Database Schemas Found in Oracle E-Business Suite

This appendix covers the following topics:

Table of Database Schemas in Oracle E-Business Suite

Type Schemas Change Managed Description
1 SYS Y N Initial schema in any Oracle database. Owns the SQL data dictionary.
1 SYSTEM Y N Initial DBA User. Used by Oracle E-Business Suite.
1 DBSNMP SYSMAN MGMT_VIEW Y N Used for database status monitoring.
2 SCOTT Y N Demo account delivered with RDBMS.
2 SSOSDK Y N Single Sign On SDK.
3 JUNK_PS MDSYS ODM_MTR OLAPSYS ORDPLUGINS ORDSYS OUTLN OWAPUB MGDSYS Y N  
3 PORTAL30_DEMO PORTAL30_PUBLIC PORTAL30_PS PORTAL30_SSO_PUBLIC Y N Oracle Portal and Portal Single Sign On
4 PORTAL30 PORTAL30_SSO Y Y Oracle Portal and Portal Single Sign On
4 CTXSYS Y Y InterMedia schema used by Online Help and CRM service products for indexing knowledge base data.
4 EDWREP Y Y Embedded Data Warehouse Metadata Repository
4 ODM Y Y Oracle Data Manager
5 APPLSYSPUB Y Y Initial, pre-authentication user with minimal privileges to assist with APPS (FND) user authentication.
5 APPLSYS Y Y Contains shared APPS objects.
5 APPS APPS_NE Y Y Runtime user for E-Business Suite. Owns all of the applications code in the database. (APPS_NE is new in R12.2)
5 APPS_mrc Y Y Optional, additional APPS schemas for the (now obsolete) Multiple Reporting Currencies feature. Defaults to APPS_MRC, but country code suffixes may be used, e.g. APPS_UK, APPS_JP.
5 AD_MONITOR
EM_MONITOR
Y N Used by Oracle Applications Manager (OAM) or EM to monitor patching.
6 ABM AHL AHM AK ALR AMF AMS AMV AMW AP AR ASF ASG ASL ASN ASO ASP AST AX AZ BEN BIC BIL BIM BIS BIV BIX BNE BOM BSC CCT CE CLN CN CRP CS CSC CSD CSE CSF CSI CSL CSM CSP CSR CSS CUA CUE CUF CUG CUI CUN CUP CUS CZ DDD DDR DNA DOM DPP EAA EAM EC ECX EDR EGO ENG ENI EVM FA FEM FII FLM FPA FPT FRM FTE FTP FUN FV GCS GHG GL GMA GMD GME GMF GMI GML GMO GMP GMS GR HR HRI HXC HXT IA IBA IBC IBE IBP IBU IBW IBY ICX IEB IEC IEM IEO IES IEU IEX IGC IGF IGI IGS IGW IMC IMT INL INV IPA IPD IPM ISC ITA ITG IZU JA JE JG JL JMF JTF JTM JTS LNS ME MFG MRP MSC MSD MSO MSR MST MTH MWA OE OKB OKC OKE OKI OKL OKO OKR OKS OKX ONT OPI OSM OTA OZF OZP OZS PA PFT PJI PJM PMI PN PO POA POM PON POS PRP PSA PSB PSP PV QA QOT QP QPR QRM RG RHX RLA RLM RRS SSP VEA VEH WIP WMS WPS WSH WSM XDO XDP XLA XLE XNB XNC XNI XNM XNP XNS XTR ZFA ZPB ZSA ZX Y Y These schemas belong to individual APPS base products. By default the password is the same as the SCHEMA name. Changing the password for these schemas does not affect any configuration files.

In the previous table, "Type" refers to the categories listed in "Change Default Installation Passwords." Change means we recommend changing the default password for the listed schemas. Managed means that AFPASSWD (or FNDCPASS) should be used to change the passwords of the listed schemas.

You can identify Oracle E-Business Suite managed schemas by querying the table FND_ORACLE_USERID. The managed schemas are all listed in FND_ORACLE_USERID. The READ_ONLY_FLAG identifies the category.

