·
The Oracle orapwd utility assists the DBA with
granting SYSDBA and SYSOPER privileges to other users.
·
By default, the user SYS is the only user that has
these privileges. Creating a password file via orapwd enables remote
users to connect with administrative privileges through SQL*Net.
·
SYSDBA privilege allows the DBA to perform general
database maintenance without viewing user data. It provides the ability to
do everything, unrestricted.
If ‘orapwd’ has
not yet been executed, attempting to grant SYSDBA or SYSOPER privileges will
result in the following error:
SQL> grant sysdba to
john;
ORA-01994: GRANT failed: cannot add users to public password file
ORA-01994: GRANT failed: cannot add users to public password file
The
following steps can be performed to grant other users these privileges:
1. Create the password file by executing the following command:
$ orapwd file=filename password=password entries=max_users
·
The
filename is the name of the file that will hold the password information.
·
The
max_users is the number of database users that can be granted SYSDBA or
SYSOPER.
Note:
-
The
contents of the file are encrypted and are unreadable.
-
The
file location will default to the current directory unless the full path is
specified.
2.
Edit the init.ora file and set the parameter
“remote_login_passwordfile”.
This parameter must be set to
either SHARED or EXCLUSIVE.
·
When
set to SHARED, the password file can be used by multiple databases, yet
only the SYS user is recognized.
·
When
set to EXCLUSIVE, the file can be used by only one database, yet
multiple users can exist in the file.
The
parameter setting can be confirmed by:
SQL> show parameter password
NAME TYPE VALUE
----------------------------- ----------- ----------
remote_login_passwordfile string EXCLUSIVE
3.
Grant SYSDBA or SYSOPER to users. When SYSDBA or SYSOPER privileges are
granted to a user, that user's name and privilege information are added to the
password file.
SQL> grant sysdba to john;
Grant succeeded.
4.
Confirm that the user is listed in the password file using the following View.
SQL> select * from v$pwfile_users;
USERNAME SYSDBA SYSOPER
------------------------------ ------ -------
SYS TRUE TRUE
JOHN TRUE FALSE
Now
the user SCOTT can connect as SYSDBA. Administrative users can be
connected and authenticated to a local or remote database by using the SQL*Plus
connect command. They must connect using their username and password, and
with the AS SYSDBA or AS SYSOPER clause:
SQL>
connect john/john as sysdba;
The
DBA utilizes the orapwd utility to grant SYSDBA and SYSOPER privileges to other
database users. The SYS password should never be shared and should be
highly classified.
No comments:
Post a Comment