- Oracle Database 12c Security Cookbook
- Zoran Pavlovi? Maja Veselica
- 637字
- 2021-07-02 16:43:13
The sysbackup privilege – how, when, and why should you use it?
It is recommended that you use the sysbackup administrative privilege instead of the sysdba administrative privilege to perform operations related to backup and recovery tasks.
Getting ready
For this recipe, you'll need:
- An existing database user (for example,
tom) and a password file in 12c format, if you want to complete it using a password-authenticated user - An existing OS user (for example,
john), who belongs to thebackupdbaOS group, in order to connect to the database using OS authentication
How to do it...
Instructions are given in the Database authentication and OS authentication sections.
The instructions for database authentication are as follows:
- Connect to the database as
sysdba(or another user that can grant thesysbackupprivilege):sqlplus / as sysdba - Grant the
sysbackupprivilege to usertom:grant sysbackup to tom; - Verify that there is an entry in the password file that grants user
tomthesysbackupadministrative privilege. Select data from thev$pwfile_usersview:select * from v$pwfile_users;The following table is the result of the preceding command:
- Test the connection using
RMAN:rman target '"tom/oracle_123 as sysbackup"'
How it works...
You can use either Oracle Recovery Manager (RMAN) or SQL*Plus to perform the operations. When you connect to the database as sysbackup, you are connected as a predefined user sysbackup. If you want to check this, run the following statement:
SQL> select user from dual;
Otherwise, the following statement:
SQL> show user
Using the sysbackup privilege, you can connect to the database even when it is not open. This privilege enables better separation of duties and the implementation of the least privilege principle.
To view the list of privileges a user can exercise when connected to the database using sysbackup privilege, you can create a user (for example, tom) and grant the user only sysbackup privileges. The next step is to connect to the database as user tom, using the sysbackup privilege and the execute statement:
select * from session_privs;
These privileges are shown in the following table:
This is how you can check enabled roles:
SQL> select * from session_roles; ROLE ------------------- SELECT_CATALOG_ROLE HS_ADMIN_SELECT_ROLE
If you want to view the roles and privileges granted to sysbackup, you can query DBA_ROLE_PRIVS and DBA_SYS_PRIVS:
SQL> select * from dba_role_privs where grantee='SYSBACKUP'; SQL> select * from dba_sys_privs where grantee='SYSBACKUP';
Also, this new administrative privilege enables you to select, insert, delete, execute, and perform operations:
There's more...
You can't drop user sysbackup. In a multitenant environment, you can restrict a user to be able to perform backups only for the PDB it can connect to. You can accomplish that by creating a local user in the PDB and granting the sysbackup privilege to the user. When you are connected to the database as the sysbackup, you are connected as sysbackup user to SYS schema:
SQL> connect / as sysbackup Connected. SQL> show user USER is "SYSBACKUP" SQL> select sys_context( 'userenv', 'current_schema' ) from dual; SYS_CONTEXT('USERENV','CURRENT_SCHEMA')---------------------------------------SYS
See also
- Creating password-authenticated users
- Creating and using OS-authenticated users
- Modular Programming with Python
- Mobile Web Performance Optimization
- Getting started with Google Guava
- Mastering SVG
- React Native Cookbook
- UI智能化與前端智能化:工程技術、實現方法與編程思想
- 單片機應用技術
- 征服RIA
- Android系統(tǒng)原理及開發(fā)要點詳解
- Nagios Core Administration Cookbook(Second Edition)
- Java 從入門到項目實踐(超值版)
- 軟件測試技術
- Java自然語言處理(原書第2版)
- 從零開始學算法:基于Python
- Learning TypeScript