An Oracle Secure Backup user is an administrative domain-wide identity, associated with a username. A class is a named collection of rights assigned to this user.
Note:
Do not confuse this sense of the term class with defaults and policies classes, which are a convenience for grouping defaults and policies related to one functional area of Oracle Secure Backup.
This chapter describes Oracle Secure Backup users and classes and explains how to configure them in your administrative domain.
Note:
Before you set up an administrative domain, ensure you have logged into Oracle Secure Backup.
Oracle Secure Backup stores information pertaining to Oracle Secure Backup users and rights on the administrative server, enabling Oracle Secure Backup to maintain a consistent Oracle Secure Backup user identity across the administrative domain.
Each user of an Oracle Secure Backup administrative domain has an account and an encrypted password stored on the administrative server. An operating system user can enter his or her Oracle Secure Backup username and password in the Oracle Secure Backup Web tool or obtool. The client program sends the password over an encrypted SSL connection to the administrative server for host authentication.
Note:
The practice of supplying a password in clear text on a command line or in a command script is not recommended by Oracle. It is a security vulnerability. The recommended procedure is to have the user be prompted for the password.
The namespace for Oracle Secure Backup users is distinct from the namespaces of existing UNIX, Linux, and Windows users. Thus, if you log in to a host in the administrative domain as operating system user johndoe, and if an Oracle Secure Backup user in the administrative domain is named johndoe, then these accounts are separately managed even though the name is the same. For convenience, you might want to create an Oracle Secure Backup user with the same name and password as an operating system user.
When you create an Oracle Secure Backup user, you can associate it with Linux, UNIX and Windows accounts. You can use one of these accounts for a backup operation that does not run with root privileges, also known as an unprivileged backup operation. In contrast, privileged backup and restore operations run on a client with root permissions on Linux and UNIX or Local System permissions on Windows.
Assume you create the Oracle Secure Backup user jdoe and associate it with UNIX account x_usr and Windows account w_usr. When jdoe uses the backup --unprivileged command to back up a client in the administrative domain, the job runs under the operating system accounts associated with jdoe. Thus, jdoe can only back up files on a UNIX client accessible to x_usr and files on a Windows client accessible to w_usr.
If you have the modify administrative domain's configuration right, then you can configure the preauthorization attribute of an Oracle Secure Backup user. You can preauthorize operating system users to make RMAN backups or log in to Oracle Secure Backup command-line utilities. For example, you can preauthorize the x_usr UNIX user to log in to obtool as Oracle Secure Backup user jdoe.
See Also:
Oracle Secure Backup Reference for more information about the modify administrative domain's configuration right
Note:
On Windows, Oracle Secure Backup stores the Windows name, password, and domain for each account. This data is communicated to the required client host over an encrypted SSL channel.
When setting up an Oracle Secure Backup user account, you can configure user access to an NDMP host, which is a device such as a filer that does not run NDMP natively. Passwords for NDMP hosts are associated with the host instead of the user. You can configure the host to use the default NDMP password, a user-defined text password, or a null password. You can also configure a password authentication method such as text or MD5-encrypted.
Note:
The practice of supplying a password in clear text on a command line or in a command script is not recommended by Oracle. It is a security vulnerability. The recommended procedure is to have the user be prompted for the password.
When you ran installob on the administrative server, Oracle Secure Backup created the admin user by default. Unless you chose to create the oracle user for use in backing up and recovering Oracle Databases, no other Oracle Secure Backup users exist in the administrative domain.
After installation, you can create more Oracle Secure Backup users or manage the attributes of individual Oracle Secure Backup users. The following user attributes are particularly important:
Preauthorizations
You can preauthorize an operating system user to log in to the user-invoked Oracle Secure Backup command-line utilities. You must preauthorize an operating system user to make Oracle Database SBT backups through RMAN.
A preauthorization for an operating system user is associated with a specific Oracle Secure Backup user. For example, you can enable the Linux user johndoe to log in to obtool as the Oracle Secure Backup user named backup_admin. You could also preauthorize johndoe to run RMAN backups under the backup_admin identity.
Operating system accounts for unprivileged backups
An unprivileged backup is a file-system backup of a client that does not run on the operating system as root on UNIX and Linux or as a member of the Administrators group on Windows. You must specify which operating system accounts are used for unprivileged backups.
See Also:
"Managing Users" for more information about creating and managing users
"Assigning Preauthorized Access" for more information about configuring preauthorization
"Configuring a User in an Administrative Domain" for steps on setting up and managing users in an administrative domain
Every time you log on to Oracle Secure Backup, you must enter a valid user name and user password. Oracle Secure Backup enables you to manage your user passwords and their lifetime by choosing appropriate security settings. You can configure the global password settings, which apply to all users, when you set the global security policies. You can also specify user-specific settings when you create an Oracle Secure Backup user. When password settings are not specified for a particular user, the global security password policies are automatically applied. When password settings are specified while creating a user, the user-specific settings override the global password settings.
You can configure and modify the following settings to manipulate the lifetime of your password:
Password lifetime is the length of time, measured in number of days, for which an Oracle Secure Backup user password is valid. Once the stated lifetime of a password expires, you are asked to change the password.
However, if password grace time has been set, you are allowed to log on using the current password for a limited number of days after its validity has expired.
You can also disable the password lifetime, in which case the password will never expire. The Oracle Secure Backup Web tool enables you to set the password lifetime for an Oracle Secure Backup user.
Password grace time is the length of time, measured in number of days, for which an Oracle Secure Backup user can continue to log on to Oracle Secure Backup, after the validity of the current password has expired. The user receives a warning message while logging in, during the period for which the grace time has been set, indicating that the password will expire after the grace time ends. If you do not change your password by the time the set grace time ends, you are forced to change your password when you attempt to log on. You can choose to disable the password grace time in which case no grace time will be provided for that user.
Assume that you create an Oracle Secure Backup user scott and set the password lifetime to 60 days and the password grace time to 6 days. During the first Oracle Secure Backup login after the user password has expired, you will receive a message saying the current password has expired and you are recommended to change your password. You will not be forced to change the password immediately, but if you do not change the password, you will continue to receive the same message for the next six days as that is your password grace time. If the password is not changed even after the grace time expires, you will be presented with a password change screen during the next login. Once you change the password, you will be redirected to the user interface.
Password reuse time is the duration, in number of days, that must elapse before you may reuse a previously-used Oracle Secure Backup password. You can choose to disable the password reuse time, in which case the password can never be reused.
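The following added example (not Oracle code, and not how Oracle Secure Backup is implemented) models the lifetime, grace time, and reuse time rules described above, including the override of global settings by user-specific ones. The boundary handling (a password counts as expired once its age reaches the lifetime), measuring reuse time from the day the password was replaced, and treating "1 year" as 365 days are assumptions; all names are hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DISABLED = None  # constructed marker: the setting is switched off


@dataclass(frozen=True)
class PasswordPolicy:
    lifetime_days: Optional[int]  # DISABLED: the password never expires
    grace_days: Optional[int]     # DISABLED: no grace period is given
    reuse_days: Optional[int]     # DISABLED: an old password can never be reused


# System defaults quoted on this page; "1 year" is taken as 365 days (assumption).
GLOBAL_DEFAULT = PasswordPolicy(lifetime_days=180, grace_days=3, reuse_days=365)


def effective_policy(global_policy, user_settings):
    """Settings given for a user override the global policy; the rest fall back."""
    return PasswordPolicy(
        *(user_settings.get(name, getattr(global_policy, name))
          for name in ("lifetime_days", "grace_days", "reuse_days")))


def login_state(policy, changed_on, today):
    """Return 'valid', 'grace' (login allowed with a warning) or 'must_change'."""
    if policy.lifetime_days is DISABLED:
        return "valid"
    age = (today - changed_on).days
    if age < policy.lifetime_days:          # assumption: expired once age == lifetime
        return "valid"
    grace = policy.grace_days or 0          # disabled grace time means no grace at all
    if age < policy.lifetime_days + grace:
        return "grace"
    return "must_change"


def may_reuse(policy, retired_on, today):
    """True if a password replaced on retired_on may be chosen again today."""
    if policy.reuse_days is DISABLED:
        return False                        # per this page: never reusable
    return (today - retired_on).days >= policy.reuse_days


# The scott example from this page: lifetime 60 days, grace time 6 days,
# reuse time left unspecified so the global value applies.
SCOTT = effective_policy(GLOBAL_DEFAULT, {"lifetime_days": 60, "grace_days": 6})

if __name__ == "__main__":
    changed = date(2024, 1, 1)              # constructed date
    for age in (59, 60, 65, 66):
        print(age, login_state(SCOTT, changed, changed + timedelta(days=age)))
```

Disabling the lifetime makes `login_state` return `valid` indefinitely, so accounts configured that way are worth listing in any review of the domain.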
Forcing a Password Change
You can force an Oracle Secure Backup user to change their current password, if required. The user must implement the forced password change, regardless of the password settings that were set during the user configuration.
Note:
To modify Oracle Secure Backup users, you must be a member of a class that has this right enabled. See "Overview of Oracle Secure Backup Classes and Rights" for details.
An Oracle Secure Backup class defines a set of rights granted to an Oracle Secure Backup user. A class is similar to a Linux or UNIX group, but it defines a finer granularity of access rights tailored to the needs of Oracle Secure Backup.
As shown in Figure 2-1, you can assign multiple Oracle Secure Backup users to a class. Each Oracle Secure Backup user can be a member of only one class.
The following classes are key to understanding Oracle Secure Backup user rights:
admin
This class is used for overall management of an administrative domain. The admin class has all the rights needed to modify administrative domain configurations and perform backup and restore operations.
operator
This class is used for standard day-to-day operations. The operator class lacks configuration rights but has all the rights needed for backup and restore operations. It also allows the Oracle Secure Backup user to query the state of any primary or secondary storage device and to control the state of these devices.
oracle
This class is similar to the operator class. The oracle class has all rights necessary to modify Oracle Database configuration settings and to perform Oracle Database backups. Class members are usually Oracle Secure Backup users that are mapped to operating system accounts of Oracle Database installations.
user
This class gives Oracle Secure Backup users permission to interact in a limited way with their domains. This class is reserved for Oracle Secure Backup users who must browse their own data within the Oracle Secure Backup catalog and perform user-based restore operations.
reader
This class enables Oracle Secure Backup users only to modify the given name and password for their user account and to browse their own catalog. Users in the reader class must know the exact restore path that they own, because they are not even able to see a listing of what hosts belong to the Oracle Secure Backup administrative domain.
When creating a user in the reader class, you must map the user to a valid operating system user and group.
monitor
This class enables Oracle Secure Backup users only to access Oracle Database backups, access file-system backups, display the administrative domain configuration, list all jobs, and display information about devices. Users in this class cannot perform backup or restore operations, modify the administrative domain, or receive email notifications.
An Oracle Secure Backup user assigned to the monitor class is necessary as the OSB username parameter in Oracle Secure Backup target registration within Oracle Enterprise Manager.
See Also:
"Managing Classes" for a detailed description of the rights available to each class
Oracle Secure Backup Reference for more information about classes and rights
Oracle Secure Backup users are managed in their own namespace, distinct from operating system users. This section describes how to create and manage an Oracle Secure Backup user with the Web tool.
Accessing the Oracle Secure Backup web tool home page is the first step in performing all Oracle Secure Backup backup and restore operations.
To access the Oracle Secure Backup web tool home page:
To display the Users page:
See Also:
Oracle Secure Backup Reference to learn about the user commands in obtool
You can use the Web tool to define an Oracle Secure Backup user. Each Oracle Secure Backup user account belongs to exactly one class, which defines the rights of the Oracle Secure Backup user.
To add one or more users:
Follow the steps in "Displaying the Users Page".
The Configure: Users page appears.
Click Add.
The Configure: Users > New Users page appears.
Enter a user name in the User field.
The name you enter must start with an alphanumeric character. It can contain only letters, numerals, dashes, underscores, or periods. The maximum character length that you can enter is 31 characters.
The user name must be unique among all Oracle Secure Backup user names. Formally, it is unrelated to any other name used in your computing environment or the Oracle Secure Backup administrative domain. Practically, it is helpful to choose Oracle Secure Backup user names that are identical to operating system user names.
Enter a password in the Password field.
This password is used to log in to Oracle Secure Backup. The maximum character length that you can enter is 16 characters.
Note:
The practice of supplying a password in clear text on a command line or in a command script is not recommended by Oracle. It is a security vulnerability. The recommended procedure is to have the Oracle Secure Backup user be prompted for the password.
Select a class in the User class list.
A class defines a set of rights.
Enter a name for the Oracle Secure Backup user in the Given name box.
This step is optional. The given name is for information purposes only.
Enter a UNIX name for this account in the UNIX name field.
This name forms the identity of any non-privileged jobs run by the Oracle Secure Backup user on UNIX systems. If you do not want this Oracle Secure Backup user to run Oracle Secure Backup jobs on UNIX systems, then leave this field blank.
Enter a UNIX group name for this account in the UNIX group field.
This name forms the identity of any non-privileged jobs run by the Oracle Secure Backup user on UNIX systems. If you do not want this Oracle Secure Backup user to run Oracle Secure Backup jobs on UNIX systems, then leave this field blank.
Select yes in the NDMP server user list to request that NDMP servers in the Oracle Secure Backup administrative domain accept a login from this Oracle Secure Backup user by using the supplied user name and password.
This option is not required for normal Oracle Secure Backup operation and is typically set to no.
Enter the email address for the Oracle Secure Backup user in the Email Address field.
When Oracle Secure Backup communicates with this user, for example to deliver a job summary or notify the user of a pending input request, it sends email to this address.
Enter the duration of the password grace time in the Password grace time field. You can select the system default which is 3 days.
Enter the duration of the password lifetime in the Password lifetime field. You can select the system default which is 180 days.
Enter the duration of the password reuse time in the Password reuse time field. You can select the system default which is 1 year.
See Also:
"About Oracle Secure Backup Password Policies" for detailed description of the available password settings
Click Apply, OK, or Cancel.
If the Oracle Secure Backup user you configured must initiate backup and restore operations on Windows clients, then see "Assigning Windows Account Information".
This section explains how to modify properties for an existing user account.
Note:
To modify Oracle Secure Backup users, you must be a member of a class that has this right enabled. See "Overview of Oracle Secure Backup Classes and Rights" for details.
To edit Oracle Secure Backup user properties:
Follow the steps in "Displaying the Users Page".
The Configure: Users page appears.
Select an Oracle Secure Backup user whose properties you want to modify from the User Name list.
Click Edit.
The Configure: Users > user_name page appears.
Edit the required user properties.
See Also:
"Adding a User" for information on setting user properties
You cannot change the name of an Oracle Secure Backup user on this page. To rename an Oracle Secure Backup user, see "Renaming a User".
Click Apply to apply the changes and remain on the Configure: Users > user_name page.
Click OK to apply the changes and return to the Configure: Users page.
Click Cancel to return to the Configure: Users page without making any changes.
If the Oracle Secure Backup user you configured must initiate backup and restore operations on Windows clients, then see "Assigning Windows Account Information".
This section explains how to modify the password for an existing user account.
Note:
To modify Oracle Secure Backup users, you must be a member of a class that has this right enabled. See "Overview of Oracle Secure Backup Classes and Rights" for details.
To change an Oracle Secure Backup user password:
Follow the steps in "Displaying the Users Page".
The Configure: Users page appears.
From the Users page, select an Oracle Secure Backup user from the User name list.
Click Change Password.
The Configure: Users > user_name page appears.
Enter a password.
Confirm the password.
Click OK or Cancel.
Note:
The practice of supplying a password in clear text on a command line or in a command script is not recommended by Oracle. It is a security vulnerability. The recommended procedure is to have the Oracle Secure Backup user be prompted for the password.
It is recommended that you follow these steps to set up and manage Oracle Secure Backup users in your administrative domain:
This section explains how to configure Windows account information for a user who must initiate backups and restore operations on Windows systems. You can associate an Oracle Secure Backup user with multiple Windows domain accounts or use a single account that applies to all Windows domains.
To assign Windows account information to an Oracle Secure Backup user:
Follow the steps in "Displaying the Users Page".
The Configure: Users page appears.
Select an Oracle Secure Backup user in the User Name list.
Click Edit.
The Configure: Users > user_name page appears.
Click Windows Domains.
The Configure: Users > user_name > Windows Domains page appears.
Enter a Windows domain name in the Domain name field.
Enter an asterisk (*) in this field to associate this Oracle Secure Backup user with all Windows domains.
Enter the account information for a Windows user in the Username and Password fields.
Click Add to add the Windows account information.
The page displays a success message, and account information appears in the Domain:Username list.
Note:
The practice of supplying a password in clear text on a command line or in a command script is not recommended by Oracle. It is a security vulnerability. The recommended procedure is to have the Oracle Secure Backup user be prompted for the password.
You can use the Web tool to remove Windows account information from an Oracle Secure Backup user account.
To remove a Windows account:
From the Windows Domain page, select a Windows account in the Domain: Username list.
Click Remove.
The Configure: Users > user_name > Windows Domains page displays a message informing you that the Windows account was successfully removed.
This section explains how to give access to Oracle Secure Backup services and data to a specified operating system user. You can preauthorize Oracle Database SBT backups through RMAN or preauthorize login to the user-invoked Oracle Secure Backup command-line utilities.
Oracle Secure Backup preauthorizes access only for a specified operating system user on a specified host. For each host within an Oracle Secure Backup administrative domain, you can declare one or more one-to-one mappings between operating system user and Oracle Secure Backup user identities.
You can create a preauthorization only if you have the modify administrative domain's configuration right. Typically, only an Oracle Secure Backup user in the admin class has this right.
See Also:
Oracle Secure Backup Reference for more information about the modify administrative domain's configuration right
To assign preauthorized access:
Follow the steps in "Displaying the Users Page".
The Configure: Users page appears.
Select an Oracle Secure Backup user in the User Name list.
Click Edit.
The Configure: Users > user_name page appears.
Click Preauthorized Access.
The Configure: Users > user_name > Preauthorized Access page appears.
In the Hosts list, select either all hosts or the name of the host to which the operating system user is granted preauthorized access.
In the OS username field, enter the operating system user account with which the Oracle Secure Backup user should access services and data. Enter an asterisk (*) or leave blank to select all operating system users.
In the Windows domain name field, enter the Windows domain to which the operating system user belongs. The Windows domain is only applicable to preauthorized logins from a Windows host. Enter an asterisk (*) or leave blank to select all domains.
If you enter a Windows account name in the OS username field, then you must enter an asterisk, leave the box blank, or enter a specific domain.
In the Attributes list, select cmdline, rman, or both.
You can select both attributes by clicking one of them and then shift-clicking the other.
The cmdline attribute preauthorizes login through the user-invoked Oracle Secure Backup command-line utilities such as obtool. The rman attribute preauthorizes Oracle Database SBT backups through RMAN.
Click Add.
The page displays a success message, and the preauthorized Oracle Secure Backup user appears in the list.
See Also:
"Creating a Preauthorized Oracle Secure Backup User" for more details about RMAN preauthorization
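The following added example (not Oracle code) models the host, OS username, Windows domain, and attribute fields described in this procedure so that an administrator can review which Oracle Secure Backup identities an operating system user could assume and which entries are broad. The record layout, host names, class assignments, and finding codes are constructed for illustration; how Oracle Secure Backup itself resolves overlapping entries is not covered by this page, so the function returns every match.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Preauth:
    osb_user: str            # Oracle Secure Backup user the entry belongs to
    host: str                # a host name, or "*" for all hosts
    os_user: str             # "*" or blank selects all operating system users
    windows_domain: str      # "*" or blank selects all domains (Windows hosts only)
    attrs: FrozenSet[str]    # subset of {"cmdline", "rman"}


def _wild(value: str) -> bool:
    return value in ("", "*")


def identities_for(preauths: List[Preauth], host: str, os_user: str, attr: str,
                   windows_domain: Optional[str] = None) -> List[str]:
    """Oracle Secure Backup users this OS user on this host is preauthorized as."""
    matches = set()
    for p in preauths:
        if attr not in p.attrs:
            continue
        if not _wild(p.host) and p.host != host:
            continue
        if not _wild(p.os_user) and p.os_user != os_user:
            continue
        # The domain is only compared for logins that come from a Windows host.
        if (windows_domain is not None and not _wild(p.windows_domain)
                and p.windows_domain != windows_domain):
            continue
        matches.add(p.osb_user)
    return sorted(matches)


def audit(preauths: List[Preauth], user_class: Dict[str, str]) -> List[Tuple[str, str]]:
    """Flag entries an administrator should justify (hypothetical finding codes)."""
    findings = []
    for p in preauths:
        if _wild(p.host) and _wild(p.os_user):
            findings.append((p.osb_user, "any-os-user-on-any-host"))
        if "cmdline" in p.attrs and user_class.get(p.osb_user) == "admin":
            findings.append((p.osb_user, "cmdline-login-as-admin-class-user"))
    return findings


# Constructed sample data; jdoe/x_usr and backup_admin/johndoe echo this page's
# examples, while dbhost1, rman_svc and the class assignments are invented here.
SAMPLE = [
    Preauth("jdoe", "dbhost1", "x_usr", "", frozenset({"cmdline"})),
    Preauth("backup_admin", "*", "johndoe", "", frozenset({"cmdline", "rman"})),
    Preauth("rman_svc", "*", "*", "*", frozenset({"rman"})),
]
CLASSES = {"jdoe": "operator", "backup_admin": "admin", "rman_svc": "oracle"}

if __name__ == "__main__":
    print(identities_for(SAMPLE, "dbhost1", "x_usr", "cmdline"))
    for finding in audit(SAMPLE, CLASSES):
        print(finding)
```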
You can remove a preauthorization only if you have the modify administrative domain's configuration right. Typically, only an Oracle Secure Backup user in the admin class has this right.
To remove preauthorized access:
From the Configure: Users > user_name > Preauthorized Access page, select the preauthorized access entry you want to remove in the main text pane.
Click Remove.
The preauthorized access entry is no longer displayed in the main text pane.
You must have the modify administrative domain's configuration right to rename an Oracle Secure Backup user.
To rename an Oracle Secure Backup user:
Follow the steps in "Displaying the Users Page".
The Configure: Users page appears.
Select the Oracle Secure Backup user whose name you want to change from the User Name list.
Click Rename.
A different page appears.
Enter the name in the Rename user_name to field and click Yes.
The Configure: Users page displays a success message, and the Oracle Secure Backup user has a different name in the User Name list.
You must have the modify administrative domain's configuration right to remove an Oracle Secure Backup user.
To remove an Oracle Secure Backup user:
Follow the steps in "Displaying the Users Page".
The Configure: Users page appears.
Select the Oracle Secure Backup user you want to remove from the User Name list.
Click Remove.
A confirmation page appears.
Click Yes to remove the Oracle Secure Backup user.
You are returned to the Configure: Users page. A message appears telling you the Oracle Secure Backup user was successfully removed.
To display the Oracle Secure Backup: Classes Page:
See Also:
Oracle Secure Backup Reference to learn about the class commands in obtool
Oracle Secure Backup creates default classes when the administrative domain is first initialized. You can use these classes or create your own.
To add a class:
Follow the steps in "Displaying the Classes Page".
The Configure: Classes page appears.
Click Add.
The Configure: Classes > New Classes page appears. This page lists class rights options.
Enter a name for the class in the Class field.
The name you enter must start with an alphanumeric character. It can contain only letters, numerals, dashes, underscores, or periods. The maximum character length is 127 characters.
The class name must be unique among all Oracle Secure Backup class names. It is unrelated to any other name used in your computing environment or the Oracle Secure Backup administrative domain.
Select the rights to grant to this class.
See Also:
Oracle Secure Backup Reference for a detailed explanation of these rights
Click Apply or OK.
The Configure: Classes page displays a success message, and your additional class appears in the list of classes.
To modify existing classes, you must have the modify administrative domain's configuration right. When you change the class that an Oracle Secure Backup user belongs to or modify the rights of such a class, changes do not take effect until the user exits from the Oracle Secure Backup component currently in use.
See Also:
Oracle Secure Backup Reference for more information about the modify administrative domain's configuration right
To edit a class:
Follow the steps in "Displaying the Classes Page".
The Configure: Classes page appears.
Select the name of the class to edit in the Class Name list.
Click Edit.
The Configure: Classes > class_name page appears with details for the class you selected.
Make the required changes.
You cannot rename a class from this page. To rename a class, see "Renaming a Class".
Click Apply to apply your changes and remain on the Configure: Classes > class_name page.
Click OK to apply your changes and return to the Configure: Classes page.
Click Cancel to return to the Configure: Classes page without making any changes.
You cannot remove a class to which a user currently belongs. Instead, you must reassign or delete all existing members of a class before the class can be removed.
To remove a class:
Follow the steps in "Displaying the Classes Page".
The Configure: Classes page appears.
Select the class to be removed in the Class Name list.
Click Remove.
A confirmation page appears.
Click Yes.
The Configure: Classes page displays a success message, and the class is gone from the Class Name list.
You must have the modify administrative domain's configuration right to rename a class.
To rename a class:
Follow the steps in "Displaying the Classes Page".
The Configure: Classes page appears.
Select the class to rename in the Class Name list.
Click Rename.
A different page appears.
Enter the name for the class in the Rename class_name to field and click Yes.
The Configure: Classes page displays a success message, and the class appears with its different name in the Class Name list.
Defaults and policies control how Oracle Secure Backup operates within an administrative domain. Defaults and policies are divided into classes, depending upon what area of functionality they control. Each policy has a default setting, which you can modify based on your business or backup requirement.
See Also:
"About Defaults and Policies" for more information about the classification of policy classes
To view the Oracle Secure Backup: Defaults and Policies Page:
See Also:
Oracle Secure Backup Reference to learn about the policy commands in the obtool command-line interface and the descriptions of the defaults and policies
Before changing a policy setting, refer to the "Defaults and Policies" chapter in Oracle Secure Backup Reference. This chapter contains extensive descriptions of the policies and describes valid settings. You should not ordinarily be required to change the default settings.
To change a policy setting:
Follow the steps in "Viewing Configured Defaults and Policies Values".
In the Policy column on the Defaults and Policies page, click the name of the policy class to be edited. For example, click scheduler.
The policy_name page appears. Figure 2-6 shows the Scheduler page.
Change the settings of one or more policies.
Do one of these:
Click Apply to remain on this page.
Click OK to save the changes and return to the Defaults and Policies page.
When you change a policy setting from its default, the Web tool displays the default value for the policy in the Reset to Default Value column.
You can use the Web tool to reset the value of one or more Oracle Secure Backup policies to the default value.
To reset a policy:
Follow the steps in "Viewing Configured Defaults and Policies Values".
In the Policy column on the Defaults and Policies page, click the name of the policy class that contains the policy to be reset.
Select the Reset to Default Value column for the policy that you are resetting.
Click Apply or OK.