2.2 ACCESSRULE

Valid for Manager

Use ACCESSRULE to control connection access to the Manager process and the processes under its control. You can establish multiple rules by specifying multiple ACCESSRULE statements in the parameter file and control their priority. There is no limit to the number of rules that you can specify. To establish priority, you can either list the rules in order from most important to least important, or you can explicitly set the priority of each rule with the PRI option.

Default

None

Syntax

ACCESSRULE[, PROG program_name][, IPADDR address][, PRI rule][, login_ID]{, ALLOW | DENY}
Argument Description 
PROG program_name

Specifies connection security for a specific Oracle GoldenGate program or multiple programs specified with a wildcard. If one of these options is not specified, the access rule applies to all programs that Manager starts, stops, or kills.

Valid values:

  • GGSCI: Secures access to the GGSCI command-line interface.

  • GUI: Secures access to Oracle GoldenGate from the Activity Console.

  • MGR | MANAGER: Secures access to all inter-process commands controlled by Manager, such as START, STOP, and KILL

  • REPLICAT: Secures connection to the Replicat process.

  • COLLECTOR | SERVER: Secures the ability to dynamically create a Collector process.

  • * (asterisk): Wildcard. Use a wildcard to specify all of the preceding options.

 
IPADDR address

Permits access to Manager from the host with the specified IP address.

 
PRI rule

Specifies a priority for each ACCESSRULE statement. Valid values are from 1 through 99, with 1 being the highest priority and 99 being the lowest. Rules that have priorities assigned can appear in any order in the parameter file.

 
login_ID

Permits access based on a user password. This option requires specifying USER and PASSWORD options with the RMTHOST parameter.

The syntax for login_ID is:

USER user, PASSWORD password, [ENCRYPTKEY keyname]

Valid values:

  • user : The user specified with the USER option of the RMTHOST parameter.

  • password: The password specified with the PASSWORD option of the RMTHOST parameter.

  • keyname: Optional. Specifies an encryption key in the ENCKEYS file.

When ENCRYPTKEY keyname is used as part of the login ID, Oracle GoldenGate looks up the key in the ENCKEYS file on the target system and uses it to decrypt the corresponding password. If the decrypted password matches the password supplied with the password portion of the login ID option, the rule passes.

 
ALLOW | DENY

Determines whether the rule specified with ACCESSRULE permits or denies access. Either ALLOW or DENY is required.

Example 1

The following access rules allow any nodes that begin with IP address 205 or the node 194.168.11.102 to access the requested services. All others are denied.

ACCESSRULE, PROG *, IPADDR 194.168.11.102, ALLOW ACCESSRULE, PROG *, IPADDR 205.*, ALLOW ACCESSRULE, PROG *, IPADDR *, DENY

Example 2

The following access rules have been assigned explicit priority levels through the PRI option. These rules allow any user to access the Collector process (the SERVER program), and in addition, allow the IP address 122.11.12.13 to access GGSCI commands. Access to all other Oracle GoldenGate programs is denied.

ACCESSRULE, PROG *, DENY, PRI 99ACCESSRULE, PROG SERVER, ALLOW, PRI 1ACCESSRULE, PROG GGSCI, IPADDR 122.11.12.13, PRI 1

Example 3

The following access rules are the same as Example 2, but they assign priority by means of their order in the parameter file, instead of the PRI option.

ACCESSRULE, PROG SERVER, ALLOWACCESSRULE, PROG GGSCI, IPADDR 122.11.12.13ACCESSRULE, PROG *, DENY

Example 4

The following access rule grants access to all programs to the user JOHN.

ACCESSRULE, PROG *, USER JOHN, PASSWORD OCEAN1

Example 5

The following access rule grants access to all programs to the user JOHN and designates an encryption key to decrypt the password. If the password provided with PASSWORD matches the one in the ENCKEYS lookup file, connection is granted.

ACCESSRULE, PROG *, USER JOHN, PASSWORD OCEAN1, ENCRYPTKEY lookup1