why a non-dba user can log in as sysdba? - oracle

in my oracle instance, I have a user called xxx, I remembered I just grant resource and connect role to xxx, but now the user can log in as sysdba(via pl/sql developer), even after executing revoke dba from xxx through sys account, the user xxx can still log in as sysdba, so why? What should I do to revoke his dba role?
PS: now I execute revoke dba from xxx, it reports an error: dba role is not granted to xxx

the DBA role and SYSDBA roles are different.
revoke sysdba from xxx;
Read here about Administrative Privileges

Related

ORA-01017 Invalid Username/Password when connecting to new non-SYSDBA user

I'm pretty new to Oracle, I've been trying to logon with a newly created non-SYSDBA user for a while without success.
I'm using Oracle 19c (Oracle Database 19c Standard Edition 2 Release 19.0.0.0.0 - Production)
I connect to my pdb (orclpdb) as sys with the SYSDBA role
CREATE USER USER1 IDENTIFIED BY PASSWORD;
GRANT CONNECT TO USER1;
I'm using an uppercase user name and password to avoid any doubt.
Then when I try to log as this new user with any role and the correct password I receive ORA-01017
But then if I connect back to the pdb and
GRANT SYSDBA TO USER1;
Now I can log as this new user with the sysdba role:
If I try to connect with any other role or with the wrong password I then receive ORA-01017 Invalid Username/Password
-- Create the common user using the CONTAINER clause.
CREATE USER c##test_user1 IDENTIFIED BY password1 CONTAINER=ALL;
GRANT CREATE SESSION TO c##test_user1 CONTAINER=ALL;
https://oracle-base.com/articles/12c/multitenant-manage-users-and-privileges-for-cdb-and-pdb-12cr1
OR
connect to cdb sqlplus "/as sysdba"
to switch pdb: ALTER SESSION SET CONTAINER = orclpdb;
to check use: SHOW CON_NAME
CREATE USER USER1 IDENTIFIED BY PASSWORD;
GRANT CREATE SESSION TO USER1 container=current;

How to create user and give access to a database

How do I create a new user and give him access to ORCL database in oracle 10 g (TOAD/SQL Developer/SQL Plus). I tried to do this in SQL Developer, but when I try to login with the newly created user, it says "Insufficient privileges"
I think you might be confused between database and schema. Also, remember, user and schema are synonymous. A schema contains the set of objects owned by the user. Other than that, they are similar.
What you need to do is:
SQL> create user test_new identified by test_new;
User created.
SQL> grant create session to test_new;
Grant succeeded.
SQL> conn test_new/test_new#pdborcl;
Connected.
SQL> show user
USER is "TEST_NEW"
Above example shows how to create a user, grant create session privilege just to make sure user is at least able to connect. You would obviously need more privileges for the user to do further tasks.
Usually, you would create roles and grant required privileges to the roles. And then assign the role to a user.
UPDATE
Per the comments, OP is unable to connect via SQL*Developer.
but when I try to login into the SQLDeveloper i get error message Insufficient privileges when Role is set to SysDba
You should not use SYSDBA for a normal user other than SYS.
ORA-01017: invalid username/password; logon denied
Either your username or the password is incorrect. In SQL*Developer you need to correctly provide the
username
password
hostname
port
service_name
Test the connection, if it is success, start using it.

Oracle : System privileges, create user and grant privilages

I have the following connection properties.
Connection Name: MyConnection
UserName : Scott
password : password
Now I want to create a user using the above connection. The query I tried to execute was,
CREATE USER demo IDENTIFIED BY demo;
but I got the error stating that
"insufficient privileges".
An attempt was made to change the current username or password
without the appropriate privilege.
May I know how to create the user.
To create a new user, you should connect as a account with DBA privileges, or the System user if there isn't a named DBA user.

Unable to Grant session to a user

I used yesterday the sqlplus on ubuntu 14.04LTS normally but today when I open it I connect to the System :
SQL> connect system
Enter Password :
Connected.
Then I want to connect to my account which I created yesterday :
SQL> connect slim/slimhmidi;
Connected.
when I want to create as session I had this error:
SQL> grant session to slim;
grant session to slim
*
ERROR at line 1:
ORA-01919: role ' SESSION ' does not exist
I tried to create a session but no vain:
SQL> grant create session to slim;
grant create session to slim
*
ERROR at line 1:
ORA-01031: insufficient privileges
Also I have this error :
SQL> grant connect to slim;
grant connect to slim
*
ERROR at line 1:
ORA-01932: admin option not granted for role ' CONNECT'
However I didn't have these problems yesterday.
ORA-01919: role ' SESSION ' does not exist
You are trying to grant the privilege to user slim while you are already connected to slim. So, the grantor and grantee are same here.
ORA-01932: admin option not granted for role ' CONNECT
As I said, you are already connected as user slim, it means the user already has the CONNECT privilege.
To grant create session to the user, you could do it as SYS user or any other user which has the privilege to grant.
See this link to documentation http://docs.oracle.com/cd/B19306_01/network.102/b14266/admusers.htm#DBSEG10000
Update Per OP's comments
To give the select privilege on the table to a user:
GRANT SELECT ON table_name TO slim;

Why can my new user login as sysdba in oracle?

I just installed Oracle 11g R2 on windows 7 machine. I am able to login using my sys as sysdba account.
Using the sys account I created a user as follows
create user testuser identified by testuser;
When I try to connect to database with testuser as Normal user it says that 'user testuser lacks CREATE SESSION privilege; logon denied' which is understandable since I have not granted any permissions so far to testuser.
But when I try to login to database using testuser as sysdba, it allows me to connect to database and the selected schema seems to me as SYS schema.
Is there something I am missing because I think user testuser should not be able to even login let alone login to SYS schema. I have also found that I can connect as sysdba with any username regardless of if it is present in the database.
How can I create a regular oracle user which does not have access to any other schema?
Your windows user is part of the dba group (oradba). It uses Windows authentification to connect as sysdba. See this thread on AskTom:
"as sysdba" is extremely powerful, it uses OS AUTHENTICATION, it does
not require database authentication (it is used to login before there
is a "database" or even an "instance"!)
As a member of the dba group, you can login as sysdba with any database user. You can even login without a user: sqlplus / as sysdba.
This is how I would normally create a new user:
create user &1
identified by &2
default tablespace &3
temporary tablespace &4;
grant connect, resource to &1;
grant alter session to &1;
** get the picture; also include other default privileges like "create ... " : sequence, synonym, table, view, database link select_catalog_role etc.

Resources