RDBMSRealm and system user

Hello,
I have adapted the RDBMSRealm in WLS 5.1 sp4. It seems to work well (in most
cases) but I still have a couple of questions regarding the RDBMSRealm. Can
someone enlighten me?
- Where should the system user be defined? When I place the system user in
the RDBMSRealm and not in the weblogic.properties, the WLS won't come up!
Should the system user thus always be put in the weblogic.properties? If
so, does that mean all ACL regarding system user should be in the
weblogic.properties file?
- What is the purpose of the getPrincipal method in the RDBMSRealm (not
RDBMSDelegate)? It is not part of one of the Realm interfaces. I commented
it out.
- When I turn on the Realm debug mode, I see the system password in a debug
line in the weblogic.log (<CachingRealm> getAclOwner("system01") ).
Shouldn't this be crossed out as with reading password properties, BEA?
Niels Andeweg

The system user has to be in the weblogic.properties file. I'm not sure about
the ACL issue with the system
user, but I would think that any acl containing the system user would also have
to be in the weblogic.properties file.
Jay

Similar Messages

  • SYS and SYSTEM user password expired

    My 11g2 database on Redhat 5 has sys and system user password expired
    SQL> select username,account_status,EXPIRY_DATE
      2  from dba_users where username like 'SYS%';
    USERNAME                       ACCOUNT_STATUS                   EXPIRY_DA
    SYSMAN                         OPEN
    SYSTEM                         OPEN                             15-FEB-11
    SYS                            OPEN                             15-FEB-11
    But I can still connect the database with the expired password.
    Do I need worry about the expiration of these user's password? For a normal user, I cannot login with expired password

    Dear user13148231,
    Here is an illustration;
    SQL> alter user sys account lock;
    User altered.
    SQL> select username, account_status, lock_date, expiry_date from dba_users where USERNAME='SYS';
    USERNAME                      ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
    SYS                                      LOCKED                           20-AUG-10      23-FEB-09
    SQL> host sqlplus sys/password@opttest as sysdba
    SQL*Plus: Release 10.2.0.4.0 - Production on Fri Aug 20 12:25:43 2010
    Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
    Connected to:
    Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> exit
    Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> alter user sys identified by password password expire;
    User altered.
    SQL> select username, account_status, lock_date, expiry_date from dba_users where username='SYS';
    USERNAME                      ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
    SYS                                EXPIRED & LOCKED                 20-AUG-10   20-AUG-10
    SQL> host sqlplus sys/password@opttest as sysdba
    SQL*Plus: Release 10.2.0.4.0 - Production on Fri Aug 20 12:27:02 2010
    Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
    Connected to:
    Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> exit
    Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL> alter user sys identified by password account unlock;
    SQL> select username, account_status, lock_date, expiry_date from dba_users where username='SYS';
    USERNAME                       ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
    SYS                            OPEN
    Even if it shows expired and locked it is OK to connect to the database for the SYS user.
    SQL> alter user ogan identified by password account lock password expire;
    User altered.
    SQL> select username, account_status, lock_date, expiry_date from dba_users where username='OGAN';
    USERNAME                       ACCOUNT_STATUS                   LOCK_DATE EXPIRY_DA
    OGAN                           EXPIRED & LOCKED                 20-AUG-10 20-AUG-10
    SQL> conn ogan/password
    ERROR:
    ORA-28000: the account is locked
    Warning: You are no longer connected to ORACLE.
    SQL> conn / as sysdba
    Connected.
    SQL> alter user ogan account unlock;
    User altered.
    SQL> conn ogan/password@opttest
    ERROR:
    ORA-28001: the password has expired
    Changing password for ogan
    New password:
    Retype new password:
    Password changed
    Connected.
    SQL>
    Ogan

  • When creating application: SYS and SYSTEM users may not create applications

    Dear all,
    When I am performing the below mentioned operations
    1) Importing Application
    2) Create Application
    3) Create from Spreadsheet
    4) Demonstration Application
    I am getting this error message
    "SYS and SYSTEM users may not create applications"
    Please do the needful

    Creating an application using the SYS or SYSTEM user is not a good idea. Your objects will be created in the SYSTEM tablespace, it's a fatal option. Create a new Workspace and create your app there.

  • Locked SYS and SYSTEM user

    DB version: 11.2.0.2
    OS : Solaris 10
    In our production DBs , I've noticed that both SYS and SYSTEM users are locked
    $ sqlplus / as sysdba
    SQL*Plus: Release 11.2.0.2.0 Production on Thu Jan 19 14:21:34 2012
    Copyright (c) 1982, 2010, Oracle.  All rights reserved.
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.2.0.2.0 - 64bit Production
    With the Partitioning option
    SQL> select username, account_status from dba_users where username like 'SYS%';
    USERNAME                       ACCOUNT_STATUS
    SYSTEM                         LOCKED
    SYS                            LOCKED
    1. How can I log in to SYS account despite being locked. Is it because I logged in through external authentication?
    2. Is locking the SYS user a standard practise ? If so, why ?

    Hi;
    1. How can I log in to SYS account despite being locked. Is it because i logged in through external authentication?
    set ORACLE_HOME, ORACLE_SID then
    sqlplus "/as sysdba"
    alter user xx account unlock;
    2. Is locking the SYS user a standard practise ? If so, why ?
    SYS and SYSTEM are default users, created with the creation of the database. Although they have much power - as they are granted the DBA role - they're still ordinary users. Because SYS owns the data dictionary, (s)he is considered a bit more special than SYSTEM. But SYS has the SYSDBA privilege which SYSTEM doesn't. This makes it possible for SYS to become a very very powerful user. This is the case when (s)he connects as sys/password as SYSDBA or / as sysdba. The as sysdba phrase is a request to acquire the privileges associated with the single SYSDBA system privileges (see here).
    Source:
    http://www.adp-gmbh.ch/ora/misc/sys_system_internal.html
    Regard
    Helios

  • Lock sys and system user

    Dear all,
    We have 10.2.0.4 on solaris 10.
    Currently we had I.T audit on our environment and auditor commented to lock sys and system user and use one user with any name (not oracle generic name) and grant him sys and system privilege and to use this user for admin purposes. is this right ?.. is this recommended ?
    Please advise

    Hello,
    I think it's not a right way to lock SYS.
    Moreover, if you connect as OS Administrator (root for Unix/linux) on the server and use
    OS Authentication then, you can connect on SYS AS SYSDBA anyway.
    So, in fact, it's not possible to lock out SYS even if you execute the following:
    ALTER USER SYS ACCOUNT LOCK;
    If you want to prevent access on SYS you should set a complex and long password and
    apply the same rule for the Administrator / root OS user.
    These passwords must be known by very few and well-identified people and written nowhere
    (in any files or scripts).
    Moreover, you should limit DBA roles to SYS and SYSTEM and remove this powerful Role
    from other Oracle Users.
    Then, you may enable session AUDIT so as to control the connection on the database and,
    create a LOGON TRIGGER so as to check the login, workstation, program of the end users
    who connect to the database.
    On 10g, EM DBConsole shows an alert every time a User is connected with SYS.
    Please, find enclosed, an interesting document written by Pete Finnigan on this topic:
    http://www.insight.co.uk/files/presentations/Hacking%20and%20securing%20Oracle.pdf
    Hope this helps.
    Best regards,
    Jean-Valentin
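
The controls listed in the reply above (DBA role limited to SYS and SYSTEM, session auditing, and a logon trigger recording login, workstation and program), as an added example that is not part of the original posts. The `sec_admin` schema, the `logon_audit` table and the trigger name are hypothetical; the statements assume Oracle traditional auditing with the `audit_trail` parameter set.

```sql
-- 1. Accounts other than SYS and SYSTEM that hold the DBA role
--    (candidates for REVOKE DBA FROM <grantee>).
SELECT grantee, admin_option, default_role
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantee;

-- 2. Record every logon and logoff in the audit trail.
--    Has an effect only when the audit_trail parameter is not NONE.
AUDIT SESSION;

-- 3. Table filled by the logon trigger (hypothetical schema sec_admin).
CREATE TABLE sec_admin.logon_audit (
  logon_time  TIMESTAMP      NOT NULL,
  db_user     VARCHAR2(128)  NOT NULL,
  os_user     VARCHAR2(256),
  host        VARCHAR2(256),
  ip_address  VARCHAR2(64),
  module      VARCHAR2(64)
);

-- 4. Logon trigger capturing login, workstation and client program.
--    The owner needs the ADMINISTER DATABASE TRIGGER privilege.
CREATE OR REPLACE TRIGGER sec_admin.trg_logon_audit
AFTER LOGON ON DATABASE
BEGIN
  INSERT INTO sec_admin.logon_audit
    (logon_time, db_user, os_user, host, ip_address, module)
  VALUES
    (SYSTIMESTAMP,
     SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'HOST'),
     SYS_CONTEXT('USERENV', 'IP_ADDRESS'),  -- NULL for local connections
     SYS_CONTEXT('USERENV', 'MODULE'));
EXCEPTION
  WHEN OTHERS THEN
    NULL;  -- a logging failure must not stop users from connecting
END;
/

-- 5a. Review failed logons from the audit trail
--     (returncode 0 = success, 1017 = invalid username/password,
--      28000 = account locked).
SELECT os_username, username, userhost, terminal, timestamp, returncode
  FROM dba_audit_session
 WHERE returncode <> 0
 ORDER BY timestamp DESC;

-- 5b. Review which workstations and programs each account connects from.
SELECT db_user, os_user, host, module, COUNT(*) AS logons,
       MAX(logon_time) AS last_logon
  FROM sec_admin.logon_audit
 GROUP BY db_user, os_user, host, module
 ORDER BY last_logon DESC;
```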

  • Profiles apply to SYS and SYSTEM users

    Dear all,
    Is it possible to configure the security policies (profiles), I mean password length, history, failed login attempts, for SYS and SYSTEM users in Oracle 10g?
    What will happen if both users are blocked? Would the service be affected?
    What would you recommend to me?
    Thanks for your answers, and apologies for my English, it is not very good.

    Check here:
    SYS account cannot be locked out by setting the failed_login_attempts limit in the profile.
    is it possible to lock out SYS using FAILED_LOGIN_ATTEMPTS in a profile
    http://www.petefinnigan.com/ramblings/failed_login_attempts.htm
    -Anantha

  • SAP user licensing - service users and system users

    Hello,
    In SAP licensing process, will it count service users and system users for the license.
    (or licensing occurs only to the dialog users)
    In the license agreement , it is not mentioned.
    (Mentioned as 500 user license only)
    regards,
    zerandib.

    Hi Zerandib,
    This forum is for SAP Business One users only. I think your question is related to R/3. Please close your thread and post on a proper forum.
    Thanks,
    Gordon

  • Difference between Communication and System User

    Hello All,
    I would like to know the difference between the Communication User and System User.
    Definition wise, yes, I know what they are for.
    But my doubt is, why do we need a communication user type for RFC connections when we can use a System user.
    Why did SAP design these two types of users?

    It's okay in my books for people to experience the internet as it is and not the way it was individually intended
    SU01Solution already solved the problem actually, but there are some very fine peripheral differences still between the user types.
    That is why asking a specific question and discussing its merits / pros and cons is the best approach and SAP also benefits from it.
    Another obvious difference if you do a simple search is that SYSTEM type users cannot issue SAP logon tickets.
    There are a few more but as I said these are peripheral and very use-case dependent... so SU01Solution needs to ask a proper and realistic question.
    ps: ST01 is not the answer here either...
    Cheers,
    Julius

  • Difference between SYS and SYSTEM user

    Hi,
    Well, one of my colleagues has asked me the difference between SYS and SYSTEM user .. Normally these are the users which will be under the monitoring of the DBA .. So, how could I know the difference between these two users ..
    Please assist me
    Regards

    SYS is the owner of the database and the owner of the data dictionary.
    The objects belonging to SYS cannot be exported. But SYS has the SYSDBA privilege which SYSTEM doesn't.
    SYSTEM is a privileged administration user, and typically owns Oracle provided tables other than the dictionary.
    SYSDBA is not a role, it is a privilege. You'll find it in system_privilege_map, not in dba_roles.

  • Forgotten Sys and System user passwords

    In the case of forgetting the Sys and the System user passwords, is there any way of logging on with privileges to be able to change these passwords, if not, are there any other solutions?
    Thanks,
    Nick

    In order for "/ as sysdba" to work, you need to run
    the password file creation utility (orapwd).
    No, it has nothing to do with the password file. In order for "connect / as sysdba" to succeed, it is necessary to have an operating system account which is a member of the "osdba group". In Windows, this OS group is : "ORA_DBA". Any member of this group can and has privileges to connect "/ as sysdba". Again, it has nothing to do with password file.
    In Windows there is another condition for it to work :
    The file %ORACLE_HOME%\network\admin\sqlnet.ora must have the following line :
    SQLNET.AUTHENTICATION_SERVICES= (NTS)
    In Unix systems, the osdba group is configured at installation and is conventionally named "dba".

  • BackUp on Windows Server 2008R2 (Both OS, apps and system users)

    Hi all,
    I am a new user on Windows Server 2008R2 now. And I am about to backup the OS. So, may I know if I use the Windows Server Backup function, will the operation be backing up not only OS and apps but also the system users?
    If the backup service can't backup the system users, is there any exclusive way to backup the users list?
    I'm fresh in using Windows Server 2008R2, please help me out. Thanks in advance....

    Hi,
    When you do a "system state" backup, the Local Users and Groups are also backed up. For more detailed information, please refer to the thread below:
    How do I manually export the Local User Accounts Database? Standalone Windows Server 2008 R2
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/4012d976-ffae-4563-bd22-dec5e9a86d61/how-do-i-manually-export-the-local-user-accounts-database-standalone-windows-server-2008-r2?forum=winservergen
    Regards,
    Mandy

  • Grants from SYS and SYSTEM user

    Hi All,
    Please help me to understand this problem.
    I have some schema named maps_ref where I am creating a view (table abc, view abc01).
    Here I have granted the create view, create any view privs to maps_ref by connecting SYS as SYSDBA.
    It allowed me to create the view.
    Just as a try, I revoked the privs by connecting as SYSTEM and it revoked the privs granted by SYS as SYSDBA.
    Later obviously I could not create the view.
    Does it mean that grants given by SYS as SYSDBA can be taken back from SYSTEM though SYSDBA is more powerful than SYSTEM?
    I am a little bit confused how it worked? Please explain.
    Rgds,
    Aashish

    Hi,
    SYS isn't a normal user and you are not able to connect without the clause SYSDBA.
    sqlplus sys@test
    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Apr 8 09:48:37 2009
    Copyright (c) 1982, 2008, Oracle. All rights reserved.
    Enter password:
    ERROR:
    ORA-28009: connection as SYS should be as SYSDBA or SYSOPER
    Enter user-name:
    sqlplus sys@test as sysdba
    SQL*Plus: Release 11.1.0.7.0 - Production on Wed Apr 8 09:48:55 2009
    Copyright (c) 1982, 2008, Oracle. All rights reserved.
    Enter password:
    Connected to:
    Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - 64bit Production
    With the Partitioning, OLAP, Data Mining and Real Application Testing options
    SQL>
    Regards,
    Tom
    http://oracledba.cz

  • Prevent imports to sys and system users

    I work at a company who develops an Application that uses an Oracle database. Many times we receive a full system export. I want to prevent my users from importing all the schemas, and just import from the schema that contains our data. Since the user name of the export is different from the user that does the import, I have granted them the IMP_FULL_DATABASE right. Almost all our customers use the same name for the schema, so if we want to look at the data of more than one customer, we need to import to another schema.
    I am running two test servers, one for Oracle 10 and one for Oracle 11 on Oracle Linux. And I am already using one separate account to let them import and export the data, and to create the user.
    Is there a way to prevent users from importing to the system, sys and other oracle schemas, without limiting schema imports of other Oracle servers?

    If you know which schema data you want to import into your database from the export dump, you can use schema level import. Also if you are using datapump you can use the remap schema option.
    Thanks and Regards,
    Satish.G.S
    http://gssdba.wordpress.com

  • Communicating with LMS and System Users

    Thanks in advance for your help. I am looking for a solution and wondering if my request is even possible. Our training module needs to be able to communicate with our clients LMS and determine whether a user has taken our course previously or not. This functionality should guide the user to a specific path depending on their history. Is this even possible!? if so PLEASE HELP! Thanks again in advance!
    Hines,

    If you manage to get the LMS to send this information in the form of a URL variable (e.g. www.mycourse.com?userName=Fred&doneCourseBefore=1) then there are ways to get that information from the URL via Javascript and then ActionScript into the course.
    I think Jim Lechlitner wrote a post on something similar a while back on these forums.  He's the JavaScript guru around here. I couldn't find the exact post, but here's one that should get you some useful info about using JS with Captivate: http://forums.adobe.com/message/3645857#3645857

  • Transactional access to Communications and System ID

    Hello Experts,
    Can the communications Id execute transactions in SAP other than performing RFC execution?
    Is it a suggested solution to let these non-dialog id's have transactional access from Audit perspective?
    Appreciate your inputs.
    Regards,
    Sandeep

    Sandeep,
    Communication users and system users are both non-interactive accounts. I
    consistently use system accounts. I found that communication accounts need to have their password changed on first logon, which is somewhat cumbersome with a non-dialog account....
    If you notice RFC user profiles, they usually have SAP_ALL, SAP_NEW. They are able to execute the transactions.
    There are reasons for denying SAP_ALL in PS environment.
    No one should have this in any system. SAP_ALL enables you to 'jump'
    systems using - for example - tx. SM59. They might in this way also jump to
    your PRD system AND - depending on the authorizations of the SM59 user - might then have another SAP_ALL again. This is not to be tolerated.
    If you are giving SAP_ALL in production for RFC users, then you need to convince the auditors.
    Other option for SAP_ALL is the firefighter role.
    Communication:
      For this kind of users:
      GUI login is not possible.
      Users are allowed to change password through some software in middle tier.
      Usage: These are used for login to system through external systems like web application.
    System:
      GUI login is not possible.
      Initial password and expiration of password are not checked.
      Usage: These are used for internal use in system like background jobs.
    Service:
      GUI login is possible.
      Initial password and expiration of password are not checked.
      Multiple logins are allowed.
      Users are not allowed to change the password. Only admin can change the password.
      Usage: These are used for anonymous users. This type of users should be given minimum authorization.
    Dialog & service both are same, only difference in service user type is no password expiry.
    Still the user is able to log on through the GUI.
    Thanks,
    Sri
