This chapter describes the users and groups, the user environment, and the management environment settings to complete before you install Oracle Database and Oracle Grid Infrastructure for a standalone server.
Depending on whether this is the first time Oracle software is being installed on your system, and on the products that you are installing, you may have to create several operating system groups and users.
If you prefer to allocate operating system user privileges so that you can use one administrative user and one group for operating system authentication for all administrative privileges, then you can use the oracle user as the installation owner, and use one group as the primary group for any user requiring administrative privileges for Oracle ASM and Oracle Database administration. This group must also be the Oracle Inventory group. To simplify using the defaults for Oracle tools, the group name should be
You can also create custom configuration groups and users based on job role separation that divide access privileges.
Log in as root, and use the instructions in the following sections to locate or create the Oracle Inventory group and an Oracle software owner user:
When you install Oracle software on the system for the first time, Oracle Universal Installer creates the oraInst.loc file. This file identifies the name of the Oracle Inventory group (typically, oinstall) and the path of the Oracle Inventory directory.
You can configure one group to be the access control group for Oracle Inventory, for database administrators (OSDBA), and for all other access control groups used by Oracle software for operating system authentication. However, if you use one group to provide operating system authentication for all system privileges, then this group must be the primary group for all users to whom you want to grant administrative system privileges.
If you have an existing central Oracle Inventory, then ensure that you use the same Oracle Inventory for all Oracle software installations, and ensure that all Oracle software users you intend to use for installation have permissions to write to this directory.
To determine if the Oracle Inventory group exists, perform the following steps:
Enter the following command:
# more /var/opt/oracle/oraInst.loc
If the oraInst.loc file exists, then the output from this command is similar to the following:
inventory_loc=central_inventory_location
inst_group=group
In the preceding example, central_inventory_location is the location of the Oracle Central Inventory, and group is the name of the group that has permissions to write to the central inventory.
Use the grep command on /etc/group to confirm that the group specified as the Oracle Inventory group still exists on the system. For example:
# grep oinstall /etc/group
oinstall:x:1000:grid,oracle
If the oraInst.loc file does not exist, then create the Oracle Inventory group by entering the following command:
# /usr/sbin/groupadd -g 54321 oinstall
A job role separation configuration of Oracle Database and Oracle ASM is a configuration with groups and users that provides separate groups for operating system authentication.
Review the following restrictions for users created to own Oracle software:
Oracle recommends that you create one software owner to own each Oracle software installation. See "Oracle Software Owner For Each Oracle Software Product" for more information.
To create separate Oracle software owners and separate operating system privileges groups for different Oracle software installations, note that each of these users must have the Oracle central inventory group (oraInventory) as their primary group. Members of this group have write privileges to the Oracle central inventory (oraInventory) directory, and are also granted permissions for various Oracle Restart resources and directories in the Oracle Restart home to which DBAs need write access, and other necessary privileges. In Oracle documentation, this group is represented as oinstall in code examples. See "Creating the Oracle Inventory Group If an Oracle Inventory Does Not Exist".
Oracle software installation owner users must also have the OSDBA group of the database, the OSDBA group of the Oracle Grid Infrastructure home (if you create it), and (if you create them) the OSOPER, OSBACKUPDBA, OSDGDBA, and OSKMDBA groups as secondary groups. Oracle software owners require membership in the OSDBA group of the Oracle Grid Infrastructure home so that database instances can log on to Oracle ASM.
The Oracle Database and the Oracle Grid Infrastructure for a standalone server installation owner users (oracle and grid, respectively) must belong to the Oracle Inventory group (oinstall).
Each Oracle software owner must be a member of the same central inventory group. Oracle recommends that you do not have more than one central inventory for Oracle installations. If an Oracle software owner has a different central inventory group, then you may corrupt the central inventory.
The Oracle Grid Infrastructure for a standalone server installation owner user (grid) must be in the OSDBA group of every database home.
The following sections provide an overview about users and groups to divide access privileges by job roles:
You can create a single user (for example, oracle) to own both Oracle Database and Oracle Grid Infrastructure for a standalone server installations. However, Oracle recommends that you create one software owner to own each Oracle software installation (typically, oracle for the database software and grid for the Oracle Restart owner user).
You must create at least one software owner the first time you install Oracle software on the system.
Note: In Oracle documentation, a user created to own only Oracle Grid Infrastructure software installations is called the grid user. A user created to own either all Oracle installations, or only Oracle Database installations, is called the oracle user.
Create the following operating system groups, if you are installing Oracle Database:
You must create this group the first time you install Oracle Database software on the system. This group identifies operating system user accounts that have database administrative privileges (the SYSDBA privilege).
This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of database administrative privileges for starting up and shutting down the database (the SYSOPER privilege). Members of this group cannot directly connect as SYSOPER unless explicitly granted that privilege; however, they have the privileges granted by the SYSOPER privilege. By default, members of the OSDBA group have all privileges granted by the SYSOPER privilege.
Starting with Oracle Database 12c release 1 (12.1), in addition to the OSOPER privilege to start and shut down the database, you can create new administrative privileges that are more task-specific and less privileged than the OSDBA/SYSDBA system privileges, to support the specific administrative tasks required for everyday database operation. Users granted these system privileges are also authenticated through operating system group membership.
You do not have to create these specific group names, but during installation you are prompted to provide operating system groups whose members are granted access to these system privileges. You can assign the same group to provide authentication for these privileges, but Oracle recommends that you provide a unique group to designate each privilege.
The OSDBA subset job role separation privileges and groups consist of the following:
Create this group if you want a separate group of operating system users to have a limited set of database backup and recovery related administrative privileges (the SYSBACKUP privilege).
Add the Oracle software installation owner to the OSBACKUPDBA group.
Create this group if you want a separate group of operating system users to have a limited set of privileges to administer and monitor Oracle Data Guard (the SYSDG privilege).
Add the Oracle software installation owner to the OSDGDBA group.
Create this group if you want a separate group of operating system users to have a limited set of privileges for encryption key management, such as Oracle Wallet Manager management (the SYSKM privilege).
If you want to have an OSKMDBA group for Oracle Database, then the Oracle software installation owner must be a member of this group.
Create the following operating system groups if you are installing Oracle Grid Infrastructure:
The OSDBA group for Oracle ASM can be the same group used as the OSDBA group for the database, or you can create a separate OSDBA group for Oracle ASM to provide administrative access to Oracle ASM instances.
The Oracle Grid Infrastructure software owner (typically, grid) must be a member of the OSDBA group. Membership in the OSDBA group enables access to the files managed by Oracle ASM. If you have a separate OSDBA group for Oracle ASM, then the Oracle Restart software owner must be a member of the OSDBA group for each database and the OSDBA group for Oracle ASM.
The OSASM group for Oracle ASM Administration (typically, asmadmin)
Create this group as a separate group if you want to have separate administration privileges groups for Oracle ASM and Oracle Database administrators. Members of this group are granted the SYSASM system privileges to administer Oracle ASM. In Oracle documentation, the operating system group whose members are granted SYSASM privileges is called the OSASM group, and in command lines, is referred to as asmadmin.
Oracle ASM can support multiple databases. If you have multiple databases on your system, and use multiple OSDBA groups so that you can provide separate SYSDBA privileges for each database, then you should create a group whose members are granted the OSASM/SYSASM administrative privileges, and create a grid infrastructure user (grid) that does not own a database installation, so that you separate Oracle Grid Infrastructure SYSASM administrative privileges from a database administrative privileges group.
Members of the OSASM group can use SQL to connect to an Oracle ASM instance as SYSASM using operating system authentication. The SYSASM privileges permit mounting and dismounting of disk groups, and other storage administration tasks. SYSASM privileges provide no access privileges on an RDBMS instance.
If you do not designate a separate group as the OSASM group, then the OSDBA group you define is also, by default, the OSASM group.
The OSOPER group for Oracle ASM (typically, asmoper)
This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of Oracle instance administrative privileges (the SYSOPER for ASM privilege), including starting up and stopping the Oracle ASM instance. By default, members of the OSASM group also have all privileges granted by the SYSOPER for ASM privilege.
If you want to have an OSOPER group for Oracle ASM, then the Oracle Grid Infrastructure owner must be a member of this group.
The following sections describe how to create the required operating system user and groups:
After you create the required operating system groups described in this section, you must add the Oracle software owner user (typically, oracle) to these groups; otherwise these groups will not be available as an option in Oracle Universal Installer while performing the database installation.
The UIDs and GIDs mentioned in this section are illustrative only. Oracle recommends that you do not use the UID and GID defaults. Instead, provide common assigned group and user IDs, and confirm that they are unused before you create or modify groups and users.
If necessary, contact your system administrator before using or modifying an existing user or group.
You must create an OSDBA group in the following circumstances:
An OSDBA group does not exist, for example, if this is the first installation of Oracle Database software on the system
An OSDBA group exists, but you want to give a different group of operating system users database administrative privileges for a new Oracle Database installation
# /usr/sbin/groupadd -g 54322 dba
Create an OSOPER group only to identify a group of operating system users with a limited set of database administrative privileges (SYSOPER operator privileges). For most installations, it is sufficient to create only the OSDBA group. If you want to use an OSOPER group, then you must create it in the following circumstances:
If an OSOPER group does not exist; for example, if this is the first installation of Oracle Database software on the system
If an OSOPER group exists, but you want to give a different group of operating system users database operator privileges in a new Oracle installation
# /usr/sbin/groupadd -g 54323 oper
Create the OSBACKUPDBA group using the group name backupdba, unless a group with that name already exists:
# /usr/sbin/groupadd -g 54324 backupdba
Create the OSDGDBA group using the group name dgdba, unless a group with that name already exists:
# /usr/sbin/groupadd -g 54325 dgdba
# /usr/sbin/groupadd -g 54326 kmdba
# /usr/sbin/groupadd -g 54327 asmdba
# /usr/sbin/groupadd -g 54328 asmoper
# /usr/sbin/groupadd -g 54329 asmadmin
Depending on whether you want to create a new user, or use an existing user, see the following sections:
If an Oracle software owner user does not exist; for example, if this is the first installation of Oracle software on the system.
If an Oracle software owner user exists, but you want to use a different operating system user, with different group membership, to give database administrative privileges to those groups in a new Oracle Database installation.
If you have created an Oracle software owner for Oracle Grid Infrastructure, such as grid, and you want to create a separate Oracle software owner for Oracle Database software, such as oracle.
To determine if an Oracle software owner user named oracle or grid exists, enter commands similar to the following:
# id oracle
# id grid
If the oracle user exists, then the output from this command is similar to the following:
uid=54321(oracle) gid=54321(oinstall) groups=54322(dba),54323(oper)
If the grid user exists, then the output from this command is similar to the following:
uid=54322(grid) gid=54321(oinstall) groups=54321(oinstall),54329(asmadmin),54327(asmdba),54322(dba)
Determine whether you want to use an existing user, or create a new user. To use the existing user, ensure that the user's primary group is the Oracle Inventory group and that it is a member of the appropriate OSDBA and OSOPER groups. Depending on your choice, see one of the following sections for more information:
Note: If necessary, contact your system administrator before using or modifying an existing user.
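As an added example (not code from the Oracle guide), the following POSIX shell function applies the job role separation restrictions listed earlier in this chapter to the output of id shown above: the primary group must be the Oracle Inventory group, and the required OSDBA and job-role groups must appear as secondary groups. The sample id lines are copied from the examples above; the required group lists are assumptions taken from the useradd command later in this chapter.

```shell
#!/bin/sh
# Added example (not part of the Oracle guide): check an Oracle software owner's
# group membership, as printed by `id`, against the restrictions in this chapter.
#
# check_owner_groups "<id output>" <required primary group> <required secondary group>...
# Prints each violation and returns 1 if any is found, 0 if the user is set up correctly.
check_owner_groups() {
    id_line=$1
    want_primary=$2
    shift 2
    rc=0

    # Primary group: the name in parentheses after "gid=".
    primary=$(printf '%s\n' "$id_line" | sed -n 's/.*gid=[0-9]*(\([^)]*\)).*/\1/p')
    if [ "$primary" != "$want_primary" ]; then
        echo "primary group is '${primary:-<none>}', expected '$want_primary'"
        rc=1
    fi

    # Secondary groups: the comma-separated "groups=" field (read up to the next
    # space so a trailing SELinux context field is ignored), reduced to bare names.
    secondary=$(printf '%s\n' "$id_line" \
        | sed -n 's/.*groups=\([^ ]*\).*/\1/p' \
        | tr ',' '\n' \
        | sed -n 's/.*(\([^)]*\))/\1/p')
    for g in "$@"; do
        if ! printf '%s\n' "$secondary" | grep -qxF -- "$g"; then
            echo "missing secondary group: $g"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output, copied from the `id oracle` / `id grid` examples above.
ORACLE_ID='uid=54321(oracle) gid=54321(oinstall) groups=54322(dba),54323(oper)'
GRID_ID='uid=54322(grid) gid=54321(oinstall) groups=54321(oinstall),54329(asmadmin),54327(asmdba),54322(dba)'

# grid: primary group oinstall, plus the OSASM group and the OSDBA groups of
# Oracle ASM and of every database home (assumed: asmadmin, asmdba, dba).
echo "== grid"
if check_owner_groups "$GRID_ID" oinstall asmadmin asmdba dba; then echo "ok"; else echo "NOT OK"; fi

# oracle: primary group oinstall, plus the OSDBA group and the job-role groups
# given to useradd later in this chapter. The sample user lacks most of them.
echo "== oracle"
if check_owner_groups "$ORACLE_ID" oinstall dba asmdba backupdba dgdba kmdba; then echo "ok"; else echo "NOT OK"; fi
```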
If the Oracle software owner user (oracle or grid) does not exist, or if you require a new Oracle software owner user, then create it as described in this section (in this case, to create the oracle user).
In the following procedure, use the user name oracle unless a user with that name exists:
# /usr/sbin/useradd -u 54321 -g oinstall -G dba,asmdba,backupdba,dgdba,kmdba oracle
In the preceding command:
The -u option specifies the user ID. Using this command flag is optional because the system can provide you with an automatically generated user ID number. However, Oracle recommends that you specify a number. You must note the user ID number because you need it during preinstallation.
The -g option specifies the primary group, which must be the Oracle Inventory group, for example, oinstall.
The -G option specifies the secondary groups, which must include the OSDBA group, and, if required, the ASMDBA, OSOPER, OSBACKUPDBA, OSDGDBA, and OSKMDBA groups, for example, dba, asmdba, backupdba, dgdba, and kmdba.
Set the password of the oracle user:
# passwd oracle
If the oracle user exists, but its primary group is not oinstall, or it is not a member of the appropriate OSDBA, OSOPER, or OSDBA for ASM groups, then modify the group settings for the user with a command similar to the following:
# /usr/sbin/usermod -g oinstall -G dba,asmdba,backupdba,dgdba,kmdba[,oper] oracle
Oracle does not support modifying an existing installation owner. See "About Oracle Installations with Job Role Separation" for a complete list of restrictions.
On HP-UX, if you intend to install Oracle Database, then use the following procedure to create an external jobs user account to provide a low-privilege user with which external jobs can be run:
Log in as root.
Create the unprivileged user extjob, for example:
# useradd extjob
Bourne, Korn, and Bash shells:
$ export DISPLAY=hostname:0
C shell:
$ setenv DISPLAY hostname:0
For example, if you are using the Bash shell and if your host name is local_host, then enter the following command:
$ export DISPLAY=local_host:0
Using any text editor, edit or create the software installation owner's ~/.ssh/config file.
Ensure that the ForwardX11 attribute in the ~/.ssh/config file is set to no. For example:
Host *
ForwardX11 no
Ensure that the permissions on ~/.ssh are secured to the grid user. For example:
$ ls -al .ssh
total 28
drwx------ 2 oracle oinstall 4096 Jun 21 2012 .
drwx------ 19 oracle oinstall 4096 Jun 21 2012 ..
-rw-r--r-- 1 oracle oinstall 1202 Jun 21 2012 authorized_keys
-rwx------ 1 oracle oinstall 668 Jun 21 2012 id_dsa
-rwx------ 1 oracle oinstall 601 Jun 21 2012 id_dsa.pub
-rwx------ 1 oracle oinstall 1610 Jun 21 2012 known_hosts
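The following script, an added example that is not part of the Oracle guide, audits a captured ls -al listing of ~/.ssh for the conditions this step is meant to guarantee: an owner-only directory, private keys unreadable by group and others, and nothing group- or world-writable. The listings are constructed from the example output above plus a deliberately insecure variant.

```shell
#!/bin/sh
# Added example (not part of the Oracle guide): audit an `ls -al ~/.ssh` listing
# for the permission problems this step is meant to rule out.
#
# check_ssh_listing "<ls -al output>"
# Prints each offending entry and returns 1 if any is found, 0 otherwise.
check_ssh_listing() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        # Only regular files and directories; the "total" line is skipped.
        $1 ~ /^[-d]/ {
            mode = substr($1, 1, 10)   # drop a trailing ACL/SELinux marker such as "+" or "."
            name = $NF
            # The .ssh directory itself ("." in an ls -al listing) must be owner-only.
            if (name == "." && mode != "drwx------") {
                bad++; print "directory .ssh has mode " mode " (want drwx------)"
            }
            # Private keys (id_* without a .pub suffix) must have no group/other bits.
            if (name ~ /^id_/ && name !~ /\.pub$/ && substr(mode, 5) != "------") {
                bad++; print "private key " name " has mode " mode
            }
            # Nothing in .ssh may be group- or world-writable.
            if (substr(mode, 6, 1) == "w" || substr(mode, 9, 1) == "w") {
                bad++; print name " is group- or world-writable (" mode ")"
            }
        }
        END { exit (bad > 0) }'
}

# Constructed sample listing, based on the example output above (the secure case).
SSH_LISTING_OK='total 28
drwx------  2 oracle oinstall 4096 Jun 21  2012 .
drwx------ 19 oracle oinstall 4096 Jun 21  2012 ..
-rw-r--r--  1 oracle oinstall 1202 Jun 21  2012 authorized_keys
-rwx------  1 oracle oinstall  668 Jun 21  2012 id_dsa
-rwx------  1 oracle oinstall  601 Jun 21  2012 id_dsa.pub
-rwx------  1 oracle oinstall 1610 Jun 21  2012 known_hosts'

# Constructed insecure case: group-accessible directory, group-writable
# authorized_keys and a group-readable private key.
SSH_LISTING_BAD='total 28
drwxr-x---  2 oracle oinstall 4096 Jun 21  2012 .
-rw-rw-r--  1 oracle oinstall 1202 Jun 21  2012 authorized_keys
-rw-r-----  1 oracle oinstall  668 Jun 21  2012 id_dsa'

for listing in "$SSH_LISTING_OK" "$SSH_LISTING_BAD"; do
    if check_ssh_listing "$listing"; then echo "listing is secure"; else echo "listing is NOT secure"; fi
done
```

To audit a live account, pass the real output: check_ssh_listing "$(ls -al ~/.ssh)".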
Note: If you are installing additional Oracle Database 12c products in an existing Oracle home, then stop all processes, including the listener and database, running in the Oracle home. You must complete this task to enable Oracle Universal Installer to relink certain executables and libraries.
Consider the following before you install Oracle Grid Infrastructure for a standalone server, or Oracle Database:
If you plan to use Oracle Restart, then you must install Oracle Grid Infrastructure for a standalone server before you install and create the database. When you perform a database installation, the database must use the same listener created during the Oracle Grid Infrastructure for a standalone server installation, and thereafter you do not have to perform the steps listed in this section.
The default listener and any additional listeners must run from the Oracle Grid Infrastructure home. See "Configuring Oracle Software Owner Environment" to continue.
If you have an existing Oracle Database 12c running on Oracle ASM, then stop any existing Oracle ASM instances. After you finish installing Oracle Grid Infrastructure for a standalone server, start the Oracle ASM instance again.
If you create a database during the software installation, then most installation types configure and start a default Oracle Net listener using TCP/IP port 1521 and the IPC key value EXTPROC. If an existing Oracle Net listener process is using the same port or key value, Oracle Universal Installer looks for the next available port (for example, 1522) and configures and starts the new listener on this available port.
Switch user to the oracle user:
# su - oracle
$ ps -ef | grep tnslsnr
This command displays information about the Oracle Net listeners running on the system:
... oracle_home1/bin/tnslsnr LISTENER -inherit
In this example, oracle_home1 is the Oracle home directory where the listener is installed and LISTENER is the listener name.
Note: If no Oracle Net listeners are running, then see "Configuring Oracle Software Owner Environment" to continue.
Bourne, Bash, or Korn shell:
$ ORACLE_HOME=oracle_home1
$ export ORACLE_HOME
C or tcsh shell:
% setenv ORACLE_HOME oracle_home1
Enter the following command to identify the TCP/IP port number and IPC key value that the listener is using:
$ $ORACLE_HOME/bin/lsnrctl status listenername
Note: If the listener uses the default name LISTENER, then you do not have to specify the listener name in this command.
Enter a command similar to the following to stop the listener process:
$ $ORACLE_HOME/bin/lsnrctl stop listenername
Repeat this procedure to stop all listeners running on this system.
You must run Oracle Universal Installer from the oracle or grid account. However, before you start Oracle Universal Installer, you must configure the environment of the oracle or grid user. To configure the environment, you must:
Caution: The Bash shell is not supported on HP-UX Itanium. Use shell programs supported by your operating system vendor. If you use a shell program that is not supported by your operating system, then you can encounter errors during installation.
To set the Oracle software owners' environments, follow these steps for each software owner (oracle and grid). The following procedure lists the steps for the oracle user only:
Start a new X terminal session (xterm).
Enter the following command to ensure that X Window applications can display on this system:
$ xhost + RemoteHost
In this command, RemoteHost is the fully qualified remote host name. For example:
$ xhost + somehost.example.com
If you are not logged in as the user, then switch to the software owner user you are configuring. For example, as the oracle user:
$ su - oracle
To determine the user's default shell, enter the following command:
$ echo $SHELL
Open the user's shell startup file in any text editor:
Bash shell (bash):
$ vi .bash_profile
Bourne shell (sh) or Korn shell (ksh):
$ vi .profile
C shell (csh or tcsh):
% vi .login
Enter or edit the following line, specifying a value of 022 for the default file mode creation mask:
umask 022
Save the file and exit from the text editor.
To run the shell startup script, enter one of the following commands:
Bash shell:
$ . ./.bash_profile
Bourne or Korn shell:
$ . ./.profile
C shell:
% source ./.login
If you are not installing the software on the local computer, then run the following command on the remote computer to set the DISPLAY environment variable:
Bourne, Bash, or Korn shell:
$ export DISPLAY=local_host:0.0
C shell:
% setenv DISPLAY local_host:0.0
In this example, local_host is the host name or IP address of the system (your workstation, or another client) on which you want to display the installer.
Run the following commands on the remote system to check if the SHELL and the DISPLAY environment variables are set correctly:
echo $SHELL
echo $DISPLAY
To change the display location from the default display to a remote system display, run the following command on the local computer:
$ xhost + RemoteHost
To verify that the X applications display is set properly, run an X11-based program that comes with the operating system, such as xclock:
$ xclock
If the DISPLAY environment variable is set correctly, then you can see xclock on your computer screen. If you get any display errors, see "X Window Display Errors". If xclock does not start, then contact your system administrator.
If the /tmp directory has less than 1 GB of free disk space, then identify a file system with at least 1 GB of free space and set the TMP and TMPDIR environment variables to specify a temporary directory on this file system:
To determine the free disk space on each mounted file system use the following command:
# bdf /tmp
If necessary, enter commands similar to the following to create a temporary directory on the file system that you identified, and set the appropriate permissions on the directory:
$ sudo -s
# mkdir /mount_point/tmp
# chmod 775 /mount_point/tmp
# exit
Enter commands similar to the following to set the TMP and TMPDIR environment variables:
Bourne, Bash, or Korn shell:
$ TMP=/mount_point/tmp
$ TMPDIR=/mount_point/tmp
$ export TMP TMPDIR
C shell:
% setenv TMP /mount_point/tmp
% setenv TMPDIR /mount_point/tmp
If you have had an existing installation on your system, and you are using the same user account to install this installation, then unset the ORACLE_HOME, ORACLE_BASE, ORACLE_SID, and TNS_ADMIN environment variables and any other environment variable set for the Oracle installation user that is connected with Oracle software homes.
Bourne, Bash, or Korn shell:
$ unset ORACLE_HOME
$ unset ORACLE_BASE
$ unset ORACLE_SID
$ unset TNS_ADMIN
C shell:
% unsetenv ORACLE_HOME
% unsetenv ORACLE_BASE
% unsetenv ORACLE_SID
% unsetenv TNS_ADMIN
Use the following command to check the PATH environment variable:
$ echo $PATH
Ensure that the $ORACLE_HOME/bin path is removed from your PATH environment variable.
If the ORACLE_HOME environment variable is set, then Oracle Universal Installer uses the value that it specifies as the default path for the Oracle home directory. If you set the ORACLE_BASE environment variable, then Oracle recommends that you unset the ORACLE_HOME environment variable and choose the default path suggested by Oracle Universal Installer.
To verify that the environment has been set correctly, enter the following commands:
$ umask
$ env | more
Verify that the umask command displays a value of 0022 and that the environment variables you set in this section have the correct values.
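As an added example (not code from the Oracle guide), the following POSIX shell functions automate the checks this section describes: removing the old $ORACLE_HOME/bin entry from PATH, confirming that ORACLE_HOME, ORACLE_BASE, ORACLE_SID and TNS_ADMIN are unset, and confirming that umask is 022. The Oracle home path in the sample is hypothetical.

```shell
#!/bin/sh
# Added example (not part of the Oracle guide): pre-installer environment checks
# for the Oracle software owner's shell, as described in this section.

# Print PATH ($2) with every entry equal to <old Oracle home>/bin ($1) removed.
# Pure shell splitting, so entries containing spaces or glob characters are safe.
strip_oracle_bin() {
    old_bin="$1/bin"
    new=""
    rest="$2:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        if [ "$entry" != "$old_bin" ]; then
            new="${new:+$new:}$entry"
        fi
    done
    printf '%s\n' "$new"
}

# Return 0 if ORACLE_HOME, ORACLE_BASE, ORACLE_SID and TNS_ADMIN are all unset
# and the file mode creation mask is 022; otherwise print each problem and return 1.
env_is_clean() {
    rc=0
    for v in ORACLE_HOME ORACLE_BASE ORACLE_SID TNS_ADMIN; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then
            echo "$v is still set to '$val'; unset it before starting the installer"
            rc=1
        fi
    done
    case $(umask) in
        022|0022) ;;
        *) echo "umask is $(umask), expected 022"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: a PATH that still carries the bin directory of an earlier
# installation. The home path is hypothetical.
OLD_HOME=/u01/app/oracle/product/12.1.0/dbhome_1
SAMPLE_PATH="/usr/bin:$OLD_HOME/bin:/usr/local/bin"
echo "PATH without the old home: $(strip_oracle_bin "$OLD_HOME" "$SAMPLE_PATH")"

# Check the current shell's environment.
if env_is_clean; then
    echo "environment is clean"
else
    echo "fix the environment before running Oracle Universal Installer"
fi
```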
During an Oracle Grid Infrastructure installation, Oracle Universal Installer prompts you to run scripts with superuser (or root) privileges to complete several system configuration tasks. You can either run these root scripts manually as root when prompted, or during installation you can provide configuration information and passwords using one of the following root privilege delegation options:
Use root user credentials
Provide the superuser (or root) password. This option runs the root scripts automatically as the root user.
Sudo is a UNIX and Linux utility that allows members of the sudoers group to run individual commands as root. To enable Sudo, have a system administrator with the appropriate privileges configure a user that is a member of the sudoers list, and provide the username and password when prompted during installation.
See Also: Step 9, "Root Script Execution Configuration" screen in the "Installing Oracle Grid Infrastructure for a Standalone Server with a New Database Installation" section.