8.4 Controlling Access to Mining Models and Data
Understand how to create a Data Mining user and grant necessary privileges.
8.4.1 Creating a Data Mining User
Explains how to create a Data Mining user.
A Data Mining user is a database user account that has privileges for performing data mining activities. Example 8-6 shows how to create a database user. Example 8-7 shows how to assign data mining privileges to the user.
Example 8-6 Creating a Database User in SQL*Plus
-
Log in to SQL*Plus with system privileges.
Enter user-name: sys as sysdba Enter password: password -
To create a user named
dmuser, type these commands. Specify a password of your choosing.CREATE USER dmuser IDENTIFIED BY password DEFAULT TABLESPACE USERS TEMPORARY TABLESPACE TEMP QUOTA UNLIMITED ON USERS; Commit;The
USERSandTEMPtablespace are included in the pre-configured database that Oracle ships with the database media.USERSis used mostly by demo users; it is appropriate for running the sample programs described in "The Data Mining Sample Programs".TEMPis the temporary tablespace that is shared by most database users.Note:
Tablespaces for Data Mining users must be assigned according to standard DBA practices, depending on system load and system resources.
-
To login as
dmuser, type the following.CONNECT dmuser Enter password:password
Related Topics
See Also:
Oracle Database SQL Language Reference for the complete syntax of the CREATE USER statement
8.4.1.1 Granting Privileges for Data Mining
You must have the CREATE MINING MODEL privilege to create models in your own schema. You can perform any operation on models that you own. This includes applying the model, adding a cost matrix, renaming the model, and dropping the model.
The GRANT statements in the following example assign a set of basic data mining privileges to the dmuser account. Some of these privileges are not required for all mining activities, however it is prudent to grant them all as a group.
Additional system and object privileges are required for enabling or restricting specific mining activities.
Example 8-7 Privileges Required for Data Mining
GRANT CREATE MINING MODEL TO dmuser; GRANT CREATE SESSION TO dmuser; GRANT CREATE TABLE TO dmuser; GRANT CREATE VIEW TO dmuser; GRANT EXECUTE ON CTXSYS.CTX_DDL TO dmuser;
READ or SELECT privileges are required for data that is not in your schema. For example, the following statement grants SELECT access to the sh.customers table.
GRANT SELECT ON sh.customers TO dmuser;
8.4.2 System Privileges for Data Mining
Learn different privileges to control operations on mining models.
A system privilege confers the right to perform a particular action in the database or to perform an action on a type of schema objects. For example, the privileges to create tablespaces and to delete the rows of any table in a database are system privileges.
You can perform specific operations on mining models in other schemas if you have the appropriate system privileges. For example, CREATE ANY MINING MODEL enables you to create models in other schemas. SELECT ANY MINING MODEL enables you to apply models that reside in other schemas. You can add comments to models if you have the COMMENT ANY MINING MODEL privilege.
To grant a system privilege, you must either have been granted the system privilege with the ADMIN OPTION or have been granted the GRANT ANY PRIVILEGE system privilege.
The system privileges listed in the following table control operations on mining models.
Table 8-2 System Privileges for Data Mining
Example 8-8 Grant System Privileges for Data Mining
The following statements allow dmuser to score data and view model details in any schema as long as SELECT access has been granted to the data. However, dmuser can only create models in the dmuser schema.
GRANT CREATE MINING MODEL TO dmuser; GRANT SELECT ANY MINING MODEL TO dmuser;
The following statement revokes the privilege of scoring or viewing model details in other schemas. When this statement is executed, dmuser can only perform data mining activities in the dmuser schema.
REVOKE SELECT ANY MINING MODEL FROM dmuser;
Related Topics
8.4.3 Object Privileges for Mining Models
An object privilege confers the right to perform a particular action on a specific schema object. For example, the privilege to delete rows from the SH.PRODUCTS table is an example of an object privilege.
You automatically have all object privileges for schema objects in your own schema. You can grant object privilege on objects in your own schema to other users or roles.
The object privileges listed in the following table control operations on specific mining models.
Table 8-3 Object Privileges for Mining Models
Example 8-9 Grant Object Privileges on Mining Models
The following statements allow dmuser to apply the model testmodel to the sales table, specifying different cost matrixes with each apply. The user dmuser can also rename the model testmodel. The testmodel model and sales table are in the sh schema, not in the dmuser schema.
GRANT SELECT ON MINING MODEL sh.testmodel TO dmuser; GRANT ALTER ON MINING MODEL sh.testmodel TO dmuser; GRANT SELECT ON sh.sales TO dmuser;
The following statement prevents dmuser from renaming or changing the cost matrix of testmodel. However, dmuser can still apply testmodel to the sales table.
REVOKE ALTER ON MINING MODEL sh.testmodel FROM dmuser;