目的:
Can "ALTER SYSTEM" privilege can be revokved from SYSRAC?
处理方法:
SYSRAC is an administrative user used by CRS to connect to the database and administer it instead of using highly privileged user SYS.
Oracle does not recommend to revoke ALTER SYSTEM privilege to be revoked from SYSRAC user. Because this privilege is necessary for the user to administer the DB.
-bash-4.1$ more catadmprvs.sql
Rem
Rem $Header: rdbms/admin/catadmprvs.sql /main/12 2015/02/25 16:47:32 yulcho Exp $
Rem
Rem catadmprvs.sql
Rem
Rem Copyright (c) 2011, 2015, Oracle and/or its affiliates.
Rem All rights reserved.
Rem
Rem NAME
Rem catadmprvs.sql - Grant privileges to administrative users
Rem
Rem DESCRIPTION
Rem This script grants the required privileges to the following
Rem administrative users:
Rem 1. SYSBACKUP
Rem 2. SYSDG
Rem 3. SYSKM
Rem
Rem NOTES
Rem Must be run connecting as SYS.
---------
-- SYSRAC
---------
-- To be used by CRS agent to administer DB instances.
GRANT alter database TO sysrac;
GRANT alter session TO sysrac;
GRANT alter system TO sysrac;
GRANT select on sys.cdb_service$ TO sysrac;
GRANT select on sys.dba_services TO sysrac;
GRANT select on sys.dba_procedures TO sysrac;
GRANT execute on sys.dbms_drs TO sysrac;
GRANT execute on sys.dbms_service TO sysrac;
GRANT execute on sys.dbms_service_prvt TO sysrac;
GRANT execute on sys.dbms_session TO sysrac;
GRANT execute on sys.dbms_ha_alerts_prvt TO sysrac;
GRANT execute on sys.dbms_server_alert TO sysrac;
GRANT execute on sys.sys$rlbtyp TO sysrac;
GRANT read on sys.recent_resource_incarnations$ TO sysrac;
GRANT aq_administrator_role TO sysrac;
@?/rdbms/admin/sqlsessend.sql
-bash-4.1$
As we can see the above privileges are important for the user SYSRAC to function if you revoke privileges which are granted by default by oracle scripts then this user will become unusable.
Reference:
##########
Bug 19467969 : SYSRAC ADMINISTRATIVE USER NEEDS MORE PRIVILEGES