Dangerous Alter User Permissions

Dangerous Alter User permission Alter user is a very powerful permission in the Oracle database system. It can modify attributes of general users, such as the default tablespace and profile, or even change the password of SYS users. Therefore, this permission is very dangerous, and you should be very careful when granting permissions. If an existing USER already has the ALTER user permission and cannot return the revoke, you can use the following trigger method to prevent any USER with the Alter user permission from modifying the SYSDBA password: SQL> grant alter user to alteruser; Grant succeeded. SQL> select * from DBA_SYS_PRIVS where grantee like 'alter % USER % '; grantee privilege admin _ ------------------ users ------ alteruser unlimited tablespace noalteruser alter user no SQL> conn/as sysdbaConnected. SQL> CREATE or REPLACE TRIGGER prohibit_alter_SYSTEM_SYS_pass BEFORE ALTER on ALTERUSER. schema begin if ora_sysevent = 'alter 'and ora_dict_obj_type = 'USER' and (ora_dict_obj_name = 'system' or ora_dict_obj_name = 'sys') THEN RAISE_APPLICATION_ERROR (-20003, 'You are not allowed to alter SYSTEM/SYS user. '); end if; END;/Trigger created. example: SQL> conn alteruser/oracleConnected. SQL> alter user system identified by manager; alter user system identified by manager * ERROR at line 1: ORA-00604: error occurred at recursive SQL level 1ORA-20003: you are not allowed to alter SYSTEM/SYS user. ORA-06512: at line 5 SQL> alter user sys identified by manager; alter user sys identified by manager * ERROR at line 1: ORA-00604: error occurred at recursive SQL level 1ORA-20003: you are not allowed to alter SYSTEM/SYS user. ORA-06512: at line 5 SQL> alter user dbsnmp identified by dbsnmp; User altered.