Very useful OEM information
Kimathi Njeru, July 12, 2001 - 8:34 pm UTC
This answers a lot of questions about Console and OEM. Precise and to the point.
OEM console
raghunath, November 27, 2001 - 8:18 am UTC
very good solved a problem
Grant sysdba priviliges to users
Lior, February 24, 2002 - 1:43 am UTC
Despite of your detail explenaion I still cannot grant
sysdba to users.
I do not get errors after the grant statement ,
but when I try to export a tablespace with wxport utility
I get error that this can be done only with sysdba privilages .
February 24, 2002 - 9:31 am UTC
I assume you mean TRANSPORT the tablespace.
Are they in fact CONNECTING as SYSDBA:
$ exp tables=scott.emp
Export: Release 8.1.7.2.0 - Production on Sun Feb 24 09:30:58 2002
(c) Copyright 2000 Oracle Corporation. All rights reserved.
Username: / as sysdba
Connected to: Oracle8i Enterprise Edition Release 8.1.7.2.0 - Production
With the Partitioning option
JServer Release 8.1.7.2.0 - Production
Export done in US7ASCII character set and WE8ISO8859P1 NCHAR character set
server uses WE8ISO8859P1 character set (possible charset conversion)
About to export specified tables via Conventional Path ...
Current user changed to SCOTT
. . exporting table EMP 14 rows exported
Export terminated successfully without warnings.
Grant sysdba priviliges to users
Lior, February 24, 2002 - 1:43 am UTC
Despite of your detail explenaion I still cannot grant
sysdba to users.
I do not get errors after the grant statement ,
but when I try to export a tablespace with wxport utility
I get error that this can be done only with sysdba privilages .
Authentication error
Abdal-Rahman Agha, July 10, 2002 - 9:21 am UTC
Hi Tom,
What do you mean by:
"3. If the OMS is in a different NT domain, verify the domains can communicate."
I checked all the steps you inform, but still the above error appears. Please help.
July 10, 2002 - 12:23 pm UTC
Please contact support for configuration and installation assistance on this one. Not a big OEM user personally (especially on windows)
Ora-00439 can not connect as sysdba
Oct, July 10, 2002 - 11:08 pm UTC
Hi Tom,
Thanks for all previous help.
I am trying to connect as sysdba through sqlplus from Win98 client m/c ,but can not. error ora-00439.
Data base O9i standard edition.
Connected to:
Oracle9i Release 9.0.1.1.1 - Production
JServer Release 9.0.1.1.1 - Production
SQL> connect scott as sysdba
Enter password: **********
ERROR: ORA-00439: feature not enabled: Enterprise User Security
Whats wrong.
Thanks
Oct
July 11, 2002 - 7:31 am UTC
New one on me.
Is the database local (if not, you are missing @database). Since only PE is on win98, I am tending to think that the database is remote.
and have you truly granted SYSDBA to scott (not really a brilliant idea)
and is remote_login_passwordfile setup properly in the database
Email me if still....
Sikandar Hayat Awan, July 11, 2002 - 7:08 am UTC
Hi OP if still u can't solve the problem then email me at sikandar_h@hotmail.com instead disturbing TOM again and again. So I will try to solve ur problem.
ora-00439
Mark A. Williams, July 11, 2002 - 11:13 am UTC
There is a short discussion on MetaLink about the ora-00439 and 'Enterprise User Security' with a couple of suggestions. It may be relevant to your case. If you have access to MetaLink the doc id is: 218182.996
- Mark
System Privileges v/s Object Privileges
Reader, October 22, 2003 - 8:30 am UTC
Hello,
Why is System Priv and Object Priv treated differently when it comes to revoking the priviliges given in a chain. That's A granting to B 'with admin' for System and Object. Then B grants to C. And When A revokes B's the C's does nt get revoked in System but gets in Object ?
October 22, 2003 - 12:01 pm UTC
thats the way it works -- I don't know what the "justification" is, it is the way it has always worked.
