Is there harm in applying passwords to built-in Oracle Roles like DBA, Connect, etc


Question :

First, thanks for any help you may be able to provide. Oracle on Windows x64

Is there any harm in applying passwords (for example: alter role connect identified by "my_password") to all built-in roles? I ask as an audit is complaining that these built-in roles (such as connect, dba, java_admin, etc.) by default have no password requirement.

I’ve checked documentation and cannot find any information as to what subtle or not so subtle repercussions may occur if I do password protect these roles. Again thanks for any help you can provide.

Answer :

These are roles required to function as those roles. However, users cannot just use those roles. They are granted to users by a DBA as required. What they should be auditing is who has the roles and whether they should have them. To do that they will need to understand what the purpose of each role is.

Many of the roles will be granted to few, if any, non-standard users. But some such as connect will be granted to almost all users.

It may help them if you document those roles granted to non-standard users. Include the reasons they would/should be granted to a user. It is not uncommon to create local roles to simplify granting access. These should also be documented and identified as local. Having such a document should make dealing with the auditors easier as it will show that roles are being managed.

You have to consider the following:
If you protect all the built-in roles in the DB, what about all the background jobs executed by EM, the scheduler, maintenance tasks, statistics gathering, etc., which are using the DBSNMP, sysman, sysaux, etc. accounts?
For example, if you protect the connect role, how can you issue the set role command without connecting to the DB?
You have to think about every script executed automatically, and the behavior of other programs which are executing assuming that they have those built-in roles.
I don't recommend this.
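
The role review suggested in the first answer (who holds each built-in role, and which roles are local) can be started from the data dictionary. The queries below are an added example, not part of the original answers; they assume Oracle 12c or later (for the ORACLE_MAINTAINED columns) and a session that can read the DBA_* views.

```sql
-- Added example. Assumes Oracle 12c+ and SELECT access to DBA_* views.

-- 1. Every grant of an Oracle-supplied role: who holds it, whether the
--    grantee is itself Oracle-supplied (DBSNMP and similar accounts),
--    and whether the role is a default role for that grantee.
SELECT rp.granted_role,
       rp.grantee,
       CASE WHEN u.username IS NOT NULL THEN 'USER' ELSE 'ROLE' END
           AS grantee_type,
       NVL(u.oracle_maintained, gr.oracle_maintained)
           AS grantee_oracle_maintained,
       u.account_status,
       rp.admin_option,
       rp.default_role
FROM   dba_role_privs rp
       JOIN dba_roles r       ON r.role = rp.granted_role
       LEFT JOIN dba_users u  ON u.username = rp.grantee
       LEFT JOIN dba_roles gr ON gr.role = rp.grantee
WHERE  r.oracle_maintained = 'Y'
ORDER  BY rp.granted_role, grantee_oracle_maintained, rp.grantee;

-- 2. Locally created roles and how each one is authenticated
--    (NONE, PASSWORD, EXTERNAL, ...), for the "local roles" document.
SELECT role, authentication_type
FROM   dba_roles
WHERE  oracle_maintained = 'N'
ORDER  BY role;

-- 3. Local roles that in turn carry Oracle-supplied roles, so that
--    indirect holders of DBA, CONNECT, etc. are not missed.
SELECT rp.grantee AS local_role, rp.granted_role AS builtin_role
FROM   dba_role_privs rp
       JOIN dba_roles lr ON lr.role = rp.grantee
       JOIN dba_roles br ON br.role = rp.granted_role
WHERE  lr.oracle_maintained = 'N'
AND    br.oracle_maintained = 'Y'
ORDER  BY rp.grantee, rp.granted_role;
```

Rows in the first result where grantee_oracle_maintained is 'Y' are the supplied accounts the second answer is concerned about; rows where it is 'N' are the site accounts whose grants need a documented reason.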
