Share this
by Uldis Augulis on Nov 1, 2023 10:16:53 AM
If you have started familiarizing yourself with Oracle Cloud Infrastructure (OCI) Autonomous Database (ADB) service, you most probably know it is a fully automated service, that provides an opportunity to concentrate effort on development and fast delivery, rather than spending time on provisioning hardware and software media, installation and configuration routines as well as spending time on daily maintenance activities such as patching, backup strategy implementation, etc.
Even if it is a fully automated service, there may be cases, where company standards require internal or external auditors and/or in-house or outsourced security teams, to assess, evaluate, and audit the safety of database and data access. Audit requests could be related to SOX compliance requirements or similar.
As a result, side-driving the auditing process and preparing auditing reports may be and most probably will be interested in database schemas that are present in Autonomous Database (ADB).
The purpose of this article is to provide the list of seeded schemas and corresponding details like schema status (OPEN/LOCKED), belonging to schema maintainability (Oracle maintained / Cloud maintained), and schema description.
The below table contains a list of seeded schemas from the Autonomous Transaction Processing (ATP) database instance.
NOTE: Not all schemas presented in the below table are described. There are a number of C## like schemas that are considered Oracle's Internal Schemas, therefore no description is available for those. In order to clarify details regarding the purpose and usage of C## schemas, I created an Oracle SR in My Oracle Support portal, however desired outcome was not achieved, Oracle support specialist did not share any information regarding internal schemas.
|
Schema name |
Schema status |
Oracle maintained |
Cloud maintained |
Description |
|
ADBSNMP |
LOCKED |
YES |
YES |
This schema is created out-of-the-box when the Autonomous Database is created in Oracle Cloud Infrastructure. The schema used by the Management Agent component of Oracle Enterprise Manager to monitor and manage the database. This schema is locked by default. You can reset the password and unlock the schema using the OCI console. |
|
ADMIN |
OPEN |
NO |
NO |
This is the super user for the Autonomous Database and is required for real-time database management. Note: The Admin user can also perform monitoring tasks, however, it is recommended that the Monitoring User (ADBSNMP) schema is used for monitoring. In the Oracle Autonomous Database, the ADMIN user is pre-enabled for SQL Developer Web. |
|
APEX$_APP_STORE |
LOCKED |
NO |
NO |
Default schema for APEX development. |
|
APEX_220200 |
LOCKED |
YES |
YES |
APEX release schema. |
|
APPQOSSYS |
LOCKED |
YES |
YES |
Schema used for storing/managing all data and metadata required by Oracle Quality of Service Management. |
|
AUDSYS |
LOCKED |
YES |
YES |
Oracle Autonomous Database writes audit records to the AUDSYS schema. |
|
C##ADP$SERVICE |
LOCKED |
YES |
YES |
This is Oracle's Internal Schema. No information was found regarding the schema. Information not shared by Oracle after SR opened in My Oracle Support. |
|
C##API |
OPEN |
YES |
YES |
This is Oracle's Internal Schema. No information was found regarding the schema. Information not shared by Oracle after SR opened in My Oracle Support. |
|
C##CLOUD$SERVICE |
OPEN |
YES |
YES |
This is Oracle's Internal Schema. No information was found regarding the schema. Information not shared by Oracle after SR opened in My Oracle Support. |
|
C##CLOUD_OPS |
OPEN |
YES |
YES |
This is Oracle's Internal Schema. No information was found regarding the schema. Information not shared by Oracle after SR opened in My Oracle Support. |
|
C##DATA$SHARE |
OPEN |
YES |
YES |
This is Oracle's Internal Schema. No information was found regarding the schema. Information not shared by Oracle after SR opened in My Oracle Support. |
|
C##DNSREST |
OPEN |
YES |
YES |
This is Oracle's Internal Schema. No information was found regarding the schema. Information not shared by Oracle after SR opened in My Oracle Support. |
|
C##DV_ACCT_ADMIN |
LOCKED |
YES |
YES |
This is Oracle's Internal Schema. No information was found regarding the schema. Information not shared by Oracle after SR opened in My Oracle Support. Assuming that schema is related to Oracle Database Vault for Cloud. |
|
C##DV_OWNER |
