Understanding Operating System Privileges Groups

Review this information for system privileges required for Oracle Database or Oracle Automatic Storage Management (Oracle ASM) administration.

As an administrator, you often perform special operations such as shutting down or starting up a database, or configuring storage. Because only an administrator responsible for these administration decisions must perform these operations, system privileges for Oracle Database or Oracle Automatic Storage Management (Oracle ASM) administration require a secure authentication scheme.

Membership in special operating system groups enables administrators to authenticate to Oracle Database or Oracle ASM through the operating system rather than with a user name and password. This is known as operating system authentication. Each Oracle Database in a cluster can have its own operating system privileges groups, so that operating system authentication can be separated for each Oracle Database on a cluster. Because there can be only one Oracle Grid Infrastructure installation on a cluster, there can be only one set of operating system privileges groups for Oracle ASM.

During installation of Oracle Grid Infrastructure and Oracle Database, you provide the group names of operating system groups. These operating system groups are designated with the logical role of granting operating system group authentication for administration system privilege for Oracle Database and Oracle ASM.

In an Oracle RAC cluster, the group ID number (GID) for system privileges groups must be identical on each cluster member node. One operating system group can be designated the logical group whose members are granted all system privileges for Oracle Database and Oracle ASM, including the OINSTALL system privileges for installation owners. You can also delegate logical system privileges to two or more actual operating system groups. Oracle recommends that you designate separate operating system groups for each logical system privilege. This enables you to grant one or more subsets of administrator system privileges to database administrators. These database administrators can then perform standard database administration tasks without requiring the SYSDBA system privileges.

System privileges groups are listed in the following table:

Table 6-1 Role-Allocated Oracle System Privileges Operating System Groups

Logical Operating System Group Name	Default Actual UNIX or Linux Group Name	System Privileges Authenticated By Group Membership
OINSTALL	`oinstall`	Install system privileges for installation owners, which includes privileges to write to the central `oraInventory` directory for each server, and other privileges granted to Oracle binary installation owner users.
OSDBA	`dba`	`SYSDBA` system privileges for an Oracle Database, which includes all system privileges for the database.
OSOPER	`oper`	`SYSOPER` startup and shutdown system privileges for an Oracle Database.
OSBACKUPDBA	`backupdba`	`SYSBACKUP` backup and recovery system privileges for an Oracle Database.
OSDGDBA	`dgdba`	`SYSDG` system privileges to administer and monitor Oracle Data Guard.
OSKMDBA	`kmdba`	`SYSKM` system privileges for encryption key management for applications such as Oracle Wallet Manager.
OSASM	`asmadmin`	`SYSASM` system privileges for Oracle ASM on a cluster, which includes all system privileges for Oracle ASM storage.
OSOPER for ASM	`asmoper`	`SYSOPER` startup and shutdown system privileges for Oracle ASM on the cluster.
OSDBA for ASM	`asmdba`	`SYSDBA` for ASM system privileges to obtain read and write access to files managed by Oracle ASM. All Oracle Database software owners must be a member of this group.
OSRACDBA	`racdba`	`SYSRAC` privileges to perform day to day administration of Oracle databases on an Oracle RAC cluster. All Oracle Database software owners must be a member of this group.