17.4 Securing Access to Diagnostic Collections

Running tfactl commands is restricted to authorized users.

tfactl provides a command-line interface and shell to do the following:

  • Run diagnostics and collect all relevant log data from a time of your choosing

  • Trim log files to collect only what is necessary for diagnosis

  • Collect and package all trimmed diagnostics from any desired nodes in the cluster and consolidate everything in one package on a single node

Authorized non-root users can run a subset of the tfactl commands. All other tfactl commands require root access. Users who are not authorized cannot run tfactl commands.

By default, the following users are authorized to access a subset of tfactl commands:

  • Oracle Grid Infrastructure home owner

  • Oracle Database home owners

User access is applicable only if Oracle Trace File Analyzer is installed as root on Linux and UNIX. User access is not applicable if Oracle Trace File Analyzer is installed as non-root, or on Microsoft Windows.

To provision user access to tfactl:

  • To list the users who have access to tfactl:

    tfactl access lsusers

  • To add a user to access tfactl:

    tfactl access add -user user [-local]

    By default, access commands apply cluster-wide unless you specify the -local command option to restrict them to the local node.

  • To remove a user from accessing tfactl:

    tfactl access remove -user user [-local]

  • To remove all users from accessing tfactl:

    tfactl access removeall [-local]

  • To reset user access to default:

    tfactl access reset

  • To enable user access:

    tfactl access enable

  • To disable user access:

    tfactl access disable
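
The following script is an added example, not part of the Oracle documentation: it compares the users reported by tfactl access lsusers with an approved list so that unexpected grants can be reviewed and removed. It assumes the command prints a pipe-delimited table with a "User Name" first column; the function names, the --audit option, the allowlist file and the sample user names are all hypothetical.

```shell
#!/bin/sh
# Added example: flag tfactl users that are not on an approved list.
# Assumption: `tfactl access lsusers` prints table rows shaped like
#   | <user name> | <user type> | <status> |
# Adjust tfa_parse_users if your version formats the listing differently.

# Constructed sample listing (not captured from a real system).
tfa_sample_output() {
  cat <<'EOF'
.---------------------------------.
|      TFA Users in node1         |
+------------+-----------+---------+
| User Name  | User Type | Status  |
+------------+-----------+---------+
| grid       | USER      | Allowed |
| oracle     | USER      | Allowed |
| appsupport | USER      | Allowed |
'------------+-----------+---------'
EOF
}

# Read a listing on stdin and print one user name per line.
# Rows with fewer than three columns (title, borders) are skipped.
tfa_parse_users() {
  awk -F'|' 'NF >= 5 {
    name = $2
    gsub(/^[ \t]+|[ \t]+$/, "", name)
    if (name != "" && name != "User Name") print name
  }'
}

# $1 = file with approved user names, one per line; listing on stdin.
# Prints every listed user that is not approved (nothing if all match).
tfa_unexpected_users() {
  tfa_parse_users | sort -u | grep -Fvx -f "$1" || true
}

# Usage as root: sh tfa_access_audit.sh --audit /path/to/approved_users.txt
if [ "${1:-}" = "--audit" ]; then
  extra=$(tfactl access lsusers | tfa_unexpected_users "$2")
  if [ -n "$extra" ]; then
    # Each name printed here is a candidate for: tfactl access remove -user <name>
    printf 'Unexpected tfactl user: %s\n' $extra
    exit 1
  fi
fi
```

Include the Oracle Grid Infrastructure and Oracle Database home owners in the approved list, because they are authorized by default.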