UNIVERSITI TUNKU ABDUL RAHMAN

Faculty of Information and Communication Technology

50 marks

UCCA3234 DATABASE ADMINISTRATION

Individual Assignment

Lecturer and Practical Instructor: Dr. Ramesh Kumar Ayyasamy

Due Date: 15 September 2023 (Week 13)

To be filled by student:

Student ID Name Practical Programme

Group
19ACB03288 Wong Teng Wei P1 IA

To be filled by lecturer:

No Evaluation Criteria with Max Score Achieved Marks

1 Execution and Technical Skills (30 marks)
2 Results and Analysis (10 marks)

3 Documentation and Presentation (10 marks)

Total (50 marks)
 Table of Contents
Exercise 3 ............................................................................................................................................. 3

Exercise 3.1: Use SQL*Loader and External Tables ..................................................................... 3

Exercise 4 ........................................................................................................................................... 10

Exercise 4.1: Perform a Data Dump Export ................................................................................. 10

Exercise 5 ........................................................................................................................................... 16

Exercise 5.1: Create Users ............................................................................................................ 16

Exercise 5.2: Grant Direct Privileges ........................................................................................... 18

Exercise 5.3: Create and Grant Roles ........................................................................................... 23

Exercise 5.4: Create and Use Profiles .......................................................................................... 29

Exercise 5: Lab Question ........................................................................................................... 30

Exercise 6 ........................................................................................................................................... 37

Exercise 6.1: Remove Some Potentially Dangerous Privileges ................................................... 37

Exercise 6.2: Use Standard Database Auditing ............................................................................ 41

Exercise 6: Lab Question ................................................................................................................ 45

Exercise 7 ........................................................................................................................................... 50

Exercise 7.1: Querying V$ Views to Obtain Backup Information ............................................... 50

Exercise 7.2: Making User-Managed Backups of the Whole Database ....................................... 55

Exercise 7.3: Making User-Managed Backups of Tablespaces and Data Files ........................... 57
 UCCA3234 Database Administration Assignment

Exercise 3
Exercise 3.1: Use SQL*Loader and External Tables

The command create table name(first varchar2(10), last varchar2(10)); creates a new table
named "name" in the database with two columns: first and last. Both columns are designed to store
character strings, with a maximum length of 10 characters each.

The command in the names.ctl file instructs the database to load data from the names.txt file
into the names table. It specifies that the data fields in the input file are separated by commas. If any
records fail to load, they will be written to names.bad. The trailing nullcols option ensures any missing
columns at the end of a record are treated as null values.
3
 UCCA3234 Database Administration Assignment

After executing the sqlldr command in the Command Prompt with the provided control file
(names.ctl), the SQL*Loader utility loads data from the names.txt file into the names table in the
database. The messages "Commit point reached" indicate that data has been committed (i.e.,
permanently saved) to the table after certain logical record counts.
Subsequently, when entering the “select * from names;” command in SQL*Plus, the names
table is queried to retrieve and view all the records. The output should display the data from the
names.txt file, now successfully loaded into the names table in the database.

4
 UCCA3234 Database Administration Assignment

The names.log file is a log file that SQL*Loader creates after a data load operation. It provides a
summary and detailed report of the loading process, including any errors, warnings, and specific
operations performed. Here's what to look for in this log file:

1. Header Information: At the beginning of the log, there's typically information about the
SQL*Loader version, the date and time when the load started, and the control file used.
2. File Information: The log will show details about the input data file (names.txt in this case) and
other associated files such as bad records file (names.bad).
3. Table Information: The table being loaded (in this case, names) and its structure, matching
what's defined in the control file, will be displayed.
4. Load Summary: This section gives an overview of the number of records successfully loaded,
5
 UCCA3234 Database Administration Assignment

the number of records that were rejected or discarded, and any errors that occurred during the
load.
5. Row Processing Details: For each row (record) loaded, there might be details about any
transformations applied, whether the row was successfully loaded or rejected, and reasons for
rejections, if any.
6. Errors and Warnings: If there were any issues during the load process, detailed error messages
and warnings would appear in the log. Each error or warning will have an associated error code,
which can be looked up for more specific details.
7. Commit Points: Information about commit points, where data was permanently saved to the
database, will be shown. This aligns with the "Commit point reached" messages that were
observed.
8. End Summary: The log concludes with a summary of the loading process, including total time
taken, final commit points, and other pertinent details.

To truly understand the success or issues of the data load, it's important to review the names.log file
carefully, especially focusing on the Load Summary and Errors and Warnings sections. If any records
were rejected, they will be in the names.bad file, and the log will provide insights as to why they were
rejected.

