Learn how to create database users for the processes that interacts with the database, assign the correct privileges, and secure the credentials from unauthorized use.
Topics
The Oracle GoldenGate processes require one or more database credentials with the correct database privileges for the database version, database configuration, and Oracle GoldenGate features that you are using.
Create a source database user and a target database user, each one dedicated toOracle GoldenGate on the source and target systems. The assigned user can be the same user for all of the Oracle GoldenGate processes that must connect to a source or target Oracle Database.
Parent topic: Establishing Oracle GoldenGate Credentials
The Extract user performs metadata queries on the source database and fetches data from the source tables when needed. In a local mining deployment of integrated capture, this user also creates, alters, and connects to the logmining server and receives logical change records (LCR) from it. (See Deciding Which Capture Method to Use for more information about capture modes.)
If the source database is a multitenant container database, the Extract user must be a common user and must log into the root container. See Configuring Oracle GoldenGate in a Multitenant Container Database for more information.
You need to assign an additional user if Extract will be operating in integrated capture mode and you are using a downstream mining database. This user will be the mining user and is created in the downstream database. The mining user creates, alters, and connects to the log mining server on the mining database, and it receives logical change records (LCR) from it. This user can be the same as the source Extract user or different. Choose the name of the mining user carefully. Once created by this user, the database logmining server cannot be altered or used by another user. See Configuring a Downstream Mining Database for more information about configuring downstream mining.
Parent topic: Assigning Credentials to Oracle GoldenGate
The Replicat user creates the Replicat checkpoint table (if used) and applies DML and DDL operations through Oracle Call Interface or through a database inbound server, depending on the Replicat mode, see Deciding Which Apply Method to Use
Parent topic: Assigning Credentials to Oracle GoldenGate
A user is required in the source database for the Manager process if you are using Oracle GoldenGate DDL support. This user performs maintenance on the Oracle GoldenGate database objects that support DDL capture.
A user is required in either the source or target database for the DEFGEN utility. The location depends on where the data definition file is being generated. This user performs local metadata queries to build a data-definitions file that supplies the metadata to remote Oracle GoldenGate instances. For more information about the data-definitions file, see Administering Oracle GoldenGate.
Additional users or privileges may be required to use the following features, if Extract will run in classic capture mode:
RMAN log retention, see Log Retention Options.
TDE support, see Configuring Oracle TDE Data in Classic Capture Mode.
Parent topic: Assigning Credentials to Oracle GoldenGate
The user privileges that are required for Oracle GoldenGate depend on the database version and the Extract or Replicat process mode. For more information about process modes, see Choosing Capture and Apply Modes.
Parent topic: Assigning Credentials to Oracle GoldenGate
The following privileges apply to Oracle versions 11.2.0.4 or later.
| Privilege | ExtractClassic Mode | Extract Integrated Mode | Replicat All Modes | Purpose |
|---|---|---|---|---|
|
|
X |
X |
X |
Connect to the database |
|
|
X |
X |
X |
For Replicat, required only if Replicat owns target objects. Alternatively, use |
|
|
X |
X |
X |
Create objects If
|
|
|
X |
X |
Required for Oracle 12.1.0.1 only to issue the |
|
|
|
X |
X |
Perform administrative changes, such as enabling logging |
|
|
|
X |
X |
Required for multitenant architecture and |
|
|
Privileges granted through |
X |
X |
X |
(Extract) Grants privileges for both classic and integrated Extract, including the logmining server.(Replicat) Grants privileges for both nonintegrated and integrated replicat, including the database inbound server (Oracle 11.2.0.4 or later). |
|
Any or all of optional privileges of |
X |
X |
X |
See About the dbms_goldengate_auth.grant_admin_privilege Package for more information. |
|
|
X |
Apply replicated DML to target objects |
||
|
|
X |
Create a checkpoint table in target database |
||
|
DDL privileges on target objects (if using DDL support) |
X |
Issue replicated DDL on target objects |
||
|
|
X |
X |
DDL and sequence support |
|
|
|
X |
Lock target tables. Only required for initial load using direct bulk load to SQL*Loader. |
||
SELECT ANY DICTIONARY |
X | X | X | Allow all privileges to work properly on dictionary tables. |
|
|
X |
Use a newer Oracle ASM API. See Mining ASM-stored Logs in Classic Capture Mode. |
Parent topic: Granting the Appropriate User Privileges
The following privileges apply to Oracle versions 11.2.0.3 or earlier.
