I wanted to know what the best account is to give someone access to if they will be installing and maintaining an Oracle database, including making backups of the database, on Windows Server 2012 R2. What role should I assign them? I don't think an administrator is necessary; should it be Power User or something else?
Windows Server administration accounts
If you are trying to follow the principle of least privilege, you really need to separate the two tasks, installing and maintaining.
From the Windows side, they would need administrative rights to install the software. The power users group is still there and would work, but it's really only there for backwards compatibility (might go away at some point).
By default the administrators, backup operators, and users groups have the right to log on locally on member servers. So once the software is installed, no additional Windows rights or permissions are needed (unless you have restricted write access to wherever the backup location is). You would need to assign the appropriate permissions through Oracle for creating and backing up databases, etc.
So I would suggest having an existing administrator install the software for them, or adding them to the local administrators group so they can install the software, and then removing them from the administrators group after installation (i.e. privilege bracketing).
Hope this helps,
To add to what Mike said, if this need comes up where people need to work on a server for a short term, I use some security groups that have temporary user accounts in them on the appropriate domain, set an expiration date, and tell them they have until then to finish the software install; then I add those groups to the Administrators group on the system.
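
The privilege bracketing described in the answer, with a time limit in the spirit of the follow-up comment, as an added example that is not code from either poster. It assumes an elevated PowerShell session on the target server, an English-language group name, and a placeholder account `CONTOSO\ora-install`; the scheduled-task safety net is this example's own choice, not the commenter's account-expiration method.

```powershell
# Added example, not from the thread. Run elevated on the target server.
# 'CONTOSO\ora-install' is a placeholder account; 8 hours is an arbitrary window.
$Group = 'Administrators'

function Test-LocalAdmin([string]$Account) {
    # Direct members of the local group, read through the WinNT ADSI provider.
    $g = [ADSI]"WinNT://$env:COMPUTERNAME/$Group,group"
    $paths = @($g.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $_, $null)
    }
    $leaf = $Account -replace '\\', '/'
    [bool]($paths | Where-Object { $_ -eq "WinNT://$leaf" -or $_ -like "WinNT://*/$leaf" })
}

function Get-RevokeTaskName([string]$Account) {
    'RevokeAdmin_' + ($Account -replace '\\', '_')
}

function Grant-BracketedAdmin([string]$Account, [int]$Hours = 8) {
    $expires = (Get-Date).AddHours($Hours)
    & net.exe localgroup $Group $Account /add | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not add $Account to $Group" }

    # Safety net: SYSTEM removes the membership even if nobody remembers to.
    $action  = New-ScheduledTaskAction -Execute 'net.exe' `
               -Argument "localgroup $Group `"$Account`" /delete"
    $trigger = New-ScheduledTaskTrigger -Once -At $expires
    Register-ScheduledTask -TaskName (Get-RevokeTaskName $Account) `
        -Action $action -Trigger $trigger -User 'SYSTEM' -RunLevel Highest | Out-Null
    '{0} is in {1} until {2:yyyy-MM-dd HH:mm}' -f $Account, $Group, $expires
}

function Revoke-BracketedAdmin([string]$Account) {
    if (Test-LocalAdmin $Account) {
        & net.exe localgroup $Group $Account /delete | Out-Null
    }
    Unregister-ScheduledTask -TaskName (Get-RevokeTaskName $Account) `
        -Confirm:$false -ErrorAction SilentlyContinue
    # Verify rather than trust the exit code: fail loudly if the right remains.
    if (Test-LocalAdmin $Account) { throw "$Account is still in $Group" }
    "$Account removed from $Group"
}

# Grant-BracketedAdmin 'CONTOSO\ora-install' -Hours 8   # before the install
# Revoke-BracketedAdmin 'CONTOSO\ora-install'            # as soon as it is done
```

A session that is already logged on keeps its administrator token until logoff, so have the installer sign out after the revoke. With "Audit Security Group Management" enabled, the add and the remove appear in the Security log as events 4732 and 4733.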