Oracle Password Change – Required Privileges for SYS Account

oracleoracle-19cpasswordsys

Our identity management tool wants to change the sys password regularly. It fails with the ORA-01031. What privileges or roles do I need to grant the identity management tool user to be able to change the sys password?

Best Answer

You'll need to be connected as a user with the SYSDBA privilege. Even "alter any user" will not be enough.

SQL> select *
  2  from   session_privs
  3  where  privilege like 'ALTER ANY%';

PRIVILEGE
----------------------------------------
ALTER ANY TABLE
ALTER ANY CLUSTER
ALTER ANY INDEX
ALTER ANY SEQUENCE
ALTER ANY ROLE
ALTER ANY PROCEDURE
ALTER ANY TRIGGER
ALTER ANY MATERIALIZED VIEW
ALTER ANY TYPE
ALTER ANY LIBRARY
ALTER ANY OPERATOR
ALTER ANY INDEXTYPE
ALTER ANY DIMENSION
ALTER ANY OUTLINE
ALTER ANY EVALUATION CONTEXT
ALTER ANY RULE SET
ALTER ANY RULE
ALTER ANY SQL PROFILE
ALTER ANY EDITION
ALTER ANY ASSEMBLY
ALTER ANY MINING MODEL
ALTER ANY CUBE DIMENSION
ALTER ANY CUBE
ALTER ANY SQL TRANSLATION PROFILE
ALTER ANY MEASURE FOLDER
ALTER ANY CUBE BUILD PROCESS
ALTER ANY ATTRIBUTE DIMENSION
ALTER ANY HIERARCHY
ALTER ANY ANALYTIC VIEW

29 rows selected.

SQL> alter user sys identified by newpass;
alter user sys identified by newpass
*
ERROR at line 1:
ORA-01031: insufficient privileges

Related Solutions

Oracle start database with incorrect password

When your OS user is from a DBA group, you can connect AS SYSDBA with OS authentication:

Two special operating system groups control database administrator connections when using operating system authentication. These groups are generically referred to as OSDBA and OSOPER. The groups are created and assigned specific names as part of the database installation process. [..]

Membership in the OSDBA or OSOPER group affects your connection to the database in the following ways:

If you are a member of the OSDBA group and you specify AS SYSDBA when you connect to the database, then you connect to the database with the SYSDBA system privilege.

If you are a member of the OSOPER group and you specify AS SYSOPER when you connect to the database, then you connect to the database with the SYSOPER system privilege.

You can then use CONNECT / AS SYSDBA or even CONNECT FOO/ANYTHING AS SYSDBA, the DB will ignore the user/password.

Oracle – How Does the SYS User Get SYSDBA Privilege?

From the 12c docs:

The SYS user is automatically granted the SYSDBA privilege upon installation. When you log in as user SYS, you must connect to the database as SYSDBA or SYSOPER. Connecting as a SYSDBA user invokes the SYSDBA privilege; connecting as SYSOPER invokes the SYSOPER privilege. Oracle Enterprise Manager Database Control does not permit you to log in as user SYS without connecting as SYSDBA or SYSOPER.

And you cannot revoke it:

SQL> revoke sysdba from sys;
revoke sysdba from sys
*
ERROR at line 1:
ORA-01998: REVOKE failed: user SYS always has SYSOPER
and SYSDBA

More information from the docs:

These administrative privileges allow access to a database instance even when the database is not open. Control of these privileges is totally outside of the database itself. Methods for authenticating database administrators with these privileges include operating system (OS) authentication, password files, and strong authentication with a directory-based authentication service.

These privileges can also be thought of as types of connections that enable you to perform certain database operations for which privileges cannot be granted in any other fashion.

and:

When you grant SYSDBA, SYSOPER, SYSBACKUP, SYSDG, or SYSKM administrative privilege to a user, that user's name and privilege information are added to the database password file. A user's name remains in the password file only as long as that user has at least one of these privileges. If you revoke all of these privileges, Oracle Database removes the user from the password file.

Best Answer

Related Solutions

Oracle start database with incorrect password

Oracle – How Does the SYS User Get SYSDBA Privilege?

Related Question