Note 168243 - Assigning sysdba and sysoper authorizations

Version / Date 6 / 2002-03-15
Priority Recommendations/additional info
Category Installation information
Primary Component BC-DB-ORA Oracle
Secondary Components
Summary
Symptom
Setting up sysoper/sysdba authorization for a user
Other terms
connect internal
sysoper
sysdba
Reason and Prerequisites
As of Oracle Version 9i, the function of the 'internal' user has changed. With this release, you can no longer perform an internal connect without a password. Membership of the operating system group 'DBA' alone no longer provides an authorization to log on to the database without a password.
A 'proper' database user with a user name/password is required to log on to the database.
The user name/password is stored directly in the internal ABAP Dictionary of the database.
If the database is not started, these authorizations cannot be read directly in the database.
You therefore require a mechanism which allows you to assign authorization to start and stop the database EXTERNALLY, WITHOUT having to verify the user name/password.

We advise AGAINST using this mechanism for Releases 7.3.X and 8.0.X as it can result in breaches in security.
These problems have only been corrected as of Oracle Release 8.1.5.
Solution
The function for assigning sysoper/sysdba authorization was already supplied by Oracle with Version 7.X.
It is used as follows:
connect <username>/<password> as sysoper;
connect <username>/<password> as sysdba;
This works as soon as the OS user that you used to log on to the system belongs to the OPER (for sysoper) or dba (for sysdba) group. For Windows platforms: The OS user must belong to the ORA_DBA or ORA_<SID>_DBA (for sysdba) or ORA_OPER or ORA_<SID>_OPER (for sysoper) group.
You must create a password file if you need to start/stop the system with an OS user who is NOT a member of the aforementioned groups, or if a connect as sysdba or sysoper from a remote machine is required (for example, split mirror backups).
    1. Enter the following parameter in your $ORACLE_HOME/dbs/init<SID>.ora:
       REMOTE_LOGIN_PASSWORDFILE=EXCLUSIVE
    2. Execute the following command on the operating system level:
       orapwd file=$ORACLE_HOME/dbs/orapw password=<passwd> entries=10
    3. Restart your database.
    4. Execute the following commands for the Oracle users who are to get sysdba/sysoper authorization:
       connect sys/<passwd> as sysdba;
       grant sysoper to <username>;
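
The REMOTE_LOGIN_PASSWORDFILE setting and the file written by orapwd can be checked from the operating system without connecting to the database. The following read-only check is an added example, not part of the note; the function names are hypothetical, both paths are supplied by the caller, and the world-access test is an added hardening check that the note itself does not prescribe.

```shell
#!/bin/sh
# Added example: read-only audit of the password-file setup described above.
# Function names are hypothetical; both paths are supplied by the caller.

# Print the effective REMOTE_LOGIN_PASSWORDFILE value from an init<SID>.ora
# file (upper-cased), or UNSET if absent. Comments are ignored; last one wins.
pwfile_mode() {
    awk '
        { sub(/#.*/, "") }                       # strip trailing comments
        {
            line = $0
            gsub(/[ \t\r\047"]/, "", line)       # drop blanks and quotes
            n = index(line, "=")
            if (n && toupper(substr(line, 1, n - 1)) == "REMOTE_LOGIN_PASSWORDFILE")
                val = toupper(substr(line, n + 1))
        }
        END { print (val == "" ? "UNSET" : val) }
    ' "$1"
}

# Return 0 if the password file exists and grants nothing to "other".
# The file holds password hashes for SYS and every sysdba/sysoper grantee,
# so it must not be readable by arbitrary OS users.
pwfile_no_world_access() {
    [ -f "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Audit one instance: $1 = init<SID>.ora path, $2 = password file path.
audit_pwfile_setup() {
    rc=0
    mode=$(pwfile_mode "$1")
    echo "REMOTE_LOGIN_PASSWORDFILE=$mode"
    [ "$mode" = "EXCLUSIVE" ] || { echo "WARN: note expects EXCLUSIVE"; rc=1; }
    if pwfile_no_world_access "$2"; then
        echo "OK: $2 has no world access"
    else
        echo "WARN: $2 is missing or accessible to other OS users"; rc=1
    fi
    return $rc
}

if [ "$#" -eq 2 ]; then audit_pwfile_setup "$1" "$2"; fi
```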
