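Today I saw a thread on a forum discussing the problem "Oracle's sysdba can't delete a user's job". I replied right away, explaining that the dbms_ijob package can be used with sysdba privileges to operate on other users' jobs. After posting, I felt it was worth explaining Oracle's privilege philosophy to DBA newcomers. The philosophy below applies equally to day-to-day IT operations: the root user in Linux/MySQL and the Administrator user in Windows should also be used cautiously and within a limited scope.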
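The job removal mentioned above, written as a least-privilege sequence. This is an added example, not code from the forum thread: the job number 42 and the user APP_OWNER are constructed, and SYS.DBMS_IJOB is an undocumented Oracle package, so its REMOVE call is shown as it is commonly used rather than from official documentation.

```sql
-- Step 1: identify the job and its owner. Any account with SELECT on DBA_JOBS
-- can do this; no SYSDBA connection is needed.
SELECT job, log_user, priv_user, schema_user, broken, what
FROM   dba_jobs
WHERE  job = 42;                 -- 42 is a constructed job number

-- Step 2 (preferred): remove the job as its owner with the documented package.
-- Run from a session connected as the owning user (hypothetical APP_OWNER).
-- Called from any other user, DBMS_JOB.REMOVE raises ORA-23421
-- ("job number 42 is not a job in the job queue"), which is the symptom
-- behind "sysdba can't delete a user's job".
BEGIN
  DBMS_JOB.REMOVE(42);
  COMMIT;
END;
/

-- Step 3 (fallback): only when the owner cannot connect (account locked,
-- dropped application login, ...), use a SYSDBA session for this one action
-- (CONNECT / AS SYSDBA) and then disconnect.
BEGIN
  SYS.DBMS_IJOB.REMOVE(42);      -- undocumented package, operates across owners
  COMMIT;
END;
/

-- Step 4: confirm the job is gone. Expect 0.
SELECT COUNT(*) AS remaining
FROM   dba_jobs
WHERE  job = 42;
```

Steps 2 and 3 are alternatives: run one of them, not both.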

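Oracle's privilege philosophy

If an operation can be performed as an ordinary user, avoid performing it as SYS/SYSDBA wherever possible;

Only operations that an ordinary user cannot perform should be performed as SYS/SYSDBA.

In general, SYS/SYSDBA is used only for operations such as startup, shutdown, backup and recover.

Quoting a forum post: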

  • Never ever use SYS (or SYSDBA) but for maintenance purpose (startup, shutdown, backup, recover)

  • SYS/SYSDBA is special

  • SYS/SYSDBA is Oracle proprietary (try to open a SR/TAR starting with "I did that with SYS/SYSDBA" and you'll see the immediate answer)

  • SYS/SYSDBA does not act like any other user

  • When you use SYS/SYSDBA Oracle deactivates some code path and activates others

  • Whatever you do with SYS/SYSDBA will neither validate nor invalidate the same thing with any other user.

NEVER EVER use SYS/SYSDBA for anything that can be done by another user.

Use SYS/SYSDBA ONLY for something that can't be done by someone else.