Disabling "SYS" id in 9i [message #167010] |
Mon, 10 April 2006 18:16 |
chomug123
Messages: 6 Registered: April 2006 Location: Los Angeles
|
Junior Member |
|
|
Hi all,
I was wondering if disabling "SYS" would restrict DBAs from performing daily work at all or would even prevent them from logging into "SYS"?
Also, I was wondering if a DBA could create his/her own individual account with all the SYS privileges for auditing purposes for our auditors to keep tabs on?
Basically ... my management is wanting to use a "firecall" procedure to keep track of exactly who uses the "SYS" account, and to appease the auditors, disable "SYS" unless the account is needed. Is this possible? I've read on some posts that disabling "SYS" would not do anything at all and you could still log in as "SYS".
Any thoughts, suggestions, or comments would be appreciated.
- Arthur
|
|
|
|
Re: Disabling "SYS" id in 9i [message #167014 is a reply to message #167010] |
Mon, 10 April 2006 18:53 |
chomug123
Messages: 6 Registered: April 2006 Location: Los Angeles
|
Junior Member |
|
|
Thanks for the response!
Ahh I see ... hmm... how about that Firecall procedure idea? Would changing the SYS password and storing it away somewhere except for emergencies work (and changing the password again after its used) in terms of limiting the use of the SYS account?
Also, is it possible for IT to restrict the use of SYS ID outside of just limiting knowledge of the account and password (meaning, can this account be disabled and individual accounts created in its place - with same level of authority)?
Any thoughts, suggestions, or comments would be appreciated!
Thanks!
- Arthur
|
|
|
|
Re: Disabling "SYS" id in 9i [message #167017 is a reply to message #167010] |
Mon, 10 April 2006 19:10 |
chomug123
Messages: 6 Registered: April 2006 Location: Los Angeles
|
Junior Member |
|
|
Haha yes yes that is very true.
So I guess for my second question on my reply was if it possible for IT to restrict the use of SYS ID outside of just limiting knowledge of the account and password (meaning, can this account be disabled and individual accounts created in its place - with same level of authority)?
Is that possible? In order to appease auditors that we're "restricting" sys access?
Thanks for all the input!
- Arthur
|
|
|
|
Re: Disabling "SYS" id in 9i [message #167551 is a reply to message #167010] |
Thu, 13 April 2006 15:54 |
chomug123
Messages: 6 Registered: April 2006 Location: Los Angeles
|
Junior Member |
|
|
Would it be possible to have the SYS id not be used at all (even if it was not disabled)? Or do DBAs still have a need to occasionally use the SYS id? And if so, for what reasons? Thanks for all the help guys!
- Arthur
|
|
|
|
Re: Disabling "SYS" id in 9i [message #167558 is a reply to message #167010] |
Thu, 13 April 2006 20:00 |
chomug123
Messages: 6 Registered: April 2006 Location: Los Angeles
|
Junior Member |
|
|
Interesting ... so SYS should be used for creating tables n' such whenever they are needed. What are some other instances when someone would use the SYS id? Thanks!
- Arthur
|
|
|
|
Re: Disabling "SYS" id in 9i [message #167562 is a reply to message #167010] |
Thu, 13 April 2006 20:23 |
chomug123
Messages: 6 Registered: April 2006 Location: Los Angeles
|
Junior Member |
|
|
I see ... so SYS is mainly used when installing a database and creating the data dictionary. I think I mixed up the SYSDBA and SYS ids when reading the guides. What other instances would the SYS account be used? Thanks!
- Arthur
|
|
|
|
Re: Disabling "SYS" id in 9i [message #167564 is a reply to message #167563] |
Thu, 13 April 2006 20:40 |
|
Mahesh Rajendran
Messages: 10707 Registered: March 2002 Location: oracleDocoVille
|
Senior Member Account Moderator |
|
|
In simple analogy,
SYS is like the PRESIDENT of a company/organization.
SYS is the absolute owner/big boss for the whole database.
You cannot lock/disable/drop SYS account.
In an organization, will PRESIDENT/CEO do all the managerial stuff in all departments? NO. Not Possible. Right? For ease of administration there might be several MANAGERS doing several ADMINISTRATIVE jobs. You agree? Similarly the database will need DBA'S (a regular user granted with DBA ROLE) to do the regular jobs (backup/tuning/schedule jobs/everything). But SYS is the absolute owner of the database and is the SUPERUSER.
|
|
|