The command “sqlldr userid=system/oracle control=names.ctl

external_table=generate_only” invokes the SQLLoader utility using the database user system with
the password oracle for authentication. It specifies the control file names.ctl to guide the data loading
process. However, with the external_table=generate_only option, instead of loading data, SQLLoader
is instructed to generate a SQL CREATE TABLE statement for an external table based on the
definitions in the control file. Thus, no actual data loading takes place, and only the DDL for an external
table is produced.

6
UCCA3234 Database Administration Assignment

The provided CREATE TABLE statement creates an external table in Oracle named
SYS_SQLLDR_X_EXT_NAMES. Here's a brief explanation:

• SYS_SQLLDR_X_EXT_NAMES: This is the name of the external table. External tables allow
you to query data in external sources as if it were in a table in the database.
• FIRST VARCHAR2(10), LAST VARCHAR2(10): These are columns in the table with their
data types. They will map to the data in the names.txt file.
• ORGANIZATION external: This specifies that the table is an external table.
• TYPE oracle_loader: This indicates the access method used to read from the external data
source. In this case, it's using Oracle's loader (typically used with SQL*Loader).
7
 UCCA3234 Database Administration Assignment

• DEFAULT DIRECTORY lang_external: This defines the directory object that points to the
physical location of the names.txt file. The directory object lang_external should be pre-defined
in the database and point to the directory where the names.txt file resides.
• ACCESS PARAMETERS (FIELDS TERMINATED BY ','): This section specifies how the
data in the external file is formatted. It tells Oracle that fields in the names.txt file are separated
by commas.
• location('names.txt'): This indicates the filename of the external data source. Oracle will look
for this file in the directory specified by the lang_external directory object.

In essence, the statement allows Oracle to treat the names.txt file as if it were a table in the database,
so you can query it using standard SQL, even though the data remains outside the database in a flat file.

8
 UCCA3234 Database Administration Assignment

The statements provided set up an external table in Oracle named SYS_SQLLDR_X_EXT_NAMES

that maps to a flat file (names.txt) located in 'C:\home\oracle'. Here's a brief explanation regarding
querying and DML operations on external tables:

• External Tables: They allow data in flat files to be treated as tables in Oracle. The data isn't
actually stored in the database, but is read from the external file on-the-fly when queried.
• Log Files on SELECT: When querying external tables, Oracle may generate log files to capture
any issues encountered while reading from the external file. For example, if there are format
discrepancies in the data file that don't match the external table's definition, these would be
logged.
• DML Restrictions: DML operations (like INSERT, UPDATE, or DELETE) are not permitted
on external tables. It makes sense since the data isn't actually in the database. Instead, it resides
in an external file. Oracle can read the file, but it can't modify it using DML statements.
Attempting to do so would result in an error.

In summary, the external table SYS_SQLLDR_X_EXT_NAMES provides a way to query data in

names.txt using SQL. However, the data is read-only in the context of the database, and any attempt to
modify it with DML statements isn't allowed. Also, every SELECT might produce a log file to record
issues during data reading.

9
 UCCA3234 Database Administration Assignment

Exercise 4

Exercise 4.1: Perform a Data Dump Export

The statement SQL>create table practical4 as select * from all_users; creates a new table named
practical4 in the database. The contents of this table are populated using the data fetched from the
all_users system view. As a result, practical4 will now hold a snapshot of the current data from all_users.
The structure of practical4 will mimic the column structure of all_users. However, it's worth noting that
practical4 is a static table; any future changes to all_users won't be automatically reflected in practical4
unless the data is refreshed or the table is recreated.

Connect to the database as user SYSTEM with Database Control. Navigate to the Export Wizard: take
the Data Movement tab from the database home page, then the Export To Export Files link in the Move
Row Data section. Select the radio button for Tables. Enter the operating system username and
password for host credentials (if these have not already been saved as preferred credentials) and click
10
 UCCA3234 Database Administration Assignment

Continue.

11
 UCCA3234 Database Administration Assignment

In the Export: Tables window, click Add and find the table SYSTEM.PRACTICAL4. Click Next.

In the Export: Export Options window, select the directory SYSTEM_DMP or DATA_FILE_DIR as
the Directory Object for Optional Files. Click Next.

In the Export: Files window, choose the directory SYSTEM_DMP or DATA_FILE_DIR and click
Next. After that, in the Export: Schedule window, give the job a name and click Next to run the job
immediately.
12
 UCCA3234 Database Administration Assignment

In the Review window, click Submit Job.

