1. SYS and SYSTEM are privileged Oracle database accounts with DBA roles. SYSMAN and DBSNMP are administrative accounts used for Oracle Enterprise Manager administration and monitoring.
2. SYSDBA and SYSOPER are system privileges that allow database access even when the database is closed. SYSDBA includes all system privileges, while SYSOPER allows startup/shutdown but not data access.
3. DBA role should be granted to database administrators and includes most system privileges, but not SYSDBA/SYSOPER. PUBLIC is a user group for all database users.
1. SYS and SYSTEM are the privileged database accounts (auto-created and granted the DBA role) and schemas. Tables in the SYS schema are manipulated by the Oracle server software; no one should directly create or modify any tables in this schema!
2. SYSMAN is an administrative account (aka super administrator account) used to perform Oracle Enterprise Manager administration tasks. The DBSNMP account is used by the EM management agent to monitor and manage the database.
3. SYSOPER and SYSDBA are system privileges that allow access to a database instance even when the database is not open. Control of these privileges is entirely outside the database itself. SYSOPER permits STARTUP, SHUTDOWN, ALTER DATABASE { OPEN | MOUNT | BACKUP | ARCHIVELOG | RECOVER }, but does not give access to user data and allows only complete recovery. It also includes the RESTRICTED SESSION privilege. SYSDBA includes SYSOPER, permits CREATE DATABASE and incomplete recovery, and includes all system privileges WITH ADMIN OPTION. A user connected AS SYSDBA works in the SYS schema; a user connected AS SYSOPER works in the PUBLIC schema.
4. DBA usually means "database administrator". In Oracle it is also a predefined role (auto-created during installation) that holds the majority of database system privileges (but not SYSDBA / SYSOPER). This role should be granted to a user acting as a database administrator. Avoid using SYS or SYSTEM, except when this is explicitly specified.
5. PUBLIC is a special user group (all database users).
6. oracle is a Linux/Unix OS user account.
7. dba and oper are Linux/Unix OS groups.
8. ORA_DBA and ORA_OPER are Windows OS groups.
OS authentication of the privileged users
Linux OS authentication for a database administrator typically involves placing their OS username (usually oracle) in a special group (usually dba). A member of the dba group gets the SYSDBA privilege. An optionally created group oper gives its members the SYSOPER privilege. The OS user oracle is sometimes called the "Oracle software owner".

Windows does not require a special user account for Oracle database administration; Oracle files are owned by the Windows built-in account SYSTEM (not related to the Oracle Database SYSTEM account).

By default, Linux root can neither start up / shut down the database nor use Oracle applications, due to the lack of a proper environment and group membership. To start up / shut down the database, to perform backup / recovery, etc., su - oracle and connect AS SYSDBA or AS SYSOPER (see Startup and Shutdown).

Note! The user / group names oracle, dba, oper are typical but not hard-coded; they can be changed during Oracle installation.

On a Windows Server a local group ORA_DBA is auto-created during Oracle installation; members of this group have the SYSDBA privilege. The installer (usually the Windows Administrator) gets membership automatically, which means the installer can act as a database administrator. The ORA_OPER group is optional.

The Oracle-related Windows registry keys:
HKLM -> SOFTWARE -> ORACLE -> HOME0
HKLM -> SYSTEM -> CurrentControlSet -> Services -> Oracle
Password file authentication
The Oracle database uses a password file (usually something like $ORACLE_HOME/dbs/orapworcl) to keep track of database users that have been granted SYSOPER and SYSDBA. If the password file is missing or the init parameter REMOTE_LOGIN_PASSWORDFILE = NONE, then only OS-authenticated users can have SYSOPER and SYSDBA.

The password file can be created using the orapwd utility:
orapwd file=orapworcl password=assm9dpk entries=8
The password parameter sets the password for SYS. If you later use ALTER USER to change the SYS password, both the password in the data dictionary and the password in the password file are updated. The number of password entries allocated (which is, in fact, the maximum planned number of privileged users) is always a multiple of four.

When REMOTE_LOGIN_PASSWORDFILE = NONE, the password file is ignored, and privileged connections over non-secure lines are not allowed.

If REMOTE_LOGIN_PASSWORDFILE = SHARED, the password file can be used by multiple databases running on the same server. However, in this case you cannot change the password for SYS or give SYSDBA / SYSOPER to new users, because a shared password file is read-only. To work around this, change the parameter temporarily to EXCLUSIVE and make the updates. Note! This parameter is static and won't come into effect without a database restart.

By default, REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE. An exclusive password file can be used with only one database. It allows you to add, modify and delete users, and to change the SYS password.

To add a user to the password file:
SQL> GRANT SYSOPER TO appmgr;
To remove a user from the password file:
SQL> REVOKE SYSOPER FROM appmgr;

Operating system authentication takes precedence over password file authentication. That is, if you are a member of the dba group and connect AS SYSDBA, you will be connected with this privilege regardless of the username / password specified.

Warning! In Oracle 10g passwords are always encrypted (AES algorithm) before they are sent across the network. This is true for client / server and server / server connections. However, it is not always true for previous Oracle versions (see the DBLINK_ENCRYPT_LOGIN init parameter and the ORA_ENCRYPT_LOGIN environment variable in Oracle 9i). But! The data is sent over the network unencrypted, unless you have Oracle Enterprise Edition and the separately purchased Oracle Advanced Security.
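An added audit script (not from the original document) that ties the two sections above together: it lists which OS accounts inherit SYSDBA / SYSOPER through the dba / oper groups (group names are parameters, since the installer can rename them) and spells out what each REMOTE_LOGIN_PASSWORDFILE value means for the password file. The sample group file is constructed, and the default ORACLE_HOME path is an assumed placeholder.

```shell
#!/bin/sh
# Added audit helper (not from the original page): shows who inherits SYSDBA / SYSOPER
# through OS group membership and interprets REMOTE_LOGIN_PASSWORDFILE.
# Group names default to dba / oper but are parameters, because the installer can rename them.

# Members of one group from an /etc/group-style file.
# $1 = group name, $2 = group file (defaults to /etc/group)
group_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "${2:-/etc/group}"
}

# Who gets SYSDBA / SYSOPER via OS authentication.
# $1 = group file, $2 = SYSDBA group (default dba), $3 = SYSOPER group (default oper)
os_priv_report() {
    gf=$1; dbagrp=${2:-dba}; opergrp=${3:-oper}
    m=$(group_members "$dbagrp" "$gf");  printf 'SYSDBA  via OS group %s: %s\n' "$dbagrp"  "${m:-(none)}"
    m=$(group_members "$opergrp" "$gf"); printf 'SYSOPER via OS group %s: %s\n' "$opergrp" "${m:-(none)}"
}

# Consequence of the REMOTE_LOGIN_PASSWORDFILE setting, as described above.
# $1 = parameter value (NONE | SHARED | EXCLUSIVE), $2 = password file path
pwfile_mode() {
    mode=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$mode" in
        NONE)
            echo "password file ignored; only OS-authenticated SYSDBA/SYSOPER" ;;
        SHARED)
            echo "password file read-only; cannot change SYS password or grant SYSDBA/SYSOPER" ;;
        EXCLUSIVE)
            if [ -f "$2" ]; then echo "password file in use: $2"
            else echo "EXCLUSIVE but password file $2 is missing; only OS authentication works"; fi ;;
        *)
            echo "unknown REMOTE_LOGIN_PASSWORDFILE value: $1"; return 1 ;;
    esac
}

# Constructed sample group file (not a real host) so the script runs offline.
SAMPLE_GROUP=$(mktemp)
cat > "$SAMPLE_GROUP" <<'EOF'
root:x:0:
oinstall:x:1000:oracle
dba:x:1001:oracle,jsmith
oper:x:1002:backupop
EOF
os_priv_report "$SAMPLE_GROUP"
# Pass the value shown by SHOW PARAMETER remote_login_passwordfile; ORACLE_HOME default is a placeholder.
pwfile_mode EXCLUSIVE "${ORACLE_HOME:-/opt/oracle}/dbs/orapworcl"
rm -f "$SAMPLE_GROUP"
```

Run it as a non-privileged user against the real /etc/group by calling os_priv_report /etc/group; anyone listed under the dba group can connect AS SYSDBA regardless of the password file.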