About Database Administrator Security and Privileges
Published by : Obay Salah , November 17, 2024
To perform the tasks of a database administrator (DBA), you need specific privileges and permissions, especially on the databases and perhaps on the operating system of the server on which the databases run, and you must ensure that access to the database administrator account is tightly controlled.
The Database Administrator's Operating System Account:
To perform many tasks for a database administrator, I must be able to execute commands on the operating system, and this depends on the operating system on which the databases run. You may need to know your account on the operating system, and your account on the operating system may require some privileges or access rights that a normal database user does not need. For access, you need permissions during the installation of the database on the server to store database files on the operating system.
Administrative User Accounts:
Oracle database provides many users responsible for managing the database associated with special privileges.
About Administrative User Accounts:
Database administrator accounts have special privileges required to administer the database, such as:
CREATE ANY TABLE
ALTER SESSION
EXECUTE privilege on packages owned by the SYS schema
The following administrative users are created during Oracle Database installation:
SYS
SYSTEM
SYSBACKUP
SYSDG
SYSKM
SYSRAC
Oracle recommends that you create at least one additional administrative user and grant him/her the appropriate privileges to perform daily administrative tasks, do not use (SYS & SYSTEM) for these tasks.
SYS:
When you create an Oracle database, the SYS user is automatically created with full privileges and permissions, and all the basic tables and views of the Data Dictionary are stored in the schema.
These basic tables and views are essential to the operation of the database, and to maintain these tables and objects, these tables and views in the SYS Schema are processed by the database only. They should not be modified by any user or database administrator, and no user should create tables or objects on the SYS Schema.
Make sure that most database users are not able to connect to the database through the SYS user.
SYSTEM:
When creating an Oracle database, the SYSTEM user is automatically created and granted the DBA Role. The SYSTEM user is also used to store additional tables and views that contain administrative information. Do not use the SYSTEM user to store tables and objects that are of interest to non-administrative users.
SYSBACKUP, SYSDG, SYSKM, and SYSRAC:
When creating an Oracle database, a number of administrative users are automatically created in order to facilitate the separation of duties for database administrators:
SYSBACKUP: To facilitate backup and recovery operations (Backup & Recovery) via the administration (RMAN) or even via SQL*Plus.
SYSDG: To facilitate Data Guard operations.
SYSKM: Facilitates data encryption operations and storing encryption keys.
SYSRAC: Facilitates Oracle Real Application Clusters (Oracle RAC) operations. It should be noted that SYSRAC is not supported by the Password File and is only used by the Oracle agent of Oracle Clusterware to connect to the database and is verified by the operating system.
All these Administrative User Accounts provide administrative privileges and with the same name, specifically the user SYSBACKUP is provided for the SYSBACKUP privilege and also the user SYSDG is provided for the SYSDG administrative privilege and also the user SYSKM is provided for the SYSKM administrative privilege.
To use one of these administrative features, the user must specify this while connecting to the database. For example:
AS SYSBACKUP
AS SYSDG
AS SYSKM
If the connection is authenticated, the user will connect to the database through the user privilege. For example, if the user BACKUP is granted the SYSBACKUP permission and the user BACKUP connects to the database through this AS SYSBACKUP privilege, the user will connect to the database through the user SYSBACKUP.
These administrative accounts cannot be deleted, as they are also Schema Only Accounts, meaning that they are created without a password. You can then add a password to them whenever you want.
The DBA Role: The DBA Role is created during the installation of the database and is a set of administrative privileges that most database administrators need. It should only be granted to actual database administrators and should not be granted to regular database users. The DBA Role does not contain the privileges (SYSDBA & SYSBACKUP & SYSDG & SYSKM & SYSRAC) as these administrative privileges allow administrators to perform certain tasks based on the privilege granted to them.
Comments
no comment yet!