When the job has completed, study the log file that will have been created in the operating directory
mapped onto the Oracle directory SYSTEM_DMP or DATA_FILE_DIR

13
 UCCA3234 Database Administration Assignment

The provided content details the steps and outcome of an Oracle database export job. Here's a brief
explanation of the results:

• The job with the name EXERCISE2, under the SYSTEM user, was initially stopped by a user
request. This could mean someone paused or interrupted the process intentionally.
• The job was then restarted. Oracle provided an estimate for the amount of data to be exported
using the BLOCKS method. This estimation method calculates the size based on the number of
database blocks the data occupies.
• The estimation suggested that the table SYSTEM.PRACTICAL4 would take up around 64 KB
in the export file.
• The job then began processing the data. It first handled the table structure
(TABLE_EXPORT/TABLE/TABLE) and then the actual data
(TABLE_EXPORT/TABLE/TABLE_DATA).
• The table SYSTEM.PRACTICAL4 was successfully exported. It contained 31 rows and took
up 6.546 KB of space in the export file.
• Once the data was exported, the job's metadata and control information were managed in the
Master table SYSTEM.EXERCISE2.

14
 UCCA3234 Database Administration Assignment

• The dump file, which is the result of the export operation, was saved in the directory C:\oracle\
with the filename EXPDAT01.DMP.
• The entire export job, SYSTEM.EXERCISE2, successfully concluded at 17:57:57.

In essence, the SYSTEM.PRACTICAL4 table, with its structure and 31 rows of data, was successfully
exported to a dump file located at C:\oracle\EXPDAT01.DMP.

15
 UCCA3234 Database Administration Assignment

Exercise 5
Exercise 5.1: Create Users

The first command creates a user named alois with the password alois. The user's default
tablespace, where their data will be primarily stored, is set to users. Additionally, upon the first login,
the user alois will be prompted to change their password, as the password expire clause is specified.
The second command creates a user named afra with the password oracle. This user's default
tablespace is also set to users. However, unlike the first user, afra has been granted an unlimited quota
on the users tablespace, meaning they can consume as much space as available in that tablespace
without any restrictions.
The third command creates a user named anja with the password oracle. This user's attributes
and privileges are set to the Oracle default values, as no additional parameters, like tablespace or quota,
are specified in the command.

16
 UCCA3234 Database Administration Assignment

The provided table displays the account status of three Oracle database users:
• User AFRA has an account status of OPEN, which means the user account is active and can log
into the database without any restrictions.
• User ALOIS has an account status of EXPIRED. This indicates that the password for this user
account has expired, and the user will need to set a new password upon their next login attempt.
• User ANJA also has an account status of OPEN, meaning this user, like AFRA, can access the
database normally.
In summary, both AFRA and ANJA have active accounts, while ALOIS needs to update their password
due to its expired status.

From SQL*Plus, attempt to connect as user ALOIS.

When prompted, select a new password (such as “oracle”). But it won’t get you anywhere, because
ALOIS does not have the CREATE SESSION privilege.
17
 UCCA3234 Database Administration Assignment

Refresh the Database Control window, and note that the status of the ALOIS account is no longer
EXPIRED but OPEN, because his password has been changed.

Exercise 5.2: Grant Direct Privileges

After connecting as the system user, the CREATE SESSION privilege was granted to alois, allowing
alois to log into the database. However, when alois attempts to create a table named t1, an error ORA-
01031: insufficient privileges is returned. This is because the CREATE SESSION privilege only allows
a user to connect to the database; it doesn't grant the ability to create tables. For alois to create tables,
the CREATE TABLE privilege must also be granted to him. Without this specific privilege, alois
encounters the error due to lacking the necessary rights to create a table.

18
 UCCA3234 Database Administration Assignment

After the system user granted the CREATE TABLE privilege to alois, alois should technically
have the ability to create tables. However, when attempting to create a table, an error ORA-01950: no
privileges on tablespace 'USERS' is encountered.
The error indicates that while alois has the privilege to create tables, he doesn't have the
necessary quota or permission on the USERS tablespace to actually store the table data. In Oracle,
simply having the CREATE TABLE privilege isn't enough. The user also needs to have a quota on a
tablespace or be granted specific permission to use a particular tablespace for creating objects.

After connecting as the system user, a quota of 1MB on the USERS tablespace was granted to
alois using the command alter user alois quota 1m on users;. This means that alois now has the
permission to use up to 1MB of storage in the USERS tablespace for creating and storing objects.
When alois attempts to create a table t1 afterward, the operation is successful because, in
addition to having the CREATE TABLE privilege, alois also has sufficient quota on the USERS
tablespace to allocate space for the table.
In summary, alois can create the table now because he has both the necessary privilege to create
tables and a quota on the tablespace where the table data will be stored.

19
 UCCA3234 Database Administration Assignment

After connecting to the database as the user alois, two privilege grants are made on the table t1:
• “grant all on t1 to afra;”: This command grants all privileges on the table t1 to the user afra.
This means afra can perform various operations on the table, such as selecting, inserting,
updating, and deleting rows, among others.
• “grant select on t1 to anja;”: This command grants only the SELECT privilege on the table t1
to the user anja. This means anja can query the table to view its data but cannot modify it.
In summary, alois is granting different levels of access to the table t1 to two users: full access to afra
and read-only access to anja.

