Setting Disk Group Attributes for Oracle ASM File Access Control

To manage Oracle ASM File Access Control for a disk group, you must set the ACCESS_CONTROL.ENABLED and ACCESS_CONTROL.UMASK disk group attributes. You can set the attributes by altering the disk group with the ALTER DISKGROUP SQL statement or you can set the attributes with the ASMCMD setattr command. For information about the ASMCMD setattr command, see "setattr".

When you set up file access control on an existing disk group, the files previously created remain accessible by everyone, unless you run the ALTER DISKGROUP SET PERMISSION SQL statement or the ASMCMD chmod command to restrict the permissions. For information about the ASMCMD chmod command, see "chmod".

The COMPATIBLE.ASM and COMPATIBLE.RDBMS disk group attributes must be set to 11.2 or higher to enable Oracle ASM File Access Control. For information about disk group compatibility attributes, see "Disk Group Compatibility".

The disk group attributes that control Oracle ASM File Access Control are the following:

  • ACCESS_CONTROL.ENABLED

    This attribute determines whether Oracle ASM File Access Control is enabled for a disk group.

    The value can be true or false. The default is false.

    If the attribute is set to true, accessing Oracle ASM files is subject to access control. If false, any user can access every file in the disk group. All other operations behave independently of this attribute.

  • ACCESS_CONTROL.UMASK

    This attribute determines which permissions are masked out on the creation of an Oracle ASM file for the user that owns the file, users in the same user group, and others not in the user group. This attribute applies to all files on a disk group.

    The values can be combinations of three digits {0|2|6} {0|2|6} {0|2|6}. The default is 066.

    Setting a digit to 0 masks out nothing. Setting it to 2 masks out write permission. Setting it to 6 masks out both read and write permissions.

    Before setting the ACCESS_CONTROL.UMASK disk group attribute, you must set the ACCESS_CONTROL.ENABLED attribute to true to enable Oracle ASM File Access Control.

Example 4-11 shows how to enable Oracle ASM File Access Control for a disk group using SQL*Plus. In this example, the umask permissions setting is 026, which enables read-write access for the owner (masks out nothing with 0), read access for users in the group (masks out write permission with 2), and no access for others not in the group (masks out all access with 6).

Example 4-11 Setting up Oracle ASM File Access Control

ALTER DISKGROUP data1 SET ATTRIBUTE 'access_control.enabled' = 'true';
ALTER DISKGROUP data1 SET ATTRIBUTE 'access_control.umask' = '026';
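
The following is an added example, not part of the original Oracle documentation. It shows the checks around Example 4-11 for an existing disk group: confirming the compatibility prerequisite, verifying the attributes, and finding and restricting files created before access control was enabled. It assumes the statements are run on the Oracle ASM instance, that V$ASM_FILE.PERMISSIONS is rendered as a nine-character string such as rw-r-----, and the file name '+data1/controlfile.f' is a hypothetical placeholder.

```sql
-- Prerequisite: COMPATIBLE.ASM and COMPATIBLE.RDBMS must both be 11.2 or higher.
SELECT name, compatibility, database_compatibility
  FROM V$ASM_DISKGROUP
 WHERE name = 'DATA1';

-- After running Example 4-11, confirm both attributes took effect.
-- Expected: access_control.enabled = true, access_control.umask = 026.
SELECT a.name, a.value
  FROM V$ASM_ATTRIBUTE a
  JOIN V$ASM_DISKGROUP dg
    ON dg.group_number = a.group_number
 WHERE dg.name = 'DATA1'
   AND a.name LIKE 'access_control.%';

-- Files that existed before access control was enabled keep their old
-- permissions. List every file that is more permissive than umask 026
-- allows (rw-r-----): group has write, or others have read or write.
-- Assumption: PERMISSIONS uses the layout owner(1-3) group(4-6) other(7-9).
SELECT al.name, f.permissions, f.user_number, f.usergroup_number
  FROM V$ASM_FILE f
  JOIN V$ASM_DISKGROUP dg
    ON dg.group_number = f.group_number
  JOIN V$ASM_ALIAS al
    ON al.group_number = f.group_number
   AND al.file_number  = f.file_number
 WHERE dg.name = 'DATA1'
   AND (   SUBSTR(f.permissions, 5, 1) = 'w'
        OR SUBSTR(f.permissions, 7, 2) <> '--');

-- Restrict each file reported above so that it matches the 026 policy.
-- '+data1/controlfile.f' is a hypothetical file name; substitute the
-- names returned by the previous query.
ALTER DISKGROUP data1 SET PERMISSION OWNER=read write, GROUP=read only, OTHER=none
  FOR FILE '+data1/controlfile.f';
```

Rerun the audit query after the SET PERMISSION statements; it should return no rows once every pre-existing file has been restricted.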