Oracle FAQ | Your Portal to the Oracle Knowledge Grid |
Home -> Community -> Usenet -> c.d.o.server -> Re: OK to revoke privileges from SYS or DBA?
"DA Morgan" <damorgan_at_x.washington.edu> wrote in message
news:1102272986.366416_at_yasure...
> Tom wrote:
>
>> I'm working on a project to secure a database for the government, and
>> one of the recommendations from an analysis tool is to remove some
>> privileges from SYS or DBA, namely privileges granted with the ADMIN
>> option.
>>
>> Is it safe to change any of the privileges associated with the SYS
>> user or DBA role? Is this supported by Oracle?
>>
>> Thanks,
>>
>> Tom
>
> I'd drop the DBA role completely as that is what Oracle advises. It
> exists, like CONNECT and RESOURCE solely for demonstration purposes
> just as does SCOTT/TIGER.
>
> Dropping privs from SYS, if it is possible, is preposterous on its
> face as anyone logged on as SYS could always grant them again at will.
> If you want fool-proof security this is not the way to achieve it.
> You can contact me off-line if you wish and are a U.S. person.
> --
> Daniel A. Morgan
> University of Washington
> damorgan_at_x.washington.edu
> (replace 'x' with 'u' to respond)
can you provide a link as to where oracle advise dropping the dba role Received on Sun Dec 05 2004 - 15:05:08 CST