LOCKED |
YES |
YES |
This is Oracle's Internal Schema. No information was found regarding the schema. Information not shared by Oracle after SR opened in My Oracle Support. Assuming that schema is related to Oracle Database Vault for Cloud. |
|
C##OMLIDM |
OPEN |
YES |
YES |
This is Oracle's Internal Schema. No information was found regarding the schema. Information not shared by Oracle after SR opened in My Oracle Support. |
|
C##OMLREST2 |
OPEN |
YES |
YES |
This is Oracle's Internal Schema. No information was found regarding the schema. Information not shared by Oracle after SR opened in My Oracle Support. |
|
C##RFS |
OPEN |
YES |
YES |
This is Oracle's Internal Schema. No information was found regarding the schema. Information not shared by Oracle after SR opened in My Oracle Support. |
|
CTXSYS |
LOCKED |
YES |
YES |
The schema used to administer Oracle Text. |
|
DBSFWUSER |
LOCKED |
YES |
YES |
The schema used to run the DBMS_SFW_ACL_ADMIN package. |
|
DBSNMP |
LOCKED |
YES |
YES |
The schema used by the Management Agent component of Oracle Enterprise Manager to monitor and manage the database. |
|
DCAT_ADMIN |
LOCKED |
NO |
YES |
Local database schema that can run a sync and grant READ privilege on synced tables to other users or roles. The user is created as a no-authentication user without the CREATE SESSION privilege. |
|
DIP |
LOCKED |
YES |
YES |
The schema used by the Directory Integration Platform (DIP) to synchronize the changes in Oracle Internet Directory with the applications in the database. |
|
DVF |
LOCKED |
YES |
YES |
The schema owned by Database Vault contains public functions to retrieve the Database Vault Factor values. |
|
DVSYS |
LOCKED |
YES |
YES |
There are two roles associated with this schema. The Database Vault owner role manages the Database Vault roles and configurations. The Database Vault Account Manager is used to manage database user accounts. |
|
FLOWS_FILES |
LOCKED |
YES |
YES |
The schema owns the Oracle Application Express uploaded files. |
|
GGADMIN |
LOCKED |
NO |
YES |
Oracle GoldenGate administrator schema. |
|
GGSYS |
LOCKED |
YES |
YES |
The internal schema used by Oracle GoldenGate. It should not be unlocked or used for a database login. |
|
GRAPH$METADATA |
OPEN |
YES |
YES |
This is Oracle's Internal Schema. No information was found regarding the schema. Information not shared by Oracle after SR opened in My Oracle Support. |
|
GRAPH$PROXY_USER |
OPEN |
YES |
YES |
This is Oracle's Internal Schema. No information was found regarding the schema. Information not shared by Oracle after SR opened in My Oracle Support. |
|
GSMADMIN_INTERNAL |
LOCKED |
YES |
YES |
The internal schema that owns the Global Data Services. It should not be unlocked or used for a database login. |
|
GSMCATUSER |
LOCKED |
YES |
YES |
GSMCATUSER and GSMUSER schemas are shared by all global service managers in the Global Data Services framework and used for all management operations performed by global service managers, including automatic operations such as service failover. Human users should never connect to databases using these schemas. |
|
GSMUSER |
LOCKED |
YES |
YES |
GSMCATUSER and GSMUSER schemas are shared by all global service managers in the Global Data Services framework and used for all management operations performed by global service managers, including automatic operations such as service failover. Human users should never connect to databases using these schemas. |
|
LBACSYS |
LOCKED |
YES |
YES |
Oracle Label Security schema. LBACSYS is created as a locked schema with its password expired. |
|
MDDATA |
LOCKED |
YES |
YES |
The schema used by Oracle Spatial for storing Geocoder and router data. |
|
MDSYS |
LOCKED |
YES |
YES |
The Oracle Spatial and Oracle Multimedia Locator administrator schema. |
|
MTSSYS |
LOCKED |
YES |
YES |
Schema for Microsoft Transaction Server. |
|
ODI$PROXY |
OPEN |
YES |
YES |
Schema for Oracle Data Integrator. |
|
ODI_REPO_USER |
OPEN |
YES |
YES |
Schema for Oracle Data Integrator repository. |
|
OML$METADATA |
OPEN |
YES |
YES |
Schema for Oracle Machine Learning. |
|
OML$MODELS |
OPEN |
YES |
YES |
Schema for Oracle Machine Learning Services. |
|
OML$PROXY |
OPEN |
YES |
YES |
Schema for Oracle Machine Learning for Python. |
|
OMLMOD$PROXY |
OPEN |
YES |
YES |
This is Oracle's Internal Schema and it is restricted to share information on it. |
|
ORACLE_OCM |
LOCKED |
YES |
YES |
