4.8 Database Monitoring Using Database User Credentials

AHF now supports database monitoring using a configured username and password, eliminating the need for SYSDBA privileges.

Note:

It is preferred to utilize the default database connectivity ( / as sysdba) method for running SQL by AHF. Utilizing a common user for AHF will limit the diagnostic capabilities when performing database diagnostic collections as many of the SQL statements that are run require access to internal database structures.

  1. Create a database user for AHF to connect to the database. If the database is multitenant, the user will need to be created within the container database (CDB).
    Multitenant example:
    SQL> create user C##AHFUSER identified by <password>;
    Non-mulitenant example:
    SQL> create user AHFUSER identified by <password>;

    1. For the most comprehensive diagnostic data collection and analysis, it is recommended to grant the DBA role to the AHF common user.

      Example:

      grant dba to c##ahfuser container=all;

    2. Alternatively (if assigning the DBA role is not feasible), AHF common user must be granted the following minimum set of roles and privileges:

      • SELECT ANY DICTIONARY
      • CREATE ANY DIRECTORY
      • DROP ANY DIRECTORY
      • ADVISOR
      • ALTER SESSION
      • ALTER SESSION SET CONTAINER (only required for a multitenant database)
      • CREATE SESSION
      • SELECT_CATALOG_ROLE

      Multitenant example:

      SQL> GRANT SELECT ANY DICTIONARY to C##AHFUSER container=all;
SQL> GRANT CREATE ANY DIRECTORY TO C##AHFUSER container=all;
SQL> GRANT DROP ANY DIRECTORY TO C##AHFUSER container=all;
SQL> GRANT ADVISOR to C##AHFUSER container=all;
SQL> GRANT ALTER SESSION to C##AHFUSER container=all;
SQL> GRANT SET CONTAINER to C##AHFUSER container=all;
SQL> GRANT CREATE SESSION to C##AHFUSER container=all;
SQL> GRANT SELECT_CATALOG_ROLE to C##AHFUSER container=all;

      Non-mulitenant example:

      SQL> grant SELECT ANY DICTIONARY to AHFUSER;
SQL> grant ALTER SESSION to AHFUSER;
SQL> grant CREATE SESSION to AHFUSER;
SQL> grant SELECT_CATALOG_ROLE to AHFUSER;
  3. As the Oracle Database software owner, add the database login credentials to the AHF Wallet.

    Note:

    The database unique name (DB_UNIQUE_NAME) MUST be used when storing the credentials in the wallet as this will ensure the uniqueness of the database on the given system. 

    ahf security add-credentials --type password --database <db_unique_name> --user-name c##ahfuser --oracle-home <oracle_home> --oracle-sid <oracle sid>

Parent topic: Collect Diagnostic Data