
Home -> Community -> Usenet -> c.d.o.server -> Re: OK to revoke privileges from SYS or DBA?

Re: OK to revoke privileges from SYS or DBA?

From: Howard J. Rogers <hjr_at_dizwell.com>
Date: Tue, 07 Dec 2004 11:23:46 +1100
Message-ID: <41b4f813$0$17883$afc38c87@news.optusnet.com.au>


hpuxrac wrote:
> DA Morgan wrote:
>
> snip
>
>

>>I'd drop the DBA role completely as that is what Oracle advises. It
>>exists, like CONNECT and RESOURCE solely for demonstration purposes
>>just as does SCOTT/TIGER.

>
>
> I disagree. Securing access to oracle provided roles is one thing,
> recommending dropping the roles is another thing altogether.
>
> I for one have never heard anyone from oracle advising the DBA role
> should be dropped. I don't think that I would consider dropping
> connect or resource role either.
>
> Where does this recommendation come from exactly?
>
> Is this something someone has done on a production system and why?
> What were the ramifications?
>
> This advice seems to me to be somewhat seat of the pants and highly
> questionable. Willing to have it proven otherwise of course.
>
> John
>

It actually doesn't say to drop them anywhere in the Oracle documentation as far as I can tell. It says they're there for backwards compatibility reasons... which rather implies they have a use and a function, and should therefore be left alone.

I notice their 9i Fundamentals II course notes, when they discuss setting up an RMAN catalog, say to create an 'RMAN User' to own the catalog... and then show how to grant connect and resource to the new user.

You could well argue that this is merely sloppy courseware writing, but it's a fairly good indication too that Oracle still sees a continuing use for these things, so that dropping them would not be a particularly wise move.

A quick search in the 9i official documentation also yields this quote:

"It is suggested that you create at least one additional administrator user, and grant that user the DBA role, to use when performing daily administrative tasks. It is recommended that you do not use SYS and SYSTEM for these purposes."

That's from
http://download-west.oracle.com/docs/cd/B10501_01/server.920/a96521/dba.htm

Regards
HJR

Received on Mon Dec 06 2004 - 18:23:46 CST
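
Added example, not part of the original post or of Oracle's documentation: the separate administrator account suggested in the quoted 9i text, followed by a review of who holds the DBA, CONNECT and RESOURCE roles discussed in this thread. The user name `ops_admin` and its password are hypothetical placeholders; the statements assume a session with access to the `DBA_*` dictionary views.

```sql
-- Added example. ops_admin and its password are hypothetical placeholders.
-- Run from a session that can read the DBA_* dictionary views.

-- 1. A named administrator for daily tasks, used instead of SYS or SYSTEM
--    (the arrangement the quoted 9i documentation suggests).
CREATE USER ops_admin IDENTIFIED BY replace_this_password;
GRANT DBA TO ops_admin;

-- 2. Who currently holds the Oracle-supplied roles under discussion.
--    ADMIN_OPTION = 'YES' means the grantee can pass the role on to others.
SELECT granted_role,
       grantee,
       admin_option,
       default_role
FROM   dba_role_privs
WHERE  granted_role IN ('DBA', 'CONNECT', 'RESOURCE')
ORDER  BY granted_role, grantee;

-- 3. The system privileges each of those roles carries directly, so a
--    grant of the role can be compared with what the account really needs.
SELECT grantee AS role_name,
       privilege,
       admin_option
FROM   dba_sys_privs
WHERE  grantee IN ('DBA', 'CONNECT', 'RESOURCE')
ORDER  BY grantee, privilege;

-- 4. Holders of DBA other than the built-in accounts and the administrator
--    created in step 1: the grants to justify or revoke when securing
--    access to the role rather than dropping it.
SELECT grantee, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
AND    grantee NOT IN ('SYS', 'SYSTEM', 'OPS_ADMIN')
ORDER  BY grantee;
```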
