Oracle Security in CDBs and PDBs - OCP: Oracle Database 12c Administrator Certified Professional

Database Reference

In-Depth Information

If the new PDB contains common user accounts that are locked because the common

user has not been created in the root, you can shut down the new PDB, connect to the root,

create common users with the same name as the new PDB common users, and then reopen

the new PDB. There's no impact to the privileges and roles that were granted locally to the

common users.

The Local Users in a CDB

The local user is not a common user but is local to a specific PDB and can operate in only

a single PDB. A user who has the CREATE USER role or greater within a PDB, including

common users, can create local users. A local user has the following characteristics:

The username may not begin with the characters c## or C## .

■

The local user is unique in a particular PDB and owns a schema in the same PDB.

■

The local user can't be created in the root.

■

The local user can't log on to another PDB or to the root.

■

If granted privileges, the local user can access objects in a common-user schema in the

same PDB.

■

If given appropriate privileges, the local user may execute an ALTER PLUGGABLE

DATABASE command.

■

Chapter 12, “Managing Oracle Multitenant Databases,” introduces the

concepts of the common and local users, and setting the current container

for a session.

The CONTAINER Clause

When you create a new user, the CONTAINER clause differentiates the local user from the

common user. If you want to create a common user, make sure your current container is

CDB$ROOT and use CONTAINER=ALL when issuing the CREATE USER statement. This is the

default if you're logged into CDB$ROOT .

If you want to create a local user in a PDB, set your current container to the PDB and

use the CONTAINER=CURRENT clause. This is the default if you're logged into a PDB.

You do not have the option to name a PDB in the CONTAINER clause; it's named either

CURRENT or ALL .

When creating a common user, the DEFAULT TABLESPACE , TEMPORARY TABLESPACE ,

QUOTA , and PROFILE specified must exist in all the containers belonging to the CDB.

The current container is where the current session is running, and each session can

have only one current container at any point in time. It can be the root for common users

or a PDB for local and common users. Each container has a separate data dictionary,

so the current container data dictionary is used for privilege authorization and name

resolution.

Search WWH ::

Custom Search

Home