
Admin Users and Privileges

1. SYS & SYSTEM are the privileged database accounts
(auto created and granted the DBA role) and schemas. Tables in the
SYS schema are manipulated by the Oracle server software; no
one should directly create or modify any tables in this schema!
2. SYSMAN is an administrative account (aka super
administrator account) used to perform Oracle
Enterprise Manager administration tasks. DBSNMP account
is used by the management agent of EM to monitor and
manage the database.
3. SYSOPER & SYSDBA are system privileges that allow
access to a database instance even when the database is not
open. Control of these privileges is totally outside of the
database itself.
- SYSOPER permits STARTUP, SHUTDOWN, ALTER
DATABASE { OPEN | MOUNT | BACKUP | ARCHIVELOG |
RECOVER }, but does not give access to user data, and
allows only complete recovery. It also includes the
RESTRICTED SESSION privilege.
- SYSDBA includes SYSOPER, permits CREATE
DATABASE and incomplete recovery, and includes all system
privs with ADMIN OPTION.
A user connected AS SYSDBA works in the SYS schema.
A user connected AS SYSOPER works in the PUBLIC schema.

4. DBA usually means "database administrator". In Oracle it is
also a predefined role (auto created during installation) that
has the majority of database system privs (but not SYSDBA /
SYSOPER). This role should be granted to a user acting as a
database administrator. Avoid using SYS or SYSTEM, except
when this is explicitly specified.
5. PUBLIC is a special user group (all database users).
6. oracle is a Linux/Unix OS user account;
7. dba & oper are Linux/Unix OS groups;
8. ORA_DBA & ORA_OPER are Windows OS groups;

OS authentication of the privileged users


Linux OS authentication for a database administrator typically
involves placing the administrator's OS username (usually oracle) in a
special group (usually dba). Members of the dba group get the SYSDBA
privilege. An optionally created group oper gives its members the
SYSOPER privilege. The OS user oracle is sometimes called the "Oracle
software owner".
Windows does not require a special user account for Oracle
database administration; Oracle files are owned by the built-in Windows
SYSTEM account (not related to the Oracle Database SYSTEM user).
By default, Linux root can neither start up / shut down the database
nor use Oracle applications, due to the lack of a proper environment and
group membership. To start up / shut down the database, perform
backup / recovery, etc., su - oracle and connect AS
SYSDBA or AS SYSOPER (see Startup and Shutdown).
Note!
The user / group names oracle, dba, oper are typical, but not
hard-coded; they can be changed during Oracle installation.
On a Windows Server a local group ORA_DBA is auto created during
Oracle installation; members of this group have the SYSDBA privilege.
The installer (usually the Windows Administrator) gets
membership automatically, which means that he can act as a database
administrator. The ORA_OPER group is optional. The Oracle-related
Windows registry keys:
HKLM -> SOFTWARE -> ORACLE -> HOME0
HKLM -> SYSTEM -> CurrentControlSet ->
Services -> Oracle

Password file authentication


The Oracle database uses a password file (usually something like
$ORACLE_HOME/dbs/orapworcl) to keep track of database
users that have been granted SYSOPER and SYSDBA. If the password
file is missing or the init parameter REMOTE_LOGIN_PASSWORDFILE =
NONE, then only OS-authenticated users can have SYSOPER and
SYSDBA.
The password file can be created using the orapwd utility:
orapwd file=orapworcl password=assm9dpk entries=8
The password parameter sets the password for SYS. If you later use
ALTER USER to change the SYS password, both the password in the
data dictionary and the password in the password file are updated. The
number of password entries allocated (which is, in fact, the maximum
planned number of privileged users) is always a multiple of four.
When REMOTE_LOGIN_PASSWORDFILE = NONE, the password file is
ignored, and privileged connections over non-secure lines are not allowed.
If REMOTE_LOGIN_PASSWORDFILE = SHARED, the password file can be
used by multiple databases running on the same server. However, in
this case you cannot change the password for SYS, or give SYSDBA
/ SYSOPER to new users, because a shared password file is read-only.
To work around this, change the parameter temporarily to
EXCLUSIVE and make the updates. Note! This parameter is static and
does not take effect without a database restart.
By default, REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE.
An exclusive password file can be used with only one database. It allows
adding, modifying and deleting users, and changing the SYS password.
To add a user to a password file:
SQL> GRANT SYSOPER TO appmgr;
To remove a user from a password file:
SQL> REVOKE SYSOPER FROM appmgr;
Operating system authentication takes precedence over
password file authentication. That is, if you are a member of the dba
group and connect AS SYSDBA, you will be connected with this
privilege regardless of the username / password specified.
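As an added example (not from the original notes), the precedence rule above and the OS group rule from the previous section expressed as a small POSIX shell check: the group, passwd and parameter-file contents and the password-file user list are constructed stand-ins for the real files, and the function names are my own.

```shell
# Added example (not from the original notes): decide how a privileged
# connection request is authenticated, using the rules in these notes.
# OS group membership (dba -> SYSDBA, oper -> SYSOPER) is checked first;
# otherwise the password file is consulted unless REMOTE_LOGIN_PASSWORDFILE
# is NONE. All inputs below are constructed stand-ins for the real files.
GROUP_DB='dba:x:501:oracle,backupadm
oper:x:502:nightops'
PASSWD_DB='oracle:x:500:501::/home/oracle:/bin/bash
backupadm:x:501:500::/home/backupadm:/bin/bash
nightops:x:502:502::/home/nightops:/bin/bash
appsvc:x:503:501::/home/appsvc:/bin/false
webadm:x:504:504::/home/webadm:/bin/bash'
PFILE='*.remote_login_passwordfile=EXCLUSIVE   # the default'
PWFILE_USERS='SYS:SYSDBA
APPMGR:SYSOPER'   # stand-in for what V$PWFILE_USERS would list

# in_group USER GROUP: true if USER is listed in the group entry or has the
# group as primary GID (primary members do not appear in /etc/group).
in_group() {
    gid=$(printf '%s\n' "$GROUP_DB" | awk -F: -v g="$2" '$1==g{print $3}')
    [ -n "$gid" ] || return 1
    printf '%s\n' "$GROUP_DB" | awk -F: -v g="$2" -v u="$1" \
        '$1==g{n=split($4,m,","); for(i=1;i<=n;i++) if(m[i]==u) f=1} END{exit !f}' && return 0
    printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$1" -v gid="$gid" '$1==u && $4==gid{f=1} END{exit !f}'
}
# pwfile_mode [PFILE_TEXT]: effective REMOTE_LOGIN_PASSWORDFILE (default EXCLUSIVE)
pwfile_mode() {
    printf '%s\n' "${1:-$PFILE}" | sed "s/#.*//; s/['\"]//g" | tr 'a-z' 'A-Z' \
        | awk -F= '$1 ~ /^[ \t]*(\*\.)?REMOTE_LOGIN_PASSWORDFILE[ \t]*$/{v=$2}
                   END{gsub(/[ \t]/,"",v); print (v=="" ? "EXCLUSIVE" : v)}'
}
# auth_path OSUSER DBUSER PRIV: prints the decision, returns 0 if the connection succeeds
auth_path() {
    case "$3" in SYSDBA) grp=dba ;; SYSOPER) grp=oper ;; *) echo "unknown privilege $3"; return 2 ;; esac
    if in_group "$1" "$grp"; then
        echo "OS auth: $1 is in group $grp, $3 granted regardless of username/password"; return 0
    fi
    if [ "$(pwfile_mode)" = NONE ]; then
        echo "rejected: REMOTE_LOGIN_PASSWORDFILE=NONE, only OS-authenticated $3 is possible"; return 1
    fi
    if printf '%s\n' "$PWFILE_USERS" | grep -qx "$(printf '%s' "$2" | tr 'a-z' 'A-Z'):$3"; then
        echo "password file: $2 holds $3, the supplied password is verified"; return 0
    fi
    echo "rejected: $2 does not hold $3 in the password file"; return 1
}
for req in "oracle scott SYSDBA" "webadm sys SYSDBA" "webadm scott SYSDBA"; do
    auth_path $req || :   # show the decision; a non-zero return is a rejection
done
```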
Warning!
In Oracle 10g passwords are always encrypted (AES algorithm) before
they are sent across the network. This is true for client / server and
server / server connections. However, it is not always true for the
previous Oracle versions (see the DBLINK_ENCRYPT_LOGIN init
parameter and the ORA_ENCRYPT_LOGIN environment variable in Oracle 9i). But!
The data is sent over the network unencrypted, unless you have
Oracle Enterprise Edition and the separately purchased Oracle
Advanced Security option.
