Oracle Database System Privileges Accounts and Passwords

Review these system privileges accounts after installation in preparation for unlocking accounts and changing passwords.

All databases created by the Database Configuration Assistant (DBCA) include the SYS, SYSTEM, and DBSNMP database accounts. In addition, Oracle Database provides several other administrative accounts. Before using these accounts, you must unlock them and reset their passwords.

Starting with Oracle Database 12c Release 2 (12.2), only the HR sample schema is automatically installed after a database installation. All sample schemas, including HR, are distributed on GitHub:

https://github.com/oracle/db-sample-schemas

Note:

This list contains some of the important system privileges user accounts, but it is not complete. Use Oracle Enterprise Manager Database Express 12c to view the complete list of database accounts.

Table 12-1 Partial List of Oracle Database System Privileges Accounts Locked After Installation

User Name	Description	For More Information
ANONYMOUS	Enables HTTP access to Oracle XML DB.	Oracle XML DB Developer's Guide
APEX_050100	The account that owns the Oracle Application Express schema and metadata.	Oracle Application Express App Builder User’s Guide
APEX_PUBLIC_USER	The minimally privileged account used for Oracle Application Express configuration with Oracle Application Express Listener or Oracle HTTP Server and `mod_plsql`.	Oracle Application Express App Builder User’s Guide
APPQOSSYS	Used for storing and managing all data and metadata required by Oracle Quality of Service Management.	None
AUDSYS	The account where the unified audit data trail resides.	Oracle Database Security Guide
CTXSYS	The Oracle Text account.	Oracle Text Application Developer's Guide
DBSFWUSER	The account used to run the DBMS_SFW_ACL_ADMIN package.	Oracle Database PL/SQL Packages and Types Reference
DBSNMP	The account used by the Management Agent component of Oracle Enterprise Manager to monitor and manage the database.	Oracle Enterprise Manager Cloud Control Administrator's Guide
DIP	The account used by the Directory Integration Platform (DIP) to synchronize the changes in Oracle Internet Directory with the applications in the database.	None
DVSYS	There are two roles associated with this account. The Database Vault owner role manages the Database Vault roles and configurations. The Database Vault Account Manager is used to manage database user accounts. Note: Part of Oracle Database Vault user interface text is stored in database tables in the DVSYS schema. By default, only the English language is loaded into these tables. You can use the `DVSYS.DBMS_MACADM.ADD_NLS_DATA` procedure to add other languages to Oracle Database Vault.	Oracle Database Vault Administrator's Guide
DVF	The account owned by Database Vault that contains public functions to retrieve the Database Vault Factor values.	Oracle Database Vault Administrator's Guide
FLOWS_FILES	The account owns the Oracle Application Express uploaded files.	Oracle Application Express App Builder User’s Guide
GGSYS	The internal account used by Oracle GoldenGate. It should not be unlocked or used for a database login.	None
GSMADMIN_INTERNAL	The internal account that owns the Global Data Services schema. It should not be unlocked or used for a database login.	Oracle Database Global Data Services Concepts and Administration Guide
GSMCATUSER	The account used by Global Service Manager to connect to the Global Data Services catalog.	Oracle Database Global Data Services Concepts and Administration Guide
GSMUSER	The account used by Global Service Manager to connect to the database.	Oracle Database Global Data Services Concepts and Administration Guide
HR	The account that owns the Human Resources schema included in the Oracle Sample Schemas.	Oracle Database Sample Schemas
LBACSYS	The Oracle Label Security administrator account. Starting with Oracle Database 18c, the LBACSYS user account is created as a schema-only account.	Oracle Label Security Administrator’s Guide
MDDATA	The schema used by Oracle Spatial and Graph for storing geocoder and router data.	Oracle Spatial and Graph Developer's Guide
MDSYS	The Oracle Spatial and Graph administrator account.	Oracle Spatial and Graph Developer's Guide
OUTLN	The account that supports plan stability. Plan stability enables you to maintain the same execution plans for the same SQL statements. OUTLN acts as a role to centrally manage metadata associated with stored outlines.	None
ORACLE_OCM	This account contains the instrumentation for configuration collection used by the Oracle Configuration Manager.	None
REMOTE_SCHEDULER_AGENT	The account to disable remote jobs on a database. This account is created during the remote scheduler agent configuration. You can disable the capability of a database to run remote jobs by dropping this user.	Oracle Database Administrator’s Guide
SYS	The account used to perform database administration tasks.	Oracle Database Administrator’s Guide
SYSTEM	Another account used to perform database administration tasks.	Oracle Database Administrator’s Guide
SYSBACKUP	The account used to perform backup and recovery tasks.	Oracle Database Administrator’s Guide
SYSKM	The account used to perform encryption key management.	Oracle Database Administrator’s Guide
SYSDG	The account used to administer and monitor Oracle Data Guard.	Oracle Database Administrator’s Guide
SYSRAC	The account used to administer Oracle Real Application Clusters (RAC).	Oracle Database Administrator’s Guide
SYS$UMF	The account used to administer Remote Management Framework, including the remote Automatic Workload Repository (AWR).	Oracle Database Performance Tuning Guide
WMSYS	The account used to store the metadata information for Oracle Workspace Manager.	Oracle Database Workspace Manager Developer's Guide
XDB	The account used for storing Oracle XML DB data and metadata.	Oracle XML DB Developer’s Guide
XS$NULL	The internal account that represents the absence of a database schema user in a session, and indicates an application user session is in use. XS$NULL cannot be authenticated to a database, nor can it own any database schema objects, or possess any database privileges.	Oracle Database Real Application Security Administrator's and Developer's Guide

Except for the accounts provided with the Oracle Sample Schemas, most of these database accounts are locked by default and created without passwords as schema only. This prevents malicious users from logging into these accounts using the default password set during catalog creation. To find the status of an account, query the AUTHENTICATION_TYPE column of the DBA_USERS data dictionary view. If AUTHENTICATION_TYPE is schema only, then the status is NONE.

Many of these accounts are automatically created when you run standard scripts such as the various cat*.sql scripts. To find user accounts that are created and maintained by Oracle, query the USERNAME and ORACLE_MAINTAINED columns of the ALL_USERS data dictionary view. If the output for ORACLE_MAINTAINED is Y, then you must not modify the user account except by running the script that was used to create it.