Question Regarding System Privilege SYSDBA
Olga Cornejo, March 27, 2004 - 2:17 pm UTC
Hi Tom:
When you said:
"2. Verify the OS permission 'Logon as a Batch Job' has been granted to the OS (NODE) user stored in the EM Console's Preferred Credentials section."
You said that I can enter a WNT user in this NODE?
I have the same problem with the authentication error when I try to do a backup of data, and is very important to do, because I need to recreate a new database (in production) with this developer data.
Thanks for your help,
Olga
March 27, 2004 - 5:14 pm UTC
not really sure what "wnt" might be meaning there. probably windows nt - if so, sorry, but I don't really have access to that OS in an admin role (no command lines, too hard to work with). Sooo -- I'll have to refer you to support on that one. most of this was a cut/paste of a metalink support note (especially the windows stuff)
sysdba, sysoper
John, May 26, 2004 - 7:33 am UTC
Tom,
If i grant sysdba and sysoper privileges to an user,will any entry be written to the password file.
why i am asking this question is, i read like
"Set the REMOTE_LOGIN_PASSWORDFILE parameter to EXCLUSIVE where:
EXCLUSIVE indicates that only one instance can use the
password file and that the password file
contains names other than SYS and
INTERNAL"
when this password file
contains names other than SYS and
INTERNAL? is it when we grant somebody with sysdba , sysoper privileges?
May 26, 2004 - 8:50 am UTC
yes, when you grant they will be registered in there. so we can authenticate them without the database actually being up. SYS is in there as well.
Oracle Mgt Server
Thiru, July 07, 2004 - 9:00 am UTC
Hi Tom,
Can you please outline the steps to connect to Oracle Mgt server from the enterprise manager console. And what is the main purpose of using mgt server? Do we need a separate database for the purpose?
Thanks
July 07, 2004 - 9:06 am UTC
thats a good topic for documentation......
have you read it?
otn.oracle.com has all of it.
Avoid connect / as sysdba
David Pujol, October 25, 2004 - 6:01 pm UTC
Hi Tom, I've a production database very critical and it contains a lot of company confidencial data. Actually, we're building a standby database for this system in a remote machine. I'd like to know if exists any way to "disable" connect / as sysdba in this machine.
A lot of thanks
David Pujol
October 25, 2004 - 7:46 pm UTC
how would you start it up, shut it down, manage it?
You can however control WHO HAS the ability to connect as sysdba -- don't let them use that account that is allowed to connect / as sysdba -- lock down the OS account.
Oracle Consultant
Dawar, December 17, 2004 - 11:51 am UTC
Hello Tom,
We have Oracle Release 10.1.0.2.0 running on Linux Server.
I have no security for my sysdba role.
If I used and any thing as sysdba on my user name prompt its allow me to login without any password.
Important thing is that I can enter any word/number/alphabet as sysdba not necessary any existing user name.
a as sysdba will work.
12 as sysdba will work.
Please note: there is no username called a or 12.
oracle@wits:~/product/10.1.0/db_1/rdbms/admin> sqlplus
SQL*Plus: Release 10.1.0.2.0 - Production on Fri Dec. 17 08:32:27 2004
Copyright (c) 1982, 2004, Oracle. All rights reserved.
Enter user-name: sys as sysdba
Enter password: ( I do not need any password to logon) I pressed enter and its work.
Any help will be appreciated.
Regards,
Dawar
December 17, 2004 - 2:48 pm UTC
you control this by controlling access to the sysdba group.
when you installed, you said "anyone in this group can connect as sysdba locally without a password"
it is, will and always has worked that way.
So, using your OS utilities, remove everyone you don't want to have that ability from that group.
Understand the problem
Dawar, December 17, 2004 - 1:59 pm UTC
Tom,
I think I undrstand the problem.
My OS user Oracle is using the "dba' group.
I have installed oracle DB on this username.
