Re: Stop using SYS, SYSTEM?

From: Nuno Pinto do Souto <>
Date: Wed, 12 Nov 2003 15:44:24 -0800
Message-ID: <>

> Smith, Ron L. <> wrote:
> We are being asked by Auditing to stop using the SYS and SYSTEM
> accounts. They would like for us to create an Oracle Role with the
> same permissions as SYS and SYSTEM, then grant the role to each of
> the DBAs. Don't ask me why. Nothing is being audited in 99% of the
> databases. They just say it in a paper somewhere so they said we
> shouldn't use it. This seems like it would cause lots of problems
> with exports, imports, installs, etc... Has anyone had to deal with
> this type of request? Any potential problems with making the change?

Quite a few potential problems. This is typical security jackass kneejerk reaction, pure and simple. A DBA needs DBA access to the system. Oracle provides this via SYS and SYSTEM. Period. The rest is just hazy, unprovable, half-cooked "security" bullshit from people who read this and that everywhere and are by default considered experts by even less competent damagement.

Granting all rights of user SYS and SYSTEM to a role and then granting that role to a DBA user reeks of sheer stupidity. If the issue is auditing, then use auditing. That's what it's there for. If the issue is use of DBA access, then get rid of the DBAs. (see how long that lasts...).

This sort of thing reminds me of the time I used to work at a very secure site back in the early 90s, where we had to request a security officer to give us the password for SYS and SYSTEM in order to do our job. The officer changed the password before passing it on to us verbally. He then proceeded to watch us type on the screen, then watched us log out and then changed the password again on the spot. Very secure, very procedural, very formal.

Except the officer was not a DBA, knew zilch about SQL and couldn't discern if we were copying the entire main accounts table to a non-secure area if his life depended on it.

Great security! No wonder it got exposed a few years later in a well known incident.

The issue of course is that what these people needed was auditing, not security. But try as we might, we could not make their "experts" understand the diff...

Nuno Souto

Received on Wed Nov 12 2003 - 17:44:24 CST
