c##usercon container=all;

Grant succeeded.

SQL> conn c##usercon/oracle@pdbtest
Connected.

SQL> show user
USER is "C##USERCON"

SQL> show con_name

CON_NAME
------------------------------
PDBTEST

Common user will be created in all PDBs automatically:

SQL> show pdbs

CON_ID CON_NAME OPEN MODE RESTRICTED

---------- ------------------------------ ---------- ----------

2 PDB$SEED READ ONLY NO

4 SALESPDB MOUNTED

5 PDBTEST READ WRITE NO

7 PDBNODATA MOUNTED

SQL> col USERNAME for A20

SQL> set linesize 100

SQL> SELECT username, b.name, user_id, a.con_id

FROM cdb_users a, v$containers b

WHERE a.con_id = b.con_id AND username = 'C##USERCON';

USERNAME NAME USER_ID CON_ID

-------------------- ------------------------------ ---------- ----------

C##USERCON PDBTEST 105 5

C##USERCON CDB$ROOT 102 1

SQL> alter pluggable database pdbnodata open;

Pluggable database altered.

SQL> SELECT username, b.name, user_id, a.con_id

FROM cdb_users a, v$containers b

WHERE a.con_id = b.con_id AND username = 'C##USERCON';

USERNAME NAME USER_ID CON_ID

-------------------- ------------------------------ ---------- ----------

C##USERCON PDBTEST 105 5

C##USERCON CDB$ROOT 102 1

C##USERCON PDBNODATA 105 7

SQL> show pdbs CON_ID CON_NAME OPEN MODE RESTRICTED ---------- ------------------------------ ---------- ---------- 2 PDB$SEED READ ONLY NO 4 SALESPDB MOUNTED 5 PDBTEST READ WRITE NO 7 PDBNODATA MOUNTED SQL> col USERNAME for A20 SQL> set linesize 100 SQL> SELECT username, b.name, user_id, a.con_id FROM cdb_users a, v$containers b WHERE a.con_id = b.con_id AND username = 'C##USERCON'; USERNAME NAME USER_ID CON_ID -------------------- ------------------------------ ---------- ---------- C##USERCON PDBTEST 105 5 C##USERCON CDB$ROOT 102 1 SQL> alter pluggable database pdbnodata open; Pluggable database altered. SQL> SELECT username, b.name, user_id, a.con_id FROM cdb_users a, v$containers b WHERE a.con_id = b.con_id AND username = 'C##USERCON'; USERNAME NAME USER_ID CON_ID -------------------- ------------------------------ ---------- ---------- C##USERCON PDBTEST 105 5 C##USERCON CDB$ROOT 102 1 C##USERCON PDBNODATA 105 7

SQL> show pdbs

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         4 SALESPDB                       MOUNTED
         5 PDBTEST                        READ WRITE NO
         7 PDBNODATA                      MOUNTED

SQL> col USERNAME for A20
SQL> set linesize 100
SQL> SELECT username, b.name, user_id, a.con_id
FROM cdb_users a, v$containers b
WHERE a.con_id = b.con_id AND username = 'C##USERCON';  

USERNAME             NAME                              USER_ID     CON_ID
-------------------- ------------------------------ ---------- ----------
C##USERCON           PDBTEST                               105          5
C##USERCON           CDB$ROOT                              102          1

SQL> alter pluggable database pdbnodata open;

Pluggable database altered.

SQL> SELECT username, b.name, user_id, a.con_id
FROM cdb_users a, v$containers b
WHERE a.con_id = b.con_id AND username = 'C##USERCON';  

USERNAME             NAME                              USER_ID     CON_ID
-------------------- ------------------------------ ---------- ----------
C##USERCON           PDBTEST                               105          5
C##USERCON           CDB$ROOT                              102          1
C##USERCON           PDBNODATA                             105          7

Common user can be created only from root container:

SQL> alter session set container=PDBTEST;

Session altered.

SQL> show user

USER is "SYS"

SQL> create user c##usercon01 identified by oracle;

create user c##usercon01 identified by oracle

ERROR at line 1:

ORA-65094: invalid local user or role name

SQL> alter session set container=PDBTEST; Session altered. SQL> show user USER is "SYS" SQL> create user c##usercon01 identified by oracle; create user c##usercon01 identified by oracle * ERROR at line 1: ORA-65094: invalid local user or role name

SQL> alter session set container=PDBTEST;

Session altered.

