9.3.1.1 tfactl access

Use the tfactl access command to enable non-root users to have controlled access to Oracle Trace File Analyzer, and to run diagnostic collections.

Non-root users can run a subset of tfactl commands, which gives them controlled access to Oracle Trace File Analyzer and lets them run diagnostic collections. Root access is still required to install and administer Oracle Trace File Analyzer. Control non-root users with the tfactl access command, adding or removing them as your business requirements dictate.

Note:

By default, all Oracle home owners, OS DBA groups, and ASM groups are added to the Oracle Trace File Analyzer Access Manager list while installing or upgrading Oracle Trace File Analyzer.

AHF introduces two roles, platinum and privileged-compliance-checks, in release 22.3.

  1. platinum can perform the following actions:
    • Run the diagnosetfa command to collect Oracle Trace File Analyzer diagnostic data from the local node to identify issues with Oracle Trace File Analyzer
    • Set auto-upgrade
    • Run compliance checks as root
    • Update AHF metadata
    • Change AHF configuration parameters
    • Run the default commands of a non-root TFA user
  2. privileged-compliance-checks can perform the following actions:
    • Run compliance checks as root
    • Run the default commands of a non-root TFA user

  • When AHF is upgraded, the following operation is performed for the orarom user:
    • If the orarom user is already promoted, it is added to the platinum role.
    • If the orarom user has not been promoted, it is not added to the platinum role.
  • After the upgrade, to add any user to the platinum role, use the following commands:
    • To add a role for an existing TFA user:
      tfactl access grant -user <user_name> -role platinum
    • To remove a role from a user:
      tfactl access revoke -user <user_name> -role platinum
  • A user who has been assigned a role is role-managed. Such a user cannot revert to the old promotion system.
  • A user can have multiple roles.
  • To find the current roles of any user, run the tfactl access lsusers command.
    tfactl access lsusers
    .-------------------------------------------------------------------------.
    |            TFA Users in Node1                                           |
    +-----------+---------+----------+----------------------------------------+
    | User Name | Status  | Promoted | Roles                                  |
    +-----------+---------+----------+----------------------------------------+
    | dbusr     | Allowed | false    | n/a                                    |
    | giusr     | Allowed | true     | n/a                                    |
    | grid      | Allowed | n/a      | privileged-compliance-checks           |
    | orarom    | Allowed | n/a      | platinum                               |
    | oracle    | Allowed | n/a      | platinum, privileged-compliance-checks |
    '-----------+---------+----------+----------------------------------------'
    In this example:
    • dbusr has the basic set of privileges
    • giusr and grid can run compliance checks as root in addition to the basic privileges
    • orarom has the privileges of the platinum role in addition to the basic privileges
    • oracle has the privileges of the platinum and privileged-compliance-checks roles in addition to the basic privileges

Syntax

tfactl access <command> [options]
commands: lsusers|add|remove|block|unblock|promote|demote|grant|revoke|reset|removeall
options: -user|-role|-json|-local
tfactl access lsusers
tfactl access lsusers [ -json ]
tfactl access lsusers [ -local ]
tfactl access add -user user_name
tfactl access add -user user_name -role role_name
tfactl access add -user user_name -role role_name [ -local ]
tfactl access remove -user user_name [ -local ]
tfactl access block -user user_name [ -local ]
tfactl access unblock -user user_name [ -local ]
tfactl access promote [ -local ]
tfactl access demote [ -local ]
tfactl access grant -user user_name -role role_name [ -local ]
tfactl access revoke -user user_name -role role_name [ -local ]
tfactl access reset
tfactl access removeall

Parameters

Table 9-45 tfactl access Command Parameters

Parameter   Description

lsusers     Lists all the Oracle Trace File Analyzer users.

add         Adds a user to the Oracle Trace File Analyzer access list.

remove      Removes a user from the Oracle Trace File Analyzer access list.

block       Blocks Oracle Trace File Analyzer access for a non-root user.
            Use this command to block a specific user's access to Oracle Trace File Analyzer.

unblock     Enables Oracle Trace File Analyzer access for non-root users who were blocked earlier.
            Use this command to unblock a user that was blocked earlier by running the command tfactl access block.

promote     Promotes Oracle Trace File Analyzer access for non-root users.
            Use the -local flag to change settings only on the local node.

demote      Demotes Oracle Trace File Analyzer access for non-root users.
            The list of users who were granted access to Oracle Trace File Analyzer is retained, so it can be reused if access for non-root users is promoted again later.
            Use the -local flag to change settings only on the local node.

grant       Grants a role to a non-root user.

revoke      Revokes a role granted to a non-root user.

reset       Resets to the default access list, which includes all Oracle Home owners and DBA groups.

removeall   Removes all users, including the default users, from the Oracle Trace File Analyzer access list.

Example 9-42 tfactl access

To list all the Oracle Trace File Analyzer users:
tfactl access lsusers
.-------------------------------------------------------------------------.
|            TFA Users in Node1                                           |
+-----------+---------+----------+----------------------------------------+
| User Name | Status  | Promoted | Roles                                  |
+-----------+---------+----------+----------------------------------------+
| dbusr     | Allowed | false    | n/a                                    |
| giusr     | Allowed | true     | n/a                                    |
| grid      | Allowed | n/a      | privileged-compliance-checks           |
| orarom    | Allowed | n/a      | platinum                               |
| oracle    | Allowed | n/a      | platinum, privileged-compliance-checks |
'-----------+---------+----------+----------------------------------------'
tfactl access lsusers -json

testuser: {
  "node1": [
    {
      "Promoted": "n/a",
      "Roles": "platinum",
      "Status": "Allowed",
      "User Name": "dbusr"
    },
    {
      "Promoted": "false",
      "Roles": "n/a",
      "Status": "Allowed",
      "User Name": "giusr"
    }
  ],
  "node2": [
    {
      "Promoted": "n/a",
      "Roles": "platinum",
      "Status": "Allowed",
      "User Name": "dbusr"
    },
    {
      "Promoted": "false",
      "Roles": "n/a",
      "Status": "Allowed",
      "User Name": "giusr"
    }
  ]
}
To add a user, for example, abc, to the Oracle Trace File Analyzer access list and enable access to Oracle Trace File Analyzer across the cluster:
tfactl access add -user abc
To add a user, for example, abc, assign a role, and enable access to Oracle Trace File Analyzer across cluster nodes:
tfactl access add -user abc -role platinum
To remove a user, for example, abc, from the Oracle Trace File Analyzer access list:
tfactl access remove -user abc
To block a user, for example, xyz, from accessing Oracle Trace File Analyzer:
tfactl access block -user xyz
To grant a role to a non-root user:
tfactl access grant -user xyz -role platinum
To revoke a role granted to a non-root user:
tfactl access revoke -user xyz -role platinum
To remove all Oracle Trace File Analyzer users:
tfactl access removeall
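The following script is an added example and is not part of Oracle's documentation or of AHF. It audits the output of tfactl access lsusers -json shown in Example 9-42: for each node it lists the users who can run compliance checks as root (through the platinum or privileged-compliance-checks role, or through the older promotion mechanism), and it reports users whose presence, status, promotion or roles differ between nodes, which is what an add, grant, block or promote applied with the -local flag leaves behind. It assumes the JSON shape shown above (a top-level object keyed by node name, each holding records with the keys User Name, Status, Promoted and Roles), skips the label that precedes the first brace in that output, and treats the two roles as privileged as its own policy choice. The sample inputs are constructed and embedded, so it runs without tfactl.

```python
"""Audit Oracle Trace File Analyzer user access from `tfactl access lsusers -json`.

Added example, not Oracle code. Assumptions (not stated by the tfactl docs): the
payload has the documented shape (top-level object keyed by node name, records with
"User Name", "Status", "Promoted", "Roles"); text before the first "{" is a label to
skip; treating platinum and privileged-compliance-checks as privileged is a policy
choice of this script, based on what the documentation says those roles allow.
"""
import json

# Roles that let a non-root user run compliance checks as root; platinum can
# additionally change AHF configuration and auto-upgrade settings.
PRIVILEGED_ROLES = frozenset({"platinum", "privileged-compliance-checks"})

# Constructed sample, copied from the documented lsusers -json output.
SAMPLE_OUTPUT = """testuser: {
  "node1": [
    {"Promoted": "n/a", "Roles": "platinum", "Status": "Allowed", "User Name": "dbusr"},
    {"Promoted": "false", "Roles": "n/a", "Status": "Allowed", "User Name": "giusr"}
  ],
  "node2": [
    {"Promoted": "n/a", "Roles": "platinum", "Status": "Allowed", "User Name": "dbusr"},
    {"Promoted": "false", "Roles": "n/a", "Status": "Allowed", "User Name": "giusr"}
  ]
}"""

# Constructed sample showing what -local changes leave behind: xyz was granted
# platinum on node2 only, and abc was added on node1 only.
DRIFT_SAMPLE = """{
  "node1": [
    {"Promoted": "n/a", "Roles": "n/a", "Status": "Allowed", "User Name": "xyz"},
    {"Promoted": "n/a", "Roles": "n/a", "Status": "Allowed", "User Name": "abc"}
  ],
  "node2": [{"Promoted": "n/a", "Roles": "platinum", "Status": "Allowed", "User Name": "xyz"}]
}"""


def parse_lsusers(text):
    """Return {node: {user: {"status", "promoted", "roles"}}} from lsusers -json output."""
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON object found in lsusers output")
    nodes = {}
    for node, records in json.loads(text[start:]).items():
        users = {}
        for rec in records:
            roles_field = rec.get("Roles", "n/a").strip()
            roles = frozenset() if roles_field.lower() == "n/a" else frozenset(
                r.strip() for r in roles_field.split(",") if r.strip())
            users[rec["User Name"]] = {"status": rec.get("Status", ""),
                                       "promoted": rec.get("Promoted", "n/a").strip().lower(),
                                       "roles": roles}
        nodes[node] = users
    return nodes


def is_elevated(record):
    """True when the user can run compliance checks as root: via a privileged
    role, or via the older promotion mechanism (Promoted == true)."""
    return bool(record["roles"] & PRIVILEGED_ROLES) or record["promoted"] == "true"


def elevated_users(nodes):
    """{node: [(user, reason), ...]} for every user with elevated rights on that node."""
    result = {}
    for node, users in sorted(nodes.items()):
        found = []
        for user, rec in sorted(users.items()):
            if is_elevated(rec):
                found.append((user, ",".join(sorted(rec["roles"] & PRIVILEGED_ROLES)) or "promoted"))
        result[node] = found
    return result


def role_drift(nodes):
    """Users whose presence, status, promotion or roles differ between nodes:
    {user: {node: (status, promoted, roles) or "absent"}}. An empty result means
    every node shows the same access list, which is what cluster-wide commands produce."""
    drift = {}
    for user in sorted(set().union(*nodes.values())):
        views = {}
        for node in sorted(nodes):
            rec = nodes[node].get(user)
            views[node] = (rec["status"], rec["promoted"], tuple(sorted(rec["roles"]))) if rec else "absent"
        if len(set(views.values())) > 1:
            drift[user] = views
    return drift


def report(text):
    """Print both audits for one captured lsusers -json output."""
    nodes = parse_lsusers(text)
    for node, found in elevated_users(nodes).items():
        print(f"{node}: elevated: " + (", ".join(f"{u} ({why})" for u, why in found) or "none"))
    for user, views in role_drift(nodes).items():
        print(f"drift for {user}: " + "; ".join(f"{n}={v}" for n, v in views.items()))


if __name__ == "__main__":
    # Audit the two constructed samples; replace with captured tfactl output to audit a cluster.
    for sample in (SAMPLE_OUTPUT, DRIFT_SAMPLE):
        report(sample)
```

Run it as-is to see the elevated-user list for the documented sample and the drift report for the constructed -local sample; to audit a live cluster, pass the captured output of tfactl access lsusers -json to report() instead. Any user listed under drift is a candidate for a cluster-wide grant, revoke, add or remove (without -local) so that every node shows the same access list.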