Creation of New User Groups and Users for Separation of Database Administration Duties
Oracle Database provides access control to separate the roles on Windows.
With Oracle Database services running under the Oracle Home User account instead of the Local System Account, the Oracle ASM access control feature must be enabled to support role separation on Windows. In previous releases, this feature was disabled on Windows because all Oracle Database services ran under Windows Built-in Local System Account.
The new user groups added are ORA_HOMENAME_DBA, ORA_HOMENAME_OPER, ORA_HOMENAME_SYSBACKUP, and so on. For Oracle ASM administration, new groups ORA_ASMADMIN, ORA_ASMDBA and ORA_ASMOPER are automatically created and populated during Oracle Database installation. The Oracle ASM administrator can manage these Windows groups using Windows tools, though you must ensure that the required user names are not removed from these groups.