Oracle Database System Privileges Accounts and Passwords
Review these system privileges accounts after installation in preparation for unlocking accounts and changing passwords.
All databases created by the Database Configuration Assistant (DBCA) include the SYS, SYSTEM, and DBSNMP database accounts. In addition, Oracle Database provides several other administrative accounts. Before using these accounts, you must unlock them and reset their passwords.
Starting with Oracle Database 12c Release 2 (12.2), only the HR sample schema is automatically installed after a database installation. All sample schemas, including HR, are distributed on GitHub:
https://github.com/oracle/db-sample-schemas
Note:
This list contains some of the important system privileges user accounts, but it is not complete. Use Oracle Enterprise Manager Database Express 12c to view the complete list of database accounts.
Table 9-1 Partial List of Oracle Database System Privileges Accounts Locked After Installation
User Name | Description | For More Information |
---|---|---|
ANONYMOUS | Enables HTTP access to Oracle XML DB. | |
APEX_050100 | The account that owns the Oracle Application Express schema and metadata. | |
APEX_PUBLIC_USER | The minimally privileged account used for Oracle Application Express configuration with Oracle Application Express Listener or Oracle HTTP Server and | |
APPQOSSYS | Used for storing and managing all data and metadata required by Oracle Quality of Service Management. | None |
AUDSYS | The account where the unified audit data trail resides. | |
CTXSYS | The Oracle Text account. | |
DBSFWUSER | The account used to run the DBMS_SFW_ACL_ADMIN package. | |
DBSNMP | The account used by the Management Agent component of Oracle Enterprise Manager to monitor and manage the database. | Oracle Enterprise Manager Cloud Control Administrator's Guide |
DIP | The account used by the Directory Integration Platform (DIP) to synchronize the changes in Oracle Internet Directory with the applications in the database. | None |
DVSYS | There are two roles associated with this account. The Database Vault owner role manages the Database Vault roles and configurations. The Database Vault Account Manager is used to manage database user accounts. Note: Part of Oracle Database Vault user interface text is stored in database tables in the DVSYS schema. By default, only the English language is loaded into these tables. You can use the | |
DVF | The account owned by Database Vault that contains public functions to retrieve the Database Vault Factor values. | |
FLOWS_FILES | The account owns the Oracle Application Express uploaded files. | |
GGSYS | The internal account used by Oracle GoldenGate. It should not be unlocked or used for a database login. | None |
GSMADMIN_INTERNAL | The internal account that owns the Global Data Services schema. It should not be unlocked or used for a database login. | Oracle Database Global Data Services Concepts and Administration Guide |
GSMCATUSER | The account used by Global Service Manager to connect to the Global Data Services catalog. | Oracle Database Global Data Services Concepts and Administration Guide |
GSMUSER | The account used by Global Service Manager to connect to the database. | Oracle Database Global Data Services Concepts and Administration Guide |
HR | The account that owns the Human Resources schema included in the Oracle Sample Schemas. | |
LBACSYS | The Oracle Label Security administrator account. Starting with Oracle Database 18c, the LBACSYS user account is created as a schema-only account. | |
MDDATA | The schema used by Oracle Spatial and Graph for storing geocoder and router data. | |
MDSYS | The Oracle Spatial and Graph administrator account. | |
OUTLN | The account that supports plan stability. Plan stability enables you to maintain the same execution plans for the same SQL statements. OUTLN acts as a role to centrally manage metadata associated with stored outlines. | None |
ORACLE_OCM | This account contains the instrumentation for configuration collection used by the Oracle Configuration Manager. | None |
REMOTE_SCHEDULER_AGENT | The account to disable remote jobs on a database. This account is created during the remote scheduler agent configuration. You can disable the capability of a database to run remote jobs by dropping this user. | |
SYS | The account used to perform database administration tasks. | |
SYSTEM | Another account used to perform database administration tasks. | |
SYSBACKUP | The account used to perform backup and recovery tasks. | |
SYSKM | The account used to perform encryption key management. | |
SYSDG | The account used to administer and monitor Oracle Data Guard. | |
SYSRAC | The account used to administer Oracle Real Application Clusters (RAC). | |
SYS$UMF | The account used to administer Remote Management Framework, including the remote Automatic Workload Repository (AWR). | |
WMSYS | The account used to store the metadata information for Oracle Workspace Manager. | |
XDB | The account used for storing Oracle XML DB data and metadata. | |
XS$NULL | The internal account that represents the absence of a database schema user in a session, and indicates an application user session is in use. XS$NULL cannot be authenticated to a database, nor can it own any database schema objects, or possess any database privileges. | Oracle Database Real Application Security Administrator's and Developer's Guide |

Except for the accounts provided with the Oracle Sample Schemas, most of these database accounts are locked by default and created without passwords as schema only. This prevents malicious users from logging into these accounts using the default password set during catalog creation. To find the status of an account, query the AUTHENTICATION_TYPE column of the DBA_USERS data dictionary view. For a schema only account, the AUTHENTICATION_TYPE value is NONE.
Many of these accounts are automatically created when you run standard scripts such as the various cat*.sql scripts. To find user accounts that are created and maintained by Oracle, query the USERNAME and ORACLE_MAINTAINED columns of the ALL_USERS data dictionary view. If the output for ORACLE_MAINTAINED is Y, then you must not modify the user account except by running the script that was used to create it.
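The two dictionary checks described above can be combined into one post-installation review query. This is an added example, not part of the Oracle documentation; it assumes a session that can read DBA_USERS and DBA_USERS_WITH_DEFPWD, and the DEFAULT_PASSWORD and FINDING column aliases are names chosen here.

```sql
-- Added example: review account state after installation.
-- Assumption: the session can read DBA_USERS and DBA_USERS_WITH_DEFPWD
-- (for example through SELECT_CATALOG_ROLE).
SELECT u.username,
       u.oracle_maintained,       -- Y = created and maintained by Oracle scripts
       u.account_status,          -- OPEN, LOCKED, EXPIRED & LOCKED, ...
       u.authentication_type,     -- NONE = schema only, PASSWORD, EXTERNAL, ...
       CASE WHEN d.username IS NOT NULL THEN 'Y' ELSE 'N' END AS default_password,
       CASE
         -- Schema only accounts have no credential to log in with.
         WHEN u.authentication_type = 'NONE'
           THEN 'schema only: no direct login'
         -- Covers LOCKED, LOCKED(TIMED) and EXPIRED & LOCKED.
         WHEN u.account_status LIKE '%LOCKED%'
           THEN 'locked'
         -- Unlocked account that still carries a known default password.
         WHEN d.username IS NOT NULL
           THEN 'REVIEW: unlocked with default password'
         -- Unlocked Oracle-maintained account (SYS, SYSTEM, DBSNMP are
         -- expected here; anything else should have a documented reason).
         WHEN u.oracle_maintained = 'Y'
           THEN 'REVIEW: unlocked Oracle-maintained account'
         ELSE 'unlocked user account'
       END AS finding
FROM   dba_users u
LEFT JOIN dba_users_with_defpwd d
       ON d.username = u.username
ORDER  BY default_password DESC,
          u.oracle_maintained DESC,
          u.username;
```

Rows marked REVIEW are the ones to act on: reset the password, or lock the account again if it is not in use.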