To manage Oracle ASM File Access Control for a disk group, you must set the ACCESS_CONTROL.ENABLED and ACCESS_CONTROL.UMASK disk group attributes. You can set the attributes by altering the disk group with the ALTER DISKGROUP SQL statement or you can set the attributes with the ASMCMD setattr command. For information about the ASMCMD setattr command, see "setattr".
When you set up file access control on an existing disk group, the files previously created remain accessible by everyone, unless you run the ALTER DISKGROUP SET PERMISSION SQL statement or the ASMCMD chmod command to restrict the permissions. For information about the ASMCMD chmod command, see "chmod".
The COMPATIBLE.ASM and COMPATIBLE.RDBMS disk group attributes must be set to 11.2 or higher to enable Oracle ASM File Access Control. For information about disk group compatibility attributes, see "Disk Group Compatibility".
The disk group attributes that control Oracle ASM File Access Control are the following:
The ACCESS_CONTROL.ENABLED attribute determines whether Oracle ASM File Access Control is enabled for a disk group.
The value can be true or false. The default is false.
If the attribute is set to true, accessing Oracle ASM files is subject to access control. If false, any user can access every file in the disk group. All other operations behave independently of this attribute.
The ACCESS_CONTROL.UMASK attribute determines which permissions are masked out on the creation of an Oracle ASM file for the user that owns the file, users in the same user group, and others not in the user group. This attribute applies to all files on a disk group.
The values can be combinations of three digits {0|2|6} {0|2|6} {0|2|6}. The default is 066.
Setting to 0 masks out nothing. Setting to 2 masks out write permission. Setting to 6 masks out both read and write permissions.
Before setting the ACCESS_CONTROL.UMASK disk group attribute, you must set the ACCESS_CONTROL.ENABLED attribute to true to enable Oracle ASM File Access Control.
Example 4-11 shows how to enable Oracle ASM File Access Control for a disk group using SQL*Plus. In this example, the umask permissions setting is 026, which enables read-write access for the owner (masks out nothing with 0), read access for users in the group (masks out write permission with 2), and no access for others not in the group (masks out all access with 6).
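The following SQL*Plus session is an added illustration, not the Example 4-11 referenced above and not taken from the Oracle documentation. It checks the prerequisites, sets the two attributes in the required order, and then finds and restricts files that predate the change. The disk group name data1, the file name '+data1/controlfile.f', a SYSASM connection to the Oracle ASM instance, and the nine-character form of the PERMISSIONS column (such as rw-r-----) are assumptions.

```sql
-- Added example. Assumptions: disk group DATA1, connected to the
-- Oracle ASM instance AS SYSASM, file name below is a placeholder.

-- 1. Confirm the compatibility prerequisites (11.2 or higher) and
--    view the current access control settings.
SELECT dg.name AS diskgroup, a.name AS attribute, a.value
  FROM V$ASM_DISKGROUP dg
  JOIN V$ASM_ATTRIBUTE a ON a.group_number = dg.group_number
 WHERE dg.name = 'DATA1'
   AND LOWER(a.name) IN ('compatible.asm', 'compatible.rdbms',
                         'access_control.enabled', 'access_control.umask');

-- 2. Enable access control first, then set the umask.
--    026 = owner read-write, group read-only, others no access.
ALTER DISKGROUP data1 SET ATTRIBUTE 'access_control.enabled' = 'true';
ALTER DISKGROUP data1 SET ATTRIBUTE 'access_control.umask' = '026';

-- 3. The umask applies only when a file is created. Files that already
--    existed stay accessible to everyone, so list every file whose
--    "other" permission triplet is not empty.
--    Assumption: PERMISSIONS is a string of the form rw-rw-rw-.
SELECT dg.name AS diskgroup, al.name AS alias, f.permissions
  FROM V$ASM_DISKGROUP dg
  JOIN V$ASM_FILE f
    ON f.group_number = dg.group_number
  JOIN V$ASM_ALIAS al
    ON al.group_number = f.group_number
   AND al.file_number = f.file_number
 WHERE dg.name = 'DATA1'
   AND SUBSTR(f.permissions, 7, 3) <> '---';

-- 4. Restrict each file found in step 3 to match the 026 umask.
ALTER DISKGROUP data1
  SET PERMISSION OWNER=read write, GROUP=read only, OTHER=none
  FOR FILE '+data1/controlfile.f';
```

Rerun the query in step 3 after the changes; it should return no rows once every pre-existing file has been restricted.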