Of the two commands to change a managed password, AFPASSWD is the newest and more compliant with security best practice, it is available as of Oracle E-Business Suite Release 12.1.3, AFPASSWD is documented in the Oracle E-Business Suite Maintenance Guide.

In the examples below, we use FNDCPASS syntax as these can be shown on a single line.

For trouble shooting issues with running FNDCPASS, see My Oracle Support Knowledge Document 1306938.1, FNDCPASS Troubleshooting Guide For Login and Changing Applications Passwords.

Note, SQL*Plus provides two methods to change a schema's password: ALTER USER and PASSWORD syntax. To simplify these instructions, we have used the ALTER USER syntax. However, PASSWORD is often mentioned as the preferred method for changing a schema's password due to the lack of an echo back to the terminal.

The syntax for changing a schema password from within SQL*Plus is:

SQL> password <account>
Changing password for <account>
New password: <new-password>
Retype new password: <new-password>

Category 1 - SYS & SYSTEM

Change the passwords for these schemas:

SQL> alter user SYSTEM identified by <NEW_SYSTEM_PASSWORD>;
SQL> alter user SYS identified by <NEW_SYS_PASSWORD>;

Category 1 - DBSNMP, SYSMAN & MGMT_VIEW

These schemas are used by Oracle Enterprise Manager. The Enterprise Manager agent connects to DBSNMP for monitoring and management purposes. The Enterprise Manager application connects to SYSMAN. If you are not using Enterprise Manager with your applications database, follow database instructions for managing this account. If you are using Oracle Enterprise Manager with your applications database, you should change the password for these schemas using sqlplus and configure/re-configure Enterprise Manager accordingly. Instructions to do this are dependent on the version of Oracle Enterprise Manager in use.

Category 2 - SCOTT & SSOSDK

Change the password for SSOSDK:

SQL> alter user SSOSDK identified by <NEW_SSOSDK_PASSWORD>;

Lock the SCOTT schema:

SQL> alter user SCOTT account LOCK;

Category 3 - JUNK_PS, MDSYS, ODM_MTR, OLAPSYS, ORDPLUGINS, ORDSYS, OUTLN, OWAPUB, MGDSYS

Change the passwords for these schemas:

SQL> alter user <SCHEMA> identified by <NEW_PASSWORD_FOR_SCHEMA>;

Category 3 - PORTAL30_DEMO, PORTAL30_PUBLIC, PORTAL30_SSO_PS & PORTAL30_SSO_PUBLIC

If you are using Oracle Login Server and Portal 3.0.9 with Oracle E-Business Suite Release 11i as documented in My Oracle Support Knowledge Document 146469.1, Configuring Oracle Applications 11i With Oracle Portal, you should change the passwords for PORTAL30_PUBLIC, PORTAL30_SSO_PS & PORTAL30_SSO_PUBLIC and lock the PORTAL30_DEMO schema:

SQL> alter user PORTAL30_DEMO account lock;
SQL> alter user PORTAL30_PUBLIC identified by <newpassword>;
SQL> alter user PORTAL30_SSO_PS identified by <newpassword>;
SQL> alter user PORTAL30_SSO_PUBLIC identified by <newpassword>;

If you are not using Oracle Login Server and Portal 3.0.9 with Oracle E-Business Suite Release 11i as documented in My Oracle Support Knowledge Document 146469.1, Configuring Oracle Applications 11i With Oracle Portal, then log into SQL*Plus with administrative privileges and lock these schema:

SQL> alter user PORTAL30_DEMO account lock;
SQL> alter user PORTAL30_PUBLIC account lock;
SQL> alter user PORTAL30_SSO_PS account lock;
SQL> alter user PORTAL30_SSO_PUBLIC account lock;

Alternatively, if you are not using any PORTAL30 integration, you may remove the PORTAL30% schemas by following instructions in My Oracle Support Knowledge Document 312349.1, Remove Oracle Portal 3.0.9 from E-Business Suite 11i.

