As a DBA, you often perform special operations such as shutting down or starting up a database. Because only a DBA should perform these operations, the database administrator user names require a secure authentication scheme.
Administrative Privileges
Administrative privileges that are required for an administrator to perform basic database operations are granted through special system privileges.
Operations Authorized by Administrative Privileges
Each administrative privilege authorizes a specific set of operations.
Authentication Methods for Database Administrators
Database administrators can be authenticated with account passwords, operating system (OS) authentication, password files, or strong authentication with a directory-based authentication service, such as Oracle Internet Directory.
Using Operating System Authentication
Membership in special operating system groups enables a DBA to authenticate to the database through the operating system rather than with a database user name and password. This is known as operating system authentication.
Using Password File Authentication
You can use password file authentication for an Oracle database instance and for an Oracle Automatic Storage Management (Oracle ASM) instance. The password file for an Oracle database is called a database password file, and the password file for Oracle ASM is called an Oracle ASM password file.
Parent topic: Getting Started with Database Administration
1.7.1 Administrative Privileges
Administrative privileges that are required for an administrator to perform basic database operations are granted through special system privileges.
These privileges are:
SYSDBA
SYSOPER
SYSBACKUP
SYSDG
SYSKM
SYSRAC
Excluding the SYSRAC privilege, grant these privileges to users depending upon the level of authorization they require. The SYSRAC privilege cannot be granted to users because it is used only by the Oracle agent of Oracle Clusterware to connect to the database using operating system authentication.
Starting with Oracle Database 12c Release 1 (12.1), the SYSBACKUP, SYSDG, and SYSKM administrative privileges are available. Starting with Oracle Database 12c Release 2 (12.2), the SYSRAC administrative privilege is available. Each new administrative privilege grants the minimum required privileges to complete tasks in each area of administration. The new administrative privileges enable you to avoid granting SYSDBA administrative privilege for many common tasks.
Note:These administrative privileges allow access to a database instance even when the database is not open. Control of these privileges is totally outside of the database itself. Methods for authenticating database administrators with these privileges include operating system (OS) authentication, password files, and strong authentication with a directory-based authentication service.
These privileges can also be thought of as types of connections that enable you to perform certain database operations for which privileges cannot be granted in any other fashion. For example, if you have the SYSDBA privilege, then you can connect to the database by specifying the AS SYSDBA clause in the CONNECT command and perform STARTUP and SHUTDOWN operations. See “Authentication Methods for Database Administrators”.
Parent topic: Database Administrator Authentication
1.7.2 Operations Authorized by Administrative Privileges
Each administrative privilege authorizes a specific set of operations.
The following table lists the operations that are authorized by each administrative privilege:
Administrative Privilege Operations Authorized
SYSDBA
Perform STARTUP and SHUTDOWN operations
ALTER DATABASE: open, mount, back up, or change character set
CREATE DATABASE
DROP DATABASE
CREATE SPFILE
ALTER DATABASE ARCHIVELOG
ALTER DATABASE RECOVER
Includes the RESTRICTED SESSION privilege
This administrative privilege allows most operations, including the ability to view user data. It is the most powerful administrative privilege.
SYSOPER
Perform STARTUP and SHUTDOWN operations
CREATE SPFILE
ALTER DATABASE: open, mount, or back up
ALTER DATABASE ARCHIVELOG
ALTER DATABASE RECOVER (Complete recovery only. Any form of incomplete recovery, such as UNTIL TIME|CHANGE|CANCEL|CONTROLFILE requires connecting as SYSDBA.)
Includes the RESTRICTED SESSION privilege
This privilege allows a user to perform basic operational tasks, but without the ability to view user data.
SYSBACKUP
This privilege allows a user to perform backup and recovery operations either from Oracle Recovery Manager (RMAN) or SQL*Plus.
See Oracle Database Security Guide for the full list of operations allowed by this administrative privilege.
SYSDG
This privilege allows a user to perform Data Guard operations. You can use this privilege with either Data Guard Broker or the DGMGRL command-line interface.
See Oracle Database Security Guide for the full list of operations allowed by this administrative privilege.
SYSKM
This privilege allows a user to perform Transparent Data Encryption keystore operations.
See Oracle Database Security Guide for the full list of operations allowed by this administrative privilege.
SYSRAC
This privilege allows the Oracle agent of Oracle Clusterware to perform Oracle Real Application Clusters (Oracle RAC) operations.
See Oracle Database Security Guide for the full list of operations allowed by this administrative privilege.
The manner in which you are authorized to use these privileges depends upon the method of authentication that you use.
When you connect with an administrative privilege, you connect with a current schema that is not generally associated with your username. For SYSDBA, the current schema is SYS. For SYSOPER, the current schema is PUBLIC. For SYSBACKUP, SYSDG, and SYSRAC, the current schema is SYS for name resolution purposes. However, the current schema for SYSKM is SYSKM.
Also, when you connect with an administrative privilege, you connect with a specific session user. When you connect as SYSDBA, the session user is SYS. For SYSOPER, the session user is PUBLIC. For SYSBACKUP, SYSDG, SYSKM, and SYSRAC, the session user is SYSBACKUP, SYSDG, SYSKM, and SYSRAC, respectively.
