What are the differences between the Oracle SYS and SYSTEM built-in accounts?
Edit: Apart from 3 letters!
The SYS user is granted the SYSDBA privilege, which enables a user to perform high-level administrative tasks such as backup and recovery. SYSTEM: this account can perform all administrative functions except the following: backup and recovery; database upgrade.
sys is a filename extension used in MS-DOS applications and Microsoft Windows operating systems. They are system files that contain device drivers or hardware configurations for the system. Most DOS .sys files are real mode device drivers. Certain files using this extension are not, however: MSDOS.
SYS can connect AS SYSDBA, SYSTEM cannot. SYSDBA privilege is required to perform certain administrative tasks, like CREATE DATABASE and DROP DATABASE, and query any tables despite GRANT'ed permissions on them. In fact, whenever you connect as SYSDBA, you become a SYS.
SYS is different though. You can't lock it, even if you can, you can't. You can disable remote SYS logins by setting remote_login_passwordfile to none, so only local logins are allowed.
SYS owns the Oracle data dictionary. Every object in the database (tables, views, packages, procedures, etc.) has a single owner. The database dictionary and a whole lot of special tables (performance views and the like) are all owned by the SYS user.
The SYSTEM user is supposed to be the master DBA user, with access to all of these objects. This reflects an early, and long-time, Oracle security design philosophy. You build the application using one user, then create a second with access (select, update, delete) but not drop privileges. This gives you a "super-user" access to your schema without being able to destroy it accidentally. Over the years, things have been added to the SYSTEM account that may have needed to be in the SYS account. But very few people want to give out access to their SYS account if they don't have to.
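The points made in the answers above (who can connect AS SYSDBA, the remote_login_passwordfile setting, and what SYS owns versus what SYSTEM is granted) can be checked on a live instance. The queries below are an added example, not part of the original answers. They assume a session with access to the DBA_ and V$ views, and use only standard Oracle dictionary views.

```sql
-- Added example: audit of the SYS / SYSTEM privilege boundary.
-- Run from SQL*Plus or SQLcl in a session that can read DBA_ and V$ views.

-- 1. Accounts listed in the password file, i.e. able to connect
--    AS SYSDBA / AS SYSOPER with a password. SYS should be the only
--    row unless extra grants were made deliberately.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER  BY username;

-- 2. Current password-file mode. NONE means privileged connections
--    must be authenticated by the operating system, so remote
--    password-based SYS logins are refused.
SELECT name, value
FROM   v$parameter
WHERE  name = 'remote_login_passwordfile';

-- 3. State of the two built-in accounts.
SELECT username, account_status, profile
FROM   dba_users
WHERE  username IN ('SYS', 'SYSTEM');

-- 4. SYSTEM gets its power from the DBA role, not from SYSDBA.
--    Any other grantee here has SYSTEM-level reach.
SELECT grantee, admin_option
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
ORDER  BY grantee;

-- 5. Object ownership: the data dictionary lives in the SYS schema.
SELECT owner, COUNT(*) AS object_count
FROM   dba_objects
WHERE  owner IN ('SYS', 'SYSTEM')
GROUP  BY owner;

-- 6. Mitigation mentioned above, left commented out because it
--    changes the instance. The parameter is static, so it is written
--    to the spfile and takes effect after a restart.
-- ALTER SYSTEM SET remote_login_passwordfile = NONE SCOPE = SPFILE;
```

Extra rows in query 1 or unexpected grantees in query 4 are the findings to review first, since they extend SYS-level or SYSTEM-level access to other accounts.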