Oracle database: reference for reclaiming DBA privileges

1. Basic operating instructions

1. View the current system ORACLE_SID (linux)

# su - oracle
$ cat /etc/oratab
orcl:/oracle/app/oracle/product/11.2.0/dbhome_1:N
crm:/oracle/app/oracle/product/11.2.0/dbhome_1:N

2. Check the current system ORACLE_SID (windows)

Open [Control Panel]-[System Security]-[Management Tools]-[Services] and look for the services whose names begin with OracleService, such as OracleServiceORCL and OracleServiceCRM. Each such service corresponds to one instance (SID); there may be several.

3. Switch ORACLE_SID (linux)

$ echo $ORACLE_SID
orcl
$ export ORACLE_SID=crm
$ echo $ORACLE_SID
crm
$ sqlplus / as sysdba

4. Switch ORACLE_SID (windows)

C:\Users\sqluser> sqlplus sys/passwd@crm as sysdba
or
C:\Users\sqluser> set oracle_sid=crm
C:\Users\sqluser> sqlplus /nolog
SQL> connect / as sysdba      or   SQL> connect sys/passwd@crm as sysdba
SQL> select name from v$database;   or   SQL> select instance_name from v$instance;

2. Preparation for privilege recovery

Remarks: first run the following statement to find out which users hold the DBA role. If no user other than SYS and SYSTEM holds it, the remaining steps can be skipped.

SQL> select * from dba_role_privs where GRANTED_ROLE= 'DBA';
GRANTEE    GRANTED_ROLE        ADM DEF
------------------------------ ------------------------------ --- ---
SYS                DBA                YES YES
SYSTEM             DBA                YES YES

1. List the accounts with OPEN status in each instance

SQL> select username from dba_users where account_status='OPEN';
USERNAME
------------------------------
SYS
SYSTEM
ERP
3 rows selected.

2. List the roles granted to each user (dba_role_privs). The user name must be in upper case; the user ERP is used as the example below

SQL> select * from dba_role_privs where GRANTEE= 'ERP';
GRANTEE                GRANTED_ROLE           ADM DEF
------------------------------ ------------------------------ --- ---
ERP                DBA                NO  YES
ERP                RESOURCE               NO  YES
ERP                CONNECT                NO  YES

3. List the system privileges granted to each user (dba_sys_privs). The user name must be in upper case; the user ERP is used as the example below

SQL> select * from dba_sys_privs where GRANTEE='ERP';
GRANTEE                PRIVILEGE                ADM
------------------------------ ---------------------------------------- ---
ERP                CREATE ANY SYNONYM           NO
ERP                UNLIMITED TABLESPACE         NO
ERP                CREATE SESSION               NO

3. Reclaiming the DBA privilege

1. Revoke the DBA role

SQL> revoke dba from ERP;
Revoke succeeded.

2. Grant back the privileges the user actually needs

SQL> grant connect,resource to ERP;
grant create view to ERP;
grant create public synonym to ERP;
grant drop public synonym to ERP;
grant unlimited tablespace to ERP;
Grant succeeded.

3. Confirm permissions

SQL> select * from dba_role_privs where GRANTEE= 'ERP';
GRANTEE                GRANTED_ROLE           ADM DEF
------------------------------ ------------------------------ --- ---
ERP            CONNECT                NO  YES
ERP            RESOURCE               NO  YES
SQL> select * from dba_sys_privs where GRANTEE='ERP';
GRANTEE                PRIVILEGE                ADM
------------------------------ ---------------------------------------- ---
ERP            CREATE VIEW              NO
ERP            DROP PUBLIC SYNONYM          NO
ERP            CREATE PUBLIC SYNONYM            NO
ERP            UNLIMITED TABLESPACE         NO

4. Other dangerous system privileges that came with the DBA role, in particular those beginning with DROP ANY, UPDATE ANY, ALTER ANY and ADMINISTER, should be judged case by case and revoked where appropriate. DROP ANY TABLE is used as the example here

SQL> revoke DROP ANY TABLE from ERP;
Revoke succeeded.
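The audit in sections 2 and 3 is shown on the page one user and one view at a time. The following script, added here as an example and not taken from the original page, does the same inventory in one pass: it lists every open account holding DBA apart from SYS and SYSTEM, then lists the dangerous system privileges of the page's ERP user whether they are granted directly or through a role (one level of role nesting, via the standard ROLE_SYS_PRIVS view), and finally verifies that none remain after the revoke and regrant steps above. The ERP user name and the DROP ANY / UPDATE ANY / ALTER ANY / ADMINISTER patterns come from the page; run it as SYSDBA.

```sql
-- Added example (not from the original page). Run as SYSDBA.
-- Uses the dictionary views already used on the page (dba_role_privs,
-- dba_sys_privs, dba_users) plus role_sys_privs.

-- 1. Open accounts that hold DBA; SYS and SYSTEM are expected and excluded.
SELECT rp.grantee, rp.admin_option, u.account_status
  FROM dba_role_privs rp
  JOIN dba_users      u ON u.username = rp.grantee
 WHERE rp.granted_role = 'DBA'
   AND rp.grantee NOT IN ('SYS', 'SYSTEM')
   AND u.account_status = 'OPEN'
 ORDER BY rp.grantee;

-- 2. Dangerous system privileges held by ERP, directly or through a role.
--    'ERP' is the page's example user; change the literal for another account.
WITH target AS (
  SELECT 'ERP' AS username FROM dual
),
direct_privs AS (
  SELECT sp.grantee AS username, sp.privilege, 'DIRECT' AS via
    FROM dba_sys_privs sp
    JOIN target t ON t.username = sp.grantee
),
role_privs AS (
  SELECT rp.grantee AS username, rs.privilege, rp.granted_role AS via
    FROM dba_role_privs rp
    JOIN role_sys_privs rs ON rs.role = rp.granted_role
    JOIN target t ON t.username = rp.grantee
)
SELECT username, privilege, via
  FROM (SELECT * FROM direct_privs
        UNION ALL
        SELECT * FROM role_privs)
 WHERE privilege LIKE 'DROP ANY%'
    OR privilege LIKE 'UPDATE ANY%'
    OR privilege LIKE 'ALTER ANY%'
    OR privilege LIKE 'ADMINISTER%'
 ORDER BY via, privilege;

-- 3. After the revoke/regrant steps on the page, this check should return no rows.
SELECT grantee, granted_role
  FROM dba_role_privs
 WHERE grantee = 'ERP' AND granted_role = 'DBA'
UNION ALL
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE grantee = 'ERP'
   AND (privilege LIKE 'DROP ANY%'
     OR privilege LIKE 'UPDATE ANY%'
     OR privilege LIKE 'ALTER ANY%'
     OR privilege LIKE 'ADMINISTER%');
```

Query 2 reports the role through which each privilege arrives, which is what decides the remediation: a privilege listed as DIRECT is removed with `revoke <privilege> from ERP`, while one listed under a role name disappears only when that role is revoked (as the page does for DBA) or when the privilege is removed from the role itself.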

4. Notes

Note: if the ADM column shows YES, the grant was made WITH ADMIN OPTION (for roles and system privileges) or WITH GRANT OPTION (for object privileges), so the user can pass it on to others. Such a grant must be revoked and then granted again without the option.
Examples are as follows:

1. Query the roles granted to the ERP user (dba_role_privs)

SQL> select * from dba_role_privs where GRANTEE='ERP';
GRANTEE                GRANTED_ROLE           ADM DEF
------------------------------ ------------------------------ --- ---
ERP                CONNECT                YES YES
ERP                AQ_USER_ROLE           YES YES
ERP                RESOURCE               NO  YES

2. Revoke the grants whose ADM column is YES and grant them again without the option

SQL> revoke connect from ERP;
Revoke succeeded.
SQL> revoke AQ_USER_ROLE from ERP;
Revoke succeeded.
SQL> grant connect to ERP;
Grant succeeded.

3. Confirm permissions

SQL> select * from dba_role_privs where GRANTEE='ERP';
GRANTEE                GRANTED_ROLE           ADM DEF
------------------------------ ------------------------------ --- ---
ERP                CONNECT                NO  YES
ERP                AQ_USER_ROLE           NO  YES
ERP                RESOURCE               NO  YES

4. Check for database links, so that revoking privileges does not break cross-database access that depends on them

SQL> select * from dba_objects where object_type like '%LINK%';
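The ADM check in this section is shown for one user's roles only. The following script, added here as an example and not part of the original page, finds every grant outside SYS and SYSTEM that carries ADMIN OPTION (roles and system privileges) or GRANT OPTION (object privileges, from the standard DBA_TAB_PRIVS view), re-issues the page's CONNECT grant for ERP without the option, and then lists the database links with their owner and connect target using DBA_DB_LINKS, which shows where each link points rather than only that it exists. The ERP user and the CONNECT example come from the page; run it as SYSDBA.

```sql
-- Added example (not from the original page). Run as SYSDBA.

-- 1. Every grant that can be passed on by its holder, excluding SYS and SYSTEM.
--    CAST keeps the column types identical across the three UNION branches.
SELECT 'ROLE' AS kind, grantee, granted_role AS privilege,
       CAST(NULL AS VARCHAR2(128)) AS owner,
       CAST(NULL AS VARCHAR2(128)) AS object_name
  FROM dba_role_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM')
UNION ALL
SELECT 'SYSPRIV', grantee, privilege,
       CAST(NULL AS VARCHAR2(128)),
       CAST(NULL AS VARCHAR2(128))
  FROM dba_sys_privs
 WHERE admin_option = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM')
UNION ALL
SELECT 'OBJPRIV', grantee, privilege, owner, table_name
  FROM dba_tab_privs
 WHERE grantable = 'YES'
   AND grantee NOT IN ('SYS', 'SYSTEM')
 ORDER BY 1, 2, 3;

-- 2. Re-issue a flagged grant without the option, as the page does for ERP.
REVOKE connect FROM erp;
GRANT connect TO erp;          -- plain grant, no WITH ADMIN OPTION

-- 3. Confirm the ADM column is now NO for that role.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'ERP'
 ORDER BY granted_role;

-- 4. Database links: owner, link name, remote user and connect string.
--    Links owned by a user whose privileges were just reduced, or links that
--    connect as such a user, are the ones to retest after the change.
SELECT owner, db_link, username, host, created
  FROM dba_db_links
 ORDER BY owner, db_link;
```

Query 4 lists links across all schemas; a link whose remote account is the one being modified will start failing on the remote side if that account lost a privilege it needs there, which is why the list is worth keeping alongside the revocation record.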

5. End

Origin: blog.51cto.com/8355320/2561627