TOAD User Over Use of SYSDBA

I made a comment a few days back about TOAD users connecting too often to their
databases using SYSDBA or SYSOPER – i.e. connect username/password as
SYSDBA.

So today I received an excellent email from Don Burleson on this very topic:
http://www.dba-oracle.com/t_oracle_sysdba.htm

When you connect as SYSDBA, it’s the same as connecting as INTERNAL in days
past. Other than a few well-defined circumstances when this is absolutely
needed, there is really no reason to connect as SYSDBA. TOAD does not require
SYSDBA to do 98% of DBA-type work or tasks. For example, if you will be using
TOAD’s Instance Manager screen to stop and start databases – then
it’s needed and justified.

Hi Bert,

> I made a comment a few days back about TOAD users connecting
> too often to their databases using SYSDBA or SYSOPER - i.e.
> connect username/password as SYSDBA.

I agree! None of my Toad connections are as sysdba. If I need as sysdba
I have to be on the server thanks to the password files. Best way in my
opinion.

> So today I received an excellent email from Don Burleson on
> this very topic: Oracle SYSDBA tips

Hmmm.

Well, this is wrong for a start:

root> sqlplus /
SQL> connect myuser as sysdba password mypass

Because if you run the command "sqlplus /" as displayed on the web page,
you get the following output & errors:

sqlplus /

SQL*Plus: Release 9.2.0.8.0 - Production on Thu Dec 30 14:14:15 2010
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
ERROR:
ORA-01017: invalid username/password; logon denied
Enter user-name:

I suspect what Don meant to type was:

root> sqlplus /nolog
SQL> connect myuser as sysdba password mypass

As that allows the SQL> prompt to be displayed without the error.

Just picking nits! :wink:

Cheers,
Norm.[TeamT]

Information in this message may be confidential and may be legally privileged. If you have received this message by mistake, please notify the sender immediately, delete it and do not copy it to anyone else.

We have checked this email and its attachments for viruses. But you should still check any attachment before opening it.
We may have to make this message and any reply to it public if asked to under the Freedom of Information Act, Data Protection Act or for litigation. Email messages and attachments sent to or from any Environment Agency address may also be accessed by someone other than the sender or recipient, for business purposes.

If we have sent you information and you wish to use it please read our terms and conditions which you can get by calling us on 08708 506 506. Find out more about the Environment Agency at www.environment-agency.gov.uk

Thanks for the confirmation – and yes there are some nit picks to be had
both in his and my quick notes. But the concept is sound – and
that’s what’s important :)

HAPPY NEW YEAR!!!

Hi Bert,

> Thanks for the confirmation - and yes there are some nit
> picks to be had both in his and my quick notes. But the
> concept is sound - and that's what's important :)

Indeed. Just because you can, doesn't mean that you have to! (Login as
sysdba.)

> HAPPY NEW YEAR!!!!!!

Thanks. And reciprocal greetings to you too.

Happy New Year.

Cheers,
Norm. [TeamT]


> root> sqlplus /nolog

Now, see… that’s the kind of advice people don’t pay much
attention to. The reason being is that it’s contradictory.

If’n I’m reading that prompt right, he’s logging in to Unix as
the root account then suggesting you don’t use a god-type account unless
absolutely necessary.

I’m thinking that’s an ooops on his part. I’m sure he could
have just as easily used the sysdba example without logging in to Unix as
root… unless, I suppose, his security setup has the sysdba account tied to
the root account somehow.

From a security perspective, I’d think having the two accounts tied like
that is asking for trouble… basic separation of duties concepts and all
that.

I’ve always found it best that when a person gives advice, they actually
follow it themselves :slight_smile:

Roger S.