What are backupdba, dgdba, and kmdba groups?

Basics (Database Roles)

In the Oracle database administration world, the following are standard database roles:

1. OSDBA (Operating System Database Administrator): This special system privilege enables users to perform high-level administrative tasks for the Oracle database instance. It allows the user to start, shut down, mount, and open a database, perform backups and recoveries, and manage database files.

2. SYSDBA (System Database Administrator): This is the most powerful database privilege. Users with the SYSDBA privilege can perform any database operation, including creating, altering, and dropping users, as well as starting and stopping the database.

3. OSOPER (Operating System Operator): This special system privilege allows users to perform basic operational tasks for the Oracle database instance, such as starting and stopping the database and managing memory and processes.

4. SYSOPER (System Operator): This restricted system privilege allows a user to perform basic operational tasks for the database, such as starting and stopping the database and performing database recovery.

5. OSBACKUPDB (Operating System Backup Operator): This special system privilege allows users to perform backup and recovery operations for the Oracle database instance at the operating system level.

6. SYSBACKUP (System Backup Administrator): This powerful database privilege allows a user to perform backup and recovery operations for the database.

7. OSDGDBA (Operating System Data Guard Administrator): This special system privilege enables a user to perform administrative tasks for Oracle Data Guard at the operating system level.

8. SYSDG (System Data Guard Administrator): This powerful database privilege allows users to perform administrative tasks for Oracle Data Guard.

9. OSKMDBA (Operating System Key Management Administrator): This special system privilege enables users to perform administrative tasks for Oracle Key Vault at the operating system level.

10. SYSKM (System Key Management Administrator): This powerful database privilege allows users to perform administrative tasks for Oracle Key Vault.

These roles and privileges are essential for managing and securing an Oracle database environment.

Database Groups

In Oracle, the following groups are used to manage specific administrative privileges.

1. BACKUPDBA Group: This group is created to provide a limited set of database backup and recovery related administrative privileges to a separate group of operating system users. Members of this group are granted access to perform backup and recovery operations for the Oracle Database.

2. DGDBA Group: The DGDBA (Data Guard Database Administrator) group is created to provide a limited set of administrative privileges related to Oracle Data Guard to a separate group of operating system users. Members of this group are granted access to perform administrative tasks for Oracle Data Guard.

3. KMDBA Group: The KMDBA (Key Management Database Administrator) group is created to provide a limited set of administrative privileges related to encryption key management to a separate group of operating system users. Members of this group are granted access to perform administrative tasks for Oracle Key Vault and encryption key management.

These groups are designed to provide task-specific and less privileged administrative privileges, and they are used to control access to specific database operations. Members of these groups are authorized to perform their respective tasks through operating system group membership. The creation and management of these groups are essential for ensuring that the appropriate users have the necessary privileges to carry out everyday database operations while maintaining security and access control.

Process

Description

Users in the OSDBA group are granted the SYSDBA administrative privilege. Similarly, the OSOPER group is used to grant SYSOPER administrative privilege to users, the OSBACKUPDBA group is used to grant SYSBACKUP administrative privilege to users, the OSDGDBA group is used to grant SYSDG administrative privilege to users, and the OSKMDBA group is used to grant SYSKM administrative privilege to users.

Step 1: whoami?

[oracleuser@localhost lib]$ id oracleuser
uid=501(oracle user) gid=501(oinstall) groups=501(oinstall),502(dba)
[oracleuser@localhost lib]$

Step 2: Create the following groups: OSOPER, OSBACKUPDBA, OSDGDBA, and OSKMDBA groups as secondary and add Oracle users to these groups.

Example/Sample:
/usr/sbin/groupadd -g 503 oper
/usr/sbin/groupadd -g 504 backupdba
/usr/sbin/groupadd -g 505 dgdba
/usr/sbin/groupadd -g 506 kmdba

/usr/sbin/usermod -g oinstall -G dba,asmdba,backupdba,dgdba,kmdba[,oper] oracleuser

Step 3: Again, whoami?

Now, the Oracle user is a member of all the above groups.

[oracleuser@localhost lib]$ id oracle user
uid=501(oracle user) gid=501(oinstall) groups=501(oinstall),502(dba),503(oper),504(backupdba),505(dgdba),506(kmdba)
[oracleuser@localhost lib]$

Step 4: Make necessary changes in config.c of $ORACLE_HOME/rdbms/lib/. Below is the config.c file on Linux (64-bit) platform. Define the groups oper,backupdba, dgdba, kmdba.

