Lock OEM SYSMAN Console Login – Security Tip 1

Keep “SYSMAN” user locked for general use in Oracle Enterprise Manager.

Sometimes you may wish to prevent SYSMAN from logging into the OEM console. This is one of the good practices I follow in my organization: I make sure that OEM administrators log in with their own individual accounts to perform daily operations rather than using the SYSMAN account. If required, I make them Super Administrators rather than regular Administrators, which gives them the extra permissions needed for admin operations. However, the Super Administrator privilege should be limited to users who truly need all the permissions it grants.

Having multiple Super Administrator accounts reduces the need for SYSMAN access. SYSMAN is the repository schema owner and is more privileged than Enterprise Manager Super Administrators.

By executing the following SQL statement on the repository database as the SYSMAN user, you can lock the SYSMAN login to the OEM console:

-- '-1' disables SYSMAN login to the console and to emcli; the change must be committed
UPDATE MGMT_CREATED_USERS
SET SYSTEM_USER='-1'
WHERE user_name='SYSMAN';
COMMIT;

Once the account is locked this way, you can still connect to the repository database as the SYSMAN schema user, but access to the OEM console and to “emcli login -username=sysman” is refused. In both cases you will see output like the following:

SQL> UPDATE MGMT_CREATED_USERS
SET SYSTEM_USER='-1'
WHERE user_name='SYSMAN' 2 3 ;
1 row updated.

SQL> commit;
Commit complete.

SQL> conn / as sysdba
Connected.
SQL> show user
USER is "SYS"

SQL> conn sysman
Enter password:
Connected.
SQL>

SQL>
SQL> exit
Disconnected from Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
You have new mail in /var/spool/mail/oracle

[oracle@houoemap2 bin]$ pwd
/app/oracle/product/middleware/middleware13c/bin

[oracle@houoemap2 bin]$ ./emcli login -username=sysman
Enter password :

Error: Login failed. Retry with correct hostname, port or username / password else check the log files for further details.
Log file location is : /app/oracle/product/middleware/gc_inst1/em/EMGC_OMS1/sysman/emcli/setup/.emcli/.emcli.log
[oracle@houoemap2 bin]$


After disabling SYSMAN from logging into the console, you can re-enable it by executing:

-- '1' restores SYSMAN login to the console and to emcli; commit the change
UPDATE MGMT_CREATED_USERS
SET SYSTEM_USER='1'
WHERE user_name='SYSMAN';
COMMIT;
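The lock and unlock statements above change a single row, so a practitioner will want to see the value before and after and refuse to commit if anything other than exactly one SYSMAN row was touched. The following PL/SQL block is an added example, not code from the original post; it assumes the MGMT_CREATED_USERS table and its USER_NAME / SYSTEM_USER columns exactly as the post uses them, and it locks the account (set the bind value to '1' to re-enable it).

```sql
-- Added example (not from the original post): lock or unlock the SYSMAN
-- console login in one transaction, with a before/after check.
-- Run in SQL*Plus on the repository database as SYSMAN.
SET SERVEROUTPUT ON
VARIABLE new_state VARCHAR2(2)
EXEC :new_state := '-1'   -- '-1' locks the console/emcli login, '1' re-enables it

DECLARE
  v_state  mgmt_created_users.system_user%TYPE;
BEGIN
  -- Read the current value and hold the row so nobody else changes it mid-flight
  SELECT system_user INTO v_state
    FROM mgmt_created_users
   WHERE user_name = 'SYSMAN'
     FOR UPDATE;
  DBMS_OUTPUT.PUT_LINE('SYSMAN SYSTEM_USER before: ' || v_state);

  UPDATE mgmt_created_users
     SET system_user = :new_state
   WHERE user_name = 'SYSMAN';

  -- Exactly one row must have changed; anything else means the table is not
  -- what we expected, so undo and stop rather than commit blindly.
  IF SQL%ROWCOUNT <> 1 THEN
    ROLLBACK;
    RAISE_APPLICATION_ERROR(-20001,
      'Expected exactly one SYSMAN row, updated ' || SQL%ROWCOUNT);
  END IF;
  COMMIT;

  -- Re-read to confirm the committed value
  SELECT system_user INTO v_state
    FROM mgmt_created_users
   WHERE user_name = 'SYSMAN';
  DBMS_OUTPUT.PUT_LINE('SYSMAN SYSTEM_USER after:  ' || v_state);
END;
/
```

After running it, confirm the effect the same way the post does: an `emcli login -username=sysman` attempt should fail while a SQL*Plus connection as SYSMAN still succeeds.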

This is a small and quick tip that helps you secure the SYSMAN login in Oracle Enterprise Manager.


http://emdeepaksharma.com/2019/01/secure-oem/