Database Ownership

Copyright 2004-2007 David Russell

On Linux the Oracle database software is “owned” by the “oracle” user.  Maintenance of the Oracle software itself, that is, applying software patches and upgrades, takes place through the “oracle” account.  This account should not be used for day-to-day activities by the DBA or by any other user.

Maintenance of the database itself takes place through a separate account that holds the necessary privileges.  In this document the database “local admin” account is “oradm”, and it is the account the DBA uses for day-to-day operations.  Only when an issue requires intervention in the software itself should the “oracle” account be used; for everything else the DBA works from this local admin (or DBA) account.

A standard install usually assigns the same Linux group, DBA, to both the OSDBA and OSOPER roles.  If you are installing in an environment where separate people perform those two functions, consider creating the additional group and limiting each group's privileges accordingly.

Additional accounts may be created for “others” in your organization on specific hosts.  It can be very hard for a DBA to say “no” to the user or owner of an Oracle database host, but it is beneficial to have these alternate accounts available, configured, functioning, and understood, so that when the day comes to hand over control you can do so in an orderly fashion.

Because the “oracle” account owns the Oracle software, the same account on one node may inherit privileges on another node simply through that ownership.  The less well-known and less used the “oracle” account is, the better.  These implications make it relatively easy to gain management, network, and IT support for restricting access to it.
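
As an added example (not part of the original document), a small POSIX shell audit of the separation described above: it checks constructed /etc/group lines for “oradm” membership in dba and flags interactive logins by the “oracle” software owner in constructed login records.  The account and group names come from the text; the sample data and the login threshold are assumptions.

```shell
#!/bin/sh
# Added example: audit the oracle / oradm separation against constructed data.
# Account names "oracle", "oradm" and group "dba" come from the text above;
# the group file lines, login records and login threshold are constructed.

# Constructed /etc/group lines: name:passwd:gid:member-list
GROUP_DATA='oinstall:x:500:oracle
dba:x:501:oracle,oradm
users:x:100:bob'

# Constructed `last`-style login records: user tty host date
LAST_DATA='oradm  pts/0  10.0.0.5  Mon Apr  2 09:12
oracle pts/1  10.0.0.7  Mon Apr  2 10:03
oradm  pts/0  10.0.0.5  Tue Apr  3 08:55
oracle pts/2  10.0.0.9  Tue Apr  3 14:20'

# in_group GROUP USER: succeeds (0) when USER appears in GROUP's member list
in_group() {
  printf '%s\n' "$GROUP_DATA" | awk -F: -v g="$1" -v u="$2" '
    $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
    END { exit found ? 0 : 1 }'
}

# count_logins USER: number of interactive sessions recorded for USER
count_logins() {
  printf '%s\n' "$LAST_DATA" | awk -v u="$1" '$1 == u { c++ } END { print c + 0 }'
}

# audit: prints one FINDING line per problem and returns the number of findings
audit() {
  findings=0
  # The day-to-day admin account must hold OSDBA (dba) membership
  if ! in_group dba oradm; then
    echo "FINDING: oradm is not a member of dba"
    findings=$((findings + 1))
  fi
  # The software owner should rarely log in interactively; more than one
  # session in the sample window is flagged (the threshold is an assumption)
  n=$(count_logins oracle)
  if [ "$n" -gt 1 ]; then
    echo "FINDING: $n interactive logins by the oracle software owner"
    findings=$((findings + 1))
  fi
  return "$findings"
}

audit || echo "audit reported $? finding(s)"
```

On a real host the constructed data would be replaced by the output of `getent group` and `last`, run from the local admin account rather than from “oracle”.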

The alternate accounts suggested above provide a measure of security that protects your interests as the DBA on each system.  Oracle used a similar setup through the end of version five, and remnants of it will remain forever.  Because of the complexity of delivering installation code for over ninety platforms, this technique has been ignored in many environments and is retained only by DBAs trained in that operating system.

A similar discussion about users within the database can be viewed here.

Additional concerns if the host is connected to the internet should be addressed.

Last Revised: April 2007