Friday, 3 July 2015




  'ALTER SYSTEM' privilege too high- Oracle Database



In production databases no user except default Oracle users should have ALTER SYSTEM privilege.
You should automate or update your alert generation system if any users other than Oracle database default users having ALTER SYSTEM privilege you will be notified.

Following is the way you can check if  any user's other than Oracle database default users having ALTER SYSTEM privilege. If you find any user revoke his privilege after confirming your organization policy:


SQL> desc DBA_SYS_PRIVS;
 Name                                      Null?    Type
 ----------------------------------------- -------- ----------------------------
 GRANTEE                                   NOT NULL VARCHAR2(30)
 PRIVILEGE                                 NOT NULL VARCHAR2(40)
 ADMIN_OPTION                                       VARCHAR2(3)

SQL> select GRANTEE,PRIVILEGE from DBA_SYS_PRIVS where PRIVILEGE = 'ALTER SYSTEM';

GRANTEE                        PRIVILEGE
------------------------------ ----------------------------------------
SYS                            ALTER SYSTEM
DBA                            ALTER SYSTEM
APEX_030200                    ALTER SYSTEM

SQL> select USERNAME,PROFILE from dba_users where USERNAME = 'APEX_030200';

USERNAME                       PROFILE
------------------------------ ------------------------------
APEX_030200                    DEFAULT
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)