One thing I noticed is SYSTEM can do about 95% of the things SYS can do.
There isn't a whole lot you cannot do with SYSTEM. But there is some.
Using another account is sound advice as your less likely to own important
objects, and less likely to drop them as you would never prepend SYS. in a
drop statement unless you absolutely wanted to. I have seen dictionary
objects dropped many times from someone running DROPOBJ.SQL or something
similar under SYS/SYSTEM.
"Walking on water and developing software from a specification are easy if
both are frozen."
Christopher R. Spence
Oracle DBA
Fuelspot
-----Original Message-----
Sent: Friday, June 15, 2001 7:25 AM
To: Multiple recipients of list ORACLE-L
Guy:
Maybe I'm too conservative, but I don't even use SYSTEM unless necessary and
I hardly ever use SYS. I will usually create my own account and grant it DBA
privileges. IMHO, your reasoning here is sound. SYS, as you point out, can
do absolutely anything. Therefore, my reasoning is "don't use any more
privileges than you have to." That way, you can't get into trouble later. I
also feel that this provides a more appropriate security model: everyone has
their own account, including DBAs, so privileges can be granted/revoked per
user. Also, it saves on having to change the SYS and SYSTEM passwords every
time someone leaves the shop or changes roles. For me, it would be like
always logging in to a UNIX box as root. More privileges than necessary
usually leads to more problems than necessary.
Does that make sense?
--
Jon Walthour, OCDBA
Oracle DBA
Computer Horizons
Cincinnati, Ohio
> From: "Guy Hammond" <[EMAIL PROTECTED]>
> Organization: Fat City Network Services, San Diego, California
> Reply-To: [EMAIL PROTECTED]
> Date: Fri, 15 Jun 2001 01:55:43 -0800
> To: Multiple recipients of list ORACLE-L <[EMAIL PROTECTED]>
> Subject: SYS vs SYSTEM
>
> Hi all,
>
> I generally use SYSTEM rather than SYS for DBA work, and would like to
> discourage the use of SYS as much as possible. Partly because it
> bypasses auditing and the profile, and also because I tend to regard SYS
> as being for Oracle-specific things (like running scripts from
> $ORACLE_HOME/rdbms/admin) and SYSTEM for doing the day-to-day tasks
> (like administering storage, performance monitoring etc).
>
> Does this reasoning make sense? And, what would be a good way to explain
> it to developers who've gotten used to writing app installation scripts
> than run as SYS (for example, they might refer to AQ$_AGENT rather than
> SYS.AQ$_AGENT)?
>
> Thanks,
>
> g.
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Guy Hammond
> INET: [EMAIL PROTECTED]
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
> (or the name of mailing list you want to be removed from). You may
> also send the HELP command for other information (like subscribing).
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Jon Walthour
INET: [EMAIL PROTECTED]
Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Christopher Spence
INET: [EMAIL PROTECTED]
Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
San Diego, California -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from). You may
also send the HELP command for other information (like subscribing).