But now I have to create new user.
How can I create new OS user which can access to Oracle.
Please note: This user should not a memebr of dba group.
My OS is SuSE Linux Enterprise Server 8.
My Oracle DB version is 10.1.0.2.0.
Regards,
Dawar
December 17, 2004 - 3:14 pm UTC
ask your system admin to create a new user for you.
bollox
A reader, December 21, 2004 - 11:12 am UTC
complete bollox
December 21, 2004 - 1:17 pm UTC
hmm, fascinating. I totally see your point. Well said -- I agree.
not.
grant sysdba previlege
PhiDi Tran, January 11, 2005 - 4:37 pm UTC
Hi;
I want to switch a database to archive mode. First thing to do is to shutdown the database.
1. I issued the command:
SQL> shutdown
ORA-01031: insufficient privileges
How to set the previlege to execute the above command?
Thanks,
PhiDi Tran
January 11, 2005 - 4:47 pm UTC
you need to connect "as sysdba" or "as sysoper" to shutdown.
connect u/p as sysdba
Standby database to switchover
PhiDi Tran, January 13, 2005 - 5:18 pm UTC
Hi Tom:
I have the Oracle9i standard edition installed on both primary and the standby hosts with 3 identical database installed on both machine.
I turn on the the archive mode on the primary and "INSERT ..." some new data to on of the table. I check the table, new data are added but I did not see the the size of the size of the .ARC file as well as the corresponding redo log changes and date of modification has not changes at all. Did I do any thing wrong?
2.How the the .arc file and redo log works when changes made into some database?
3. I have a program to replication all the redo logs and .arc log from the the primary host to the standby host in realtime. What SQL statement I should run to execute to update the database on the standby when the primary goes down? Should I schedule for the standby to be updated on regular basic?
Thanks a lot Tom. Your answers are very helpful.
PhiDi Tran
January 13, 2005 - 6:36 pm UTC
1) archives will not change in size.
you will see new archives created over time as we flip through logs.
I have no idea how often or when windows modifies timestamps files, rest assured however, if you insert a row and commit -- the data is in the redo log file.
2) concepts guide would be a good starting place for you. If you have access to "Expert one on one Oracle" -- i cover this in lots of detail as well.
3) no you don't. you can only copy ARCHIVES (redo -- nope, not going to happen, quite impossible for you to do that). Your "do it yourself standby" will ALWAYS lag behind by at least a redo log file -- always. You will lose the contents of the current online redo log file in the case of a catastrophic failure of your primary (in fact, probably more than that).
see
</code>
http://asktom.oracle.com/pls/asktom/f?p=100:11:::::P11_QUESTION_ID:1374203344882#29442885510752 <code>
get Niall's presentation/scripts. He's set this all up using SE.
archived redo log not generated
A reader, January 14, 2005 - 11:53 am UTC
Hi Tom:
Thank you very much for your previous responses. could you direct me to your "one on one oracle" site.
I have other questions:
1. I have 3 database, they're all installed with noarchive by default. I change to archived mode and check it using this.
SQL> select group#, archived from sys.v$log;
GROUP# ARC
---------- ---
1 NO
2 YES
3 YES
SQL> archive log list
Database log mode Archive Mode
Automatic archival Enabled
Archive destination C:\oracle\ora92\database\archive
Oldest online log sequence 2
Next log sequence to archive 4
Current log sequence 4
======
1. why GROUP 1 ARC NO ?
2. It looks like the archive mode set. I made some change to the database, I can see the redo logs updated but the archived log (.arc) is not generated at all?
Please help.
Thanks,
PhiDi Tran
January 14, 2005 - 7:58 pm UTC
"Expert one on one Oracle" is a book -- see the homepage.
1) maybe it is not archived, for example. it could be current, it could be "not used as yet"
2) you haven't switched logs perhaps. v$database will tell you the archive log mode of the database.