Connect to Database Control as user SYSTEM. Confirm that the object privileges have been granted.
The navigation path from the database home page is: on the Schema tab click the Tables link in the
20
 UCCA3234 Database Administration Assignment

Database Objects section. Enter ALOIS as the Schema and T1 as the Table and click the Go button. In
the Actions drop-down box, select Object Privileges. As shown in the next illustration, ANJA has only
SELECT, but AFRA has everything. Note that the window also shows by whom the privileges were
granted, and that none of them were granted WITH GRANT OPTION.

With Database Control, confirm which privileges have granted to ALOIS. The navigation path
from the database home page is: on the Server tab click the Users link in the Security section. Select
the radio button for ALOIS and click the View button. You will see that he has two system privileges
(CREATE SESSION and CREATE TABLE) without the ADMIN OPTION, a 1MB quota and USERS,
and nothing else.

21
 UCCA3234 Database Administration Assignment

This command retrieves information about table-level privileges granted on the table T1 owned by user
ALOIS. The columns being fetched are:
• grantee: The user or role to whom the privilege has been granted.
• privilege: The specific type of privilege granted (e.g., SELECT, INSERT, UPDATE).
• grantor: The user who granted the privilege.
• grantable: Indicates if the granted privilege can be further granted by the grantee to other users
or roles (commonly YES or NO).

22
 UCCA3234 Database Administration Assignment

This command fetches information about system-level privileges granted to the user ALOIS. System
privileges allow users to perform specific actions in the database, such as creating tables (CREATE
TABLE), creating sessions (CREATE SESSION), and so forth. The returned result will list out all the
system-level privileges that ALOIS has been granted.

Exercise 5.3: Create and Grant Roles

After connecting to the database as the system user, several actions related to role creation and privilege
granting are performed:
• create role usr_role;: A role named usr_role is created. Roles are used to simplify the process
of granting and managing privileges by grouping them together under a single name.
• create role mgr_role;: Another role named mgr_role is created.
• grant create session to usr_role;: The usr_role is granted the CREATE SESSION privilege. This
allows any user assigned this role to connect to the database.
• grant select on alois.t1 to usr_role;: The usr_role is granted the SELECT privilege on the table
t1 owned by alois. This allows any user with this role to query and view data from this table.

23
 UCCA3234 Database Administration Assignment

• grant usr_role to mgr_role with admin option;: The mgr_role is granted the usr_role, which
means anyone with mgr_role also gets the privileges associated with usr_role. Additionally, the
with admin option clause allows any user with the mgr_role to further grant or revoke the
usr_role from other users.
• grant all on alois.t1 to mgr_role;: The mgr_role is granted all privileges (like SELECT,
INSERT, UPDATE, DELETE, etc.) on the table t1 owned by alois.
In summary, two roles are created (usr_role and mgr_role). The usr_role is given specific privileges to
connect to the database and query a particular table. The mgr_role is given broader privileges on the
same table, and it is also granted the usr_role with the ability to administer it to others.

The command “grant mgr_role to AFRA;” grants the mgr_role to the user AFRA. This means
that AFRA will inherit all the privileges that have been assigned to the mgr_role. If mgr_role has been
given certain permissions on tables, system privileges, or even other roles, AFRA will now have access
to those permissions by virtue of having the mgr_role role.

While connected as AFRA, the usr_role is granted to the user anja. This means anja will now have the
privileges that are associated with the usr_role. For AFRA to be able to grant the usr_role, the role must
have been granted to AFRA with the admin option (as was done previously with mgr_role). Then, a
new record is inserted into the t1 table owned by alois. The value being inserted is the current date and
time (sysdate).By executing commit statement, this ensures that the insert operation is finalized and the
data is permanently saved in the table. It ends the current transaction and makes all changes made
during the transaction permanent.

24
 UCCA3234 Database Administration Assignment

After connecting to the database as anja, an attempt is made to insert a record into the t1 table owned
by alois. The error "insufficient privileges" arises because anja does not have the INSERT privilege on
alois.t1. While anja has the SELECT privilege to view data in the table, she lacks the necessary rights
to modify or add data to it.

The connect role, which is a predefined Oracle role, is granted to the user anja. This role provides basic
privileges for a user to connect to a database. Next, the default role of anja is set to connect, which
means that whenever anja logs into the database, the connect role will be automatically activated for
her session, granting her the privileges associated with that role.

Anja activates the usr_role. If anja has been granted this role and it provides additional privileges on
alois.t1, then those privileges will be available for the duration of the session (or until the role is unset).
After setting the role, anja attempts to retrieve all the records from alois.t1 again. If usr_role provides
the required SELECT privilege on this table, and if the previous attempt failed due to insufficient
privileges, this attempt should be successful.