| Privilege | ExtractClassic Mode | ExtractIntegrated Mode | Replicat | Manager | Purpose |
|---|---|---|---|---|---|
|
and
|
X |
X |
X |
Connect to the database |
|
|
|
X |
X |
Perform administrative changes, such as enabling logging |
||
|
|
X |
X |
X |
Create objects If
|
|
|
|
X |
X |
X |
For Replicat, required only if Replicat owns target objects. Alternatively, use |
|
|
|
X |
X |
X |
Query data dictionary objects in the SYS schema |
|
|
or
|
X |
X |
Make flashback queries |
||
|
or
|
X |
X |
X |
Perform queries on any table |
|
|
|
X |
X |
|||
|
|
X |
Apply replicated DML to target objects |
|||
|
|
X |
Create a checkpoint table in target database |
|||
|
|
X |
X |
Call |
||
|
DDL privileges on target objects (if using DDL support) |
X |
Issue replicated DDL on target objects |
|||
|
|
X |
X |
DML privileges on Oracle GoldenGate DDL objects. Role is created by user with |
||
|
|
X |
Use parameters that maintain Oracle GoldenGate DDL objects |
|||
|
|
X |
Lock target tables. Only required for initial load using direct bulk load to SQL*Loader. |
|||
|
|
X |
Use a newer Oracle ASM API. See Mining ASM-stored Logs in Classic Capture Mode. |
|||
|
Privileges granted through |
X |
Interact with database logmining server |
|||
|
|
X |
Issue the Required for Oracle version >= 11.1.0.5 and <= 11.2.0.1. |
|||
|
|
X |
Issue the Required for Oracle version >= 11.1.0.5 and <= 11.2.0.1. |
Parent topic: Granting the Appropriate User Privileges
Most of the privileges that are needed for Extract and Replicat to operate in classic and integrated mode are granted through the dbms_goldengate_auth.grant_admin_privilege package.
The following grants base privileges for Oracle 11.2.0.4 and later. The first example is the default, which grants to both capture and apply. The second shows how to explicitly grant to either capture or apply (in this case, capture).
grant_admin_privilege('ggadm')
grant_admin_privilege('ggadm','capture');
The following grants base privileges for Oracle 11.2.0.3. The first example is the default, which grants to both capture and apply. The second shows how to explicitly grant to capture.
grant_admin_privilege('ggadm',grant_select_privileges=>true)
grant_admin_privilege('ggadm','capture',grant_select_privileges=>true)
Parent topic: Granting the Appropriate User Privileges
(Required) Enter introductory text here, including the definition and purpose of the concept.
Parent topic: Granting the Appropriate User Privileges
To preserve the security of your data, and to monitor Oracle GoldenGate processing accurately, do not permit other users, applications, or processes to log on as, or operate as, an Oracle GoldenGate database user.
Oracle GoldenGate provides different options for securing the log-in credentials assigned to Oracle GoldenGate processes. The recommended option is to use a credential store. You can create one credential store and store it in a shared location where all installations of Oracle GoldenGate can access it, or you can create a separate one on each system where Oracle GoldenGate is installed.
The credential store stores the user name and password for each of the assigned Oracle GoldenGate users. A user ID is associated with one or more aliases, and it is the alias that is supplied in commands and parameter files, not the actual user name or password. The credential file can be partitioned into domains, allowing a standard set of aliases to be used for the processes, while allowing the administrator on each system to manage credentials locally.
See Administering Oracle GoldenGate for more information about creating a credential store and adding user credentials.
Parent topic: Establishing Oracle GoldenGate Credentials