The file $ORACLE_HOME/... oh gosh, what's that file called? Under Linux it's config.c, yes, $ORACLE_HOME/rdbms/lib/config.c. Under Solaris and AIX I think it's called something different, but it'll be something along those lines, something like config.s, though it does vary from one UNIX to another. What you're doing is populating this file with the values that we chose at installation time, and at the bottom of the file you see the association of operating system group with Oracle privilege. Right, so you're populating config.c, or whatever it's called on your platform, and then when you do the relink at the end of the installation these group names get embedded in the executables during the relink, to give you the appropriate privileges. That's what's going on. On Windows it's a bit different.
So if I look under Windows: whoami. Who am I? Well, I'm this chap called JW. No I'm not, I'm John, logged on to the machine JW. And I'll get my groups up: whoami /groups. Yes, and these are my group memberships. So under Windows we see the groups of which I'm a member, and there are the old ones, ORA_DBA, that's backward compatibility, ORA_INSTALL, ORA_OPER, but then we see the 12c groups: ORA_OraDB12Home1_DBA and _OPER, and then the _SYSBACKUP, _SYSDG and _SYSKM groups. And I did a Grid Infrastructure install, and that's also got these groups, even though Grid Infrastructure will never use Data Guard or whatever. Under Windows you have no choice about the group names: when you run the installer the groups are created for you implicitly, with hard-coded names. So that's the difference. UNIX: pre-create the groups, put them in your groups file, and at install time choose the groups. Windows: the groups have hard-coded names and are created for you when you run the installer.
And that's one reason why you have to run the installer with administrative privileges, so it can create these groups. I'm doing everything with local group membership. I'm told that Oracle has finally sorted out the problems people have with running databases on Windows domain controllers when they're using domain accounts. My knowledge of Windows is pathetic, so I can't comment on this, but if you ever had problems with Windows and domain accounts and things, apparently they're now fixed, and this finer granularity of the groups is part of it. Okay, so that's what's happening at the operating system level. So you've got these new privileges. Well, they're granted through the password file or through OS groups, right? Password file: if we look at the 11g password file, SELECT * FROM V$PWFILE_USERS: SYS, who has SYSDBA and SYSOPER. SYSASM he doesn't have, because this is a database instance. So that's your 11g password file, and of course
I can grant SYSDBA to Scott and put him in the password file, and there he is. Right, under 12c: sqlplus / as sysdba. The password file is a bit different, because we've got these new privileges, and we see here, with my usual great performance, that we've got not only SYS, we've also got SYSBACKUP, SYSDG and SYSKM, and we've got the extra columns here. So if I describe it we see there are extra columns in it, whereas in earlier releases, 11g, it was just SYSDBA, SYSOPER, SYSASM, but now we've got these as well. There's also CON_ID; that's of limited value. So you've got these extra privilege columns in the table, extra users, if you call them users now, and the syntax is the same. I can grant, say, one of these new privileges: GRANT SYSBACKUP TO scott, and that will have copied his password into the password file. It's an awful performance here, but there he is in the password file with the privilege SYSBACKUP. Right.
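The password file walk-through above, as an added SQL*Plus example; it is not the lecturer's own script. It assumes a 12c instance, a SYSDBA session, and a user SCOTT that already exists; the column list of V$PWFILE_USERS is the 12c one the lecture describes, and CON_ID is the column he calls of limited value.

```sql
-- Added example (not from the lecture). Run as SYSDBA on a 12c instance.
-- Before: who is in the password file, and with which administrative privileges.
-- In 11g this view only had SYSDBA, SYSOPER and SYSASM columns.
SELECT username, sysdba, sysoper, sysasm, sysbackup, sysdg, syskm, con_id
  FROM v$pwfile_users;

-- Same GRANT syntax as for SYSDBA. This copies SCOTT's password hash into the
-- password file ($ORACLE_HOME/dbs/orapw<SID> by default), so SCOTT can now
-- authenticate with the password file even when the database is down.
GRANT SYSBACKUP TO scott;

-- After: SCOTT appears with SYSBACKUP = TRUE and every other column FALSE.
SELECT username, sysdba, sysoper, sysbackup
  FROM v$pwfile_users
 WHERE username = 'SCOTT';

-- Keep the password file tidy: revoking the privilege removes the entry again.
-- (Shown for completeness; skip it if you want to follow the rest of the lecture.)
-- REVOKE SYSBACKUP FROM scott;
```

Check V$PWFILE_USERS as part of any privilege review: every row in it is an account that can authenticate through the password file rather than through the data dictionary, and the per-privilege columns tell you exactly which of the administrative privileges each one holds.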
So it's the same mechanism that we've been using for years, but we've got these extra privileges. Well, what can they do, and what's their purpose? Well, the usual views will give you a pretty good idea of what's going on, and the previous slide, well, they really fall out like this: if you have the SYSBACKUP privilege you can do anything necessary for backup and recovery, but guess what, you can't see any data. SYSDG: anything you need for the Data Guard broker, but you can't see any data. SYSKM: you can manage Transparent Data Encryption, but you can't see any data. This is really important, because from now on there is no reason ever to log on as SYSDBA; you will hardly ever need to log on as SYS. Many DBAs, including me, have a very bad habit of connecting as SYS all the time. Give me a hand up if you log on to your databases as SYS. I do. I'm sure you do as well, Rochelle, you just haven't admitted it. Right.
You hardly ever need to. There is virtually nothing that requires a SYS logon, virtually nothing. People often think you need it to start up and shut down. You don't. CONNECT / AS SYSOPER. Right, SELECT * FROM scott.emp: can't do it. But I can do SHUTDOWN, STARTUP. You can do that, and we really should be using the SYSOPER privilege where we always tend to use SYSDBA. Other issues as well: backup and recovery. SYSOPER, unfortunately, can't do much in the way of backup, you can't do very much backup at all, you nearly always need SYSDBA to do backup. Not any more. Sorry, no, that's wrong: SYSOPER can do backups. What he can't do is incomplete recovery, but SYSOPER can do most of your backup work, he just can't do incomplete recovery. SYSDG: the real problem there is the Data Guard broker. The Data Guard broker has to do things like flashback. If you have to do a reinstatement of a database after a failover, the Data Guard broker uses flashback, and SYSOPER cannot do a flashback.
So you had to give it a SYSDBA logon when you were using the Data Guard broker. The really bad one was Transparent Data Encryption: to manage the Transparent Data Encryption keystore in release 11g, that was when you needed SYS. You needed SYS, which was an appalling breach of security, because it meant that the database administrator was in charge of encryption. No separation of duties whatsoever. So what Oracle has done with release 12 is make a clean separation of duties. If you log on with the SYSBACKUP privilege, which I just granted to Scott: I can connect scott/tiger, oops, I can connect scott/tiger, and who am I? I'm, of course, SCOTT, and if I try to do something like this, of course I can't do it. But I can connect scott/tiger AS SYSBACKUP, and when I do, who am I? This guy. And if I try to look at tables, such as that one, even my own table, I can't do it, but I could do STARTUP FORCE. I'm not going to do it now. I can do startup, shutdown.
I can do anything at all necessary for backup and recovery, but I can't see any data. Right, so what can I do? Let me go on as SYSDBA, which I just said you never need to do, and let's look at a couple of views, DBA_SYS_PRIVS. So what can SYSBACKUP actually do? SELECT privilege FROM dba_sys_privs WHERE grantee = 'SYSBACKUP'. He's a pretty amazingly powerful user: DROP TABLESPACE, CREATE ANY TABLE, but he can't do any SELECTs. He's got CREATE ANY TABLE but he can't SELECT ANY TABLE. Interesting, isn't it? He can do anything necessary for backup and recovery, and backup and recovery includes things like Data Pump; that's why he needs CREATE ANY TABLE, it's creating tables for you, but he can't see any data. He cannot see any data. If we look at some of the other ones: does he have any table privileges? EXECUTE... I need the table name as well, table_name. He's got EXECUTE on the packages, and notice transportable tablespaces, he's got privileges on the logical standby things as well.
And just for completeness, check his roles from DBA_ROLE_PRIVS. Well, you'll see, whoops, wrong name, it was GRANTED_ROLE, wasn't it? granted_role, sorry about that. GRANTED_ROLE: he's got SELECT_CATALOG_ROLE. So he's very powerful, and believe me, he can do anything that's needed for backup and restore, but he can't see any data. And it's the same with these other ones as well: SYSDG can do anything needed for Data Guard, including a flashback of course, but can't see any data. So you've got a nice clean separation of duties, and what this really means, going back to the previous slide, is that we should never log on as SYSDBA again.
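The separation-of-duties check the lecturer does by hand in the last three paragraphs, as an added SQL*Plus script; it is not his script and not Oracle's. It assumes SCOTT has been granted SYSBACKUP as shown earlier, that the password is the scott/tiger from the demo, and that SCOTT owns the EMP table he refers to. Because SYSBACKUP holds SELECT_CATALOG_ROLE, the audit queries can be run from the SYSBACKUP session itself, so nothing here needs a SYSDBA logon.

```sql
-- Added example (not from the lecture). Connect with the new privilege, not as SYS.
CONNECT scott/tiger AS SYSBACKUP
SHOW USER            -- USER is "SYSBACKUP": the session is the privilege, not SCOTT

-- Negative test: data access is denied, even on SCOTT's own table.
-- Expected: ORA-01031: insufficient privileges
SELECT COUNT(*) FROM scott.emp;

-- Positive test: database-level operations needed for backup work are allowed.
-- (ALTER SYSTEM is one of the system privileges granted to SYSBACKUP.)
ALTER SYSTEM CHECKPOINT;

-- Now audit what the SYSBACKUP user actually holds. SELECT_CATALOG_ROLE lets
-- this session read the DBA_* views without seeing any application data.

-- 1. System privileges. The point of the lecture: CREATE ANY TABLE is present
--    (Data Pump needs it) while SELECT ANY TABLE is not. This query should
--    return CREATE ANY TABLE and nothing that grants reads of user tables.
SELECT privilege
  FROM dba_sys_privs
 WHERE grantee = 'SYSBACKUP'
   AND privilege IN ('CREATE ANY TABLE', 'SELECT ANY TABLE', 'READ ANY TABLE')
 ORDER BY privilege;

-- 2. The full list, for the record (DROP TABLESPACE etc. will be in here).
SELECT privilege FROM dba_sys_privs WHERE grantee = 'SYSBACKUP' ORDER BY privilege;

-- 3. Object privileges: expect EXECUTE on SYS packages, no grants on user tables.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'SYSBACKUP'
 ORDER BY owner, table_name, privilege;

-- 4. Roles: expect SELECT_CATALOG_ROLE.
SELECT granted_role FROM dba_role_privs WHERE grantee = 'SYSBACKUP';

-- Any row in query 3 whose owner is an application schema, or SELECT ANY TABLE
-- turning up in query 1, would mean someone has widened the backup role beyond
-- what ships, and the "can't see any data" guarantee no longer holds.
```

Run the same four queries with the grantee set to SYSDG and SYSKM to confirm the other two administrative users are equally read-only with respect to application data; the lecturer's claim is that all three can do their job without ever being able to SELECT from a user table.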