Category 4 - PORTAL30 & PORTAL30_SSO

If you are using Oracle Login Server and Portal 3.0.9 with Oracle E-Business Suite Release 11i as documented in My Oracle Support Knowledge Document 146469.1, Configuring Oracle Applications 11i With Oracle Portal, you must use FNDCPASS to change the PORTAL30 and PORTAL30_SSO passwords

$ FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ORACLE PORTAL30 <new pwd>
$ FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ORACLE PORTAL30_SSO <new_pwd>

After you change the PORTAL30 and PORTAL30_SSO passwords, run AutoConfig as documented in My Oracle Support Knowledge Document 165195.1, Using AutoConfig to Manage System Configurations with Oracle Applications 11i. For more information, refer to My Oracle Support Knowledge Document 146469.1, Configuring Oracle Applications 11i With Oracle Portal, which describes the Portal 3.0.9 installation.

If you are not using Oracle Login Server and Portal 3.0.9 with Oracle E-Business Suite Release 11i as documented in My Oracle Support Knowledge Document 146469.1, Configuring Oracle Applications 11i With Oracle Portal, then log into SQL*Plus with administrative privileges and lock these schema:

SQL> alter user PORTAL30 account lock;
SQL> alter user PORTAL30_SSO account lock;

Alternatively, if you are not using any PORTAL30 integration, you may remove the PORTAL30% schemas by following instructions in My Oracle Support Knowledge Document 312349.1, Remove Oracle Portal 3.0.9 from E-Business Suite 11i.

Category 4 - EDWREP & ODM

Use FNDCPASS to change the password for these schemas:

$ FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ORACLE <schema> <new_pwd>

If not using Embedded Data Warehouse, lock and expire EDWREP schema.

Category 4 - CTXSYS

Oracle E-Business Suite uses the CTXSYS schema.

The CTXSYS password should be changed to a non-default value using FNDCPASS.

Category 5 - APPLSYS, APPS, APPS_NE & APPS_MRC

APPLSYS, APPS (and APPS_NE in R12.2) and any additional APPS_mrc schemas share the same password. APPS is the shared runtime schema for all E-Business Suite products. APPS_MRC is an obsolete account, although it may be used in older versions of E-Business Suite. FNDCPASS knows the password must be synchronized across these schemas. Use a long (12 or more characters), secure password for these schemas.

$ FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> SYSTEM APPLSYS <new_pwd>

After changing the shared password for these schemas you must run AutoConfig to propagate the changed passwords into the application server configuration files.

All application tier processes (apaches, ccm, forms server) must be restarted following the password change and password propagation.

Category 5 - APPLSYSPUB

APPLSYSPUB schema has sufficient privileges to perform the authentication of an Applications User (also known as FND user), which includes running PL/SQL packages to verify the user name/password combination and the privilege to record the success or failure of a login attempt.

If you choose to change this password; you must use FNDCPASS and run AutoConfig to propagate the change to application tier configuration files.

Before running AutoConfig, update the s_gwyuid_pass variable in the AutoConfig context file:

$ vi $CONTEXT_FILE

Note that the APPLSYSPUB password must be uppercase, even if case sensitive passwords have been turned on in your database 11g or higher (SEC_CASE_SENSITIVE_LOGON=true).

$ FNDCPASS APPS/<apps_pwd> 0 Y SYSTEM/<system_pwd> ORACLE APPLSYSPUB <new_pwd>

All application tier processes must be restarted following the password change and password propagation.

Category 5 - AD_MONITOR

Oracle Applications Manager uses this schema to monitor running patches. Although the default password for AD_MONITOR is 'lizard', the schema is shipped locked and expired.

The SQL script $AD_TOP/patch/115/sql/admonusr.sql creates AD_MONITOR.

Category 6 - ABM ... ZX

Change all of these product schema passwords. For more information, see Change Default Installation Passwords.

If after running this ALLORACLE command you are still left with some schemas with unchanged password the reason may be that the schema is no longer "registered" as an Oracle E-Business Suite schema in FND_ORACLE_USERID. If this is the case, then the Oracle E-Business Suite password utility (AFPASSWD or FNDCPASS) will not change the password. You will need to use the Oracle Database SQL command ALTER USER to change any remaining schema passwords that still have default values.

This can happen for the following schemas: IBA IMT IPD OKB OKO OKR ABMAHM VEH XNC XNI XNM XNS RHX RLA which are no longer used in Oracle E-Business Suite Release 12, but may have been carried forward during database upgrades.