Oinstall and Dba group

What are the levels of security maintained with the Oinstall and Dba groups at the Oracle level?
I just want to know which set of files we need to assign the Oinstall and Dba groups to. Is there any particular reason?
If so, please let me know.
kumaresh

oinstall/dba are the unix oracle privileged groups. Only the Oracle installation owner and the SYSDBA/SYSOPER roles should belong to these groups.
If you installed your RDBMS using oinstall, all of the ORACLE_HOME and oracle related files must belong to this group. If using OS authentication to startup/shutdown, and generally speaking, connect / as sysdba, your user must belong to the oracle privileged group. No other user is recommended to belong to this group as this would open excessive administrative privileges to other users.
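
An added example, not part of the original thread: a shell audit of who effectively holds the privileged groups discussed above, counting accounts whose primary group is dba or oinstall as well as supplementary members. The allow-list (oracle, grid), the sample accounts and the GIDs are constructed for illustration.

```shell
#!/bin/sh
# Audit effective membership of the Oracle privileged OS groups.
# Inputs are group(5)- and passwd(5)-format files, so the functions can be
# run against copies or dumps as well as the live files.

# group_members GROUP GROUP_FILE PASSWD_FILE
# Prints one user per line: supplementary members (4th field of the group
# entry) plus every account whose primary GID (4th field of its passwd
# entry) equals the group's GID. Primary-group members are not listed in
# the group file's member field, so reading the group entry alone misses them.
group_members() {
    awk -F: -v grp="$1" '
        FILENAME == ARGV[1] {                 # first file: group database
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        gid != "" && $4 == gid { seen[$1] = 1 }   # second file: passwd
        END { for (u in seen) print u }
    ' "$2" "$3" | sort
}

# unexpected_members GROUP "ALLOWED USERS" GROUP_FILE PASSWD_FILE
# Prints every effective member that is not on the space-separated allow-list.
unexpected_members() {
    group_members "$1" "$3" "$4" | while read -r user; do
        case " $2 " in
            *" $user "*) ;;            # on the allow-list
            *) echo "$user" ;;
        esac
    done
}

# Constructed sample data (not taken from any real host).
demo_dir=$(mktemp -d)
cat > "$demo_dir/group" <<'EOF'
oinstall:x:1100:
dba:x:1800:oracle,grid
users:x:100:
EOF
cat > "$demo_dir/passwd" <<'EOF'
oracle:x:1001:1100::/home/oracle:/bin/bash
grid:x:1002:1100::/home/grid:/bin/bash
a:x:1003:1100::/home/a:/bin/bash
b:x:1004:1800::/home/b:/bin/bash
EOF

# Assumed allow-list: only the software owners may hold these groups.
for g in oinstall dba; do
    for u in $(unexpected_members "$g" "oracle grid" "$demo_dir/group" "$demo_dir/passwd"); do
        echo "REVIEW: $u is an effective member of $g but is not on the allow-list"
    done
done
rm -rf "$demo_dir"
```

On a real host pass /etc/group and /etc/passwd, or files produced by `getent group` and `getent passwd` when accounts come from a directory service.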

Similar Messages

  • Trying to add oinstall and dba (for Oracle Database and Enterprise Manager) to my LDAP account

    I want to add groups to my LDAP user account abc. Currently I have uid=243782(abc) gid=10(wheel) groups=1275(nsn-emp),9834(nsn-moh),10(wheel), but I want groups oinstall, oper and dba added.
    According to the database installation document, local os group must include oinstall and dba.
    The following local operating system groups and users are required if you are
    installing Oracle Database:
    ■ The Oracle Inventory group (typically, oinstall)
    ■ The OSDBA group (typically, dba)
    ■ The Oracle software owner (typically, oracle)
    I tried to add abc groups oinstall and dba using root user, but it failed.
    Could you please inform me how to add these groups?
    Thanks.
    lf

    Folks,
    Hello. Thanks a lot for replying. I do the following command: [user@localhost bin]$ wget http://localhost.localdomain:1158/em
    The command returns the message:
    --11:36:33-- http://localhost.localdomain:1158/em
    Resolving localhost.localdomain... 127.0.0.1
    Connecting to localhost.localdomain|127.0.0.1|:1158... connected.
    HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
    Length: unspecified
    Saving to: `em'
    [ <=>                                                                                                              ] 7 --.-K/s in 0.002s
    11:36:33 (4.15 KB/s) - Read error at byte 7 (Connection reset by peer).Retrying.
    --11:36:34-- (try: 2) http://localhost.localdomain:1158/em
    Connecting to localhost.localdomain|127.0.0.1|:1158... connected.
    HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
    Length: unspecified
    Saving to: `em.1'
    100%[=================================================================================================================>] 7 --.-K/s in 0s
    11:36:34 (16.8 KB/s) - Read error at byte 7 (Connection reset by peer).Retrying.
    The above message repeats again and again until finally returns the following message:
    11:39:02 (40.2 KB/s) - Read error at byte 7 (Connection reset by peer).Giving up.
    In the browser, http://localhost.localdomain:1158/em cannot display and pops up a window with the message: You have chosen to open which is a BIN file from http://localhost.localdomain:1158 What should Firefox do with this file ? Save to Disk ?
    My question is:
    I don't know how to display http://localhost.localdomain:1158/em in Browser. How to solve the issue ?
    Thanks.

  • Kerberos auth in Oracle, sys user and dba group

    Hello.
    I've set up Kerberos auth in a test Oracle 10g R2 database on 64-bit Linux according to the Oracle® Database Advanced Security Administrator's Guide. I have the following issue: a Kerberos user can log in to the test server (from this server) and a normal database user can log in to the database server from other hosts. However, the oracle system user, members of the dba group and normal users can no longer log in to this server from it. So, when the oracle system user runs sqlplus "/as sysdba" , he gets ORA-12638: Credential retrieval failed.
    sqlnet.ora looks the following way:
    SQLNET.KERBEROS5_CC_NAME = /tmp/krb5cc
    SQLNET.KERBEROS5_CONF_MIT=TRUE
    SQLNET.AUTHENTICATION_SERVICES= (KERBEROS5)
    NAMES.DIRECTORY_PATH= (TNSNAMES, EZCONNECT)
    SQLNET.KERBEROS5_CONF = /etc/krb5.conf
    SQLNET.KERBEROS5_REALMS = /etc/krb5.realms
    SQLNET.AUTHENTICATION_KERBEROS5_SERVICE = oracle
    What should I do to enable login to this server for members of dba group and normal users from the database server?

    I've tried to set SQLNET.AUTHENTICATION_SERVICES to (BEQ,KERBEROS5), it works almost as expected, but I have strange effect: my os user is not in dba group, but can connect "/as sysdba"...
    $ id -nG
    domusers oinstall
    $ sqlplus "/as sysdba"
    SQL*Plus: Release 10.2.0.1.0 - Production on Tue Mar 3 13:20:55 2009
    Copyright (c) 1982, 2005, Oracle. All rights reserved.
    Connected to:
    Oracle Database 10g Enterprise Edition Release 10.2.0.1.0 - 64bit Production
    With the Partitioning, OLAP and Data Mining options
    SQL>

  • Oinstall vs dba

    Hi,
    we are having oracle applications 11i db (9.2.0.7) running on hp-ux itanium machine
    Oracle Apps 11i DB is installed with oraprod as under dba as primary group. no other group is there in system.
    and on the same machine, we are going to install another production db (9.2.0.7) and unix oracle account as owner for this instance. I want to make this user under dba group as primary user.
    which group you prefer oinstall or dba as primary group for oracle owner on unix machine?
    I know oinstall group is just for oracle file system ownership and inventory ........and dba group is for maintenance like startup and shutdown etc

    The new install could be under a group "dba2", it doesn't have to be "oinstall".
    By convention, "oinstall" is the software owner group while "dba" is the SYSDBA group. The two are Unix groups which can be separate. The $ORACLE_HOME/rdbms/lib/config.c file would be created (and oracle binaries relinked) on the basis of your selection of group name(s) when running the installer.
    (corrected "SYSOPER" to "software owner")
    Edited by: Hemant K Chitale on Mar 18, 2009 4:04 PM

  • sapsid adm has no access to "dba" group

    My client, a LARGE telecom company, has 150+ SAP instances and is in the process of moving most of them from PARISC to Itanium HP servers.
    As part of the replatforming effort, we have to create <sapsid>adm ids on the new servers.  As per SAP installation Manuals, <sapsid>adm should have "sapsys" as primary and "dba" as secondary group. The Basis, DBA and SA support functions are performed by different work groups and due to SOX and other internal security policies, the DBA group feels it is against "separation of duties", etc, to have someone other than DBAs have access to the "dba" group and is unwilling to approve "dba" as secondary group for <sapsid>adm.  The Basis Admins feel that the failure to allow access to "dba" will negatively impact our ability to perform our Basis support activities. For example: unable to start & stop the database when using start|stopsap scripts; inability to perform any activity that uses sapinst (as sapinst checks for existence of <sapsid>adm and its membership of "sapsys" and "dba" groups; probably some of the database related transactions within the SAP gui, etc).
    Have any other Basis Admins run across these SOX restrictions? How are they handled in other companies?  What other impacts could the failure to have access to the "dba" group have?
    Sharing of any experiences in this area would be greatly appreciated.
    Alex

    Hi Alex,
    Making the user <SID>adm as part of the group "dba" as secondary is the SAP Standard installation configuration. Indeed sometimes the internal Security policies of the organizations do make some restrictions for the "Segregation of duties" part due to which user configurations need to be different at the OS level. SAP do have a solution for that.
    Now there can be 3 scenarios and you have to identify which scenario you want to implement-
    1. SAP standard configuration where an operator has full privilege for DB administration.
    2. An operator is authorized to backup the DB and also to start/shut down the DB but restricted privileges to modify the data.
    3. Only authorized DBA operators are allowed to execute BR*Tools operations. Such users have
        no other database access rights.
    Please refer to the below link for more details-
    http://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/9e626b1c-0d01-0010-b2ba-cfa2443c1cce?quicklink=ora&overridelayout=true
    Additionally you can also refer to the SAP note 832662.
    Regards
    Sourabh Majumdar

  • Problem with dba group vs oinstall group

    Hi to all ;
    This is related to oracle as well as some os related security problems. Please clarify it.
    I tried but couldn't solve it. All the information is given here ..
    Testing from user 'A'
    # useradd -m -g oinstall a
    # passwd a
    Changing password for user a.
    New UNIX password:
    BAD PASSWORD: its WAY too short
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
    su - a
    [a@testorcl ~]$ export ORACLE_HOME=/u01/app/oracle/product/10.2.0/db_1
    $ export PATH=$PATH:$ORACLE_HOME/bin
    $ export ORACLE_SID=testdb
    $ sqlplus /nolog
    SQL*Plus: Release 10.2.0.1.0 - Production on Thu Jan 3 01:33:49 2013
    Copyright (c) 1982, 2005, Oracle.  All rights reserved.
    Testing From user 'b' :
    # useradd -m -g dba b
    # passwd b
    Changing password for user b.
    New UNIX password:
    BAD PASSWORD: its WAY too short
    Retype new UNIX password:
    passwd: all authentication tokens updated successfully.
    su - b
    Password:
    $ export ORACLE_HOME=/u01/app/oracle/product/10.2.0/db_1
    $ export PATH=$PATH:$ORACLE_HOME/bin
    $ export ORACLE_SID=testdb
    $ sqlplus /nolog
    sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory
    >> From oracle user finding libsqlplus.so >>
    [oracle@testorcl ~]$
    $ find / -name libsqlplus\* -ls 2>/dev/null
    1378188 1296 -rw-r----- 1 oracle oinstall 1319436 Jun 22 2005 /u01/app/oracle/product/10.2.0/db_1/lib/libsqlplus.a
    1378193 1028 -rw-r----- 1 oracle oinstall 1047293 Jun 22 2005 /u01/app/oracle/product/10.2.0/db_1/lib/libsqlplus.so
    SQLPLUS LOCATION with associated group
    $ ls -l $ORACLE_HOME
    drwxr-x--- 9 oracle oinstall 4096 Dec 24 03:28 sqlplus
    Please Note :
    USER 'a' belongs oinstall group.
    USER 'b' belongs dba group.
    My questions are :
    1. why OS user can access database with oinstall group ?
    2. why OS user can't access database with dba group ?
    Note: This is concept of oracle
    To connect as sysdba using OS Authentication ; UNIX OS user must be a part of OSDBA (dba) group.
    Once the user is part of OSDBA group.
    but in dba group with os user 'b' , can't connect sqlplus , what's the real problem here ?
    version : 10gr2
    $ uname -a
    Linux testorcl 2.6.9-42.0.0.0.1.ELsmp #1 SMP Sun Oct 15 14:02:40 PDT 2006 i686 athlon i386 GNU/Linux
    Edited by: 952909 on Jan 4, 2013 1:03 PM

    Hi dude ;
    Thanks for your reply.
    So , You suggest me to change install directory permission from 750 to 775.
    $ cd install
    [oracle@testorcl install]$ ls -l
    total 240
    -rw-r-----  1 oracle oinstall      0 Jun  7  2005 createseed1.sh
    -rw-r-----  1 oracle oinstall      0 Jun  7  2005 createseed.sh
    -rw-r-----  1 oracle oinstall    977 Dec 24 03:29 envVars.properties
    drwxr-x---  2 oracle oinstall   4096 Dec 24 03:26 jlib
    -rw-r-----  1 oracle oinstall 194849 Dec 24 03:29 make.log
    -rwxr-xr-x  1 oracle oinstall      0 Dec 24 03:29 oratab
    -rw-r-----  1 oracle oinstall    132 Dec 24 04:01 portlist.ini
    -rw-r-----  1 oracle oinstall    221 Dec 24 04:02 readme.txt
    -rwxr-xr-x  1 oracle oinstall    824 Dec 24 03:28 rootdeletenode.sh
    -rw-r-----  1 oracle oinstall   9646 Dec 24 03:28 rootlocaladd
    -rw-r-----  1 oracle oinstall      0 Jun  7  2005 seed.log
    -rw-r-----  1 oracle oinstall   2800 Jun  7  2005 templocal
    drwxr-x---  2 oracle oinstall   4096 Dec 24 03:29 unix
    drwxr-x---  2 oracle oinstall   4096 Dec 24 03:28 utl
    >> Permission changed as per your suggestion >>
    [oracle@testorcl db_1]$ chmod 775 install
    [oracle@testorcl db_1]$ ls -l
    drwxrwxr-x   5 oracle oinstall   4096 Dec 24 04:02 install
    >> Trying to find changePerm.sh >>
    [oracle@testorcl db_1]$ cd install
    [oracle@testorcl install]$ ./changePerm.sh
    -bash: ./changePerm.sh: No such file or directory
    [oracle@testorcl install]$ cd
    [oracle@testorcl ~]$ whereis changePerm.sh
    changePerm:
    [oracle@testorcl ~]$
    In my testdb file not found ... Any suggestion  to find DUDE
    Please note :
    http://www.oracle-base.com/articles/10g/oracle-db-10gr2-installation-on-rhel-4.php
    Installation Doc didn't say anything to change permission related to install group ( from 750 to 775 )
    Can you please clarify this ?
    Thanks Dude ..

  • ORA-01031: insufficient privileges despite oracle belonging to DBA group

    DB Version : 10.2.0.4.0
    OS Version : Solaris 5.10
    Os user oracle already belongs to DBA group.
    $ id -a
    uid=1001(oracle) gid=1100(oinstall) groups=1100(oinstall),1800(dba)
    But, i get the following error
    $ sqlplus / as sysdba
    SQL*Plus: Release 10.2.0.4.0 - Production on Mon Nov 29 14:33:59 2010
    Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
    ERROR:
    ORA-01031: insufficient privileges
    Enter user-name: ^C
    $
    $
    $ sqlplus sys/password as sysdba
    SQL*Plus: Release 10.2.0.4.0 - Production on Mon Nov 29 09:34:13 2010
    Copyright (c) 1982, 2007, Oracle.  All Rights Reserved.
    Connected to:
    Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production
    With the Partitioning, Data Mining and Real Application Testing options
    SQL>
    Value of remote_login_passwordfile parameter
    SQL> show parameter password
    NAME                                 TYPE        VALUE
    remote_login_passwordfile            string      EXCLUSIVE
    What could possibly be the reason?

    Hi,
    Have you created the orapw file in the $ORACLE_HOME/dbs with orapwd ?
    example :
    orapwd file=${ORACLE_HOME}/dbs/orapw${ORACLE_SID} password=change_on_install entries=40
    Then the unix user oracle will be created in the orapw${ORACLE_SID} file
    After that, if you want to create another user :
    grant sysdba to TOTO; the unix user TOTO could do : connect / as sysdba
    Regards,
    Mario Alcaide
    http://marioalcaide.wordpress.com

  • Changing the default DBA group

    Hi guys,
    For Oracle8i, 9i, and 10g, is it possible to change the DBA group once Oracle is installed? Let me give you an example:
    I got Oracle 10g, with the DBA group 'oinstall'. Is it possible that i create a new OS group called 'DBAtest' and use this as the default DBA group so OS users members of this group can os-authenticate to oracle?
    thanks,
    james

    Yes, on Unix platforms I think it is possible to change the OSDBA group (the group used to authenticate SYSDBA connection).
    Not sure if there are any consequences afterwards, if you did not separate the Oracle software owner OraInventory group, usually 'oinstall', from OSDBA/OPER groups. Could be a good idea to work that out before implementing any changes!

  • LINUX:while Deleting OLD backup's got error that ORACLE is not in DBA group

    Error
    Error - The specified host user is not a member of the operating system DBA group. The host user must be a DBA group member since the database user does not have the SYSDBA role.
    But. put users: system,oracle in OS /etc/group :
    oracle:x:500:oracle,system
    And both users have the DBA role

    To be able to OS authenticate login as sysdba, your OS user needs to be in the dba group which you chose when you did the installation.
    SYSDBA role is not the same as DBA role

  • "change the DBA group" in a windows environment

    I would like to prevent OS-privileged users from connecting as SYSDBA without giving a password!
    (there would be no passwordfile)
    In a unix environment we can hide the name of dba-group changing config at /rdbms/lib
    and relink:
    Change: #define SS_DBA_GRP "dba" to: #define SS_DBA_GRP "mygroup"
    rm config.o                    
    make -f ins_rdbms.mk config.o ioracle
    ??? How can I do that in a WINDOWS environment ???

    lkahlenb wrote:
    sorry, that's a windows environment.
    I didn't find anything like a config for group name as in unix (there is no relinking at windows).
    If I use windows I can modify the config (another existing group), relink and recopy the default config.
    So a unix.admin with only basic oracle know-how is confused.
    I am looking for similar steps on windows...
    Someone with admin authority on the OS has ultimate authority. Even if you figure out a way to have Oracle use a group other than ora_dba, it won't take a rocket scientist of an SA to figure it out and put himself in the correct group. You need to turn on auditing and have some strong policies regarding DBAs and SAs staying in their lane.

  • How to add a dba group in Unix after Installation

    I need help in figuring out how to add a dba group, which one would do prior to installation, but how can one do it after installation?
    I need to have a group that will have people allowed to start and stop oracle. Is this possible to modify to do after installation?
    Please help... Thank you.

    Thanks for the advice. I am looking in my config.s file and this is what i see..
         .section     ".text",#alloc,#execinstr
    /* 0x0000     7 */          .file     "x.c"
         .section     ".data",#alloc,#write
    /* 0x0000     9 */          .global     ss_dba_grp
    /* 0x0000     10 */          .align     8
         .global ss_dba_grp
    ss_dba_grp:
    /* 0x0000     17 */          .align     8
    /* 0x0000     18 */          .xword     (.L12+0)
    /* 0x0004     24 */          .align     8
    /* 0x0004     25 */          .xword     (.L13+0)
    /* 0x0008     26 */          .type     ss_dba_grp,#object
    /* 0x0008     27 */          .size     ss_dba_grp,16
         .section     ".rodata1",#alloc
    /* 0x0008     13 */          .align     8
    .L12:
    /* 0x0008     15 */          .ascii     "dba\0"
    /* 0x0014     20 */          .align     8
    .L13:
    /* 0x0014     22 */          .ascii     "dba\0"
    What should i change?

  • Multiple instances in Windows 7. & Adding Administrator in DBA group

    I have installed two databases using DBCA in Win7,
    & then used set oracle_sid= <old instance name>
    then when I said  sqlplus / as sysdba
    The new instance is starting.. then I tried sqlplus  sys/sys  as sysdba previous instance password.. it's asking for user name & password.. ??? which I did give & it's prompting error..
    how to deal with multiple instances in Windows 7??
    & I created a user using net user administrator /active:no ... now I couldn't get to add this user to DBA group?? As while editing tnsnames.ora & etc.. it's saying access denied so created admin user.. now couldn't login to dba user using administrator profile.. how to add this in dba group ??

    Aduke wrote:
    I have installed two databases using DBCA in Win7,
    & then used set oracle_sid= <old instance name>
    Did you create both databases from the same ORACLE_HOME, or did you actually install oracle twice, into separate ORACLE_HOMEs and create your two databases from those separate homes?
    then when I said  sqlplus / as sysdba
    The new instance is starting.. then I tried sqlplus  sys/sys  as sysdba previous instance password.. it's asking for user name & password.. ??? which I did give & it's prompting error..
    how to deal with multiple instances in Windows 7??
    & I created a user using net user administrator /active:no ... now I couldn't get to add this user to DBA group?? As while editing tnsnames.ora & etc.. it's saying access denied so created admin user.. now couldn't login to dba user using administrator profile.. how to add this in dba group ??
    Control panel
    Computer Management
    Local Users and Groups
    Users  (select your Oracle user)
    Properties
    Member Of
    select orcl_dba
    But then, this IS Windows, who knows if your cascade of applets and options is the same as mine?   To paraphrase Forrest Gump, "My momma always said Windows was like a box of chocolates.  You never know what you're going to get."

  • Add grid user to dba group

    Hello,
    After RAC installation, We are facing some cluster issues. After investigation, Oracle support suggested to add the grid user to the dba group. We missed to add the grid user to the dba user in most of the nodes. This is Linux Redhat 5.
    How can I add grid user to dba group and keep the grid user belonging to the other linux groups? what 's the correct command?
    Thanks,
    Diego

    Hi,
    As root:
    #### check before
    id  grid
    #### Change It
    usermod -a -G dba grid
    #### Check after
    id grid
    Levi Pereira

  • Tcode for DBA group

    What are the common transaction code that should be assigned to the member of the DBA group? I'm trying to use the SAP GUI to support some of the SAP-Database related issue and sometimes I find it very hard, due to the missing access on the tcode.

    only for db admin oracle?
    -> db* (db01, db02, db12, db14, db17 etc.)
    -> st04/st04n (db "cockpit")
    -> st05 (tracing)
    -> st02 & st06 (memory tuning etc.)
    GreetZ, AH

  • How to deal with 2 dba groups

    Hi Friends,
    I want to install two (2) Oracle 10g DBs in my linux server. I want different dba groups for each so that the dba on one database will not be able to touch the other's database.
    In my first DB the owner is > oraprod and group> dba
    In my 2nd DB the owner is> oratest and group> dba2
    My question is, can the user oratest/dba2 be able to connect "/ as sysdba" and startup/shutdown oracle? What is the special tag that makes a certain owner/group be able to connect as "sysdba". I just felt it is a reserved word granted by default to "dba" by oracle.
    Thanks

    Suggestions: (with a little humor)
    1) switch to Solaris and you can use zones isolating the dbas
    2) create user accounts in your separate databases and grant sysdba or sysoper privileges accordingly -- this is actually the way Oracle intended this to be for these types of situations.
    3) fire one of your dbas and give a big raise to the other one.
    4) trust your dbas - doesn't everyone trust their dbas?
