Oracle® Secure Backup Administrator's Guide
Release 10.4

Part Number E21476-07

2 Managing Users and Classes

This chapter describes Oracle Secure Backup users and classes and explains how to configure them in your administrative domain.

Note:

Before you set up an administrative domain, ensure you have logged into Oracle Secure Backup.

2.1 Understanding Users and Classes

An Oracle Secure Backup user is an administrative domain-wide identity, associated with a username. A class is a named collection of rights assigned to this user.

Note:

Do not confuse this sense of the term class with defaults and policies classes, which are a convenience for grouping defaults and policies related to one functional area of Oracle Secure Backup.

2.1.1 Oracle Secure Backup Users and Passwords

Oracle Secure Backup stores information pertaining to Oracle Secure Backup users and rights on the administrative server, enabling Oracle Secure Backup to maintain a consistent Oracle Secure Backup user identity across the administrative domain.

Each user of an Oracle Secure Backup administrative domain has an account and an encrypted password stored on the administrative server. An operating system user can enter his or her Oracle Secure Backup username and password in the Oracle Secure Backup Web tool or obtool. The client program sends the password over an encrypted SSL connection to the administrative server for host authentication.

Note:

The practice of supplying a password in clear text on a command line or in a command script is not recommended by Oracle. It is a security vulnerability. The recommended procedure is to have the user be prompted for the password.

2.1.1.1 Operating System Accounts

The namespace for Oracle Secure Backup users is distinct from the namespaces of existing UNIX, Linux, and Windows users. Thus, if you log in to a host in the administrative domain as operating system user johndoe, and if an Oracle Secure Backup user in the administrative domain is named johndoe, then these accounts are separately managed even though the name is the same. For convenience, you might want to create an Oracle Secure Backup user with the same name and password as an operating system user.

When you create an Oracle Secure Backup user, you can associate it with Linux, UNIX and Windows accounts. You can use one of these accounts for a backup operation that does not run with root privileges, also known as an unprivileged backup operation. In contrast, privileged backup and restore operations run on a client with root permissions on Linux and UNIX or Local System permissions on Windows.

Assume you create the Oracle Secure Backup user jdoe and associate it with UNIX account x_usr and Windows account w_usr. When jdoe uses the backup --unprivileged command to back up a client in the administrative domain, the job runs under the operating system accounts associated with jdoe. Thus, jdoe can only back up files on a UNIX client accessible to x_usr and files on a Windows client accessible to w_usr.

If you have the modify administrative domain's configuration right, then you can configure the preauthorization attribute of an Oracle Secure Backup user. You can preauthorize operating system users to make RMAN backups or log in to Oracle Secure Backup command-line utilities. For example, you can preauthorize the x_usr UNIX user to log in to obtool as Oracle Secure Backup user jdoe.

See Also:

Oracle Secure Backup Reference for more information on the modify administrative domain's configuration right

Note:

On Windows, Oracle Secure Backup stores the Windows name, password, and domain for each account. This data is communicated to the required client host over an encrypted SSL channel.

2.1.1.2 NDMP Hosts

When setting up an Oracle Secure Backup user account, you can configure user access to an NDMP host, which is a device such as a filer that does not run NDMP natively. Passwords for NDMP hosts are associated with the host instead of the user. You can configure the host to use the default NDMP password, a user-defined text password, or a null password. You can also configure a password authentication method such as text or MD5-encrypted.

Note:

The practice of supplying a password in clear text on a command line or in a command script is not recommended by Oracle. It is a security vulnerability. The recommended procedure is to have the user be prompted for the password.

2.1.1.3 About User Configuration

When you ran installob on the administrative server, Oracle Secure Backup created the admin user by default. Unless you chose to create the oracle user for use in backing up and recovering Oracle Databases, no other Oracle Secure Backup users exist in the administrative domain.

After installation, you can create more Oracle Secure Backup users or manage the attributes of individual Oracle Secure Backup users. The following user attributes are particularly important:

  • Preauthorizations

    You can preauthorize an operating system user to log in to the user-invoked Oracle Secure Backup command-line utilities. You must preauthorize an operating system user to make Oracle Database SBT backups through RMAN.

    A preauthorization for an operating system user is associated with a specific Oracle Secure Backup user. For example, you can enable the Linux user johndoe to log in to obtool as the Oracle Secure Backup user named backup_admin. You could also preauthorize johndoe to run RMAN backups under the backup_admin identity.

  • Operating system accounts for unprivileged backups

    An unprivileged backup is a file-system backup of a client that does not run on the operating system as root on UNIX and Linux or as a member of the Administrators group on Windows. You must specify which operating system accounts are used for unprivileged backups.

Oracle recommends that you follow these steps to set up and manage Oracle Secure Backup users in your administrative domain:

  1. Add Oracle Secure Backup users if necessary.

  2. Change the admin password if necessary.

    You set the original password when you installed Oracle Secure Backup on the administrative server. "Changing a User Password" describes this task.

  3. Review the attributes of each Oracle Secure Backup user.

    "Editing or Displaying User Properties" describes this task.

  4. Configure preauthorization and account settings for unprivileged backups if necessary.

    "Assigning Windows Account Information" and "Assigning Preauthorized Access" describe this task.

2.1.2 Oracle Secure Backup Classes and Rights

An Oracle Secure Backup class defines a set of rights granted to an Oracle Secure Backup user. A class is similar to a Linux or UNIX group, but it defines a finer granularity of access rights tailored to the needs of Oracle Secure Backup.

As shown in Figure 2-1, you can assign multiple Oracle Secure Backup users to a class. Each Oracle Secure Backup user can be a member of only one class.

Figure 2-1 Classes and Rights

The following classes are key to understanding Oracle Secure Backup user rights:

  • admin

    This class is used for overall management of an administrative domain. The admin class has all the rights needed to modify administrative domain configurations and perform backup and restore operations.

  • operator

    This class is used for standard day-to-day operations. The operator class lacks configuration rights but has all the rights needed for backup and restore operations. It also allows the Oracle Secure Backup user to query the state of any primary or secondary storage device and to control the state of these devices.

  • oracle

    This class is similar to the operator class. The oracle class has all rights necessary to modify Oracle Database configuration settings and to perform Oracle Database backups. Class members are usually Oracle Secure Backup users that are mapped to operating system accounts of Oracle Database installations.

  • user

    This class gives Oracle Secure Backup users permission to interact in a limited way with their domains. This class is reserved for Oracle Secure Backup users who must browse their own data within the Oracle Secure Backup catalog and perform user-based restore operations.

  • reader

    This class enables Oracle Secure Backup users only to modify the given name and password for their user account and to browse their own catalog. Users in the reader class must know the exact restore path that they own, because they are not even able to see a listing of what hosts belong to the Oracle Secure Backup administrative domain.

    When creating a user in the reader class, you must map the user to a valid operating system user and group.

  • monitor

    This class enables Oracle Secure Backup users only to access Oracle Database backups, access file-system backups, display the administrative domain configuration, list all jobs, and display information about devices. Users in this class cannot perform backup or restore operations, modify the administrative domain, or receive email notifications.

    An Oracle Secure Backup user assigned to the monitor class is necessary as the OSB username parameter in Oracle Secure Backup target registration within Oracle Enterprise Manager.

See Also:

  • "Configuring Classes" for a detailed description of the rights available to each class

  • Oracle Secure Backup Reference

2.2 Configuring Defaults and Policies

Defaults and policies are configuration settings that control how Oracle Secure Backup operates within an administrative domain. Defaults and policies are divided into classes, depending upon what area of functionality they control. The policy defaults are usually sufficient to protect your data and secure your network. But if you have special requirements, environments, or backup strategies, then you should review the defaults and make changes where necessary.

Note:

Do not confuse policy classes, which are only an organizational convenience, with user classes.

The classes of policies that you might want to review or change are:

  • Backup Encryption

    This policy class controls how Oracle Secure Backup performs backup encryption. For example, you can specify which encryption algorithms to use and how encryption keys are managed.

  • Device

    This policy class controls how tape devices are automatically detected during device discovery. It also controls when tape device write warnings are generated.

  • Media

    This policy class controls media management for the administrative domain. For example, you can choose whether tapes are required to have barcode labels and set the retention period and write window for volumes in the default media family.

  • NDMP

    This policy class controls settings applicable to hosts that use NDMP access mode. For example, you can configure backup environment variables or specify a user name for authentication.

  • Operations

    This policy class controls aspects of backup and restore operations. For example, you can set the amount of time that an RMAN backup job waits in the Oracle Secure Backup scheduler queue for the required resources to become available.

  • Scheduler

    This policy class controls the behavior of the Oracle Secure Backup scheduler. For example, you can specify the frequency at which the scheduler attempts to dispatch backup jobs.

  • Security

    This policy class controls aspects of administrative domain security. For example, you can enable SSL encryption for backup data in transit or set the host identity certificate key size. Oracle Secure Backup Installation and Configuration Guide explains how to change the default security policies.

  • Vaulting

    This policy class controls media management. It includes the autovolumerelease policy, the customer ID for each third-party storage location, minimum writeable volumes, and report retain time. See Chapter 9, "Vaulting" for more information on these policies.

  • Volume Duplication

    This policy class controls how volume duplication is performed using Oracle Secure Backup.

2.2.1 Viewing Configured Defaults and Policies Values

In the Advanced section of the Configure page, click Defaults and Policies to display the page shown in Figure 2-2. This page lists the policy classes.

Figure 2-2 Defaults and Policies Page

See Also:

Oracle Secure Backup Reference to learn about the policy commands in the obtool command-line interface and the descriptions of the defaults and policies

2.2.2 Setting a Policy

Before changing a policy setting, refer to the "Defaults and Policies" appendix in Oracle Secure Backup Reference. This appendix contains extensive descriptions of the policies and describes valid settings. You should not ordinarily be required to change the default settings.

To change a policy setting: 

  1. In the Policy column on the Defaults and Policies page, click the name of the policy class to be edited. For example, click scheduler.

    The policy_name page appears. Figure 2-3 shows the Scheduler page before any changes are made.

    Figure 2-3 Unmodified Scheduler Page

  2. Change the settings of one or more policies.

  3. Do one of these:

    • Click Apply to remain on this page.

    • Click OK to save the changes and return to the Defaults and Policies page.

    When you change a policy setting from its default, the Web tool displays the default value for the policy in the Reset to Default Value column.

    Figure 2-4 shows the Scheduler page after the backup frequency has been changed to 6 minutes from the default of 5 minutes.

    Figure 2-4 Modified Scheduler Page

2.2.3 Resetting a Policy

You can use the Web tool to reset the value of one or more Oracle Secure Backup policies to the default value.

To reset a policy: 

  1. In the Policy column on the Defaults and Policies page, click the name of the policy class that contains the policy to be reset.

  2. Select the Reset to Default Value column for the policy that you are resetting.

  3. Click Apply or OK.

2.3 Configuring Users

Oracle Secure Backup users are managed in their own namespace, distinct from operating system users. This section describes how to create and manage an Oracle Secure Backup user with the Web tool.

2.3.1 Displaying the Users Page

In the Configure page, click Users to display the Users page, which is shown in Figure 2-5. This page lists all users authorized by Oracle Secure Backup along with their class names and email addresses. You can perform all user configuration tasks in this page or in pages to which it provides links.

See Also:

Oracle Secure Backup Reference to learn about the user commands in obtool

2.3.2 Adding a User

You can use the Web tool to define an Oracle Secure Backup user. Each Oracle Secure Backup user account belongs to exactly one class, which defines the rights of the Oracle Secure Backup user.

To add one or more users: 

  1. Follow the procedure in "Displaying the Users Page".

    The Configure: Users page appears.

  2. Click Add.

    The Configure: Users > New Users page appears.

  3. Enter a user name in the User field.

    The name you enter must start with an alphanumeric character. It can contain only letters, numerals, dashes, underscores, or periods. The maximum character length that you can enter is 31 characters.

    The user name must be unique among all Oracle Secure Backup user names. Formally, it is unrelated to any other name used in your computing environment or the Oracle Secure Backup administrative domain. Practically, it is helpful to choose Oracle Secure Backup user names that are identical to operating system user names.

  4. Enter a password in the Password field.

    This password is used to log in to Oracle Secure Backup. The maximum character length that you can enter is 16 characters.

    Note:

    The practice of supplying a password in clear text on a command line or in a command script is not recommended by Oracle. It is a security vulnerability. The recommended procedure is to have the Oracle Secure Backup user be prompted for the password.

  5. Select a class in the User class list.

    A class defines a set of rights.

  6. Enter a name for the Oracle Secure Backup user in the Given name box.

    This step is optional. The given name is for information purposes only.

  7. Enter a UNIX name for this account in the UNIX name field.

    This name forms the identity of any non-privileged jobs run by the Oracle Secure Backup user on UNIX systems. If you do not want this Oracle Secure Backup user to run Oracle Secure Backup jobs on UNIX systems, then leave this field blank.

  8. Enter a UNIX group name for this account in the UNIX group field.

    This name forms the identity of any non-privileged jobs run by the Oracle Secure Backup user on UNIX systems. If you do not want this Oracle Secure Backup user to run Oracle Secure Backup jobs on UNIX systems, then leave this field blank.

  9. Select yes in the NDMP server user list to request that NDMP servers in the Oracle Secure Backup administrative domain accept a login from this Oracle Secure Backup user by using the supplied user name and password.

    This option is not required for normal Oracle Secure Backup operation and is typically set to no.

  10. Enter the email address for the Oracle Secure Backup user in the Email Address field.

    When Oracle Secure Backup communicates with this user, for example to deliver a job summary or notify the user of a pending input request, it sends email to this address.

  11. Click Apply, OK, or Cancel.

  12. If the Oracle Secure Backup user you configured must initiate backup and restore operations on Windows clients, then see "Assigning Windows Account Information".

2.3.3 Editing or Displaying User Properties

This section explains how to modify properties for an existing user account.

Note:

To modify Oracle Secure Backup users, you must be a member of a class that has this right enabled. See "Oracle Secure Backup Classes and Rights" for details.

To edit Oracle Secure Backup user properties: 

  1. Follow the procedure in "Displaying the Users Page".

    The Configure: Users page appears.

  2. Select an Oracle Secure Backup user whose properties you want to modify from the User Name list.

  3. Click Edit.

    The Configure: Users > user_name page appears.

  4. Make whatever changes you want.

    You cannot change the name of an Oracle Secure Backup user on this page. To rename an Oracle Secure Backup user, see "Renaming a User".

  5. Click Apply to apply the changes and remain on the Configure: Users > user_name page.

  6. Click OK to apply the changes and return to the Configure: Users page.

  7. Click Cancel to return to the Configure: Users page without making any changes.

  8. If the Oracle Secure Backup user you configured must initiate backup and restore operations on Windows clients, then see "Assigning Windows Account Information".

2.3.4 Changing a User Password

This section explains how to modify the password for an existing user account.

Note:

To modify Oracle Secure Backup users, you must be a member of a class that has this right enabled. See "Oracle Secure Backup Classes and Rights" for details.

To change an Oracle Secure Backup user password: 

  1. Follow the procedure in "Displaying the Users Page".

    The Configure: Users page appears.

  2. From the Users page, select an Oracle Secure Backup user from the User name list.

  3. Click Change Password.

    The Configure: Users > user_name page appears.

  4. Enter a password.

  5. Confirm the password.

  6. Click OK or Cancel.

Note:

The practice of supplying a password in clear text on a command line or in a command script is not recommended by Oracle. It is a security vulnerability. The recommended procedure is to have the Oracle Secure Backup user be prompted for the password.

2.3.5 Assigning Windows Account Information

This section explains how to configure Windows account information for a user who must initiate backups and restore operations on Windows systems. You can associate an Oracle Secure Backup user with multiple Windows domain accounts or use a single account that applies to all Windows domains.

To assign Windows account information to an Oracle Secure Backup user: 

  1. Follow the procedure in "Displaying the Users Page".

    The Configure: Users page appears.

  2. Select an Oracle Secure Backup user in the User Name list.

  3. Click Edit.

    The Configure: Users > user_name page appears.

  4. Click Windows Domains.

    The Configure: Users > user_name > Windows Domains page appears.

  5. Enter a Windows domain name in the Domain name field.

    Enter an asterisk (*) in this field to associate this Oracle Secure Backup user with all Windows domains.

  6. Enter the account information for a Windows user in the Username and Password fields.

  7. Click Add to add the Windows account information.

    The page displays a success message, and account information appears in the Domain:Username list.

Note:

The practice of supplying a password in clear text on a command line or in a command script is not recommended by Oracle. It is a security vulnerability. The recommended procedure is to have the Oracle Secure Backup user be prompted for the password.

2.3.5.1 Removing a Windows Account

You can use the Web tool to remove Windows account information from an Oracle Secure Backup user account.

To remove a Windows account: 

  1. From the Windows Domain page, select a Windows account in the Domain: Username list.

  2. Click Remove.

    The Configure: Users > user_name > Windows Domains page displays a message informing you that the Windows account was successfully removed.

2.3.6 Assigning Preauthorized Access

This section explains how to give access to Oracle Secure Backup services and data to a specified operating system user. You can preauthorize Oracle Database SBT backups through RMAN or preauthorize login to the user-invoked Oracle Secure Backup command-line utilities.

Oracle Secure Backup preauthorizes access only for a specified operating system user on a specified host. For each host within an Oracle Secure Backup administrative domain, you can declare one or more one-to-one mappings between operating system user and Oracle Secure Backup user identities.

You can create a preauthorization only if you have the modify administrative domain's configuration right. Typically, only an Oracle Secure Backup user in the admin class has this right.

See Also:

Oracle Secure Backup Reference for more information on the modify administrative domain's configuration right

To assign preauthorized access: 

  1. Follow the procedure in "Displaying the Users Page".

    The Configure: Users page appears.

  2. Select an Oracle Secure Backup user in the User Name list.

  3. Click Edit.

    The Configure: Users > user_name page appears.

  4. Click Preauthorized Access.

    The Configure: Users > user_name > Preauthorized Access page appears.

  5. In the Hosts list, select either all hosts or the name of the host to which the operating system user is granted preauthorized access.

  6. In the OS username field, enter the operating system user account with which the Oracle Secure Backup user should access services and data. Enter an asterisk (*) or leave blank to select all operating system users.

  7. In the Windows domain name field, enter the Windows domain to which the operating system user belongs. The Windows domain is only applicable to preauthorized logins from a Windows host. Enter an asterisk (*) or leave blank to select all domains.

    If you enter a Windows account name in the OS username field, then you must enter an asterisk, leave the box blank, or enter a specific domain.

  8. In the Attributes list, select cmdline, rman, or both.

    You can select both attributes by clicking one of them and then shift-clicking the other.

    The cmdline attribute preauthorizes login through the user-invoked Oracle Secure Backup command-line utilities such as obtool. The rman attribute preauthorizes Oracle Database SBT backups through RMAN.

  9. Click Add.

    The page displays a success message, and the preauthorized Oracle Secure Backup user appears in the list.

    See Also:

    "Creating a Preauthorized Oracle Secure Backup User" for more details about RMAN preauthorization
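A review aid for the mappings this procedure creates, added here as an example and not part of Oracle's guide or tooling: it flags preauthorization entries whose wildcard fields or target class grant more than intended. The record fields mirror the Web tool form; the sample hosts, the winbackup user, and the use of "*" to stand for the all hosts choice are assumptions of this model, and the records are constructed, not obtool output.

```python
from dataclasses import dataclass

WILDCARD = {"", "*"}        # per the guide, an asterisk or a blank field selects all
ADMIN_CLASSES = {"admin"}   # classes holding configuration rights; extend for custom classes
RANK = {"critical": 0, "high": 1, "medium": 2, "error": 3}


@dataclass(frozen=True)
class Preauth:
    osb_user: str             # Oracle Secure Backup user the mapping resolves to
    osb_class: str            # class of that user
    host: str                 # host name, or "*" for "all hosts" (model assumption)
    os_user: str              # OS username field
    attributes: frozenset     # subset of {"cmdline", "rman"}
    windows_host: bool = False
    windows_domain: str = ""  # only meaningful for logins from a Windows host


def audit(entry):
    """Return a list of (severity, message) findings for one mapping."""
    findings = []
    any_host = entry.host.strip() in WILDCARD
    any_user = entry.os_user.strip() in WILDCARD

    unknown = entry.attributes - {"cmdline", "rman"}
    if unknown:
        findings.append(("error", f"unknown attributes: {sorted(unknown)}"))

    # Wildcards widen the set of OS identities that resolve to this user.
    if any_host and any_user:
        findings.append(
            ("critical", f"every OS user on every host maps to {entry.osb_user}"))
    elif any_user:
        findings.append(
            ("high", f"every OS user on {entry.host} maps to {entry.osb_user}"))
    elif any_host:
        findings.append(
            ("medium", f"OS user {entry.os_user} is trusted on every host"))

    # The Windows domain only matters for logins from a Windows host.
    if (entry.windows_host and not any_user
            and entry.windows_domain.strip() in WILDCARD):
        findings.append(
            ("medium", f"{entry.os_user} matches in any Windows domain"))

    # cmdline preauthorizes login to obtool and similar utilities, so the
    # class of the target user decides what that login can do.
    if "cmdline" in entry.attributes and entry.osb_class in ADMIN_CLASSES:
        findings.append(
            ("high", f"cmdline preauthorization reaches {entry.osb_class}-class rights"))
    return findings


def report(entries):
    """Flatten findings to (severity, osb_user, message), most severe first."""
    rows = [(sev, e.osb_user, msg) for e in entries for sev, msg in audit(e)]
    return sorted(rows, key=lambda row: RANK[row[0]])


# Constructed sample mappings (user names jdoe, x_usr, w_usr, johndoe and
# backup_admin are borrowed from the guide's examples; hosts are made up).
SAMPLE = [
    Preauth("jdoe", "operator", "client1", "x_usr", frozenset({"cmdline"})),
    Preauth("backup_admin", "admin", "*", "johndoe",
            frozenset({"cmdline", "rman"})),
    Preauth("oracle", "oracle", "dbhost1", "*", frozenset({"rman"})),
    Preauth("winbackup", "operator", "winclient1", "w_usr",
            frozenset({"cmdline"}), windows_host=True, windows_domain="*"),
    Preauth("admin", "admin", "*", "", frozenset({"cmdline"})),
]

if __name__ == "__main__":
    for severity, user, message in report(SAMPLE):
        print(f"{severity:8} {user:13} {message}")
```
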

2.3.6.1 Removing Preauthorized Access

You can remove a preauthorization only if you have the modify administrative domain's configuration right. Typically, only an Oracle Secure Backup user in the admin class has this right.

To remove preauthorized access: 

  1. From the Configure: Users > user_name > Preauthorized Access page, select the preauthorized access entry you want to remove in the main text pane.

  2. Click Remove.

    The preauthorized access entry is no longer displayed in the main text pane.

2.3.7 Renaming a User

You must have the modify administrative domain's configuration right to rename an Oracle Secure Backup user.

To rename an Oracle Secure Backup user: 

  1. Follow the procedure in "Displaying the Users Page".

    The Configure: Users page appears.

  2. Select the Oracle Secure Backup user whose name you want to change from the User Name list.

  3. Click Rename.

    A different page appears.

  4. Enter the name in the Rename user_name to field and click Yes.

    The Configure: Users page displays a success message, and the Oracle Secure Backup user has a different name in the User Name list.

2.3.8 Removing a User

You must have the modify administrative domain's configuration right to remove an Oracle Secure Backup user.

To remove an Oracle Secure Backup user: 

  1. Follow the procedure in "Displaying the Users Page".

    The Configure: Users page appears.

  2. Select the Oracle Secure Backup user you want to remove from the User Name list.

  3. Click Remove.

    A confirmation page appears.

  4. Click Yes to remove the Oracle Secure Backup user.

    You are returned to the Configure: Users page. A message appears telling you the Oracle Secure Backup user was successfully removed.

2.4 Configuring Classes

A class defines a set of rights that are granted to a user. A class can include multiple Oracle Secure Backup users, but each Oracle Secure Backup user is a member of one and only one class. In most cases, the default classes are sufficient.

2.4.1 Displaying the Classes Page

In the Advanced section of the Configure page, click Classes to display the Configure: Classes page, as shown in Figure 2-6. You can use this page to manage existing classes or configure additional classes.

See Also:

Oracle Secure Backup Reference to learn about the class commands in obtool

2.4.2 Adding a Class

Oracle Secure Backup creates default classes when the administrative domain is first initialized. You can use these classes or create your own.

To add a class: 

  1. Follow the procedure in "Displaying the Classes Page".

    The Configure: Classes page appears.

  2. Click Add.

    The Configure: Classes > New Classes page appears. This page lists class rights options.

  3. Enter a name for the class in the Class field.

    The name you enter must start with an alphanumeric character. It can contain only letters, numerals, dashes, underscores, or periods. The maximum character length is 127 characters.

    The class name must be unique among all Oracle Secure Backup class names. It is unrelated to any other name used in your computing environment or the Oracle Secure Backup administrative domain.

  4. Select the rights to grant to this class.

    See Also:

    Oracle Secure Backup Reference for a detailed explanation of these rights

  5. Click Apply or OK.

    The Configure: Classes page displays a success message, and your additional class appears in the list of classes.

2.4.3 Editing or Displaying Class Properties

To modify existing classes, you must have the modify administrative domain's configuration right. When you change the class that an Oracle Secure Backup user belongs to or modify the rights of such a class, changes do not take effect until the user exits from the Oracle Secure Backup component currently in use.

See Also:

Oracle Secure Backup Reference for more information on the modify administrative domain's configuration right

To edit a class: 

  1. Follow the procedure in "Displaying the Classes Page".

    The Configure: Classes page appears.

  2. Select the name of the class to edit in the Class Name list.

  3. Click Edit.

    The Configure: Classes > class_name page appears with details for the class you selected.

  4. Make whatever changes you want.

    You cannot rename a class from this page. To rename a class, see "Renaming a Class".

  5. Click Apply to apply your changes and remain on the Configure: Classes > class_name page.

  6. Click OK to apply your changes and return to the Configure: Classes page.

  7. Click Cancel to return to the Configure: Classes page without making any changes.

2.4.4 Removing a Class

You cannot remove a class to which a user currently belongs. Instead, you must reassign or delete all existing members of a class before the class can be removed.

To remove a class: 

  1. Follow the procedure in "Displaying the Classes Page".

    The Configure: Classes page appears.

  2. Select the class to be removed in the Class Name list.

  3. Click Remove.

    A confirmation page appears.

  4. Click Yes.

    The Configure: Classes page displays a success message, and the class is gone from the Class Name list.

2.4.5 Renaming a Class

You must have the modify administrative domain's configuration right to rename a class.

To rename a class:  

  1. Follow the procedure in "Displaying the Classes Page".

    The Configure: Classes page appears.

  2. Select the class to rename in the Class Name list.

  3. Click Rename.

    A different page appears.

  4. Enter the name for the class in the Rename class_name to field and click Yes.

    The Configure: Classes page displays a success message, and the class appears with its different name in the Class Name list.