Using Operating System Groups for Segregating Database Permissions in Oracle Database

database administration Hits: 125

Introduction

Security and access management for databases are among the key challenges in database environments. Oracle Database 19c allows us to effectively manage access by using predefined operating system groups. In this article, we will explore how to use these groups to segregate permissions and perform backup operations on the database without accessing user data.

Operating System Groups in Oracle Database 19c

If you have installed the oracle-database-preinstall package during the initial setup, it creates the Oracle user and the relevant groups.

Link to installation instructions

Additionally, you need to manually create the remaining groups required for the Grid installation.

You can use the id command to see the groups that the Oracle user belongs to:

[oracle@vahiddb1922 ~]$ id

uid=54321(oracle) gid=54321(oinstall) groups=54321(oinstall),54322(dba),54323(oper),54324(backupdba),54325(dgdba),54326(kmdba),54327(asmdba),54328(asmoper),54329(asmadmin),54330(racdba)

The backupdba group is one of the default groups that allows users who need to perform backup operations. In this article, we will examine how to use this group for managing backups and limiting access.

Practical Steps

Creating and Configuring a User

Creating a New User and Adding to the backupdba Group

Given the predefined groups, we need to create a new user and add it to the backupdba group, and set a password for it. This is done as follows:

[root@vahiddb1922 ~]# useradd -m -G backupdba backupuser

[root@vahiddb1922 ~]# passwd backupuser

Changing password for user backupuser.

New password:

BAD PASSWORD: The password contains the user name in some form

Retype new password:

passwd: all authentication tokens updated successfully.

Setting Permissions

Based on your requirements, you can set specific permissions for the backupuser so that it only has the desired access.

Performing Backup Operations with the New User

Connecting to the Database

Connect to the database using the backupuser:

To do this, the operating system environment variables need to be set up as well.

[backupuser@vahiddb1922 ~]$ sqlplus / as sysbackup

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Aug 23 17:24:53 2024

Version 19.22.0.0.0

Copyright (c) 1982, 2023, Oracle.  All rights reserved.

Connected to:

Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production

Version 19.22.0.0.0

Now let's see what we have access to:

[backupuser@vahiddb1922 ~]$ sqlplus / as sysbackup

SQL*Plus: Release 19.0.0.0.0 - Production on Fri Aug 23 17:26:57 2024

Version 19.22.0.0.0

Copyright (c) 1982, 2023, Oracle.  All rights reserved.

Connected to:

Oracle Database 19c Enterprise Edition Release 19.0.0.0.0 - Production

Version 19.22.0.0.0

SQL> SHOW PDBS

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED

---------- ------------------------------ ---------- ----------

         2 PDB$SEED                       READ ONLY  NO

         3 PDB                            READ WRITE NO

SQL> alter session set container=pdb;

Session altered.

SQL> select username from dba_users where username='HR';

USERNAME

--------------------------------------------------------------------------------

HR

SQL> SELECT TABLE_NAME FROM DBA_TABLES WHERE OWNER='HR';

TABLE_NAME

--------------------------------------------------------------------------------

REGIONS

LOCATIONS

DEPARTMENTS

JOBS

EMPLOYEES

JOB_HISTORY

COUNTRIES

7 rows selected.

SQL> SELECT * FROM HR.REGIONS;

SELECT * FROM HR.REGIONS

                 *

ERROR at line 1:

ORA-01031:insufficient privileges

 

So far, we have observed that although the user can see the list of tables and database users, they do not have access to the user data.

Now, let's proceed with the main task we expect to perform: taking a backup of the database.

[backupuser@vahiddb1922 ~]$ rman

Recovery Manager: Release 19.0.0.0.0 - Production on Fri Aug 23 17:37:08 2024

Version 19.22.0.0.0

Copyright (c) 1982, 2019, Oracle and/or its affiliates.  All rights reserved.

RMAN> connect target '/ as sysbackup'

connected to target database: ORCL (DBID=1703352953)

RMAN> backup database;

Starting backup at 23-AUG-24

using target database control file instead of recovery catalog

allocated channel: ORA_DISK_1

channel ORA_DISK_1: SID=50 device type=DISK

channel ORA_DISK_1: starting full datafile backup set

channel ORA_DISK_1: specifying datafile(s) in backup set

input datafile file number=00001 name=+DATA/ORCL/DATAFILE/system.270.1175572125

input datafile file number=00003 name=+DATA/ORCL/DATAFILE/sysaux.261.1175572161

input datafile file number=00004 name=+DATA/ORCL/DATAFILE/undotbs1.274.1175572175

input datafile file number=00007 name=+DATA/ORCL/DATAFILE/users.269.1175572177

channel ORA_DISK_1: starting piece 1 at 23-AUG-24

channel ORA_DISK_1: finished piece 1 at 23-AUG-24

piece handle=/u01/app/oracle/product/19.22/dbhome_1/dbs/163371im_38_1_1 tag=TAG20240823T173726 comment=NONE

channel ORA_DISK_1: backup set complete, elapsed time: 00:00:25

channel ORA_DISK_1: starting full datafile backup set

channel ORA_DISK_1: specifying datafile(s) in backup set

input datafile file number=00010 name=+DATA/ORCL/1E5F693390D2312FE0632438A8C0BDEA/DATAFILE/sysaux.268.1175573501

input datafile file number=00009 name=+DATA/ORCL/1E5F693390D2312FE0632438A8C0BDEA/DATAFILE/system.272.1175573501

input datafile file number=00011 name=+DATA/ORCL/1E5F693390D2312FE0632438A8C0BDEA/DATAFILE/undotbs1.273.1175573501

input datafile file number=00012 name=+DATA/ORCL/1E5F693390D2312FE0632438A8C0BDEA/DATAFILE/users.267.1175573517

channel ORA_DISK_1: starting piece 1 at 23-AUG-24

channel ORA_DISK_1: finished piece 1 at 23-AUG-24

piece handle=/u01/app/oracle/product/19.22/dbhome_1/dbs/173371jf_39_1_1 tag=TAG20240823T173726 comment=NONE

channel ORA_DISK_1: backup set complete, elapsed time: 00:00:15

channel ORA_DISK_1: starting full datafile backup set

channel ORA_DISK_1: specifying datafile(s) in backup set

input datafile file number=00006 name=+DATA/ORCL/86B637B62FE07A65E053F706E80A27CA/DATAFILE/sysaux.279.1175572811

input datafile file number=00005 name=+DATA/ORCL/86B637B62FE07A65E053F706E80A27CA/DATAFILE/system.262.1175572811

input datafile file number=00008 name=+DATA/ORCL/86B637B62FE07A65E053F706E80A27CA/DATAFILE/undotbs1.277.1175572811

channel ORA_DISK_1: starting piece 1 at 23-AUG-24

channel ORA_DISK_1: finished piece 1 at 23-AUG-24

piece handle=/u01/app/oracle/product/19.22/dbhome_1/dbs/183371jv_40_1_1 tag=TAG20240823T173726 comment=NONE

channel ORA_DISK_1: backup set complete, elapsed time: 00:00:15

Finished backup at 23-AUG-24

Starting Control File and SPFILE Autobackup at 23-AUG-24

piece handle=/u01/app/oracle/product/19.22/dbhome_1/dbs/c-1703352953-20240823-00 comment=NONE

Finished Control File and SPFILE Autobackup at 23-AUG-24

RMAN>

As we can see, the backup was successfully taken.

This approach is suitable for task segregation in large organizations.