You can establish command security for Oracle GoldenGate to control which users have access to which Oracle GoldenGate functions.
Note: The GGSCI program is only available in the Oracle GoldenGate CA.
For example, you can allow certain users to issue INFO and STATUS commands, while preventing their use of START and STOP commands. Security levels are defined by the operating system's user groups.
To implement security for Oracle GoldenGate commands, you create a CMDSEC file in the Oracle GoldenGate directory. Without this file, access to all Oracle GoldenGate commands is granted to all users.
Note: The security of the GGSCI program is controlled by the security controls of the operating system.
The following example illustrates the correct implementation of a CMDSEC file on a UNIX system.
Table 13-1 Sample CMDSEC File with Explanations
File Contents | Explanation |
---|---|
#GG command security | Comment line |
STATUS REPLICAT * Smith NO | |
STATUS * dpt1 * YES | Except for the preceding rule, all users in |
START REPLICAT root * YES | |
START REPLICAT * * NO | Except for the preceding rule, |
* EXTRACT 200 * NO | All |
* * root root YES | Grants the |
* * * * NO | Denies all commands to all users. This line covers security for any other users that were not explicitly granted or denied access by preceding rules. Without it, all commands would be granted to all users except for preceding explicit grants or denials. |
The following incorrect example illustrates what to avoid when creating a CMDSEC file.
Table 13-2 Incorrect CMDSEC Entries
File Contents | Description |
---|---|
STOP * dpt2 * NO | All |
STOP * * Chen YES | All |
The order of the entries in Table 13-2 causes a logical error. The first rule (line 1) denies all STOP commands to all members of group dpt2. The second rule (line 2) grants all STOP commands to user Chen. However, because Chen is a member of the dpt2 group, he has been denied access to all STOP commands by the first rule, even though he is supposed to have permission to issue them.
The proper way to configure this security rule is to set the user-specific rule before the more general rule(s). Thus, to correct the error, you would reverse the order of the two STOP rules.
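The ordering problem from Table 13-2, worked through as an added example (not Oracle code and not how GGSCI itself is implemented). It assumes a simplified model: five whitespace-separated fields per rule, `*` as the only wildcard, rules checked from the top down with the first match deciding, and access granted when no rule matches. The function names and the group membership passed in are hypothetical.

```python
# Simplified model of CMDSEC evaluation (added example, not Oracle code).
# Assumptions: five whitespace-separated fields per rule
# (command, object, OS group, OS user, YES/NO), "*" is the only wildcard,
# rules are checked top to bottom, the first match decides, and a command
# that matches no rule is allowed.

def parse_cmdsec(text):
    """Return a list of (command, object, group, user, allow) tuples."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment line
        fields = line.split()
        if len(fields) != 5 or fields[4].upper() not in ("YES", "NO"):
            raise ValueError(f"line {lineno}: malformed rule: {line!r}")
        cmd, obj, group, user, access = fields
        rules.append((cmd.upper(), obj.upper(), group, user, access.upper() == "YES"))
    return rules


def _match(pattern, value):
    return pattern == "*" or pattern == value


def is_allowed(rules, command, obj, user, groups):
    """First matching rule wins; with no matching rule the command is allowed."""
    for cmd, robj, group, ruser, allow in rules:
        if (_match(cmd, command.upper()) and _match(robj, obj.upper())
                and (group == "*" or group in groups)
                and _match(ruser, user)):
            return allow
    return True


# Constructed inputs: the two rules from Table 13-2, then the same rules reversed.
INCORRECT = "STOP * dpt2 * NO\nSTOP * * Chen YES\n"
CORRECTED = "STOP * * Chen YES\nSTOP * dpt2 * NO\n"


def chen_can_stop(cmdsec_text):
    # Chen's membership in dpt2 is supplied by the caller in this model.
    return is_allowed(parse_cmdsec(cmdsec_text), "STOP", "EXTRACT", "Chen", {"dpt2"})


if __name__ == "__main__":
    print("incorrect order:", chen_can_stop(INCORRECT))  # False
    print("corrected order:", chen_can_stop(CORRECTED))  # True
```

With the corrected order, other members of dpt2 are still denied STOP, because only the user-specific rule for Chen precedes the group rule.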
The security of the GGSCI program and that of the CMDSEC file is controlled by the security controls of the operating system. Because the CMDSEC file is a source of security, it must be secured. You can grant read access as needed, but Oracle GoldenGate recommends denying write and delete access to everyone but Oracle GoldenGate Administrators.