SYSDBA & SYSOPER privileges

Upon database creation, user SYS is created with the SYSDBA system privilege and user SYSTEM is created with the SYSOPER system privilege. It is possible to grant the privilege to other users as long as you are logged in as SYS AS SYSDBA. The problem is that before my arrival to my company someone went in and revoked the SYSDBA privilege from SYS and the SYSOPER privilege from SYSTEM. No user within the database holds these privileges anymore. Is it possible to regain the SYSDBA & SYSOPER privilege for SYS without having to recreate the database??? The SYSDBA privilege is not even possible to grant to SYS since I obviously have to log in as SYS AS SYSDBA but can't since the privilege was revoked. Any ideas???

Michael, let's start from scratch here b/c some of your assumptions are off. SYS and SYSTEM are not granted SYSDBA or SYSOPER by default.
You can "connect internal" which gives you SYSDBA privs. Set up a password file using the "orapwd" executable and in the init.ora file set remote_login_passwordfile = exclusive. When you connect you will become SYS in the database and have the SYSDBA privilege.
Or simply connect to the operating system with a unix user that is in the group designated as "OSDBA" - the name of the UNIX group is probably "dba". Then you can "connect internal" or "connect / as sysdba". When you connect you will become SYS in the database and have the SYSDBA privilege.
HTH,
Aaron Newman
Database Security Consultant

Similar Messages

  • Missing SYSDBA & SYSOPER System Privileges in EM checkbox lists

    I created a brand new user called USER1.
    When I edit USER1 using Enterprise Manager, System Privileges, both SYSDBA and SYSOPER are missing from the system privileges check box listing.
    Why is it like that?
    I am using Oracle 10g R2 and HPUX.
    Thank you,
    Smith

    It seems that the user you have used to login to EM doesn't have permissions to grant sysdba, sysoper privileges, please connect to em AS sysdba
    Oded
    [www.dbsnaps.com]
    [www.orbiumsoftware.com]

  • Create a new user for oracle 10G ASM instance with sysdba system privilege

    Hi,
    In our Golden Gate project, we require the SYS user credential to connect to the Oracle 10g ASM instance to read the database transaction logs. But our client is not providing the SYS user credential to connect to the ASM instance.
    I'm getting the error message "ORA-01109: database not open" when I tried to create a new user using the steps below in the Oracle 10g ASM instance:
    1. Login using "sqlplus / as sysdba"
    2. Create user <username> identified by <password>;
    But in an Oracle 11g ASM instance, I'm able to create a new user by connecting to the ASM instance with the SYSASM role without issues.
    Is there any workaround to create a new user with the sysdba system privilege in an Oracle 10g ASM instance?
    Thanks in advance .

    Hi,
    Recreate the password file for the ASM instance as follows:
    Unix:
    orapwd file=<ORACLE_HOME>/dbs/PWD<SID> password=<sys_password>
    Windows:
    orapwd file=<ORACLE_HOME>/database/PWD<SID>.ora password=<sys_password>
    Now sys password is reset, we are ready to use sys for ASM management. I decided to create another user ASMDBA as I tried above.
    SQL> create user ASMDBA identified by test01;
    User created.
    SQL> grant SYSASM, SYSOPER to ASMDBA;
    Grant succeeded.
    SQL> select * from v$pwfile_users;
    USERNAME SYSDBA SYSOPE SYSASM
    SYS      TRUE   TRUE   TRUE
    ASMDBA   FALSE  TRUE   TRUE
    Please see this link : http://orachat.com/how-to-change-asm-sys-password-creating-sysasm-user-11g/
    Thank you

  • Sys as sysdba/sysoper

    Hi there
    Can anybody explain to me why the SYS user should always connect to the database as SYSDBA/SYSOPER only?
    Why can he not log in without AS SYSDBA/SYSOPER?
    TIA
    Aqueel.

    Though you should understand the implications of making this change. Here's the excerpt from the Oracle docs.
    "O7_DICTIONARY_ACCESSIBILITY is intended for use when you migrate from Oracle7 to Oracle9i. It controls restrictions on SYSTEM privileges. If the parameter is set to true, access to objects in the SYS schema is allowed (Oracle7 behavior). The default setting of false ensures that system privileges that allow access to objects in "any schema" do not allow access to objects in SYS schema.
    For example, if O7_DICTIONARY_ACCESSIBILITY = false, then the SELECT ANY TABLE privilege allows access to views or tables in any schema except the SYS schema (data dictionary tables cannot be accessed). The system privilege EXECUTE ANY PROCEDURE allows access on the procedures in any schema except the SYS schema.
    If this parameter is set to false and you need to access objects in the SYS schema, then you must be granted explicit object privilege. Also, the following roles, which can be granted to the database administrator, also allow access to dictionary objects: SELECT_CATALOG_ROLE, EXECUTE_CATALOG_ROLE, and DELETE_CATALOG_ROLE."

  • Oper account not created but how can i get sysoper privilege

    Hello Everyone ;
    When installing oracle i did not create oper account.
    now  i am checking my personal database;
    SQL> show user;
    USER is "SYS"
    SQL> select * from system_privilege_map where name like '%SYS%';
    PRIVILEGE  NAME          PROPERTY
      -3       ALTER SYSTEM  0
      -4       AUDIT SYSTEM  0
      -83      SYSDBA        0
      -84      SYSOPER       0
    SQL> select count(*) from session_privs;
      COUNT(*)
      166
    >> Connecting as sysoper
    I can connect SYS /as SYSOPER but this session has only 3 privileges - why?
    SQL> conn /as sysoper
    Connected.
    SQL> select count(*) from session_privs;
      COUNT(*)
      3
    SQL> select * from system_privilege_map where name like '% SYS%';
    PRIVILEGE  NAME          PROPERTY
      -3       ALTER SYSTEM  0
      -4       AUDIT SYSTEM  0
    SQL> select * from session_privs;
    PRIVILEGE
    CREATE SESSION
    RESTRICTED SESSION
    SYSOPER
    SQL> show user;
    USER is "PUBLIC"
    SQL> shut immediate;
    Database closed.
    Database dismounted.
    ORACLE instance shut down.
    Even though I did NOT create an oper account for the sys user, how can I get all sysoper privileges for the public user?

    Thanks for quick response;
    http://asktom.oracle.com/pls/asktom/f?p=100:11:0::::P11_QUESTION_ID:2659418700346202574
    sysoper is another role, if you connect as sysoper, you'll be in a schema "public" a
    I am getting confused by the given link and your answer,
    because the system is displaying USER is "PUBLIC"
    when I review (See $ORACLE_HOME/rdbms/lib/config.c in your installation).
    /*  SS_DBA_GRP defines the UNIX group ID for sqldba adminstrative access.  */
    /*  Refer to the Installation and User's Guide for further information.  */
    #define SS_DBA_GRP "dba"
    #define SS_OPER_GRP "dba"
    char *ss_dba_grp[] = {SS_DBA_GRP, SS_OPER_GRP};
    ~
    I am sorry for comparing both replies.
    please clarify little more.

  • Error Usage: CONNECT username [AS SYSDBA|SYSOPER]

    Hi,
    I am running a request set which starts of with unix shell script.
    I get this error:
    Invalid option.
    Usage: CONNECT <username> [AS SYSDBA|SYSOPER]
    Invalid option.
    Usage: CONNECT <username> [AS SYSDBA|SYSOPER]
    Invalid option.
    Usage: CONNECT <username> [AS SYSDBA|SYSOPER]
    unable to CONNECT to ORACLE after 3 attempts, exiting SQL*Plus
    Can anyone tell me why this is happening?
    thanks
    Ash

    This is the unix script which is used:
    Please let me know where it is going wrong:
    #!/usr/bin/ksh
    ##sqlplus -s apps/w0rkin <<-ENDSQL
    logi=`echo $1|awk '{print $3 }'`
    login=`echo $logi|awk -F'=' '{ print $2 }'|sed 's/"//g'`
    org_id=`echo $1|awk '{print $9 }'`
    sqlplus -s $login <<ENDSQL
    set serveroutput on size 1000000 verify off
    define xxdata=${XXDATA}
    variable xxdatav varchar2(100)
    var status_out NUMBER;
    define org=$org_id
    DECLARE
    v_xxdata_path1 Varchar2(100);
    v_xxdata_path2 Varchar2(100);
    v_errbuf Varchar2(100);
    v_retstat Number;
    v_org VARCHAR2(20);
    BEGIN
    --v_xxdata_path1 := '&xxdata'||'/ont/outbound';
    v_xxdata_path1 := '&xxdata'||'/ont/oraout';
    v_xxdata_path2 := '${XXDATA}';
    dbms_output.put_line('1. XXDATA ='||v_xxdata_path1);
    dbms_output.put_line('2. Organization Id ='||'&org');
    select decode('&org','""','-1',null,'-1','&org')
    into v_org
    from dual;
    dbms_output.put_line('v_org='||v_org);
    xxont_bt_outbound_pkg.create_outbound_btfile(v_xxdata_path1,to_number(v_org),
    v_errbuf,v_retstat);
    dbms_output.put_line('v_retstat='||v_retstat);
    :status_out := v_retstat;
    --dbms_output.put_line('2. XXDATA ='||v_xxdata_path2);
    :xxdatav := '${XXDATA}';
    END;
    print :status_out
    exit :status_out
    ENDSQL
    if [ $? -ne 0 ]
    then
    echo "Outbound file creation failed!!!"
    exit 1
    else
    exit 0
    fi

  • Connecting as sysdba / sysoper

    Hi Guys, If I do this
    connect / as sysdba
    connect / as sysoper
    I am connected but how do I ensure that it prompts me for a sysdba / sysoper password before it connects me.
    Thank you.

    and the exact to connect would be
    $sqlplus "/ as sysdba"
    or
    $sqlplus
    username:/ as sysdba
    password:yourwish/nopassword/anything
    or
    $sqlplus /nolog
    sql> conn / as sysdba
    But for all these things you need to set up the ORACLE_SID, ORACLE_HOME and PATH variables
    but don't use OS authentication

  • SP2-0306:Invalid option.Usage:CONN[ECT][logon][AS{SYSDBA|SYSOPER}]where log

    Hi
    Anyone can help me with the following error we are getting
    SP2-0306:Invalid option.Usage:CONN[ECT][logon][AS{SYSDBA|SYSOPER}]where<logon>::=<username>[<password>][@<connect_identifier>]|/
    We just upgraded to R12 and the shell script that we run is returning the above error message.
    Below is the script
    # Determine employee ID of send-to
    echo "Determine employee ID of send-to"
    if [ $8 ]
    then
    EID=`echo "${CONNECT} \n
    set heading off \n
    set feedback off \n
    select employee_id from FND_USER where upper(user_name) = '${USRNAME}';" |
    ${ORACLE_HOME}/bin/sqlplus -s`
    echo "CONNECT values " ${CONNECT}
    echo "Connected to DB " $EID
    echo "employee fax "
    # employee fax
    EFAX=${11}`echo "${CONNECT} \n
    set heading off \n
    set feedback off \n
    select fax_number from POS_PO_EMPLOYEE_DETAILS_V where employee_id=${EID};" |
    ${ORACLE_HOME}/bin/sqlplus -s |
    sed s/-//g`%[email protected]
    echo "Employee Fax "$EFAX
    EFAX2=`echo $EFAX|sed s/' '/'%91'/`
    EFAX=$EFAX2
    # employee email
    EEMAIL=`echo "${CONNECT} \n
    set heading off \n
    set feedback off \n
    select email_address from HR_EMPLOYEES_ALL_V where employee_id=${EID};" |
    ${ORACLE_HOME}/bin/sqlplus -s`
    EEMAIL2=`echo $EEMAIL|sed s/' '//g`
    EEMAIL=$EEMAIL2
    echo "Employee Email "$EEMAIL
    fi
    thank you

    I ended up rewriting the shell script and it works fine now
    if [ $8 ]
    then
    EID=`${ORACLE_HOME}/bin/sqlplus -s ${CONNECT} <<EOF
    set heading off;
    set feedback off;
    select employee_id from FND_USER where upper(user_name) = '${USRNAME}';
    exit;
    EOF`
    echo "Connected to DB " $EID
    echo "employee fax "
    # employee fax
    EFAX=${11}`${ORACLE_HOME}/bin/sqlplus -s ${CONNECT} <<EOF
    set heading off;
    set feedback off;
    select replace(fax_number,'-') from POS_PO_EMPLOYEE_DETAILS_V where employee_id=${EID};
    exit;
    EOF`%[email protected]
    echo "Employee Fax "$EFAX
    EFAX2=`echo $EFAX|sed s/' '/'%91'/`
    EFAX=$EFAX2
    # employee email
    EEMAIL=`${ORACLE_HOME}/bin/sqlplus -s ${CONNECT} <<EOF
    set heading off;
    set feedback off;
    select email_address from HR_EMPLOYEES_ALL_V where employee_id=${EID};
    exit;
    EOF`
    EEMAIL2=`echo $EEMAIL|sed s/' '//g`
    EEMAIL=$EEMAIL2
    echo "Employee Email "$EEMAIL
    fi
    thank you for your help!
    Edited by: user618218 on May 20, 2013 2:39 PM

  • Q about  SYSDBA and SYSOPER privileges

    Was surprised to see that session_roles for super user sys was empty but of course this user has all the privileges that go into the standard set of roles that are typically created with a new database anyway. But, does anyone know why session_privs doesn't show the privileges SYSDBA or SYSOPER? I am aware that these two privileges cannot be granted to roles since roles are not available before database startup but don't see why they should not be listed in session_privs for the super user.
    Regds
    Gus

    SYSDBA
    A special database administration role that contains every system privilege with ADMIN OPTION, and SYSOPER system privilege. SYSDBA also permits CREATE DATABASE actions and time-based recovery.
    SYSOPER
    A special database administration role that permits a database administrator to perform STARTUP, SHUTDOWN, ALTER DATABASE OPEN/MOUNT, ALTER DATABASE BACKUP, ARCHIVE LOG, and RECOVER, and includes RESTRICTED SESSION privilege.
    SESSION_PRIVS
    SESSION_PRIVS lists the privileges that are currently available to the user.
    Column     Datatype      NULL      Description
    PRIVILEGE  VARCHAR2(40)  NOT NULL  Name of the privilege
    Oracle hides some information that belongs to it. Administrators cannot see 100% of everything.
    Joel Pérez

  • Error logging in as sysdba - "insufficient privileges"

    Hi,
    I have AS10.1.2.0.2 installed on my linux box.
    i have infrastructure as well as midtier both installed in the same machine on different oracle homes.
    after installing everything worked fine and brought down the system just to test it.
    and upon restarting the system, i started the listener first, and then i tried to enter sqlplus using
    "connect sys/pwd@asdb as sysdba"
    but when i used this login i got message saying "insufficient privileges"
    i wanted to login as sysdba and give a "startup" command.
    Can someone explain why this error.
    Thanks,
    Philip.

    Hi Philip,
    Just set your environment variables well.
    example:
    export ORACLE_HOME= your oracle home where you have installed your infra.
    export ORACLE_SID= (the name of your Metadata)
    cd $ORACLE_HOME/bin
    sqlplus /nolog
    conn sys/ as sysdba
    You'll be connected to your DB.
    then
    SQL>startup
    Cheers,
    Hamdy

  • Setting a PASSWORD on SYS for CONNECT INTERNAL (SYSDBA, SYSOPER)

    Product : ORACLE SERVER
    Date written : 1997-03-31
    How to set a password on the SYS user
    ===========================
    Once this is set, connect internal prompts for a password, and a user outside the
    DBA group can also work exactly like the sys user.
    1) In the initSID.ora file, set
    REMOTE_OS_AUTHENT = TRUE
    REMOTE_LOGIN_PASSWORDFILE=EXCLUSIVE
    2) In ?/dbs, run
    orapwd file=orapwSID password=my_password entries=10
    (Here SID must be written as the actual ORACLE_SID.)
    3) After connect internal, grant
    grant sysdba to scott
    grant sysoper to scott
    Once these are granted, even without knowing the sys password
    SVRMGR> connect internal;
    SVRMGR> passwd ? :
    if you do not know the password,
    SVRMGR> connect scott/tiger as sysoper ;
    SVRMGR> startup is possible.
    Note) For this to take effect, the oracle OS user must not be in the DBA group in
    the /etc/group file, and for ordinary users to run the operations above in the same
    way, the configSID.ora file must have execute MODE 4755 so that users other than
    the oracle user can also run it.

    If you want to connect a new user as SYSDBA or SYSOPER, you must first create a repository. Check some document for creating a repository with separate tablespace.

  • Error in 12c Admin Guide

    Page 38-38 Oracle Database Administrator's Guide
    About Unplugging a PDB
    In this section, the manual says "To unplug a PDB, connect to the root and use the ALTER PLUGGABLE DATABASE statement"
    However, on the next page, under The following prerequisites must be met:, it says: "The current user must have SYSDBA or SYSOPER administrative privilege, and the privilege must be either commonly granted or locally granted in the PDB. The user must exercise the privilege using AS SYSDBA or AS SYSOPER at connect time."
    If you have to be connected to the root, I am pretty sure that you can't be using a SYSDBA/SYSOPER privilege granted in the PDB.
    These same basic statements are repeated in the following section on Dropping a PDB.


  • DBA_PRIV_AUDIT_OPTS  on 10g R2

    If auditing is enabled in the database, does DBA_PRIV_AUDIT_OPTS capture audit information about SYSDBA and SYSOPER privileges?
    Thanks,
    R

    Rich V wrote:
    Sorry. I should have been clearer. What I meant, if Auditing is enabled for SYSDBA/SYSOPER privileges, is the view DBA_PRIV_AUDIT_OPTS a right view that would capture info about these privileges.
    Thanks,
    R

    Yes you can view this, for example:
    C:\Documents and Settings\chinar>sqlplus "sys/sm as sysdba"
    SQL*Plus: Release 10.2.0.2.0 - Production on Fri Jun 11 10:06:39 2010
    Copyright (c) 1982, 2005, Oracle.  All Rights Reserved.
    Connected to:
    Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Production
    With the Partitioning, OLAP and Data Mining options
    SQL> alter database mount;
    Database altered.
    SQL> alter database open;
    Database altered.
    SQL> audit  sysdba ;
    Audit succeeded.
    SQL> grant sysdba to test;
    Grant succeeded.
    SQL> select PRIVILEGE,SUCCESS from DBA_PRIV_AUDIT_OPTS;
    PRIVILEGE                                SUCCESS
    SYSDBA                                   BY ACCESS
    SQL>
    Also you can enable the AUDIT_SYS_OPERATIONS (value is boolean) init parameter and you can audit connecting "as sysdba" (also SYSOPER) privileges including the sys user. But in this case audit records are written to the operating system's audit trail.

  • Restricting SYS connection without password

    Normally, if we want to connect to the SYS user of an oracle database from the server side we can connect it without giving a password and like this:
    cmd> sqlplus /nolog
    SQL> conn / as sysdba;
    This will connect the database as SYS user. Also from the client side or even from the server side connecting to SYS user can be done like :
    cmd> sqlplus /nolog
    SQL> conn sys@db_name as sysdba;
    This connection will prompt password of SYS user.
    Now my requirement is that wherever any one wants to connect to the database as SYSDBA/SYSOPER privileged user s/he must have to input the password that means s/he can't connect to the database using: CONN / AS SYSDBA but can connect using like CONN SYS@DB_NAME AS SYSDBA which will require password to authenticate.
    So is there any way to restrict the SYS user connection from server side using CONN / AS SYSDBA.
    --Bazlur

    @ emre baransel: Thanks for the solution!. This solution I have used in previous time also. It disables the OS authentication through SQL> conn / as sysdba. Changing to the SQLNET.ora file with SQLNET.AUTHENTICATION_SERVICES=(NONE) disable the OS authentication.
    But the situation is that the SYSADMIN who will have the root user password can easily the SQLNET.ora file and can change this file causing again the OS authentication enabled.
    If we are the owner of both the products and system ourselves and we are running the system ourselves then we might make faith with our employees who are SYSADMIN and DBA.
    But we are the vendor and we are implementing our solution to the customer side where the owner of the platform is customer but as a vendor we have to restrict access to database from the customer. That means, customer will have access to platform as a system admin but we have to protect accessing to our database which is installed there.
    @ asifkabirdba: Thanks for the reference but I need the above solution.
    @ damorgan: Database: Oracle 11g Enterprise Edition Release 1 Linux x86 64 bit
    OS: Redhat Enterprise Linux AS 5
    --Bazlur
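
The reply above notes that sqlnet.ora can be edited back by whoever controls the host, so the setting is worth checking repeatedly. The script below is an added example, not part of any post: it reads the four parameters named in the threads on this page and reports the combinations that matter, going beyond the single sqlnet.ora line the reply discusses. The function names (`ora_param`, `audit_sysdba_config`) and all sample file contents are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report on the SYSDBA authentication settings discussed on
# this page. File names and sample contents below are constructed.

# Print the upper-cased value of parameter $2 from the Oracle "name = value"
# file $1 (sqlnet.ora or init<SID>.ora). '#' starts a comment; spaces and
# parentheses are stripped; the last assignment seen is the one reported.
ora_param() {
    awk -v want="$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')" '
        { sub(/#.*/, "") }
        /=/ {
            key = $0; sub(/=.*/, "", key);     gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t()]/, "", val)
            if (toupper(key) == want) found = toupper(val)
        }
        END { print found }
    ' "$1"
}

# Print one finding per line for a sqlnet.ora ($1) and a parameter file ($2).
audit_sysdba_config() {
    local sqlnet="$1" pfile="$2" os pw roa aso
    os=$(ora_param "$sqlnet" SQLNET.AUTHENTICATION_SERVICES)
    pw=$(ora_param "$pfile" REMOTE_LOGIN_PASSWORDFILE)
    roa=$(ora_param "$pfile" REMOTE_OS_AUTHENT)
    aso=$(ora_param "$pfile" AUDIT_SYS_OPERATIONS)

    if [ "$os" != "NONE" ]; then
        # Only (NONE) is what the thread says turns off "conn / as sysdba".
        echo "WARN os-auth: SQLNET.AUTHENTICATION_SERVICES is '${os:-unset}', 'connect / as sysdba' is not disabled"
    elif [ "$pw" = "NONE" ]; then
        # OS authentication off and password file ignored: no way in AS SYSDBA.
        echo "FAIL lockout: OS authentication is disabled and no password file is in use"
    fi
    if [ "$roa" = "TRUE" ]; then
        echo "WARN remote-os-authent: REMOTE_OS_AUTHENT=TRUE trusts OS authentication done by remote clients"
    fi
    if [ "$aso" != "TRUE" ]; then
        echo "WARN sys-audit: AUDIT_SYS_OPERATIONS is not TRUE in this file"
    fi
    return 0
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

# Constructed sample: sqlnet.ora with OS authentication turned off.
printf '%s\n' '# constructed sample' \
    'SQLNET.AUTHENTICATION_SERVICES = (NONE)' > "$demo/sqlnet.hardened.ora"
# Constructed sample: the same file after the line has been commented out.
printf '%s\n' '# SQLNET.AUTHENTICATION_SERVICES = (NONE)' > "$demo/sqlnet.reverted.ora"
# Constructed sample parameter file.
cat > "$demo/initDEMO.ora" <<'EOF'
remote_login_passwordfile = exclusive
REMOTE_OS_AUTHENT = TRUE     # as in the 1997 note on this page
# audit_sys_operations = true
EOF

echo "== hardened sqlnet.ora =="
audit_sysdba_config "$demo/sqlnet.hardened.ora" "$demo/initDEMO.ora"
echo "== reverted sqlnet.ora =="
audit_sysdba_config "$demo/sqlnet.reverted.ora" "$demo/initDEMO.ora"
```

Run on a schedule against the real files and compared with the previous run, a new `WARN os-auth` line shows that sqlnet.ora was changed back.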
                                                                                                                                                                                                                                                                                                                                                                                           

  • SYSDBA privilege

    DB:11.2.0.3
    I have given sysdba privilege to one of the user "TEST" in primary database. To connect to the physical standby database using TEST user remotely, do i need to use the same password as sys or can i store the TEST password in the password file.

    Standby Database can be connected by using SYSDBA or SYSOPER privilege.
    If you use SYSDBA, the user you login will be SYS user.
    If you use SYSOPER, the user you login will be PUBLIC user.
    So there is no need to create a new user in Primary and Assign SYSDBA privilege to login standby database. You can use SYS user to login to the STANDBY database.
    SYS Password for Primary & Standby Database should be same. Best option is to ftp the primary Password File and Put in Standby database Location.
    Please Mark you Post as Answered or Helpful, if it served your needs.
    Thanks & Regards,
    SID
    (StepIntoOracleDBA)
    Email : [email protected]
    http://stepintooracledba.blogspot.in/
