Re: Simple Security Questions

From: Steve Howard <>
Date: Wed, 15 Oct 2008 06:58:48 -0700 (PDT)
Message-ID: <>

On Oct 14, 6:04 pm, Palooka <> wrote:

> Can I safely lock the following accounts (
> None of these ever log in, according to DBA_AUDIT_TRAIL. I have session
> auditing on.

This is an interesting question. Most shops advocate not using SYSTEM on a regular basis, but I also have never heard a suggestion to lock it, either. I would defer to being conservative and not locking it, though. My guess is Oracle wouldn't even support it, but that is exactly that...a guess.

OUTLN I think is already locked by default. For MGMT_VIEW I have no clue. It doesn't look like it is locked by default, though. The following may be of interest...

> Also, should I create a new role, with various system privileges, to
> replace the "burned in" DBA role, and grant that to myself rather than DBA?

I think the new role is a good idea. We did this some time ago by reverse engineering the existing DBA role and extracting from it what we actually used.

> For information, we are using the database, OEM and RMAN. No RAC, no
> Oracle Applications, no ASM, no DataGuard.
> Jobs are scheduled with the newer database scheduler, not DBMS_JOB. Is
> it therefore OK to set JOB_QUEUE_PROCESSES to zero?

JOB_QUEUE_PROCESSES is still used for materialized views updates and I think streams queues. Received on Wed Oct 15 2008 - 08:58:48 CDT

Original text of this message