The email I replied to stated that all users that required privs (such as DBA)
would be given the necessary roles. That's fine for many things, but some
accounts still need the SYSDBA priv.
The one thing you get from that is accountability, if the database is 9i or
later and sysdba can be audited, and if anyone with access to the account
is not smart enough or knowledgable enough to cover his tracks, then
you might be able to establish a trail.
In the case of something like RMAN, you may rarely need to use that
account interactively. One solution at times suggested is to lock the
password away in safe, usually under the auspices of a manager.
This implies that the mgr is somehow more trustworthy, or less likely
to muck about in a system using the forbidden account. That just
seems naive to me.
Jared
| David Wagoner <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED] 11/12/2003 12:44 PM
|
To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]> cc: Subject: RE: Stop using SYS, SYSTEM? |
Jared,
I followed Robert Freeman's advice and created an RMAN user in all my DBs called backup_admin with SYSDBA privilege so that RMAN doesn't use SYS or SYSTEM. This allows you to change system passwords at will and not interfere with backups. Works just fine.
Is this what you were talking about? Perhaps I misunderstood.
Best regards,
David B. Wagoner
Database Administrator
Arsenal Digital Solutions
Web: http://www.arsenaldigital.com
"the most trusted source for
STORAGE MANAGEMENT SERVICES"
The contents of this e-mail message may be privileged and/or confidential. If you are not the intended recipient, any review, dissemination, copying, distribution or other use of the contents of this message or any attachment by you is strictly prohibited. If you receive this communication in error, please notify us immediately by return e-mail or by telephone (919-466-6700), and please delete this message and all attachments from your system.
Thank you.
-----Original Message-----
We are being asked by Auditing to stop using the SYS, and SYSTEM Thanks! Fat City Network Services -- 858-538-5051 http://www.fatcity.com
Sent: Wednesday, November 12, 2003 3:05 PM
To: Multiple recipients of list ORACLE-L
accounts. They would like for us to create an Oracle Role with the same
permissions a SYS and SYSTEM, then grant the role to each of the DBA's.
Don't ask me why. Nothing is being audited in 99% of the databases.
They just say it in a paper some where so they said we shouldn't use it.
This seems like it would cause lots of problems with exports, imports,
installs, etc... Has anyone had to deal with this type of request? Any
potential problems with making the change?
Ron Smith
--
Please see the official ORACLE-L FAQ: http://www.orafaq.net
--
Author: Smith, Ron L.
INET: [EMAIL PROTECTED]
San Diego, California -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
