
Re: SYSDBA access (newbie)

From: Frank <fvanbortel_at_netscape.net>
Date: Thu, 22 May 2003 21:26:08 +0200
Message-ID: <3ECD2450.4020008@netscape.net>


Paul Brewer wrote:

> "Frank" <fvanbortel_at_netscape.net> wrote in message
> news:3ECBD8CE.9050102_at_netscape.net...
> 
>>Howard J. Rogers wrote:
>>
>>>Please don't do what these two replies suggest!
>>>
>>>SYSTEM is a powerful account that can do everything that SYS can do, with
>>>the only exception being that privileged actions (startup, shutdown, backup,
>>>recover, create database) can only be done by SYS.
>>>
>>>And that's the way it should stay. SYSTEM should not ever be granted
>>>privileged action status.
>>>
>>>For [at least] one very good reason: anything granted by SYS, anything
>>>created by SYS, can never be exported. If you get into the habit of logging
>>>on as a privileged user (which is what would happen if you granted SYSDBA to
>>>SYSTEM) then you are going to create things and grant things which are then
>>>forever locked within that database, and not exportable. It's a severe
>>>compromise of database recoverability and portability, and you'd be insane
>>>to go for it.
>>>
>>>Use SYS to do startups and shutdowns (etc). And use SYSTEM for all other
>>>day-to-day database management. Use the accounts in the way they were
>>>designed... because they were designed that way for a reason.
>>>
>>>Regards
>>>HJR
>>>
>>>
>>>
>>>"Chief" <chiefgecko_at_mail.com> wrote in message
>>>news:71497b46.0305191323.62ef5e80_at_posting.google.com...
>>>
>>>>"John M" <bali1a_at_freemail.hu> wrote in message
>>>>news:<bt9ya.7750$FJ4.81567_at_news.chello.at>...
>>>>
>>>>>Hello,
>>>>>
>>>>>I have just installed an Oracle 8i. I want to use DBA Studio to connect to
>>>>>my DB. I want to login as SYSDBA with the default system/manager login. But
>>>>>I get a message:
>>>>>ORA-01031: insufficient privileges.
>>>>>I have installed this Oracle version to another PC too, and there I can
>>>>>login.
>>>>>
>>>>>What can be the problem?
>>>>>
>>>>>Thanks!
>>>>
>>>>Connect to the 'sys' username using
>>>>sqlplus "/ as sysdba"
>>>>or
>>>>using DBA Studio connect to SYS using password with the "AS SYSDBA"
>>>>option.
>>>>
>>>>Then...
>>>>
>>>>execute the sql: GRANT SYSDBA TO SYSTEM
>>>>If this succeeds, then connect to the SYSTEM username using the "AS
>>>>SYSDBA" option. If you still get ORA-01031 post a reply and someone
>>>>can talk you through creating a password file and/or setting an
>>>>init.ora param.
>>>>
>>>>Ciao, Tim...
>>>
>>>
>>>
>>Sorry - Howard is right of course, I should have elaborated
>>on the "Not considered a Good Idea (tm), though..." as the
>>header stated newbie - which completely slipped through
>>
>>--
>>Regards, Frank van Bortel
>>
> 
> Well, I don't want to start a war here, but I'm not sure I entirely agree.
> 
> Whilst I concur entirely with the idea of not granting sysdba to system, and
> I completely agree with Howard about OS-authenticated 'sys as sysdba' for
> starting and stopping, I'm not sure I'm convinced that the system account
> should be for day-to-day use.
> 

As the granting of sysdba was the subject of my thread, I should have elaborated. Howard pointed out the dangers of such action, whilst I merely commented that it is not considered a good idea.

As to dropping DBA and other Oracle default roles, that was the subject of a thread some time ago. It was stated (HJR, iirc) that these roles should be deleted as soon as the database was created, and only those system privileges granted to users that are needed.

-- 
Regards, Frank van Bortel
Received on Thu May 22 2003 - 14:26:08 CDT
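
Added example, not part of the original post: a set of audit queries for the two things this thread discusses, namely which accounts hold SYSDBA/SYSOPER and who has the DBA role or directly granted system privileges. It uses the standard views V$PWFILE_USERS, V$PARAMETER, DBA_ROLE_PRIVS and DBA_SYS_PRIVS and assumes a SQL*Plus session connected AS SYSDBA.

```sql
-- Added example (not from the thread). Assumes a SQL*Plus session
-- connected AS SYSDBA on the database being reviewed.

-- 1. Accounts recorded in the password file with SYSDBA or SYSOPER.
--    If GRANT SYSDBA TO SYSTEM was ever run, SYSTEM is listed here.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER  BY username;

-- 2. Whether a password file is in use (NONE, EXCLUSIVE or SHARED).
--    This is the init.ora parameter behind remote "AS SYSDBA" logins.
SELECT name, value
FROM   v$parameter
WHERE  name = 'remote_login_passwordfile';

-- 3. Users and roles that have been granted the DBA role.
SELECT grantee, admin_option, default_role
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY grantee;

-- 4. System privileges granted directly to grantees other than
--    SYS, SYSTEM and the DBA role itself: the starting point for
--    granting each user only the privileges it needs.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
ORDER  BY grantee, privilege;

-- 5. If query 1 lists SYSTEM with SYSDBA = TRUE, remove the grant.
REVOKE SYSDBA FROM SYSTEM;
```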
