We currently create dba group users for our POC customers. While this lets them run basic dba commands (and get themselves into trouble), it still prevents them from doing several things, which leads them to ask for assistance.
Mainly, these tasks are things like starting/stopping dbconsole and running srvctl.
The ‘mts’ user in this example was created with a primary group of oinstall and a secondary group of dba.
Use visudo to edit the /etc/sudoers file:
[root@ed2hcomp06 ~]# visudo
Find the line for ‘env_reset’ and comment it out.
Find the line for ‘env_keep’ and add the Oracle environment variables to the list: ORACLE_BASE, ORACLE_HOME, ORACLE_SID, ORACLE_UNQNAME.
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                     LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                     LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                     LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                     LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                     _XKB_CHARSET XAUTHORITY ORACLE_HOME ORACLE_SID ORACLE_BASE ORACLE_UNQNAME"
Add a line that puts the mts user in the alias for Oracle command users (you can alias multiple users here, just make a comma separated list):
User_Alias USR_ORCL_ADMIN = mts
Add a line allowing the users in the USR_ORCL_ADMIN alias to run the commands in the CMD_ORCL_ADMIN command alias as oracle, without a password:
USR_ORCL_ADMIN ALL=(oracle) NOPASSWD: CMD_ORCL_ADMIN
Create the command alias and populate it with the commands you want them to be able to run as the oracle user:
Cmnd_Alias CMD_ORCL_ADMIN=/u01/app/11.2.0/grid/bin/srvctl, \
                          /u01/app/11.2.0/grid/bin/crs_getperm, \
                          /u01/app/oracle/product/11.2.0/dbhome_1/bin/srvctl, \
                          /u01/app/oracle/product/11.2.0/dbhome_1/bin/emctl, \
                          /u01/app/11.2.0/grid/bin/emctl
Save your file in visudo and exit. You’ll get some informational messages on the screen, and any errors if your entries were not correctly formatted:
"/etc/sudoers.tmp" 104L, 3568C written
visudo: Warning: unused Cmnd_Alias DELEGATING
visudo: Warning: unused Cmnd_Alias DRIVERS
visudo: Warning: unused Cmnd_Alias LOCATE
visudo: Warning: unused Cmnd_Alias NETWORKING
visudo: Warning: unused Cmnd_Alias PROCESSES
visudo: Warning: unused Cmnd_Alias SERVICES
visudo: Warning: unused Cmnd_Alias SOFTWARE
visudo: Warning: unused Cmnd_Alias STORAGE
Now your user should be able to run the commands:
[mts@ed2hcomp05 ~]$ sudo -u oracle emctl status dbconsole
Oracle Enterprise Manager 11g Database Control Release 126.96.36.199.0
Copyright (c) 1996, 2010 Oracle Corporation.  All rights reserved.
https://ed2hcomp05.ssclabs.net:5501/em/console/aboutApplication
Oracle Enterprise Manager 11g is running.
------------------------------------------------------------------
Logs are generated in directory /u01/app/oracle/product/11.2.0/dbhome_1/ed2hcomp05_JASPER/sysman/log
Risks: if you give someone access to srvctl they could possibly stop a database that does not belong to them, but this is a risk for *any* dba group user.
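As an added example (not code from the original post), the same grant written as a self-contained /etc/sudoers.d drop-in, plus a small lint for the mistakes that matter most in a delegation rule: a disabled env_reset, relative command paths, and wildcards in a command alias. It departs from the steps above in one deliberate way: env_reset stays on and the Oracle variables are appended with "env_keep +=", which is all sudo needs to pass ORACLE_HOME and friends through while still scrubbing the rest of the caller's environment. The user name, target user and binary paths are the ones from this post; the drop-in file name, the lint function and the status-only srvctl alternative mentioned for the risk above are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the original post: render the Oracle admin
# grant as an /etc/sudoers.d drop-in and lint it before handing it to visudo.
# The drop-in name, the lint and the status-only srvctl alternative are
# assumptions; user names and binary paths are the ones used in the post.

GRID_HOME=/u01/app/11.2.0/grid
DB_HOME=/u01/app/oracle/product/11.2.0/dbhome_1

# Emit the drop-in. env_reset is left on; "env_keep +=" appends the Oracle
# variables to the existing list instead of replacing it, so the rest of the
# caller's environment is still scrubbed when the command runs as oracle.
render_sudoers_fragment() {
    cat <<EOF
# Delegated Oracle admin commands for POC users (edit with: visudo -f <this file>)
User_Alias USR_ORCL_ADMIN = mts
Defaults:USR_ORCL_ADMIN env_keep += "ORACLE_BASE ORACLE_HOME ORACLE_SID ORACLE_UNQNAME"
Cmnd_Alias CMD_ORCL_ADMIN = $GRID_HOME/bin/srvctl, \\
                            $GRID_HOME/bin/crs_getperm, \\
                            $GRID_HOME/bin/emctl, \\
                            $DB_HOME/bin/srvctl, \\
                            $DB_HOME/bin/emctl
USR_ORCL_ADMIN ALL=(oracle) NOPASSWD: CMD_ORCL_ADMIN
# Narrower option for the srvctl risk noted in the post: sudoers matches
# arguments as well, so listing "$GRID_HOME/bin/srvctl status *" instead of
# the bare binary limits mts to the read-only status subcommand.
EOF
}

# Lint a sudoers fragment read from stdin. Prints one line per problem on
# stderr and returns 1 if anything was found, 0 when clean. Checks:
#   - "!env_reset" (environment no longer scrubbed for the delegated command)
#   - command alias entries that are not absolute paths (sudoers requires them)
#   - wildcards in command alias entries (they widen what may be executed)
lint_sudoers_fragment() {
    # Join backslash-continued lines so each directive is a single line.
    joined=$(sed -e ':a' -e '/\\$/N; s/\\\n[[:space:]]*/ /; ta')
    problems=$(
        printf '%s\n' "$joined" | grep -n '!env_reset' \
            | sed 's/^/env_reset disabled at line /' || true
        printf '%s\n' "$joined" | sed -n 's/^Cmnd_Alias[^=]*=[[:space:]]*//p' \
            | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
            | while IFS= read -r c; do
                  [ -z "$c" ] && continue
                  case "$c" in
                      /*) ;;
                      *) echo "relative or missing command path: $c" ;;
                  esac
                  case "$c" in
                      *\**) echo "wildcard in command: $c" ;;
                  esac
              done
    )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" >&2
        return 1
    fi
    return 0
}

# Stand-alone run: show the drop-in, lint it, and, only when root with sudo
# installed, let visudo parse a temporary copy (mode 0440, as in sudoers.d).
render_sudoers_fragment
render_sudoers_fragment | lint_sudoers_fragment && echo "lint: OK"
if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
    tmp=$(mktemp) && render_sudoers_fragment > "$tmp" && chmod 0440 "$tmp"
    visudo -cf "$tmp"      # prints "<file>: parsed OK" on success
    rm -f "$tmp"
fi
```

To install it for real, write the rendered text to /etc/sudoers.d/oracle_admin with mode 0440, run visudo -cf on that path, and confirm the result with sudo -l -U mts, which lists exactly the commands the rule grants; sudo -l is also the quickest way to spot an alias that quietly matches more than intended.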