Re: Oracle Enterprise Manager 12c - SYSDBA privs profile

From: Seth Miller <sethmiller.sm_at_gmail.com>
Date: Tue, 12 Jan 2016 12:54:30 -0600
Message-ID: <CAEueRAXc-vfbO9yV2RQTyPTGZ1n4+BAchrsQC-8kaNBHTN_4eg_at_mail.gmail.com>



Shankar,

I think the first point that needs to be cleared up is that you don't need access to the OS to connect as SYSDBA; therefore, there would be no reason to connect to the OS at all.

The second point is that any user with membership in the OSDBA group can connect as SYSDBA, so sudo access is not necessary in any case.

Finally, there is no query that requires SYSDBA. Permission to query any object in the database can be given granularly. All queries can be audited.

Your apprehension about granting OS or SYSDBA access is well founded. Nothing you have described here requires either.

You will probably have to find out what exactly it is your customer wants to do and then find an existing role or create one that allows them to do just that and grant it to that user. Auditing can then be set up for that role or user specifically.

Seth Miller

On Tue, Jan 12, 2016 at 11:59 AM, Apps DBA <dbaorapps_at_gmail.com> wrote:

> Hi Gurus,
>
> I have a requirement from my customer DBAs to create a DBA profile or
> access to the production environment wherein they want to have access to
> check database health and run queries for tuning or any level of SYSDBA
> access, but there is a limitation as per contract not to have PROD sudo
> level OS access. Is there any way to accomplish this through OEM profile
> creation for a set of users or individuals who are DBAs? What are the audit
> risks involved? I am just afraid, as it is a production instance. Please advise
> and share your ideas.
>
> Thanks,
> Shankar
>

--
http://www.freelists.org/webpage/oracle-l
Received on Tue Jan 12 2016 - 19:54:30 CET
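
The approach described in the reply above (a purpose-built role granted to a named user, with auditing scoped to that user), as an added example that is not part of the original thread. The role, user and policy names and the password are hypothetical placeholders, and the audit statements assume Oracle Database 12c unified auditing.

```sql
-- Added example. PROD_HEALTH_RO, CUST_DBA1 and PROD_HEALTH_AUD are
-- hypothetical names; the password is a placeholder to be replaced.

-- 1. A role that carries only what health checks and tuning need.
CREATE ROLE prod_health_ro;

-- Read access to the data dictionary and dynamic performance views
-- (DBA_*, V$*), without any access to application data.
GRANT SELECT_CATALOG_ROLE TO prod_health_ro;

-- Lets the holder run the advisor framework (e.g. SQL Tuning Advisor).
GRANT ADVISOR TO prod_health_ro;

-- 2. One named database account per person, so audit records are attributable.
--    No OS account, OSDBA group membership or SYSDBA grant is involved.
CREATE USER cust_dba1 IDENTIFIED BY "Placeholder_Chang3_Me" PASSWORD EXPIRE;
GRANT CREATE SESSION TO cust_dba1;
GRANT prod_health_ro TO cust_dba1;

-- 3. Audit everything this user does through a unified audit policy.
CREATE AUDIT POLICY prod_health_aud ACTIONS ALL;
AUDIT POLICY prod_health_aud BY cust_dba1;

-- 4. Checks a reviewer can run afterwards.
-- The account must not appear in the password file with SYSDBA/SYSOPER.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- Roles and system privileges actually held by the account.
SELECT grantee, granted_role FROM dba_role_privs WHERE grantee = 'CUST_DBA1';
SELECT grantee, privilege    FROM dba_sys_privs  WHERE grantee = 'CUST_DBA1';

-- What the user has done, from the unified audit trail.
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, sql_text
  FROM unified_audit_trail
 WHERE dbusername = 'CUST_DBA1'
 ORDER BY event_timestamp;
```

If a specific application table must be readable for tuning, grant SELECT on that object to the role rather than widening it with an ANY privilege.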
