The Oracle release 11gR1 is the last
version which supports logon to an ASM instance with
sysdba privileges. In coming future releases, sysasm
privileges will need to be used in order to logon to an ASM
instance using operation system authentication. This is a
security enhancement which is used to cleanly separate ASM
storage administrators from database administrators.
In 10gR2, Oracle had introduced the asmcmd tool to
provide a storage administrator with an interface for
managing ASM storage.
In the first 11g release, it is still
possible to logon as sysdba as well as sysasm.
This will definitely be changed with the next coming release
11gR2. When Oracle 11g is installed, a question will come up
about the operating system group which is allowed to logon
to an ASM instance without needing a password in addition to
the OS groups for logon as sysdba respectively as
sysoper. The access to remote ASM instances is managed
through the password file of the ASM instance. This password
is case sensitive as all passwords are in an 11g database.
For more information on secure passwords, refer to chapter
There is a new column in
v$pwfile_users for the sysasm privilege:
AS SYSDBA @ orcl11 SQL> select * from v$pwfile_users;
SYSDB SYSOP SYSAS
------------------------------ ----- ----- -----
TRUE TRUE FALSE
% Add a user to the
password file by granting sysasm privileges.
Oracle Enterprise Manager for 11g
also provides an interface which allows creating and
managing ASM users. This functionality can only be accessed
when the user is logged on to OEM with sysasm privileges.
Creating and Managing ASM-Users
To separate storage management
responsibilities from database administration duties is a
very good idea. There should not be a need to explain what
the difference between a database instance and an ASM
instance is to the storage administrators and how to logon
to it. Also, DBAs might not really be interested in how a
database works and what a tablespace is.
All a DBA wants from the storage administration side are
enough LUNs in place in time.
On the other side, the storage
administrator might only be interested if there is still
enough free disk space left in the ASM disk groups. This is
possible now. With asmcmd, a storage administrator
can use UNIX look and feel like commands to find out
about the space utilization in the ASM storage. And by using
the sysasm operating system privileges, it is
possible to limit the access to instances without needing a
password for logon only to ASM instances.