RE: SYS vs SYSTEM
Bill,
Roles created by a user never go away. They are not attached to the user. They belong to the system (I just tried this in 816 - created a user, granted CREATE_ROLE to that user, connected as that user, created a role and dropped the user - the role still exists).
Likewise grants to database objects. Once they are established, they exist on their own. Dropping the user who granted the access has nothing to do with the grant itself (unless it is to objects that existed in the dropped user's account, because these objects go away).
I never use the SYS or SYSTEM accounts to create accounts, roles or perform grants. I use SYS (or internal) for db startup and shutdown and RMAN backups only.
I create a DBA account (which owns the schema for the database) to do all of the create account, roles and object grants. I actually don't even know the System account password - if I really need to get into it, I alter the password to a new string and connect to it.
I'm not saying that you are doing anything wrong. Every DBA has their own way of doing things, and your way is perfectly fine (not that you are asking for approval! :) ). At least you are not using the SYS or SYSTEM account for schema objects. I saw this happen once!
Hope this helps!
Tom Mercadante
Oracle Certified Professional
-----Original Message-----
Sent: Friday, June 15, 2001 9:31 AM
To: Multiple recipients of list ORACLE-L
What account I use depends on what I am doing. For example to set up roles, grant rights, and create users I use the SYSTEM account. For anything else, I use my DBA account. The reason is that if I ever leave and my account is removed, all those rights that I granted and all the roles that I created would go away. The SYSTEM account will never be removed. We learned this the hard way because we had a DBA leave and we removed his user id.
>>> guy.hammond_at_avt.co.uk 06/15/01 05:55AM >>>
Hi all,
I generally use SYSTEM rather than SYS for DBA work, and would like to discourage the use of SYS as much as possible. Partly because it bypasses auditing and the profile, and also because I tend to regard SYS as being for Oracle-specific things (like running scripts from $ORACLE_HOME/rdbms/admin) and SYSTEM for doing the day-to-day tasks (like administering storage, performance monitoring etc).
Does this reasoning make sense? And, what would be a good way to explain it to developers who've gotten used to writing app installation scripts that run as SYS (for example, they might refer to AQ$_AGENT rather than SYS.AQ$_AGENT)? Thanks,
g.
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Guy Hammond INET: guy.hammond_at_avt.co.uk
Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).
--
Author: William Beilstein INET: BeilstWH_at_obg.com
--
Author: Mercadante, Thomas F INET: NDATFM_at_labor.state.ny.us
Received on Fri Jun 15 2001 - 09:16:59 CDT
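The thread disagrees about what disappears when a departing DBA's account is dropped. The SQL*Plus script below is an added example, not part of any message in the thread; it lists what depends on an account so the output can be saved before the drop and compared afterwards. The account name JSMITH is a hypothetical placeholder, and the script assumes the session can read the DBA_* dictionary views.

```sql
-- Added example: pre-offboarding dependency report for one account.
-- JSMITH is a hypothetical account name; substitute the account to be dropped.
DEFINE departing_user = 'JSMITH'

-- 1. Object grants this account issued on other schemas' objects
--    (it appears as GRANTOR, not as OWNER).
SELECT grantee, owner, table_name, privilege, grantable
FROM   dba_tab_privs
WHERE  grantor = '&departing_user'
AND    owner  <> '&departing_user'
ORDER  BY owner, table_name, grantee;

-- 2. Objects in the account's own schema. DROP USER ... CASCADE removes
--    these, and grants on them go with the objects.
SELECT object_type, COUNT(*) AS object_count
FROM   dba_objects
WHERE  owner = '&departing_user'
GROUP  BY object_type
ORDER  BY object_type;

-- 3. Who currently relies on grants to those schema objects.
SELECT grantee, table_name, privilege
FROM   dba_tab_privs
WHERE  owner = '&departing_user'
ORDER  BY table_name, grantee;

-- 4. Roles the account holds WITH ADMIN OPTION. The creator of a role
--    receives it with ADMIN OPTION, so roles it created show up here.
SELECT granted_role
FROM   dba_role_privs
WHERE  grantee = '&departing_user'
AND    admin_option = 'YES'
ORDER  BY granted_role;
```

Spool the output to a file, then rerun queries 1 and 3 and check DBA_ROLES for the roles from query 4 after the account is dropped to see what actually changed on your release.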