05-15-2006 07:16 PM
We're currently consolidating a number of Oracle databases onto a DB cluster and I wanted to get some feedback on "best practices" for user setup.
Ideally, we'd like to do the following:
- The main "oracle" user would be able to access/modify/stop/start all databases.
- Each database would be owned by an application-specific user who would be able to only access/modify/stop/start their DB.
- The Oracle binaries may be shared between a number of databases (i.e. not one set per database) and should only be able to be changed by oracle:dba.
The use of DB-specific users is important to us to isolate the damage an application team user can do to other DBs they don't own. It also fits in better with our use of PRM (and SRM on Solaris).
I'm about to start doing some testing of various configurations and would be very interested in other people's experience in this area.
Thanks,
Andrew
05-15-2006 08:22 PM
Re: Oracle user permissions when consolidating databases
The user "oracle" which belongs to dba group and owns the oracle software, will have the privilege to start / stop all the databases that exist in the oratab file flag="Y". The dbstart and dbshut scripts can be used for this purpose and for all the ORACLE_SID's defined in oratab, this user can start and stop the databases.
For individual databases, define an application user at the OS, assign the group dba, and set the ORACLE_SID to this particular database in this user's profile. Have a separate database start / stop script and have execute privileges to this user only.
Likewise for the other databases set the ORACLE_SID to the respective databases in the user's profile.
IA
05-15-2006 09:55 PM
Re: Oracle user permissions when consolidating databases
They just have to set their ORACLE_SID to the correct database instance. As far as I know, there is no way to give every database its own system sysdba group.
What you can do is make a separate ORACLE RDBMS installation per database that needs a different group of administrators. Install every ORACLE_HOME with user oracle, but assign different system groups for sysdba and sysoper. Assign the users with administrative privileges to their database to the respective sysdba group of the database.
For PRM, it is very well possible to create a separate application group per database and thus monitor every database separately.
05-16-2006 06:42 PM
Re: Oracle user permissions when consolidating databases
Does anyone else have any other ideas?
Regards,
Andrew
05-16-2006 07:42 PM
Re: Oracle user permissions when consolidating databases
Secondly, I would be very reluctant in providing access to the database from the command line for any user. This should only be possible for the dba/admin guys. Any access to the server should be from a separate box giving access through a firewall (probably only port 1521). On this box you may identify different users.
An os-user on the database server may easily stop the database from functioning. Either by directly making "mistakes" to the database and/or software or indirectly by causing problems on the os (like filling up /var or /tmp).
So, database consolidation, ok. No different apps in one database, but remain "agile" (this appears to be ok from your description). Standardize your databases and provide access through different apps-servers.
05-18-2006 02:24 AM
Re: Oracle user permissions when consolidating databases
One option that would remove the need for putting the application dba accounts into the 'dba' group would be to write a wrapper script around dbshut/dbstart, and make it suid. You could list out which ux ids have access to which database, so they don't have the ability to shutdown databases not belonging to them.
Brian
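The per-user, per-database check such a wrapper needs, as an added example that is not part of the original thread. The ACL file format (`unix_user:ORACLE_SID` per line) and the function names are assumptions; the caller's name is expected to come from the real uid (`id -unr`), not from `$USER` or `$LOGNAME`.

```shell
#!/bin/sh
# Added example: authorization check for a dbstart/dbshut wrapper.
# ACL format (hypothetical): one "unix_user:ORACLE_SID" pair per line, '#' comments.
# Pass the caller as $(id -unr); environment variables are caller-controlled.

# is_valid_sid SID -> 0 only for a plain identifier (no paths, no metacharacters)
is_valid_sid() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# may_control USER SID ACLFILE -> 0 if the exact pair is listed in the ACL
may_control() {
    user=$1 sid=$2 acl=$3
    is_valid_sid "$sid" || return 1
    [ -f "$acl" ] || return 1          # fail closed when the ACL is missing
    awk -F: -v u="$user" -v s="$sid" '
        /^[ \t]*#/ || NF < 2 { next }
        $1 == u && $2 == s   { found = 1 }
        END { exit !found }' "$acl"
}

# demo_acl -> constructed sample ACL (user and SID names are made up)
demo_acl() {
    cat <<'EOF'
# user:sid
appa:PAYROLL
appb:CRM
oracle:PAYROLL
oracle:CRM
EOF
}

# decide ACTION USER SID ACLFILE -> prints the decision, returns 0 on ALLOW
decide() {
    case "$1" in start|stop) ;; *) echo "DENY: bad action"; return 1 ;; esac
    if may_control "$2" "$3" "$4"; then
        echo "ALLOW: $2 may $1 $3"
    else
        echo "DENY: $2 may not $1 $3"
        return 1
    fi
}
```

Only after an ALLOW would the wrapper set ORACLE_SID itself and call the site's start or stop script; the ACL file should be writable by root only.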
05-18-2006 06:48 AM
Solution
I think your plan is fine, except that you should be using a different ORACLE_HOME (set of binaries) for each group.
The reason is because of the following: go look in $ORACLE_HOME/rdbms/lib/config.c - you'll notice that there is a #define macro for the SS_DBA_GRP that is being set.
You get ONE of these groups you can have a person set to - and only one. And, even worse, the user that is starting and stopping databases MUST belong to this group. This means that for THIS example ORACLE_HOME you have exactly ONE group that the user MUST belong to stop and start databases. This means that if you have one ORACLE_HOME - everyone that is in this group can start and stop other people's ORACLE databases. All they'd have to do is change the ORACLE_SID to be the other team's value and they can do what they want to. This would naturally include full system privileges!!!
So, I think you need different ORACLE_HOMEs per group, and just make the main "oracle" user a member of every dba group. Then, in each ORACLE_HOME you should change the aforementioned config.c file to reflect the proper group name, and relink the executables in the ORACLE_HOME/bin directory.
Good luck
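A way to audit the situation described in this answer, as an added example that is not part of the original thread: it reads SS_DBA_GRP from each ORACLE_HOME listed in oratab and reports every OS group that controls more than one SID. It assumes oratab lines of the form `SID:ORACLE_HOME:Y|N` and a single-line `#define SS_DBA_GRP "group"` in config.c; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which OS group each database's ORACLE_HOME trusts.

# dba_group_of ORACLE_HOME -> SS_DBA_GRP value from that home's config.c
dba_group_of() {
    cfg=$1/rdbms/lib/config.c
    [ -r "$cfg" ] || return 0          # unreadable or missing: print nothing
    awk '$1 == "#define" && $2 == "SS_DBA_GRP" { gsub(/"/, "", $3); print $3; exit }' "$cfg"
}

# sid_groups ORATAB -> one "SID GROUP" line per oratab entry (SID:ORACLE_HOME:Y|N)
sid_groups() {
    grep -v '^[[:space:]]*#' "$1" | while IFS=: read -r sid home flag; do
        [ -n "$sid" ] && [ -n "$home" ] || continue
        grp=$(dba_group_of "$home")
        echo "$sid ${grp:-UNKNOWN}"
    done
}

# shared_groups ORATAB -> groups whose members can administer more than one SID
shared_groups() {
    sid_groups "$1" | awk '
        { n[$2]++; sids[$2] = sids[$2] " " $1 }
        END { for (g in n) if (n[g] > 1) print g ":" sids[g] }' | sort
}

# make_demo DIR -> constructed sample: two SIDs share one home, one has its own
make_demo() {
    for h in shared hr; do mkdir -p "$1/$h/rdbms/lib"; done
    echo '#define SS_DBA_GRP "dba"'   > "$1/shared/rdbms/lib/config.c"
    echo '#define SS_DBA_GRP "hrdba"' > "$1/hr/rdbms/lib/config.c"
    cat > "$1/oratab" <<EOF
# constructed sample oratab
PAYROLL:$1/shared:Y
CRM:$1/shared:Y
HR:$1/hr:N
EOF
}
```

On the constructed sample, `shared_groups` lists `dba` with PAYROLL and CRM, which is the case where a member of that group can switch ORACLE_SID to the other team's database.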
05-18-2006 06:23 PM
Re: Oracle user permissions when consolidating databases
I know what I outlined sounds a bit strange - it was largely to sound out options of fitting this into PRM/SRM (particularly SRM which is driven by user ids more than PRM).
I think that the route we will go down though is to maintain one Oracle user and sort out the resource management at a clustering level (we were a bit reluctant to change standard Veritas Cluster Server scripts, hence me floating this idea).
Thanks again,
Andrew