Oracle admin accounts can be disabled

oracle

Are there any undesirable effects if I disable all Oracle admin accounts (sys, sysman, ...) and use new admin accounts? I'm afraid Oracle itself might use such default admin accounts for processing.

Thanks.

Best Answer

You can't lock/disable SYSDBA accounts (e.g., SYS), due to the fact that they don't authenticate to the database in the same way. Here's a little test I ran on a regular user that I granted SYSDBA to, then locked the account. The user can still get in as SYSDBA, just not as a normal user:

C:\>sqlplus test@testdb as sysdba

SQL*Plus: Release 10.2.0.1.0 - Production on Mon Apr 26 10:14:42 2010

Copyright (c) 1982, 2005, Oracle.  All rights reserved.

Enter password:

Connected to:
Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

SQL> quit
Disconnected from Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options

C:\>sqlplus test@testdb

SQL*Plus: Release 10.2.0.1.0 - Production on Mon Apr 26 10:23:43 2010

Copyright (c) 1982, 2005, Oracle.  All rights reserved.

Enter password:
ERROR:
ORA-28000: the account is locked


Enter user-name:
C:\>

Of course, if I can get in as a SYSDBA user, then I can just unlock my account and get in as a normal user again.

I'm not sure why you would actually want to do this. It doesn't seem like a good idea. If you could actually lock the SYSDBA accounts, you could render your database inaccessible. Aside from SYS and SYSTEM, all accounts created by Oracle when the database is created are locked by default anyway. What are you trying to accomplish?

EDIT:

Here is the only scenario in which SYSDBAs could get locked out:

  1. Remove the password file for the instance (usually pwd.ora)
  2. Make your SQLNET.AUTHENTICATION_SERVICES = (NONE) (require password access for SYSDBA)
  3. Forget your Oracle DBA OS account password so you can't recreate the pwd.ora file
  4. Forget your OS administrator passwords so you can't unlock or create new DBA accounts.

This scenario means you're pretty much screwed anyway. It also assumes you can't modify the sqlnet.ora file where the authentication_services parameter is defined, else you could set it back to NTS to allow OS authentication (assumes Windows).
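
Added example, not part of the original answer: a query to find accounts in the state the test session demonstrates (locked for normal logins, yet still able to connect AS SYSDBA), using the standard V$PWFILE_USERS and DBA_USERS views. TEST is the account name from the session above; the FINDING column label is made up for this example.

```sql
-- Run as a user that can read V$PWFILE_USERS and DBA_USERS.
-- V$PWFILE_USERS lists the password-file entries only; administrators who
-- connect through OS authentication are not shown here.
SELECT p.username,
       p.sysdba,
       p.sysoper,
       u.account_status,
       u.lock_date,
       CASE
         WHEN u.account_status LIKE '%LOCKED%'
              AND (p.sysdba = 'TRUE' OR p.sysoper = 'TRUE')
         THEN 'LOCKED BUT STILL PRIVILEGED'
       END AS finding          -- hypothetical label, NULL when not flagged
FROM   v$pwfile_users p
       LEFT JOIN dba_users u ON u.username = p.username
ORDER  BY p.username;

-- Locking the account leaves its password-file entry in place.
-- Revoking the privilege is what removes the SYSDBA login path.
REVOKE SYSDBA FROM test;

-- Re-check: the row is gone, or shows SYSDBA = FALSE if SYSOPER is still granted.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
WHERE  username = 'TEST';
```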
