How to Create backupdba, dgdba and kmdba groups after the 12c, 18c and 19c binary installation

Users in the OSDBA group are granted the SYSDBA administrative privilege. Similarly, the OSOPER group is used to grant SYSOPER administrative privilege to users, the OSBACKUPDBA group is used to grant SYSBACKUP administrative privilege to users, the OSDGDBA group is used to grant SYSDG administrative privilege to users, and the OSKMDBA group is used to grant SYSKM administrative privilege to users.

Below are the detailed steps:

$ id oracle
uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba)

Step 1

Create the required groups like OSOPER, OSBACKUPDBA, OSDGDBA, and OSKMDBA groups as secondary groups. For example:

# groupadd -g 503 oper
# groupadd -g 504 backupdba
# groupadd -g 505 dgdba
# groupadd -g 506 kmdba
# usermod -g oinstall -G dba,asmdba,backupdba,dgdba,kmdba[,oper] oracle

The oracle user is now member of all the above groups.

$ id oracle
uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba),503(oper),504(backupdba),505(dgdba),506(kmdba)

Step 2

Make the necessary changes in config.c of $ORACLE_HOME/rdbms/lib/. Below is the config.c file on Linux (64-bit) platform.

Define the groups oper,backupdba, dgdba, kmdba.

$ cat config.c

/* SS_DBA_GRP defines the UNIX group ID for sqldba adminstrative access. */
/* Refer to the Installation and User's Guide for further information. */

.section .rodata.str1.4, "aMS",@progbits,1
.align 4
.Ldba_string: .string "dba"
.Loper_string: .string "oper"
.Lasm_string: .string ""
.Lbkp_string: .string "backupdba"
.Ldgd_string: .string "dgdba"
.Lkmt_string: .string "kmdba"

.section .rodata
.align 8
.globl ss_dba_grp
ss_dba_grp:
.quad .Ldba_string
.quad .Loper_string
.quad .Lasm_string
.quad .Lbkp_string
.quad .Ldgd_string
.quad .Lkmt_string
.type ss_dba_grp,@object
.size ss_dba_grp,.-ss_dba_grp
.section .note.GNU-stack, ""
.end
/*
* Assembler will not parse a file past the .end directive
*/
#endif

#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "oper"
#define SS_ASM_GRP ""
#define SS_BKP_GRP "backupdba"
#define SS_DGD_GRP "dgdba"
#define SS_KMT_GRP "kmdba"

const char * const ss_dba_grp[] =
{SS_DBA_GRP, SS_OPER_GRP, SS_ASM_GRP,
SS_BKP_GRP, SS_DGD_GRP, SS_KMT_GRP};

Step 3

Move the config.o file and regenerate using below make command.

$ cd $ORACLE_HOME/rdbms/lib/
$ mv config.o config.o.BKP
$ make -f ins_rdbms.mk config.o ioracle

Step 4

Create the required users for the OSoper, OSbackupdba, OSdbdba and OSkmdba groups.

  • If you are a member of the OSOPER group, and you specify AS SYSOPER when you connect to the database, then you connect to the database with the SYSOPER administrative privilege.
  • if you are a member of the OSBACKUPDBA group, and you specify AS SYSBACKUP when you connect to the database, then you connect to the database with the SYSBACKUP administrative privilege.
  • If you are a member of the OSDGDBA group, and you specify AS SYSDG when you connect to the database, then you connect to the database with the SYSDG administrative privilege.
  • If you are a member of the OSKMDBA group, and you specify AS SYSKM when you connect to the database, then you connect to the database with the SYSKM administrative privilege.

A user can connect to the database using operating system authentication. A user can be authenticated, enabled as an administrative user, and connected to a local database by typing one of the following SQL*Plus commands:

SQL> CONNECT / AS SYSDBA
SQL> CONNECT / AS SYSOPER
SQL> CONNECT / AS SYSBACKUP
SQL> CONNECT / AS SYSDG
SQL> CONNECT / AS SYSKM

For example, creating a backup_ora user for SYSBACKUP administrative privilege:

$ useradd -g oinstall -G dba,backupdba backup_ora

Step 5

Connect as sysbackup using OS authentication. Oracle Database provides methods to secure the authentication of database administrators who have the SYSDBA, SYSOPER, SYSBACKUP, SYSDG, or SYSKM administrative privilege. To perform backup and recovery operations from either Oracle Recovery Manager (RMAN) and or through SQL*Plus, you can log in with the SYSBACKUP administrative privilege.

OS Authentication with the SYSBACKUP Privilege.

% rman target '"/ as sysbackup"'

For example:

$ rman target '"/ as sysbackup"'
Recovery Manager: Release 12.1.0.2.0 - Production on Sun Feb 12 00:38:57 2017
Copyright (c) 1982, 2014, Oracle and/or its affiliates. All rights reserved.
connected to target database: orcl (DBID=1027533583)
RMAN>

non-SYS user can be created using below command:

Incase, of 12c CDB environment, we need to create the command users as below for all the containers:

SQL> create user c##backup_rman identified by oracle account unlock ;

Grant the sysbackup privilege to the user c##backup_rman.

SQL> grant sysbackup to c##backup_rman ;
$ rman target c##backup_rman/oracle
Recovery Manager: Release 12.1.0.2.0 - Production on Sun Feb 12 00:32:29 2017
Copyright (c) 1982, 2014, Oracle and/or its affiliates. All rights reserved.
connected to target database: orcl (DBID=1027533583)

RMAN> backup database;

Starting backup at 12-FEB-17
using target database control file instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=85 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00001 name=/u01/app/oracle/oradata/orcl/datafile/o1_mf_system_cckrhmcw_.dbf
.........

channel ORA_DISK_1: backup set complete, elapsed time: 00:00:45
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00007 name=/u01/app/oracle/oradata/orcl/datafile/o1_mf_sysaux_cckrnl56_.dbf
input datafile file number=00005 name=/u01/app/oracle/oradata/orcl/datafile/o1_mf_system_cckrnl6c_.dbf
channel ORA_DISK_1: starting piece 1 at 12-FEB-17
channel ORA_DISK_1: finished piece 1 at 12-FEB-17
piece handle=/u01/app/oracle/fast_recovery_area/orcl/2B47A2C2061C3C65E0530100007FF3E7/backupset/2017_02_12/o1_mf_nnndf_TAG20170212T003344_d9yr6ct6_.bkp tag=TAG20170212T003344 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:55
Finished backup at 12-FEB-17

Starting Control File and SPFILE Autobackup at 12-FEB-17
piece handle=/u01/app/oracle/fast_recovery_area/orcl/autobackup/2017_02_12/o1_mf_s_935714267_d9yr851n_.bkp comment=NONE
Finished Control File and SPFILE Autobackup at 12-FEB-17

RMAN>