25
 UCCA3234 Database Administration Assignment

Use Database Control to inspect the roles. The navigation path from the database home page is: on the Server
tab click the Roles link in the Security section. Click the links for the two new roles to see their privileges. This
illustration shows the MGR_ROLE and USR_ROLE:

26
 UCCA3234 Database Administration Assignment

To see to whom a role has been granted, in the Actions drop-down box shown in the preceding
illustration, select Show Grantees and click the Go button. This illustration shows the result for
MGR_ROLE and USR_ROLE:

The query above retrieves all the users and roles that have been granted either USR_ROLE or
MGR_ROLE. It provides details about which users or roles have these roles assigned.

27
 UCCA3234 Database Administration Assignment

The second query is a combination of two different queries merged using the UNION ALL operator:
• The first part fetches details about table-specific privileges (like SELECT, INSERT, etc.)
granted to USR_ROLE or MGR_ROLE.
• The second part fetches system-wide privileges (like CREATE SESSION, ALTER USER, etc.)
granted to USR_ROLE or MGR_ROLE.
The combined result will show both types of privileges for these roles in one list. It organizes the output
by the grantee (which in this context is either USR_ROLE or MGR_ROLE).

28
 UCCA3234 Database Administration Assignment

Exercise 5.4: Create and Use Profiles

The account is locked because a profile named two_wrong was created that limits the number of failed
login attempts to 2. The user alois was then assigned this profile. After trying to enter the wrong
password more than the allowed limit of 2 times, the Oracle system enforced the profile constraint and
locked the alois account as a security measure.

The command “alter user alois account unlock;” is used to unlock the alois account. After unlocking,
connecting with the correct credentials, as demonstrated by connect alois/oracle, allows successful
authentication and access to the database.

29
 UCCA3234 Database Administration Assignment

Exercise 5: Lab Question

Create a user BERND, and give him the necessary permissions to log on to the database with password
authentication and create tables in his own schema. Test this by connecting as BERND and creating a
table DATETAB, with a single column of type DATE. Insert a row into DATETAB, and commit the
insert.

30
 UCCA3234 Database Administration Assignment

Create a user CHRISTA. Give her these privileges: “CREATE SESSION”, “SELECT ON
BERND.DATETAB”, and “ALL ON BERND.DATETAB”.

Connect as CHRISTA, and check that she can read BERND.DATETAB. Revoke her SELECT
privilege, and confirm that she can no longer select from BERND.DATETAB, though she can (perhaps
oddly) insert rows into it.

31
 UCCA3234 Database Administration Assignment

Run queries against DBA_TAB_PRIVS at all stages to understand what is happening.

32
 UCCA3234 Database Administration Assignment

Why can christa insert rows but not select them?

When you grant the ALL privilege on a table, it grants all actions such as SELECT, INSERT, UPDATE,
DELETE, etc. But when you explicitly revoke a specific privilege, like SELECT, it will be taken away
from that user. However, all the other privileges (INSERT, UPDATE, etc.) remain intact. So, christa
can still INSERT rows because she retains the INSERT privilege.

Create a user DORIS, and grant privileges as follows:

• SELECT ON BERND.DATETAB to DORIS
• SELECT ON BERND.DATETAB to PUBLIC
• SELECT ANY TABLE to DORIS
• DBA to DORIS

33
UCCA3234 Database Administration Assignment

Confirm that DORIS can now read BERND.DATETAB.

34
 UCCA3234 Database Administration Assignment

To prevent DORIS from being able to see BERND.DATETAB, you'll need to revoke multiple
privileges:

But Doris still can access BERND.DATETAB

The Tricky Part: If you want to prevent DORIS from accessing the table via the DBA role, you have a
challenge. Revoking the DBA role from DORIS would also remove many other privileges that might
be essential for her work. If you're certain you want to remove it:

If DORIS can still read from BERND.DATETAB after the direct and system privileges have been
revoked, there might because of the Public Privileges. You granted SELECT on BERND.DATETAB
to PUBLIC. This means any user in the database, including DORIS, can select from this table. After
revoked it, DORIS will not able to access the BERND.DATETAB anymore.

35
 UCCA3234 Database Administration Assignment

Result:

Tidy up

36
 UCCA3234 Database Administration Assignment

Exercise 6
Exercise 6.1: Remove Some Potentially Dangerous Privileges

The command “spool c:\Users\user\clear_public_privs.sql” is used in SQL*Plus to begin

recording (or spooling) everything displayed on the screen to a file named "clear_public_privs.sql"
located in the path C:\Users\user\.
Everything executed in SQL*Plus after this command will be saved to that file until the spooling
is turned off using the command spool off. The generated file can be used later as a SQL script or for
documentation purposes.

