Multi-User Access on Oracle Database Appliance

FAQs on Oracle Database Appliance Multi-User Access.

What are the advantages of enabling multi-user access on Oracle Database Appliance?

Multi-user access provides enhanced capabilities for authentication, authorization, resource ownership, and access control. This helps in providing an efficient mechanism for role separation. The Oracle Database Appliance administrator can create users with specific roles, limiting these users to only the operations allowed by that role. This role separation also restricts one user from accessing resources of other users, thereby ensuring resource ownership. This isolation removes barriers to consolidation. For example, creation and management of departmental databases can be delegated to different owners while maintaining separation. See the chapter Implementing Multi-User Access on Oracle Database Appliance in the Oracle Database Appliance Deployment and User's Guide for your hardware model for more information.

Is multi-user access enabled by default on provisioning Oracle Database Appliance?

No. Multi-user access is enabled only if you choose the option when you provision the appliance.

Can I enable multi-user access on my current Oracle Database Appliance deployment?

No. The option to enable multi-user access is available only for new deployments of Oracle Database Appliance. Existing Oracle Database Appliance systems provisioned before Oracle Database Appliance release 19.13 continue to function without the multi-user access feature even after patching to Oracle Database Appliance release 19.13 or later.

Can I disable multi-user access after enabling it during provisioning on Oracle Database Appliance?

No. Once enabled, multi-user access cannot be disabled. It is recommended that you provision the feature on your staging systems first, and then deploy it on your production system.

If I enable multi-user access on Oracle Database Appliance, do I need to enter my password every time I run an ODACLI command?

No. Once you log in with your Oracle Database Appliance account credentials, you are prompted for a password only when you run an ODACLI command for the first time. On successful authentication, an auth token is generated and used to authenticate subsequent ODACLI commands. For every ODACLI command, the authentication token is further refreshed for a time interval equal to the token expiration duration. This implies that if your system is not idle for more than the token expiration duration, you need to enter the password only once. The default value of token expiration duration is 120 minutes and can be configured at the time of provisioning of the appliance up to a maximum of 600 minutes. However, it is recommended that the Oracle Database Appliance administrator take the security policies of the organization into account when changing the token expiration duration from its default value.

With multi-user access enabled, I am logged into the appliance as the root user. Why do I need to enter my password every time in spite of authentication token support?

The authentication token support for ODACLI session management is linked to a multi-user access user account. Since root is an operating system administrative user and not a multi-user access user, auth token-based session management is not supported when a user logs in as root. Therefore, they must provide an Oracle Database Appliance account user name and password to run any ODACLI command.

Note that root access must be used only by the Oracle Database Appliance administrator and only for tasks that require root privileges. In all other cases, all multi-user access users in the system including odaadmin must use the Oracle Database Appliance credentials assigned to them.

Can I create new roles and entitlements?

No. This release supports default roles and entitlements and there is no provision for the odaadmin user to create new roles and entitlements.

What are the configurable parameters for multi-user access?

You can configure the following system settings:
  • Token expiration duration in minutes: The minimum value you can specify is 10 minutes, the maximum value is 600 minutes, and the default is 120 minutes.
  • Password expiration duration in days: The minimum value you can specify is 30 days, the maximum value is 180 days, and the default is 90 days.
  • Maximum failed login attempts allowed: The minimum value you can specify is 2, the maximum value is 5, and the default is 3.
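
The token behaviour described earlier in this FAQ, combined with the 10 to 600 minute limits listed above, modelled as an added example (not Oracle code; the function names and the sample timeline are assumptions made for illustration). It shows that the expiry is an idle timeout: a session that keeps running commands is never prompted again, which is worth weighing when raising the value.

```python
# Added illustration: models the FAQ's description of ODACLI auth tokens.
# Not Oracle code; names and the sample timeline are hypothetical.

# Limits in minutes, as stated in the FAQ: minimum, maximum, default.
TOKEN_MIN, TOKEN_MAX, TOKEN_DEFAULT = 10, 600, 120

# Constructed sample: minutes since login at which a user runs a command.
SAMPLE_TIMELINE = [0, 100, 210, 320, 500, 510]


def validate_token_expiration(minutes):
    """Reject a token expiration duration outside the documented range."""
    if not TOKEN_MIN <= minutes <= TOKEN_MAX:
        raise ValueError(
            f"token expiration must be {TOKEN_MIN}-{TOKEN_MAX} minutes, got {minutes}")
    return minutes


def password_prompts(command_times, expiration=TOKEN_DEFAULT):
    """Return the command times at which a password would be required.

    The first command prompts; every command refreshes the token for
    `expiration` minutes; a command run after more than `expiration`
    minutes of idle time prompts again.
    """
    expiration = validate_token_expiration(expiration)
    prompts, expires_at = [], None  # no token before the first authentication
    for t in sorted(command_times):
        if expires_at is None or t > expires_at:
            prompts.append(t)        # token absent or lapsed
        expires_at = t + expiration  # each command slides the expiry forward
    return prompts


def session_spans(command_times, expiration=TOKEN_DEFAULT):
    """Minutes each password entry stayed in use (prompt to last covered command)."""
    times = sorted(command_times)
    prompts = password_prompts(times, expiration)
    spans = []
    for i, start in enumerate(prompts):
        limit = prompts[i + 1] if i + 1 < len(prompts) else float("inf")
        covered = [t for t in times if start <= t < limit]
        spans.append(covered[-1] - start)
    return spans


if __name__ == "__main__":
    for minutes in (TOKEN_MIN, TOKEN_DEFAULT, TOKEN_MAX):
        print(minutes, password_prompts(SAMPLE_TIMELINE, minutes),
              session_spans(SAMPLE_TIMELINE, minutes))
```

With the default of 120 minutes, the sample timeline runs for 320 minutes on one password entry, well past the nominal token duration.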

I have enabled multi-user access but do not plan to create new users. Will all Oracle Database Appliance features work as before?

Yes. You can log in as the default user created with the role of oracleUser and gridUser during the provisioning of the appliance, for all your needs.

What happens if I forget my Oracle Database Appliance account password?

You can reset your Oracle Database Appliance account password after authorization from the Oracle Database Appliance administrator. You can reset the password using ODACLI or the BUI.

What happens if I enter the wrong password multiple times?

Your account is locked after consecutive failed login attempts, as defined by the Maximum failed login attempts allowed setting. You can unlock your account by resetting the password after getting authorization from the Oracle Database Appliance administrator. You can reset the password using ODACLI or the BUI.

I am a non-odaadmin user with ODA-DB role. Should I create a separate database home for my use?

The recommended practice is to create your own database home and then create databases in these database homes so that you have exclusive and full control of your database without anyone else being able to access it. However, in exceptional circumstances, you can request the Oracle Database Appliance administrator to grant you shared access to another database home. Creating a database on a shared database home restricts the operations you can perform on the database.

Are there any restrictions on the number of users that can be created on multi-user access enabled systems?

No. There is no maximum limit on the number of users that you can create on your deployment. The actual number of users depends on the availability of hardware resources such as CPU cores, disk space and memory on the appliance.