$ cat config.c

/* SS_DBA_GRP defines the UNIX group ID for sqldba adminstrative access. */
/* Refer to the Installation and User's Guide for further information. */

.section .rodata.str1.4, "aMS",@progbits,1
.align 4
.Ldba_string: .string "dba"
.Loper_string: .string "oper"
.Lasm_string: .string ""
.Lbkp_string: .string "backupdba"
.Ldgd_string: .string "dgdba"
.Lkmt_string: .string "kmdba"

.section .rodata
.align 8
.globl ss_dba_grp
ss_dba_grp:
.quad .Ldba_string
.quad .Loper_string
.quad .Lasm_string
.quad .Lbkp_string
.quad .Ldgd_string
.quad .Lkmt_string
.type ss_dba_grp,@object
.size ss_dba_grp,.-ss_dba_grp
.section .note.GNU-stack, ""
.end
/*
* Assembler will not parse a file past the .end directive
*/
#endif

#define SS_DBA_GRP "dba"
#define SS_OPER_GRP "oper"
#define SS_ASM_GRP ""
#define SS_BKP_GRP "backupdba"
#define SS_DGD_GRP "dgdba"
#define SS_KMT_GRP "kmdba"

const char * const ss_dba_grp[] =
{SS_DBA_GRP, SS_OPER_GRP, SS_ASM_GRP,
SS_BKP_GRP, SS_DGD_GRP, SS_KMT_GRP};
[oracleuser@localhost lib]$

Step 5: Move the config.o file and regenerate using the below make command.

 $ cd $ORACLE_HOME/rdbms/lib/

 $ mv config.o config.o.BKP

 $ make -f ins_rdbms.mk config.o ioracle

Step 6: Create the required users for the  OSOPER, OSBACKUPDBA, OSDGDBA, and OSKMDBA groups.

A user can connect to the database using operating system authentication. A user can be authenticated, enabled as an administrative user, and connected to a local database by typing one of the following SQL*Plus commands:e.g.,

CONNECT / AS SYSDBA
CONNECT / AS SYSOPER
CONNECT / AS SYSBACKUP
CONNECT / AS SYSDG
CONNECT / AS SYSKM

for example, creating a backup_ora user for SYSBACKUP administrative privilege

$useradd -g oinstall -G dba,backupdba backup_ora

Step 7: Connect as sysbackup using OS authentication.

OS Authentication with the SYSBACKUP Privilege.

% rman target '"/ as sysbackup"'

e.g.,
[Oracleuser@localhost ~]$ rman target '"/ as sysbackup"'

Recovery Manager: Release 19.x - Production on Sun Jan 13 00:38:57 2024

Copyright (c) 1982, 2014, Oracle and/or its affiliates. All rights reserved.

connected to target database: oracledatabase (DBID=1027533583)

RMAN>

Step 8: Non-SYS users can be created using the below command. In case, of 19c CDB environment, you need to create the command users below for all the containers.

SQL> create user c##backup_rman identified by oracle account unlock ;

Step 9: Execute RMAN.

SQL> grant sysbackup to c##backup_rman ;

[Oracleuser@localhost ~]$ rman target c##backup_rman/oracle

Recovery Manager: Release 19.x - Production on Sun Jan 13 00:38:57 2024

Copyright (c) 1982, 2014, Oracle and/or its affiliates. All rights reserved.

connected to target database: oracledatabase (DBID=1027533583)

RMAN> backup database ;

Starting backup at 13-JAN-24
using target database control file instead of recovery catalog
allocated channel: ORA_DISK_1
channel ORA_DISK_1: SID=85 device type=DISK
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00001 name=/u01/app/oracle/oradata/oracledatabase/datafile/o1_mf_system_cckrhmcw_.dbf
.........

channel ORA_DISK_1: backup set complete, elapsed time: 00:00:45
channel ORA_DISK_1: starting full datafile backup set
channel ORA_DISK_1: specifying datafile(s) in backup set
input datafile file number=00007 name=/u01/app/oracle/oradata/oracledatabase/datafile/o1_mf_sysaux_cckrnl56_.dbf
input datafile file number=00005 name=/u01/app/oracle/oradata/oracledatabase/datafile/o1_mf_system_cckrnl6c_.dbf
channel ORA_DISK_1: starting piece 1 at 13-JAN-24
channel ORA_DISK_1: finished piece 1 at 13-JAN-24
piece handle=/u01/app/oracle/fast_recovery_area/oracledatabase/2B47A2C2061C3C65E0530100007FF3E7/backupset/2024_01_13/o1_mf_nnndf_TAG20170212T003344_d9yr6ct6_.bkp tag=TAG20240113T003344 comment=NONE
channel ORA_DISK_1: backup set complete, elapsed time: 00:00:55
Finished backup at 13-JAN-24

Starting Control File and SPFILE Autobackup at 13-JAN-24
piece handle=/u01/app/oracle/fast_recovery_area/oracledatabase/autobackup/2017_02_12/o1_mf_s_935714267_d9yr851n_.bkp comment=NONE
Finished Control File and SPFILE Autobackup at 13-JAN-24

RMAN>

REFERENCES

http://docs.oracle.com/database/121/ADMIN/E41484-12.pdf

NOTE:369260.1- Warning: Oracle Executable Binary Mismatch Detected

http://docs.oracle.com/database/121/DBSEG/E48135-15.pdf

http://docs.oracle.com/database/121/LADBI/E41491-16.pdf

http://docs.oracle.com/database/121/BRADV/E50658-07.pdf