8 Classes and Rights

Table 8-1 defines the predefined obtool classes. The rights are described in "Class Rights".

Table 8-1 Classes and Rights

Class RIghts admin operator oracle user reader monitor

access file system backups

all

all

owner

owner

none

all

access Oracle database backups

all

all

owner

owner

none

all

browse backup catalogs with this access

privileged

notdenied

permitted

permitted

named

none

display administrative domain's configuration

yes

yes

yes

yes

no

yes

list any backups owned by user

yes

yes

yes

yes

no

yes

list any backup, regardless of its owner

yes

yes

no

no

no

yes

list any jobs owned by user

yes

yes

yes

yes

no

yes

list any job, regardless of its owner

yes

yes

no

no

no

yes

manage devices and change device state

yes

yes

yes

no

no

no

modify administrative domain's configuration

yes

no

no

no

no

no

modify any backup, regardless of its owner

yes

yes

no

no

no

no

modify any backups owned by user

yes

yes

yes

yes

no

no

modify any job, regardless of its owner

yes

yes

no

no

no

no

modify any jobs owned by user

yes

yes

yes

yes

no

no

modify catalog

yes

no

no

no

no

no

modify own name and password

yes

yes

yes

yes

yes

no

perform file system backups as privileged user

yes

yes

no

no

no

no

perform file system backups as self

yes

yes

yes

no

no

no

perform file system restores as privileged user

yes

yes

no

no

no

no

perform file system restores as self

yes

yes

yes

yes

no

no

perform Oracle database backups and restores

yes

no

yes

no

no

no

query and display information about devices

yes

yes

yes

yes

no

yes

receive email describing internal errors

yes

yes

yes

no

no

no

receive email regarding expired passphrase keys

yes

no

no

no

no

no

receive email requesting operator assistance

yes

yes

yes

no

no

no

See Also:

"Class Commands"

Class Rights

This section describes the rights in Oracle Secure Backup classes.

access file system backups

This right specifies the type of access to file-system backups. The values are as follows:

  • owner indicates that the Oracle Secure Backup user can access only file-system backups created by the user.

  • class indicates that the Oracle Secure Backup user can access file-system backups created by any Oracle Secure Backup user in the same class.

  • all indicates that the Oracle Secure Backup user can access all file-system backups.

  • none indicates that the Oracle Secure Backup user has no access to file-system backups.

You can set this right with the --fsrights option of the mkclass or chclass commands.

access Oracle database backups

This right specifies the type of access to Oracle database backups made through the SBT interface. The values are as follows:

  • owner indicates that the Oracle Secure Backup user can access only SBT backups created by the user.

  • class indicates that the Oracle Secure Backup user can access SBT backups created by any Oracle Secure Backup user in the same class.

  • all indicates that the Oracle Secure Backup user can access all SBT backups.

  • none indicates that the Oracle Secure Backup user has no access to SBT backups.

You can set this right with the --orarights option of the mkclass or chclass commands.

browse backup catalogs with this access

This right applies to browsing access to the Oracle Secure Backup catalog. The rights are listed in order of decreasing privilege. Your choices are:

  • privileged means that Oracle Secure Backup users can browse all directories and catalogs.

  • notdenied means that Oracle Secure Backup users can browse any catalog entries for which they are not explicitly denied access. This option differs from permitted in that it allows access to directories having no stat record stored in the catalog.

  • permitted means that Oracle Secure Backup users are bound by normal UNIX rights checking. Specifically, Oracle Secure Backup users can only browse directories if at least one of these conditions is applicable:

    • The UNIX user defined in the Oracle Secure Backup identity is listed as the owner of the directory, and the owner has read rights.

    • The UNIX group defined in the Oracle Secure entity is listed as the group of the directory, and the group has read rights.

    • Neither of the preceding conditions is met, but the UNIX user defined in the Oracle Secure Backup identity has read rights for the directory.

  • named means that Oracle Secure Backup users are bound by normal UNIX rights checking, except that others do not have read rights. Specifically, Oracle Secure Backup users can only browse directories if at least one of these conditions is applicable:

    • The UNIX user defined in the Oracle Secure Backup identity is listed as the owner of the directory, and the owner has read rights.

    • The UNIX group defined in the Oracle Secure Backup identity is listed as the group of the directory, and the group has read rights.

  • none means that Oracle Secure Backup users have no rights to browse any directory or catalog.

