Re: Oracle SYS auditing

  • From: Hans Forbrich <fuzzy.graybeard@xxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Fri, 01 Aug 2014 10:00:12 -0600

In Linux and Unix, Oracle has deliberately set things to support SetGID. And they further have built-in checks inside the executables to verify that the person is in the appropriate group.


Anyone who has an operating system account that is a member of 'SYSDBA' (usually 'dba') can perform *ALL* routine database maintenance except those operations that involve the Oracle Inventory.

In 12c, this idea is dramatically extended, and *general use of SYSDBA* is 'deprecated' in favour of SYSDG, SYSBACKUP and SYSKM and SYSOPER.

There is almost NO reason, except to apply patches and new s/w, for people to log on to the 'oracle' user. Using appropriate management in ORAPW, each person should be able to access the database as needed using "sqlplus / as sysbackup" (or variant) from their own *nx userid. All privileged access is audited.

su/login and even sudo to 'oracle' for any routine database operations should largely be a thing of the past.

And really - how often do you need to apply patches (to one DB environment)? This can be controlled and scheduled.

/Hans
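As an added illustration of the auditing point raised in this thread (not code from either poster): Oracle writes a mandatory OS audit record for every privileged connection, and the CLIENT USER field in that record is the only thing that ties a "/ as sysdba" login to a person. The script below parses constructed sample records in the text .aud layout (field names follow the real files; values and the 'oracle' owner name are assumptions) and separates connections attributable to an individual OS account from those made through the shared software-owner login.

```python
import re

# Constructed sample of two records in the text ".aud" layout Oracle writes for
# mandatory auditing of privileged (AS SYSDBA/SYSBACKUP/...) connections.
# Field names mirror the real files; the values are made up for this example.
SAMPLE_AUD = """\
Fri Aug  1 10:00:12 2014 -06:00
LENGTH : '170'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[6] 'SYSDBA'
CLIENT USER:[6] 'oracle'
CLIENT TERMINAL:[5] 'pts/0'
STATUS:[1] '0'

Fri Aug  1 10:05:43 2014 -06:00
LENGTH : '172'
ACTION :[7] 'CONNECT'
DATABASE USER:[1] '/'
PRIVILEGE :[9] 'SYSBACKUP'
CLIENT USER:[5] 'hansf'
CLIENT TERMINAL:[5] 'pts/1'
STATUS:[1] '0'
"""

# Matches "NAME :[len] 'value'" and "NAME : 'value'" lines.
FIELD_RE = re.compile(r"^([A-Z ]+?)\s*:\s*(?:\[\d+\]\s*)?'(.*)'$")
# Assumption: the Oracle software-owner login that several people might share.
SHARED_OS_ACCOUNTS = {"oracle"}

def parse_records(text):
    """Split an .aud file into blank-line separated records, one dict each."""
    records = []
    for chunk in text.strip().split("\n\n"):
        lines = chunk.splitlines()
        rec = {"TIMESTAMP": lines[0]}          # first line is the timestamp
        for line in lines[1:]:
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1).strip()] = m.group(2)
        records.append(rec)
    return records

def attribute(records):
    """Return (attributable, ambiguous) lists of privileged CONNECT records.
    A CONNECT made as '/' is attributable to a person only when CLIENT USER
    is an individual OS login rather than the shared owner account."""
    attributable, ambiguous = [], []
    for r in records:
        if r.get("ACTION") != "CONNECT" or not r.get("PRIVILEGE"):
            continue
        who = r.get("CLIENT USER", "")
        (ambiguous if who in SHARED_OS_ACCOUNTS else attributable).append(r)
    return attributable, ambiguous
```

Records landing in the ambiguous list are exactly the su/sudo-to-oracle logins the thread argues against; with sudo in use they can only be tied to a person by correlating the timestamp and CLIENT TERMINAL with the sudo log.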

On 01/08/2014 9:41 AM, Freeman, Donald G. CTR (ABL) wrote:
Good practice in Oracle is for all privileged users to have their own
accounts.  I'm having an argument over whether or not you can determine who
takes an action on the database using a shared account logging in to the
Oracle OS account on a server and then logging in as / as SYSDBA.   If a
sudo'ers group is not used then privileged users share the Oracle account
password.

I think the proper way to do it is through individual OS accounts,
membership in the DBA group, inclusion in a  sudo'ers group to protect the
Oracle password, and granting of sysdba privilege to somebody who has an
individual dba account on the database.   I would think this would create
complete, unambiguous audit records.

Am I missing something?   Shared accounts may make things 'easier' for
privileged users but cause a problem when it comes to auditing.   Can shared
account usage be audited at all, or is it just hard?

Thanks,
