Cloud Control 12c (and the former Grid Control 11g) offers the possibility to create administrators and manage their privileges through the “emcli” command line utility. The main advantage of this method (based on scripts) is to be able to reproduce the creation of the users as soon as a new Cloud Control infrastructure must be built up (for instance in order to migrate Grid Control 11g on Windows to Cloud Control 12c on Linux).
Indeed, whereas some objects like the monitoring templates can be easily exported and imported, there is no possibility to export and import the Grid/Cloud Control users.
Creating these users through scripts thus offers the advantage of being able to reproduce their creation on a new environment.
To display the complete help for the “emcli create_user” command, run:
# emcli help create_user
emcli create_user
      -name="name"
      -password="password"
      [-type="type of user"]
      [-roles="role1;role2;..."]
      [-email="email1;email2;..."]
      [-privilege="name[;secure-resource-details]]"
      [-separator=privilege="sep_string"]
      [-subseparator=privilege="subsep_string"]
      [-profile="profile_name"]
      [-desc="user_description"]
      [-expired="true/false"]
      [-prevent_change_password="true/false"]
      [-department="department_name"]
      [-cost_center="cost_center"]
      [-line_of_business="line_of_business"]
      [-contact="contact"]
      [-location="location"]
      [-input_file="arg_name:file_path"]
The name and password of the user are mandatory parameters. Besides these, the other important settings for a Grid Control user are of course its privileges and access rights.
For privilege management, Cloud Control 12c distinguishes between three main groups of privileges:
- privileges concerning Jobs
- privileges concerning Targets
- System privileges
To get details about these privileges, use the following commands (once connected to CC 12c with “emcli login -username=”):
oracle@chhs-sora011:/home/oracle [oms12c] emcli get_supported_privileges -type=SYSTEM
As an example, we will create a simple user with access to one particular database (the Enterprise Manager repository database):
emcli create_user -name="useryann" -password="useryann" -privilege="view_target;EMREP12_SITE1.domain.ch:oracle_database"
User "USERYANN" created successfully
To grant additional privileges to an existing user, use the modify_user command. Be careful: the existing privileges must be specified again in the modification, otherwise they will be lost:
emcli modify_user -name="useryann" -privilege="view_target;EMREP12_SITE1.domain.ch:oracle_database" \
      -privilege="CONNECT_TARGET;EMREP12_SITE1.domain.ch:oracle_database"
User "USERYANN" modified successfully
The “connect_target” privilege allows access to the performance view of the database target, provided the user also knows a database user credential to access it.
Drawback of the emcli/script-based method
Of course, if Oracle changes, adds or removes privileges in Cloud Control 12c, the script will no longer be accurate and must be adapted for new releases of the Cloud Control infrastructure. This will however take less time than re-creating all users through the graphical user interface.
Since Cloud Control 12c, the system privileges are much more granular: more than 75 system privileges are available, compared to the 11 system privileges in Grid Control 11g.
Details of the system privileges are available under:
http://docs.oracle.com/cd/E25178_01/doc.1111/e24473.pdf
emcli does not provide any command (or verb) to check the current privileges of a Cloud Control 12c administrator. The only possibility is therefore to connect to the repository as the repository owner (SYSMAN) and run the following query:
set lines 132
set pages 999
col GRANTEE format a20
col PRIV_NAME format a25
col TARGET_NAME format a40
col TARGET_TYPE format a25
select grantee, PRIV_NAME, TARGET_NAME, TARGET_TYPE
from MGMT_PRIV_GRANTS pg, MGMT_TARGETS mt
where pg.GUID = mt.TARGET_GUID
and grantee = 'USERYANN'
/
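The modify_user caveat above (privileges left out of the call are lost) can be checked before the command is run. This added example, which is not part of the original article or of emcli, compares an administrator's current grants (for instance spooled from the query above) with the desired list and only prints the modify_user command when nothing would be dropped. The function names, the sample lists and the case-insensitive comparison of privilege names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): refuse to build an
# "emcli modify_user" call that would drop a privilege the user already has.
# emcli is never invoked; the command is only printed for review.

# Constructed sample data, one "PRIVILEGE;target_name:target_type" per line.
# CURRENT would come from the MGMT_PRIV_GRANTS query, DESIRED from the script.
CURRENT='view_target;EMREP12_SITE1.domain.ch:oracle_database'
DESIRED='VIEW_TARGET;EMREP12_SITE1.domain.ch:oracle_database
CONNECT_TARGET;EMREP12_SITE1.domain.ch:oracle_database'

# Upper-case the privilege name (assumption: names are case-insensitive, the
# article uses both spellings), keep the target part, drop blanks, sort unique.
normalize() {
    printf '%s\n' "$1" |
        awk -F';' -v OFS=';' 'NF { $1 = toupper($1); print }' | sort -u
}

# Print every privilege present in $1 (current) but absent from $2 (desired).
missing_privs() {
    des=$(normalize "$2")
    normalize "$1" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$des" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# Print the modify_user command for user $1, or fail if grants would be lost.
build_modify_cmd() {
    lost=$(missing_privs "$2" "$3")
    if [ -n "$lost" ]; then
        printf 'refusing, modify_user would drop:\n%s\n' "$lost" >&2
        return 1
    fi
    normalize "$3" | awk -v u="$1" '
        BEGIN { printf "emcli modify_user -name=\"%s\"", u }
              { printf " -privilege=\"%s\"", $0 }
        END   { print "" }'
}

build_modify_cmd useryann "$CURRENT" "$DESIRED"
```

The printed command can be reviewed and then run in a session opened with emcli login.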
Below is some information about the available Cloud Control 12c privileges. List of supported privileges for Jobs management:
# emcli get_supported_privileges -type=JOB
Privilege Name                  Privilege Scope  Security Class  Resource Guid Column  Resource Id Columns
MANAGE_JOB                      Resource         JOB             JOB_ID
GRANT_VIEW_JOB                  Resource Type    JOB
FULL_JOB                        Resource         JOB             JOB_ID
CREATE_JOB                      Resource Type    JOB
VIEW_JOB                        Resource         JOB             JOB_ID
List of supported privileges for Targets:
# emcli get_supported_privileges -type=SYSTEM
Privilege Name                  Privilege Scope  Security Class           Resource Guid Column  Resource Id Columns
MANAGE_PRIV_ANY_PATCH_PLAN      Resource Type    PATCH
CREATE_PLAN_TEMPLATE            Resource Type    PATCH
PATCH_SETUP                     Resource Type    PATCH
CREATE_PATCH_PLAN               Resource Type    PATCH
VIEW_ANY_PATCH_PLAN             Resource Type    PATCH
FULL_ANY_PATCH_PLAN             Resource Type    PATCH
CREATE_BUSINESS_RULESET         Resource Type    RULESET_SEC
SWLIB_EXPORT                    Resource Type    SWLIB_ENTITY_MGMT
SWLIB_EDIT_ANY_ENTITY           Resource Type    SWLIB_ENTITY_MGMT
SWLIB_MANAGE_ANY_ENTITY         Resource Type    SWLIB_ENTITY_MGMT
SWLIB_IMPORT                    Resource Type    SWLIB_ENTITY_MGMT
SWLIB_CREATE_ANY_ENTITY         Resource Type    SWLIB_ENTITY_MGMT
SWLIB_VIEW_ANY_ENTITY           Resource Type    SWLIB_ENTITY_MGMT
SWLIB_GRANT_ANY_ENTITY_PRIV     Resource Type    SWLIB_ENTITY_MGMT
GRANT_VIEW_JOB                  Resource Type    JOB
CREATE_JOB                      Resource Type    JOB
VIEW_ANY_TC                     Resource Type    TEMPLATECOLLECTION
CREATE_TC                       Resource Type    TEMPLATECOLLECTION
CREATE_OBJECT                   Resource Type    FMW_DIAG_SEC_CLASS
VIEW_OBJECT                     Resource Type    FMW_DIAG_SEC_CLASS
BTM_USER                        Resource Type    BTM
BTM_ADMINISTRATOR               Resource Type    BTM
SWLIB_STORAGE_ADMIN             Resource Type    SWLIB_ADMINISTRATION
PUBLISH_REPORT                  Resource Type    REPORT_DEF
VIEW_BA_MENU_ITEM               Resource Type    APM
VIEW_APM_PAYLOAD                Resource Type    APM
ACCESS_APM_SESSION_DIAG         Resource Type    APM
ASSOCIATE_APM_ENTITIES          Resource Type    APM
IMPORT_DP                       Resource Type    DP
CREATE_DP                       Resource Type    DP
GRANT_FULL_DP                   Resource Type    DP
GRANT_LAUNCH_DP                 Resource Type    DP
OPERATOR_ANY_TARGET             Resource Type    TARGET
PERFORM_OPERATION_ANYWHERE      Resource Type    TARGET
FULL_ANY_TARGET                 Resource Type    TARGET
PUT_FILE_AS_ANY_AGENT           Resource Type    TARGET
PERFORM_OPERATION_AS_ANY_AGENT  Resource Type    TARGET
CREATE_TARGET                   Resource Type    TARGET
CONNECT_ANY_VIEW_TARGET         Resource Type    TARGET
CREATE_PROPAGATING_GROUP        Resource Type    TARGET
VIEW_ANY_TARGET                 Resource Type    TARGET
USE_ANY_BEACON                  Resource Type    TARGET
EM_MONITOR                      Resource Type    TARGET
CREATE_BACKUP_CONFIG            Resource Type    SBRM_BACKUP_CONFIG
CREATE_MEXT                     Resource Type    MEXT_SECURE_CLASS
FULL_ANY_CCS                    Resource Type    CCS_SECURE_CLASS
FULL_OWNED_CCS                  Resource Type    CCS_SECURE_CLASS
CREATE_CREDENTIAL               Resource Type    NAMED_CREDENTIALS
SUPER_USER                      Resource Type    SYSTEM
VIEW_ANY_TEMPLATE               Resource Type    TEMPLATE
VIEW_ANY_SELFUPDATE             Resource Type    SELFUPDATE_SECURE_CLASS
SELFUPDATE_ADMINISTRATOR        Resource Type    SELFUPDATE_SECURE_CLASS
VIEW_ANY_DISC_TARGETS_ON_HOST   Resource Type    DISCOVERY
VIEW_ANY_DISCOVERED_HOSTS       Resource Type    DISCOVERY
CAN_SCAN_NETWORK_PRIVILEGE      Resource Type    DISCOVERY
AD4J_ADMINISTRATOR              Resource Type    AD4J
AD4J_USER                       Resource Type    AD4J
JVMD_VIEW_LOCALS_PRIV           Resource Type    AD4J
ACCESS_EM                       Resource Type    ACCESS
PLUGIN_AGENT_ADMINISTRATOR      Resource Type    PLUGIN
PLUGIN_OMS_ADMINISTRATOR        Resource Type    PLUGIN
PLUGIN_VIEW                     Resource Type    PLUGIN
ASREPLAY_VIEWER                 Resource Type    ASREPLAY_ENTITY_MGMT
ASREPLAY_OPERATOR               Resource Type    ASREPLAY_ENTITY_MGMT
MANAGE_ANY_CHANGE_PLAN          Resource Type    CHANGE_PLAN
VIEW_ANY_OMS_PROPERTY           Resource Type    OMS_PROP_SECURE_CLASS
MANAGE_ANY_OMS_PROPERTY         Resource Type    OMS_PROP_SECURE_CLASS
CREATE_ANY_POLICY               Resource Type    CLOUDPOLICY
VIEW_ANY_POLICY                 Resource Type    CLOUDPOLICY
SVCD_CREATE_DASH                Resource Type    SVCD
EMHA_ADMINISTRATION             Resource Type    EMHA_SECURE_CLASS
VIEW_ANY_COMPLIANCE_FWK         Resource Type    COMPLIANCE_FWK
CREATE_COMPLIANCE_ENTITY        Resource Type    COMPLIANCE_FWK
FULL_ANY_COMPLIANCE_ENTITY      Resource Type    COMPLIANCE_FWK
VIEW_ANY_POLICY_GROUP           Resource Type    CLOUDPOLICYGROUP
CREATE_POLICY_GROUP             Resource Type    CLOUDPOLICYGROUP