Cloud Control 12c (and the former Grid Control 11g) offers the possibility to create administrators and manage their privileges through the “emcli” command line utility. The main advantage of this method (based on scripts) is to be able to reproduce the creation of the users as soon as a new Cloud Control infrastructure must be built up (for instance in order to migrate Grid Control 11g on Windows to Cloud Control 12c on Linux).

Indeed, whereas some objects like the monitoring templates can be easily exported and imported, there is no possibility to export and import the Grid/Cloud Control users.

Creating these users through scripts thus offers the advantage of being able to reproduce their creation on a new environment.

To get a complete help of the “emcli create_user” command, use the following statement:

# emcli help create_user
  emcli create_user
        -name="name"
        -password="password"
        [-type="type of user"]
        [-roles="role1;role2;..."]
        [-email="email1;email2;..."]
        [-privilege="name[;secure-resource-details]]"
        [-separator=privilege="sep_string"]
        [-subseparator=privilege="subsep_string"]
        [-profile="profile_name"]
        [-desc="user_description"]
        [-expired="true/false"]
        [-prevent_change_password="true/false"]
        [-department="department_name"]
        [-cost_center="cost_center"]
        [-line_of_business="line_of_business"]
        [-contact="contact"]
        [-location="location"]
        [-input_file="arg_name:file_path"]

The name and password of the user are mandatory parameters. Beside these parameters the other important settings for a Grid Control user are of course its privileges and access rights.

Concerning the privilege management Cloud Control 12c distinguishes between three main groups of privileges:

  • privileges concerning Jobs
  • privileges concerning Targets
  • System privileges

To get details about these privileges, use the following commands (once connected to CC 12c with “emcli login -username=”):

[email protected]:/home/oracle [oms12c] emcli get_supported_privileges -type=SYSTEM

As an example we will create a simple user having access to a particular database (The Enterprise Manager repository database):

emcli create_user -name=”useryann” -password=”useryann” -privilege=”view_target;EMREP12_SITE1.domain.ch:oracle_database”User “USERYANN” created successfully

To extend a user in order to provide aditionnal privileges, the modify_user command can be used (be careful the existing privileges must be specified during the modification, if not they will be lost):

emcli modify_user -name=”useryann” -privilege=”view_target;EMREP12_SITE1.domain.ch:oracle_database”
-privilege=”CONNECT_TARGET;EMREP12_SITE1.domain.ch:oracle_database”
User “USERYANN” modified successfully

The “connect_target” privilege allows to access the performance view of the database target, supposing the user also knows a database user credential to access it.

Drawback of the emcli/script-based method

Of course if Oracle changes/adds/removes some privileges in Cloud Control 12c, the script won’t be accurate anymore and must be adapted for the new releases of the Cloud Control infrastructure. This will however take less time than re-create all users through the Graphical User Interface.

Since Cloud Control 12c , the system privileges granularity is much more dense, more than 75 system privileges are available compared to the 11 system privileges in Grid Control 11g.

Details of the system privileges are available under:

http://docs.oracle.com/cd/E25178_01/doc.1111/e24473.pdf

In order to check the current privileges of a Cloud Control 12c administrator, emcli does not provide any command (or Verb), therefore the only possibility is to access the repository as Repository Owner (SYSMAN) and start the following select:

set lines 132
set pages 999

col GRANTEE format a20
col PRIV_NAME format a25
col TARGET_NAME format a40
col TARGET_TYPE format a25

select grantee, PRIV_NAME, TARGET_NAME, TARGET_TYPE
from MGMT_PRIV_GRANTS pg, MGMT_TARGETS mt
where pg.GUID = mt.TARGET_GUID
and grantee = ‘USERYANN’
/

Below some information about the available Cloud Control 12c privileges. List the supported privileges for Jobs management:

# emcli get_supported_privileges -type=JOB
 Privilege Name  Privilege Scope  Security Class  Resource Guid Column  Resource Id Columns
 MANAGE_JOB      Resource         JOB             JOB_ID
 GRANT_VIEW_JOB  Resource Type    JOB
 FULL_JOB        Resource         JOB             JOB_ID
 CREATE_JOB      Resource Type    JOB
 VIEW_JOB        Resource         JOB             JOB_ID

List of supported privileges for Targets:

