Oracle7 Server Administrator's Guide


Database Administrator Security and Privileges

To accomplish administrative tasks in Oracle7, you need extra privileges both within the database and possibly in the operating system of the server on which the database runs. Access to a database administrator's account should be tightly controlled.

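This section includes the following topics:

The Database Administrator's Operating System Account
Database Administrator Usernames
The DBA Role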

See Also: "Administrator Security".

The Database Administrator's Operating System Account

To perform many of the administrative duties for a database, you must be able to execute operating system commands. Depending on the operating system that executes Oracle7, you might need an operating system account or ID to gain access to the operating system. If so, your operating system account might require more operating system privileges or access rights than many database users require (for example, to perform Oracle7 software installation). Although you do not need the Oracle7 files to be stored in your account, you should have access to them.

In addition, the Server Manager program requires that your operating system account or ID be distinguished in some way to allow you to use operating system privileged Server Manager commands.

See Also: The method of distinguishing a database administrator's account is operating system-specific. See your operating system-specific Oracle documentation for information.

Database Administrator Usernames

Two user accounts are automatically created with the database and granted the DBA role. These two user accounts are SYS and SYSTEM.

These two usernames are described in the following sections.

Note: To prevent inappropriate access to the data dictionary tables, you must change the passwords for the SYS and SYSTEM usernames immediately after creating an Oracle7 database.

You will probably want to create at least one additional administrator username to use when performing daily administrative tasks.

SYS

When any database is created, the user SYS, identified by the password CHANGE_ON_INSTALL, is automatically created and granted the DBA role.

All of the base tables and views for the database's data dictionary are stored in the schema SYS. These base tables and views are critical for the operation of Oracle7. To maintain the integrity of the data dictionary, tables in the SYS schema are manipulated only by Oracle7; they should never be modified by any user or database administrator, and no one should create any tables in the schema of the user SYS. (However, you can change the storage parameters of the data dictionary settings if necessary.)

Most database users should never be able to connect using the SYS account. You can connect to the database using this account but should do so only when instructed by Oracle personnel or documentation.

SYSTEM

When a database is created, the user SYSTEM, identified by the password MANAGER, is also automatically created and granted all system privileges for the database.

The SYSTEM username creates additional tables and views that display administrative information, and internal tables and views used by Oracle tools. Never create tables of interest to individual users in the SYSTEM schema.

See Also: "Altering Users", "Changing Storage Parameters for the Data Dictionary", and "Administrator Security".

The DBA Role

A predefined role, named "DBA", is automatically created with every Oracle7 database. This role contains all database system privileges. Therefore, it is very powerful and should only be granted to fully functional database administrators.
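The following is an added example, not part of the original Oracle documentation, showing the steps recommended above: replacing the default SYS and SYSTEM passwords, creating a separate administrator username for daily work, and reviewing who holds the DBA role. The passwords, the username dba_daily, and the tablespace names USERS and TEMP are placeholders assumed for illustration.

```sql
-- Added example; all passwords, the username dba_daily, and the
-- tablespace names USERS and TEMP are illustrative placeholders.

-- 1. Replace the well-known default passwords immediately after
--    database creation (CHANGE_ON_INSTALL for SYS, MANAGER for SYSTEM).
ALTER USER sys    IDENTIFIED BY new_sys_password;
ALTER USER system IDENTIFIED BY new_system_password;

-- 2. Create a separate administrator username for daily tasks so that
--    SYS and SYSTEM are not used for routine work. Its objects are kept
--    out of the SYSTEM tablespace by naming other tablespaces explicitly.
CREATE USER dba_daily
    IDENTIFIED BY new_admin_password
    DEFAULT TABLESPACE users
    TEMPORARY TABLESPACE temp;

GRANT dba TO dba_daily;

-- 3. Review every grantee of the DBA role. Any grantee that is not a
--    known database administrator should be investigated, and the role
--    revoked if the grant is not justified. ADMIN_OPTION = 'YES' means
--    the grantee can pass the role on to other users.
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 4. Remove the role from an account that should not hold it
--    (some_user is a placeholder).
REVOKE dba FROM some_user;
```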