37
 UCCA3234 Database Administration Assignment

This query will generate a list of SQL statements that, when executed, will revoke the
EXECUTE privilege on all tables (which usually refer to PL/SQL packages, procedures, and functions
in this context) that have names starting with "UTL_" and where the privilege was granted to the
PUBLIC role.
The purpose is likely to tighten security by ensuring that publicly available utilities (often
system-level packages) aren't unnecessarily exposed to all database users. If the generated SQL
statements are executed, they will revoke the access privileges to those specific utilities from every user
in the Oracle database, as the PUBLIC role includes everyone.

38
 UCCA3234 Database Administration Assignment

after executing the spool command followed by the select statement that generates the REVOKE SQL
statements for utilities starting with "UTL_", the file clear_public_privs.sql will contain:
• Any SQLPlus headers, prompts, or other metadata that SQLPlus typically outputs. This may
include connection information, the SQL statement itself, etc., depending on your SQL*Plus
settings.
• The list of SQL REVOKE commands generated by your query.

39
 UCCA3234 Database Administration Assignment

After edit / removed

40
 UCCA3234 Database Administration Assignment

Exercise 6.2: Use Standard Database Auditing

After executing these queries, a new user named sabine is created with the password 'oracle'.
Next, a table called jobs2 is established within the system schema by copying data from the all_users
view. The user sabine is then endowed with the ability to connect to the database and retrieve data from
any table. Additionally, sabine receives explicit permission to read data from the jobs table.

“AUDIT SELECT ANY TABLE BY ACCESS;” This command initiates the auditing of any SELECT
operation on any table by any user. Whenever a user executes a SELECT on any table in the database,
Oracle will capture and store this access information.
“AUDIT ALL ON JOBS BY ACCESS;” This command begins the auditing for all DML operations
(like SELECT, INSERT, UPDATE, and DELETE) performed on the JOBS table. Any access to the
JOBS table will be captured and recorded by Oracle.

41
 UCCA3234 Database Administration Assignment

The “ALTER SYSTEM SET AUDIT_TRAIL='DB_EXTENDED'” SCOPE=SPFILE;

command modifies the AUDIT_TRAIL parameter to record both the SQL statements that are audited
and the SQL bind values in the database's audit trail. Setting SCOPE=SPFILE indicates that this change
should be written to the server parameter file, ensuring it persists across database restarts.
The ALTER SYSTEM SET AUDIT_SYS_OPERATIONS=TRUE SCOPE=SPFILE;
command ensures that audit records are generated for operations issued by the user SYS, and other
users connecting with SYSDBA or SYSOPER privileges.
After changing these parameters in the SPFILE, the database needs to be restarted for the
changes to take effect. Hence, the SHUTDOWN IMMEDIATE command is used to shut down the
database immediately, and the STARTUP command is used to start it back up with the new settings in
effect.

42
 UCCA3234 Database Administration Assignment

The command SELECT COUNT(*) FROM system.jobs2; is querying the number of rows
present in the jobs2 table located in the system schema. The result will be a single value indicating the
total count of rows in that table.
The command SELECT VALUE FROM V$PARAMETER WHERE name='audit_file_dest'; is
used to retrieve the directory path where Oracle's audit trail files are stored on the server. The view
V$PARAMETER contains information about the system parameters, and the query specifically fetches
the value of the audit_file_dest parameter, which indicates the OS directory path for the audit trail files.

Upon connecting to the database as the user SABINE and running the queries, the results for the two
SELECT COUNT(*) queries are 32 and 0, respectively. This means:
• The SYSTEM.JOBS table has 32 rows. This indicates that there are 32 entries or records in the
JOBS table within the SYSTEM schema at the time the query was executed.
• The system.product_user_profile table has no rows. This indicates that the product_user_profile
table within the SYSTEM schema is currently empty, with no records or entries.
The specific reasons for these counts would be based on the state of the database and the actions taken
43
 UCCA3234 Database Administration Assignment

prior to this point. In general, the JOBS table might contain scheduled jobs or tasks, while the
product_user_profile is used for product-level security and might be empty if no specific product-level
security profiles have been defined.

The query run by the SYSTEM user fetches the audit trail for the actions taken by the user
SABINE. The results of the query provide insights into the operations performed by SABINE and the
privileges used.
1. CREATE SESSION || || LOGOFF: This entry indicates that SABINE successfully created a
session and subsequently logged off. No specific privilege (PRIV_USED) is mentioned here
since CREATE SESSION is a fundamental privilege for connecting to the database.
2. select count(*) from system.jobs2 || || SELECT: This indicates that SABINE executed a
SELECT operation on the system.jobs2 table. The empty PRIV_USED field signifies that the
access was through an object-level privilege, specifically the object privilege granted to
SABINE to access the jobs table.
3. select count(*) from system.product_user_profile || SELECT ANY TABLE || SELECT: For this
SELECT operation on the system.product_user_profile table, SABINE utilized the SELECT
ANY TABLE system privilege. This is because SABINE didn't have a direct object privilege
on product_user_profile, so she relied on the more powerful system privilege to access the table.
In summary, the audit trail reveals that SABINE uses the appropriate privilege level required for each
operation. For accessing the JOBS table, she leveraged her specific object privilege, whereas for the
PRODUCT_USER_PROFILE table, she had to resort to the broader SELECT ANY TABLE system
privilege. The latter illustrates the power and potential risk of system privileges, as they can bypass
more granular object-level permissions.

