ASM privileges


ASM privileges

satish
Dear Erman,

We have a new installation of ASM Grid Infrastructure on a 2-node box.

I need your help in understanding the group below in ASM:

OSDBA for Oracle ASM group:

This group is granted the SYSDBA privilege on the Oracle ASM instance, which grants access to data stored on Oracle ASM.

Is this read-only access to the data?

Re: ASM privileges

ErmanArslansOracleBlog
Administrator
No.
Members of the ASM Database Administrator group (OSDBA for ASM) are granted read and write access to files managed by Oracle ASM.

Re: ASM privileges

satish
Thanks for the update, Erman.

Will this also have administrative privileges like startup and shutdown?
Or will they only have read and write access to the data?

I am trying to understand the difference between the OSDBA group for Oracle and the OSDBA group for ASM.

Re: ASM privileges

ErmanArslansOracleBlog
Administrator
OSDBA of RDBMS can do sqlplus "/as sysdba" on the DB.
So it can do anything that can be done using the SYSDBA privilege.

The things that can be done with OSDBA of ASM change according to your release.
For example: members of the OSDBA group formerly were granted the SYSASM privilege on Oracle ASM instances, including mounting and dismounting disk groups.
However, in 11gR2 this grant was removed. (Actually this grant is revoked if different operating system groups are designated as the OSDBA and OSASM groups. If the same group is used for both OSDBA and OSASM, then the privileges are retained.)


Ref Oracle:

Members of the ASM Database Administrator group (OSDBA for ASM) are granted read and write access to files managed by Oracle ASM. The Oracle Grid Infrastructure installation owner and all Oracle Database software owners must be a member of this group, and all users with OSDBA membership on databases that have access to the files managed by Oracle ASM must be members of the OSDBA group for ASM.

In Oracle 12.2, this group grants access for the database to connect to Oracle ASM.

So, this subject is a little tricky and the information is a little bit confusing, as you see.

Please tell me what your purpose is, so that I can suggest something.

Re: ASM privileges

satish
Thanks for the update.

Dear Erman,

We are on 12.1.0.2, 2-node RAC.

Please go through the info below.

In my case, the OS user is called oracle and the OSDBA group is called dba:

$ id oracle
uid=502(oracle) gid=500(oinstall) groups=500(oinstall),502(dba),506(asmdba)

The OS user is called grid, the OSASM group is called asmadmin and the OSDBA for ASM group is called asmdba:

$ id grid
uid=1100(grid) gid=500(oinstall) groups=500(oinstall),506(asmdba),1000(asmadmin),1301(asmoper)

Oracle binary permissions:

$ ls -l $ORACLE_HOME/bin/oracle
-r-xr-s--x 1 oracle asmadmin 173515991 Apr 8 12:10 /u01/app/oracle/product/11.2.0/dbhome_2/bin/oracle

We already have asmadmin set on the oracle binary, which will provide access to the ASM devices. My concern here is why the oracle user needs the asmdba privilege when the oracle binary has access to all the disk devices?

$ id oracle
uid=502(oracle) gid=500(oinstall) groups=500(oinstall),502(dba),506(asmdba) --> this asmdba

Thanks,
satish

Re: ASM privileges

ErmanArslansOracleBlog
Administrator
Your ASM disks are owned by grid:asmadmin, right?

If so, only users that are members of the asmadmin group have direct access to ASM disks and maintenance.
As for the RDBMS owner (oracle in your case), this access is gained via the oracle executable ($ORACLE_HOME/bin/oracle). It should have the setgid bit with the group set to "asmadmin".

So the binary permissions will be like the following:

-rwsr-s--x 1 oracle asmadmin  (chmod 6751 oracle)

So, when the proper permissions are set for the oracle binary, the oracle OS user doesn't need to be in the asmadmin group.

Re: ASM privileges

satish
Thanks for the update, Erman.

So the oracle user is getting access to the disks using the Oracle executable. In this case, why should the oracle user be a member of the asmdba group? We already have access to the disks, right?

Re: ASM privileges

ErmanArslansOracleBlog
Administrator
It is a must in job / role separation.
The asmadmin setting that is done via the oracle binary is only for that binary.
In other words, when you execute the oracle binary in the RDBMS Home, you get the rights of asmadmin.
Do you understand what I mean?
The oracle OS user is not granted asmadmin. Only the oracle binary is granted it.
However, the oracle OS user still needs to have some grants for ASM (the cases where the oracle binary is not used).
And that's why the oracle OS user has the group asmdba.
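Added example, not from the thread: a POSIX sh audit of the role-separation setup Erman describes here and in his earlier reply about the binary permissions. It assumes the thread's group names (asmadmin for OSASM, asmdba for OSDBA for ASM), takes `ls -l` and `id` output as input strings rather than running them, and the sample lines are taken from satish's post.

```shell
# check_binary_listing "LS_LINE": LS_LINE is one line of `ls -l` output for
# $ORACLE_HOME/bin/oracle. Returns 0 only if the mode shows setuid and setgid
# (-rwsr-s--x, i.e. chmod 6751) and the group owner is asmadmin, so that
# disk access comes from the binary and not from the user's own groups.
check_binary_listing() {
  set -- $1                       # split the listing into fields
  mode=$1; group=$4
  case "$mode" in
    -rws??s*) ;;                  # 's' in both the owner and group exec slots
    *) echo "FAIL: mode $mode lacks setuid/setgid (expected -rwsr-s--x)"; return 1 ;;
  esac
  [ "$group" = asmadmin ] || { echo "FAIL: group is $group, expected asmadmin"; return 1; }
  echo "OK: oracle binary is setuid/setgid with group asmadmin"
}

# check_db_owner_id "ID_LINE": ID_LINE is `id oracle` output. Returns 0 only if
# the RDBMS owner is in asmdba (OSDBA for ASM) and NOT in asmadmin (OSASM):
# granting the user asmadmin directly would undo the job/role separation.
check_db_owner_id() {
  groups=${1#*groups=}            # keep the comma-separated group list
  case "$groups" in
    *"(asmadmin)"*) echo "FAIL: db owner is in asmadmin; role separation is broken"; return 1 ;;
  esac
  case "$groups" in
    *"(asmdba)"*) echo "OK: db owner has asmdba and not asmadmin" ;;
    *) echo "FAIL: db owner is missing asmdba"; return 1 ;;
  esac
}

# Constructed samples copied from the listing and id output quoted in the thread.
SATISH_LS='-r-xr-s--x 1 oracle asmadmin 173515991 Apr 8 12:10 /u01/app/oracle/product/11.2.0/dbhome_2/bin/oracle'
FIXED_LS='-rwsr-s--x 1 oracle asmadmin 173515991 Apr 8 12:10 /u01/app/oracle/product/11.2.0/dbhome_2/bin/oracle'
ORACLE_ID='uid=502(oracle) gid=500(oinstall) groups=500(oinstall),502(dba),506(asmdba)'

check_binary_listing "$SATISH_LS"   # fails: setgid is there but setuid is missing
check_binary_listing "$FIXED_LS"    # passes: matches the chmod 6751 layout
check_db_owner_id "$ORACLE_ID"      # passes: asmdba present, asmadmin absent
```

On a live node the same functions can be fed `"$(ls -l $ORACLE_HOME/bin/oracle)"` and `"$(id oracle)"`.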

Re: ASM privileges

satish
This perfectly clears my concern. Thanks, Erman.