In order to support segregation of duties requirements, Oracle 12c has introduced new administrative roles to conform to the principle of access to the least privilege. Three new user SYSBACKUP, SYSDG and SYSKM are created in support of this, when the database is created, with their account in the “EXPIRED & LOCKED” status. A equivalent administrative privilege with the same name as the user is created as well.
SQL>SELECT username , account_status
FROM dba_users
ORDER BY created;
USERNAME ACCOUNT_STATUS
---------------------- ------------------
SYS OPEN
SYSTEM OPEN
SYSKM EXPIRED & LOCKED
SYSDG EXPIRED & LOCKED
SYSBACKUP EXPIRED & LOCKED
These new accounts have been provisioned for use with the appropriate privileges.
SQL>SELECT *
FROM V$pwfile_users;
USERNAME SYSDB SYSOP SYSAS SYSBA SYSDG SYSKM CON_ID
------------------------------ ----- ----- ----- ----- ----- ----- ----------
SYS TRUE TRUE FALSE FALSE FALSE FALSE 0
SYSDG FALSE FALSE FALSE FALSE TRUE FALSE 1
SYSBACKUP FALSE FALSE FALSE TRUE FALSE FALSE 1
SYSKM FALSE FALSE FALSE FALSE FALSE TRUE 1
SQL>SELECT *
FROM V$pwfile_users;
USERNAME SYSDB SYSOP SYSAS SYSBA SYSDG SYSKM CON_ID
------------------------------ ----- ----- ----- ----- ----- ----- ----------
SYS TRUE TRUE FALSE FALSE FALSE FALSE 0
SYSDG FALSE FALSE FALSE FALSE TRUE FALSE 1
SYSBACKUP FALSE FALSE FALSE TRUE FALSE FALSE 1
SYSKM FALSE FALSE FALSE FALSE FALSE TRUE 1
SYSBACKUP will be used to perform all backup and recovery related operations either via RMAN or SQL*PLUS.
SYSDG is in place to separate the Data Guard related operations from other activities.
SYSKM will be responsible for all TDE (Transparent Data Encryption) and Data Vault related administrative operations.
None of these new database roles can be dropped. They have enough privileges that using them user can connect to database even if it is closed. Also all these roles are incorporated into the Oracle database Vault. Actions performed using these privilege can be audited if AUDIT_SYS_OPERATIONS is set to true.
Add New Privileges to Password File
When a user needs to connect to the database using the SYSBACKUP, SYSDG or SYSKM adminstrative privilege the user must me be added to the password file with the appropriate user privilege flag. The option to include these new privileges has been added to the orapwd utility.
orapwd file=[fname] entries=[users] force=[y/n] asm=[y/n] dbuniquename=[dbname] format=[legacy/12] sysbackup=[y/n] sysdg=[y/n] syskm=[y/n] delete=[y/n] input_file=[input-fname]
orapwd FILE='$ORACLE_HOME/dbs/orapwvstdb01' ENTRIES=10 SYSBACKUP=y
When a user is connected using any of these admin privileges, the schema that they are assigned to is the SYS schema and the session name corresponds to the privilege name that they are using.
SQL> conn syskm as syskm
Enter password:
Connected.
SQL> select sys_context('userenv', 'current_schema') current_schema, sys_context('userenv', 'session_user')
session_user from dual;
CURRENT_SCHEMA SESSION_USER
------------------------------ ------------------------------
SYSKM SYSKM
orapwd file=[fname] entries=[users] force=[y/n] asm=[y/n] dbuniquename=[dbname] format=[legacy/12] sysbackup=[y/n] sysdg=[y/n] syskm=[y/n] delete=[y/n] input_file=[input-fname]
orapwd FILE='$ORACLE_HOME/dbs/orapwvstdb01' ENTRIES=10 SYSBACKUP=y
When a user is connected using any of these admin privileges, the schema that they are assigned to is the SYS schema and the session name corresponds to the privilege name that they are using.
SQL> conn syskm as syskm
Enter password:
Connected.
SQL> select sys_context('userenv', 'current_schema') current_schema, sys_context('userenv', 'session_user')
session_user from dual;
CURRENT_SCHEMA SESSION_USER
------------------------------ ------------------------------
SYSKM SYSKM
No comments:
Post a Comment