SYS
- Automatically created when Oracle database is installed
- Automatically granted the
DBA
role
- Has a default password:
CHANGE_ON_INSTALL
(make sure you change it)
- Owns the base tables and views for the database data dictionary
- The default schema when you connect as
SYSDBA
Tables in the SYS
schema are manipulated only by the database. They should never be modified by any user or database administrator, and no one should create any tables in the schema of user SYS
. Database users should not connect to the Oracle database using the SYS
account.
SYSTEM
- Automatically created when Oracle database is installed
- Automatically granted the
DBA
role
- Has a default password:
MANAGER
(make sure you change it)
- Used to create additional tables and views that display administrative information
- Used to create internal tables and views used by various Oracle database options and tools
Never use the SYSTEM
schema to store tables of interest to non-administrative users.
/via
The script creates certain objects, and it will put them in the current schema. Oracle wishes that these objects be created on SYSTEM schema, hence the requirement.
There are two Oracle schemas, SYS and SYSTEM, because they have two purposes. In short, SYS truly is the "special" user in respect to database internals, while SYSTEM works normally.
The SYS is the owner of the database, the only user with access to X$ tables, the only user which acts as SYSDBA (internally), that bypasses logon triggers, and that, for some obscure reason, cannot obtain read-consistent view of data. As a schema it holds crucial Oracle stuff, mainly the data dictionary.
The SYSTEM is fairly normal schema with DBA privilege (database administrator, not the same as SYSDBA), only that it is built-in and contains some additional (but also quite important) Oracle stuff. You shouldn't put your own stuff in this schema, if not instructed so by Oracle.
Best Answer
SYSTEM
can be locked without any difficulties.SYS
is different though. You can't lock it, even if you can, you can't.You can disable remote
SYS
logins by settingremote_login_passwordfile
tonone
, so only local logins are allowed. This will prevent using Data Guard though for example.You can also prevent
'/ as sysdba'
by settingSQLNET.AUTHENTICATION_SERVICES=(none)
insqlnet.ora
.Finally, you can completely lock yourself out by combining the above with deleting the password file from
$ORACLE_HOME/dbs
. This way you will not be able to log in asSYSDBA
orSYSOPER
at all. But even still,SYS
user will not be really locked, its just that you can not be authenticated. If you recreate the passwordfile, you will be able to get in again.