An interesting but undocumented Oracle feature lets you temporarily log in as another user. Logging in as another user is helpful when troubleshooting privilege-related problems. To use this technique you do not even need to know the other user's password. For example, say that you are the
SYSTEM
user, and that you need to log in as the
COIN_ADMIN
user. The first thing to do is to retrieve the
COIN_ADMIN
user's password. This example shows how to do that:
SQL> SELECT password
2 FROM dba_users
3 WHERE username='COIN_ADMIN';
PASSWORD
------------------------------
B1DB09EA3F74189C
Hexadecimal Representation of the encrypted Password:
The value that you get for the password when you query
DBA_USER
is the
hexadecimal representation of the encrypted password. You cannot use it to log in. Just save this value so that later you can restore it. The next task is to temporarily change the
COIN_ADMIN
user's password:
SQL> ALTER USER coin_admin IDENTIFIED BY temp;
User altered.
Now you can log in as
COIN_ADMIN/TEMP
SQL> CONNECT coin_admin/temp@coin
Connected
Once you are logged in as the
COIN_ADMIN
user, you can change the password back to its original value by issuing this command:
hexadecimal: A base-16 numbering system often used to display an exact representation of data in memory. Hexadecimal numbering goes from 1-9, and then from A-F. The hexadecimal A is equivilant to the decimal value 10. After F, the next hexadecimal value is 10, which is equivilant to the decimal value 16. Hexadecimal digits each represent exactly four binary bits, making hexadecimal a convenient alternative to writing long strings of 1s and 0s.
SQL> ALTER USER coin_admin
2 IDENTIFIED BY VALUES 'B1DB09EA3F74189C';
User altered.
Notice that the hexadecimal string that you saved earlier was used to reset the password back to its original state. The keyword
VALUES
is an undocumented feature that allows you to store an already encrypted password directly.
An Oracle password file is a file within the Oracle administrative or software directory structure on disk used to authenticate Oracle system administrators for tasks such as creating a database or starting up and shutting down the database. The privileges granted through this file are the 1) SYSDBA and 2) SYSOPER privileges. Authenticating any other type of user is done within the database itself. Because the database may be shut down or not mounted, another form of administrator authentication is necessary in these cases. The Oracle command-line utility orapwd creates a password file if one does not exist or is damaged. Because of the extremely high privileges granted via this file, it should be stored in a secure directory location that is not available to anyone except for DBAs and operating system administrators. Once this file is created, the initialization parameter REMOTE_LOGIN_PASSWORDFILE should be set to EXCLUSIVE to allow users other than SYS to use the password file.
Also, the password file must be in the $ORACLE_HOME/dbs directory.
TIP: Create at least one user other than SYS or SYSTEM who has DBA privileges for daily administrative tasks. If there is more than one DBA administering a database, each DBA should have their own account with DBA privileges.
[1]database link: In Oracle, a database link is a named object in one database that allows you to access and manipulate data in another database. This other database can be either another Oracle database or a database from a different vendor, as long as Oracle supports it through Heterogeneous Services.