The "grid" user account is recommended in some cases http://docs.oracle.com/cd/E11882_01/install.112/e24614/preaix.htm#BABJJEFF but it is not really mandatory.
There are two ways to set up Oracle 11gR2 Clusterware and RAC installations. These have to do with what is called role separation. The idea is to separate grid infrastructure activities from Oracle database activities from an OS user point of view. The important thing to know is that this is a choice to make and is not mandatory.
Technically there are two sets of logical accounts:
GRIDOWNER: Grid Infrastructure admin User. Normally called "grid".
ORACLEOWNER: Database Admin User. Normally called "oracle".
There are also the following groups involved.
OINSTALL Group: The group that will own the installation and inventory of the Oracle installation. Typically called oinstall.
ASMADMIN Group: The Oracle ASM Admin Group. This group has SYSASM privileges. Typically called asmadmin.
ASMDBA Group: The Oracle ASM DBA group. This group has SYSDBA privileges. Typically this would be asmdba.
ASMOPER Group: The Oracle ASM DB Operator Administrator group. Typically this would be asmoper.
OSDBA group: The Oracle database administrator group. This group has SYSDBA privileges. Typically set to dba.
OSPER Group: The group associated with operational tasks for database administration. Typically oper.
However, the group membership is as follows:
ORACLEOWNER belongs to OINSTALL / OSDBA / ASMDBA, with OINSTALL being the primary group.
GRIDOWNER belongs to OINSTALL / ASMADMIN.
Raw devices used as ASM disks for ASM Disk Groups are set to permissions of 660, with owner=GRIDOWNER and group=ASMDBA.
This way the ORACLEOWNER and GRIDOWNER can both see and write to the disks.
When setting up for role separation, each user and group is called out separately.
If not looking at setting up role separation, then
GRIDOWNER = ORACLEOWNER = oracle (most often).
Hope that helps.
923395 wrote: Job role separation is really stupid when the DBA handles both "roles". What exactly does management think they gain by making it difficult (more annoying than anything...) for us to do our job?
IN THE Oracle® Database Installation Guide
11g Release 2 (11.2) for IBM AIX on POWER Systems (64-Bit)
Part Number E24332-02
My question is: since the user "grid" is not in the dba group but is in the oinstall group, why should we create permissions as oracle:dba? This goes against the job role separation duties of having the grid user and the sysasm privs?
Is this a mistake in the doc?
I believe the correct uid:gid should be grid:dba. Both grid AND oracle must be able to READ and WRITE to these devices. Permissions should be 660. With AIX and Solaris make sure you are using a partition that excludes the first 2 cylinders (0,1) and starts at cylinder 2, e.g.: /dev/rhdiskn is partition 2-nnnnnnn
While I agree that role separation does not make a lot of sense if the DBA does both roles, having 2 users still makes sense.
The GI user could have set the environment directly to the GI Home, and the DB User to the database home.
This avoids errors where your system has the wrong OH or Path set, and increases the visibility vs. just setting it in the environment via scripts.
However I would put both users in the same groups, to not have to hassle with role separation.
That being said, the main group for both users should be oinstall, not DBA. Otherwise you might have an issue if you want to grant another DBA the rights to manage the DB, but don't access the GI, e.g. a trainee ;)
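Added example, not part of any post in this thread: a small shell check that works out which of the two accounts gets read and write access to an ASM device under the ownership choices discussed above (oracle:dba from the install guide, grid:dba, and grid:asmdba). It assumes the typical account names grid and oracle, the group memberships listed in the role-separation reply, and plain owner/group/other mode bits with no ACLs.

```shell
#!/bin/sh
# Added example: classic UNIX owner/group/other check (no ACLs, no root bypass).
# Group memberships are the ones listed in the thread; names are the typical ones.
GRID_GROUPS="oinstall asmadmin"
ORACLE_GROUPS="oinstall dba asmdba"

# in_list WORD "LIST": succeed if WORD is one of the space-separated items
in_list() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# can_rw USER "USER_GROUPS" DEV_OWNER DEV_GROUP MODE: succeed if USER gets read+write
can_rw() {
    user=$1; groups=$2; owner=$3; group=$4
    m=${5#"${5%???}"}            # keep the last three octal digits (0660 -> 660)
    u=${m%??}; o=${m#??}; g=${m#?}; g=${g%?}
    # Only one permission class applies: an owner never falls back to group bits
    if [ "$user" = "$owner" ]; then digit=$u
    elif in_list "$group" "$groups"; then digit=$g
    else digit=$o
    fi
    [ "$digit" -ge 6 ]           # 6 or 7 = read (4) + write (2)
}

# verdict DEV_OWNER DEV_GROUP MODE: print "grid=yes|no oracle=yes|no"
verdict() {
    out=""
    for entry in "grid:$GRID_GROUPS" "oracle:$ORACLE_GROUPS"; do
        name=${entry%%:*}; grps=${entry#*:}
        if can_rw "$name" "$grps" "$1" "$2" "$3"; then r=yes; else r=no; fi
        out="$out$name=$r "
    done
    printf '%s\n' "${out% }"
}

echo "oracle:dba  660 -> $(verdict oracle dba 660)"
echo "grid:dba    660 -> $(verdict grid dba 660)"
echo "grid:asmdba 660 -> $(verdict grid asmdba 660)"
echo "grid:asmdba 640 -> $(verdict grid asmdba 640)"
```

On a real host, replace the two membership variables with the output of `id -Gn grid` and `id -Gn oracle`, and take owner, group and mode from `ls -l` on the device.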