Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: changing pswds of standard accounts

From: EdStevens <quetico_man_at_yahoo.com>
Date: Tue, 07 Aug 2007 13:22:37 -0700
Message-ID: <1186518157.926624.287640@o61g2000hsh.googlegroups.com>


On Aug 7, 2:12 pm, Niall Litchfield <niall.litchfi..._at_dial.pipex.com> wrote:
> EdStevens wrote:
> > Already done that, but there is a management requirement that I may
> > not be able to negotiate away. This is a government system, and often
> > there are security requirements that have to be adhered to whether
> > they make sense or not. You and I know a locked account cannot be
> > accessed, but try explaining that to the bureaucrat that wrote the
> > regulation, or the ones charged with enforcing it.
>
> Depends on what you mean by accessed. It could be unlocked and logged
> into, procedures or views owned by it could be accessed from other
> schemas and so on. The best thing to do with truly unused schemas is not
> to lock them but to drop them, subject to normal change and backup etc.
> I'd be siding with the bureaucrat on this one.
>
> --
> Niall Litchfield
> Oracle DBA
> http://www.orawin.info/services

"Depends on what you mean by accessed."

Or what the meaning of the word "is" is ..... ;-)

I see your point. By 'accessed' I meant to connect to the database using that account - mostly by some procedure (loose use of the term 'procedure').

Most of the accounts like DIP, WMSYS, etc. have always been expired and locked. Understandably, nobody (including agents, daemons, procedures, scripts, etc.) ever actually connects using those accounts; they exist simply to hold a specific schema. In those cases, it obviously does no harm to simply ALTER USER ... IDENTIFIED BY and go on your merry way. Obviously, DBSNMP and SYSMAN *are* used for connections and require additional work to change.

I would like to remove the unused extra features and their supporting schemas, but will have to move very carefully on that. In the meantime, I still have to certify that I have changed all the passwords.

Received on Tue Aug 07 2007 - 15:22:37 CDT
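An added example, not part of the original thread: one way to inventory accounts for the kind of certification discussed above, using the standard Oracle dictionary views DBA_USERS, DBA_OBJECTS and DBA_TAB_PRIVS. It shows each account's lock state next to how many objects it owns and how many of those are granted to other schemas, which is the exposure that remains while the account itself is locked. The `review_note` wording is an assumption made for illustration.

```sql
-- Added example: run as a user with SELECT access to the DBA_* views.
SELECT u.username,
       u.account_status,
       u.lock_date,
       u.expiry_date,
       -- objects held by this schema (the reason accounts such as DIP exist)
       (SELECT COUNT(*)
          FROM dba_objects o
         WHERE o.owner = u.username)            AS owned_objects,
       -- object privileges on this schema's objects held by someone else:
       -- these stay usable from other schemas even when the owner is locked
       (SELECT COUNT(*)
          FROM dba_tab_privs p
         WHERE p.owner = u.username
           AND p.grantee <> u.username)         AS grants_to_others,
       CASE
         WHEN u.account_status = 'OPEN'
           THEN 'connectable: change password together with its clients'
         WHEN u.account_status LIKE '%LOCKED%'
           THEN 'locked: no logon, but owned objects may still be reachable'
         ELSE 'expired only: password must be reset at next logon'
       END                                      AS review_note
  FROM dba_users u
 ORDER BY u.account_status, u.username;
```

Rows with `owned_objects = 0` and `grants_to_others = 0` are the simplest candidates for the drop-instead-of-lock approach raised in the quoted reply, subject to the same change control and backups.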
