RelationalDBDesign RelationalDBDesign

Password Files   «Prev  Next»
Lesson 12

Managing Password File Conclusion

This module discussed how to manage password files and you have learned why Oracle needs them.
You now should be comfortable performing the following tasks:
  1. Using the orapwd utility to create a new password file
  2. Connecting to a database as a SYSDBA or SYSOPER
  3. Granting the SYSDBA and SYSOPER privileges to DBAs
  4. Configuring a database to use a password file
  5. Rebuilding a password file
  6. Selecting from v$pwfile_users to see who has SYSDBA or SYSOPER privileges roles

Password Files

An Oracle password file is a file within the Oracle administrative or software directory structure on disk used to authenticate Oracle system administrators for tasks such as creating a database or starting up and shutting down the database. The privileges granted through this file are the SYSDBA and SYSOPER privileges. Authenticating any other type of user is done within the database itself; because the database may be shut down or not mounted, another form of administrator authentication is necessary in these cases. The Oracle command-line utility orapwd creates a password file if one does not exist or is damaged. Because of the extremely high privileges granted by means of this file, it should be stored in a secure directory location that is not available to anyone except for DBAs and operating system administrators. Once this file is created, the initialization parameter REMOTE_LOGIN_PASSWORDFILE should be set to EXCLUSIVE to allow users other than SYS to use the password file. Also, the password file must be in the $ORACLE_HOME/dbs directory.
Note:Create at least one user other than SYS or SYSTEM who has DBA privileges for daily administrative tasks. If there is more than one DBA administering a database, each DBA should have their own account with DBA privileges.
Alternatively, authentication for the SYSDBA and SYSOPER privileges can be done with OS authentication. When using this technique, a password file does not have to be created, and the initialization parameter REMOTE_LOGIN_PASSWORDFILE is set to NONE.


This module introduced you to the following terms:
  1. SYSDBA: A special type of privilege that allows the holder to administer an Oracle database. A user logged in as SYSDBA can do anything, including starting, stopping, and recovering the database.
  2. SYSOPER: A special type of privilege that allows the holder to perform several routine administrative tasks against an Oracle database.
    A user logged in as SYSOPER is limited to starting the database, stopping the database, certain types of recovery, and a few other routine chores.
  3. REMOTE_LOGIN_PASSWORDFILE: Specifies how Oracle uses password files. Required for RAC.