rman备份用户的设置（尽可能避免使用SYS用户）

我在做wallet实验，为解决sys用户明文密码问题的时候，也在思考我们是不是可以压根就不使用sys用户呢？

从官方文档上查到相关资料，我通过做实验，验证了确实可以。新创建一个用户，赋予sysdba权限，就可以通过新用户进行备份操作，新用户虽然有sysdba权限，但是跟sys用户相比，安全级别完全不是一个等级。例如有很多视图就已经不能查询。当然，我觉得还 有必要进行优化，再细化。因为该用户依然有停止实例的权限。

尽可能少地使用SYS这样的超级用户去做常规操作，可以减少误操作的风险，给自己的db一个更加安全的Level。

我们在数据库技术上追求卓越，在数据库安全上面追求更高的水平面。

官方手册地址：

http://docs.oracle.com/cd/B28359_01/backup.111/b28270/rcmcnctg.htm#BRADV89391

测试过程：

dg-primary:/oracle/product/11gR2/db/network/admin> sqlplus / as sysdba


SQL*Plus: Release 11.2.0.3.0 Production on Sun Sep 22 23:03:31 2013


Copyright (c) 1982, 2011, Oracle.  All rights reserved.




Connected to:
Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options


SQL> CREATE USER rmantest  IDENTIFIED BY rmantestt
DEFAULT TABLESPACE users
TEMPORARY TABLESPACE  temp;  2    3


User created.


SQL>




SQL> GRANT CONNECT,RESOURCE TO rmantest;


Grant succeeded.


SQL> grant  SYSDBA to rmantest;


Grant succeeded.


SQL> REVOKE UNLIMITED TABLESPACE FROM rmantest;


Revoke succeeded.






dg-primary:/oracle/product/11gR2/db/network/admin> mkstore -wrl /oracle/product/11gR2/db/network/admin/wallet -createCredential rman_connect3 rmantest "rmantestt"
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.


Enter wallet password:           5


Create credential oracle.security.client.connect_string3
dg-primary:/oracle/product/11gR2/db/network/admin> mkstore -wrl /oracle/product/11gR2/db/network/admin/wallet -listCredential
Oracle Secret Store Tool : Version 11.2.0.3.0 - Production
Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.


Enter wallet password:      o


List credential (index: connect_string username)
3: rman_connect3 rmantest
2: rman_connect2 sys
1: rman_connect system
dg-primary:/oracle/product/11gR2/db/network/admin> vi tnsnames.ora
dg-primary:/oracle/product/11gR2/db/network/admin> sqlplus /nolog


SQL*Plus: Release 11.2.0.3.0 Production on Sun Sep 22 23:07:34 2013


Copyright (c) 1982, 2011, Oracle.  All rights reserved.


SQL> conn rmantest/rmantestt
Connected.
SQL> conn /@rman_connect3
Connected.
SQL> show user;
USER is "RMANTEST"
SQL> select name from v$datafile;
select name from v$datafile
                 *
ERROR at line 1:
ORA-00942: table or view does not exist




SQL> select * from tab;


no rows selected


SQL>


SQL> conn / as  sysdba
Connected.


SQL> select file_name from dba_data_files;


FILE_NAME
--------------------------------------------------------------------------------
/oracle/oradata/ebai/system01.dbf
/oracle/oradata/ebai/sysaux01.dbf
/oracle/oradata/ebai/undotbs01.dbf
/oracle/oradata/ebai/users01.dbf
/oracle/oradata/ebai/indx01.dbf
/oracle/oradata/ebai/users02.dbf
/oracle/oradata/ebai/users03.dbf


7 rows selected.


SQL> select name from v$datafile;


NAME
--------------------------------------------------------------------------------
/oracle/oradata/ebai/system01.dbf
/oracle/oradata/ebai/sysaux01.dbf
/oracle/oradata/ebai/undotbs01.dbf
/oracle/oradata/ebai/users01.dbf
/oracle/oradata/ebai/indx01.dbf
/oracle/oradata/ebai/users02.dbf
/oracle/oradata/ebai/users03.dbf


7 rows selected.






dg-primary:/oracle/product/11gR2/db/network/admin> rman target /@rman_connect3


Recovery Manager: Release 11.2.0.3.0 - Production on Sun Sep 22 23:17:16 2013


Copyright (c) 1982, 2011, Oracle and/or its affiliates.  All rights reserved.


connected to target database: EBAI (DBID=2009644852)


RMAN> backup current controlfile tag='bak_ctlfile' format='/oracle/rman/rmantest/ctl_file_%U_%T';


Starting backup at 22-SEP-13
using target database control file instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=1829 device type=DISK
allocated channel: ORA_DISK_2
channel ORA_DISK_2: SID=615 device type=DISK
allocated channel: ORA_DISK_3
channel ORA_DISK_3: SID=1221 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current control file in backup set
channel ORA_DISK_1: starting piece 1 at 22-SEP-13
channel ORA_DISK_1: finished piece 1 at 22-SEP-13
piece handle=/oracle/rman/rmantest/ctl_file_0jokhaf3_1_1_20130922 tag=BAK_CTLFILE comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:03
Finished backup at 22-SEP-13


Starting Control File and SPFILE Autobackup at 22-SEP-13
piece handle=/oracle/product/11gR2/db/dbs/c-2009644852-20130922-00 comment=NONE
Finished Control File and SPFILE Autobackup at 22-SEP-13




RMAN> backup spfile tag='spfile' format='/oracle/rman/rmantest/spfile_%U_%T';


Starting backup at 22-SEP-13
using channel ORA_DISK_1
using channel ORA_DISK_2
using channel ORA_DISK_3
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
including current SPFILE in backup set
channel ORA_DISK_1: starting piece 1 at 22-SEP-13
channel ORA_DISK_1: finished piece 1 at 22-SEP-13
piece handle=/oracle/rman/rmantest/spfile_0lokhai1_1_1_20130922 tag=SPFILE comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:01
Finished backup at 22-SEP-13


Starting Control File and SPFILE Autobackup at 22-SEP-13
piece handle=/oracle/product/11gR2/db/dbs/c-2009644852-20130922-01 comment=NONE
Finished Control File and SPFILE Autobackup at 22-SEP-13

___________________________________________________________________________________

版权所有，文章允许转载，但必须以链接方式注明源地址，否则追究法律责任!

Author:   laven54 (lurou)

Email:    laven54@163.com

Blog:      http://blog.csdn.net/laven54

QQ群： 164734649  可以到群里来提问，Oracle相关的问题我都很感兴趣