The Oracle database software is “owned” by the “oracle” user in Linux. Maintenance of the Oracle database software takes place through the “oracle” account. This is the account that is used to apply software patches and upgrades. This account should not be used for day-to-day activities by the DBA or other users.
Maintenance of the database itself takes place through another account with the necessary privileges. The database “local admin” account in this document is “oradm”. This is the account that the DBA uses for day-to-day operations. When issues requiring software intervention are found, the “oracle” account should be used; otherwise, the DBA should work from this local admin (or DBA) account.
Since a standard install usually maps both OSDBA and OSOPER to the same Linux group, DBA, consider creating separate groups for those two roles and limiting their privileges accordingly if you are installing in an environment that employs separate people for those functions.
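The separation described in the preceding paragraphs (software tree owned by “oracle”, day-to-day work from “oradm”, OSDBA and OSOPER as distinct groups) can be checked with a small POSIX shell audit. This is an added example and not part of the original article; it assumes the group names dba (OSDBA) and oper (OSOPER), the account name oradm, and a constructed /etc/group excerpt in place of the real file.

```shell
#!/bin/sh
# Added example (not from the original article): audit the account and
# group separation the text recommends. Assumed names: "dba" for OSDBA,
# "oper" for OSOPER, "oradm" for the local admin account. SAMPLE_GROUPS is
# a constructed /etc/group excerpt; on a real host pass "$(cat /etc/group)".
SAMPLE_GROUPS='oinstall:x:501:oracle
dba:x:502:oracle,oradm
oper:x:503:oradm'

# in_group GROUP USER GROUPDATA -> 0 if USER is listed as a supplementary
# member of GROUP (primary groups live in /etc/passwd and are not checked).
in_group() {
    printf '%s\n' "$3" | awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit found ? 0 : 1 }'
}

# groups_distinct GROUP_A GROUP_B GROUPDATA -> 0 if both groups exist and
# have different GIDs, i.e. OSDBA and OSOPER are not one and the same group.
groups_distinct() {
    printf '%s\n' "$3" | awk -F: -v a="$1" -v b="$2" '
        $1 == a { ga = $3 }
        $1 == b { gb = $3 }
        END { exit (ga != "" && gb != "" && ga != gb) ? 0 : 1 }'
}

# tree_owned_by DIR USER -> 0 if every entry under DIR is owned by USER
# (the software tree should belong to "oracle", not to the day-to-day account).
# Owner names are read from ls so the check works even if USER is unknown locally.
tree_owned_by() {
    [ -d "$1" ] || return 1
    find "$1" -print | while read -r f; do
        [ "$(ls -ld "$f" | awk '{print $3}')" = "$2" ] || exit 1
    done
}

# Typical invocation on a real host (assumes ORACLE_HOME is set; not run here):
#   tree_owned_by "$ORACLE_HOME" oracle && in_group dba oradm "$(cat /etc/group)" \
#     && groups_distinct dba oper "$(cat /etc/group)" && echo "separation OK"
```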
Additional accounts may be created for “others” in your organization on specific hosts. It can be very hard for a DBA to say “no” to a user or owner of an Oracle database host, but it is beneficial to have these alternate accounts available, configured, functioning, and understood, so that when the day comes that you have to pass control, you can do so in an orderly fashion.
The “oracle” account on one node may be able to inherit privileges on another node simply by owning the Oracle software there. The less widely known and used the “oracle” account is, the better. This implication makes it rather easy to gain management, network, and IT support for restricting access to it.
The alternate accounts suggested above provide a level of security that protects your interests as the DBA on each system. Oracle itself used a similar setup through the end of version five, and remnants of it will remain forever. Because of the complexity of delivering installation code for over ninety platforms, this technique has been ignored in many environments and is retained only by DBAs trained in that operating system.
A similar discussion about users within the database can be viewed here.
Additional concerns apply if the host is connected to the internet, and they should be addressed separately.
Last Revised: April 2007