RE: Stop using SYS, SYSTEM?

From: <Jared.Still_at_radisys.com>
Date: Wed, 12 Nov 2003 15:49:25 -0800
Message-ID: <F001.005D6751.20031112154925@fatcity.com>


The email I replied to stated that all users that required privs (such as DBA) would be given the necessary roles. That's fine for many things, but some accounts still need the SYSDBA priv.

The one thing you get from that is accountability, if the database is 9i or later and sysdba can be audited, and if anyone with access to the account is not smart enough or knowledgeable enough to cover his tracks, then you might be able to establish a trail.

In the case of something like RMAN, you may rarely need to use that account interactively. One solution at times suggested is to lock the password away in a safe, usually under the auspices of a manager.

This implies that the mgr is somehow more trustworthy, or less likely to muck about in a system using the forbidden account. That just seems naive to me.

Jared

David Wagoner <dwagoner_at_arsenaldigital.com> Sent by: ml-errors_at_fatcity.com
 11/12/2003 12:44 PM
 Please respond to ORACLE-L  

        To:     Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>
        cc: 
        Subject:        RE: Stop using SYS, SYSTEM?


Jared,
I followed Robert Freeman's advice and created an RMAN user in all my DBs called backup_admin with SYSDBA privilege so that RMAN doesn't use SYS or SYSTEM. This allows you to change system passwords at will and not interfere with backups. Works just fine. Is this what you were talking about? Perhaps I misunderstood.

Best regards,
David B. Wagoner
Database Administrator
Arsenal Digital Solutions
Web: http://www.arsenaldigital.com

-----Original Message-----
Sent: Wednesday, November 12, 2003 3:05 PM
To: Multiple recipients of list ORACLE-L

We are being asked by Auditing to stop using the SYS and SYSTEM accounts. They would like for us to create an Oracle Role with the same permissions as SYS and SYSTEM, then grant the role to each of the DBAs. Don't ask me why. Nothing is being audited in 99% of the databases. They just say it in a paper somewhere so they said we shouldn't use it. This seems like it would cause lots of problems with exports, imports, installs, etc... Has anyone had to deal with this type of request? Any potential problems with making the change? Thanks!
Ron Smith
--

Please see the official ORACLE-L FAQ: http://www.orafaq.net
--

Author: Smith, Ron L.
  INET: rlsmith_at_kmg.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com 
San Diego, California        -- Mailing list and web hosting services 
--------------------------------------------------------------------- 
To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).

Received on Wed Nov 12 2003 - 17:49:25 CST
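
The setup discussed in this thread, as an added example that is not part of the original messages: a dedicated SYSDBA account for RMAN (the name backup_admin comes from David Wagoner's message) together with SYSDBA auditing through the AUDIT_SYS_OPERATIONS parameter available from Oracle9i Release 2. The password is a placeholder, and the example assumes the instance uses a password file with REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE and an spfile.

```sql
-- Added example, not from the thread. Run in SQL*Plus from a session
-- connected AS SYSDBA.
-- Assumption: REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE, otherwise the
-- GRANT SYSDBA below fails because the password file cannot be updated.

-- 1. Dedicated account used only by RMAN, so the SYS and SYSTEM
--    passwords can be rotated without breaking backups.
--    The password is a placeholder; replace it.
CREATE USER backup_admin IDENTIFIED BY change_me_placeholder;
GRANT CREATE SESSION TO backup_admin;
GRANT SYSDBA TO backup_admin;

-- 2. Review which accounts hold SYSDBA or SYSOPER through the
--    password file. Every row here is an account that needs the
--    same accountability as SYS itself.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 3. Turn on auditing of SYSDBA/SYSOPER sessions. The parameter is
--    static, so it is written to the spfile (assumed to be in use)
--    and takes effect at the next instance restart.
ALTER SYSTEM SET audit_sys_operations = TRUE SCOPE = SPFILE;

-- 4. After the restart, confirm the setting and find where the
--    records are written. They go to the operating system audit
--    trail (files under audit_file_dest on Unix), not to a database
--    table, so they cannot be removed with SQL alone.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_sys_operations', 'audit_file_dest');
```

Restricting operating system access to the audit destination, or shipping those files to another host, is what keeps the trail out of reach of the account being audited.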
