5.4 Overview of NTFS File System and Windows Registry Permissions
Oracle recommends that you configure Oracle Database files, directories, and registry settings to provide full control to authorized database administrators (DBAs).
If you have created a database using Oracle Database Configuration Assistant or upgraded a database using Oracle Database Upgrade Assistant, then no further action is required.
Learn about the permissions automatically set by Oracle Universal Installer, Oracle Database Configuration Assistant, and Oracle Database Upgrade Assistant and the steps to set these permissions manually.
In addition to the various groups listed in Oracle Database software installation creates the following groups for Oracle internal use and sets permissions on files and registry entries for these groups to ensure that the Oracle software functions properly. The group memberships and permissions set for the following groups must not be changed or removed:
- ORA_INSTALL
- ORA_GRID_LISTENERS
- ORA_CLIENT_LISTENERS
- ORA_HOMENAME_SVCSIDS
See Also:
- Your operating system documentation for more information about modifying NTFS file system and Windows registry settings
Topics:
- Setting File Permissions
  Oracle Universal Installer, Oracle Database Configuration Assistant, and Oracle Database Upgrade Assistant set file permissions when you install or upgrade Oracle Database software.
- Setting Permissions for Windows Registry Entries
  Oracle Universal Installer sets the permissions for Windows registry entries pertaining to Oracle Database software.
- Setting Permissions for Windows Service Entries
  Oracle Universal Installer sets the following permissions to users and user groups for Windows service entries for Oracle Database services.
- Setting NTFS File System Security
  Use this procedure to set the NTFS file system security.
- Setting Windows Registry Security
  Oracle recommends that you remove write permissions from users who are not Oracle Database DBAs or system administrators in the HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE directory of the Windows registry.
5.4.1 Setting File Permissions
Oracle Universal Installer, Oracle Database Configuration Assistant, and Oracle Database Upgrade Assistant set file permissions when you install or upgrade Oracle Database software.
Topics:
- About Default File Permissions Set by Oracle Universal Installer
  During Oracle Database installation, by default Oracle Universal Installer installs software in the ORACLE_HOME directory.
- About File Permissions Set by Oracle Database Configuration Assistant
  During Oracle Database configuration, Oracle Database Configuration Assistant installs files and directories in the following default locations, where database_name is the database name or SID.
- About File Permissions Set by Oracle Database Upgrade Assistant
  When an earlier version of the database is upgraded to Oracle Database 12c Release 2 (12.2), Oracle Database Upgrade Assistant installs software in the following directories, where database_name is the database name or SID.
- About Setting Permissions for Oracle Wallets
  When an Oracle Wallet is created in the file system, the user creating the wallet is granted access to the wallet by wallet creation tools.
- About Setting File System ACLs Manually
  As Oracle Database services now run under a standard Windows User Account, a file might not be accessible by Oracle Database services unless the file system Access Control Lists (ACLs) grant access to the file.
5.4.1.1 About Default File Permissions Set by Oracle Universal Installer
During Oracle Database installation, by default Oracle Universal Installer installs software in the ORACLE_HOME directory.
Oracle Universal Installer sets the following permissions to this directory, and to all files and directories under this directory:
For the Oracle Grid Infrastructure home:
For the Database ORACLE_HOME:
For the Client ORACLE_HOME:
- Full control - Administrators, SYSTEM, Oracle Installation User, ORA_HOMENAME_SVCSIDS or the Oracle Home User
Oracle Universal Installer sets the following permissions to the ORACLE_BASE directory, and to all the files and directories under this directory with the exception of database files, wallets, and so on:
- Full control - Administrators, SYSTEM, Oracle Installation User, Oracle Home User or ORA_<HomeName>_SVCACCTS group for Virtual Account homes.
- Full control - ORA_GRID_LISTENERS if the ORACLE_BASE is for the Oracle Grid Infrastructure ORACLE_HOME
- Full control - ORA_HOMENAME_SVCSIDS or Oracle Home User if the ORACLE_BASE is for a Client ORACLE_HOME
Note:
If these accounts already exist and have more restrictive permissions, then the most restrictive permissions are retained. If accounts other than Administrators, SYSTEM, Authenticated Users, and the Oracle groups mentioned exist, then the permissions for these accounts are removed.
5.4.1.2 About File Permissions Set by Oracle Database Configuration Assistant
During Oracle Database configuration, Oracle Database Configuration Assistant installs files and directories in the following default locations, where database_name is the database name or SID.
- ORACLE_BASE\admin\database_name (administration file directories)
- ORACLE_BASE\oradata\database_name (database file directories)
- ORACLE_BASE\oradata\database_name (redo log files and control files)
- ORACLE_HOME\database (SPFILESID.ORA)
Oracle Database Configuration Assistant sets the following permission to these directories, and to all the files and directories under these directories:
- Full control - Administrators, SYSTEM, Oracle Home User or ORA_<HomeName>_SVCACCTS group for Virtual Account homes
Note:
If these accounts already exist and have more restrictive permissions, then the most restrictive permissions are retained. If accounts other than Administrators, SYSTEM, and Oracle Home User already exist, then the permissions for these accounts are removed.
5.4.1.3 About File Permissions Set by Oracle Database Upgrade Assistant
When an earlier version of the database is upgraded to Oracle Database 12c Release 2 (12.2), Oracle Database Upgrade Assistant installs software in the following directories, where database_name is the database name or SID:
- ORACLE_BASE\admin\database_name (administration files)
- ORACLE_BASE\oradata\database_name (database file directories)
- ORACLE_BASE\oradata\database_name (redo log files and control files)
- ORACLE_BASE\ORACLE_HOME\database (SPFILESID.ORA)
Oracle Database Upgrade Assistant sets the following permissions to these directories, and to all files and directories under these directories:
- Full control - Administrators, SYSTEM, Oracle Home User or ORA_<HomeName>_SVCACCTS group for Virtual Account homes
Note:
If these accounts already exist and have more restrictive permissions, then the most restrictive permissions are retained. If accounts other than Administrators, SYSTEM, and Oracle Home User already exist, then the permissions for these accounts are removed.
Starting with Oracle Database 12c Release 2 (12.2), Oracle Database Upgrade Assistant can also configure Oracle Enterprise Manager. If the Enable daily backup option is selected while configuring Oracle Enterprise Manager, then Oracle Database Upgrade Assistant shows a separate screen asking for Fast Recovery Area. Oracle Database Upgrade Assistant tries to create the directory structure (if it does not exist) in the specified file system location. Oracle Database Upgrade Assistant also puts the same set of file permissions to this location. The default location shown by Oracle Database Upgrade Assistant for Fast Recovery Area is:
- ORACLE_BASE\recovery_area
5.4.1.4 About Setting Permissions for Oracle Wallets
When an Oracle Wallet is created in the file system, the user creating the wallet is granted access to the wallet by wallet creation tools.
Starting with Oracle Database 12c Release 1 (12.1), Oracle Database Windows services may run under a standard Windows User Account or Virtual Account and might not be able to access the wallet. You may need to change the file system ACL for the wallet file manually to grant access to database and listener services.
5.4.1.5 About Setting File System ACLs Manually
As Oracle Database services now run under a standard Windows User Account, a file might not be accessible by Oracle Database services unless the file system Access Control Lists (ACLs) grant access to the file.
Although Oracle installation configures the ACLs so that you do not have to change them manually for typical usage, it is sometimes necessary to change ACLs manually, for example, to manually upgrade databases, for database files that are not in Oracle base, or to grant access to wallets in the file system.
The rules to set file system ACLs manually are:
- To allow Oracle Database service access to a file: Grant access to Oracle Home User for the file when a Windows User Account is used as the Oracle Home User. If a Windows built-in account is used as the Oracle Home User, then no such permission is necessary because the Oracle Database services run under the administrative account.
- To allow Oracle Grid Listeners services access to a file: Grant access to ORA_GRID_LISTENERS group for the file.
- To allow Oracle services from a client ORACLE_HOME access to a file: Grant access to Oracle Home User for the file when a Windows User Account is used as the Oracle Home User for the client home. If a Windows built-in account is used as the Oracle Home User, then grant access to the ORA_HOMENAME_SVCSIDS group for the file.
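One way to apply these rules to a wallet directory from PowerShell, shown as an added example that is not part of the Oracle documentation. The wallet path, the CONTOSO\orahome account, the function name Grant-OracleFileAccess, and the choice of Read as the granted right are assumptions.

```powershell
# Assumed values for illustration; replace with your own.
$WalletDir = 'C:\app\oracle\admin\orcl\wallet'   # assumed wallet directory
# Pick the grantee by the rules above:
#   database service, Windows User Account as Oracle Home User -> that account
#   Oracle Grid listener services                              -> ORA_GRID_LISTENERS
#   client home running under a built-in account               -> ORA_HOMENAME_SVCSIDS
$Grantee   = 'CONTOSO\orahome'                   # assumed Oracle Home User

function Grant-OracleFileAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        # Read is an assumption; the rules above only say "grant access".
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Read'
    )
    # Resolve the name first so a typo fails here instead of writing a bad ACE.
    $account = [System.Security.Principal.NTAccount]$Identity
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier])

    # Directories pass the ACE on to files and subdirectories; a single file cannot.
    $isDir   = Test-Path -LiteralPath $Path -PathType Container
    $inherit = if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $account, $Rights,
        [System.Security.AccessControl.InheritanceFlags]$inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($rule)      # merges with existing ACEs; nothing is removed
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Return the grantee's resulting entries so the change can be confirmed.
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object {
            $_.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value
        } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Grant-OracleFileAccess -Path $WalletDir -Identity $Grantee
```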
5.4.2 Setting Permissions for Windows Registry Entries
Oracle Universal Installer sets the permissions for Windows registry entries pertaining to Oracle Database software.
Follow the guidelines listed below to set the permissions for Windows registry entries:
- All users have read permissions.
- Local administrators and Oracle Installation User have full control.
5.4.3 Setting Permissions for Windows Service Entries
Oracle Universal Installer sets the following permissions to users and user groups for Windows service entries for Oracle Database services.
The guidelines to set permissions to users and user groups for Windows service entries for Oracle Database services are:
- ORA_DBA and ORA_HOMENAME_DBA group users have start and stop privileges for Windows service entries.
- Local System Account and local administrators have full control of Windows service entries.
5.4.4 Setting NTFS File System Security
Use this procedure to set the NTFS file system security.
To ensure that only authorized users have full file system permissions:
- Go to Windows Explorer.
- Set the following permissions for each directory or file based on the information provided in the earlier sections.
See Also:
Your operating system online help for more information about how to modify NTFS file system and registry settings
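The permissions described in the file and registry sections above can also be reviewed from PowerShell instead of Windows Explorer. The following is an added example, not part of the Oracle documentation: it lists every Allow entry under ORACLE_HOME and under HKEY_LOCAL_MACHINE\SOFTWARE\ORACLE that grants write-capable rights to an account outside an expected list. The ORACLE_HOME path, the CONTOSO account names, and the function name Find-UnexpectedWriter are assumptions.

```powershell
# Assumed values for illustration; adjust to your installation.
$OracleHome = 'C:\app\oracle\product\12.2.0\dbhome_1'   # assumed ORACLE_HOME
$RegKey     = 'HKLM:\SOFTWARE\ORACLE'                   # key named on this page
# Accounts expected to hold write access (assumed names; use the accounts and
# Oracle groups that the sections above list for your home type).
$Allowed = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM',
    'CONTOSO\orainstall',   # assumed Oracle Installation User
    'CONTOSO\orahome'       # assumed Oracle Home User
)

# Rights that let a principal change content or the ACL itself, plus the raw
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits that
# inherit-only ACEs can carry.
$Generic   = 0x10000000 -bor 0x40000000
$FileWrite = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor $Generic
$RegWrite  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor $Generic

function Find-UnexpectedWriter {
    param([string]$Root, [int]$WriteMask, [string[]]$AllowedIdentity)

    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.PSPath -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            # Report inherited ACEs once, at the root, and explicit ACEs wherever they occur.
            if ($ace.IsInherited -and $item.PSPath -ne $items[0].PSPath) { continue }
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
                $ace.FileSystemRights } else { $ace.RegistryRights }
            if (([int]$rights -band $WriteMask) -and
                $ace.IdentityReference.Value -notin $AllowedIdentity) {
                [pscustomobject]@{
                    Path      = Convert-Path -LiteralPath $item.PSPath
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $rights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Find-UnexpectedWriter -Root $OracleHome -WriteMask $FileWrite -AllowedIdentity $Allowed
Find-UnexpectedWriter -Root $RegKey     -WriteMask $RegWrite  -AllowedIdentity $Allowed
```

The output is a review list: entries for the Oracle groups that this page says must not be changed are expected and belong in $Allowed for your home type.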