链接:http://download.oracle.com/docs/cd/B19306_01/server.102/b14231/dba.htm#i1006444
文档下载地址:
http://www.oracle.com/technology/global/cn/documentation/database10gr2.html
(需要注册一个OTN帐号,但是是免费的)
以下是摘选内容:
Database Administrator Security and Privileges
To perform. the administrative tasks of an Oracle Database DBA, you need specific privileges within the database and possibly in the operating system of the server on which the database runs. Access to a database administrator's account should be tightly controlled.
This section contains the following topics:
The Database Administrator's Operating System Account
To perform. many of the administrative duties for a database, you must be able to execute operating system commands. Depending on the operating system on which Oracle Database is running, you might need an operating system account or ID to gain access to the operating system. If so, your operating system account might require operating system privileges or access rights that other database users do not require (for example, to perform. Oracle Database software installation). Although you do not need the Oracle Database files to be stored in your account, you should have access to them.
See Also:
Your operating system specific Oracle documentation. The method of creating the account of the database administrator is specific to the operating system.Database Administrator Usernames
Two user accounts are automatically created when Oracle Database is installed:
-
SYSTEM (default password: MANAGER)
Note:
Both Oracle Universal Installer (OUI) and Database Configuration Assistant (DBCA) now prompt for SYS and SYSTEM passwords and do not accept the default passwords "change_on_install" or "manager", respectively.If you create the database manually, Oracle strongly recommends that you specify passwords for SYS and SYSTEM at database creation time, rather than using these default passwords. Please refer to "Protecting Your Database: Specifying Passwords for Users SYS and SYSTEM" for more information.
Create at least one additional administrative user and grant to that user an appropriate administrative role to use when performing daily administrative tasks. Do not use SYS and SYSTEM for these purposes.
Note Regarding Security Enhancements:
In this release of Oracle Database and in subsequent releases, several enhancements are being made to ensure the security of default database user accounts. You can find a security checklist for this release in Oracle Database Security Guide. Oracle recommends that you read this checklist and configure your database accordingly.SYS
When you create an Oracle Database, the user SYS is automatically created and granted the DBA role.
All of the base tables and views for the database data dictionary are stored in the schema SYS. These base tables and views are critical for the operation of Oracle Database. To maintain the integrity of the data dictionary, tables in the SYS schema are manipulated only by the database. They should never be modified by any user or database administrator, and no one should create any tables in the schema of user SYS. (However, you can change the storage parameters of the data dictionary settings if necessary.)
Ensure that most database users are never able to connect to Oracle Database using the SYS account.
SYSTEM
When you create an Oracle Database, the user SYSTEM is also automatically created and granted the DBA role.
The SYSTEM username is used to create additional tables and views that display administrative information, and internal tables and views used by various Oracle Database options and tools. Never use the SYSTEM schema to store tables of interest to non-administrative users.
The DBA Role
A predefined DBA role is automatically created with every Oracle Database installation. This role contains most database system privileges. Therefore, the DBA role should be granted only to actual database administrators.
Note:
The DBA role does not include the SYSDBA or SYSOPER system privileges. These are special administrative privileges that allow an administrator to perform. basic database administration tasks, such as creating the database and instance startup and shutdown. These system privileges are discussed in "Administrative Privileges".Database Administrator Authentication
As a DBA, you often perform. special operations such as shutting down or starting up a database. Because only a DBA should perform. these operations, the database administrator usernames require a secure authentication scheme.
This section contains the following topics:
Administrative Privileges
Administrative privileges that are required for an administrator to perform. basic database operations are granted through two special system privileges, SYSDBA and SYSOPER. You must have one of these privileges granted to you, depending upon the level of authorization you require.
Note:
The SYSDBA and SYSOPER system privileges allow access to a database instance even when the database is not open. Control of these privileges is totally outside of the database itself.The SYSDBA and SYSOPER privileges can also be thought of as types of connections that enable you to perform. certain database operations for which privileges cannot be granted in any other fashion. For example, you if you have the SYSDBA privilege, you can connect to the database by specifying CONNECT AS SYSDBA.
SYSDBA and SYSOPER
The following operations are authorized by the SYSDBA and SYSOPER system privileges:
| System Privilege | Operations Authorized |
|---|---|
| SYSDBA |
Effectively, this system privilege allows a user to connect as user SYS. |
| SYSOPER |
This privilege allows a user to perform. basic operational tasks, but without the ability to look at user data. |
The manner in which you are authorized to use these privileges depends upon the method of authentication that you use.
When you connect with SYSDBA or SYSOPER privileges, you connect with a default schema, not with the schema that is generally associated with your username. For SYSDBA this schema is SYS; for SYSOPER the schema is PUBLIC.
Connecting with Administrative Privileges: Example
This example illustrates that a user is assigned another schema (SYS) when connecting with the SYSDBA system privilege. Assume that the sample user oe has been granted the SYSDBA system privilege and has issued the following statements:
CONNECT oe/oe
CREATE TABLE admin_test(name VARCHAR2(20));
Later, user oe issues these statements:
CONNECT oe/oe AS SYSDBA
SELECT * FROM admin_test;
User oe now receives the following error:
ORA-00942: table or view does not exist
Having connected as SYSDBA, user oe now references the SYS schema, but the table was created in the oe schema.
来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/23230551/viewspace-662601/,如需转载,请注明出处,否则将追究法律责任。
转载于:http://blog.itpub.net/23230551/viewspace-662601/
5725
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
