Implementing SYSASM privileges in Oracle 11g
The introduction of Automatic Storage Management (ASM) in Oracle 10g added a new set of skills needed to manage the Oracle technology stack. In some organizations this role is not filled by the DBA but by a different specialist. In its latest release, 11g, Oracle gives organizations the opportunity to split the management of the RDBMS and of ASM securely between different people. For this purpose the new Oracle role SYSASM has been created. Authenticating connections as SYSASM can be done in two ways:
1. Password authentication through the database
2. OS authentication via membership of a specific group (by default “dba”)
For this article I would like to focus on the case of OS authentication. Imagine that you originally did not want to separate the ASM and RDBMS administrator roles. Let’s say a security audit has now prescribed that the two roles be separated, and/or a storage specialist called tom has been hired to manage ASM. How do you do it? Well, first it is good to know that the Unix groups that carry the privilege to connect as SYSDBA, SYSOPER and SYSASM are compiled into the oracle executable, normally during installation of the software.
Do you need to do a complete new installation to compile a new “asm” group into the oracle executable? No, you just need to know which file to edit and then relink the oracle executable. Here is how to do it:
First create the OS group “asm”:
groupadd -g 2003 asm
The OS groups that have the different Oracle roles assigned to them are configured in $ORACLE_HOME/rdbms/lib/config.s (on Linux).
Add the OS user of the storage administrator, tom, to the supplementary group “asm”:
usermod -a -G asm tom
Shut down all databases running from this ORACLE_HOME with the IMMEDIATE option.
Make a backup of config.s and edit this line in the original:
Change:
#define SS_ASM_GRP "dba"
To:
#define SS_ASM_GRP "asm"
Make a backup of config.o so that the relink regenerates it from the edited config.s:
mv config.o config.o.orig
Relink the oracle executable with:
make -f ins_rdbms.mk ioracle
You can now connect as the OS user tom, set your ORACLE_SID to point to the ASM instance and connect as follows to start the ASM instance:
[tom@test1 ~]$ sqlplus / as sysasm

SQL*Plus: Release 11.1.0.6.0 - Production on Wed Jan 21 14:45:57 2009

Copyright (c) 1982, 2007, Oracle. All rights reserved.

Connected to an idle instance.

SQL> startup;
ASM instance started

Total System Global Area  267227136 bytes
Fixed Size                  2143544 bytes
Variable Size             239917768 bytes
ASM Cache                  25165824 bytes
ASM diskgroups mounted
SQL>
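As an added example that is not part of the original article, the following POSIX shell helpers cover the edit-and-verify part of the procedure above: they read the group bound to a macro in config.s, report whether SYSASM and SYSDBA still share one OS group, and rewrite SS_ASM_GRP with a backup while refusing a group that does not exist in the group database. They assume the “#define SS_xxx_GRP "group"” layout the article shows; the macro name SS_DBA_GRP and the sample files in demo are assumptions/constructed, not taken from a real installation.

```shell
#!/bin/sh
# Added example, not from the article: inspect and rewrite the compiled-in
# OS group names in $ORACLE_HOME/rdbms/lib/config.s before relinking.
# Assumes the '#define SS_xxx_GRP "group"' layout the article shows and the
# macro names SS_ASM_GRP and SS_DBA_GRP (SS_DBA_GRP is an assumption here).

# Print the group bound to a macro (e.g. SS_ASM_GRP) in the given config.s.
config_group() {   # usage: config_group FILE MACRO
    sed -n "s/^#define[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1"
}

# Succeed (exit 0) only when SYSASM and SYSDBA map to different OS groups.
asm_separated() {  # usage: asm_separated FILE
    [ "$(config_group "$1" SS_ASM_GRP)" != "$(config_group "$1" SS_DBA_GRP)" ]
}

# Back up config.s and bind SS_ASM_GRP to a new group. Refuses a group that
# is not in the group database, so a typo cannot be compiled into oracle.
set_asm_group() {  # usage: set_asm_group FILE GROUP [GROUPFILE]
    f=$1; g=$2; gf=${3:-/etc/group}
    grep -q "^$g:" "$gf" || { echo "group $g does not exist in $gf" >&2; return 1; }
    cp "$f" "$f.orig" || return 1
    sed "s/^#define[[:space:]]*SS_ASM_GRP[[:space:]]*\"[^\"]*\"/#define SS_ASM_GRP \"$g\"/" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Demonstration on a constructed config.s and group file (not real Oracle files).
demo() {
    d=$(mktemp -d)
    printf '#define SS_DBA_GRP "dba"\n#define SS_OPER_GRP "dba"\n#define SS_ASM_GRP "dba"\n' > "$d/config.s"
    printf 'dba:x:2001:\nasm:x:2003:tom\n' > "$d/group"
    asm_separated "$d/config.s" || echo "before: SYSASM still bound to the $(config_group "$d/config.s" SS_DBA_GRP) group"
    set_asm_group "$d/config.s" asm "$d/group"
    asm_separated "$d/config.s" && echo "after: SYSASM bound to $(config_group "$d/config.s" SS_ASM_GRP), backup in $d/config.s.orig"
    rm -rf "$d"
}

demo
```

Against a real installation, point the helpers at $ORACLE_HOME/rdbms/lib/config.s and then follow the config.o backup and relink steps above; the relink is what actually changes the oracle executable.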
Hopefully this clarifies the way Oracle has implemented OS authentication for SYSASM. It may also save you the hassle of doing a new installation and having to preserve configuration files such as tnsnames.ora and possibly the init.ora files.