You can set this right with the --browse option of the mkclass or chclass commands.

display administrative domain's configuration

This right allows class members to list objects, for example, hosts, devices, and users, in the administrative domain.

You can set this right with the --listconfig option of the mkclass or chclass commands.

modify administrative domain's configuration

This right allows class members to edit, that is, create, modify, rename, and remove, all configuration data in an Oracle Secure Backup administrative domain. The data includes the following:

  • Classes

  • Users

  • Hosts

  • Devices

  • Defaults and policies

  • Schedules

  • Datasets

  • Media families

  • Summaries

  • Backup windows

  • Rotation policies

  • Duplication policies

  • Duplication windows

You can set this right with the --modconfig option of the mkclass or chclass commands.

list any backup, regardless of its owner

This right enables class members to view information about backup images, backup image instances, and backup sections that they create.

You can set this right with the --listanybackups option of the mkclass or chclass commands.

list any backups owned by user

This right enables class members to view information about backup images and backup image instances that they create.

You can set this right with the --listownbackups option of the mkclass or chclass commands.

list any job, regardless of its owner

This right enables class member to view the status of any scheduled, ongoing, and completed jobs and transcripts for any job.

You can set this right with the --listanyjob option of the mkclass or chclass commands.

list any jobs owned by user

This right enables class members to view the status of scheduled, ongoing, and completed jobs that they create and transcripts for jobs that they create.

You can set this right with the --listanyjob option of the mkclass or chclass commands.

manage devices and change device state

This right enables class members to control the state of devices.

You can set this right with the --managedevs option of the mkclass or chclass commands.

modify any backup, regardless of its owner

This right enables admin and operator class members to modify all backups.

You can set this right with the --modanybackups option of the mkclass or chclass commands.

modify any backups owned by user

This right enables admin and operator class members to modify backups that they create.

You can set this right with the --modownbackups option of the mkclass or chclass commands.

modify any job, regardless of its owner

This right enables class members to make changes to all jobs.

You can set this right with the --modanyjob option of the mkclass or chclass commands.

modify any jobs owned by user

This right enables class members to modify only jobs that they configured.

You can set this right with the --modownjob option of the mkclass or chclass commands.

modify catalog

This right enables class members to modify the Oracle Secure Backup volumes catalog.

modify own name and password

This right enables class members to modify the password and given name attributes for their own user objects.

You can set this right with the --modself option of the mkclass or chclass commands.

perform file system backups as privileged user

This right enables class members to back up files and directories while acting as a privileged user. A privileged user is root on UNIX or a member of the Administrators group on Windows.

You can set this right with the --backuppriv option of the mkclass or chclass commands.

perform file system backups as self

This right allows the class member to back up only those files and directories to which the member has access by using either UNIX user and group names or a Windows domain account.

You can set this right with the --backupself option of the mkclass or chclass commands.

perform Oracle database backups and restores

This right enables class members to back up and restore Oracle databases. Users with this right are Oracle Secure Backup users that are mapped to operating system accounts of Oracle database installations.

You can set this right with the --orauser option of the mkclass or chclass commands.

perform file system restores as privileged user

This right enables class members to restore the contents of backup images and backup image instances as a privileged user. A privileged user is root on UNIX and a member of the Administrators group on Windows.

You can set this right with the --restpriv option of the mkclass or chclass commands.

perform file system restores as self

This right enables class members to restore the contents of backup images and backup image instances under the restrictions of the access rights imposed by the user's UNIX name/group or Windows domain/account.

You can set this right with the --restself option of the mkclass or chclass commands.

query and display information about devices

This right enables class members to query the state of all storage devices configured within the administrative domain.

You can set this right with the --querydevs option of the mkclass or chclass commands.

receive email describing internal errors

This right enables class members to receive email messages describing errors that occurred in any Oracle Secure Backup activity.

You can set this right with the --mailerrors option of the mkclass or chclass commands.

receive email regarding expired passphrase keys

This right enables class members to receive email messages describing expired passphrase keys.

You can set this right with the --mailrekey option of the mkclass or chclass commands.

receive email requesting operator assistance

This right enables class members to receive email when Oracle Secure Backup needs manual intervention. Occasionally, during backups and restores, operator assistance might be required, as when a different volume is required to continue a backup. In such cases, Oracle Secure Backup sends e-mail to all users who belong to classes with this attribute.

You can set this right with the --mailinput option of the mkclass or chclass commands.