How to Create and Maintain Permissions for Delphix OS and Database Users on Host Systems

Overview

User: Delphix OS User
  When used:
    • Adding a host
    • Adding a dSource
    • Provisioning a VDB
  Requirements:
    • Profile and privileges are similar to “Oracle user” but need not be identical
    • Primary group = OSDBA Group (typically dba), secondary group = Oracle Install Group (typically oinstall)
    • Additional group memberships = asmadmin and asmdba, to provision from and to ASM
    • Through sudo, rights to ps or pargs, if the listener is non-standard
    • On Target hosts: through sudo, rights to mount/umount and mkdir/rmdir
    • Write permission to $ORACLE_HOME/dbs
    • Write permission to the directory $ORACLE_HOME/sqlplus

User: Delphix DB User
  When used:
    • Adding a dSource
  Requirements:
    • System privileges = create session, select any dictionary
    • If the "select any dictionary" privilege is prohibited, privileges must be granted on many system tables (see below)

The Delphix OS User

  • The primary group must be the OSDBA group (typically dba) and the secondary group must be the Oracle Install Group (typically oinstall).

  • If ASM is used, the OS user must be a member of the asmadmin and asmdba groups as well.

  • The HostChecker bundle includes a script named createDelphixOSUser.sh that lets the administrator create a Delphix OS user. The script prompts for the primary and secondary group memberships.
  • To detect listeners with a non-standard configuration on both sources and targets, the Delphix OS user must be granted sudo access to either pargs on Solaris, or ps on Linux, HP-UX, or AIX. On Target hosts, this is in addition to the requirements below. Superuser access is needed to determine the TNS_ADMIN environment variable of the user running the listener (typically "oracle", not "delphix_os"). From TNS_ADMIN the Delphix OS user can derive the connection parameters.
    EXAMPLE (Solaris Source):
    Defaults:delphix_os !requiretty
    delphix_os ALL=NOPASSWD:/bin/pargs
    EXAMPLE (Linux, HP-UX, or AIX Source):
    Defaults:delphix_os !requiretty
    delphix_os ALL=NOPASSWD:/bin/ps

Target Host Requirements:
 

  • When provisioning to an ASM installation, the Delphix OS User must have a secondary group membership in the asmadmin group.
  • For target hosts, the Delphix OS user requires a narrow set of sudo privileges: permissions to mount/umount, mkdir/rmdir. For example, if the Delphix OS user is named “delphix_os”, you might add the following two lines to the end of a sudo config file (such as /etc/sudoers):
    EXAMPLE (All Targets, Standard Listener):
    Defaults:delphix_os !requiretty
    delphix_os ALL=NOPASSWD:/bin/mount, /bin/umount, /bin/mkdir, /bin/rmdir
    EXAMPLE (Solaris Target, Non-standard Listener):
    Defaults:delphix_os !requiretty
    delphix_os ALL=NOPASSWD:/bin/mount, /bin/umount, /bin/mkdir, /bin/rmdir, /bin/pargs
    EXAMPLE (Linux/HP-UX/AIX Target, Non-standard Listener):
    Defaults:delphix_os !requiretty
    delphix_os ALL=NOPASSWD:/bin/mount, /bin/umount, /bin/mkdir, /bin/rmdir, /bin/ps

Modify these instructions according to the filename/pathname conventions of your system:

  • The Delphix OS user or other provisioning user must have the appropriate permissions on a mount directory for VDBs, for example /mnt/provision. If the provisioning user does not have permissions to mount/umount and mkdir/rmdir, then the mount directory must already exist and be writeable by the provisioning user.

  • The Delphix OS user on a target host must have write permission on $ORACLE_HOME/dbs.
  • The Delphix OS user on a source host must have write permission to the sqlplus directory, for example, $ORACLE_HOME/sqlplus.
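
A way to check a host against the group and sudo requirements above, as an added example that is not part of the Delphix documentation or the HostChecker bundle. The function names and the sample fragment are constructed for illustration, and the sudoers parsing assumes single-line entries in the form shown in the examples on this page.

```shell
# Added example (not from the HostChecker bundle): audit a Delphix OS user.
# Group names default to the "typical" values on this page; override if needed.
OSDBA_GROUP=${OSDBA_GROUP:-dba}
OINSTALL_GROUP=${OINSTALL_GROUP:-oinstall}

# check_groups PRIMARY "ALL GROUPS" [asm]
# Feed it `id -gn USER` and `id -Gn USER`; pass "asm" when ASM is used.
check_groups() {
    cg_all=" $2 "; cg_need=$OINSTALL_GROUP; cg_rc=0
    if [ "${3:-}" = asm ]; then cg_need="$cg_need asmadmin asmdba"; fi
    [ "$1" = "$OSDBA_GROUP" ] || { echo "primary group: $1 (want $OSDBA_GROUP)"; cg_rc=1; }
    for cg_g in $cg_need; do
        case $cg_all in
            *" $cg_g "*) ;;
            *) echo "missing group: $cg_g"; cg_rc=1 ;;
        esac
    done
    return $cg_rc
}

# audit_sudo USER "CMD CMD ..." < sudoers-fragment
# Assumes single-line entries shaped like the page's examples. Prints each
# command granted beyond the expected list and each expected one not granted.
audit_sudo() {
    as_want=" $2 "; as_rc=0
    as_got=$(sed -n "s/^$1[[:space:]][^=]*=//p" | tr ',' '\n' |
        sed 's/([^)]*)//; s/[A-Z]*://g; s/^[[:space:]]*//; s/[[:space:]]*$//')
    while IFS= read -r as_c; do
        [ -n "$as_c" ] || continue
        case $as_want in
            *" $as_c "*) ;;
            *) echo "extra: $as_c"; as_rc=1 ;;
        esac
    done <<EOF
$as_got
EOF
    for as_c in $2; do
        printf '%s\n' "$as_got" | grep -Fqx -- "$as_c" || { echo "missing: $as_c"; as_rc=1; }
    done
    return $as_rc
}

# Constructed sample: the page's standard-listener target entry.
TARGET_CMDS="/bin/mount /bin/umount /bin/mkdir /bin/rmdir"
SAMPLE='Defaults:delphix_os !requiretty
delphix_os ALL=NOPASSWD:/bin/mount, /bin/umount, /bin/mkdir, /bin/rmdir'
printf '%s\n' "$SAMPLE" | audit_sudo delphix_os "$TARGET_CMDS" && echo "sudo grants OK"
```

On a real host, pass `"$(id -gn delphix_os)"` and `"$(id -Gn delphix_os)"` to `check_groups`, and feed `audit_sudo` the sudoers file that holds the entry together with the command list for that host's role. An entry that grants a command with arguments, or `ALL`, is reported as extra.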

 

The Delphix DB User

  • The Delphix DB user name and password are used when adding a dSource, in the "Select Database Instance" dialog.
  • The HostChecker bundle includes a script named createDelphixDBUser.sh that creates an authorized Delphix DB user.
  • The Delphix DB User (for Oracle database instances) must have specific system privileges:
     
    • For users without DBA (role) privileges, the following commands need to be run to grant required privileges to the Delphix database user (sysdba privileges are required to execute these commands):
      -- system privileges
      grant create session,
          select any dictionary
          to <username>;
      create view v_x$kccfe as select * from x$kccfe;
      grant select on v_x$kccfe to <username>;
      create synonym <username>.x$kccfe for v_x$kccfe;
      
      
    • If corporate standards prohibit the use of "select any dictionary", privileges must be granted to the Delphix DB User on many system tables. Please refer to the attached script, createDelphixDBUser.sh, for the needed permissions.