Question:  How do I use the 12c DBA duty security model?

Answer:  Prior to Oracle 12c, the SYSDBA (and SYSOPER) had many non-specific DBA privileges and there was no segregation of duties among Oracle DBA job duties.  There are now six different system-level roles fr the DBA, segregated along job duty lines:

•  SYSDBA ROLE: User name SYS/PUBLIC - This is the same full DBA system operations and privileges as in release 11g and earlier.

• SYSOPER Role:  user name SYS/PUBLIC - This is the same same system operations and privileges for release 11g and earlier.

12c Data Security Model users and roles:

• SYSASM Role:  - user name SYS - The SYSSM role gives privileges for administering an Automatic Storage Management (ASM) instance.

• SYSBACKUP Role: User name SYSBACKUP - The SYSBACKUP role gives the ability to perform RMAN backup and recovery commands both from SQL*Plus (SQL Developer) and RMAN command line.   In a nutshell, the sysbackup privilege allows the DBA to perform RMAN backup command without additional DBA privileges. 

• SYSDG Role:  User name SYSDG - The SYSDG role gives the ability to perform Data Guard operations with Data Guard Broker or the DGMGRL command line.

• SYSKM Role:  Username SYSKM - The SYSKM role gives the ability to manage the encryption keys for Transparent Data Encryption.
  

Role                           Privileges

SYSBACKUP	ALTER DATABASE ALTER SYSTEM CREATE SESSION ALTER SESSION ALTER TABLESPACE DROP TABLESPACE UNLIMITED TABLESPACE RESUMABLE CREATE ANY DICTIONARY CREATE ANY TABLE AUDIT ANY SELECT ANY DICTIONARY SELECT ANY TRANSACTION SELECT X$TABLES, V$VIEWS EXECUTE SYS.DBMS_BACKUP_RESTORE EXECUTE SYS.DBMS_RCVMAN EXECUTE SYS.DBMS_TR EXECUTE SYS.DBMS_TTS EXECUTE SYS.DBMS_TDB EXECUTE SYS.DBMS_PLUGTS EXECUTE SYS.DBMS_PLUGTSP CREATE PFILE CREATE SPFILE CREATE CONTROLFILE DROP DATABASE STARTUP SHUTDOWN CREATE RESTORE POINT DROP RESTORE POINT FLASHBACK_DATABASE SELECT_CATALOG_ROLE HS_ADMIN_SELECT_ROLE ABLE TO CONFIRM TABLE EXISTENCE BUT NOT QUERY DATA
SYSDG	CREATE SESSION ALTER SYSTEM ALTER SESSION ALTER DATABASE SELECT ANY DICTIONARY SELECT X$TABLES, V$VIEWS DELETE/SELECT ON APPQOSSYS.WLM_CLASSIFIER_PLAN EXECUTE SYS.DBMS_DRS STARTUP SHUTDOWN CREATE RESTORE POINT DROP RESTORE POINT FLASHBACK DATABASE ABLE TO CONFIRM TABLE EXISTENCE BUT NOT QUERY DATA
SYSKM	CREATE SESSION ADMINISTER KEY MANAGEMENT SELECT SYS.V$WALLET SELECT SYS.V$ENCRYPTION_WALLET SELECT SYS.V$ENCRYPTED_TABLESPACES NO ACCESS TO APPLICATION DATA

Oracle Training from Don Burleson  The best on site "Oracle training classes" are just a phone call away! You can get personalized Oracle training by Donald Burleson, right at your shop!

Burleson is the American Team Note: This Oracle documentation was created as a support and Oracle training reference for use by our DBA performance tuning consulting professionals.  Feel free to ask questions on our Oracle forum. Verify experience! Anyone considering using the services of an Oracle support expert should independently investigate their credentials and experience, and not rely on advertisements and self-proclaimed expertise. All legitimate Oracle experts publish their Oracle qualifications. Errata?  Oracle technology is changing and we strive to update our BC Oracle support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:   and include the URL for the page.                      Burleson Consulting The Oracle of Database Support Oracle Performance Tuning Remote DBA Services   Copyright © 1996 -  2020 All rights reserved by Burleson Oracle ® is the registered trademark of Oracle Corporation.