# emcli get_supported_privileges -type=SYSTEM
Privilege Name                  Privilege Scope  Security Class           Resource Guid Column  Resource Id Columns
 MANAGE_PRIV_ANY_PATCH_PLAN      Resource Type    PATCH
 CREATE_PLAN_TEMPLATE            Resource Type    PATCH
 PATCH_SETUP                     Resource Type    PATCH
 CREATE_PATCH_PLAN               Resource Type    PATCH
 VIEW_ANY_PATCH_PLAN             Resource Type    PATCH
 FULL_ANY_PATCH_PLAN             Resource Type    PATCH
 CREATE_BUSINESS_RULESET         Resource Type    RULESET_SEC
 SWLIB_EXPORT                    Resource Type    SWLIB_ENTITY_MGMT
 SWLIB_EDIT_ANY_ENTITY           Resource Type    SWLIB_ENTITY_MGMT
 SWLIB_MANAGE_ANY_ENTITY         Resource Type    SWLIB_ENTITY_MGMT
 SWLIB_IMPORT                    Resource Type    SWLIB_ENTITY_MGMT
 SWLIB_CREATE_ANY_ENTITY         Resource Type    SWLIB_ENTITY_MGMT
 SWLIB_VIEW_ANY_ENTITY           Resource Type    SWLIB_ENTITY_MGMT
 SWLIB_GRANT_ANY_ENTITY_PRIV     Resource Type    SWLIB_ENTITY_MGMT
 GRANT_VIEW_JOB                  Resource Type    JOB
 CREATE_JOB                      Resource Type    JOB
 VIEW_ANY_TC                     Resource Type    TEMPLATECOLLECTION
 CREATE_TC                       Resource Type    TEMPLATECOLLECTION
 CREATE_OBJECT                   Resource Type    FMW_DIAG_SEC_CLASS
 VIEW_OBJECT                     Resource Type    FMW_DIAG_SEC_CLASS
 BTM_USER                        Resource Type    BTM
 BTM_ADMINISTRATOR               Resource Type    BTM
 SWLIB_STORAGE_ADMIN             Resource Type    SWLIB_ADMINISTRATION
 PUBLISH_REPORT                  Resource Type    REPORT_DEF
 VIEW_BA_MENU_ITEM               Resource Type    APM
 VIEW_APM_PAYLOAD                Resource Type    APM
 ACCESS_APM_SESSION_DIAG         Resource Type    APM
 ASSOCIATE_APM_ENTITIES          Resource Type    APM
 IMPORT_DP                       Resource Type    DP
 CREATE_DP                       Resource Type    DP
 GRANT_FULL_DP                   Resource Type    DP
 GRANT_LAUNCH_DP                 Resource Type    DP
 OPERATOR_ANY_TARGET             Resource Type    TARGET
 PERFORM_OPERATION_ANYWHERE      Resource Type    TARGET
 FULL_ANY_TARGET                 Resource Type    TARGET
 PUT_FILE_AS_ANY_AGENT           Resource Type    TARGET
 PERFORM_OPERATION_AS_ANY_AGENT  Resource Type    TARGET
 CREATE_TARGET                   Resource Type    TARGET
 CONNECT_ANY_VIEW_TARGET         Resource Type    TARGET
 CREATE_PROPAGATING_GROUP        Resource Type    TARGET
 VIEW_ANY_TARGET                 Resource Type    TARGET
 USE_ANY_BEACON                  Resource Type    TARGET
 EM_MONITOR                      Resource Type    TARGET
 CREATE_BACKUP_CONFIG            Resource Type    SBRM_BACKUP_CONFIG
 CREATE_MEXT                     Resource Type    MEXT_SECURE_CLASS
 FULL_ANY_CCS                    Resource Type    CCS_SECURE_CLASS
 FULL_OWNED_CCS                  Resource Type    CCS_SECURE_CLASS
 CREATE_CREDENTIAL               Resource Type    NAMED_CREDENTIALS
 SUPER_USER                      Resource Type    SYSTEM
 VIEW_ANY_TEMPLATE               Resource Type    TEMPLATE
 VIEW_ANY_SELFUPDATE             Resource Type    SELFUPDATE_SECURE_CLASS
 SELFUPDATE_ADMINISTRATOR        Resource Type    SELFUPDATE_SECURE_CLASS
 VIEW_ANY_DISC_TARGETS_ON_HOST   Resource Type    DISCOVERY
 VIEW_ANY_DISCOVERED_HOSTS       Resource Type    DISCOVERY
 CAN_SCAN_NETWORK_PRIVILEGE      Resource Type    DISCOVERY
 AD4J_ADMINISTRATOR              Resource Type    AD4J
 AD4J_USER                       Resource Type    AD4J
 JVMD_VIEW_LOCALS_PRIV           Resource Type    AD4J
 ACCESS_EM                       Resource Type    ACCESS
 PLUGIN_AGENT_ADMINISTRATOR      Resource Type    PLUGIN
 PLUGIN_OMS_ADMINISTRATOR        Resource Type    PLUGIN
 PLUGIN_VIEW                     Resource Type    PLUGIN
 ASREPLAY_VIEWER                 Resource Type    ASREPLAY_ENTITY_MGMT
 ASREPLAY_OPERATOR               Resource Type    ASREPLAY_ENTITY_MGMT
 MANAGE_ANY_CHANGE_PLAN          Resource Type    CHANGE_PLAN
 VIEW_ANY_OMS_PROPERTY           Resource Type    OMS_PROP_SECURE_CLASS
 MANAGE_ANY_OMS_PROPERTY         Resource Type    OMS_PROP_SECURE_CLASS
 CREATE_ANY_POLICY               Resource Type    CLOUDPOLICY
 VIEW_ANY_POLICY                 Resource Type    CLOUDPOLICY
 SVCD_CREATE_DASH                Resource Type    SVCD
 EMHA_ADMINISTRATION             Resource Type    EMHA_SECURE_CLASS
 VIEW_ANY_COMPLIANCE_FWK         Resource Type    COMPLIANCE_FWK
 CREATE_COMPLIANCE_ENTITY        Resource Type    COMPLIANCE_FWK
 FULL_ANY_COMPLIANCE_ENTITY      Resource Type    COMPLIANCE_FWK
 VIEW_ANY_POLICY_GROUP           Resource Type    CLOUDPOLICYGROUP
 CREATE_POLICY_GROUP             Resource Type    CLOUDPOLICYGROUP