With job role separation in Oracle, each Oracle Database installation has separate operating system groups to provide authorization for system privileges on that Oracle Database. Multiple databases can, therefore, be installed on the cluster without sharing operating system authorization for system privileges. In addition, each Oracle software installation is owned by a separate installation owner, to provide operating system user authorization for modifications to Oracle Database binaries.
OS Users and Groups
The documentation discusses the following groups.
Generic Name         OS Group   Admin Privilege  Description
==================== ========== ================ =================================
OraInventory Owner   oinstall                    (Mandatory)
OSDBA                dba        SYSDBA           Full admin privileges (Mandatory)
OSOPER               oper       SYSOPER          Subset of admin privileges
OSDBA (for ASM)      asmdba
OSASM                asmadmin   SYSASM           ASM management
OSOPER (for ASM)     asmoper
OSBACKUPDBA          backupdba  SYSBACKUP        RMAN management
OSDGDBA              dgdba      SYSDG            Data Guard management
OSKMDBA              kmdba      SYSKM            Encryption key management
OSRACDBA             racdba     SYSRAC           Real Application Clusters management
Remember, if DBAs are the only people in your organisation that are allowed to manage Oracle functionality (databases, ASM, grid infrastructure etc.), these admin privileges are not needed. The only mandatory OS groups are “oinstall” and “dba”.
Creating OS Groups and Users
If you have used a preinstall package, like “oracle-rdbms-server-12cR1-preinstall”, to perform the prerequisites on Oracle Linux, the “oinstall”, “dba” and “oper” groups will be created already. The other groups can be created manually as follows.
groupadd -g 54321 oinstall
groupadd -g 54322 dba
groupadd -g 54323 oper
groupadd -g 54327 asmdba
groupadd -g 54328 asmoper
groupadd -g 54329 asmadmin
groupadd -g 54324 backupdba
groupadd -g 54325 dgdba
groupadd -g 54326 kmdba
# 12.2 only.
groupadd -g 54330 racdba

With the groups in place, you can create the “oracle” user with the useradd command.
useradd -u 54321 -g oinstall -G dba,oper,asmdba,backupdba,dgdba,kmdba oracle
If the “oracle” user already exists, it can be amended using the usermod command.
usermod -g oinstall -G dba,oper,asmdba,backupdba,dgdba,kmdba oracle
The id command shows the current settings for the user.

id oracle
uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),54323(oper),54324(backupdba),54325(dgdba),54326(kmdba),54327(asmdba)
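On a host that already has accounts, the fixed GIDs in the groupadd commands above can collide with existing groups, which would silently hand an unrelated group the role-separated privilege. The following dry-run planner is an added example, not part of the original post; the function names plan_groups and sample_group_file and the output keywords (OK, MISMATCH, CONFLICT) are assumptions made for the example, while the group names and GIDs are the page's.

```shell
#!/bin/sh
# Added example: dry-run planner for the groupadd commands listed on this page.
# plan_groups, sample_group_file and the status keywords are hypothetical names.

# name:gid pairs taken from the page (racdba applies to 12.2 only).
ORACLE_GROUPS="oinstall:54321 dba:54322 oper:54323 backupdba:54324 dgdba:54325
kmdba:54326 asmdba:54327 asmoper:54328 asmadmin:54329 racdba:54330"

# plan_groups [GROUP_FILE]
# Reads an /etc/group-format file and prints one line per wanted group:
#   OK name                              exists with the expected GID
#   MISMATCH name has=G want=W           name exists under a different GID
#   CONFLICT name gid=G used-by=other    GID is already held by another group
#   groupadd -g GID name                 safe to create as the page shows
plan_groups() {
    group_file="${1:-/etc/group}"
    for pair in $ORACLE_GROUPS; do
        name="${pair%%:*}"
        gid="${pair##*:}"
        awk -F: -v n="$name" -v g="$gid" '
            $1 == n            { have_gid = $3 }
            $3 == g && $1 != n { owner = $1 }
            END {
                if (have_gid == g)       print "OK " n
                else if (have_gid != "") print "MISMATCH " n " has=" have_gid " want=" g
                else if (owner != "")    print "CONFLICT " n " gid=" g " used-by=" owner
                else                     print "groupadd -g " g " " n
            }' "$group_file"
    done
}

# Constructed sample group database (not taken from a real host).
sample_group_file() {
    cat <<'EOF'
root:x:0:
oinstall:x:54321:
dba:x:54322:oracle
oper:x:1001:oracle
appteam:x:54327:alice
EOF
}
```

Called with no argument, plan_groups reads /etc/group; any MISMATCH or CONFLICT line should be resolved before creating the groups or the “oracle” user.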