1. Basic operating instructions
1. View the current system ORACLE_SID (Linux)
# su - oracle
$ cat /etc/oratab
orcl:/oracle/app/oracle/product/11.2.0/dbhome_1:N
crm:/oracle/app/oracle/product/11.2.0/dbhome_1:N
2. Check the current system ORACLE_SID (Windows)
Open [Control Panel]-[System and Security]-[Administrative Tools]-[Services] and look for services whose names begin with OracleService, such as OracleServiceORCL or OracleServiceCRM. Each such service corresponds to one instance (SID), so there may be several of them.
3. Switch ORACLE_SID (Linux)
$ echo $ORACLE_SID
orcl
$ export ORACLE_SID=crm
$ echo $ORACLE_SID
crm
$ sqlplus / as sysdba
4. Switch ORACLE_SID (Windows)
C:\Users\sqluser> sqlplus sys/passwd@crm as sysdba
or
C:\Users\sqluser> set oracle_sid=crm
C:\Users\sqluser> sqlplus /nolog
SQL> connect / as sysdba    or    SQL> connect sys/passwd@crm as sysdba
SQL> select name from v$database;    or    SQL> select instance_name from v$instance;
2. Preparation for permission recovery
Remarks: first run the following statement to check which users hold the DBA role. If no user holds it (apart from SYS and SYSTEM), the remaining steps can be skipped.
SQL> select * from dba_role_privs where GRANTED_ROLE= 'DBA';
GRANTEE GRANTED_ROLE ADM DEF
------------------------------ ------------------------------ --- ---
SYS DBA YES YES
SYSTEM DBA YES YES
1. List the users whose accounts are OPEN in each instance
SQL> select username from dba_users where account_status='OPEN';
USERNAME
------------------------------
SYS
SYSTEM
ERP
3 rows selected.
2. List the roles granted to each user (dba_role_privs). The user name must be written in upper case; the user ERP is used as the example below.
SQL> select * from dba_role_privs where GRANTEE= 'ERP';
GRANTEE GRANTED_ROLE ADM DEF
------------------------------ ------------------------------ --- ---
ERP DBA NO YES
ERP RESOURCE NO YES
ERP CONNECT NO YES
3. List the system privileges granted to each user (dba_sys_privs). The user name must be written in upper case; the user ERP is used as the example below.
SQL> select * from dba_sys_privs where GRANTEE='ERP';
GRANTEE PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
ERP CREATE ANY SYNONYM NO
ERP UNLIMITED TABLESPACE NO
ERP CREATE SESSION NO
3. Reclaiming DBA privileges
1. Revoke the DBA role
SQL> revoke dba from ERP;
Revoke succeeded.
2. Re-grant the privileges the user actually needs
SQL> grant connect,resource to ERP;
grant create view to ERP;
grant create public synonym to ERP;
grant drop public synonym to ERP;
grant unlimited tablespace to ERP;
Grant succeeded.
3. Confirm permissions
SQL> select * from dba_role_privs where GRANTEE= 'ERP';
GRANTEE GRANTED_ROLE ADM DEF
------------------------------ ------------------------------ --- ---
ERP CONNECT NO YES
ERP RESOURCE NO YES
SQL> select * from dba_sys_privs where GRANTEE='ERP';
GRANTEE PRIVILEGE ADM
------------------------------ ---------------------------------------- ---
ERP CREATE VIEW NO
ERP DROP PUBLIC SYNONYM NO
ERP CREATE PUBLIC SYNONYM NO
ERP UNLIMITED TABLESPACE NO
4. Other dangerous privileges that came with the DBA role, especially system privileges beginning with DROP ANY, UPDATE ANY, ALTER ANY and ADMINISTER, should be assessed case by case and revoked where appropriate. DROP ANY TABLE is used as the example below.
SQL> revoke DROP ANY TABLE from ERP;
Revoke succeeded.
4. Points to note
Note: If the ADM column shows YES, the grant was made WITH ADMIN OPTION (for system privileges and roles) or WITH GRANT OPTION (for object privileges). Such a grant must be revoked and then re-granted without that option.
Examples are as follows:
1. Query the roles granted to the ERP user (dba_role_privs)
SQL> select * from dba_role_privs where GRANTEE='ERP';
GRANTEE GRANTED_ROLE ADM DEF
------------------------------ ------------------------------ --- ---
ERP CONNECT YES YES
ERP AQ_USER_ROLE YES YES
ERP RESOURCE NO YES
2. Revoke the grants whose ADM column shows YES, then re-grant them without the admin option
SQL> revoke connect from ERP;
Revoke succeeded.
SQL> revoke AQ_USER_ROLE from ERP;
Revoke succeeded.
SQL> grant connect to ERP;
Grant succeeded.
3. Confirm permissions
SQL> select * from dba_role_privs where GRANTEE='ERP';
GRANTEE GRANTED_ROLE ADM DEF
------------------------------ ------------------------------ --- ---
ERP CONNECT NO YES
ERP AQ_USER_ROLE NO YES
ERP RESOURCE NO YES
4. Check whether any database links exist, so that revoking privileges does not break cross-database access that depends on them
SQL> select * from dba_objects where object_type like '%LINK%';
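The review in sections 2 to 4 above (find DBA holders, flag system privileges with the DROP ANY / UPDATE ANY / ALTER ANY / ADMINISTER prefixes, find grants with ADM = YES, then draft the revoke and re-grant statements) can be done offline against saved SQL*Plus output. The script below is an added example, not part of the original page: it parses the fixed-width listings that the dba_role_privs and dba_sys_privs queries print, audits one user, and drafts the SQL for a DBA to review. The sample listing is constructed, the list of privileges kept after the DBA role is revoked (keep_roles / keep_privs) is an assumption taken from section 3's example, and nothing is executed against a database.

```python
"""Audit saved SQL*Plus privilege listings and draft a reclaim script.

Added example; not the page's own tooling. Assumes the column layouts
shown on the page (GRANTEE GRANTED_ROLE ADM DEF and GRANTEE PRIVILEGE ADM).
"""
import re

# Prefixes the page names as dangerous when granted as system privileges.
DANGEROUS_PREFIXES = ("DROP ANY", "UPDATE ANY", "ALTER ANY", "ADMINISTER")
# Accounts the page exempts from the review.
EXEMPT_USERS = ("SYS", "SYSTEM")

ROLE_WIDTHS = (30, 30, 3, 3)   # dba_role_privs column widths as printed
SYS_WIDTHS = (30, 40, 3)       # dba_sys_privs column widths as printed


def _fmt(widths, *cells):
    """Lay out one SQL*Plus line with the given fixed column widths."""
    return " ".join(c.ljust(w) for c, w in zip(cells, widths))


# Constructed sample output, in the shape SQL*Plus prints for the page's queries.
SAMPLE_ROLE_PRIVS = "\n".join([
    _fmt(ROLE_WIDTHS, "GRANTEE", "GRANTED_ROLE", "ADM", "DEF"),
    _fmt(ROLE_WIDTHS, *("-" * w for w in ROLE_WIDTHS)),
    _fmt(ROLE_WIDTHS, "ERP", "DBA", "NO", "YES"),
    _fmt(ROLE_WIDTHS, "ERP", "CONNECT", "YES", "YES"),
    _fmt(ROLE_WIDTHS, "ERP", "AQ_USER_ROLE", "YES", "YES"),
    _fmt(ROLE_WIDTHS, "ERP", "RESOURCE", "NO", "YES"),
    "",
    "4 rows selected.",
])
SAMPLE_SYS_PRIVS = "\n".join([
    _fmt(SYS_WIDTHS, "GRANTEE", "PRIVILEGE", "ADM"),
    _fmt(SYS_WIDTHS, *("-" * w for w in SYS_WIDTHS)),
    _fmt(SYS_WIDTHS, "ERP", "CREATE ANY SYNONYM", "NO"),
    _fmt(SYS_WIDTHS, "ERP", "DROP ANY TABLE", "NO"),
    _fmt(SYS_WIDTHS, "ERP", "UNLIMITED TABLESPACE", "NO"),
    _fmt(SYS_WIDTHS, "ERP", "CREATE SESSION", "YES"),
])


def parse_sqlplus(text):
    """Turn fixed-width SQL*Plus output into a list of dict rows.

    The dashed ruler line fixes the column boundaries; the line above it
    carries the column names. Blank lines and 'N rows selected.' are ignored.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        if i > 0 and re.fullmatch(r"[- ]+", line):
            header, ruler, data = lines[i - 1], line, lines[i + 1:]
            break
    else:
        raise ValueError("no column ruler line found in SQL*Plus output")
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", ruler)]
    names = [header[s:e].strip() for s, e in spans]
    rows = []
    for line in data:
        if re.match(r"\d+ rows? selected\.", line):
            continue
        rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, spans)})
    return rows


def audit_user(user, role_rows, sys_rows):
    """Classify one user's grants the way sections 2-4 of the page do."""
    u = user.upper()                      # catalog names are upper case
    roles = [r for r in role_rows if r["GRANTEE"] == u]
    privs = [r for r in sys_rows if r["GRANTEE"] == u]
    return {
        "has_dba": any(r["GRANTED_ROLE"] == "DBA" for r in roles),
        "dangerous": sorted(r["PRIVILEGE"] for r in privs
                            if r["PRIVILEGE"].startswith(DANGEROUS_PREFIXES)),
        "admin_roles": sorted(r["GRANTED_ROLE"] for r in roles if r["ADM"] == "YES"),
        "admin_privs": sorted(r["PRIVILEGE"] for r in privs if r["ADM"] == "YES"),
    }


def reclaim_script(user, audit,
                   keep_roles=("CONNECT", "RESOURCE"),          # assumed baseline
                   keep_privs=("CREATE VIEW", "CREATE PUBLIC SYNONYM",
                               "DROP PUBLIC SYNONYM", "UNLIMITED TABLESPACE")):
    """Draft the SQL a DBA would review before running; nothing is executed."""
    u = user.upper()
    if u in EXEMPT_USERS:
        return []
    stmts = []
    if audit["has_dba"]:
        stmts.append(f"revoke dba from {u};")
        for r in keep_roles:
            if r not in audit["admin_roles"]:   # those are re-granted below
                stmts.append(f"grant {r.lower()} to {u};")
        for p in keep_privs:
            stmts.append(f"grant {p.lower()} to {u};")
    for p in audit["dangerous"]:
        stmts.append(f"revoke {p} from {u};")
    # ADM = YES: revoke, then re-grant without the admin option.
    for name in audit["admin_roles"] + audit["admin_privs"]:
        stmts.append(f"revoke {name} from {u};")
        stmts.append(f"grant {name} to {u};")
    return stmts


if __name__ == "__main__":
    result = audit_user("erp", parse_sqlplus(SAMPLE_ROLE_PRIVS),
                        parse_sqlplus(SAMPLE_SYS_PRIVS))
    print("\n".join(reclaim_script("erp", result)))
```

In practice the two listings are spooled from SQL*Plus (select * from dba_role_privs / dba_sys_privs without the GRANTEE filter) and fed to parse_sqlplus, so every grantee in the instance can be audited in one pass rather than one user at a time; the drafted statements are then read through and run by the DBA, and the confirmation queries from section 3 are repeated afterwards.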