SQLPlus
Faisal Patel, February 09, 2005 - 12:31 am UTC
1- How to add a new SQLplus user permission (New user name - new password )?
February 09, 2005 - 2:11 pm UTC
sqlplus is a command line interface.
sqlplus doesn't have "users"
the database -- it has uses and you use the create user command (documented in the SQL reference, available on line at otn.oracle.com) to do that.
Limitation of an user granted with SYSDBA privilege
Murali, February 10, 2005 - 12:29 pm UTC
Hi Tom,
Is it possible that SYSDBA cannot grant rights to a role, ie -
as sysdba:
grant insert on <SCHEMA>.documents to dept_update_role
gives insufficient privileges error.
Thanks,
Murali
February 11, 2005 - 6:55 pm UTC
yes, depending on the release.
you would need to have "insert on schema.documents WITH GRANT OPTION" prior to 9ir2 (when you can grant the ability to grant on other schemas).
so, you probably don't have with grant option.
followup on System Privileges v/s Object Privileges
bhavani rao, March 14, 2005 - 6:05 pm UTC
This is regarding the previous question on "System Privileges v/s Object Privileges".
Is there any work arounbd for this problem.
Is there any way to retain the privileges granted to C while revoking from B.
March 14, 2005 - 7:59 pm UTC
not that I can think of.
Connecting as sysdba
Ishwar B Goudar, May 30, 2005 - 4:45 am UTC
My application is using an Oracle9i database. now i have to execute many scripts(written in Unix). when i try to run the script in Toad appl. i am getting error as "Insufficent Previlege" for a line "Connecting to Sys/change_on_install as Sysdba" statement. i don't know how to grant a user as sysdba.
i need immediate response for this.
Tahanking you.
with regards
Ishwar
May 30, 2005 - 8:52 am UTC
You don't have the privilege to connect as SYSDBA (and probably shouldn't, most people shouldn't, not too many scripts should even come close to needing it and those that do would be run and scheduled by the DBA, not run in toad)
this is something your DBA would have to provide to you (and I wouldn't give it out myself so don't be surprised when they say "no")
Connecting to sys/manager as sysdba
Ishwar B Goudar, May 30, 2005 - 4:52 am UTC
When i try to connect as "sys/manager as sysdba" through my user (which is having dba role) it is giving the following error:
ORA-12560: TNS:protocol adapter error
then
Warning: You are no longer connected to ORACLE.
after that i am unable transact or query through my user.
Why it is like that?
help me resolve this.
May 30, 2005 - 8:58 am UTC
insufficient data.
the DBA role is not relevant here, SYSDBA is the "role" you need and you'd get that via the operating system in this case (not using the network). So the OS account you are using isn't setup correctly to connect as sysdba.
The 12560 means (assuming windows) that the service behind the database isn't running.
C:\Documents and Settings\tkyte>sqlplus "/ as sysdba"
SQL*Plus: Release 8.1.7.0.0 - Production on Mon May 30 08:56:24 2005
(c) Copyright 2000 Oracle Corporation. All rights reserved.
<b>ERROR:
ORA-12560: TNS:protocol adapter error</b>
C:\Documents and Settings\tkyte> net start OracleServiceORA8IW
The OracleServiceORA8IW service is starting...........
The OracleServiceORA8IW service was started successfully.
C:\Documents and Settings\tkyte>sqlplus "/ as sysdba"
SQL*Plus: Release 8.1.7.0.0 - Production on Mon May 30 08:56:52 2005
(c) Copyright 2000 Oracle Corporation. All rights reserved.
Connected to:
Oracle8i Enterprise Edition Release 8.1.7.4.1 - Production
With the Partitioning option
JServer Release 8.1.7.4.1 - Production
SQL>
Granting 'Any' System Privileges
denni50, June 27, 2005 - 10:57 am UTC
Tom
I've decided to take you up on your offer.
