Oracle recommends that you configure Oracle Database files, directories, and registry settings to provide full control to authorized database administrators (DBAs).
If you have created a database using Oracle Database Configuration Assistant or upgraded a database using Oracle Database Upgrade Assistant, then no further action is required.
Learn about the permissions automatically set by Oracle Universal Installer, Oracle Database Configuration Assistant, and Oracle Database Upgrade Assistant and the steps to set these permissions manually.
In addition to the various groups listed in Oracle Database software installation creates the following groups for Oracle internal use and sets permissions on files and registry entries for these groups to ensure that the Oracle software functions properly. The group memberships and permissions set for the following groups must not be changed or removed:
ORA_INSTALL
ORA_GRID_LISTENERS
ORA_CLIENT_LISTENERS
ORA_HOMENAME_SVCSIDS
See Also:
Your operating system documentation for more information about modifying NTFS file system and Windows registry settings
HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE directory of the Windows registry.
Oracle Universal Installer, Oracle Database Configuration Assistant, and Oracle Database Upgrade Assistant set file permissions when you install or upgrade Oracle Database software.
During Oracle Database installation, by default Oracle Universal Installer installs software in the ORACLE_HOME directory.
Oracle Universal Installer sets the following permissions to this directory, and to all files and directories under this directory:
For the Oracle Grid Infrastructure home:
For the Database ORACLE_HOME:
For the Client ORACLE_HOME:
Full control - Administrators, SYSTEM, Oracle Installation User, ORA_HOMENAME_SVCSIDS or the Oracle Home User
Oracle Universal Installer sets the following permissions to the ORACLE_BASE directory, and to all the files and directories under this directory with the exception of database files, wallets, and so on:
Full control - Administrators, SYSTEM, Oracle Installation User, Oracle Home User or ORA_<HomeName>_SVCACCTS group for Virtual Account homes.
Full control - ORA_GRID_LISTENERS if the ORACLE_BASE is for the Oracle Grid Infrastructure ORACLE_HOME
Full control - ORA_HOMENAME_SVCSIDS or Oracle Home User if the ORACLE_BASE is for a Client ORACLE_HOME
Note:
If these accounts already exist and have more restrictive permissions, then the most restrictive permissions are retained. If accounts other than Administrators, SYSTEM, Authenticated Users, and the Oracle groups mentioned exist, then the permissions for these accounts are removed.
During Oracle Database configuration, Oracle Database Configuration Assistant installs files and directories in the following default locations, where database_name is the database name or SID.
ORACLE_BASE\admin\database_name (administration file directories)
ORACLE_BASE\oradata\database_name (database file directories)
ORACLE_BASE\oradata\database_name (redo log files and control files)
ORACLE_HOME\database (SPFILESID.ORA)
Oracle Database Configuration Assistant sets the following permission to these directories, and to all the files and directories under these directories:
Full control - Administrators, SYSTEM, Oracle Home User or ORA_<HomeName>_SVCACCTS group for Virtual Account homes
Note:
If these accounts already exist and have more restrictive permissions, then the most restrictive permissions are retained. If accounts other than Administrators, SYSTEM, and Oracle Home User already exist, then the permissions for these accounts are removed.
When an earlier version of the database is upgraded to Oracle Database 12c Release 2 (12.2), Oracle Database Upgrade Assistant installs software in the following directories, where database_name is the database name or SID:
ORACLE_BASE\admin\database_name (administration files)
ORACLE_BASE\oradata\database_name (database file directories)
ORACLE_BASE\oradata\database_name (redo log files and control files)
ORACLE_BASE\ORACLE_HOME\database (SPFILESID.ORA)
Oracle Database Upgrade Assistant sets the following permissions to these directories, and to all files and directories under these directories:
Full control - Administrators, SYSTEM, Oracle Home User or ORA_<HomeName>_SVCACCTS group for Virtual Account homes
Note:
If these accounts already exist and have more restrictive permissions, then the most restrictive permissions are retained. If accounts other than Administrators, SYSTEM, and Oracle Home User already exist, then the permissions for these accounts are removed.
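The following audit script is an added example, not Oracle code. It checks the directories that Oracle Database Configuration Assistant and Oracle Database Upgrade Assistant populate for allow entries granted to any account outside the documented set (Administrators, SYSTEM, Oracle Home User). The paths, database name, and Oracle Home User account are assumed sample values.

```powershell
# Added example, not Oracle code. All values below are assumed samples.
$OracleBase     = 'C:\app\oracle'
$OracleHome     = 'C:\app\oracle\product\12.2.0\dbhome_1'
$DatabaseName   = 'ORCL'
# Oracle Home User, or the ORA_<HomeName>_SVCACCTS group for Virtual Account homes
$OracleHomeUser = 'CONTOSO\orahome'

$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $OracleHomeUser)
$Targets = @(
    (Join-Path $OracleBase "admin\$DatabaseName"),
    (Join-Path $OracleBase "oradata\$DatabaseName"),
    (Join-Path $OracleHome 'database')
)

function Get-UnexpectedAce {
    param([string]$Path, [string[]]$AllowedPrincipals, [switch]$ExplicitOnly)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ExplicitOnly -and $ace.IsInherited) { continue }
        $name = $ace.IdentityReference.Value
        if ($AllowedPrincipals -notcontains $name) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $name
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$Findings = foreach ($dir in $Targets) {
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "Not found: $dir"
        continue
    }
    # Every allow entry on the top-level directory is checked.
    Get-UnexpectedAce -Path $dir -AllowedPrincipals $Allowed
    # Below it, only explicit entries are checked; inherited ones repeat the parent.
    Get-ChildItem -LiteralPath $dir -Recurse -Force | ForEach-Object {
        Get-UnexpectedAce -Path $_.FullName -AllowedPrincipals $Allowed -ExplicitOnly
    }
}
$Findings | Sort-Object Path, Principal | Format-Table -AutoSize
```

An empty result means no account outside the expected set holds an allow entry on these directories.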
Starting with Oracle Database 12c Release 2 (12.2), Oracle Database Upgrade Assistant can also configure Oracle Enterprise Manager. If the Enable daily backup option is selected while configuring Oracle Enterprise Manager, then Oracle Database Upgrade Assistant shows a separate screen asking for Fast Recovery Area. Oracle Database Upgrade Assistant tries to create the directory structure (if it does not exist) in the specified file system location. Oracle Database Upgrade Assistant also applies the same set of file permissions to this location. The default location shown by Oracle Database Upgrade Assistant for Fast Recovery Area is:
ORACLE_BASE\recovery_area
When an Oracle Wallet is created in the file system, the user creating the wallet is granted access to the wallet by wallet creation tools.
Starting with Oracle Database 12c Release 1 (12.1), Oracle Database Windows services may run under a standard Windows User Account or Virtual Account and might not be able to access the wallet. You may need to change the file system ACL for the wallet file manually to grant access to database and listener services.
As Oracle Database services now run under a standard Windows User Account, a file might not be accessible by Oracle Database services unless the file system Access Control Lists (ACLs) grant access to the file.
Although Oracle installation configures the ACLs so that you do not have to change them manually for typical usage, you must change ACLs manually in some cases, for example, when you manually upgrade databases, when database files are not in Oracle base, or to grant access to wallets in the file system.
The rules to set file system ACLs manually are:
To allow Oracle Database service access to a file: Grant access to Oracle Home User for the file when a Windows User Account is used as the Oracle Home User. If a Windows built-in account is used as the Oracle Home User, then no such permission is necessary because the Oracle Database services run under the administrative account.
To allow Oracle Grid Listeners services access to a file: Grant access to ORA_GRID_LISTENERS group for the file.
To allow Oracle services from a client ORACLE_HOME access to a file: Grant access to Oracle Home User for the file when a Windows User Account is used as the Oracle Home User for the client home. If a Windows built-in account is used as the Oracle Home User, then grant access to the ORA_HOMENAME_SVCSIDS group for the file.
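The three rules above, applied to a wallet directory, as an added example that is not Oracle code. The wallet path, account name, home name, and the Read access level are assumptions (the rules do not state which rights to grant); Resolve-Grantee and Grant-FileAccess are hypothetical helper names.

```powershell
# Added example, not Oracle code. All values below are assumed samples.
$WalletDir      = 'C:\app\oracle\admin\ORCL\wallet'
$OracleHomeUser = 'CONTOSO\orahome'
$HomeName       = 'OraDB12Home1'

# Encodes the three rules: which principal needs the grant for each service kind.
function Resolve-Grantee {
    param(
        [ValidateSet('Database', 'GridListener', 'Client')][string]$ServiceKind,
        [bool]$HomeUserIsBuiltIn,
        [string]$OracleHomeUser,
        [string]$HomeName
    )
    switch ($ServiceKind) {
        # Built-in account: services run under the administrative account, no grant needed.
        'Database'     { if ($HomeUserIsBuiltIn) { $null } else { $OracleHomeUser } }
        'GridListener' { 'ORA_GRID_LISTENERS' }
        'Client'       { if ($HomeUserIsBuiltIn) { "ORA_${HomeName}_SVCSIDS" } else { $OracleHomeUser } }
    }
}

# Adds one allow entry that also applies to files and subdirectories.
function Grant-FileAccess {
    param(
        [string]$Path,
        [string]$Principal,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Read'  # assumed level
    )
    $acl  = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, $Rights, 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$grantee = Resolve-Grantee -ServiceKind Database -HomeUserIsBuiltIn $false `
    -OracleHomeUser $OracleHomeUser -HomeName $HomeName
if ($grantee) {
    Grant-FileAccess -Path $WalletDir -Principal $grantee
}

# Review the resulting ACL so the wallet stays limited to the intended principals.
(Get-Acl -LiteralPath $WalletDir).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```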
Oracle Universal Installer sets the permissions for Windows registry entries pertaining to Oracle Database software.
Follow the guidelines listed below to set the permissions for Windows registry entries:
All users have read permissions.
Local administrators and Oracle Installation User have full control.
Oracle Universal Installer sets the following permissions to users and user groups for Windows service entries for Oracle Database services.
The guidelines to set permissions to users and user groups for Windows service entries for Oracle Database services are:
ORA_DBA and ORA_HOMENAME_DBA group users have start and stop privileges for Windows service entries.
Local System Account and local administrators have full control of Windows service entries.
Use this procedure to set the NTFS file system security.
To ensure that only authorized users have full file system permissions:
See Also:
Your operating system online help for more information about how to modify NTFS file system and registry settings