When you manage a CDB, for the most part you are connecting to the root container as SYS and performing tasks as you would with a non-CDB database.
I would recommend different users for different tasks, such as backing up, creating new PDBs, and cloning. Even though these are SYSDBA-level tasks, it still makes sense to leave SYSOPER permissions to a different user instead of the risk of shutting down a CDB.
Enough of the separation of duties soapbox. However, there are several points to be aware of thatare specific to maintaining a CDB. The following tasks can be performed only while connected to the root container with SYSDBA privileges:
• Starting/stopping the instance
• Enabling/disabling archive log mode
• Managing instance settings that affect all databases with the CDB, such as overall memory size
• Backup and recovery of all data files within the database
• Managing control files (adding, restoring, removing, and so on)
• Managing online redo logs
• Managing the root UNDO tablespace
• Managing the root TEMP tablespace
• Creating common users and roles
• Creating PDBs and application containers
Connecting to the Root Container
Connecting to the root container as SYS allows you to perform all the tasks you normally associate with database administration.
You can connect as SYS locally from the database server through OS authentication or a network connection (which requires a listener and password file).
It is recommended that there are roles that are set up for CDB administrators to be able to use individual accounts and not log in via SYS.
Logins on the server would be needed only when performing the server tasks; otherwise, the connection to the CDB through a network connection should be what is allowed for security and compliance.
