Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: sys password

From: Sybrand Bakker <postmaster_at_sybrandb.demon.nl>
Date: Thu, 15 Jul 1999 14:23:17 +0200
Message-ID: <932041367.760.0.pluto.d4ee154e@news.demon.nl>


Hi Anurag,
Here's the story: the connect, resource and dba privileges in Oracle 6 were replaced by connect, resource and dba roles (containing much more granular privileges) in Oracle 7.
They were retained for backwards compatibility and officially they are obsolete.
But .... everyone still uses them.
The problem here is the alter user privilege, which has been granted to the connect role (off the top of my head). This can be used to change any password, including that of sys. Why on earth Oracle allows that I don't know.
Moral: The only option is to get away from connect, resource, and dba and grant the more granular privileges like create any table, create any procedure, etc. only. Obviously, I too would like to know why a user with the alter user privilege can change the sys password, which can result in sys losing its sysdba privileges (if remote_login_passwordfile = shared in init.ora and the sys password and the internal password differ, then sys is unable to connect as sysdba).

Hth,

Sybrand Bakker, Oracle DBA

Anurag Minocha <anurag_at_synergy-infotech.com> wrote in message news:378DB801.E60B8340_at_synergy-infotech.com...
> Hi,
> I have a user with dba, resource and connect roles. The problem is that
> he is able to change the sys password. How can I prevent this? Is this
> because of the dba role? If yes, then why is sys called the super user
> if the password can be changed from dba?
>
>
> anurag
>
Received on Thu Jul 15 1999 - 07:23:17 CDT
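
An added example, not part of the original posts: one way to check which accounts and roles actually hold ALTER USER in a given database, then swap the blanket roles for a narrow custom role as the reply suggests. The names `app_developer` and `app_user1` are hypothetical, the privilege list is an assumption to adjust per application, and the audit query assumes a release that allows CONNECT BY over the dictionary views.

```sql
-- Added example; app_developer and app_user1 are hypothetical names.
-- Run the audit and the grants as a DBA.

-- 1. Audit: every user or role that effectively holds ALTER USER,
--    either directly or through any chain of nested roles.
SELECT grantee, 'direct grant' AS how_obtained
FROM   dba_sys_privs
WHERE  privilege = 'ALTER USER'
UNION
SELECT grantee, 'via role ' || granted_role
FROM   dba_role_privs
START WITH granted_role IN (SELECT grantee
                            FROM   dba_sys_privs
                            WHERE  privilege = 'ALTER USER')
CONNECT BY PRIOR grantee = granted_role   -- walk role -> its grantees
ORDER BY 1;

-- 2. Build a role that carries only what the account needs
--    (assumed here: log in, create own tables and procedures).
CREATE ROLE app_developer;
GRANT CREATE SESSION, CREATE TABLE, CREATE PROCEDURE TO app_developer;

-- 3. Take the predefined roles away and grant the narrow one instead.
REVOKE connect, resource, dba FROM app_user1;
GRANT  app_developer TO app_user1;

-- 4. Verify from a fresh session logged in as app_user1:
--    this must return no rows once the change has taken effect.
SELECT privilege
FROM   session_privs
WHERE  privilege = 'ALTER USER';
```

Rerun the audit query in step 1 afterwards; any remaining grantee other than the intended administrators is an account that can still reset other users' passwords.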
