9.3.1.1 tfactl access
Use the tfactl access command to give non-root users controlled access to Oracle Trace File Analyzer and to let them run diagnostic collections.
Non-root users can run a subset of tfactl commands. That subset gives them controlled access to Oracle Trace File Analyzer and lets them run diagnostic collections. However, root access is still required to install and administer Oracle Trace File Analyzer.
Control non-root users with the tfactl access command. Add or remove non-root users depending upon your business requirements.
Note:
By default, all Oracle home owners, OS DBA groups, and ASM groups are added to the Oracle Trace File Analyzer Access Manager list while installing or upgrading Oracle Trace File Analyzer.
AHF introduces two roles, platinum and privileged-compliance-checks, in release 22.3.
- platinum can perform the following actions:
  - Run the diagnosetfa command to collect Oracle Trace File Analyzer diagnostic data from the local node to identify issues with Oracle Trace File Analyzer
  - Set auto-upgrade
  - Run compliance checks as root
  - Update AHF metadata
  - Change AHF configuration parameters
  - Run default commands of a non-root TFA user
- privileged-compliance-checks can perform the following actions:
  - Run compliance checks as root
  - Run default commands of a non-root TFA user
- When AHF is upgraded, the following is done for the orarom user:
  - If the orarom user is already promoted, it is added to the platinum role.
  - If the orarom user has not already been promoted, it is not added to the platinum role.
- After upgrade, to add any user to the platinum role, use the following commands:
  - To add a role for an existing TFA user:
    tfactl access grant -user <user_name> -role platinum
  - To remove a role from a user:
    tfactl access revoke -user <user_name> -role platinum
- A user who has been assigned a role is role-managed. It is not possible for the user to revert to the old promotion system.
- A user can have multiple roles.
- To find the current roles of any user, run the tfactl access lsusers command:
tfactl access lsusers
.-------------------------------------------------------------------------.
| TFA Users in Node1 |
+-----------+---------+----------+----------------------------------------+
| User Name | Status | Promoted | Roles |
+-----------+---------+----------+----------------------------------------+
| dbusr | Allowed | false | n/a |
| giusr | Allowed | true | n/a |
| grid | Allowed | n/a | privileged-compliance-checks |
| orarom | Allowed | n/a | platinum |
| oracle | Allowed | n/a | platinum, privileged-compliance-checks |
'-----------+---------+----------+----------------------------------------'
In this example:
- dbusr has the basic set of privileges
- giusr (promoted under the old promotion system) and grid (holding the privileged-compliance-checks role) have the ability to run compliance checks as root in addition to basic privileges
- orarom has the privileges of a platinum user in addition to basic privileges
- oracle has the privileges of both a platinum user and a privileged-compliance-checks user in addition to basic privileges
Syntax
tfactl access <command> [options]
commands: lsusers|add|remove|block|unblock|promote|demote|grant|revoke|reset|removeall
options: -user|-role|-json|-local
tfactl access lsusers
tfactl access lsusers [ -json ]
tfactl access lsusers [ -local ]
tfactl access add -user user_name
tfactl access add -user user_name -role role_name
tfactl access add -user user_name -role role_name [ -local ]
tfactl access remove -user user_name [ -local ]
tfactl access block -user user_name [ -local ]
tfactl access unblock -user user_name [ -local ]
tfactl access promote [ -local ]
tfactl access demote [ -local ]
tfactl access grant -user user_name -role role_name [ -local ]
tfactl access revoke -user user_name -role role_name [ -local ]
tfactl access reset
tfactl access removeall
Parameters
Table 9-45 tfactl access Command Parameters
Parameter | Description
---|---
lsusers | Lists all the Oracle Trace File Analyzer users.
add | Adds a user to the Oracle Trace File Analyzer access list.
remove | Removes a user from the Oracle Trace File Analyzer access list.
block | Blocks Oracle Trace File Analyzer access for a non-root user. Use this command to block a specific user's access to Oracle Trace File Analyzer.
unblock | Enables Oracle Trace File Analyzer access for non-root users who were blocked earlier. Use this command to unblock a user that was blocked earlier by running the tfactl access block command.
promote | Promotes Oracle Trace File Analyzer access for non-root users.
demote | Demotes Oracle Trace File Analyzer access for non-root users. However, the list of users who were granted access to Oracle Trace File Analyzer is retained, in case access for non-root users is promoted again later.
grant | Grants a role to a non-root user.
revoke | Revokes a role granted to a non-root user.
reset | Resets to the default access list that includes all Oracle Home owners and DBA groups.
removeall | Removes all Oracle Trace File Analyzer users from the access list, including the default users.
Example 9-42 tfactl access
tfactl access lsusers
.-------------------------------------------------------------------------.
| TFA Users in Node1 |
+-----------+---------+----------+----------------------------------------+
| User Name | Status | Promoted | Roles |
+-----------+---------+----------+----------------------------------------+
| dbusr | Allowed | false | n/a |
| giusr | Allowed | true | n/a |
| grid | Allowed | n/a | privileged-compliance-checks |
| orarom | Allowed | n/a | platinum |
| oracle | Allowed | n/a | platinum, privileged-compliance-checks |
'-----------+---------+----------+----------------------------------------'
tfactl access lsusers -json
testuser: {
"node1": [
{
"Promoted": "n/a",
"Roles": "platinum",
"Status": "Allowed",
"User Name": "dbusr"
},
{
"Promoted": "false",
"Roles": "n/a",
"Status": "Allowed",
"User Name": "giusr"
}
],
"node2": [
{
"Promoted": "n/a",
"Roles": "platinum",
"Status": "Allowed",
"User Name": "dbusr"
},
{
"Promoted": "false",
"Roles": "n/a",
"Status": "Allowed",
"User Name": "giusr"
}
]
}
tfactl access add -user abc
tfactl access add -user abc -role platinum
tfactl access remove -user abc
tfactl access block -user xyz
tfactl access grant -user xyz -role platinum
tfactl access revoke -user xyz -role platinum
tfactl access removeall
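Both platinum and privileged-compliance-checks let a non-root account run compliance checks as root, and platinum can also change AHF configuration, so holders of either role deserve the same periodic review as root itself. The script below is an added example and is not part of the AHF documentation or the AHF product. It parses a capture of tfactl access lsusers -json (a constructed sample modelled on the page's output, with a deliberately inconsistent grant on one node), lists every user that can act as root through AHF on any node, flags users whose privileges differ between nodes, and prints the tfactl access revoke commands that would strip privileged roles from users outside an allowlist. The allowlist ({"oracle"}) is an assumption, as is the handling of the label that precedes the opening brace in the page's sample output.

```python
"""Audit `tfactl access lsusers -json` output for root-capable AHF users.

Added example, not AHF's own code. Assumes only the JSON shape shown on the
page (node -> list of {User Name, Status, Promoted, Roles}).
"""
import json

# Holders of these roles can run compliance checks as root; platinum can also
# change AHF configuration, so both are treated as root-equivalent here.
PRIVILEGED_ROLES = {"platinum", "privileged-compliance-checks"}

# Constructed sample modelled on the page's -json example, with two deliberate
# inconsistencies: dbusr holds platinum on node1 only, and giusr is promoted
# under the old promotion system on node2 only.
SAMPLE_OUTPUT = """testuser: {
  "node1": [
    {"Promoted": "n/a",   "Roles": "platinum", "Status": "Allowed", "User Name": "dbusr"},
    {"Promoted": "false", "Roles": "n/a",      "Status": "Allowed", "User Name": "giusr"},
    {"Promoted": "n/a",   "Roles": "platinum, privileged-compliance-checks",
     "Status": "Allowed", "User Name": "oracle"}
  ],
  "node2": [
    {"Promoted": "n/a",   "Roles": "n/a",      "Status": "Allowed", "User Name": "dbusr"},
    {"Promoted": "true",  "Roles": "n/a",      "Status": "Allowed", "User Name": "giusr"},
    {"Promoted": "n/a",   "Roles": "platinum, privileged-compliance-checks",
     "Status": "Allowed", "User Name": "oracle"}
  ]
}"""


def parse_lsusers_json(text):
    """Return {node: {user: {"roles": set, "promoted": bool, "status": str}}}.

    The page's sample carries a label before the opening brace (assumed to be
    tool output, not JSON), so everything up to the first '{' is discarded.
    """
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON object in tfactl output")
    nodes = {}
    for node, entries in json.loads(text[start:]).items():
        users = {}
        for entry in entries:
            raw_roles = entry.get("Roles", "n/a")
            roles = set() if raw_roles == "n/a" else {
                r.strip() for r in raw_roles.split(",") if r.strip()}
            users[entry["User Name"]] = {
                "roles": roles,
                "promoted": entry.get("Promoted") == "true",
                "status": entry.get("Status", ""),
            }
        nodes[node] = users
    return nodes


def effective_privilege(info):
    """Hashable summary of what a user can do: roles plus old-style promotion."""
    return None if info is None else (frozenset(info["roles"]), info["promoted"])


def privileged_users(nodes):
    """Map user -> nodes on which the user can act as root through AHF,
    via a privileged role or via promotion under the old system."""
    result = {}
    for node, users in nodes.items():
        for name, info in users.items():
            if info["status"] != "Allowed":
                continue  # blocked users cannot use tfactl at all
            if info["promoted"] or info["roles"] & PRIVILEGED_ROLES:
                result.setdefault(name, set()).add(node)
    return result


def role_drift(nodes):
    """(user, node_a, node_b) triples whose effective privileges disagree.
    Grants made without -local apply cluster-wide, so a mismatch usually means
    a -local change or a node that missed an upgrade; either way, review it."""
    drift = []
    node_names = sorted(nodes)
    for name in sorted({u for users in nodes.values() for u in users}):
        for i, a in enumerate(node_names):
            for b in node_names[i + 1:]:
                if (effective_privilege(nodes[a].get(name))
                        != effective_privilege(nodes[b].get(name))):
                    drift.append((name, a, b))
    return drift


def revoke_commands(nodes, approved):
    """Cluster-wide revoke commands that would strip privileged roles from every
    user outside `approved` (caller-supplied allowlist). Returned for review,
    never executed here."""
    cmds = set()
    for users in nodes.values():
        for name, info in users.items():
            if name not in approved:
                for role in info["roles"] & PRIVILEGED_ROLES:
                    cmds.add(f"tfactl access revoke -user {name} -role {role}")
    return sorted(cmds)


if __name__ == "__main__":
    parsed = parse_lsusers_json(SAMPLE_OUTPUT)
    for user, where in sorted(privileged_users(parsed).items()):
        print(f"{user}: root-capable via AHF on {', '.join(sorted(where))}")
    for user, a, b in role_drift(parsed):
        print(f"drift: {user} has different privileges on {a} and {b}")
    for cmd in revoke_commands(parsed, approved={"oracle"}):
        print(cmd)
```

To run it against a live cluster, replace SAMPLE_OUTPUT with the captured stdout of tfactl access lsusers -json. Promoted users are reported but not remediated, because the syntax on this page gives demote no -user option; handle those by hand.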