SQL> show user
USER is "SYS"

SQL> create user c##usercon01 identified by oracle;
create user c##usercon01 identified by oracle
            *
ERROR at line 1:
ORA-65094: invalid local user or role name

Create Local User:

SQL> alter session set container=PDBTEST;

Session altered.

SQL> show con_name

CON_NAME

------------------------------

PDBTEST

SQL> create user user_pdb identified by oracle;

User created.

SQL> grant create session, connect, resource to user_pdb;

Grant succeeded.

SQL> conn user_pdb/oracle@pdbtest

Connected.

SQL> show con_name

CON_NAME

------------------------------

PDBTEST

SQL> show user

USER is "USER_PDB"

SQL> alter session set container=PDBTEST; Session altered. SQL> show con_name CON_NAME ------------------------------ PDBTEST SQL> create user user_pdb identified by oracle; User created. SQL> grant create session, connect, resource to user_pdb; Grant succeeded. SQL> conn user_pdb/oracle@pdbtest Connected. SQL> show con_name CON_NAME ------------------------------ PDBTEST SQL> show user USER is "USER_PDB"

SQL> alter session set container=PDBTEST;

Session altered.

SQL> show con_name

CON_NAME
------------------------------
PDBTEST

SQL> create user user_pdb identified by oracle;

User created.

SQL> grant create session, connect, resource to user_pdb;

Grant succeeded.

SQL> conn user_pdb/oracle@pdbtest
Connected.

SQL> show con_name

CON_NAME
------------------------------
PDBTEST

SQL> show user
USER is "USER_PDB"

Local user can be created from PDB only but not from root container:

SQL> show user

USER is "SYS"

SQL> show con_name

CON_NAME

------------------------------

CDB$ROOT

SQL> create user user_pdb identified by oracle;

create user user_pdb identified by oracle

ERROR at line 1:

ORA-65096: invalid common user or role name

SQL> show user USER is "SYS" SQL> show con_name CON_NAME ------------------------------ CDB$ROOT SQL> create user user_pdb identified by oracle; create user user_pdb identified by oracle * ERROR at line 1: ORA-65096: invalid common user or role name

SQL> show user
USER is "SYS"
SQL> show con_name

CON_NAME
------------------------------
CDB$ROOT
SQL> create user user_pdb identified by oracle;
create user user_pdb identified by oracle
            *
ERROR at line 1:
ORA-65096: invalid common user or role name

Common Role:

Common role has to be created same way like Common user.

Role Name should be starting with C##
Creates from root container.
Can be assigned to common user as well as local users any PDBs.
Common Role name is unique for entire database (CDB + PDBs).

SQL> create role c##role_hr;

Role created.

SQL> grant create session to c##role_hr;

Grant succeeded.

SQL> grant c##role_hr to c##usercon;

Grant succeeded.

SQL> grant c##role_hr to user_pdb;

grant c##role_hr to user_pdb

ERROR at line 1:

ORA-01917: user or role 'USER_PDB' does not exist

SQL> alter session set container=pdbtest;

Session altered.

SQL> grant c##role_hr to user_pdb;

Grant succeeded.

SQL> create role c##role_hr; Role created. SQL> grant create session to c##role_hr; Grant succeeded. SQL> grant c##role_hr to c##usercon; Grant succeeded. SQL> grant c##role_hr to user_pdb; grant c##role_hr to user_pdb * ERROR at line 1: ORA-01917: user or role 'USER_PDB' does not exist SQL> alter session set container=pdbtest; Session altered. SQL> grant c##role_hr to user_pdb; Grant succeeded.

SQL> create role c##role_hr;

Role created.

SQL> grant create session to c##role_hr;

Grant succeeded.

SQL> grant c##role_hr to c##usercon;

Grant succeeded.

SQL> grant c##role_hr to user_pdb;
grant c##role_hr to user_pdb
                    *
ERROR at line 1:
ORA-01917: user or role 'USER_PDB' does not exist

SQL> alter session set container=pdbtest;

Session altered.

SQL> grant c##role_hr to user_pdb;

Grant succeeded.

Local Role:

Role Name should not starting with C##.
Creates from a PDB.
Can be assigned to local user of the PDB only.
Local Role name is unique for a PDB.

SQL> create role role_local;

Role created.

SQL> grant create session, select any table to role_local;

Grant succeeded.

SQL> grant role_local to user_pdb;

Grant succeeded.

