Re: oracle 9i connection string with SYS account

Knut Talman wrote:

> "Bertus Dam" <b.dam_at_gmx.net> schrieb im Newsbeitrag
> news:3cfc9fe0_at_news.mhogaming.com...
> >
> > I'm trying to create a connectionstring in my application to an oracle 9i
> > database.
> > I can't get it to work though. This is what I try:
> >
> > Provider=OraOLEDB.Oracle;Data Source=svr;User
> > ID=SYS;Password=change_on_install;
> >
> > Errormessage:
> >
> > Message: "ORA-28009: connection to sys should be as sysdba or sysoper"
> >
> > How can I fix this? Or how do I create a connectionstring which uses
> > integrated O/S security?
>
> Do not use SYS, create a new user. If the user needs access to sys objects
> grant dba to the new user.
>
> Regards,
>
> Knut

I would argue that you should never grant DBA to any user. DBA is just a package of privileges that have no relationship to anything but are a great way to compromise system security. If you need to grant access to all tables then GRANT SELECT ANY TABLE though it would be better to grant SELECT on specific objects on an as-needed basis.

And don't get me started about CONNECT. I think Oracle should rethink the entire concept of the CONNECT role and preferably dump it. The first thing I do to a new database after changing the SYS and SYSTEM passwords is drop CONNECT and create a role that actually provides appropriate access. To many people think CONNECT is the privilege to connect to the database and that just isn't the case.

Daniel Morgan Received on Tue Jun 04 2002 - 10:04:27 CDT