TME 10 Module For Oracle** - User Management User's Guide. Version 1.0


TME 10 Module For Oracle - User Management User's Guide (November 1997)

Copyright Notice

Copyright 1997 by Tivoli Systems, an IBM Company, including this documentation and all software. All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission of Tivoli Systems. The document is not intended for production and is furnished as is without warranty of any kind. All warranties on this document are hereby disclaimed including the warranties of merchantability and fitness for a particular purpose.

Note to U.S. Government Users: Documentation related to restricted rights. Use, duplication or disclosure is subject to restrictions set forth in GSA ADP Schedule Contract with IBM Corporation.

Trademarks

The following product names are trademarks of Tivoli Systems or IBM Corporation: AIX, IBM, OS/2, RISC System/6000, Tivoli Management Environment, and TME 10. Microsoft, Windows, and the Windows 95 logo are trademarks or registered trademarks of Microsoft Corporation. UNIX is a registered trademark in the United States and other countries licensed exclusively through X/Open Company Limited. Oracle is a registered trademark of Oracle Corporation. Other company, product, and service names mentioned in this document may be trademarks or servicemarks of others.

Notice

References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to Tivoli Systems or IBM's valid intellectual property or other legally protectable right, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user.

Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, 500 Columbus Avenue, Thornwood, New York 10594.

Contents

Preface

Chapter 1 Installation
    Software Requirements
    Hardware Requirements
    Installation
        Command Line

Chapter 2 Understanding TME 10 Oracle User Management
    Management Policy
    Management-by-Subscription
    Secure Delegation
    Profile Capabilities
    Management of Database Configuration Information
    Setting Default and Validation Policy

Chapter 3 Setting up Oracle User Management Profiles
    Setting Managed Resources
        Desktop
        Command Line
    Creating a Profile Manager
        Desktop
        Command Line
    Creating an Oracle User Profile
        Desktop
        Command Line
    Adding Subscribers
        Desktop, Drag and Drop
        Desktop, Profile Manager
        Command Line
    Removing Subscribers
        Desktop, Edit Menu
        Command Line

Chapter 4 Profile Policy
    Setting and Editing Default Policy
        Desktop
        Command Line
    Setting and Editing Validation Policy
        Desktop
        Command Line
    Using String Constants in User and Role Profiles
    Using String Constants in Resource Profiles

Chapter 5 Using Oracle User Management Profiles
    Populating an Oracle User Profile from a Database
    Copying Profile Records
    Moving Profile Records
    Locking/Unlocking Records
    Listing User Information
    Distributing Profiles
    Deleting a Profile

Chapter 6 Managing Oracle Database Users
    Adding a User Record
    Editing a User Record
    Editing Multiple Users Records
    Managing Object Privileges
    Deleting a User Record
    Viewing Granted Object Privileges
    Setting the Tablespace List

Chapter 7 Managing Oracle Database Roles
    Understanding TME 10 Oracle Role Profiles
    Adding a Role Record
    Editing a Role Record
    Editing Multiple Role Records
    Deleting a Role Record

Chapter 8 Managing Oracle Database Resource Profiles
    Understanding TME 10 Oracle Resource Profiles
    Adding a Resource Record
        Desktop
        Command Line
    Editing a Resource Record
    Editing Multiple Resource Records
        Desktop
        Command Line
    Deleting a Resource Record
        Desktop
        Command Line

Appendix A Examples
    Profile Validation Policy
    Locking

Preface

The TME 10 Module For Oracle - User Management User's Guide describes how to install and use the TME 10 Module For Oracle - User Management. You can install it from the Tivoli Management Environment 10 (TME 10) desktop or from the command line. With TME 10 Module For Oracle - User Management, you can manage Oracle users, roles, and resource profiles for any number of Oracle databases.

Who Should Read This Guide

This guide explains the concepts you should know to use TME 10 Module For Oracle - User Management. Readers of this guide should have a knowledge of the UNIX or Windows NT operating system, TME 10, and Oracle database administration.

Prerequisite and Related Documents

The TME 10 Framework User's Guide contains more detailed information about profiles and profile management.

The TME 10 Module For Oracle - Framework User's Guide contains information about database and instance management using TME 10 Module For Oracle - Framework, and how it is integrated into TME 10.

For general information about the Oracle server and how it works, see the relevant version of the Server Concepts Manual.

For information about administering the Oracle Server, see the relevant version of the Server Administrator's Guide.

What This Guide Contains

The TME 10 Module For Oracle - User Management User's Guide contains the following sections:

    Chapter 1 Installation
        Contains information about software and hardware requirements, and describes how to install the product.

    Chapter 2 Understanding TME 10 Oracle User Management
        Describes Tivoli concepts relevant to the TME 10 Module For Oracle - User Management, including policy, management-by-subscription and profiles.

    Chapter 3 Setting up Oracle User Management Profiles
        Describes how to create profile managers, profiles and subscribers.

    Chapter 4 Profile Policy
        Describes how to set up default and validation policy in a profile.

    Chapter 5 Using Oracle User Management Profiles
        Describes how to populate, distribute and delete profiles, and copy, move, and lock profile records.

    Chapter 6 Managing Oracle Database Users
        Describes how to add, edit and drop users in a profile.

    Chapter 7 Managing Oracle Database Roles
        Describes how to add, edit and drop roles in a profile.

    Chapter 8 Managing Oracle Database Resource Profiles
        Describes how to add, edit and drop resource profiles in a profile.

    Appendix A Examples
        Contains examples demonstrating how validation policy and locking can be applied to the management of Oracle users.

Typeface Conventions

The guide uses several typeface conventions for special terms and actions. These conventions have the following meaning:

    Bold            Commands, keywords, file names, or other information that you must use literally appear in bold. Names of windows, dialogs, and other controls also appear in bold.
    Italics         Variables and values that you must provide appear in italics.
    Bold Italics    New terms appear in bold italics the first time they are used.
    Monospace       Code examples appear in a monospace font.

Platform-Specific Information

The following markers are used to identify platform-specific information or procedures.

    Platform     Supported Configuration
    AIX 3.2.5    IBM RS/6000 series running AIX 3.2.5
    AIX 4.1      IBM RS/6000 series running AIX 4.1
    HP 9.x       HP9000/700 and 800 series running HP/UX 9.x
    HP 10.0      HP9000/700 and 800 series running HP/UX 10.0
    SunOS        Sun SPARC series running SunOS 4.1.2 or higher
    Solaris      Sun SPARC series running Solaris 2.3 or higher

Oracle Software Requirements

TME 10 Module For Oracle - User Management can manage Oracle version 7.1 or higher.

Contacting Customer Support

We are very interested in hearing from you about your experience with the products in the Tivoli Management Environment 10. We welcome your suggestions for improvements.

If you encounter difficulties with any TME 10 product, please contact your customer support representative. To assist you, the TME 10 Framework includes the wsupport command. This command prompts you for problem information, which can be e-mailed to your support provider or saved to a text file. You can then print the saved file, and fax the resulting TME 10 Problem Report form to your support provider. See the TME 10 Framework Reference Manual for additional information about the wsupport command.

If you have comments or suggestions about the TME 10 documentation, please send e-mail to pubs@tivoli.com.

Chapter 1 Installation

TME 10 Module For Oracle - User Management software enables you to use TME 10 to add Oracle database management capabilities to your TME 10 platform. This chapter provides the information you need to install this application in your TME 10. This chapter covers the following topics:

    Software requirements
    Hardware requirements
    Installation

Before installing TME 10 Module For Oracle - User Management, please review the release notes for the specific release.

Software Requirements

This product is dependent on the following software:

    TME 10 Framework, Version 3.1
    TME 10 Module For Oracle - Framework, Version 1.0

Hardware Requirements

The following table provides the estimated disk space requirements for the TME 10 Module For Oracle - User Management software. The space requirements listed below are for the Tivoli Management Region (TMR) server and clients. This space is in addition to the space requirements for the management platform and other products. Please refer to the TME 10 Framework Planning and Installation Guide for TMR server and client hardware requirements.

    Platform    Server     Client
    AIX3        6.69MB     6.35MB
    AIX4        5.85MB     5.45MB
    HP-UX9      4.49MB     4.15MB
    HP-UX10     18.45MB    18.11MB
    Solaris     3.43MB     3.1MB
    SunOS       8.96MB     8.62MB
    NT          17 Mb      16.5 Mb

Installation

You can install the TME 10 Module For Oracle - User Management application from either the TME 10 desktop or the command line.

Desktop

Use the following steps to install the application from the TME 10 desktop. You must have the TME 10 senior authorization role to install this application.

1. Select the Install -> Install Product... option from the Desktop menu.

   TME 10 displays the Install Product dialog.

   If the Select Product to Install: scrolling list is empty, proceed to step 2. If there are products listed in the scrolling list, move directly to step 3.

2. Press the Select Media... button.

   TME 10 displays the File Browser dialog. The File Browser dialog enables you to identify or specify the path to the installation media.

   If you already know the path to the installation media:

   a. Enter the full path in the Path Name: field.
   b. Press the Set Path button to change to the specified directory.
   c. Press the Set Media & Close button to save the new media path and return to the Install Product dialog. The dialog now contains a list of products that are available for installation.

   If you do not know the exact path to the installation media:

   a. From the Hosts: scrolling list, choose the host on which the install media is mounted.
   b. Choose a directory from the Directories: scrolling list.
   c. Press the Set Media & Close button to save the new media path and return to the Install Product dialog. The dialog now contains a list of products that are available for installation.

3. Select TME 10 Module For Oracle - User Management, Version 1.0 from the Select Product to Install: scrolling list.

4. Use the arrow buttons to move the clients from one choice list to another. The application will be installed on the clients in the Clients to Install On: list.

   You must install the software on the TMR server and on any client where you want to manage Oracle users, roles, and resource profiles. TME 10 Module For Oracle - Framework must already be installed on these machines.

5. Press the Install & Close button to install the product and close the Install Product dialog.

   OR

   Press the Install button to install the product and keep the Install Product dialog open. You can then install the same product on another set of clients or you can install another product.

   The installation process prompts you with a Product Install dialog. This dialog provides the list of operations that will take place when installing the software. This dialog also warns you of any problems that you may want to correct before you install the application.

6. Press the Continue Install button to start the installation.

   When the installation is complete, the Product Install dialog will return a completion message.

7. Press the Close button to close the dialog.

Command Line

You can use the winstall command to install TME 10 Module For Oracle - User Management from the command line:

    winstall [-c cdrom-dir] [-s server] [-i product] [-ny] [install-variable...] [managed_node...]

where:

    -c cdrom-dir
        Specifies the complete path to the images.

    -s server
        Specifies the managed node in the TME 10 region to use as the product's installation server.

    -i product
        Specifies the product installation index file to install. A product installation index file ends with the file extension .ind. For example, the file OUSER.IND is the installation index file for TME 10 Module For Oracle - User Management.

    -n
        Installs the product on all managed nodes that do not currently have the product installed. This argument is ignored if managed_node is specified.

    -y
        Specifies that the installation should proceed without confirmation.

    install-variable=value
        Several of the install variables specify the directories where the TME 10 product will be installed. If a directory already contains files from a previous installation, winstall will not re-copy the files. You can force any of these directories to be re-installed by entering a ! character after the specified directory. The following are the install variables related to the installation directories. Your settings will override the current default installation directories.

        BIN=binaries_directory
            Overrides the default installation path for the product's binaries.
        LIB=libraries_directory
            Overrides the default installation path for the product's libraries.
        MAN=man_page_directory
            Overrides the default installation path for the product's man pages.
        CAT=message_catalog_directory
            Overrides the default installation path for the product's message catalogs.
        DB=database_directory
            Overrides the default installation path for the product's database.

    managed_node
        Specifies the managed node on which a TME 10 product will be installed. Multiple managed nodes can be specified. If no managed nodes are specified, the product will be installed on all managed nodes in the Tivoli Management Region (TMR). In most cases, this argument will not be specified.

Examples

The following example installs TME 10 Module For Oracle - User Management on managed node donald. The installation will proceed without prompting for confirmation. The install image is taken from directory /Test/Oracle1.0 on solaris25. The product installation index file is OUSER.IND. The installation directory locations are determined by the current settings.

    winstall -y -c /Test/Oracle1.0 -s solaris25 \
        -i OUSER.IND donald

Chapter 2 Understanding TME 10 Oracle User Management

TME 10 Module For Oracle - User Management allows you to add, alter, and drop Oracle users, roles, and resource profiles for any number of Oracle databases in a distributed, heterogeneous environment. TME 10 introduces the powerful concepts of policy regions, management policy, management-by-subscription, and secure delegation.

This chapter describes these and other concepts that form the basis of TME 10 Module For Oracle - User Management. They are the following:

    Management policy
    Management-by-subscription
    Secure delegation
    Profile capabilities
    Management of database configuration information
    Setting default and validation policy

For details of registering and managing Oracle databases, see the TME 10 Module For Oracle - Framework User's Guide.

Management Policy

TME 10 allows you to group Oracle database resources into entities called policy regions. Hierarchically structured, policy regions reflect groupings that make sense to your organization, such as department, job function, or geographic region.

Once policy regions have been created, you establish policy guidelines for managed resources within each policy region. These guidelines are the rules by which you maintain control over Oracle installations on the network. TME 10 incorporates both default policy and validation policy to ensure that changes made to any Oracle users, roles, and resources conform to your current policy constraints. TME 10 Module For Oracle - User Management ships with built-in Best Practices policy for each managed resource.

Management-by-Subscription

TME 10 incorporates a powerful concept called management-by-subscription, which allows you to capture, define, and distribute Oracle configuration information in a series of logically organized profiles. Profiles enable you to define Oracle information and policies centrally and apply that information across the enterprise. You manage Oracle users, roles, and resources in profiles. For example, you define all of your Oracle users in the Sales department in an Oracle User profile.

Oracle databases act as endpoints that subscribe to distributions of profile information. Profile managers manage the relationship between profiles and subscribers and provide scalability. You can easily update your enterprise-wide environment by editing a profile and then distributing the changes to all subscribing Oracle databases.

Secure Delegation

The advanced security mechanisms built into TME 10 enable you to delegate routine Oracle administrative tasks securely and confidently to less experienced database administrators (DBAs). You can specify which Oracle managed resources can be controlled within each policy region. You can also control the access and authority TME 10 administrators have within policy regions. In addition, TME 10 uses access control lists to limit authority on a resource-by-resource basis. This means that TME 10 administrators can perform privileged operations without privileged password access (SYS or SYSTEM). The event notification group for TME 10 Module For Oracle - User Management provides a detailed audit trail of all TME 10 administrators' activity.

For example, a corporate DBA creates a policy region for the databases in the Boston office. Within this policy region, he creates a profile manager to manage Oracle users for these databases. The DBA at the Boston office is relatively inexperienced, so the corporate DBA sets up default and validation policy to restrict what the DBA at Boston can do. A common mistake when adding a new user to an Oracle database is to set the temporary tablespace to SYSTEM. The corporate DBA sets a policy on the temporary tablespace attribute of the user profile that prevents the creation of a new Oracle user with the temporary tablespace set to SYSTEM.

Profile Capabilities

All profile-based managed resources share common functionality and GUI behavior, increasing ease of use for administrators. You can initially populate a profile from an existing Oracle database, extracting the information from the data dictionary, thus eliminating transcription errors.

In the event that user changes are made out of TME 10's control, you can use the synchronization facility to determine the differences between the profile configuration and the actual Oracle database. TME 10 gives you the ability to resolve the differences.

Note: Changes are applied to each endpoint separately, and each distribution will succeed or fail without reference to other endpoints in the distribution.

Management of Database Configuration Information

It is important to distinguish between the records in a TME 10 Module For Oracle - User Management profile and the records in an Oracle database. You can initially populate a profile from an Oracle database, but an endpoint database is not updated until the profile is distributed to the endpoint. Changes are made to the profile independently of an endpoint database.

When you add, edit, or delete a record in a profile, you tell TME 10 how you want a user, role, or resource to look on the database. For example, adding records to a profile is not always synonymous with a CREATE statement in SQL. At the database endpoint, TME 10 determines the syntax of the SQL statement required to make the database match the specification in the profile.

Setting Default and Validation Policy

For each profile you can set default and validation policies. Default policy allows you to set initial values for each attribute in a profile and applies to creating new records in a profile. For example, a new user can be created with an initial value for the user's temporary tablespace.

Validation policy runs when you populate a profile, add a new profile record, or explicitly request validation. TME 10 uses validation policy to verify that a profile record complies with set policy and prevents records with invalid values from being created. You can enable or disable validation policy within a profile.

The policy for any attribute can be set to either Script or Constant. If the policy is set to Script, the user creates a shell script (called the script body). If the policy is set to Constant, the allowable values depend on the attribute, and are set as string representations of IDL structures.
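The Script policy type described above, applied to the corporate DBA's temporary tablespace rule from Secure Delegation, as an added example that is not part of the original guide or the product's own code. It assumes that the candidate attribute value is passed as the first argument and that the script reports its verdict by printing TRUE or FALSE; the function names and the ALLOWED_TEMP_TABLESPACES allow-list are hypothetical.

```sh
#!/bin/sh
# Added example: a validation-policy style script body for the temporary
# tablespace attribute of an Oracle User profile.
# ASSUMPTIONS (not taken from the guide): the candidate value arrives as $1
# and the verdict is printed as TRUE (accept) or FALSE (reject).

# Tablespaces that must never hold temporary segments.
FORBIDDEN_TEMP_TABLESPACES="SYSTEM"

# Hypothetical site setting: optional space-separated allow-list of
# upper-case names. Empty means "anything that is not forbidden".
ALLOWED_TEMP_TABLESPACES="${ALLOWED_TEMP_TABLESPACES:-}"

# Strip whitespace and double quotes, then upper-case the name.
# Quoted Oracle identifiers are case-sensitive, so "system" is strictly a
# different name from SYSTEM; the policy fails closed and treats every
# case variant as SYSTEM.
normalize_tablespace() {
    printf '%s' "$1" | tr -d ' \t\r\n"' | tr '[:lower:]' '[:upper:]'
}

# in_list NAME "A B C" -> exit status 0 if NAME is one of the words.
in_list() {
    needle=$1
    for item in $2; do
        if [ "$item" = "$needle" ]; then
            return 0
        fi
    done
    return 1
}

# Print TRUE if the value is acceptable as a temporary tablespace,
# FALSE otherwise.
validate_temp_tablespace() {
    ts=$(normalize_tablespace "$1")

    # An empty value would fall back to the database default; reject it
    # so the profile record always states the tablespace explicitly.
    if [ -z "$ts" ]; then
        echo FALSE
        return 0
    fi

    # The rule from the Boston example: never SYSTEM.
    if in_list "$ts" "$FORBIDDEN_TEMP_TABLESPACES"; then
        echo FALSE
        return 0
    fi

    # Optional tightening: only names on the allow-list pass.
    if [ -n "$ALLOWED_TEMP_TABLESPACES" ] &&
       ! in_list "$ts" "$ALLOWED_TEMP_TABLESPACES"; then
        echo FALSE
        return 0
    fi

    echo TRUE
}

# When invoked as a script with an argument, validate that argument.
if [ "$#" -gt 0 ]; then
    validate_temp_tablespace "$1"
fi
```

Rejecting empty values and every case variant of SYSTEM keeps the rule fail-closed, so a delegated administrator cannot bypass it with quoting or spacing.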

3 3Setting up Oracle User Management Profiles This chapter explains how to set up Oracle User profiles and manage subscribers in a profile manager. The same concepts apply equally to Oracle Role and Oracle Resource profiles. This chapter describes the following tasks: Setting managed resources Creating a profile manager Creating a TME 10 Oracle User Profile Adding subscribers Removing subscribers Setting Managed Resources Each policy region maintains a list of managed resource types that are valid or defined for that specific policy region. TME 10 provides the following three managed resource types for Oracle User Management: OracleUserProfile OracleRoleProfile OracleResourceProfile You can add or remove managed resource types at any time. To create and manage each type of Oracle User Management profile within a Setting up Oracle User Management Profiles TME 10 Module For Oracle - User Management User s Guide 3 1

Setting Managed Resources policy region, you must set the relevant managed resource type as a current resource in the region. TME 10 managed resource types are independent of each other. They can exist together or in separate policy regions. When you add a managed resource type to a policy region, TME 10 assigns the managed resource type the policy region's basic default policy. TME 10 also enables you to create new instances of the managed resource in the policy region. The following table provides the context and authorization role required for the following task: Activity Context Required Role Add or remove a managed resource type for a policy region Policy region senior Desktop You can perform this task from either the TME 10 desktop or the command line. Use the following steps to add or remove Oracle User Management managed resources. 1. In the policy region, select the Managed Resources... option from the Properties menu. 3 2 Version 1.0

Setting Managed Resources TME 10 displays the Set Managed Resources dialog. The Current Resources: scrolling list displays the policy region s current managed resource types. The Available Resources: scrolling list displays the managed resource types that you can add to the policy region. 2. Highlight the OracleResourceProfile, OracleRoleProfile and OracleUserProfile managed resource types from the Available Resources: scrolling list and press the Left Arrow button. Setting up Oracle User Management Profiles TME 10 moves the chosen managed resource types to the Current Resources: scrolling list. You can achieve the same result by double-clicking on an entry. TME 10 Module For Oracle - User Management User s Guide 3 3

To remove a managed resource type from the policy region, choose one or more managed resource types in the Current Resources: scrolling list. Use the Right Arrow button to move the managed resource types into the Available Resources: scrolling list.

3. Press the Set & Close button to save the changes and return to the policy region.

Command Line

For more information about using the command line to examine and change the managed resource types of a policy region, see the manual page for the wgetpr and wsetpr commands.

Creating a Profile Manager

A profile manager manages the relationship between a profile and the subscribers who receive the profile's information. You create a profile in a profile manager.

The following table provides the context and authorization role required for this task.

Activity | Context | Required Role
Create a profile manager | Policy region | senior

You can perform this task from either the TME 10 desktop or the command line.

Desktop

Use the following steps to create a profile manager.

1. From a policy region, select the Profile Manager... option from the Create menu to display the Create Profile Manager dialog.

2. Enter the name of the profile manager in the Name/Icon Label text field. The name of a TME 10 resource such as a profile manager can include any alphanumeric character, an underscore (_), a dash (-), a period (.), or a space. We advise against using a space, which can make CLI operations awkward.

3. Press Create & Close to create the profile manager and return to the policy region window.

TME 10 displays the profile manager in the policy region window.

Command Line

For more information about using the command line to create a profile manager, see the manual page for the wcrtprfmgr command.

Creating an Oracle User Profile

The following table provides the context and authorization role required for this task.

Activity | Context | Required Role
Create an Oracle User profile | Profile manager | senior

You can perform this task from either the TME 10 desktop or the command line.

Desktop

Use the following steps to create an Oracle User profile. You must have previously created the policy region and profile manager in which the Oracle User profile will reside.

1. To display the Profile Manager window, double-click on a profile manager icon.

--OR--

Select the Open... option from the profile manager icon's pop-up menu.

2. Select the Profile... option from the Create menu of the Profile Manager window to display the Create Profile dialog.

3. Select the appropriate profile type from the Type: scrolling list.

The managed resources available in the policy region determine the types of profiles available in the Type: scrolling list.

4. Enter a name for the profile in the Name/Icon Label: field. Within a profile manager, each Oracle User profile must have a unique name.

5. Press Create to create the profile and keep the Create Profile dialog open. Repeat steps 3 and 4 to create more profiles.

--OR--

Press the Create & Close button to create the profile and return to the Profile Manager window.

The icon for the Oracle User profile appears in the Profiles area of the Profile Manager window.

The following illustration shows the icons for an Oracle Resource, Oracle Role and Oracle User profile.

Command Line

For more information about using the command line to create profiles in a profile manager, see the manual page for the wcrtprf command.

Adding Subscribers

Subscription takes place at the profile manager level. Therefore, to add a subscriber to an Oracle User profile, the subscriber must be added to the profile manager.

You can subscribe a managed Oracle database to profiles, in the same way as any other managed resource. You can subscribe an Oracle database to a profile manager in one of the following ways:

- By the drag and drop method
- Through the Subscribers dialog
- From the command line

Desktop, Drag and Drop

To subscribe an endpoint to a profile manager, drag and drop the endpoint icon onto the profile manager. Valid endpoints for a profile manager include other profile managers and Oracle databases.

The following table provides the context and authorization role required for this task.

Activity | Context | Required Role
Add one or more subscribers | Profile manager's policy region | admin

Desktop, Profile Manager

Use the following steps to add one or more subscribers to a profile manager.

Activity | Context | Required Role
Add or remove one or more subscribers | TMR | admin

1. To display the Subscribers dialog, select the Subscribers... option from the profile manager icon's pop-up menu.

--OR--

Select the Subscribers... option from the Profile Manager menu.

2. Select one or more subscribers from the Available to become Subscribers: list. This dialog contains a list of all profile managers and endpoints that can subscribe to the current profile manager. Only profile managers and Oracle databases are valid subscribers for TME 10 Module For Oracle - User Management profiles.

3. Press the left arrow button to move your selections from the available list to the Current Subscribers: list.

4. Press the Set Subscriptions & Close button to add the subscribers to the profile manager and dismiss the Subscribers dialog.

The subscribers now appear in the profile manager. You update the subscribing Oracle database's system catalogs only when you distribute a profile to the endpoint subscribers.

Command Line

For more information about using the command line to subscribe a profile manager or profile endpoint to a profile manager, see the manual page for the wsub command.

Removing Subscribers

Subscription takes place at the profile manager level. Therefore, to remove a subscriber from an Oracle User profile, you must remove it from the profile manager.

You can unsubscribe a managed Oracle database from profiles, in the same way as any other managed resource. You can unsubscribe an Oracle database from a profile manager in one of the following ways:

- Through the Subscribers-->Unsubscribe option on the Edit menu
- Through the Subscribers dialog
- From the command line

The following table provides the context and authorization role required for this task.

Activity | Context | Required Role
Remove one or more subscribers | Profile manager's policy region | admin

Desktop, Edit Menu

Use the following steps to remove one or more subscribers from a profile manager.

1. From the Profile Manager window, select the subscriber's icon. Press the <Ctrl> key and click on additional icons to select multiple icons.

2. Select the Subscribers-->Unsubscribe... option from the Edit menu.

TME 10 displays the Unsubscribe Subscribers dialog.

3. Press the Delete all profile copies button to remove all local copies of any profile received by the subscriber in this profile manager and by its subscribers below in the subscription hierarchy.

--OR--

Press the Keep all profile copies button if you do not want to delete the local copies of each profile received by a subscriber. Each local copy will become an original.

TME 10 returns you to the profile manager. The unsubscribed subscribers have been removed from the profile manager.

Command Line

For information about using the command line to remove a subscription to a profile manager, see the manual page for the wunsub command.

Chapter 4: Profile Policy

This chapter explains how to set up profile policy in Oracle User profiles. The same concepts apply equally to Oracle Role and Oracle Resource profiles. This chapter describes the following tasks:

- Setting and editing default policy
- Setting and editing validation policy
- Using string constants in User and Role profiles
- Using string constants in Resource profiles

Setting and Editing Default Policy

When you create a new entry in a TME 10 Oracle User Management profile, default policy can provide initial values for one or more attributes. You can lock each default attribute against change by subscribers in their local copies of the distributed profiles.

The following table provides the context and authorization role required for this task.

Activity | Context | Required Role
Set or edit default policy | Oracle User profile | senior

You can perform this task from either the TME 10 desktop or the command line.

Desktop

Use the following steps to set or edit default policy in an Oracle User profile.

1. Select the Default Policies... option from the Edit menu in the Database User Profile window to display the Edit Default Policies dialog.

2. Select an attribute from the Attributes: scrolling list.

3. Select No in the Subscribers can edit field to prevent subscribers from changing this default attribute.

4. Select a default type from the Default Type options. You can choose None, Constant, or Script. If you choose None, there is no default policy for the selected attribute.

5. Enter the policy.

Entering a Constant Value

a. If you choose Constant, enter a constant for the attribute in the Value field. See Using String Constants in User and Role Profiles on page 4-13 and Using String Constants in Resource Profiles on page 4-15 for the allowable string formats.

Press the Set button to save the changes and edit another default policy attribute.

--OR--

Press the Set & Close button to apply your changes and dismiss the dialog.

Entering a Script

b. If you choose Script, TME 10 updates the dialog to include the Edit Script Arguments... and Edit Script Body... fields.

Press the Edit Script Arguments... button to display the Policy Script Arguments dialog.

Select one or more attributes and press the right arrow button to add them to the valid default Script Arguments: scrolling list.

Press the Set & Close button to apply your changes and dismiss the dialog.

--OR--

Press the Set button to apply your changes and continue editing in this dialog.

Press the Edit Script Body... button in the Edit Default Policies dialog to display the Edit Policy Script dialog. In the text window, enter (or edit) the policy script for the selected attribute.

Press the Save & Close button to apply your changes and dismiss the dialog.

At the Edit Default Policies dialog, press the Set button to save the changes and edit another default policy attribute.

--OR--

Press the Set & Close button to save the changes and return to the Database User Profile dialog.

You must distribute the profile to update existing subscribers' copies of the profile. Default policy only affects the profile records; it does not affect the Oracle database's system catalogs.

Command Line

For more information about using the command line to examine and set default policy, see the manual page for the wlspolm, wgetpolm, and wputpolm commands.

Setting and Editing Validation Policy

If validation policy is enabled, it operates when you populate a profile, add a new entry, or explicitly request validation. TME 10 uses validation to verify that a profile entry complies with set policy and prevents you from creating an entry that does not meet validation policy.

You can enable or disable validation policy within a profile. You can also lock an attribute's validation policy against change by subscribers at a lower level. See Profile Validation Policy on A-1 for an example of setting up and using validation policy.

The following table provides the context and authorization role required for this task.

Activity | Context | Required Role
Set or edit validation policy | Oracle User profile | senior

You can perform this task from either the TME 10 desktop or the command line.

Desktop

Use the following steps to set or edit validation policy in an Oracle User profile.

1. Select the Validation Policies... option from the Edit menu in the Database User Profile window to display the Edit Validation Policies dialog.

2. Select the Validation Policy Disabled radio button if you want to turn off validation in this profile.

3. Select an attribute from the Attributes: scroll list.

4. Press Yes in the Subscribers can edit policy field to allow subscribers to change this policy; otherwise press No.

5. Select a default type from the Default Type options. You can choose None, Constant, Script or Regular Expression. If you choose None, there is no validation policy for the selected attribute.

6. Enter the policy.

Entering a Constant Value

a. If you choose Constant, enter a constant for the attribute in the Value field. See Using String Constants in User and Role Profiles on page 4-13 and Using String Constants in Resource Profiles on page 4-15 for the allowable string formats.

Press the Set & Close button to apply your changes and dismiss the dialog.

--OR--

Press the Set button to apply your changes and continue editing in this dialog.

Entering a Script

b. If you choose Script, the dialog is updated to include the Edit Script Arguments... and Edit Script Body... fields.

Press the Edit Script Arguments... button to display the Policy Script Arguments dialog.

Select one or more attributes and press the right arrow button to add them to the validation Script Arguments: scrolling list.

Press the Set & Close button to apply your changes and dismiss the dialog.

--OR--

Press the Set button to apply your changes and continue editing in this dialog.

In the Edit Validation Policy dialog, press the Edit Script Body... button to display the Edit Policy Script dialog. In the text window, enter (or edit) the policy script for the selected attribute.

Press the Save & Close button to apply your changes and dismiss the dialog.

Entering a Regular Expression

c. If you select Regular Expressions, the dialog prompts you to enter a regular expression in the Value field.

Press the Set button to save the changes and edit another validation policy attribute.

--OR--

Press the Set & Close button to save the changes and return to the Database User Profile dialog.

You must distribute the profile to update existing subscribers' copies of the profile. Validation policy only affects the profile records; it does not affect the Oracle database's system catalogs.

Command Line

For more information about using the command line to examine and set validation policy, see the manual page for the wlspolm, wgetpolm, and wputpolm commands.

Using String Constants in User and Role Profiles

This section describes the syntax used when defining profile policy for Oracle User and Oracle Role profiles. See Setting and Editing Default Policy on page 4-1 and Setting and Editing Validation Policy on page 4-7 for the procedures for setting policy.

Profile: Oracle User Profile
Attribute: Default Tablespace
Synopsis: Tablespace Name
Example: USERS

Enter the name of the tablespace in the Value field.

Profile: Oracle User Profile
Attribute: Temporary Tablespace
Synopsis: Tablespace Name
Example: TEMP

Enter the name of the tablespace in the Value field.

Profile: Oracle User Profile
Attribute and Synopsis: Resource Profile Name
Example: LIMITCPU

Enter the name of the resource profile in the Value field. This value must relate to a record in an Oracle Resource profile within the same profile manager.

Profile: Oracle User Profile or Oracle Role Profile
Attribute: Roles
Synopsis: { Count_of [ { privilege_name is_grantable is_default_role } ]... }
Example: { 2 { "CONNECT" FALSE TRUE } { "RESOURCE" FALSE TRUE } }

The number of roles defined is 2. The first role, CONNECT, is not grantable but is a default role. The second role, RESOURCE, is not grantable but is a default role. Note that the role names are enclosed in double quotes, but the keywords TRUE and FALSE are not in quotes.

Profile: Oracle User Profile or Oracle Role Profile
Attribute: System Privileges
Synopsis: { Count_of [ { privilege_name is_grantable } ]... }
Example: { 2 { "SELECT ANY TABLE" TRUE } { "CREATE TABLE" FALSE } }

The number of privileges is 2. The first privilege, SELECT ANY TABLE, is grantable. The second privilege, CREATE TABLE, is not grantable.

Profile: Oracle User Profile
Attribute: Object Privileges
Synopsis: { Count_of [ { grantee privilege_name { column_count [ column ]... } schema_name object is_grantable } ]... }
Example: { 1 { "ACCOUNTS" "UPDATE" { 2 "SAL" "COMM" } "SCOTT" "EMP" FALSE } }

Only 1 user, ACCOUNTS, is granted an object privilege. The privilege UPDATE is granted on a sequence of 2 columns, SAL and COMM. The object is SCOTT.EMP, and the grantee is not allowed to grant the privileges to other users or roles.

Profile: Oracle User Profile
Attribute: Quotas
Synopsis: { Count_of [ { tablespace_name is_limited limit_value } ]... }
Example: { 2 { "USERS" TRUE 512000 } { "TEMP" FALSE 0 } }

The user is given a quota of 512K bytes on the USERS tablespace, and UNLIMITED quota on the TEMP tablespace. Limit_value is the numerical value of the limit in bytes.

Using String Constants in Resource Profiles

This section describes the syntax used when defining profile policy for Oracle Resource profiles. See Setting and Editing Default Policy on page 4-1 and Setting and Editing Validation Policy on page 4-7 for the procedures for setting policy.

Attribute: Name
Synopsis: Resource profile name
Examples: LIMIT_CPU

Enter the name of the resource profile.

Attribute: CompositeLimit, SessionsPerUser, CPUPerCall, LogicalReadsPerCall, IdleTime, CPUPerSession, LogicalReadsPerSession, ConnectTime, PrivateSGA
Synopsis: { limit_type limit_value }
Examples:

{ LIMITED 3000 }

If this value is entered for the attribute CPU_PER_CALL, the profile will limit a user to 30 CPU seconds per call.

{ UNLIMITED 0 }

This allows unlimited use of a resource.
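The counted, brace-delimited constants for the Roles, System Privileges, Object Privileges and Quotas attributes can be checked before they are typed into a policy Value field. The following Python sketch is an added example, not part of this guide or of TME 10: it parses a constant according to the Synopsis lines above and returns typed entries, so a reviewer can see at a glance which privileges are marked grantable. The function names are hypothetical, and rejecting a Count_of mismatch or a wrongly quoted token is an assumption of the sketch, since the guide does not say how TME 10 reacts to such input.

```python
import re

# One token: a brace, a double-quoted string, or a bare word (TRUE, FALSE, digits).
_TOKEN = re.compile(r'\s*(?:([{}])|"([^"]*)"|([^\s{}"]+))')

class Quoted(str):
    """Marks a token that was written inside double quotes."""

def _bare(v):
    return isinstance(v, str) and not isinstance(v, Quoted)

def tokenize(text):
    text, pos, out = text.rstrip(), 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character at offset {pos}")
        brace, quoted, bare = m.groups()
        out.append(brace if brace else Quoted(quoted) if quoted is not None else bare)
        pos = m.end()
    return out

def parse(text):
    """Turn a brace-delimited constant into nested lists of tokens."""
    toks = tokenize(text)
    def group(i):
        if i >= len(toks) or not (_bare(toks[i]) and toks[i] == "{"):
            raise ValueError("expected '{'")
        items, i = [], i + 1
        while i < len(toks) and not (_bare(toks[i]) and toks[i] == "}"):
            if _bare(toks[i]) and toks[i] == "{":
                sub, i = group(i)
            else:
                sub, i = toks[i], i + 1
            items.append(sub)
        if i >= len(toks):
            raise ValueError("missing '}'")
        return items, i + 1
    tree, end = group(0)
    if end != len(toks):
        raise ValueError("text after closing '}'")
    return tree

# Field kinds per entry, in the order of each Synopsis in this section.
SCHEMAS = {
    "Roles": ("name", "bool", "bool"),
    "System Privileges": ("name", "bool"),
    "Object Privileges": ("name", "name", "cols", "name", "name", "bool"),
    "Quotas": ("name", "bool", "int"),
}

def _counted(group, convert):
    """Assumption: Count_of must equal the number of items that follow it."""
    if not (isinstance(group, list) and group and _bare(group[0]) and group[0].isdigit()):
        raise ValueError("group must start with an unquoted count")
    if int(group[0]) != len(group) - 1:
        raise ValueError(f"count is {group[0]} but {len(group) - 1} item(s) follow")
    return [convert(item) for item in group[1:]]

def _field(kind, value):
    if kind == "cols":
        return _counted(value, lambda v: _field("name", v))
    if kind == "name" and isinstance(value, Quoted):
        return str(value)
    if kind == "bool" and _bare(value) and value in ("TRUE", "FALSE"):
        return value == "TRUE"
    if kind == "int" and _bare(value) and value.isdigit():
        return int(value)
    raise ValueError(f"bad {kind} field (names are quoted, keywords are not): {value!r}")

def validate(attribute, text):
    """Parse and check one constant; return a list of typed entry tuples."""
    schema = SCHEMAS[attribute]
    def entry(e):
        if not isinstance(e, list) or len(e) != len(schema):
            raise ValueError(f"{attribute} entry needs {len(schema)} fields: {e!r}")
        return tuple(_field(k, v) for k, v in zip(schema, e))
    return _counted(parse(text), entry)
```

Calling validate("System Privileges", ...) on the example constant from this section returns one tuple per privilege, with the second element True for SELECT ANY TABLE, the only grantable entry.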

Chapter 5: Using Oracle User Management Profiles

This chapter explains how to use Oracle User profiles. The same concepts apply equally to Oracle Role and Oracle Resource profiles. This chapter describes the following tasks:

- Populating an Oracle User profile from a database
- Copying profile records
- Moving profile records
- Locking/unlocking records
- Listing user information
- Distributing profiles
- Deleting a profile

Populating an Oracle User Profile from a Database

The populate operation reads information from the specified database and copies it into an Oracle User profile.

TME 10 provides basic validation policy, which prevents the pre-defined usernames SYS and SYSTEM from being read into a profile. These user accounts should not be modified.

TME 10 provides basic validation policy in Oracle Role profiles to protect the following pre-defined roles:

- CONNECT
- DBA
- EXP_FULL_DATABASE
- IMP_FULL_DATABASE
- RESOURCE

TME 10 provides basic validation policy in Oracle Resource profiles to protect the pre-defined profile DEFAULT.

The following table provides the context and authorization role required for this task.

Activity | Context | Required Role
Populate an Oracle User profile | Oracle User profile | oracle_dba

You can perform this task from either the TME 10 desktop or the command line.

Desktop

Use the following steps to populate an Oracle User profile with the entries from an Oracle database.

1. To display the Database User Profile window, double-click on an Oracle User profile icon.

--OR--

Select the Edit Properties... option from the Oracle User profile's pop-up menu.

2. Select the Populate... option from the Profile menu of the Database User Profile window to display the Populate Oracle Profile dialog.

3. Select the databases from which to populate the profile from the scrolling list.

If more than one record exists with the same information on the databases from which you are populating, only the first instance of that record is added to the profile records.

4. Press the left arrow to move the databases into the Get records from these databases: scrolling list.

5. Press one of the following radio buttons:

- Append to existing record list: Adds the new records to the existing records in the profile. Use this option when populating a profile that contains records you want to keep.
- Overwrite existing record list: Replaces the user records in the profile with the new records. Use this option with caution. Existing records in this profile will be lost.

6. Press Populate to add the new records to the profile.

--OR--

Press Populate & Close to add the records to the profile and close the dialog.

If validation policy is enabled, TME 10 displays an Error message dialog. This message confirms that the pre-defined usernames of SYS and SYSTEM were not read into the profile. TME 10 validates each record from each Oracle database you choose to get records from.

7. Press the Dismiss button.

TME 10 displays the Database User Profile window with the user records.

Command Line

For information about using the command line to populate user profiles, see the manual page for the opopusers command.

Copying Profile Records

You can copy profile records from one Oracle User profile to another. The source and target profiles must be in different profile managers.

The following table provides the context and authorization role required for this task.

Activity | Context | Required Role
Copy a profile record | Oracle User profile | admin

You can perform this task from either the TME 10 desktop or the command line.