44
 UCCA3234 Database Administration Assignment

Exercise 6: Lab Question

The result DB_EXTENDED for the AUDIT_TRAIL parameter indicates that standard database
auditing is currently enabled, and the audit records will capture both the SQL statement that triggered
the audit as well as the values of bind variables used in the statement (if any). This provides detailed
information about the audited actions.

The command AUDIT SELECT,INSERT,UPDATE,DELETE ON SCOTT.emp BY ACCESS; enables

the auditing of all SELECT, INSERT, UPDATE, and DELETE statements executed against the
SCOTT.EMP table. Any user who executes a SELECT, INSERT, UPDATE, or DELETE statement on
the SCOTT.EMP table will have that action recorded in the audit trail. This provides a means for
database administrators to monitor and review actions performed on this specific table. If any
unauthorized or unexpected activity occurs, it can be traced back to the specific user and action from
the audit logs.

The provided code sets up a Fine-Grained Auditing (FGA) policy for the SAL column of the EMP table
in the SCOTT schema. Fine-Grained Auditing provides more specific auditing capabilities than
standard Oracle auditing and is used to capture SQL statements based on certain conditions or specific
columns.

45
 UCCA3234 Database Administration Assignment

Here's a breakdown of what this code does:

• dbms_fga.add_policy(): This is a procedure from the dbms_fga package used to add an FGA
policy.
• object_schema=>'SCOTT', object_name=>'EMP': This specifies that the EMP table in the
SCOTT schema is the object you want to audit.
• policy_name=>'SCOTT_EMP_SUID': Names the FGA policy as "SCOTT_EMP_SUID".
• audit_column=>'SAL': This sets the policy to audit only the actions that involve the SAL
(SALARY) column.
• audit_condition=>NULL: No specific condition is set, so all operations on the SAL column will
be audited regardless of the data values or the context in which they are accessed.
• audit_trail=>DBMS_FGA.DB_EXTENDED: This directs the audit records to be stored in the
database with extended information. This means that the full SQL text and bind variables, if
any, are captured.
• enable=>TRUE: This ensures that the policy is enabled immediately after creation.
• statement_types=>'SELECT,INSERT,UPDATE,DELETE': This means the policy will capture
SELECT, INSERT, UPDATE, and DELETE SQL statements that involve the SAL column.
Effect:
With this policy in place, anytime someone performs a SELECT, INSERT, UPDATE, or DELETE
operation that involves the SAL column in the EMP table of the SCOTT schema, a detailed audit record
will be generated and stored in the audit trail in the database. This provides granular control to track
and monitor specific column-level access or modifications, particularly useful when dealing with
sensitive or regulated data.

Remove all existing audit records by using SYS account.

46
 UCCA3234 Database Administration Assignment

connect to scott account first, then run the command below

47
 UCCA3234 Database Administration Assignment

When the queries against dba_audit_trail and dba_fga_audit_trail are executed, here's what will be
observed:
• For the dba_audit_trail: There will be records showing that the user SCOTT performed a
SELECT and DELETE operation on the EMP table. The exact SQL commands executed, such
as select sal from emp and delete from emp where sal = 800, will also be displayed with their
respective timestamps.

• For the dba_fga_audit_trail: Records will reveal that SCOTT accessed the SAL column of the
EMP table. This trail captures finer details because of the Fine-Grained Auditing policy set
specifically on the SAL column. The executed SQL commands and their timestamps will be
visible, reflecting actions like selecting and deleting based on the SAL column values.

48
 UCCA3234 Database Administration Assignment

The command retrieves information from the dba_common_audit_trail view for actions taken on the
EMP table. Specifically, it will show the database user who executed the SQL statement, the name of
the object 'EMP', and the actual SQL command that was executed on the EMP table. This query is
designed to provide a consolidated view of audit records related to the EMP table. Any actions on the
EMP table that have been audited, either due to standard database auditing or Fine-Grained Auditing
(FGA), will be displayed in the results.

49
 UCCA3234 Database Administration Assignment

Exercise 7

Exercise 7.1: Querying V$ Views to Obtain Backup Information

Step 1: Listing Database Files before a Backup

Start SQL*Plus and query V$DATAFILE to obtain a list of data files by using these 2 methods:

Method 1:

Method 2:

50
 UCCA3234 Database Administration Assignment

Obtain the filenames of online redo log files by querying the V$LOGFILE view

Obtain the file names of the current control files by querying the V$CONTROLFILE view.

