Two ways to stop users who hold ALTER USER from changing passwords: Database Vault (DBV) and triggers

Applies To

All Users Gen 1 Exadata Cloud at Customer (Oracle Exadata Database Cloud Machine) - Version N/A and later

Oracle Cloud Infrastructure - Database Service - Version N/A and later

Oracle Database Backup Service - Version N/A and later

Oracle Database Cloud Exadata Service - Version N/A and later

Oracle Database Cloud Schema Service - Version N/A and later

Oracle Database Cloud Service - Version N/A and later

Oracle Database Exadata Express Cloud Service - Version N/A and later

Summary

How can a user who has been granted the ALTER USER privilege be prevented from changing the passwords of the SYS and SYSTEM users?

Solution

This can be achieved with two methods:

  • Database Vault

  • Triggers

Database Vault

Oracle Database Vault provides out-of-the-box separation of duties, separating database administrator activity from database user creation and maintenance. Database Vault creates roles that keep these actions apart.

For example, to create or alter a user you would be required to hold the DV_ACCTMGR role.

This separation applies to SYS and SYSTEM accounts as well.

Because Database Vault uses roles for this separation, granting a user the ability to create or maintain users is simply a matter of granting that user the DV_ACCTMGR role, after which they hold the required privileges again.

All of this is achieved without triggers.

Triggers

To prevent this situation you can use a DDL event trigger:


SQL> conn / as sysdba
Connected.

SQL> CREATE or REPLACE TRIGGER prohibit_alter_SYSTEM_SYS_pass
  BEFORE ALTER on <USER1>.schema
BEGIN
  IF ora_sysevent='ALTER' and ora_dict_obj_type = 'USER' and
     (ora_dict_obj_name = 'SYSTEM' or ora_dict_obj_name = 'SYS')
  THEN
    RAISE_APPLICATION_ERROR(-20003,
      'You are not allowed to alter SYSTEM/SYS user.');
  END IF;
END;
/

Trigger created.

Example:

SQL> conn <USER1>/<pwd>
Connected.

SQL> alter user SYSTEM identified by <pwd2>;
alter user SYSTEM identified by <pwd2>
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5

SQL> alter user sys identified by <pwd3>;
alter user sys identified by <pwd3>
*
ERROR at line 1:
ORA-00604: error occurred at recursive SQL level 1
ORA-20003: You are not allowed to alter SYSTEM/SYS user.
ORA-06512: at line 5

SQL> alter user dbsnmp identified by <pwd5>;
User altered.
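The trigger in the note is created ON <USER1>.SCHEMA, so it fires only for DDL issued by that one user; any other account holding ALTER USER is still able to change the SYS and SYSTEM passwords. The following is an added example, not code from the original note, that generalizes the same check to a database-wide trigger (BEFORE ALTER ON DATABASE) so it covers every session. The list of protected accounts, the trigger name, and the decision to exempt SYS itself (so that the designated administrator can still manage those accounts) are this example's own policy choices and are not part of the note.

```sql
-- Added example (not from the original note): database-wide version of the
-- note's schema trigger. Created as SYS; fires for ALTER statements issued by
-- any session rather than only by <USER1>.
CREATE OR REPLACE TRIGGER prohibit_alter_protected_users
  BEFORE ALTER ON DATABASE
BEGIN
  -- ora_dict_obj_type is 'USER' for ALTER USER and ora_dict_obj_name holds the
  -- account being altered (always upper case in the dictionary).
  IF ora_sysevent = 'ALTER'
     AND ora_dict_obj_type = 'USER'
     AND ora_dict_obj_name IN ('SYS', 'SYSTEM')   -- protected-account list (example policy)
     AND ora_login_user <> 'SYS'                  -- exempt SYS itself (example policy)
  THEN
    -- Raising an error from a DDL trigger cancels the ALTER USER statement,
    -- which the caller sees as ORA-00604 wrapping ORA-20003, as in the note.
    RAISE_APPLICATION_ERROR(-20003,
      'You are not allowed to alter ' || ora_dict_obj_name || ' user.');
  END IF;
END;
/

-- Confirm the trigger exists and is ENABLED before relying on it; a disabled
-- DDL trigger silently allows the change.
SELECT owner, trigger_name, triggering_event, base_object_type, status
  FROM dba_triggers
 WHERE trigger_name = 'PROHIBIT_ALTER_PROTECTED_USERS';
```

As with the note's trigger, ALTER USER on accounts outside the protected list (the dbsnmp case above) proceeds unchanged. Because the control lives in a trigger, anyone holding ALTER ANY TRIGGER or DROP ANY TRIGGER can disable or remove it, so audit DDL against the trigger itself; Database Vault's role-based separation has no equivalent single point that an ordinary DBA privilege can switch off.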
