|Lesson 8||Operating System Authentication |
|Objective||Let your operating system authenticate database users |
Operating System Authentication
In the previous lesson, you created a user account that requires the user to supply a password in order to connect to the database.
You also can create an account that relies on the operating system to authenticate the user.
The user is accepted as a valid database user by virtue of the fact that he or she was able to log into the computer.
To create an operating system authenticated user, you issue a
statement that includes the keywords
These replace the
clause where the password is usually set.
You also need to give the username a prefix of "
." So if you had an operating system user named
, you would create an operating system authenticated account like this:
CREATE USER OPS$COIN_ADMIN IDENTIFIED EXTERNALLY
DEFAULT TABLESPACE users
The rest of the
CREATE command would be exactly like that shown in the previous lesson. Because the prefix OPS$ is used, these accounts are commonly referred to by DBAs as OPS$ ("ops-dollar") accounts.
Connecting to an OPS$ Account
If you were a user logged into the operating system as
, and an externally authenticated database user named
existed, you could connect to the database by supplying a forward-slash instead of a username and password.
Because a password is not needed, OPS$ accounts are often used in UNIX environments where cron jobs
are used to run database related scripts. They free you from having to write database passwords into UNIX shell scripts, thus enhancing security.
Changing the OPS$ Prefix
OS_AUTHENT_PREFIX initialization parameter controls the prefix used for operating system authentication.
You set this parameter in the database initialization parameter file. The default value, if the parameter is not set in the parameter file, is "
You can specify
OS_AUTHENT_PREFIX="" if you do not want a prefix, or you can specify any other prefix that you like.
Unattended batch jobs that are scheduled with the Unix cron utility.