Use the crsctl setperm command to configure horizontal role separation using ACLs that are assigned to server pools, resources, or both. The CRSCTL utility is located in the path Grid_home/bin, where Grid_home is the Oracle Grid Infrastructure for a cluster home.
The command uses the following syntax, where the access control (ACL) string is indicated by italics:
crsctl setperm {resource | type | serverpool} name {-u acl_string |
-x acl_string | -o user_name | -g group_name}
The flag options are:
-u: Update the entity ACL
-x: Delete the entity ACL
-o: Change the entity owner
-g: Change the entity primary group
The ACL strings are:
{ user:user_name[:readPermwritePermexecPerm] |
group:group_name[:readPermwritePermexecPerm] |
other[::readPermwritePermexecPerm] }
where:
user: Designates the user ACL (access permissions granted to the designated user)
group: Designates the group ACL (permissions granted to the designated group members)
other: Designates the other ACL (access granted to users or groups not granted particular access permissions)
readperm: Location of the read permission (r grants permission and "-" forbids permission)
writeperm: Location of the write permission (w grants permission and "-" forbids permission)
execperm: Location of the execute permission (x grants permission, and "-" forbids permission)
For example, to set permissions on a server pool called psft for the group personnel, where the administrative user has read/write/execute privileges, the members of the personnel group have read/write privileges, and users outside of the group are granted no access, enter the following command as the root user:
# crsctl setperm serverpool psft -u user:personadmin:rwx,group:personnel:rw-, other::---