Re: Best Practices for Oracle on Windows

  • From: Mohammad Rafiq <rafiq9857@xxxxxxxxx>
  • To: niall.litchfield@xxxxxxxxx
  • Date: Thu, 3 Feb 2005 15:03:35 -0500

Niall,
can we create ORA_DBA group manually(if not created during
installation or removed afterward) and will it allow member of that
group to connect as SYSDBA without SYS password?
Regards
Rafiq



On Thu, 3 Feb 2005 13:27:20 +0000, Niall Litchfield
<niall.litchfield@xxxxxxxxx> wrote:
> On Thu, 3 Feb 2005 08:00:16 -0500, Sherrie.Kubis@xxxxxxxxxxxxxxxxxx
> <Sherrie.Kubis@xxxxxxxxxxxxxxxxxx> wrote:
> >
> >
> > I am looking for some best practice guidelines for assigning administrator
> > privilege for Oracle on Windows.  I'm coming from a UNIX environment, where
> > oracle binaries and datafiles and whatnot are all owned by oracle.  Root
> > things that need to be done are done from another account that is in the
> > root wheel, and done through deliberate actions as needed.
> 
> In terms of *installing* the Oracle software, you should use an
> account with local administrator privileges for this (doesn't have to
> be a domain administrator). That doesn't mean that the dba needs to
> have administrative access to the machine (though I do on all the
> database machines in our place). Oracle installation creates an OS
> group ORA_DBA which is equivalent to the dba group on Unix. DBA
> Accounts should be placed in this group. (You can also create a group
> ORA_<SID>_DBA just to restrict them to particular databases).
> 
> I'd strongly recommend that you create a domain group (or groups
> depending on how many types of dba you have) that you place dba users
> domain accounts in. Then you can assign the domain group to the local
> dba group on relevant boxes. Then you can audit who does what since
> the dbas all should use their own accounts to do their administration.
> 
> --
> Niall Litchfield
> Oracle DBA
> http://www.niall.litchfield.dial.pipex.com
> --
> //www.freelists.org/webpage/oracle-l
>
--
//www.freelists.org/webpage/oracle-l

Other related posts: