This chapter describes how to implement instance-level security in Oracle GoldenGate Monitor 12c (12.2.1).
In addition to the existing functional-level security, instance-level security is available in Oracle GoldenGate Monitor 12c (12.2.1) to restrict individual user access to different hosts/instances.
The following instance access rules apply:
A Super Administrator will always have access to all the Oracle GoldenGate Monitor Java Agent instances, and can always assign instances directly to users who belong to the Operator/Power Operator and Administrator roles.
Administrators are not authorized to make any changes to the instances mapped to Super Administrators and other Administrators. Administrators can map and un-map instances (that is, instances that are accessible by the currently logged-in Administrator) only for Operators and Power Operators.
Administrators and Operators/Power Operators can have shared instance access; that is, multiple users can have access to the same instances from the instance pool; for example, Pool [1, 2, 3, 4, 5]: Ad1 --> [1, 2, 3], Ad2 --> [3, 4, 5]
A Super Administrator will always have the full/combined set of instances accessible to Operators/Power Operators, which are granted by different Administrators. A Super Administrator can override the instances assigned to Operators/Power Operators by an Administrator; for example: a user logs in as a Super Administrator and clicks on the user Opr1. The Super Administrator should see that only instances 1, 2, 3, 4, 5 are enabled because the user Admin2 has access to instances 3, 4, 5 and had previously assigned 3, 4, 5 instance access to user Opr1.
Administrators can reassign the instances deleted by the Super Administrator to Operators/Power Operators, provided the Administrator has access to those instances.
If an Administrator is deleted, the instances assigned to any Operators or Power Operators will remain as is. In the absence of the deleted Administrator, the instances owned by Operators or Power Operators will be administered by the Super Administrator.
A user can be assigned multiple roles. Oracle GoldenGate Monitor will consider the highest role for that user; for example, Admin1 can be both a Super Administrator and an Administrator.
The following scenario shows how the preceding rules are applied during role/instance assignment. The roles used in this example are:
SA: Super Admin
JI: Jagent Instance
Ad1, Ad2: Administrators
Opr1, Opr2: Operators
PowerOpr1, PowerOpr2: Power Operators
The available Oracle GoldenGate Monitor Java Agent Instances are: {1, 2, 3, 4, 5}
These steps illustrate how roles are assigned specific instances:
SA: Has access to JI 1,2,3,4,5
SA: Assigns JI 1,2,3 to Ad1
SA: Assigns JI 3,4,5 to Ad2
Ad1: Assigns JI 1,2,3 to Opr1
Ad2: Assigns JI 3,4,5 to Opr1
Ad1: Assigns JI 1,2,3 to PowerOpr1
Ad2: Assigns JI 3,4,5 to PowerOpr1
When a user tries to access an instance that is not assigned to him or her, the user will see a message saying that he or she does not have access to the instance. The same behavior applies to the solutions/Views that are part of a specific instance.
Logged In User | Edit User: Super Administrator Instance(s) | Edit User: Administrator Instance(s) | Edit User: Operator Instance(s) | Edit User: Power Operator Instance(s) |
---|---|---|---|---|
Logged in as Super Administrator | Disabled | Enabled | Enabled | Enabled |
Logged in as Administrator | Disabled | Disabled | Enabled | Enabled |
Note:
Users can create alerts for the instance objects that are not accessible by that user.
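The access rules, scenario and edit matrix above, modelled as an added Python example that is not Oracle's code or part of the original chapter. The class and method names (`InstanceAcl`, `assign`, `unassign`, `can_edit`) are hypothetical; the user names and instance pool are the ones from the scenario.

```python
# Added illustration: a minimal model of the rules, not Oracle GoldenGate Monitor code.
RANK = {"Operator": 1, "Power Operator": 1, "Administrator": 2, "Super Administrator": 3}

class InstanceAcl:
    def __init__(self, pool):
        self.pool = set(pool)            # all Java Agent instances
        self.roles, self.grants = {}, {} # user -> role names / assigned instance ids

    def add_user(self, user, *roles):
        self.roles[user] = set(roles)
        self.grants[user] = set()

    def rank(self, user):
        # A user holding several roles is treated as the highest of them.
        return max(RANK[r] for r in self.roles[user])

    def accessible(self, user):
        # A Super Administrator always has access to every instance.
        return set(self.pool) if self.rank(user) == 3 else set(self.grants[user])

    def can_edit(self, actor, target):
        # Edit matrix: only Administrators and above edit, and only lower roles.
        return self.rank(actor) >= 2 and self.rank(target) < self.rank(actor)

    def _check(self, actor, target, instances):
        if not self.can_edit(actor, target):
            raise PermissionError(f"{actor} may not edit {target}")
        if not set(instances) <= self.accessible(actor):
            raise PermissionError(f"{actor} has no access to some of {sorted(instances)}")

    def assign(self, actor, target, instances):
        self._check(actor, target, instances)
        self.grants[target] |= set(instances)

    def unassign(self, actor, target, instances):
        self._check(actor, target, instances)
        self.grants[target] -= set(instances)

    def delete_user(self, user):
        del self.roles[user], self.grants[user]  # grants made to others remain as is

def scenario():
    acl = InstanceAcl({1, 2, 3, 4, 5})   # pool and user names from the scenario
    for user, role in [("SA", "Super Administrator"), ("Ad1", "Administrator"),
                       ("Ad2", "Administrator"), ("Opr1", "Operator")]:
        acl.add_user(user, role)
    for actor, target, inst in [("SA", "Ad1", {1, 2, 3}), ("SA", "Ad2", {3, 4, 5}),
                                ("Ad1", "Opr1", {1, 2, 3}), ("Ad2", "Opr1", {3, 4, 5})]:
        acl.assign(actor, target, inst)
    return acl
```

Calling `scenario()` leaves Opr1 with the combined set {1, 2, 3, 4, 5}, while an attempt by Ad1 to assign instance 4 raises `PermissionError` because Ad1 has no access to it.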