CP0907 – Security concerns surrounding use of Oracle SYS user

Formal title: Security concerns surrounding use of Oracle SYS user

Current Status

Submission
Assessment
CPC Consultation
Committee Decision
Rejected

Summary

The current approach to upgrades of the NHHDA & EAC/AA software requires user organisations to log on as the Oracle SYS user, which raises concerns from an IT security and controls perspective. The approach to upgrades of the Pool software likewise requires the user organisation to log on as the Oracle SYS user. Connecting to an Oracle database as SYS allows the user to manipulate the data contained in the data dictionary tables, the comprehensive set of tables and views internal to Oracle. These provide a vital source of information for the RDBMS itself and are used internally by Oracle to manage all objects contained in the database. If an uncontrolled error occurs during an upgrade, user organisations upgrading as SYS run the risk of corrupting the data dictionary. If this were to occur, a full database recovery would be required, which could take several hours to complete.

Progression

This CP was rejected
