| Logging in as SYS [message #596642] |
Wed, 25 September 2013 06:16  |
gazzag
Messages: 1118
Registered: November 2010
Location: Bedwas, UK
|
Senior Member |
|
|
Hi,
I've been an Oracle DBA for almost twenty years. In that time I have worked in various organisations - sometimes as a "permanent" employee (although nothing is permanent these days  ) and other times as a contractor. I have been in my current role for the last six months since being made redundant from my last position.
In this organisation we support a lot of Oracle databases on many different servers spanning various networks. There are two DBAs who have been here for several years and for whom I was recruited to help with the workload.
However, they are both in the habit of logging in as SYSDBA for everything. They find it amusing that I refuse to do so for daily administration as I know that this is bad practice. Import and exports are even taken as SYS. Whenever I mention that it's bad practice they shrug it off saying that they've been doing it for years with no problems.
So I have been scouring Tahiti and Metalink looking for a definitive document from Oracle that states just why this is such bad practice. I would imagine that an import as SYS could have catastrophic consequences for the data dictionary if you're not careful, but I can't think of much else.
We've all seen Michel's default "just don't do it" message whenever a poster mentions that they have done something as SYS. But I was wondering if anyone has found anything official other than the documentation recommending that it should not be done.
I look forward to your replies.
Regards,
-g
[Edit: Typo]
[Updated on: Wed, 25 September 2013 07:05] Report message to a moderator |
|
|
|
|
|
| Re: Logging in as SYS [message #596648 is a reply to message #596644] |
Wed, 25 September 2013 07:26  |
gazzag
Messages: 1118
Registered: November 2010
Location: Bedwas, UK
|
Senior Member |
|
|
Quote:
SYS is like root for us. It holds the data dictionary, it is special (it physically works differently from other accounts - no flashback query for it, no read only transactions, no triggers, etc)
Hi Mahesh. That's exactly the sort if thing I was after. Michel has hinted at "code paths changing" but that's more specific. Thanks.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Re: Logging in as SYS [message #597191 is a reply to message #596910] |
Tue, 01 October 2013 08:44 |
gazzag
Messages: 1118
Registered: November 2010
Location: Bedwas, UK
|
Senior Member |
|
|
Thanks for all of your replies. So, the upshot of this little discussion is that
I've managed to make a case for changing our Datapump regime. The solution that
I've proposed is to use an O/S authenticated account with the EXP_FULL_DATABASE
privilege (you also need to grant CREATE SESSION and CREATE TABLE in
10.2.0.4 as they are not included in the EXP_FULL_DATABASE role). This has the
advantage of not requiring hard-coded passwords in the relevant scripts.
Incidentally, we DataPump our environments as well as RMAN-ing them. This allows
us to more quickly restore any objects in our Dev environment that may have been
accidentally dropped or trashed by a developer.
Ed, apologies for the oxymoron; I should have more accurately said "has anyone
found anything official other than the documentation's vague recommendation
of not doing it" as Roachcoach correctly inferred.
Once again, thanks all.
|
|
|
|
] 
Blog
Search
Help
Members
Register
Login
Home
