Let me tell you a story about how I discovered an undocumented role in GoldenGate that could break your automation. Recently, I wanted to bulk-update the role of a GoldenGate user across multiple deployments. First of all, you should know that each GoldenGate user is assigned one of the following roles: User, Operator, Administrator and Security.
I will not dwell on the differences between them, but you just have to know something important here: you cannot change the role assigned to a GoldenGate user. If you try to edit a user, the only thing that you can change is the password.

That being said, the only possible option to change the role of a user in GoldenGate is to recreate it. In the web UI, it is rather simple. You just delete it, and recreate it with the same credentials, but a different role.
But as mentioned, I wanted to do it for multiple deployments and users, without having to do the operation manually every time. That is why I decided to use the GoldenGate REST API to quickly iterate over users and deployments. And this is where the trouble began.
According to the GoldenGate documentation on the REST API, there are two endpoints that appear to replicate the web UI behavior:
- Delete User:
DELETE /services/{version}/authorizations/{role}/{user}

- Create User:
POST /services/{version}/authorizations/{role}/{user}

However, when calling the API with these endpoints and the Python client I presented in another blog, I got the following error after trying to recreate the user:
# Deletion works as intended
>>> ogg_client.delete_user('dbiblog','Operator')
{'$schema': 'api:standardResponse', 'links': [{'rel': 'canonical', 'href': 'https://vmogg/se/Operator', 'mediaType': 'application/json'}, {'rel': 'self', 'href': 'https://vmogg/se/Operator', 'mediaType': 'application/json'}], 'messages': []}
# Creation doesn't work
>>> ogg_client.create_user('dbiblog', 'User', data={'credential':'**'})
Exception: ERROR - https://vmogg/services/ogg_test_01/adminsrvr/v2/authorizations/Operator/dbiblog: The specified user already exists.
In the UI, the user was gone, but I couldn’t recreate it with the REST API. And even from the UI, the user couldn’t be recreated. Instead, I had the following error: OGG-12430 : The specified user already exists.

At first, I thought something was wrong with either my deployment or my client, but I found nothing wrong. So I checked the restapi.log files of my deployment to understand:
- What the REST API calls were doing
- What the web UI was doing.
restapi.log analysis
Let’s try to create the exact same user (dbiblog / Operator) from the UI, and see what passes through the API. For more insight about how to query the restapi.log file efficiently, you can read a blog I wrote on the topic. Otherwise, you can just search through the logs.
As shown below, the creation of a user from the UI only generated one call to the API (excluding GET calls) to the same endpoint used by my method.
{
"content": {
"credential": "** Masked **",
"type": "Basic"
},
"uri": "/services/v2/authorizations/Operator/dbiblog",
"uriTemplate": "/services/{version}/authorizations/{role}/{user}",
"verb": "POST",
"restapi_datetime": "2026-03-27 05:40:58.776+0000",
"restapi_reqno": 1840,
"restapi_service": "adminsrvr",
"restapi_status": "INFO"
}
Now, when deleting the user from the UI, two DELETE operations go through the API.
{
"content": null,
"uri": "/services/v2/authorizations/Operator/dbiblog",
"uriTemplate": "/services/{version}/authorizations/{role}/{user}",
"verb": "DELETE",
"restapi_datetime": "2026-03-27 05:42:20.994+0000",
"restapi_reqno": 1926,
"restapi_service": "adminsrvr",
"restapi_status": "INFO"
}
{
"content": null,
"uri": "/services/v2/authorizations/all/dbiblog",
"uriTemplate": "/services/{version}/authorizations/{role}/{user}",
"verb": "DELETE",
"restapi_datetime": "2026-03-27 05:42:21.012+0000",
"restapi_reqno": 1927,
"restapi_service": "adminsrvr",
"restapi_status": "INFO"
}
On top of making a DELETE call to the dbiblog / Operator pair, the UI generates another DELETE call on the dbiblog user with an undocumented all role!
This explains why you get an error when recreating a user with the REST API. If the user was deleted by a single REST API call, it still exists with the hidden all role.
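The same reading of the log can be automated. The following is an added example, not code from the original post: it scans entries shaped like the records above and reports users whose DELETE on a named role was never followed by a DELETE on the all role. It assumes the entries are passed in log order and that each logged DELETE succeeded; the sample entries and the user "alice" are constructed.

```python
import re

# Constructed entries in the shape of the restapi.log records shown above
# (only the fields this check reads; "alice" is a made-up user).
SAMPLE = [
    {"uri": "/services/v2/authorizations/Operator/dbiblog", "verb": "POST", "restapi_reqno": 1840},
    {"uri": "/services/v2/authorizations/User/alice", "verb": "POST", "restapi_reqno": 1850},
    {"uri": "/services/v2/authorizations/Operator/dbiblog", "verb": "DELETE", "restapi_reqno": 1926},
    {"uri": "/services/v2/authorizations/User/alice", "verb": "DELETE", "restapi_reqno": 1930},
    {"uri": "/services/v2/authorizations/all/alice", "verb": "DELETE", "restapi_reqno": 1931},
]

# Matches the tail of /services/{version}/authorizations/{role}/{user}
AUTHZ = re.compile(r"/authorizations/(?P<role>[^/]+)/(?P<user>[^/]+)$")


def half_deleted(entries):
    """Return {user: reqno of the named-role DELETE} for users with no later DELETE on 'all'.

    Assumes `entries` is in log order. A later POST does not clear a user,
    because re-creation fails while the 'all' membership is still there.
    """
    pending = {}
    for entry in entries:
        match = AUTHZ.search(entry["uri"])
        if match is None or entry["verb"] != "DELETE":
            continue
        role, user = match.group("role"), match.group("user")
        if role == "all":
            pending.pop(user, None)   # full deletion, as the web UI does it
        else:
            pending[user] = entry["restapi_reqno"]
    return pending


if __name__ == "__main__":
    for user, reqno in half_deleted(SAMPLE).items():
        print(f"{user}: role DELETE in request {reqno}, no DELETE on 'all' afterwards")
```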
To verify this hypothesis, let’s look at the list of users with the Operator and all roles before and after the user creation. Before, we only have the default ogg user (with the Security role, not shown here).
>>> ogg_client.list_users('Operator')
[]
>>> ogg_client.list_users('all')
[{'username': 'ogg'}]
But after, the newly created user also gets the all role.
>>> ogg_client.create_user(user='dbiblog', role='Operator', data={'credential':'**'})
{'$schema': 'api:standardResponse', 'links': [{'rel': 'canonical', 'href': 'https://vmogg/ser/Operator/dbiblog', 'mediaType': 'application/json'}, {'rel': 'self', 'href': 'https://vmogg/ser/Operator/dbiblog', 'mediaType': 'application/json'}], 'messages': []}
>>> ogg_client.list_users('Operator')
[{'username': 'dbiblog'}]
>>> ogg_client.list_users('all')
[{'username': 'ogg'}, {'username': 'dbiblog'}]
And of course, when deleting the user, I was only deleting it with the role I knew about.
How to recreate a GoldenGate user with the REST API?
The conclusion is simple: to recreate a GoldenGate user with the REST API, you need to delete the user on its current role, but also on the all role. After doing this, you can recreate the user:
# User deletion on the 'Operator' role
>>> ogg_client.delete_user(user='dbiblog', role='Operator')
{'$schema': 'api:standardResponse', 'links': [{'rel': 'canonical', 'href': 'https://vmogg/Operator', 'mediaType': 'application/json'}, {'rel': 'self', 'href': 'https://vmogg/ser/Operator', 'mediaType': 'application/json'}], 'messages': []}
# User deletion on the 'all' role
>>> ogg_client.delete_user(user='dbiblog', role='all')
{'$schema': 'api:standardResponse', 'links': [{'rel': 'canonical', 'href': 'https://vmogg/ser/All', 'mediaType': 'application/json'}, {'rel': 'self', 'href': 'https://vmogg/ser/All', 'mediaType': 'application/json'}], 'messages': []}
# User creation on the 'Operator' role
>>> ogg_client.create_user(user='dbiblog', role='Operator', data={'credential':'**'})
{'$schema': 'api:standardResponse', 'links': [{'rel': 'canonical', 'href': 'https://vmogg/ser/Operator/dbiblog', 'mediaType': 'application/json'}, {'rel': 'self', 'href': 'https://vmogg/ser/Operator/dbiblog', 'mediaType': 'application/json'}], 'messages': []}
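The three calls above can be wrapped in one helper for use across users and deployments. The following is an added example, not the client from the original post: `change_role` and `names` are hypothetical helpers that only rely on the `list_users`, `delete_user` and `create_user` calls used above, and `FakeOGG` is a constructed in-memory stand-in that reproduces the observed behaviour so the block runs offline.

```python
ROLES = ("User", "Operator", "Administrator", "Security")


class FakeOGG:
    """Constructed in-memory stand-in reproducing the behaviour observed in the post."""

    def __init__(self):
        self.members = {r: set() for r in ROLES + ("all",)}
        self.members["Security"].add("ogg")
        self.members["all"].add("ogg")

    def list_users(self, role):
        return [{"username": u} for u in sorted(self.members[role])]

    def create_user(self, user, role, data):
        if user in self.members["all"]:   # hidden membership blocks re-creation
            raise Exception("The specified user already exists.")
        self.members[role].add(user)
        self.members["all"].add(user)     # creation also registers under 'all'

    def delete_user(self, user, role):
        self.members[role].discard(user)  # only the role named in the call


def names(client, role):
    """Usernames currently listed under `role`."""
    return {u["username"] for u in client.list_users(role)}


def change_role(client, user, new_role, credential):
    """Recreate `user` under `new_role`; returns the named roles it was removed from."""
    if new_role not in ROLES:
        raise ValueError(f"unknown role: {new_role}")
    current = [r for r in ROLES if user in names(client, r)]
    if not current and user not in names(client, "all"):
        raise LookupError(f"{user} does not exist on this deployment")
    for role in current + ["all"]:        # named role first, then 'all', as the UI does
        client.delete_user(user=user, role=role)
    if user in names(client, "all"):      # refuse to POST into a half-deleted state
        raise RuntimeError(f"{user} is still listed under 'all'")
    client.create_user(user=user, role=new_role, data={"credential": credential})
    return current


if __name__ == "__main__":
    ogg = FakeOGG()
    ogg.create_user(user="dbiblog", role="Operator", data={"credential": "**"})
    print(change_role(ogg, "dbiblog", "User", "**"), ogg.list_users("User"))
```

Because a user that is listed only under all is also accepted, the helper repairs accounts left behind by an earlier single DELETE. The account does not exist between the last DELETE and the POST, so keep the credential at hand in case the creation call fails.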