ORACLE 参数 O7_DICTIONARY_ACCESSIBILITY

该参数是ORACLE的一个安全机制, 目的就是为了防止非sysdba访问系统关键数据字典,让sys用户成为sysdba, 不能以普通用户登陆


MOS文档: What is O7_DICTIONARY_ACCESSIBILITY and how should it be set ? (文档 ID 206795.1)


中提到:

Versions PRIOR to Oracle 9i:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The default of this parameter is TRUE.


Oracle 9i:
~~~~~~~~~~
The default of this parameter in 9i is FALSE.
The FALSE setting requires login with AS SYSDBA to read the data dictionary, or
to be given explicit object grants.


从9i开始, Oracle明确限定该参数的值为FALSE, 强烈不推荐用户更改该参数

该参数限定了sys用户必须以sysdba 的身份进行登陆

或许有些很奇葩的需求,例如某位领导说: 我任性,我必须要用sys用户以普通身份就能登陆,

那么更改该参数,满足领导吧...


附录:

该MOS的全文:

QUESTIONS:

What does the init.ora parameter named O7_Dictionary_Accessibility do?
How does it affect my database, and how should it be set? 

ANSWERS:

The parameter O7_Dictionary_Accessibility can be set to TRUE or FALSE.
The affect on your database is different depending on whether you are
using Oracle 9i or a version previous to Oracle 9i.


Versions PRIOR to Oracle 9i:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The default of this parameter is TRUE.

The dictionary protection mechanism in Oracle 8 prevents unauthorized users 
from accessing dictionary objects.

Access to dictionary objects is restricted to the users with the system 
privileges SYSDBA and SYSOPER.

System privileges providing access to objects in other schemas do not give 
access to dictionary objects.
For example, the SELECT ANY TABLE privilege enables access to views and tables
in other schemas, but it does not enable you to select dictionary objects.

If the parameter is set to TRUE, which is the default, access to objects in 
SYS schema is enabled (Oracle 7 behavior).

If this parameter is set to FALSE, system privileges that allow access to 
objects in other schemas do not allow access to objects in the dictionary 
schema.

For example, if O7_DICTIONARY_ACCESSIBILITY=FALSE, then the SELECT ANY TABLE 
statement enables access to views or tables in any schema except SYS schema. 
The system privilege, EXECUTE ANY PROCEDURE enables access on the procedures 
in any other schema except in SYS schema.

Oracle 9i:
~~~~~~~~~~
The default of this parameter in 9i is FALSE.
The FALSE setting requires login with AS SYSDBA to read the data dictionary, or
to be given explicit object grants.


Warning:
~~~~~~~~
Oracle has changed from versions 9.0.1 and beyond the default of this parameter
to FALSE, and strongly recommends that you do not change back the parameter.
In the process of turning Oracle Server secure out of the box, this was one of
the reasons we decide to change the parameter.
This way, you can't login with a "regular" SYS connection anymore to look up
data dictionary.
Instead, you should set your own dba accounts with appropriate privileges and
passwords.


References:
~~~~~~~~~~~
Oracle University, Oracle 9i New Features For Adminstrators, Chapter 1, Oracle
Server Security, Page 1-5

Oracle University, Oracle 8: Database Administration, Chapter 19, Managing 
Privileges, Page 19-15



你可能感兴趣的:(Oracle)