Subscribe to Posts by Email

Subscriber Count

    699

Disclaimer

All information is offered in good faith and in the hope that it may be of use for educational purpose and for Database community purpose, but is not guaranteed to be correct, up to date or suitable for any particular purpose. db.geeksinsight.com accepts no liability in respect of this information or its use. This site is independent of and does not represent Oracle Corporation in any way. Oracle does not officially sponsor, approve, or endorse this site or its content and if notify any such I am happy to remove. Product and company names mentioned in this website may be the trademarks of their respective owners and published here for informational purpose only. This is my personal blog. The views expressed on these pages are mine and learnt from other blogs and bloggers and to enhance and support the DBA community and this web blog does not represent the thoughts, intentions, plans or strategies of my current employer nor the Oracle and its affiliates or any other companies. And this website does not offer or take profit for providing these content and this is purely non-profit and for educational purpose only. If you see any issues with Content and copy write issues, I am happy to remove if you notify me. Contact Geek DBA Team, via geeksinsights@gmail.com

Pages

12c Database: New groups for OS Authentication and New Sys roles and users

From 12c onwards we have seperate roles to be created for OS Authentication

Prior to 12c we have OSDBA, OSOPER, OSASM, OSDBA, OSOPER groups

From 12c onwards,

	OSBACKUPDBA maps to backupdba by default and is used to allow users to backup the database. Users in this group can connect as SYSBACKUP and have their privileges limited to what is needed for backup and recovery operations.

	OSDGDBA typically maps to dgdba and is used to administer and monitor Data Guard configurations. Members of the group can connect as SYSDBG)

	OSKMDBA typically maps to kmdba and allows the user connecting with the SYSKM role to perform key management and encryption tasks.

So first of all you have to create the required OS groups along with new 11g groups

	for i in asmdba asmadmin oinstall dba backupdba kmdba dgdba; do
	  groupadd $i
	done

Add the oinstall user as secondary group for all the groups you have created

	# useradd -g oinstall -G asmdba,dba,backupdba,dgdba,kmdba oracle
	# passwd oracle

Create the asmdba, asmadmin, grid users

	# useradd -g oinstall -G asmdba,asmadmin grid

# passwd grid

After you install 12c and select the above groups appropriately, the following database users will be created for you

	SQL> select username,account_status
	  2  from dba_users
	  3  where username like 'SYS%';

	USERNAME             ACCOUNT_STATUS
	-------------------- --------------------------------
	SYS                  OPEN
	SYSTEM               OPEN
	SYSBACKUP            EXPIRED
	SYSKM                EXPIRED & LOCKED
	SYSDG                EXPIRED & LOCKED

Upon checking the password file users you find the respective roles assigned to the users created.

	SQL> select * from v$pwfile_users;

	USERNAME                       SYSDB SYSOP SYSAS SYSBA SYSDG SYSKM     CON_ID
	------------------------------ ----- ----- ----- ----- ----- ----- ----------
	SYS                            TRUE  TRUE  FALSE FALSE FALSE FALSE          0
	SYSDG                          FALSE FALSE FALSE FALSE TRUE  FALSE          1
	SYSBACKUP                      FALSE FALSE FALSE TRUE  FALSE FALSE          1
	SYSKM                          FALSE FALSE FALSE FALSE FALSE TRUE           1

For example if you want to take a backup of rman (suppose you belongs to a team who has to do backups )

	rman / as sysbackup

-Thanks
Geek DBA

Comments are closed.