Separation of Duty for Administering Oracle Real Application Clusters.
Starting with Oracle Database 12c Release 2, Oracle Database provides support for separation of duty best practices when administering Oracle RAC by introducing the SYSRAC administrative privilege for the clusterware agent. This feature removes the need to use the powerful SYSDBA administrative privilege for Oracle RAC.
SYSRAC, like SYSDG, SYSBACKUP and SYSKM, helps enforce separation of duties and reduce reliance on the use of SYSDBA on production systems. This administrative privilege is the default mode for connecting to the database by the clusterware agent on behalf of the Oracle RAC utilities, such as SRVCTL.
The SYSRAC administrative privilege is the default mode of connecting to the database by the Oracle Clusterware agent on behalf of Oracle RAC utilities, such as SRVCTL, meaning that no SYSDBA connections to the database are necessary for the everyday administration of Oracle RAC database clusters.
Summary:
– Separation of duty best practices when administering Oracle RAC is supported by the SYSRAC administrative privilege.
– This feature eliminates the need to use the powerful SYSDBA administrative privilege for Oracle RAC.
– SYSRAC is the default mode for connecting to the database by the clusterware agent on behalf of RAC utilities, like SRVCTL.
– No SYSDBA connections to the database are necessary for the everyday administration of Oracle RAC database clusters.
– Connecting as SYSRAC:
SQL> CONNECT / AS SYSRAC SQL> CONNECT /@db1 as SYSRAC SQL> CONNECT /@db2 as SYSRAC