This is from your blog:
<you wrote>
Any privilege that has ANY in it is dangerous. (really, think 500 times before granting it. Here is a promise if you are a DBA asked to grant an ANY privilege, you can pick any page on asktom and ask me why might I think twice before granting this. I dont care what page it is, Ill answer it).
Give me EXECUTE ANY PROCEDURE (please!). Ill wreak havoc on your database. Give me CREATE ANY PROCEDURE and Ill be really dangerous (can you spell Trojan Horse or worse?).
<end>
Why is this dangerous?
I have made a user of myself that is technically a 'super user' and have granted myself many system priviledges:
Alter Any Table
Analyze Any
Create Any Table
Execute Any Procedure..on and on.
Since I am the only one with these priviledges I want to make certain that I have all rights and permissions to do the things I need to do...naturally exercising great care, caution and responsibility.
thanks
June 27, 2005 - 11:08 am UTC
You are the DBA, so you are OK with it (wield that power carefully)
The point was if someone else asks you, the keeper of the ANY privs, to grant them an ANY priv -- stop, think, ask.
For you -- as someone who can be SYSDBA anyway, you already have all of the ANY's.
But a developer, should not have any of the ANYs. Not without a really utterly good reason (and I'm hard pressed to think of any :) all pun intended.
ora-01994
Devarshi, April 25, 2006 - 2:59 am UTC
We have oracle 8.1.7 on unix platform unix_svr5 7.1.1.After connecting to oracle as sys/*** as sysdba i tried to grant sysdba to another user abc. I get the error ORA-01994: GRANT failed: cannot add users to public password file .
What could be the problem ?
April 25, 2006 - 5:38 am UTC
$ oerr ora 1994
01994, 00000, "GRANT failed: password file missing or disabled"
// *Cause: The operation failed either because the INIT.ORA parameter
// REMOTE_LOGIN_PASSWORDFILE was set to NONE or else because the
// password file was missing.
// *Action: Create the password file using the orapwd tool and set the
// INIT.ORA parameter REMOTE_LOGIN_PASSWORDFILE to EXCLUSIVE.
How to restrict sys to login in oracle without password
Amit Mukherjee, September 20, 2007 - 3:04 am UTC
Dear Tom,
I have a production database in windows platform.clients are login in oracle as a sysdba without giving password and do unnecessary work such as dropping datafile, tablespace e.t.c so please help me how to restrict them. I can't remove the user from dba group or cant modify SQLNET.ORA file with SQLNET.AUTHENTICATION_SERVICES = (NONE)
I want whenever any user login in oracle as sysdba they must put the password which is in passwordfile.
September 24, 2007 - 7:08 am UTC
you can remove them from the DBA group, you really can.
Because you know what - if you don't, well, you won't be very successful meeting your goal.
Look - you gave the privs at the OS level and you tell Oracle "hey, do this os authentication thing"
what do you expect?
Behaviour of SYSDBA
Nag, July 01, 2009 - 12:48 am UTC
Hello Tom,
I came across something like the below, when i tried to connect to DB:
SQL> conn sys/dingdong as sysdba
Connected.
SQL> conn sys/nags123 as sysdba
Connected.
SQL> conn sys/password as sysdba
Connected.
SQL> conn sys/testing as sysdba
Connected.
SQL> conn sys/password
ERROR:
ORA-01017: invalid username/password; logon denied
The sys login seems to accept any password when conencted with sysdba privs, otherwise not. Could you shed some light on this behavior of the sysdba? I have checked with the versions of 9i & 10g running under UNIX.
I am not sure whether its been discussed before, pl let me know the reference should it be made already.
Regards,
Nag
July 06, 2009 - 7:00 pm UTC
connect anything/you_want as sysdba
is the same as
connect / as sysdba
"as sysdba" is the bit that is relevant, we us the OS to authenticate that. "as sysdba" is not remotely the same as connect as "sys/password"
as sysdba
is like connecting as 'root' on unix. And we use the OS to authenticate.