How to retrict 'Connect as sysdba' to anyone other than sysdba ?

Ora9iR2 for win2k installed, I found that I can use any username/password (user is not a member of ORA_DBA group or no such user) to run sqlplus by "sqlplus /nolog" and "connect as sysdba". as below
---------------------------------
C:\Documents and Settings\user>sqlplus /nolog
SQL*Plus: Release 9.2.0.1.0 - Production on Tue Mar 4 11:21:45 2003
Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
SQL> connect as sysdba
Enter user-name: 123
Enter password:
Connected.
SQL>
----------------------------------

Somw questions,
1. How to retrict the unknown user to run "sqlplus /nolog" and "connect as sysdba" ?

2. What database/tablespace does user(sysdba) access after "connect as sysdba" complete ?

Thanks,
joehuangAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

DatamonkeyCommented:
it's not the database user that you restrict, it's the OS user.
If your OS user is part of the ORA_DBA group you can log on 'as sysdba', otherwise you can't
if you connect as sysdba you basicaly use the SYS schema
0
joehuangAuthor Commented:
As you see from the output below, there is no such user 123 and 456 as OS user or part of the ORA_DBA, and they can logon
-----------------------------------
C:\Documents and Settings\user>sqlplus /nolog
SQL*Plus: Release 9.2.0.1.0 - Production on Tue Mar 4 12:19:14 2003
Copyright (c) 1982, 2002, Oracle Corporation.  All rights reserved.
SQL> connect 123/456 as sysdba
Connected.
SQL> connect 456/789 as sysdba
Connected.
SQL>
------------------------------

Any thought ?

Thanks,





0
DatamonkeyCommented:
But the user you're logged on to the OS with is part of the ORA_DBA group, that's what is important.
so if you start windows and log on as 'joehuang' (or whatever), it's that user that is part of the ORA_DBA group. As long as that is the case you can log on 'as sysdba' to oracle, the username you give oracle is not important because the 'as sysdba' gives you the sys schema anyway.
0
joehuangAuthor Commented:
Well, It make sense with the local logon users. In the other word, the non- ORA_DBA user won't gain access from the remote pc by connect string. Please advise, If I am wrong.
0
DatamonkeyCommented:
indeed, the only users that can use this are the ones that are part of the ORA_DBA group with their Windows account on the server
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Oracle Database

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.