SQL> grant role_local to c##usercon;

Grant succeeded.

SQL> create role role_local; Role created. SQL> grant create session, select any table to role_local; Grant succeeded. SQL> grant role_local to user_pdb; Grant succeeded. SQL> grant role_local to c##usercon; Grant succeeded.

SQL> create role role_local;

Role created.

SQL> grant create session, select any table to role_local;

Grant succeeded.

SQL> grant role_local to user_pdb;

Grant succeeded.

SQL> grant role_local to c##usercon;

Grant succeeded.

Create an object from common user:

Can be created an object (like Table or View etc) with same name on CDB and PDBs from common user.

Table create on a CDB using common user:

SQL> show con_name

CON_NAME

------------------------------

CDB$ROOT

SQL> show user

USER is "C##USERCON"

SQL> Create table root_test (id number);

Table created.

SQL> show con_name CON_NAME ------------------------------ CDB$ROOT SQL> show user USER is "C##USERCON" SQL> Create table root_test (id number); Table created.

SQL> show con_name
CON_NAME
------------------------------
CDB$ROOT
SQL> show user
USER is "C##USERCON"

SQL> Create table root_test (id number);

Table created.

Table create on a PDB using common user:

SQL> show con_name

CON_NAME

------------------------------

PDBNODATA

SQL> show user

USER is "C##USERCON"

SQL> create table C##USERCON.root_test (id number);

Table created.

SQL> show con_name CON_NAME ------------------------------ PDBNODATA SQL> show user USER is "C##USERCON" SQL> create table C##USERCON.root_test (id number); Table created.

SQL> show con_name
CON_NAME
------------------------------
PDBNODATA

SQL> show user
USER is "C##USERCON"

SQL> create table C##USERCON.root_test (id number);

Table created.

Table create on a PDB using common user:

SQL> show con_name

CON_NAME

------------------------------

PDBTEST

SQL> show user

USER is "C##USERCON"

SQL> create table C##USERCON.root_test (id number);

Table created.

SQL> show con_name CON_NAME ------------------------------ PDBTEST SQL> show user USER is "C##USERCON" SQL> create table C##USERCON.root_test (id number); Table created.

SQL> show con_name
CON_NAME
------------------------------
PDBTEST

SQL> show user
USER is "C##USERCON"

SQL> create table C##USERCON.root_test (id number);

Table created.

Table with same name on all PDBs and Container for a common user:

col OWNER for A20

col OBJECT_NAME for A20

set linesize 100

SQL> SELECT a.con_id, b.name, owner, object_name, object_id

FROM cdb_objects a, v$containers b

WHERE a.con_id = b.con_id AND a.object_name = 'ROOT_TEST';

CON_ID NAME OWNER OBJECT_NAME OBJECT_ID

---------- ------------------------------ -------------------- -------------------- ----------

7 PDBNODATA C##USERCON ROOT_TEST 91941

5 PDBTEST C##USERCON ROOT_TEST 91823

1 CDB$ROOT C##USERCON ROOT_TEST 92447

col OWNER for A20 col OBJECT_NAME for A20 set linesize 100 SQL> SELECT a.con_id, b.name, owner, object_name, object_id FROM cdb_objects a, v$containers b WHERE a.con_id = b.con_id AND a.object_name = 'ROOT_TEST'; CON_ID NAME OWNER OBJECT_NAME OBJECT_ID ---------- ------------------------------ -------------------- -------------------- ---------- 7 PDBNODATA C##USERCON ROOT_TEST 91941 5 PDBTEST C##USERCON ROOT_TEST 91823 1 CDB$ROOT C##USERCON ROOT_TEST 92447

col OWNER for A20
col OBJECT_NAME for A20
set linesize 100

SQL> SELECT a.con_id, b.name, owner, object_name, object_id
FROM cdb_objects a, v$containers b
WHERE a.con_id = b.con_id AND a.object_name = 'ROOT_TEST';

    CON_ID NAME                           OWNER                OBJECT_NAME           OBJECT_ID
---------- ------------------------------ -------------------- -------------------- ----------
         7 PDBNODATA                      C##USERCON           ROOT_TEST                 91941
         5 PDBTEST                        C##USERCON           ROOT_TEST                 91823
         1 CDB$ROOT                       C##USERCON           ROOT_TEST                 92447

Administration Database Users including Roles and Privileges on Multitenant

About Me

Categories

Archives

VISITORS