For a while now, Oracle has been moving its security model toward a more differentiated set of privileges than just SYSDBA and SYSOPER. We saw this in 11g with the SYSASM privilege. This is in response to the growing number of DBA shops that delineate permissions at a more granular level, even among DBAs. Rather than saying, “Here’s my DBA team, everyone has SYSDBA,” more and more IT shops are defining DBA job roles at a lower level. If an application DBA never has the job responsibility to shutdown or backup a database, then maybe they don’t need SYSDBA. However, the lines aren’t always that clear, so Oracle has been adding new levels of admin privileges. In 12c, they’ve added several.
The SYSBACKUP privilege allows a user to connect to the target database and run RMAN commands, without requiring SYSDBA. Here’s what it looks like.
Recovery Manager: Release 18.104.22.168.0 - Production on Tue Aug 13 14:57:41 2013
Copyright (c) 1982, 2013, Oracle and/or its affiliates. All rights reserved.
RMAN> connect target "altdotoracle@test1 as sysbackup"
target database Password:
connected to target database: TEST1 (DBID=1787845942)
RMAN> select user from dual;
using target database control file instead of recovery catalog
RMAN> backup tablespace users;
Starting backup at 13-AUG-13
allocated channel: ORA_DISK_1
Finished backup at 13-AUG-13
In truth, SYSBACKUP has a lot more rights than just those needed to do something like a hot backup, including startup and shutdown, creating tables and tablespaces and executing a number of supplied packages. So from that perspective, I’m not exactly sure they hit the mark on this one. Nevertheless, it does differentiate SYSBACKUP from the god-like SYSDBA admin privilege to some degree. There are also the new admin privileges SYSDG, for administering Data Guard, and SYSKM to do Transparent Data Encryption (TDE) administration. Consequently, there are new columns in v$pwfile_users to reflect these new privs.
SQL> desc v$pwfile_users
Name Null? Type
--------------------------- -------- ---------------
If we examine the view itself, we see this in action.
SQL> select * from v$pwfile_users;
USERNAME SYSDB SYSOP SYSAS SYSBA SYSDG SYSKM CON_ID
----------------- ----- ----- ----- ----- ----- ----- ----------
SYS TRUE TRUE FALSE FALSE FALSE FALSE 0
SYSDG FALSE FALSE FALSE FALSE TRUE FALSE 0
SYSBACKUP FALSE FALSE FALSE TRUE FALSE FALSE 0
SYSKM FALSE FALSE FALSE FALSE FALSE TRUE 0
ALTDOTORACLE FALSE FALSE FALSE TRUE FALSE FALSE 0