Change the OS groups for SYSDBA, SYSOPER, SYSBACKUP, SYSDG and SYSKM

2015-09-17 By Markus Flechtner

Oracle 12c allows you to separate the DBA tasks backup (RMAN), DataGuard and key management (Transparent Data Encryption) between different OS groups and users. This is not required, but can be helpful. Sometimes these groups do not yet exist when you install the Oracle software, or separating the duties is not considered necessary at that time and you decide to do it later.

What are the steps to change this mapping of OS groups to DBA tasks at a later point in time?

The mapping is defined in the file $ORACLE_HOME/rdbms/lib/config.c.

At the end of the file you can find the following lines (in this example all roles are mapped to the DBA group):

..
#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "oper"
#define SS_ASM_GRP ""
#define SS_BKP_GRP "pdba"
#define SS_DGD_GRP "dba"
#define SS_KMT_GRP "dba"

const char * const ss_dba_grp[] =
{SS_DBA_GRP, SS_OPER_GRP, SS_ASM_GRP,
SS_BKP_GRP, SS_DGD_GRP, SS_KMT_GRP};

The following steps are necessary to change the OS groups for the OS authentication:

1. Create the OS groups and the corresponding users (for example “backupuser” with SYSBACKUP privileges)

oracle> grep dba /etc/group
dba:x:54322:oracle,grid
asmdba:x:54325:grid,oracle
backupdba:x:54328:oracle, backupuser
dgdba:x:54329:oracle
kmdba:x:54330:oracle

2. Shut down the database instances and the listener that were started from this ORACLE_HOME

3. Change config.c
(please do not forget to back up the file)

#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "oper"
#define SS_ASM_GRP ""
#define SS_BKP_GRP "backupdba"
#define SS_DGD_GRP "dgdba"
#define SS_KMT_GRP "kmdba"

4. Relink the Oracle software

oracle> cd $ORACLE_HOME/rdbms/lib 
oracle> rm config.o 
oracle> make -f ins_rdbms.mk 
oracle> relink all 
writing relink log to: /u00/app/oracle/product/12.1.0.2/install/relink.log

5. Test
After that you can use the new OS groups for OS authentication:

root@si: su - backupuser
-bash-4.1$ id
uid=9999(backupuser) gid=54328(backupdba) groups=54328(backupdba) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.1$ . oraenv

ORACLE_SID = [backupuser] ? SI12C
ORACLE_BASE environment variable is not being set since this
information is not available for the current user ID backupuser.
You can set ORACLE_BASE manually if it is required.
Resetting ORACLE_BASE to its previous value or ORACLE_HOME
The Oracle base has been set to /u00/app/oracle/product/12.1.0.2
-bash-4.1$ rman

backupuser@si:~/ [SI12C] rman
Recovery Manager: Release 12.1.0.2.0 - Production on Tue Sep 15 23:12:16 2015
Copyright (c) 1982, 2014, Oracle and/or its affiliates. All rights reserved.

RMAN> connect target '/ as sysbackup'
connected to target database: SI12C (DBID=1353354747)
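
A check that can be run between steps 3 and 4, as an added example (not from the original post and not Oracle code): it reads the SS_*_GRP defines from config.c and reports, per role, whether the group exists, who its members are, and whether the role still shares the SYSDBA group. The function names `audit_mapping` and `demo` are hypothetical, and the sample group file and config.c inside `demo` are constructed.

```shell
#!/bin/sh
# Added example: audit the SS_*_GRP defines in config.c against a group file.
# audit_mapping CONFIG_C [GROUP_FILE]  -> returns 1 if a mapped group is missing.
audit_mapping() {
  awk '
    # First operand: group database in /etc/group format (name:pw:gid:members).
    FILENAME == ARGV[1] {
      split($0, f, ":"); exists[f[1]] = 1; members[f[1]] = f[4]; next
    }
    # Second operand: config.c, lines such as  #define SS_BKP_GRP "backupdba"
    /^#define[ \t]+SS_[A-Z]+_GRP[ \t]+"/ {
      split($0, w, /[ \t]+/); split($0, q, "\"")
      macro[++n] = w[2]; group[n] = q[2]
      if (w[2] == "SS_DBA_GRP") dba = q[2]
    }
    END {
      for (i = 1; i <= n; i++) {
        m = macro[i]; g = group[i]
        if (g == "") print "UNSET " m
        else if (!(g in exists)) { print "MISSING " m " " g; bad = 1 }
        else if (m != "SS_DBA_GRP" && g == dba)
          print "SHARED " m " " g " (same group as SYSDBA)"
        else print "OK " m " " g " [" members[g] "]"
      }
      exit bad + 0
    }
  ' "${2:-/etc/group}" "$1"
}

# Constructed sample input (hypothetical host): kmdba has not been created yet
# and SYSDG still shares the dba group.
demo() {
  d=$(mktemp -d) || return 1
  printf '%s\n' 'dba:x:54322:oracle,grid' \
    'backupdba:x:54328:oracle,backupuser' > "$d/group"
  printf '%s\n' '#define SS_DBA_GRP "dba"' '#define SS_ASM_GRP ""' \
    '#define SS_BKP_GRP "backupdba"' '#define SS_DGD_GRP "dba"' \
    '#define SS_KMT_GRP "kmdba"' > "$d/config.c"
  status=0
  audit_mapping "$d/config.c" "$d/group" || status=$?
  rm -rf "$d"
  return "$status"
}
```

On hosts that resolve groups through LDAP or NIS, pass a file containing the output of `getent group` as the second argument instead of relying on /etc/group.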

More information on relinking the Oracle software:
Support Note “Relinking Oracle Home FAQ (Frequently Asked Questions) (Doc ID 1467060.1)”