Keep “SYSMAN” user locked for general use in Oracle Enterprise Manager.
Sometimes, you may wish to prevent SYSMAN from logging in to the OEM console. This is one of the good practices I follow in my organization. I make sure that OEM administrators log in using their own individual accounts to perform daily operations rather than using the SYSMAN account. Also, if required, I make them Super Administrators rather than regular Administrators, which gives them some extra permissions to perform admin operations. However, the Super Administrator privilege should be limited to users who truly need all the permissions it grants.
Having multiple Super Administrator accounts reduces the need for SYSMAN access. SYSMAN is the schema owner and is more privileged than Enterprise Manager Super Administrators.
By executing the following SQL statement on the Repository database as the SYSMAN user, you can lock the SYSMAN user's login to the OEM console:
UPDATE MGMT_CREATED_USERS SET SYSTEM_USER='-1' WHERE user_name='SYSMAN';
COMMIT;
Once you have disabled the account, you will still be able to log in as “sysman” as a repository user, but access to the OEM console and to “emcli login -username=sysman” will be restricted. In both cases you will see errors like:
SQL> UPDATE MGMT_CREATED_USERS SET SYSTEM_USER='-1' WHERE user_name='SYSMAN'
  2
  3  ;
1 row updated.
SQL> commit;
Commit complete.
SQL> conn / as sysdba
Connected.
SQL> show user
USER is "SYS"
SQL> conn sysman
Enter password:
Connected.
SQL>
SQL>
SQL> exit
Disconnected from Oracle Database 12c Enterprise Edition Release 188.8.131.52.0 - 64bit Production
With the Partitioning, OLAP, Advanced Analytics and Real Application Testing options
You have new mail in /var/spool/mail/oracle
[oracle@houoemap2 bin]$ pwd
/app/oracle/product/middleware/middleware13c/bin
[oracle@houoemap2 bin]$ ./emcli login -username=sysman
Enter password :
Error: Login failed. Retry with correct hostname, port or username / password else check the log files for further details. Log file location is : /app/oracle/product/middleware/gc_inst1/em/EMGC_OMS1/sysman/emcli/setup/.emcli/.emcli.log
[oracle@houoemap2 bin]$
After disabling SYSMAN from logging in to the console, you can re-enable it by executing:
UPDATE MGMT_CREATED_USERS SET SYSTEM_USER='1' WHERE user_name='SYSMAN';
COMMIT;
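A guarded way to apply either change from a script, as an added example that is not part of the original post: it reads the current value, changes it only when needed, and commits only if exactly one row was touched. The table, columns and the '-1' / '1' values come from the post; the constant name and error numbers are assumptions chosen for illustration.

```sql
-- Added example (not from the original post). Run in SQL*Plus on the
-- repository database as SYSMAN. Table and column names come from the post.
SET SERVEROUTPUT ON
WHENEVER SQLERROR EXIT FAILURE ROLLBACK

DECLARE
  -- '-1' blocks console/emcli login, '1' re-enables it (values from the post).
  c_target CONSTANT VARCHAR2(2) := '-1';
  v_before mgmt_created_users.system_user%TYPE;
BEGIN
  -- SELECT INTO fails unless exactly one SYSMAN row exists; FOR UPDATE holds
  -- the row lock until COMMIT or ROLLBACK.
  SELECT system_user
    INTO v_before
    FROM mgmt_created_users
   WHERE user_name = 'SYSMAN'
     FOR UPDATE;

  IF v_before = c_target THEN
    ROLLBACK;  -- release the row lock, nothing to change
    DBMS_OUTPUT.PUT_LINE('No change: SYSTEM_USER is already ' || v_before);
    RETURN;
  END IF;

  UPDATE mgmt_created_users
     SET system_user = c_target
   WHERE user_name = 'SYSMAN';

  IF SQL%ROWCOUNT <> 1 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Expected to update 1 row, updated ' || SQL%ROWCOUNT);
  END IF;

  COMMIT;
  -- The previous value is printed so the change can be reverted exactly.
  DBMS_OUTPUT.PUT_LINE('SYSTEM_USER changed from ' || v_before ||
                       ' to ' || c_target || ' for SYSMAN');
EXCEPTION
  WHEN NO_DATA_FOUND THEN
    RAISE_APPLICATION_ERROR(-20002, 'No SYSMAN row in MGMT_CREATED_USERS');
END;
/
```

Set c_target to '1' to re-enable the login with the same checks.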
This is a small, quick tip you can use to secure your SYSMAN login in Oracle Enterprise Manager.