About Oracle ASM File Access Control

Oracle ASM File Access Control restricts access to files to specific Oracle ASM clients that connect as SYSDBA. An Oracle ASM client is typically a database, which is identified as the user that owns the database instance home. Oracle ASM File Access Control uses this user name to identify a database. Oracle ASM File Access Control restricts access based on the operating system effective user identification number of a database owner. For example, in Table 3-2 the databases are identified as oracle1 and oracle2.

Oracle ASM uses file access control to determine the additional privileges that are given to a database that has been authenticated AS SYSDBA on the Oracle ASM instance. These additional privileges include the ability to modify and delete certain files, aliases, and user groups.

You can set up user groups to specify the list of databases that share the same access permissions to Oracle ASM files. User groups are lists of databases, and any database that authenticates AS SYSDBA can create a user group. However, only the creator of a group can delete it or modify its membership list.

Each Oracle ASM file has three categories of privileges: owner, group, and other. Each category can have no permission, read-only permission, or read-write permission.

The file owner is usually the creator of the file and can assign permissions for the file in any of the owner, group, or other categories. The owner can also change the group associated with the file.

When you create a file, a group is not automatically associated with the file. You must use the asmcmd chgrp command to set the group manually because Oracle ASM File Access Control does not have the concept of the primary group of a user.

When administering Oracle ASM File Access Control, Oracle recommends that you connect as SYSDBA to the database instance that is the owner, or planned owner, of the files in the disk group.

To set up Oracle ASM File Access Control for files in a disk group, perform the following steps:

  1. Alter a new or existing disk group to set the Oracle ASM File Access Control disk group attributes.

    For a newly created disk group, you should set the disk group attributes before creating any files in the disk group.

    See "Setting Disk Group Attributes for Oracle ASM File Access Control".

  2. For files that exist in a disk group before setting the Oracle ASM File Access Control disk group attributes, you must explicitly set the permissions and ownership on those existing files.

    Ensure that the user exists before setting ownership or permissions on a file. The file must be closed before setting the ownership or permissions.

    See ALTER DISKGROUP SET PERMISSION and ALTER DISKGROUP SET OWNERSHIP in "Using SQL Statements to Manage Oracle ASM File Access Control".

  3. Optionally, you can create user groups, each of which is a set of database users that share the same access permissions to Oracle ASM files.

    See ALTER DISKGROUP ADD USERGROUP in "Using SQL Statements to Manage Oracle ASM File Access Control".
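The three steps above, carried through as one SQL*Plus session. This is an added example, not a script from the Oracle documentation: the disk group name `data`, the user group name `test_grp1`, and the file path `+data/orcl/controlfile/current.1.1` are placeholders, and `oracle1` and `oracle2` are the database owners the page cites from Table 3-2. The attribute names `access_control.enabled` and `access_control.umask` and the `V$ASM_ATTRIBUTE`, `V$ASM_USER`, `V$ASM_USERGROUP` and `V$ASM_FILE` views are the ones Oracle ASM exposes for this feature; run the statements with the instance and privilege the guide recommends (SYSDBA from the owning database for the file-level statements).

```sql
-- Added example; not Oracle's own script. Disk group DATA, user group
-- TEST_GRP1 and the control file path are placeholders; oracle1/oracle2
-- are the database owners named in Table 3-2.

-- Step 1: enable Oracle ASM File Access Control on the disk group.
-- For a new disk group, do this before creating any files in it.
ALTER DISKGROUP data SET ATTRIBUTE 'access_control.enabled' = 'true';
-- The umask removes permissions from newly created files, as a POSIX
-- umask does: 026 gives owner read-write, group read-only, other none
-- (the default, 066, leaves group and other with no access).
ALTER DISKGROUP data SET ATTRIBUTE 'access_control.umask' = '026';

-- Step 2 prerequisite: a user must exist in the disk group before it can
-- own a file or be placed in a user group.
ALTER DISKGROUP data ADD USER 'oracle1', 'oracle2';

-- Step 3 (optional): a user group shared by both databases. Only the
-- database that created the group can later drop it or change its members.
ALTER DISKGROUP data ADD USERGROUP 'test_grp1' WITH MEMBER 'oracle1', 'oracle2';

-- Step 2: files that already existed when the attributes were set, and any
-- file that needs a group, get owner and group explicitly. No group is
-- assigned automatically, and the file must be closed when this runs.
ALTER DISKGROUP data SET OWNERSHIP OWNER = 'oracle1', GROUP = 'test_grp1'
  FOR FILE '+data/orcl/controlfile/current.1.1';

-- Owner keeps read-write, the group gets read-only, everyone else nothing.
ALTER DISKGROUP data SET PERMISSION OWNER = read write, GROUP = read only, OTHER = none
  FOR FILE '+data/orcl/controlfile/current.1.1';

-- Checks: confirm the attributes took effect ...
SELECT group_number, name, value
  FROM v$asm_attribute
 WHERE name LIKE 'access_control%';

-- ... that the group membership is what was intended ...
SELECT g.name AS usergroup, u.os_name AS member
  FROM v$asm_usergroup g
  JOIN v$asm_usergroup_member m
    ON m.group_number = g.group_number
   AND m.usergroup_number = g.usergroup_number
  JOIN v$asm_user u
    ON u.group_number = m.group_number
   AND u.user_number = m.member_number
 ORDER BY g.name, u.os_name;

-- ... and that each file now carries an owner, a group and the expected
-- permission string. Files with a NULL owner are still unprotected.
SELECT f.group_number, f.file_number, f.permissions,
       u.os_name AS owner, g.name AS usergroup
  FROM v$asm_file f
  LEFT JOIN v$asm_user u
    ON u.group_number = f.group_number AND u.user_number = f.user_number
  LEFT JOIN v$asm_usergroup g
    ON g.group_number = f.group_number AND g.usergroup_number = f.usergroup_number
 ORDER BY f.group_number, f.file_number;
```

The last query is the check worth keeping: after enabling the feature on a disk group that already held files, any row with a NULL owner is a file that still has no access control applied, and the `permissions` column shows whether the umask or an explicit SET PERMISSION produced the intended owner/group/other split. The `asmcmd chgrp` command mentioned earlier is the command-line equivalent of the GROUP part of SET OWNERSHIP.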