The Oracle software installation requires a Linux user to be a designated Oracle software owner. The Oracle software owner runs the OUI (Oracle Universal Installer) to install Oracle Database and has full privileges to install, uninstall, and patch the Oracle software. The OUI cannot be run as the root user. The name of the Oracle software owner is commonly oracle, but you can use a different name.
The Oracle software installation also requires a low-privileged OS user to be the owner of the httpd process. This is usually provided by the nobody user.
Database operations require a few more users. A user who is a member of the OSOPER group can start, stop, back up, and recover the database. A user who is a member of the OSDBA group can create and drop databases and create other DBA-privileged users, in addition to having the privileges of OSOPER.
Ordinary database users can have OS accounts on the database server, but it is not necessary. It is common for database users to connect to the database through a client or application server without any OS account. OS user accounts might be required by the database application for batch jobs or specialized external processes. The Oracle default installation does not require any ordinary database user to have OS accounts.
With Oracle Grid Infrastructure and ASM, there is a user called grid and three groups: asmadmin, asmdba, and asmoper. The owner of the Grid Infrastructure is commonly the “grid” user.
The Oracle Database Installation Guide names three group identifiers:
- OSDBA (dba): Identifies OS accounts that have database administration privileges (SYSDBA)
- OSOPER (oper): Identifies OS accounts that have limited database administration privileges (SYSOPER)
- Oracle Inventory group (oinstall): Identifies the owner of the Oracle software
An OSDBA group is the only group that must be created to manage the database files. By default, this group is dba, but it can have a different name. SYSDBA is a high-level administrative privilege much like that of the root user on Linux. The members of the OSDBA group own the database files and have the privilege to connect to the database without a password, using AS SYSDBA through OS authentication.
The OSOPER group members connect to the database using the AS SYSOPER mechanism. This group has a restricted set of privileges. Each database can have its own OSDBA and OSOPER groups.
During installation, one inventory is created per system and all Oracle software installed on a server is registered in this inventory. The inventory group name is oinstall, and the Oracle software owner (oracle) is a member of this group. This user is also a member of the OSDBA and OSOPER groups.
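
Because OSDBA membership allows a connection AS SYSDBA without a password, it is worth auditing who actually holds these groups. The shell script below is an added example, not part of the Oracle documentation: it lists the members of dba and oper, including accounts that hold the group only as their primary GID, which the member field of the group file does not show. The accounts batch and alice, the sample data, and the allowlist containing only oracle are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample data is constructed, in /etc/passwd and /etc/group format.
# "batch" and "alice" are hypothetical accounts; group names are the page's defaults.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
oracle:x:54321:54321:Oracle owner:/home/oracle:/bin/bash
grid:x:54322:54321:Grid owner:/home/grid:/bin/bash
batch:x:1001:54322:Batch jobs:/home/batch:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/bash'
SAMPLE_GROUP='oinstall:x:54321:
dba:x:54322:oracle,alice
oper:x:54323:oracle
alice:x:1002:'

# Print every account in group $1 ($2 = passwd text, $3 = group text):
# supplementary members (group field 4) plus accounts whose primary GID
# (passwd field 4) equals the group's GID.
group_members() {
    gid=$(printf '%s\n' "$3" | awk -F: -v g="$1" '$1 == g { print $3; exit }')
    [ -n "$gid" ] || return 1
    {
        printf '%s\n' "$3" | awk -F: -v g="$1" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
        printf '%s\n' "$2" | awk -F: -v gid="$gid" '$4 == gid { print $1 }'
    } | sort -u
}

# Print members of group $1 that are not in the space-separated allowlist $2
# ($3 = passwd text, $4 = group text).
unexpected_members() {
    group_members "$1" "$3" "$4" | while read -r user; do
        case " $2 " in
            *" $user "*) ;;                    # expected member
            *) printf '%s\n' "$user" ;;        # needs review
        esac
    done
}

# Report against an assumed allowlist of just the software owner.
# On a real host pass "$(getent passwd)" and "$(getent group)" instead.
for g in dba oper; do
    for u in $(unexpected_members "$g" "oracle" "$SAMPLE_PASSWD" "$SAMPLE_GROUP"); do
        echo "REVIEW: $u is in $g (OS-authenticated admin access)"
    done
done
```

In the sample data, batch is flagged even though it never appears in the dba line of the group file, because its primary GID is the dba GID.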
Oracle Database 12c introduces new operating system groups:
- SYSBACKUP: Facilitates Oracle Recovery Manager (RMAN) backup and recovery operations either from RMAN or SQL*Plus.
- SYSDG: Facilitates Data Guard operations. The user can perform operations either with Data Guard Broker or with the DGMGRL command-line interface.
- SYSKM: Facilitates Transparent Data Encryption keystore operations.
Each of these accounts provides a designated user for the new administrative privilege with the same name.