Oracle Globally Distributed Database Users and Roles
Here you will learn about the management of database users and roles specific to Oracle Globally Distributed Database.
Overview of Users and Roles
In Oracle Globally Distributed Database some types of users require certain roles and privileges.
For distributed databases there are three kinds of users:
- Distributed database/GSM administrator - Grant this user the GSMADMIN_ROLE role. This role should be granted to one, or only a few accounts, that require elevated privileges to do administrative tasks. This role has a number of powerful privileges, including ALTER SYSTEM.
- Distributed database schema owner - Grant this user the SHARDED_SCHEMA_OWNER role. This role should be granted only to accounts which own a distributed database schema. The role only has enough privileges to allow the account to manage their own schema for various operations; for example, "select any table" would not be a privilege this role has.
- Regular distributed database user - This type of user includes any account which has been created under ENABLE SHARD DDL; these users have no special privileges or roles except those needed to run a distributed database application. The database administrator decides which privileges these accounts need, and grants them individually to the account.
Oracle Globally Distributed Database Roles
Oracle Globally Distributed Database provides a set of predefined database roles to help in distributed database administration.
Most of the Oracle Globally Distributed Database roles don't have many privileges, but they do have execute rights on certain Oracle-delivered procedures and packages which allow them to perform administrative tasks.
Predefined Role | Description |
---|---|
 | Should be granted to Oracle Globally Distributed Database administrators, so that they can administer the Oracle Globally Distributed Database configuration |
 | Provides privileges for Oracle Globally Distributed Database schema owners to perform administrative tasks on their own schema |
 | Granted only to Oracle delivered account |
 | Granted only to Oracle delivered account |
 | Granted only to Oracle delivered account |
For more information about database roles, see Predefined Roles in an Oracle Database Installation.
About the GSMUSER Account
The GSMUSER account is used by GDSCTL and shard directors (global service managers) to connect to databases in an Oracle Globally Distributed Database configuration.
This account needs to be unlocked for both the CDB and PDB.
GSMUSER exists by default on any Oracle database. In an Oracle Globally Distributed Database configuration, the account is used to connect to shards instead of pool databases, and it must be granted both the SYSDG and SYSBACKUP system privileges after the account has been unlocked.
The password given to the GSMUSER account is used in the gdsctl add shard command. Failure to grant SYSDG and SYSBACKUP to GSMUSER on a new shard causes gdsctl add shard to fail with an ORA-1031: insufficient privileges error.
About the GSMROOTUSER Account
GSMROOTUSER is a database account specific to Oracle Globally Distributed Database that is only used when pluggable database (PDB) shards are present. The account is used by GDSCTL and global service managers to connect to the root container of container databases (CDBs) to perform administrative tasks.
If PDB shards are not in use, the GSMROOTUSER user should not be unlocked or assigned a password on any database. However, in sharded configurations containing PDB shards, GSMROOTUSER must be unlocked and granted the SYSDG and SYSBACKUP privileges before a successful gdsctl add cdb command can be run. The password for the GSMROOTUSER account can be changed after deployment if desired using the alter user SQL command in the root container of the CDB in combination with the gdsctl modify cdb -pwd command.
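The account and role guidance above can be checked on a shard CDB with a few dictionary queries. This is an added example, not part of the Oracle documentation; it assumes Oracle Database 12c or later and a session in the root container (CDB$ROOT) that can read the CDB_* views and V$PWFILE_USERS.

```sql
-- Added audit example (not Oracle's own script).
-- Assumption: connected to CDB$ROOT as a user who can query the CDB_* views.

-- 1. Holders of the two roles named on this page, per container.
--    GSMADMIN_ROLE carries ALTER SYSTEM, so this list should stay short;
--    Oracle-delivered accounts will also appear in it.
SELECT con_id, grantee, granted_role, admin_option
FROM   cdb_role_privs
WHERE  granted_role IN ('GSMADMIN_ROLE', 'SHARDED_SCHEMA_OWNER')
ORDER  BY granted_role, con_id, grantee;

-- 2. Lock state of the GSM accounts in every container.
--    GSMUSER must be open in both the CDB and the shard PDB.
--    GSMROOTUSER should be open only when PDB shards are in use.
SELECT con_id, username, account_status
FROM   cdb_users
WHERE  username IN ('GSMUSER', 'GSMROOTUSER')
ORDER  BY username, con_id;

-- 3. Administrative privileges held by the GSM accounts.
--    A GSMUSER row with SYSDG or SYSBACKUP = 'FALSE', or no row at all,
--    matches the condition under which gdsctl add shard fails.
SELECT con_id, username, sysdg, sysbackup
FROM   v$pwfile_users
WHERE  username IN ('GSMUSER', 'GSMROOTUSER')
ORDER  BY username, con_id;
```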