Step 2: Determining Data File Status for Online Tablespace Backups

The query retrieves information about tablespaces and their associated datafiles that are currently in
backup mode (ACTIVE status). Specifically, it provides the tablespace name, datafile number, and
datafile name for any datafiles in backup mode.
However, the result indicates that there are no datafiles currently in backup mode (ACTIVE
status). This means that no backups (like those initiated with the ALTER TABLESPACE BEGIN
BACKUP command) are currently in progress for these datafiles. Instead, they are in their usual
operational state, which is INACTIVE in the context of this query.
In other words, all of the tablespaces and datafiles in the database are operating under normal
conditions and none are being backed up at this moment.

51
 UCCA3234 Database Administration Assignment

The command above proved that the files is not currently in backup mode, which the status is showing
“NOT ACTIVE”.

52
 UCCA3234 Database Administration Assignment

After executing those commands, the database goes through several states:
• SHUTDOWN IMMEDIATE; - This command gracefully shuts down the Oracle instance after
ensuring that no user sessions remain connected. It also waits for any ongoing transactions to
complete.
• STARTUP MOUNT; - This command starts the Oracle instance and mounts the database but
does not open it for user access. In this state, no regular database operations can occur, but
administrative tasks, such as enabling the archive log mode, can be done.
• ALTER DATABASE ARCHIVELOG; - This command sets the database in archive log mode,
which means that redo log files will be archived once they are filled, allowing for point-in-time
recovery.
• ALTER DATABASE OPEN; - This opens the database for regular operations, making it
accessible to users.
• ALTER DATABASE BEGIN BACKUP; - With this command, the database is informed that a
cold or offline backup is about to be taken. This causes the database to temporarily halt
checkpointing. While in this state, the database continues its operations, but you should ideally
refrain from making significant data changes until you finish the backup.
53
 UCCA3234 Database Administration Assignment

By running the select * from V$BACKUP; command, you'd see the effect of the backup mode on the
data files. The V$BACKUP view provides information about which data files are currently in backup
mode. The status column for the relevant files should show ACTIVE, indicating they are in backup
mode.

54
 UCCA3234 Database Administration Assignment

Exercise 7.2: Making User-Managed Backups of the Whole Database

By shutting down the Database (SHUTDOWN IMMEDIATE), this ensures that the database is in a
consistent state, with no ongoing transactions. Databases must be shut down cleanly to ensure that
backups taken are consistent and can be used for recovery. An immediate shutdown ensures that all
sessions are disconnected, and any ongoing transactions are rolled back, bringing the database to a
consistent state.

Copying Database Files (COPY command): All the physical data files (with the .dbf extension) of the
database are copied from their original location to the backup directory (C:\backup). These files include

55
 UCCA3234 Database Administration Assignment

the SYSTEM and SYSAUX tablespaces, user data files, undo tablespace, and the temporary tablespace.

Copying Archived Redo Logs (COPY command): The archived redo logs are copied to the backup
location. Redo logs are crucial for database recovery as they contain a record of all changes made to
the database.

Startup the Database (startup command): After the backup, the database is started up, making it
available for regular operations.

By shutting down the database before the backup, this is ensuring that the data files and system
are in a consistent state, making the backup reliable for any future recovery needs. If you were to copy
files while the database was running, you risk having an inconsistent backup due to ongoing
transactions or changes not yet written from the cache to the data files.

56
 UCCA3234 Database Administration Assignment

Exercise 7.3: Making User-Managed Backups of Tablespaces and Data Files

This SQL statement queries the DBA_DATA_FILES view to retrieve the names of data files associated
with the USERS tablespace. The DBA_DATA_FILES view provides information about each data file
in the database, including its size, the tablespace to which it belongs, its status, and its physical location
on disk.
By running this query, this can identify the exact file paths of the data files that belong to the
USERS tablespace. Knowing these paths is crucial if you're planning to perform a backup of the
tablespace, as it tells you which files need to be backed up to save all the data and structures stored in
that specific tablespace.

The command “alter tablespace users offline normal;” takes the USERS tablespace offline in a
controlled manner. When "normal" is specified while taking the tablespace offline, Oracle ensures that
all the database transactions affecting the tablespace complete and that any cached data from the
tablespace is written to disk. After executing this command, no further transactions can access the
USERS tablespace until it is brought back online. Taking a tablespace offline is typically done for
maintenance tasks, such as backing up a specific tablespace or relocating its data files.

57
 UCCA3234 Database Administration Assignment

After successfully backing up the data file, the administrator runs the command alter tablespace
users online; in SQL*Plus to bring the USERS tablespace back online, making it accessible for database
transactions again. This process allows for the backup of individual tablespace data files without
shutting down the entire database or interrupting operations on other tablespaces.

58