Oracle Database System Privileges Accounts and Passwords

Review these system privileges accounts after installation in preparation for unlocking accounts and changing passwords.

All databases created by the Database Configuration Assistant (DBCA) include the SYS, SYSTEM, and DBSNMP database accounts. In addition, Oracle Database provides several other administrative accounts. Before using these accounts, you must unlock them and reset their passwords.

Starting with Oracle Database 12c Release 2 (12.2), only the HR sample schema is automatically installed after a database installation. All sample schemas, including HR, are distributed on GitHub:

https://github.com/oracle/db-sample-schemas

Note:

This list contains some of the important system privileges user accounts, but it is not complete. Use Oracle Enterprise Manager Database Express 12c to view the complete list of database accounts.

Table 9-1 Partial List of Oracle Database System Privileges Accounts Locked After Installation

User Name Description For More Information

ANONYMOUS

Enables HTTP access to Oracle XML DB.

Oracle XML DB Developer's Guide

APEX_050100

The account that owns the Oracle Application Express schema and metadata.

Oracle Application Express App Builder User’s Guide

APEX_PUBLIC_USER

The minimally privileged account used for Oracle Application Express configuration with Oracle Application Express Listener or Oracle HTTP Server and mod_plsql.

Oracle Application Express App Builder User’s Guide

APPQOSSYS

Used for storing and managing all data and metadata required by Oracle Quality of Service Management.

None

AUDSYS

The account where the unified audit data trail resides.

Oracle Database Security Guide

CTXSYS

The Oracle Text account.

Oracle Text Application Developer's Guide

DBSFWUSER

The account used to run the DBMS_SFW_ACL_ADMIN package.

Oracle Database PL/SQL Packages and Types Reference

DBSNMP

The account used by the Management Agent component of Oracle Enterprise Manager to monitor and manage the database.

Oracle Enterprise Manager Cloud Control Administrator's Guide

DIP

The account used by the Directory Integration Platform (DIP) to synchronize the changes in Oracle Internet Directory with the applications in the database.

None

DVSYS

There are two roles associated with this account. The Database Vault owner role manages the Database Vault roles and configurations. The Database Vault Account Manager is used to manage database user accounts.

Note: Part of Oracle Database Vault user interface text is stored in database tables in the DVSYS schema. By default, only the English language is loaded into these tables. You can use the DVSYS.DBMS_MACADM.ADD_NLS_DATA procedure to add other languages to Oracle Database Vault.

Oracle Database Vault Administrator's Guide

DVF

The account owned by Database Vault that contains public functions to retrieve the Database Vault Factor values.

Oracle Database Vault Administrator's Guide

FLOWS_FILES

The account owns the Oracle Application Express uploaded files.

Oracle Application Express App Builder User’s Guide

GGSYS

The internal account used by Oracle GoldenGate. It should not be unlocked or used for a database login.

None

GSMADMIN_INTERNAL

The internal account that owns the Global Data Services schema. It should not be unlocked or used for a database login.

Oracle Database Global Data Services Concepts and Administration Guide

GSMCATUSER

The account used by Global Service Manager to connect to the Global Data Services catalog.

Oracle Database Global Data Services Concepts and Administration Guide

GSMUSER

The account used by Global Service Manager to connect to the database.

Oracle Database Global Data Services Concepts and Administration Guide

HR

The account that owns the Human Resources schema included in the Oracle Sample Schemas.

Oracle Database Sample Schemas

LBACSYS

The Oracle Label Security administrator account. Starting with Oracle Database 18c, the LBACSYS user account is created as a schema-only account.

Oracle Label Security Administrator’s Guide

MDDATA

The schema used by Oracle Spatial and Graph for storing geocoder and router data.

Oracle Spatial and Graph Developer's Guide

MDSYS

The Oracle Spatial and Graph administrator account.

Oracle Spatial and Graph Developer's Guide

OUTLN

The account that supports plan stability. Plan stability enables you to maintain the same execution plans for the same SQL statements. OUTLN acts as a role to centrally manage metadata associated with stored outlines.

None

ORACLE_OCM

This account contains the instrumentation for configuration collection used by the Oracle Configuration Manager.

None

REMOTE_SCHEDULER_AGENT

The account to disable remote jobs on a database. This account is created during the remote scheduler agent configuration. You can disable the capability of a database to run remote jobs by dropping this user.

Oracle Database Administrator’s Guide

SYS

The account used to perform database administration tasks.

Oracle Database Administrator’s Guide

SYSTEM

Another account used to perform database administration tasks.

Oracle Database Administrator’s Guide

SYSBACKUP

The account used to perform backup and recovery tasks.

Oracle Database Administrator’s Guide

SYSKM

The account used to perform encryption key management.

Oracle Database Administrator’s Guide

SYSDG

The account used to administer and monitor Oracle Data Guard.

Oracle Database Administrator’s Guide

SYSRAC

The account used to administer Oracle Real Application Clusters (RAC).

Oracle Database Administrator’s Guide

SYS$UMF

The account used to administer Remote Management Framework, including the remote Automatic Workload Repository (AWR).

Oracle Database Performance Tuning Guide

WMSYS

The account used to store the metadata information for Oracle Workspace Manager.

Oracle Database Workspace Manager Developer's Guide

XDB

The account used for storing Oracle XML DB data and metadata.

Oracle XML DB Developer’s Guide

XS$NULL

The internal account that represents the absence of a database schema user in a session, and indicates an application user session is in use. XS$NULL cannot be authenticated to a database, nor can it own any database schema objects, or possess any database privileges.

Oracle Database Real Application Security Administrator's and Developer's Guide

Except for the accounts provided with the Oracle Sample Schemas, most of these database accounts are locked by default and created without passwords as schema only. This prevents malicious users from logging into these accounts using the default password set during catalog creation. To find the status of an account, query the AUTHENTICATION_TYPE column of the DBA_USERS data dictionary view. If AUTHENTICATION_TYPE is schema only, then the status is NONE.

Many of these accounts are automatically created when you run standard scripts such as the various cat*.sql scripts. To find user accounts that are created and maintained by Oracle, query the USERNAME and ORACLE_MAINTAINED columns of the ALL_USERS data dictionary view. If the output for ORACLE_MAINTAINED is Y, then you must not modify the user account except by running the script that was used to create it.