Tyring to get a better understanding of ORACLE admin accounts

Posted on

Question :

In reviewing some configuration information for an ORACLE 12C server, I see that the only user assigned the DBA role appears to be SYS account. Also, the only user shown with SYSDBA and SYSOPER privileges appears to be SYS account. My understanding is that these are built in accounts that can perform all administrative functions. Absent other user accounts, it seems to indicate that the SYS account is used to perform day to days admin functions. Shouldn’t there be a “named” user with appropriately assigned privileges,versus using the SYS account?

Answer :

Yes, there should be. Even the documentation mentions that:

Administrative User Accounts

Create at least one additional administrative user and grant to that
user an appropriate administrative role to use when performing daily
administrative tasks. Do not use SYS and SYSTEM for these purposes.

But the database can not force you to do this. It is a discipline that some companies follow, while other companies ignore.

named OS users assigned to the ORA_DBA (windows) or DBA (*nix) groups are not accounts that are in the database and would not show up in any data dictionary view. from a persistence basis, they are unknown to the database. They are authenticated when they connect, using ‘os authentication’. If a given OS user is a member of the requisite and os-specific’dba’ group, they can connect with any username/password. As long as they specify ‘as sysdba’ their OS account will be checked against the members of the DBA group and they will be connected to the database as ‘sys’. Try it for yourself.

SQL> connect fubar/snafu as sysdba
SQL> show user

Leave a Reply

Your email address will not be published. Required fields are marked *