This schema contains the instrumentation for configuration collection used by the Oracle Configuration Manager. |
|
ORDS_METADATA |
LOCKED |
YES |
YES |
Owner of the PL/SQL packages used for implementing many Oracle REST Data Services capabilities. ORDS_METADATA is where the metadata about Oracle REST Data Services-enabled schemas is stored. |
|
ORDS_PLSQL_GATEWAY |
OPEN |
YES |
YES |
Oracle REST Data Services related schema. |
|
ORDS_PUBLIC_USER |
OPEN |
YES |
YES |
Schema for invoking RESTful Services in the Oracle REST Data Services-enabled schemas. |
|
OUTLN |
LOCKED |
YES |
YES |
The schema that supports plan stability. Plan stability prevents certain database environment changes from affecting the performance characteristics of applications by preserving execution plans in stored outlines. OUTLN acts as a role to centrally manage metadata associated with stored outlines. |
|
PYQSYS |
LOCKED |
YES |
YES |
Schema for Oracle® Machine Learning for Python. |
|
REMOTE_SCHEDULER_AGENT |
LOCKED |
YES |
YES |
Schema for Oracle Scheduler agent to run remote jobs. |
|
RMAN$CATALOG |
OPEN |
YES |
YES |
The Recovery Manager (RMAN) recovery catalog is preinstalled in the Autonomous Database in schema RMAN$CATALOG. The preinstalled catalog version is based on the latest version of Oracle Database and is compatible with all supported Oracle database versions. |
|
RMAN$VPC |
OPEN |
NO |
YES |
Access to the recovery catalog is provided through a predefined schema RMAN$VPC with the appropriate access to the recovery catalog only. The RMAN$VPC schema is locked by default. You can either proxy to the predefined user RMAN$VPC through the ADMIN user or explicitly unlock the preinstalled schema. |
|
RQSYS |
LOCKED |
YES |
YES |
The RQSYS schema is the system account for Oracle R Enterprise in Oracle Database. It contains metadata, PL/SQL packages, and other executable code that is used internally by Oracle R Enterprise Server. |
|
SH |
LOCKED |
YES |
YES |
Sample Schema. |
|
SSB |
LOCKED |
YES |
YES |
D Sample Star Schema Benchmark (SSB) Queries. The SSB schema contains the tables: lineorder, customer, supplier, part, and dwdate. Both SH and SSB are provided as schema-only users, so you cannot unlock or drop those users or set a password. And the storage of the sample data sets does not count towards your database storage. |
|
SYS |
OPEN |
YES |
YES |
The schema used to perform database administration tasks. |
|
SYS$UMF |
LOCKED |
YES |
YES |
Schema to execute the DBMS_UMF package that provides an interface for deploying the Remote Management Framework (RMF) for an Oracle Database. The RMF is used for collecting performance statistics for an Oracle Database. |
|
SYSBACKUP |
LOCKED |
YES |
YES |
In Oracle 12cR1, Oracle introduced the SYSBACKUP permission which allows a user to perform backup and recovery operations either from Oracle Recovery Manager (RMAN) or SQL*Plus. |
|
SYSDG |
LOCKED |
YES |
YES |
Schema SYSDG with the SYSDG administrative privilege to perform Data Guard operations. |
|
SYSKM |
LOCKED |
YES |
YES |
Schema SYSKM is short for "system key management", and as the name implies, SYSKM is for key management tasks. These key management tasks include transparent data encryption (TDE) (managing the encryption keys) and data vault operations. |
|
SYSRAC |
LOCKED |
YES |
YES |
The SYSRAC administrative privilege is the default mode of connecting to the database by the Oracle Clusterware agent on behalf of Oracle RAC utilities, such as SRVCTL, meaning that no SYSDBA connections to the database are necessary for the everyday administration of Oracle RAC database clusters. |
|
SYSTEM |
LOCKED |
YES |
YES |
Default generic database administrator account. |
|
XDB |
LOCKED |
YES |
YES |
The schema used for storing Oracle XML DB data and metadata. |
|
XS$NULL |
EXPIRED & LOCKED |
YES |
YES |
An internal schema that represents the absence of a user in a session. Because XS$NULL is not a user, this account can only be accessed by the Oracle Database instance. XS$NULL has no privileges and no one can authenticate as XS$NULL, nor can authentication credentials ever be assigned to XS$NULL. |
Thanks a lot for reading this article. I do hope that the information provided above will help you address questions that may come to you during the auditing process.
In addition, the above list gives you a little insight into Oracle Cloud Infrastructure (OCI) Autonomous Database (ADB) service.
No Comments Yet
Let us know what you think