I create users using the "sysdba" user and I notice that all the created users have implicit rights(all rights) on sysdba database. How to avoid this and can these rights be revoked?
Solved! Go to Solution.
Are you referring to the (explicit) automatic rights given to the creator (SYSDBA) on the object created (someCreatedUser)? Automatic rights cannot be prevented, but as a rule anything you see in dbc.AllRightsV can be revoked.
If you are actually seeing UserName=someCreatedUser and DatabaseName=SYSDBA as stated, then an Owner of someCreatedUser must have been granted those rights with TO ALL option (AllnessFlag=Y). To prevent this from happening for new users, you could revoke those rights from the Owner (and then re-GRANT without TO ALL option, if the Owner itself should have the right).
Implicit rights are something else (and those cannot be revoked). Namely, an Owner can always grant access on its descendants whether or not that Owner explicitly holds the corresponding right.
You probably confused UserName and DatabaseName, sysdba (being the creator) got rights on the new user, but the new user didn't get any rights on sysdba.
Thanks for the responses Fred and Dieter!
Here is what is happenning. When I use SYSDBA user , to create a user let's say ABC, then ABC user is getting all the rights on SYSDBA automatically. Here is an example from DBC.ALLRIGHTS. If you look at the output below, then the user ABC is getting sh, EF, CU.....(everything) on sysdba.
Then it's most likely second situation I mentioned - TO ALL option was used which requests automatic rights for new descendants (as well as explicit rights for existing descendants).
Look at the access rights for the owner of ABC for access rights with AllnessFlag=Y. If you don't see any for the immediate owner of ABC (say XYZ) then look at the rights for the owner of XYZ, and so on.