Generate Server Admin Privilege Key



User accounts can also be created for machine entities, such as service accounts for running programs, system accounts for storing system files and processes, and root and administrator accounts for system administration. A privileged account is a user account that has more privileges than a normal user account. Examples include database.

This article shows you how to create a new Azure Active Directory (Azure AD) application and service principal that can be used with Azure role-based access control (Azure RBAC). When you have code that needs to access or modify resources, you create an identity for the app; this identity is the service principal, and you assign it only the permissions it needs. This article shows you how to use the portal to create the service principal. It focuses on a single-tenant application, one intended to run within only one organization, which is the usual choice for line-of-business applications that run within your organization.

Important

Instead of creating a service principal, consider using managed identities for Azure resources for your application identity. If your code runs on a service that supports managed identities and accesses resources that support Azure AD authentication, managed identities are a better option for you. To learn more about managed identities for Azure resources, including which services currently support it, see What is managed identities for Azure resources?.

Create an Azure Active Directory application

Let's jump straight into creating the identity. If you run into a problem, check the required permissions to make sure your account can create the identity.

  1. Sign in to your Azure Account through the Azure portal.

  2. Select Azure Active Directory.

  3. Select App registrations.

  4. Select New registration.

  5. Name the application. Select a supported account type, which determines who can use the application. Under Redirect URI, select Web for the type of application you want to create, and enter the URI to which the access token is sent. You can't create credentials for a Native application, so that type can't be used for an automated application. After setting the values, select Register.

You've created your Azure AD application and service principal.

Assign a role to the application

To access resources in your subscription, you must assign a role to the application. Decide which role offers the right permissions for the application. To learn about the available roles, see RBAC: Built in Roles.

You can set the scope at the level of the subscription, resource group, or resource. Permissions are inherited to lower levels of scope. For example, adding an application to the Reader role for a resource group means it can read the resource group and any resources it contains.

  1. In the Azure portal, select the level of scope you wish to assign the application to. For example, to assign a role at the subscription scope, search for and select Subscriptions, or select Subscriptions on the Home page.

  2. Select the particular subscription to assign the application to.

    If you don't see the subscription you're looking for, select global subscriptions filter. Make sure the subscription you want is selected for the portal.

  3. Select Access control (IAM).

  4. Select Add role assignment.

  5. Select the role you wish to assign to the application. For example, to allow the application to execute actions like rebooting, starting and stopping virtual machines, select the Contributor role. Contributor also grants write access to every other resource type at that scope, so prefer a narrower built-in role (Virtual Machine Contributor, for that example) whenever one covers the task. Read more about the available roles. By default, Azure AD applications aren't displayed in the available options. To find your application, search for the name and select it.

  6. Select Save to finish assigning the role. You see your application in the list of users with a role for that scope.

Your service principal is set up. You can start using it to run your scripts or apps. The next section shows how to get values that are needed when signing in programmatically.

Get values for signing in

When programmatically signing in, you need to pass the tenant ID with your authentication request. You also need the ID for your application and a credential for it (a certificate or a client secret, covered in the next section). To get the two IDs, use the following steps:

  1. Select Azure Active Directory.

  2. From App registrations in Azure AD, select your application.

  3. Copy the Directory (tenant) ID and store it in your application code.

  4. Copy the Application ID and store it in your application code.
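The registration, role assignment and value collection above, done with the Az PowerShell module instead of the portal. This is an added example, not code from the original article; it assumes Az.Resources 5 or later, a Connect-AzAccount session as a user who may register apps and assign roles, and the application and resource group names shown, which are made up.

```powershell
# Added example (not from the original article). Assumes Az.Resources 5+ and an
# existing Connect-AzAccount session. Names below are assumptions.
$appName = 'contoso-lob-automation'
$rgName  = 'rg-lob-prod'

# 1. Register the application. New-AzADApplication creates a single-tenant
#    registration by default (sign-in audience: this organization only).
$app = New-AzADApplication -DisplayName $appName

# 2. Create the service principal, the identity the application signs in as.
$sp = New-AzADServicePrincipal -ApplicationId $app.AppId

# 3. Assign a role at the narrowest scope that works: Reader on one resource group.
#    Permissions inherit downward, so the same assignment at subscription scope
#    would read every resource group in the subscription.
$scope = (Get-AzResourceGroup -Name $rgName).ResourceId

# A brand-new principal can take a few seconds to replicate in the directory, and
# New-AzRoleAssignment fails with "principal not found" until it has. Retry briefly.
$assignment = $null
for ($i = 0; $i -lt 6 -and -not $assignment; $i++) {
    $assignment = New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName 'Reader' `
        -Scope $scope -ErrorAction SilentlyContinue
    if (-not $assignment) { Start-Sleep -Seconds 10 }
}
if (-not $assignment) { throw "Role assignment for $($sp.Id) at $scope did not succeed" }

# 4. The values a client needs to sign in; the credential is added separately.
[pscustomobject]@{
    TenantId      = (Get-AzContext).Tenant.Id   # Directory (tenant) ID
    ApplicationId = $app.AppId                   # Application (client) ID
    ObjectId      = $sp.Id                       # Service principal object ID
    Role          = $assignment.RoleDefinitionName
    Scope         = $assignment.Scope
}
```

The object ID of the service principal (not the application object) is what role assignments and Key Vault policies refer to; the application ID is what the client presents when it signs in. Keep both, they are different values.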

Certificates and secrets

Daemon applications can use two forms of credentials to authenticate with Azure AD: certificates and application secrets. We recommend using a certificate, but you can also create a new application secret.

Upload a certificate

You can use an existing certificate if you have one. Optionally, you can create a self-signed certificate for testing purposes only. Open PowerShell and run New-SelfSignedCertificate to create a self-signed certificate in the user certificate store on your computer.

Export this certificate to a file using the Manage User Certificate MMC snap-in accessible from the Windows Control Panel.

  1. Select Run from the Start menu, and then enter certmgr.msc.

    The Certificate Manager tool for the current user appears.

  2. To view your certificates, under Certificates - Current User in the left pane, expand the Personal directory.

  3. Right-click on the cert you created, select All tasks->Export.

  4. Follow the Certificate Export wizard. Do not export the private key, and export to a .CER file.

To upload the certificate:

  1. Select Azure Active Directory.

  2. From App registrations in Azure AD, select your application.

  3. Select Certificates & secrets.

  4. Select Upload certificate and select the certificate (an existing certificate or the self-signed certificate you exported).

  5. Select Add.

After registering the certificate with your application in the application registration portal, you need to enable the client application code to use the certificate.
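The certificate path end to end, as an added example that is not part of the original article: create the test certificate with a private key that cannot leave the user's certificate store, export only the public certificate (the equivalent of the certmgr.msc export without the private key), register that public part on the application, and sign in with it. It assumes Az.Resources, an existing Connect-AzAccount session, and that the two IDs below are the values collected in "Get values for signing in"; the placeholder IDs and subject name are assumptions.

```powershell
# Added example (not from the original article). Placeholder IDs are assumptions;
# replace them with the Directory (tenant) ID and Application ID of your app.
$appId    = '00000000-0000-0000-0000-000000000000'
$tenantId = '00000000-0000-0000-0000-000000000000'

# Private key marked non-exportable: nothing you export afterwards can carry it,
# which is the property the "Do not export the private key" step relies on.
# Self-signed is for testing only; use a CA-issued certificate in production.
$cert = New-SelfSignedCertificate -Subject 'CN=contoso-lob-automation' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyExportPolicy NonExportable -KeySpec Signature `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddMonths(12)

# Same result as the certmgr.msc export wizard: a DER .CER with the public key only.
$cerPath = Join-Path $env:TEMP 'contoso-lob-automation.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Same result as "Upload certificate": register the public certificate on the app.
$certValue = [Convert]::ToBase64String($cert.GetRawCertData())
New-AzADAppCredential -ApplicationId $appId -CertValue $certValue `
    -StartDate $cert.NotBefore -EndDate $cert.NotAfter | Out-Null

# Client side: sign in as the service principal. The private key is used from the
# store by thumbprint, so it is never written to disk or to configuration.
Connect-AzAccount -ServicePrincipal -ApplicationId $appId -TenantId $tenantId `
    -CertificateThumbprint $cert.Thumbprint
```

The thumbprint lookup searches the certificate stores of the account running the script, so automation that runs as a Windows service needs the certificate (and its key) in that account's store, typically Cert:\LocalMachine\My, rather than in the interactive user's store.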

Create a new application secret

If you choose not to use a certificate, you can create a new application secret.

  1. Select Certificates & secrets.

  2. Select Client secrets -> New client secret.

  3. Provide a description of the secret, and a duration. When done, select Add.

    After saving the client secret, its value is displayed. Copy this value now; it cannot be retrieved later, and you would have to create a new secret instead. You will provide the secret value together with the application ID to sign in as the application. Store the value in a secret store that your application can read at run time, not in source code or in configuration checked into version control: anyone holding it can sign in as the application with every role it has been assigned.

Configure access policies on resources

Keep in mind, you might need to configure additional permissions on resources that your application needs to access. For example, you must also update a key vault's access policies to give your application access to keys, secrets, or certificates.

  1. In the Azure portal, navigate to your key vault and select Access policies.
  2. Select Add access policy, then select the key, secret, and certificate permissions you want to grant your application. Select the service principal you created previously.
  3. Select Add to add the access policy, then Save to commit your changes.
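The same access policy set from PowerShell and then read back, as an added example that is not from the original article. It assumes the Az.KeyVault and Az.Resources modules, a Connect-AzAccount session, and the vault name and application ID below, which are assumptions.

```powershell
# Added example (not from the original article). Vault name and application ID
# are assumptions.
$vaultName = 'kv-lob-prod'
$appId     = '00000000-0000-0000-0000-000000000000'

# Grant 'get' only. An application that reads one named secret does not need
# 'list': list is what turns a single leaked secret name into a dump of the vault,
# and it needs neither 'set' nor 'delete' to read.
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId `
    -PermissionsToSecrets get

# Read the effective policy back for this principal. Policies are keyed by the
# service principal's object ID, so resolve it from the application ID first.
$sp = Get-AzADServicePrincipal -ApplicationId $appId
(Get-AzKeyVault -VaultName $vaultName).AccessPolicies |
    Where-Object { $_.ObjectId -eq $sp.Id } |
    Select-Object ObjectId, PermissionsToKeys, PermissionsToSecrets, PermissionsToCertificates
```

Set-AzKeyVaultAccessPolicy replaces the permission lists it is given for that principal, so re-running it with a narrower list is how you tighten an existing grant. If the vault has been switched to the Azure RBAC permission model, access policies are ignored and the equivalent is a role assignment such as Key Vault Secrets User scoped to the vault.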

Required permissions

You must have sufficient permissions to register an application with your Azure AD tenant, and assign to the application a role in your Azure subscription.

Check Azure AD permissions

  1. Select Azure Active Directory.

  2. Note your role. If you have the User role, you must make sure that non-administrators can register applications.

  3. In the left pane, select User settings.

  4. Check the App registrations setting. This value can only be set by an administrator. If set to Yes, any user in the Azure AD tenant can register an app.

If the app registrations setting is set to No, only users with an administrator role may register these types of applications. See available roles and role permissions to learn about available administrator roles and the specific permissions in Azure AD that are given to each role. If your account is assigned the User role, but the app registration setting is limited to admin users, ask your administrator to either assign you one of the administrator roles that can create and manage all aspects of app registrations, or to enable users to register apps.

Check Azure subscription permissions

In your Azure subscription, your account must have Microsoft.Authorization/*/Write access to assign a role to an AD app. This action is granted through the Owner role or User Access Administrator role. If your account is assigned the Contributor role, you don't have adequate permission. You will receive an error when attempting to assign the service principal a role.

To check your subscription permissions:

  1. Search for and select Subscriptions, or select Subscriptions on the Home page.

  2. Select the subscription you want to create the service principal in.

    If you don't see the subscription you're looking for, select global subscriptions filter. Make sure the subscription you want is selected for the portal.

  3. Select My permissions. Then, select Click here to view complete access details for this subscription.

  4. Select View in Role assignments to view your assigned roles, and determine if you have adequate permissions to assign a role to an AD app. If not, ask your subscription administrator to add you to the User Access Administrator role. A user assigned the Owner role at that scope has adequate permissions.
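The same check done in PowerShell before opening the portal, as an added example that is not from the original article. It evaluates the Actions and NotActions of every role the signed-in user holds at or above the scope, the way Azure evaluates Microsoft.Authorization/roleAssignments/write, so Contributor (Actions "*", NotActions "Microsoft.Authorization/*/Write") correctly comes out as not allowed while Owner and User Access Administrator do. It assumes Az.Resources, a Connect-AzAccount session as a user account, and permission to expand group membership; the subscription ID is a placeholder.

```powershell
# Added example (not from the original article). Subscription ID is an assumption.
function Test-AzRoleAssignPermission {
    param(
        [Parameter(Mandatory)] [string] $Scope,
        [string] $Action = 'Microsoft.Authorization/roleAssignments/write'
    )
    $signInName = (Get-AzContext).Account.Id

    # Includes assignments inherited from parent scopes and those held through
    # group membership, which is what the portal's "My permissions" view shows.
    $assignments = Get-AzRoleAssignment -SignInName $signInName -Scope $Scope -ExpandPrincipalGroups

    foreach ($a in $assignments) {
        $def = Get-AzRoleDefinition -Id $a.RoleDefinitionId
        # Azure action patterns use '*' as a wildcard and are case-insensitive;
        # PowerShell's -like behaves the same way, with the pattern on the right.
        $allowed = @($def.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
        $denied  = @($def.NotActions | Where-Object { $Action -like $_ }).Count -gt 0
        if ($allowed -and -not $denied) {
            return [pscustomobject]@{ Allowed = $true; Role = $def.Name; AssignedAt = $a.Scope }
        }
    }
    [pscustomobject]@{ Allowed = $false; Role = $null; AssignedAt = $null }
}

Test-AzRoleAssignPermission -Scope '/subscriptions/00000000-0000-0000-0000-000000000000'
```

This reproduces only the role-definition part of the decision. Azure deny assignments and assignment conditions can still refuse an action this function reports as allowed, so treat a result of Allowed = $false as definitive and Allowed = $true as likely.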

Next steps

  • To learn about specifying security policies, see Azure Role-based Access Control.
  • For a list of available actions that can be granted or denied to users, see Azure Resource Manager Resource Provider operations.

This chapter describes the users, groups, and environment settings to complete before you install Oracle Database and Grid Infrastructure for a standalone server.



See Also:

Oracle Database Platform Guide for Microsoft Windows

4.1 Creating Required Operating System Groups and Users

Depending on whether this is the first time you are installing Oracle software on your system and on the products that you are installing, you may have to create several operating system groups and users.

You can choose to create one administrative user and use one group for operating system authentication for all system privileges on the storage and database tiers. For example, you can designate the oracle user to be the Oracle Installation user for all Oracle software and use only the ORA_DBA group for authentication. You can also create custom configuration groups and users based on job role separation that divide access privileges.

Log in as an Administrator user, and use the following instructions to create the Oracle Installation user for Oracle Database.

See Also:

Oracle Database Platform Guide for Microsoft Windows

4.1.1 About the Oracle Installation User

To install Oracle Grid Infrastructure for a standalone server or Oracle Database software, you must use either a local or domain user that is also a member of the Administrators group. This user is the Oracle Installation User. The Oracle Installation User can be either a local user or a domain user.

4.1.2 Creating Oracle Home User

During Oracle Database installation, you can specify an optional Oracle Home User associated with the Oracle home. For example, assume that you use an Administrator user named OraSys to install the software (Oracle Installation user), then you can specify the ORADOMAIN\OraDb domain user as the Oracle Home user for this installation. The specified Oracle Home domain user must exist before you install the Oracle Database software.

The Oracle Home User can be either the Windows built-in account (LocalSystem) or an existing user. If you specify an existing user as the Oracle Home User, then the Windows User Account you specify can either be a Windows Domain User or a Windows Local User.


If you specify a non-existing user as the Oracle Home User, then the Windows User Account you specify must be a Windows Local User. This account is used for running the Windows services for the Oracle home. Do not log in using this account to perform administrative tasks. Windows User Account can be a Windows Local User, Windows Domain User or Managed Services Account (MSA).

If you want to create a new user during installation, then it can only be a Windows Local User. It cannot be a Windows Domain User or an MSA. The new user that is created is denied interactive logon privileges to the Windows computer. However, a Windows administrator can manage this account like any other Windows account. Oracle recommends that you use the standard Windows User Account (instead of Windows Built-in Account) as the Oracle Home User for enhanced security.

Note:

You cannot change the Oracle Home User after the installation is complete. If you must change the Oracle Home User, then you must reinstall the Oracle Database software.

When you specify an Oracle Home user, the installer configures that user as the Oracle Service user for all software services that run from the Oracle home. The Oracle Service user is the operating system user that the Oracle software services run as, or the user from which the services inherit privileges.

Silent installation is enhanced to support password prompt for the Oracle Home User. So, customers and independent software vendors (ISV) can use response files without hard coding the password into the source code.

Oracle recommends using the standard Windows User Account (not an Administrator account) as the Oracle Home User for typical installation, software-only installation, and cloning.

If an existing Windows User Account is used as the Oracle Home User for software-only installation, then a password is not required. Thus, you can perform a silent, software-only installation using Windows User Account.

If using a Windows User Account as the Oracle Home User for cloning individual Oracle Database installations, then a password is not required.
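A post-installation check that the Oracle Home User recommendation actually holds on a server, as an added example that is not from the Oracle guide: list every Oracle service with the account it logs on as, and flag services running as the built-in LocalSystem account or as a direct member of the local Administrators group. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module and that Oracle service names start with "Oracle", which is how the installer names them.

```powershell
# Added example (not from the Oracle guide). Assumes service names start with
# "Oracle" and checks direct Administrators membership only (not nested groups).
function Get-OracleServiceAccountReport {
    $admins = (Get-LocalGroupMember -Group 'Administrators').Name

    Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE 'Oracle%'" |
        ForEach-Object {
            # Win32_Service reports local users as '.\user'; Get-LocalGroupMember
            # reports them as 'COMPUTER\user'. Normalise so they compare.
            $account = $_.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
            [pscustomobject]@{
                Service     = $_.Name
                Account     = $account
                State       = $_.State
                IsSystem    = ($account -eq 'LocalSystem')
                IsAdmin     = ($admins -contains $account)
            }
        }
}

# Anything with IsSystem or IsAdmin set is a service whose compromise yields
# full control of the host rather than just of the Oracle home.
Get-OracleServiceAccountReport | Sort-Object IsAdmin, IsSystem -Descending | Format-Table -AutoSize
```

Because the Oracle Home User cannot be changed after installation, run this once in a test installation before committing to an account choice; changing the result later means reinstalling the software.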

4.1.3 Understanding the Oracle Inventory Directory and the Oracle Inventory Group

The Oracle Inventory directory is the central inventory location for all Oracle software installed on a server. By default, the location of the Oracle Inventory directory is C:\Program Files\Oracle\Inventory.

When you install Oracle software on the system for the first time, OUI creates the directories for the Oracle central inventory and the Oracle Inventory group, ORA_INSTALL. The ORA_INSTALL group contains all the Oracle Home Users for all Oracle homes on the server.

Whether you are performing the first installation of Oracle software on this server, or are performing an installation of additional Oracle software on the server, you do not need to create the Oracle central inventory or the ORA_INSTALL group; the Oracle Universal Installer creates them automatically. You cannot change the name of the Oracle Inventory group - it is always ORA_INSTALL.

4.1.4 Operating System Groups Created During Oracle Database Installation

During installation, the user groups listed in Table 4-1 are created, if they do not already exist. In the following table, the HOMENAME variable refers to the generated HOMENAME for a software installation, which is of the form Ora<product><majorVersion>Home<number>. For example, OraDB12cHome1.

Table 4-1 User Groups Created During Oracle Database Installation

Columns: Operating System Group Name | Related System Privilege | Description (each entry below gives the three in that order)

ORA_DBA

SYSDBA system privileges for all Oracle Database installations on the server

A special OSDBA group for the Windows operating system.

Members of this group are granted SYSDBA system privileges for all Oracle Databases installed on the server.

ORA_OPER

SYSOPER system privileges for all Oracle databases installed on the server

A special OSOPER group for the Windows operating system.

Members of this group are granted SYSOPER system privileges on all Oracle Databases installed on the server. This group does not have any members after installation, but you can manually add users to this group after the installation completes.

ORA_ASMADMIN

SYSASM system privileges for Oracle ASM administration

The OSASM group for the Oracle ASM instance.

Using this group and the SYSASM system privileges enables the separation of SYSDBA database administration privileges from Oracle ASM storage administration privileges. Members of the OSASM group are authorized to connect using the SYSASM privilege and have full access to Oracle ASM, including administrative access to all disk groups that the Oracle ASM instance manages.

ORA_ASMDBA

SYSDBA system privileges on the Oracle ASM instance

The OSDBA group for the Oracle ASM instance.

This group grants access for the database to connect to Oracle ASM. During installation, the Oracle Installation Users are configured as members of this group. After you create an Oracle Database, this group also contains the Oracle Home Users of those database homes.

ORA_ASMOPER

SYSOPER for ASM system privileges

The OSOPER group for the Oracle ASM instance.

Members of this group are granted SYSOPER system privileges on the Oracle ASM instance, which permits a user to perform operations such as startup, shutdown, mount, dismount, and check disk group. This group has a subset of the privileges of the OSASM group. Similar to the ORA_HOMENAME_OPER group, this group does not have any members after installation, but you can manually add users to this group after the installation completes.

ORA_HOMENAME_DBA

SYSDBA system privileges for all instances that run from the Oracle home with the name HOMENAME

An OSDBA group for a specific Oracle home with a name of HOMENAME.

Members of this group can use operating system authentication to gain SYSDBA system privileges for any database that runs from the specific Oracle home. If you specified an Oracle Home User during installation, the user is added to this group during installation.

ORA_HOMENAME_OPER

SYSOPER system privileges for all instances that run from the Oracle home with a name HOMENAME

An OSOPER group for the Oracle home with a name of HOMENAME.

Members of this group can use operating system authentication to gain SYSOPER system privileges for any database that runs from the specific Oracle home. This group does not have any members after installation, but you can manually add users to this group after the installation completes.

ORA_HOMENAME_SYSBACKUP

SYSBACKUP system privileges for all instances that run from the Oracle home with a name of HOMENAME

OSBACKUPDBA group for a specific Oracle home with a name of HOMENAME.

Members of this group have privileges necessary for performing database backup and recovery tasks on all database instances that run from the specified Oracle home directory.

ORA_HOMENAME_SYSDG

SYSDG system privileges for all instances that run from the Oracle home with a name of HOMENAME

OSDGDBA group for a specific Oracle home with a name of HOMENAME.

Members of this group have privileges necessary for performing Data Guard administrative tasks on all database instances that run from the specified Oracle home directory.

ORA_HOMENAME_SYSKM

SYSKM system privileges for all instances that run from the Oracle home with a name of HOMENAME.

OSKMDBA group for a specific Oracle home with a name of HOMENAME.

Members of this group have privileges necessary for performing encryption key management tasks on all database instances that run from the specified Oracle home directory.


During the installation of Oracle Database, all groups mentioned in the table are populated for proper operation of Oracle products. You must not remove any group member populated by Oracle. However, if you want to assign specific database privileges to new Windows operating system users, then you can manually add users to these groups after the installation completes.

See Also:

Oracle creates other groups, such as ORA_INSTALL, ORA_CLIENT_LISTENERS, ORA_GRID_LISTENERS and ORA_HOMENAME_SVCSIDS, during installation. Do not change these groups, their memberships, or the ACLs associated with the various Oracle-created groups.
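Because membership in these groups is operating system authentication for SYSDBA, SYSOPER and SYSASM, the group lists are the thing to audit after installation and periodically thereafter. The following is an added example, not part of the Oracle guide: it enumerates every ORA_* local group from Table 4-1 with its members and flags members of the server-wide groups (ORA_DBA, ORA_OPER, ORA_ASMADMIN, whose privilege covers every database or ASM instance on the host) that are not on an allow list you supply. The allow list below is an assumption; it should be baselined from what the installer populated, since the guide says not to remove those members. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module.

```powershell
# Added example (not from the Oracle guide). The default allow list is an
# assumption: replace it with the members Oracle populated at install time.
function Get-OracleOsAuthReport {
    param(
        [hashtable] $Expected = @{
            ORA_DBA      = @("$env:COMPUTERNAME\oracle")
            ORA_OPER     = @()
            ORA_ASMADMIN = @("$env:COMPUTERNAME\grid")
        }
    )
    # Only report. Never remove members here: the guide forbids removing
    # members populated by Oracle, and services depend on those memberships.
    foreach ($group in Get-LocalGroup -Name 'ORA_*') {
        $serverWide = $Expected.ContainsKey($group.Name)
        foreach ($m in @(Get-LocalGroupMember -Group $group.Name)) {
            [pscustomobject]@{
                Group      = $group.Name
                Member     = $m.Name
                Type       = $m.ObjectClass      # User or Group
                Source     = $m.PrincipalSource  # Local or ActiveDirectory
                ServerWide = $serverWide
                Unexpected = $serverWide -and ($Expected[$group.Name] -notcontains $m.Name)
            }
        }
    }
}

# Unexpected rows first: each one is an account with SYSDBA, SYSOPER or SYSASM
# on every instance on this server via OS authentication, no database password needed.
Get-OracleOsAuthReport | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

A domain group placed in ORA_DBA shows up as a single row of Type Group; its nested membership is not expanded here, so treat any group member of a server-wide ORA_* group as something to resolve against the directory separately.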

4.1.5 Operating System Groups and Users for Job Role Separation

A job role separation configuration of Oracle Database and Oracle ASM is a configuration with groups and users to provide separate groups for operating system authentication.


4.1.5.1 About Job Role Separation Operating System Privileges Groups and Users

During the Oracle Database installation, the OSDBA, OSOPER, OSBACKUPDBA, OSDGDBA and OSKMDBA groups are created and users assigned to these groups. Members of these groups are granted operating system authentication for the set of database system privileges each group authorizes. Oracle recommends that you use different operating system groups for each set of system privileges.

4.1.5.2 Oracle Software Owner For Each Oracle Software Product

You can create a single user (for example, oracle) to own both the Oracle Database and the Oracle Grid Infrastructure for a standalone server installations. However, Oracle recommends that you create one software owner for each Oracle software installation: typically oracle for the database software and grid for the Oracle Restart (Oracle Grid Infrastructure) owner.

You must create at least one software owner the first time you install Oracle software on the system.

Note:

In Oracle documentation, a user created to own only Oracle Grid Infrastructure software installations is called the grid user. A user created to own either all Oracle installations, or only Oracle database installations, is called the oracle user.

4.1.5.3 Standard Oracle Database Groups for Job Role Separation for Oracle Database

The following is a list of standard Oracle Database groups. These groups provide operating system authentication for database administration system privileges:

Note:

All these groups are automatically created as a part of Oracle Database installation on Windows.

  • The OSDBA group (ORA_DBA)

    Use this group the first time you install Oracle Database software on the system. This group identifies operating system user accounts that have database administrative privileges (the SYSDBA privilege) for all database instances running on the server.

    Members of the ORA_DBA group do not have SYSASM privileges on Oracle ASM instances, which are needed for mounting and dismounting disk groups.

  • The OSOPER group for Oracle Database (ORA_OPER)

    Use this group if you want a separate group of operating system users to have a limited set of database administrative privileges for starting up and shutting down the database (the SYSOPER privilege).

  • The OSDBA group for a particular Oracle home (ORA_HOMENAME_DBA)

    This group is created the first time you install Oracle Database software into a new Oracle home. This group identifies operating system user accounts that have database administrative privileges (the SYSDBA privilege) for the database instances that run from that Oracle home.

  • The OSOPER group for a particular Oracle home (ORA_HOMENAME_OPER)

    Use this group if you want a separate group of operating system users to have a limited set of database administrative privileges for starting up and shutting down the database instances that run from a particular Oracle home (the SYSOPER privilege).

4.1.5.4 Extended Oracle Database Groups for Job Role Separation

In addition to the SYSOPER privilege to start up and shut down the database, you can create new administrative privileges that are more task-specific and less privileged than the ORA_DBA/SYSDBA system privileges, to support the specific administrative tasks required for everyday database operation. Users granted these system privileges are also authenticated through operating system group membership.

During installation, you are prompted to provide operating system groups whose members are granted access to these system privileges. You can assign the same group (for example, ORA_DBA) to provide authentication for all of these privileges, but Oracle recommends that you provide a unique group to designate each privilege.

The OSDBA subset job role separation privileges and groups consist of the following:

  • The OSBACKUPDBA group for Oracle Database (ORA_HOMENAME_SYSBACKUP)

    Use this group if you want a separate group of operating system users to have a limited set of database backup and recovery related administrative privileges, the SYSBACKUP privilege.

  • The OSDGDBA group for Oracle Data Guard (ORA_HOMENAME_SYSDG)

    Use this group if you want a separate group of operating system users to have a limited set of privileges to administer and monitor Oracle Data Guard, the SYSDG privilege.

  • The OSKMDBA group for encryption key management (ORA_HOMENAME_SYSKM)

    Use this group if you want a separate group of operating system users to have a limited set of privileges for encryption key management such as Oracle Wallet Manager management, the SYSKM privilege.

Note:

All these groups, ORA_HOMENAME_SYSBACKUP, ORA_HOMENAME_SYSDG, and ORA_HOMENAME_SYSKM, are applicable only to the database instances running from that particular Oracle home.

4.1.5.5 Oracle Automatic Storage Management Groups for Job Role Separation

Create the following operating system groups if you are installing Oracle Grid Infrastructure:

  • The OSDBA group for Oracle ASM (ORA_ASMDBA)

    This group grants access for the database to connect to Oracle ASM. During installation, the Oracle Installation Users are configured as members of this group. After you create an Oracle Database, this group contains the Oracle Home Users of those database homes. Any client of Oracle ASM that needs to access storage managed by Oracle ASM needs to be in this group.

  • The OSASM group for Oracle ASM Administration (ORA_ASMADMIN)

    Use this separate group to have separate administration privilege groups for Oracle ASM and Oracle Database administrators. Members of this group are granted the SYSASM system privilege to administer Oracle ASM. In Oracle documentation, the operating system group whose members are granted privileges is called the OSASM group. During installation, the Oracle Installation User for Oracle Grid Infrastructure and Oracle Database Service IDs are configured as members of this group. Membership in this group also grants database access to the Oracle ASM disks.

    Members of the OSASM group can use SQL to connect to an Oracle ASM instance as SYSASM using operating system authentication. The SYSASM privilege permits mounting and dismounting disk groups, and other storage administration tasks. SYSASM system privileges do not grant access privileges on an Oracle Database instance.

  • The OSOPER group for Oracle ASM (ORA_ASMOPER)

    This is an optional group. Create this group if you want a separate group of operating system users to have a limited set of Oracle ASM instance administrative privileges, the SYSOPER for ASM privilege, including starting up and stopping the Oracle ASM instance. By default, members of the OSASM group also have all privileges granted by the SYSOPER for ASM privilege.

    To use the Oracle ASM Operator group to create an Oracle ASM administrator with fewer privileges than those granted by the SYSASM system privilege, you must assign the user to this group after installation.

    See Also:

    • Oracle Database Administrator's Guide

    • Oracle Database Security Guide


4.2 Stopping Existing Oracle Services

Note:

If you are installing additional Oracle Database 12c products in an existing Oracle home, then stop all processes, including the listener and database, running in the Oracle home. You cannot install into an existing Oracle home from a release other than 12c. You must complete this task to enable Oracle Universal Installer to relink certain executables and libraries.

Consider the following before you install Oracle Grid Infrastructure for a standalone server or Oracle Database:


  • If you plan to use Oracle Restart, then you must install the Oracle Grid Infrastructure for a standalone server before you install and create the database. When you perform a database installation, the database must use the same listener created during the Oracle Grid Infrastructure for a standalone server installation, thereafter you do not have to perform the steps listed in this section.

    The default listener and any additional listeners must run from the Oracle Grid Infrastructure home.

  • If you have an existing Oracle Database 12c running on Oracle ASM, then stop any existing Oracle ASM instances. After you finish installing Oracle Grid Infrastructure for a standalone server, start the Oracle ASM instance again.

If you choose to create a database during the installation, then most installation types configure and start a default Oracle Net listener using TCP/IP port 1521 and the IPC key value EXTPROC. However, if an existing Oracle Net listener process is using the same port or key value, Oracle Universal Installer looks for the next available port (for example, 1522) and configures and starts the new listener on this available port.

4.3 Configuring User Accounts

During installation, you can specify an Oracle Home User. Before starting the installation, there are a few checks you must perform for the Oracle Installation users, to ensure the installation succeeds.


4.3.1 Configuring Environment Variables for the Software Installation Owner

Before starting the Oracle Database installation, ensure that the TEMP environment variable is set correctly. See 'Hard Disk Space Requirements' for more information.

4.3.2 Managing User Accounts with User Account Control

To ensure that only trusted applications run on your computer, the Windows operating systems supported for Oracle Database provide User Account Control. If you have enabled this security feature, then, depending on how you have configured it, Oracle Universal Installer prompts you for either your consent or your credentials when installing Oracle Database. Provide either the consent or your Windows Administrator credentials as appropriate.

You must have Administrator privileges to run some Oracle tools, such as Database Configuration Assistant, Net Configuration Assistant, and OPatch, or to run any tool or application that writes to any directory within the Oracle home. If User Account Control is enabled, and you are logged in as the local Administrator, then you can successfully run each of these commands in the usual way. However, if you are logged in as a member of the Administrators group, then you must explicitly start these tasks with Windows Administrator privileges, because User Account Control runs your session with a filtered token until you elevate. All the Oracle shortcuts that require Administrator privileges start as Administrator automatically when you click the shortcuts. However, if you run the above tools from a Windows command prompt, you must run them from an Administrator command prompt. OPatch does not have a shortcut and has to be run from an Administrator command prompt.

See Also:

Oracle Database Platform Guide for Microsoft Windows

To start a command prompt window with Windows Administrator privileges:


  1. On your desktop, create a shortcut for the command prompt window. An icon for that shortcut appears on the desktop.

  2. Right-click the icon for the newly created shortcut, and specify Run as administrator.


When you open this window, the title bar reads Administrator: Command Prompt. Commands run from within this window are run with Administrator privileges.
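The same elevation handled from a script rather than a shortcut, as an added example that is not from the Oracle guide: it tests whether the current session already holds a full administrator token (an Administrators member under User Account Control gets a filtered token until elevated, and the test returns false for that token), and otherwise starts the tool through the UAC prompt. The OPatch path is an assumption.

```powershell
# Added example (not from the Oracle guide). The OPatch path is an assumption.
function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    # False for a member of Administrators whose token UAC has filtered;
    # true only in an elevated ("Administrator:") session.
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-Elevated {
    param(
        [Parameter(Mandatory)] [string] $FilePath,
        [string[]] $ArgumentList = @()
    )
    if (Test-IsElevated) {
        & $FilePath @ArgumentList
        return
    }
    # -Verb RunAs triggers the UAC consent or credential prompt the guide describes.
    # Start-Process rejects an empty -ArgumentList, so only pass it when present.
    $params = @{ FilePath = $FilePath; Verb = 'RunAs'; Wait = $true }
    if ($ArgumentList.Count -gt 0) { $params.ArgumentList = $ArgumentList }
    Start-Process @params
}

# An "Administrator: Command Prompt" without creating a shortcut first:
#   Start-Process cmd.exe -Verb RunAs
# OPatch has no shortcut, so run it through the same path:
Invoke-Elevated -FilePath 'C:\app\oracle\product\12.1.0\dbhome_1\OPatch\opatch.exe' `
    -ArgumentList 'lsinventory'
```

A process started with -Verb RunAs runs in a new window, so its output is not captured by the calling script; for unattended patching, run the whole script from an already elevated session so the first branch is taken.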
