Databases Reference
In-Depth Information
How It Works
Before you can connect to the Oracle database, you need to have the proper OS variables set. Additionally, if you want to
connect to Oracle as a privileged user, then you must also have access to either a privileged OS account or a privileged
database user. Connecting as a privileged user allows you to perform administrative tasks, such as starting and stopping
a database. You can use either OS authentication or a password file to connect to your database as a privileged user.
The concept of a privileged user is also important to RMAN backup and recovery. RMAN uses OS authentication
and password files to allow privileged users to establish a privileged database session (via the rman utility). Only a
privileged account is allowed to back up, restore, and recover a database.
Explaining OS Authentication
OS authentication means that if you can log on to an authorized OS account, then you are allowed to connect to your
database as a privileged user without the requirement of an additional password. OS authentication is administered
by assigning special groups to OS accounts.
When preparing to install the Oracle binaries, you must first create the OS groups. Then, when installing the
Oracle software, you associate the names of the OS groups with various levels of database privileges.
Typically the three OS groups that pertain to backup and recovery are:
dba
oper
backupdba (new in Oracle Database 12c)
Each OS group corresponds to certain database privileges. Table 2-1 shows the mapping of OS groups to database
system privileges and operations.
Table 2-1. Mapping of OS groups to privileges related to backup and recovery

| Operating System Group | Database System Privilege | Authorized Operations |
| --- | --- | --- |
| dba | sysdba | Start up, shut down, alter database, create and drop database, toggle archivelog mode, back up and recover database. |
| oper | sysoper | Start up, shut down, alter database, toggle archivelog mode, back up and recover database. |
| backupdba | sysbackup | New in Oracle Database 12c, this privilege allows you to start up, shut down, and perform all backup and recovery operations. |

Any OS account assigned to the authorized OS groups can connect to the database without a password and perform
administrative operations. In Linux/Unix, it's common to create an oracle OS account and assign its primary group to
be dba, which in turn authorizes it to perform sysdba operations. If you need more granular control over privileges, you
can create other operating system accounts and assign them to groups as appropriate (such as oper and backupdba).
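
Because group membership alone grants password-less privileged access, it is worth auditing which OS accounts fall into these groups. The following is an added example, not code from the original text: it assumes the typical group names from Table 2-1 (an installation may use different names) and runs on constructed sample /etc/group and /etc/passwd content. It checks both supplementary membership and each account's primary group.

```python
# Added example: list OS accounts that get password-less privileged DB access.
# Group names are the typical ones from Table 2-1; an installation may differ.
GROUP_PRIVILEGE = {"dba": "sysdba", "oper": "sysoper", "backupdba": "sysbackup"}

# Constructed sample data in /etc/group and /etc/passwd format (not a real host).
SAMPLE_GROUP = """\
root:x:0:
dba:x:54322:grid,jsmith
oper:x:54323:opsuser
backupdba:x:54324:rmanbkp,jsmith
users:x:100:alice
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
oracle:x:54321:54322:Oracle software owner:/home/oracle:/bin/bash
grid:x:54330:54331:Grid owner:/home/grid:/bin/bash
jsmith:x:1001:100:J Smith:/home/jsmith:/bin/bash
opsuser:x:1002:100:Operator:/home/opsuser:/bin/bash
rmanbkp:x:1003:54324:Backup account:/home/rmanbkp:/bin/bash
alice:x:1004:100:Alice:/home/alice:/bin/bash
"""

def privileged_accounts(group_text, passwd_text, mapping=GROUP_PRIVILEGE):
    """Return {os_account: sorted list of database privileges it can assume}."""
    result = {}
    gid_to_priv = {}
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4 or fields[0] not in mapping:
            continue
        name, _, gid, members = fields[:4]
        gid_to_priv[gid] = mapping[name]
        # Supplementary members are listed explicitly in the group entry.
        for user in filter(None, (m.strip() for m in members.split(","))):
            result.setdefault(user, set()).add(mapping[name])
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        # Primary-group members do not appear in the group file's member list,
        # so each account's GID field has to be checked as well.
        if len(fields) >= 4 and fields[3] in gid_to_priv:
            result.setdefault(fields[0], set()).add(gid_to_priv[fields[3]])
    return {user: sorted(privs) for user, privs in sorted(result.items())}

if __name__ == "__main__":
    for user, privs in privileged_accounts(SAMPLE_GROUP, SAMPLE_PASSWD).items():
        print(f"{user}: {', '.join(privs)}")
```

On a real host, pass the contents of /etc/group and /etc/passwd instead of the samples; accounts resolved through a directory service will not appear in those files.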
In Windows environments, you can verify which OS users belong to the ora_dba group as follows: select Control
Panel, Administrative Tools, Computer Management, Local Users and Groups, Groups. You should see a group named
something like ora_dba. You can click that group and view which OS users are assigned to it.
Additionally, for OS authentication to work in Windows environments, you must have the following entry in your
sqlnet.ora file:
SQLNET.AUTHENTICATION_SERVICES=(NTS)
 
 