5 Implementing Multi-User Access on Oracle Database Appliance

Understand how multi-user access can be implemented on Oracle Database Appliance, its advantages and restrictions and the associated life cycle management changes for your appliance.

Caution:

You can enable multi-user access only at the time of provisioning Oracle Database Appliance on bare metal systems and cannot rollback multi-user access after you provision and deploy your appliance. The Oracle Database Appliance administration model changes when you deploy the Multi-User Access feature. Evaluate your role separation requirements before using this feature. Deploying on a test system first can help with the evaluation and assessment of the new administration model.

Note:

You cannot enable multi-user access on Oracle Database Appliance DB systems. DB systems do not require role separation since you can create only one database on each DB system.

About Multi-User Access on Oracle Database Appliance

Before provisioning your appliance, understand how multi-user access can enhance the security of the system and provide an efficient mechanism for role separation.

Currently, a single Oracle Database Appliance account with user name and password is used to securely connect to the appliance, run ODACLI commands, or log into the BUI. The root user performs all administration on an Oracle Database Appliance. With multi-user access, you have the option of providing separate access to database administrators to manage databases. The display of resources within the Browser User Interface is also filtered according to the user's role. Root access is restricted to the Oracle Database Appliance system administrator, who needs it to access system logs or debug issues that require root privileges.

When you enable multi-user access, you create multiple users with different roles that restrict them from accessing resources created by other users and also restrict the set of operations they can perform using ODACLI commands or the Browser User Interface (BUI). The same user credentials that you set up can be used for logging into the BUI and for running ODACLI commands. The BUI also displays resources and information based on the user's access to the set of resources. A separate Multi-User Access Management tab is available only to the odaadmin user to administer the users and resources in the system.

Note:

When you enable multi-user access, the Oracle Database Appliance administrator is odaadmin. This user has access to all the resources on the appliance and can run any operations using ODACLI or the BUI using the same set of credentials. When you do not enable multi-user access, the user name you use to log into BUI is oda-admin.

Note:

The authentication token support for ODACLI session management is linked to a multi-user access user account. Since root is an operating system administrative user and not a multi-user access user, auth-token-based session management is not supported when a user logs in as root. Therefore, you must provide an Oracle Database Appliance account user name and password to run any ODACLI command.

Benefits of enabling multi-user access

  • The multi-user access feature supports user lifecycle management such as creation, activation, update, deactivation, deletion, and credential management.
  • By using multi-user access, multiple departments such as finance and human resources within the same organization can use Oracle Database Appliance as a consolidation platform for hosting their databases in a secure manner as only the authorized users in the respective departments can access their departmental databases and perform lifecycle management operations on the databases.
  • Organizations that have root access policy restrictions can use multi-user access and create separate users with restricted roles.
  • Without multi-user access, all databases were created as the default database user chosen during provisioning. Hence, even in a sudo-based multi-user environment, the ODA administrator could not track usage of resources. Now such reporting is possible at the database level.
  • The multi-user access feature supports token-based session management. A user enters the password only when they run the first odacli command. Subsequently, a token is generated and, until it expires, the user is not required to enter the password again. Each time an odacli command is run, the existing token is refreshed with a new token that expires after 120 minutes or after the value configured by the odaadmin user. This means that as long as the odacli session is not idle for the expiry duration, the user does not need to enter the password again.
  • Both Basic Auth and mTLS modes of authentication are supported. ODACLI and the BUI use Basic Auth. Users such as oracle and grid can also run certain operations on the DCS agent using mTLS-based authentication. Basic Auth is a password-based authentication scheme. mTLS is a certificate-based authentication scheme where both the client (user) and the server (DCS agent) mutually present and authenticate each other's certificate before the authentication is deemed complete.
  • Multi-user access provides for user account locking on multiple failed login attempts and password expiration. You can also unlock and reset the account in case the password is forgotten.

Note:

You can enable multi-user access only at the time of provisioning Oracle Database Appliance and cannot rollback multi-user access after you provision and deploy your appliance. Provision the feature on your test system first, and then deploy this feature on your production system.

About Users, Roles, Entitlements, and Operations on a Multi-User Access Enabled Oracle Database Appliance System

Understand the users, roles, entitlements, and operations when you provision your appliance with multi-user access enabled.

Note:

Note that in a multi-user access enabled deployment, the oda-admin user is not present. The ODA admin user name is odaadmin. The first user with administrative privileges is called odaadmin. This user can log into the BUI and run ODACLI commands. This user can also create other user accounts with roles and entitlements as required.

About Roles, Entitlements, and Operations

Each user can be assigned one or more roles in a multi-user enabled Oracle Database Appliance system. Each role encompasses a set of entitlements that authorizes a user to perform only a specific set of operations using ODACLI or the BUI. Each entitlement, in turn, is a group of similar operations. For example, PROVISIONDB-MGMT is an entitlement that encompasses provisioning-related operations such as create-database, clone-database, delete-database, and register-database. Similarly, BACKUPDB-MGMT encompasses backup-related operations such as create-backup, delete-backup, irestore-database, recover-database, and so on. The ODA-DB role has access to a collection of entitlements such as PROVISIONDB-MGMT, BACKUPDB-MGMT, and PATCHDB-MGMT. A user with the ODA-DB role can perform all the database lifecycle management operations on the databases that they own. Additionally, if a user with the ODA-DB role is granted the ODA-GRID role as well, this user can also perform Oracle Grid Infrastructure-related operations.

Roles can be internal or external. Internal roles are assigned to system users and are used internally for the purpose of administration of the Oracle Database Appliance system. For example, the ODA-ADMINISTRATOR role is assigned to the Oracle Database Appliance system administrator to manage the appliance or associated entities. Another example is a DB system communicating with the bare metal using a system user with the role of ODA-DBVMINFRA.

External roles can be granted to the new users created by odaadmin, the Oracle Database Appliance system administrator. For example, the odaadmin creates a new user odadb1 with the role of ODA-DB. Now this user odadb1 is entitled to create databases and perform lifecycle management operations because of the role granted to them. A user can have one or more roles.

The topic ODACLI Command Changes with Multi-User Access on Oracle Database Appliance describes the ODACLI commands that have changes for multi-user access and the entitlements required to run the commands.

Multi-User Access User Roles

When you enable multi-user access on Oracle Database Appliance, the following user roles are available:

  • ODA-ADMINISTRATOR: This is an internal role assigned to the first user (odaadmin) created during the provisioning of an Oracle Database Appliance. This role entitles odaadmin to run all ODACLI commands or perform all Browser User Interface (BUI) operations. This role cannot be assigned to the new users that odaadmin creates. The odaadmin account is an administrator role that can run any operation (command) on any resource. For example, user oda1 creates a database db1 and user oda2 creates a database db2. Each user can now perform lifecycle management operations on their respective database only. But, odaadmin can patch both databases by running odacli commands. This allows both DBAs (oda1 and oda2) and an overall administrator (odaadmin) to perform functions specific to their role.
  • ODA-DB: This is an external role available to odaadmin to assign to newly-created users. This role entitles the user to perform database management operations such as create, modify, restore, recover, backup, patch, clone, move, register, and delete.
  • ODA-OAKDROOT: This is an internal role that is assigned to system user oakdroot created during provisioning and is used by OAKD to execute certain operations such as get-disks and release-disks on the DCS agent.
  • ODA-GRID: This is an internal role assigned to the grid user. This role entitles the user to run Oracle Grid Infrastructure-related operations.
  • ODA-DBVMINFRA: This is an internal role assigned to the DBVM user created on the bare metal system when the DB system is provisioned. This role entitles the user to synchronize metadata between the DB system and the bare metal system.

About Granting and Revoking Resource Access

Multi-user access allows exclusive or shared access to resources. Review this example about shared resource access.

Multi-user access allows exclusive or shared access to resources. It is recommended that each user creates their own database home and then creates databases in that home. This provides an efficient separation of duties where each user has exclusive access to their databases. However, in certain exceptional situations, such as lack of disk space, a user can request the administrator odaadmin to grant them shared access to a resource owned by another user.

For example, suppose user oda1 wants to create a database of version 19c and there is already a database home DBH2 of the same version created by another user oda2. With the consent of user oda2, user oda1 can request the odaadmin user to grant them shared access to database home DBH2. Once the shared access is granted, user oda1 can create a database db1 on the shared database home DBH2 and manage it. Note that user oda1 can connect to the database db1 only through the SYS user password and not through a password-less connection based on operating system authentication, because the database home DBH2 is still owned by user oda2. Oracle Database Appliance resources such as database homes, database storage, and databases can be shared across users in a similar fashion on an on-demand basis. However, there are restrictions on the secondary owner managing the shared resource.
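The following is an added illustrative model (not the DCS agent's code) of the two checks described above and in "About Roles, Entitlements, and Operations": the user's roles must grant the operation, and the user must own the target resource or hold shared access to it. The entitlement and operation names are those listed on this page, except "patch-database", which is an assumed stand-in for the PATCHDB-MGMT operations; treating shared access as "use but not manage" is a simplification of the restrictions mentioned for the secondary owner.

```python
"""Toy model of the role -> entitlement -> operation rules and the resource
ownership/shared-access rules described above. Added example, not the DCS
agent's code. "patch-database" stands in for the PATCHDB-MGMT operations,
and the use-versus-manage split on shared resources is an assumption."""

# Entitlement -> operations it groups (names as listed in the text).
ENTITLEMENTS = {
    "PROVISIONDB-MGMT": {"create-database", "clone-database",
                         "delete-database", "register-database"},
    "BACKUPDB-MGMT": {"create-backup", "delete-backup",
                      "irestore-database", "recover-database"},
    "PATCHDB-MGMT": {"patch-database"},          # assumed operation name
}

# Role -> entitlements. ODA-ADMINISTRATOR is modelled as every entitlement.
ROLES = {
    "ODA-DB": {"PROVISIONDB-MGMT", "BACKUPDB-MGMT", "PATCHDB-MGMT"},
    "ODA-ADMINISTRATOR": set(ENTITLEMENTS),
}

# Assumption: a user with *shared* access may only run operations that use
# the resource (create a database in a shared home), not ones that manage it.
USE_ONLY_ON_SHARED = {"create-database", "clone-database", "register-database"}


class AccessModel:
    def __init__(self):
        self.user_roles = {}   # user name -> set of role names
        self.resources = {}    # resource id -> {"owner": str, "shared_with": set}

    def add_user(self, name, roles):
        unknown = set(roles) - set(ROLES)
        if unknown:
            raise ValueError(f"unknown role(s): {sorted(unknown)}")
        self.user_roles[name] = set(roles)

    def create_resource(self, owner, resource_id):
        # Whoever creates a database or database home owns it.
        self.resources[resource_id] = {"owner": owner, "shared_with": set()}

    def is_admin(self, name):
        return "ODA-ADMINISTRATOR" in self.user_roles[name]

    def set_resource_access(self, actor, resource_id, grantee, shared):
        """Model of odacli grant-resource-access / revoke-resource-access:
        only odaadmin may change sharing. Returns True when applied."""
        if not self.is_admin(actor):
            return False
        shared_with = self.resources[resource_id]["shared_with"]
        (shared_with.add if shared else shared_with.discard)(grantee)
        return True

    def entitled_operations(self, name):
        ops = set()
        for role in self.user_roles[name]:
            for entitlement in ROLES[role]:
                ops |= ENTITLEMENTS[entitlement]
        return ops

    def is_allowed(self, name, operation, resource_id):
        """Two independent checks: the role must grant the operation, and the
        user must own the target resource or hold shared access to it."""
        if operation not in self.entitled_operations(name):
            return False
        if self.is_admin(name):
            return True                       # any operation on any resource
        res = self.resources[resource_id]
        if res["owner"] == name:
            return True
        if name in res["shared_with"]:
            return operation in USE_ONLY_ON_SHARED
        return False


def demo():
    """The oda1/oda2/odaadmin scenario from the text, with odaadmin granting
    oda1 shared access to oda2's database home DBH2."""
    m = AccessModel()
    m.add_user("odaadmin", {"ODA-ADMINISTRATOR"})
    m.add_user("oda1", {"ODA-DB"})
    m.add_user("oda2", {"ODA-DB"})
    m.create_resource("oda1", "db1")
    m.create_resource("oda2", "db2")
    m.create_resource("oda2", "DBH2")
    m.set_resource_access("odaadmin", "DBH2", "oda1", shared=True)
    return m
```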

Provisioning Oracle Database Appliance with Multi-User Access

You can enable multi-user access only when you provision Oracle Database Appliance, using CLI commands or the Browser User Interface.

Provision your appliance as described in the chapter Provisioning Oracle Database Appliance Bare Metal System.

Note:

You can specify the token expiration duration, password expiration duration, maximum failed login attempts, and other details when you provision a multi-user access enabled Oracle Database Appliance with a JSON file. You cannot specify these values when you use the Browser User Interface to provision your multi-user access enabled Oracle Database Appliance.

Overall Steps in Provisioning Oracle Database Appliance with Multi-User Access Enabled

  1. Enable multi-user access.
    • If you provision your appliance using a JSON file, then add the attribute "isMultiUserAccessEnabled": true in the prov_req.json file. If the attribute is set to false or does not exist in the prov_req.json file, then multi-user access is not enabled during provisioning of the appliance.
      "isRoleSeparated": true,
      "isMultiUserAccessEnabled": true,
      "osUserGroup": {
          "groups": [{
                  "groupId": 1001,
                  "groupName": "oinstall",
                  "groupRole": "oinstall"
              },
      ...
      You can also set the multi-user access attributes by adding the following in the JSON file:
        },
        "asr": null,
        "multiUserAccess": {
          "dcsUserPasswdExpDurationInDays": 90,
          "tokenExpirationInMins": 120,
          "maxNumFailedLoginAttempts": 3
        }
      }
      The values for these attributes are as follows:
      • Token expiration duration in minutes: The minimum value you can specify is 10 minutes, the maximum value is 600 minutes, and the default is 120 minutes.
      • Password expiration duration in days: The minimum value you can specify is 30 days, the maximum value is 180 days, and the default is 90 days.
      • Maximum failed login attempts allowed: The minimum value you can specify is 2, the maximum value is 5, and the default is 3.
    • If you create the appliance using the Browser User Interface (BUI), then select the Enable Multi-User Access (N/A for DB System) checkbox in the BUI login page.
  2. Provide passwords for the odaadmin, oracle, and grid users. These are Oracle Database Appliance system users and their accounts are activated during creation. The user odaadmin is created with the role of ODA-ADMINISTRATOR, while the oracle and grid users are created with the roles of ODA-DB and ODA-GRID respectively.
  3. The system configures the multi-user access repository with a list of roles and entitlements, used for assigning to the users in the system.
  4. You can now log into the appliance with the newly-created user credentials and deploy databases.
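Because multi-user access cannot be rolled back after provisioning, it is worth checking the prov_req.json fragment before you submit it. The following added example (not part of the Oracle documentation or ODA tooling) validates the attributes and ranges documented in step 1 against two constructed sample fragments and reports the settings the appliance would end up with.

```python
"""Pre-flight check of the multi-user access attributes in a prov_req.json.
Added example, not part of the Oracle documentation or ODA tooling: the
attribute names and bounds are the ones documented above; the two JSON
fragments are constructed samples."""
import json

# Attribute -> (minimum, maximum, default), as documented for provisioning.
BOUNDS = {
    "tokenExpirationInMins": (10, 600, 120),
    "dcsUserPasswdExpDurationInDays": (30, 180, 90),
    "maxNumFailedLoginAttempts": (2, 5, 3),
}

# Constructed sample: correct fragment with explicit settings.
GOOD_FRAGMENT = """{
  "isRoleSeparated": true,
  "isMultiUserAccessEnabled": true,
  "multiUserAccess": {
    "dcsUserPasswdExpDurationInDays": 90,
    "tokenExpirationInMins": 120,
    "maxNumFailedLoginAttempts": 3
  }
}"""

# Constructed sample: the flag is a string, not a boolean, so the feature
# would silently stay off, and two values fall outside their ranges.
BAD_FRAGMENT = """{
  "isRoleSeparated": true,
  "isMultiUserAccessEnabled": "true",
  "multiUserAccess": {
    "tokenExpirationInMins": 5,
    "maxNumFailedLoginAttempts": 10
  }
}"""


def load_fragment(text):
    return json.loads(text)


def _valid_int(value, lo, hi):
    # bool is a subclass of int in Python; reject it explicitly.
    return isinstance(value, int) and not isinstance(value, bool) and lo <= value <= hi


def check_multi_user_access(cfg):
    """Return a list of problems; an empty list means the fragment will enable
    multi-user access with acceptable settings."""
    problems = []
    if cfg.get("isMultiUserAccessEnabled") is not True:
        problems.append("isMultiUserAccessEnabled is not the JSON boolean true: "
                        "multi-user access will not be enabled and cannot be "
                        "enabled after provisioning")
    mua = cfg.get("multiUserAccess")
    if mua is None:
        return problems                     # documented defaults apply
    if not isinstance(mua, dict):
        return problems + ["multiUserAccess must be a JSON object"]
    for key, value in mua.items():
        if key not in BOUNDS:
            problems.append(f"unknown multiUserAccess attribute: {key}")
        elif not _valid_int(value, *BOUNDS[key][:2]):
            lo, hi, _ = BOUNDS[key]
            problems.append(f"{key}={value!r} is not an integer in {lo}..{hi}")
    return problems


def effective_settings(cfg):
    """Settings the appliance would end up with: documented defaults, replaced
    by any value in the fragment that is within range."""
    settings = {key: default for key, (_, _, default) in BOUNDS.items()}
    mua = cfg.get("multiUserAccess")
    if isinstance(mua, dict):
        for key, (lo, hi, _) in BOUNDS.items():
            if key in mua and _valid_int(mua[key], lo, hi):
                settings[key] = mua[key]
    return settings


if __name__ == "__main__":
    for label, text in (("good", GOOD_FRAGMENT), ("bad", BAD_FRAGMENT)):
        cfg = load_fragment(text)
        print(label, check_multi_user_access(cfg), effective_settings(cfg))
```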

Provisioning Oracle Database Appliance Using the Browser User Interface with Multi-User Access Enabled

  1. Access the Browser User Interface:
    https://host-ip-address:7093/mgmt/index.html
  2. For the first login, since the odaadmin role is not configured, you are prompted to provide the ODA password and enable multi-user access.
  3. Select Enable Multi-User Access (N/A for DB System) and provide a strong password for the ODA user. Click Submit. A confirmation message is displayed on successful creation of the user.
  4. Click OK. You are redirected to the Login page.
  5. Specify the User Name and ODA Password and click Login. Note that the ODA admin user name is odaadmin if multi-user access is enabled. If multi-user access is not enabled, then the ODA admin user name is oda-admin.
  6. In the Create Appliance page, specify the details for creating the appliance. See the topic Creating the Appliance for detailed information about the information you need to provide.
  7. Select Assign same password for admin, oracle, grid users if you want to specify the same password for all users. Otherwise, specify different passwords for the system admin, oracle, and grid users.
  8. Click Submit to create the appliance with multi-user access enabled.
  9. The job is submitted and a confirmation page appears with a link to the job. Click the link to view the job progress, tasks, and status. After you close the Job confirmation page, you can click the Activity tab to monitor the job progress. Click the job number to view the tasks and status details. Click Refresh to refresh the page.

Creating, Viewing, and Deleting Users on Oracle Database Appliance with Multi-User Access

After provisioning the appliance with multi-user access enabled, you can create users with specific entitlements.

After you provision your appliance with multi-user access enabled, do the following:

Creating, Viewing, and Deleting Users with ODACLI Commands

  1. Connect to the appliance as the odaadmin user.
    ssh odaadmin@oda-box hostname/IP
  2. Run any ODACLI command and provide the odaadmin password when prompted.
  3. On successful authentication, create a user with the following command:
    odacli create-user -u username -r comma-separated role names
    For example, create a user dbuser1 with lifecycle management privileges for databases:
    odacli create-user -u dbuser1 -r ODA-DB

    The odaadmin user creates dbuser1 and assigns a temporary password.

  4. After the user is created successfully, the dbuser1 can log into the appliance with the temporary password.
  5. The dbuser1 is in the Inactive state. Activate the user with the following command:
    odacli activate-user

    You are prompted to change the password. Enter the temporary password, the new password, and confirm the new password.

  6. Use the new password to connect by SSH into the appliance and run ODACLI commands or connect to the Browser User Interface.
  7. The odaadmin user can view all the users in the system:
    # odacli list-users
  8. The odaadmin user can view details for a user in the system:
    # odacli describe-user -u user_id
  9. Delete a user in the system. Note that only the odaadmin user can delete a user in the system.
    # odacli delete-user -u user_id

Creating, Viewing, and Deleting Users with Browser User Interface

  1. Log into the Browser User Interface as the odaadmin user:
    https://host-ip-address:7093/mgmt/index.html
  2. Click the Multi-User Access tab.
  3. Click the Users link on the left-hand pane.
  4. Click Create User.
  5. In the Create User page, provide the User ID, specify the Role, and provide the ODA Password for this user. Note that the same user credentials work for login for BUI and ODACLI commands.
  6. Optionally, click Generate mTLS Certificate to enable mTLS-based authentication.
  7. Click Create.
  8. The job is submitted and a confirmation page appears with a link to the job. Click the link to view the job progress, tasks, and status. After you close the Job confirmation page, you can click the Activity tab to monitor the job progress. Click the job number to view the tasks and status details. Click Refresh to refresh the page.
  9. In the Multi-User Access tab, on the Users page, click on the link for the user whose details you want to view.
  10. To delete a user, log in as the odaadmin user. In the Actions drop-down list, select Delete. Note that only a user of type Custom can be deleted.

Activating a New User on Oracle Database Appliance with Multi-User Access

Understand how to activate a new user on multi-user access enabled Oracle Database Appliance.

Activating the New User on Multi-User Access Enabled System Using ODACLI Commands

  1. After a new user is created by odaadmin successfully, the new user, for example, dbuser1 can log into the appliance with the temporary password.
  2. Activate the user with the following command:
    odacli activate-user

    You are prompted to change the password. Enter the temporary password, the new password, and confirm the new password.

Activating the New User on Multi-User Access Enabled System Using Browser User Interface

  1. After a new user is created by odaadmin, log into the Browser User Interface as the new user:
    https://host-ip-address:7093/mgmt/index.html
  2. Specify the User Name and the temporary password in the ODA Password field.
  3. Since this is a new account, the Account Status is Inactive. You are prompted to specify and confirm a new password.
  4. Specify and confirm the Password and click Submit.
  5. On successful password change, log into the Browser User Interface with the new password.

Granting and Revoking Resource Access on Oracle Database Appliance with Multi-User Access

You can grant and revoke resource access on the appliance.

Granting and Revoking Resource Access with ODACLI Commands

  • Grant or revoke access to a resource in a multi-user access enabled system:
    # odacli grant-resource-access -ri resource_ID -u user_name
    # odacli revoke-resource-access -ri resource_ID -u user_name
  • View access to a DCS resource in a multi-user access system:
    # odacli describe-resource-access -ri resource_ID
  • View access to all DCS resources defined in a multi-user access system:
    # odacli list-resources-access -ao -rn resource_name -rt resource_type

Granting and Revoking Resource Access with Browser User Interface

  1. Log into the Browser User Interface as odaadmin:
    https://host-ip-address:7093/mgmt/index.html
  2. Click the Multi-User Access tab.
  3. Click the Resources link on the left-hand pane.
  4. Click on a Resource to view more details.
  5. For a Resource, in the Actions drop down list, select Grant Resource Access to grant the user shared access to a resource. Select the User Name from the drop-down list and click Grant. Click Yes to confirm and submit the job.
  6. Select Revoke Resource Access to revoke access to a resource from a user. Select the User Name from the drop-down list and click Revoke. Click Yes to confirm and submit the job.

Viewing Roles, Operations, and Entitlements on Oracle Database Appliance with Multi-User Access

You can view roles and entitlements on the appliance.

Viewing Roles, Operations, and Entitlements with ODACLI Commands

Note:

For Oracle Database Appliance release 19.13, the multi-user access feature is available for standalone Oracle Database Appliance systems. During provisioning, a single domain and tenancy is created by default and all users are created within the default domain and tenancy.

  • View all the roles defined in the system:
    # odacli list-user-roles
  • View details for a user role in the system:
    # odacli describe-user-role -n role_name
  • View all the entitlements defined in the system:
    # odacli list-user-entitlements
  • View details for an entitlement in the system:
    # odacli describe-user-entitlement -n entitlement_name
  • View all the operations defined in the system:
    # odacli list-user-operations
  • View details for an operation in the system:
    # odacli describe-user-operation -n operation_name
  • View the domains defined in the system. In this release, this is the default domain.
    # odacli list-domains
  • View details for a domain in the system:
    # odacli describe-domain -dn domain_name
  • View the tenants in a multi-user access enabled domain. In this release, this is the default tenancy.
    # odacli list-tenants
  • View details for a tenant in a multi-user access enabled domain:
    # odacli describe-tenant -tn tenant_name

Viewing Roles, Operations, and Entitlements with Browser User Interface

  1. Log into the Browser User Interface as odaadmin:
    https://host-ip-address:7093/mgmt/index.html
  2. Click the Multi-User Access tab.
  3. Click the Roles link on the left-hand pane. The roles defined in the system are displayed. These roles cannot be edited or updated.
  4. Click on a Role to view more details.
  5. Click the Entitlements link on the left-hand pane. The entitlements defined in the system are displayed. These entitlements cannot be edited or updated.
  6. Click on an Entitlement to view more details.

Managing Databases and Database Homes on Oracle Database Appliance with Multi-User Access

The custom user created on multi-user access Oracle Database Appliance can deploy and manage databases and database homes.

After you create a custom dbuser1 on an Oracle Database Appliance with multi-user access enabled, manage databases as follows:

Creating and Listing Databases and Database Homes Using ODACLI Commands

  1. Connect to the appliance as dbuser1.
    ssh dbuser1@oda-box hostname/IP
  2. Create a database:
    odacli create-database -n dbName -v dbVersion
  3. Run odacli list-databases to view the databases owned by dbuser1:
    odacli list-databases

    Another user with the ODA-DB role cannot use the resource owned by dbuser1 to create a database home, thus ensuring role separation.

  4. Use the -all option on the appliance when multi-user access is enabled to view all the databases in the system.
    odacli list-databases -all
  5. Use the -all option on the appliance when multi-user access is enabled to view all the database homes in the system.
    odacli list-dbhomes -all

Creating and Listing Databases and Database Homes Using Browser User Interface

  1. Log into the Browser User Interface as dbuser1:
    https://host-ip-address:7093/mgmt/index.html
  2. Click the Database tab.
  3. Click Show All Databases. A read-only list of all databases in the system is displayed.
  4. Click the Database Home link on the left hand pane.
  5. Click Show All Database Homes. A read-only list of all database homes in the system is displayed.

Changing the Password for a User Account on Oracle Database Appliance with Multi-User Access

Understand how to manage passwords on multi-user access Oracle Database Appliance.

Changing the Password on Multi-User Access Enabled System Using ODACLI Commands

  • You can change the password for an Oracle Database Appliance user whose account is active:
    odacli change-password

Changing the Password on Multi-User Access Enabled System Using Browser User Interface

  1. Log into the Browser User Interface as the user whose password you want to change:
    https://host-ip-address:7093/mgmt/index.html
  2. To change the Account password at any time: Click on the Account drop down list in the top right-hand side of Browser User Interface and select Change Password.
  3. Specify and confirm the Password and click Submit.

Resetting the Password for a Locked User Account on Oracle Database Appliance with Multi-User Access

Understand how to reset the password on multi-user access Oracle Database Appliance.

Resetting Password for a Locked User Account on Multi-User Access Enabled System Using ODACLI Commands

  • Unlock the odaadmin user account that is locked due to multiple failed login attempts or password expiry.
    1. Log in as root.
    2. Run the following:
      /opt/oracle/dcs/bin/resetCredsForOdaAdmin.sh
      A temporary password is assigned to the odaadmin user.
    3. Log in as the odaadmin user with the temporary password.
    4. Run the following command:
      odacli reset-password
      You are prompted to provide the temporary password and specify and confirm the new password. After the command runs successfully, the user account is unlocked.
  • Unlock any non-admin user account that is locked due to multiple failed login attempts or password expiry.
    1. Log in as odaadmin.
    2. Run the following command:
      odacli authorize-user

      After you provide a temporary password, the account is unlocked.

    3. Log in as the user whose account was locked, with the temporary password.
    4. Run the following command:
      odacli reset-password
      You are prompted to provide the temporary password and specify and confirm the new password. After the command runs successfully, the user account is unlocked and reactivated.

Resetting Password for a Locked User Account on Multi-User Access Enabled System Using Browser User Interface

  • Unlock the non-admin user account that is locked due to multiple failed login attempts or password expiry as follows:
    1. Log into the Browser User Interface as the odaadmin user:
      https://host-ip-address:7093/mgmt/index.html
    2. In the Multi-User Access tab, on the Users page, click on the link for the user whose password you want to reset. Note that you can reset the password for users of type Custom only. The Account Status for the user is LockedFailedLogin.
    3. In the Actions drop down list, select Authorize Password Reset.
    4. In the Authorize Password Reset page, specify and confirm the Temporary ODA Password and click Authorize.
    5. Now, log into the Browser User Interface as the user whose account is being unlocked. Specify the User Name and the temporary password in the ODA Password field.
    6. Since the account was locked, the Account Status is CredentialReset. You are prompted to specify and confirm a new password.
    7. Specify and confirm the Password and click Submit.
    8. On successful password change, log into the Browser User Interface with the new password.