An introduction to privileges and roles in ASM

1. The new SYSASM role

The SYSASM role was introduced in 11gR1 and was designed to administer ASM instances. In 11gR1, if you connected with the SYSDBA role, you used to get a warning which was only recorded in the alert log (refer to my earlier post here). But things have changed in 11gR2. While trying to dismount a Diskgroup, I found the following errors:
SQL> alter diskgroup flash_arc mount;
alter diskgroup flash_arc mount
*
ERROR at line 1:
ORA-15032: not all alterations performed
ORA-15260: permission denied on ASM disk group
The above error indicates that I do not have permission on the ASM Diskgroup. As per the 11gR2 documentation, the SYSASM privilege is used for carrying out administration tasks on ASM Diskgroups.
The SYSDBA privilege can be used only for creating/deleting aliases and querying ASM dictionary views.
Frankly speaking, you should unlearn the habit of connecting to the ASM instance as "/ as sysdba" and learn to connect as "/ as sysasm".

When connected as SYSDBA to the database instance, the Oracle ASM operations are limited to:
■ Create and delete files, aliases, directories, and templates
■ Examine various Oracle ASM instance views
■ Operate on files that were created by this user, or only access files to which another user had explicitly granted access
■ Grant Oracle ASM File Access Control to other users

2. Oracle ASM privileges
Using One Operating System Group for Oracle ASM Users:
If you do not want to divide the privileges for system access into separate operating system groups, then you can designate one operating system group as the group whose members are granted access as OSDBA, OSOPER, and OSASM for Oracle ASM privileges. The default operating system group name for all of these is usually dba, and that group is typically chosen for the default configuration.



Using Separate Operating System Groups for Oracle ASM Users:
You can designate separate operating system groups as the operating system authentication groups for privileges on Oracle ASM. The following list describes the separate operating system authentication groups for Oracle ASM and the privileges that their members are granted.
OSASM group:
This group is granted the SYSASM privilege, which gives full control over the ASM instance. For example, this group could be asmadmin.
OSDBA for Oracle ASM group:
This group is granted the SYSDBA privilege on the Oracle ASM instance, which gives access to the data stored on ASM. This group has a subset of the privileges of the OSASM group. The OSDBA group for Oracle ASM is not the same as the OSDBA group for the Oracle database: for example, the database's OSDBA group could be dba, while the ASM OSDBA group could be asmdba.
OSOPER for Oracle ASM group:
This group is granted the SYSOPER privilege on the ASM instance, which provides startup/shutdown, mount/dismount, and check disk group operations. This group has a subset of the privileges of the OSASM group. For example, this group could be asmoper.
When you implement separate Oracle ASM and database administrator duties, this configuration requires different groups and different software owners. Implicitly, this implementation requires that OSASM and OSDBA are different groups. For this configuration, you must create an OSDBA for Oracle ASM group, and a database instance must be a member of that group to access the Oracle ASM instance.

In an installation that has been configured as Oracle Grid Infrastructure, the Oracle ASM user, such as grid, does not have to be a member of the Oracle Database OSDBA group, such as dba1 or dba2, because the Oracle Clusterware database agent runs as the database owner and can use SYSDBA to connect to the database.

However, in an Oracle Restart configuration, the Oracle ASM user (grid) must be a member of the OSDBA group (dba1, dba2, ...) of every database. This requirement is necessary because Oracle Restart software runs as the Oracle ASM user (grid) and this user must be able to start and stop the databases using the CONNECT / AS SYSDBA authentication.
Additionally, the owner of the operating system disk devices should be the same as the owner of the Oracle ASM software. 
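As an added example (this is not code from the original post or from Oracle), the following POSIX shell script audits the operating-system-group configuration described in sections 1 and 2: it resolves which privilege a user would receive on the ASM instance through OS authentication (CONNECT / AS SYSASM, SYSDBA or SYSOPER), checks that the OSASM group and the OSDBA-for-ASM group are distinct when duties are separated, and checks that the owner of the disk devices matches the owner of the ASM software. The group names (asmadmin, asmdba, asmoper), user names (grid, oracle) and the inline /etc/group-style data are constructed assumptions for the example.

```shell
#!/bin/sh
# Added audit example, not part of the original post. Determines which ASM
# privilege OS authentication would grant a user, based on the OS groups
# chosen at Grid Infrastructure install time, and checks the separation-of-
# duties and disk-ownership rules. All names and data below are assumptions.

# Groups chosen at install time (assumed values, matching the post's examples).
OSASM_GROUP=asmadmin      # members get SYSASM on the ASM instance
OSDBA_ASM_GROUP=asmdba    # members get SYSDBA on the ASM instance
OSOPER_ASM_GROUP=asmoper  # members get SYSOPER on the ASM instance

# Constructed /etc/group-style content so the script runs offline; on a real
# host you would read /etc/group (or use `id -Gn USER`) instead.
GROUP_DB='oinstall:x:1000:grid,oracle
asmadmin:x:1001:grid
asmdba:x:1002:grid,oracle
asmoper:x:1003:grid
dba:x:1004:oracle'

# groups_of USER -> prints the groups USER is a member of, space separated.
groups_of() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v u="$1" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) printf "%s ", $1
    }'
}

# in_group USER GROUP -> exit status 0 if USER belongs to GROUP.
in_group() {
    case " $(groups_of "$1") " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# asm_privilege USER ROLE -> prints "granted" or "denied": whether
# "CONNECT / AS ROLE" against the ASM instance would succeed for USER.
asm_privilege() {
    user=$1
    role=$(printf '%s' "$2" | tr '[:lower:]' '[:upper:]')
    case $role in
        SYSASM)  group=$OSASM_GROUP ;;
        SYSDBA)  group=$OSDBA_ASM_GROUP ;;
        SYSOPER) group=$OSOPER_ASM_GROUP ;;
        *) echo "unknown-role"; return 1 ;;
    esac
    if in_group "$user" "$group"; then echo granted; else echo denied; fi
}

# check_separation -> "ok" when OSASM and OSDBA-for-ASM are different groups,
# as the separate-duties configuration requires; "shared" otherwise.
check_separation() {
    if [ "$OSASM_GROUP" != "$OSDBA_ASM_GROUP" ]; then echo ok; else echo shared; fi
}

# check_device_owner DEVICE_OWNER ASM_OWNER -> "ok" when the disk device owner
# is the ASM software owner (e.g. from `stat -c %U /dev/oracleasm/...`).
check_device_owner() {
    if [ "$1" = "$2" ]; then echo ok; else echo mismatch; fi
}

# Stand-alone run: report the grid and oracle users against each role.
for u in grid oracle; do
    for r in SYSASM SYSDBA SYSOPER; do
        echo "$u / AS $r: $(asm_privilege "$u" "$r")"
    done
done
echo "OSASM/OSDBA separation: $(check_separation)"
echo "disk device owner check: $(check_device_owner grid grid)"
```

With the constructed data, grid receives all three privileges, while oracle (member of asmdba but not asmadmin) can connect AS SYSDBA but is denied AS SYSASM, which is exactly the ORA-15260 situation from section 1 when such a user tries a diskgroup alteration.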


Connecting to ASM remotely:
To connect remotely as SYSASM using password authentication with SQL*Plus, use the following statement:
sqlplus sys@\"myhost.mydomain.com:1521/+ASM\" AS SYSASM
...
Enter password:

Connecting to ASM locally:
sqlplus / AS SYSASM