5 Implementing Multi-User Access on Oracle Database Appliance
Understand how multi-user access can be implemented on Oracle Database Appliance, its advantages and restrictions, and the associated life cycle management changes for your appliance.
Caution:
You can enable multi-user access only at the time of provisioning Oracle Database Appliance on bare metal systems, and you cannot roll back multi-user access after you provision and deploy your appliance. The Oracle Database Appliance administration model changes when you deploy the Multi-User Access feature. Evaluate your role separation requirements before using this feature. Deploying on a test system first can help with the evaluation and assessment of the new administration model.
Note:
You can enable multi-user access on Oracle Database Appliance DB systems when you create the DB system, using either ODACLI commands or the Browser User Interface (BUI).
- About Multi-User Access on Oracle Database Appliance
  Before provisioning your appliance, understand how multi-user access can enhance the security of the system and provide an efficient mechanism for role separation.
- About Users, Roles, Entitlements, and Operations on a Multi-User Access Enabled Oracle Database Appliance System
  Understand the users, roles, entitlements, and operations when you provision your appliance with multi-user access enabled.
- About Granting and Revoking Resource Access
  Multi-user access allows exclusive or shared access to resources. Review this example about shared resource access.
- Using Passwordless Multi-User Access on Oracle Database Appliance
  Understand how you can implement passwordless multi-user access on Oracle Database Appliance, its advantages and restrictions, and the associated life cycle management changes for your appliance.
- Provisioning Oracle Database Appliance with Multi-User Access
  You can enable multi-user access only when you provision Oracle Database Appliance, using CLI commands or the Browser User Interface.
- Creating, Viewing, and Deleting Users on Oracle Database Appliance with Multi-User Access
  After provisioning the appliance with multi-user access enabled, you can create users with specific entitlements.
- Activating a New User on Oracle Database Appliance with Multi-User Access
  Understand how to activate a new user on a multi-user access enabled Oracle Database Appliance.
- Granting and Revoking Resource Access on Oracle Database Appliance with Multi-User Access
  You can grant and revoke resource access on the appliance.
- Viewing Roles, Operations, and Entitlements on Oracle Database Appliance with Multi-User Access
  You can view roles and entitlements on the appliance.
- Managing Databases and Database Homes on Oracle Database Appliance with Multi-User Access
  A custom user created on a multi-user access Oracle Database Appliance can deploy and manage databases and database homes.
- Changing the Password for a User Account on Oracle Database Appliance with Multi-User Access
  Understand how to manage passwords on a multi-user access Oracle Database Appliance.
- Resetting the Password for a Locked User Account on Oracle Database Appliance with Multi-User Access
  Understand how to reset the password on a multi-user access Oracle Database Appliance.
About Multi-User Access on Oracle Database Appliance
Before provisioning your appliance, understand how multi-user access can enhance the security of the system and provide an efficient mechanism for role separation.
Currently, a single Oracle Database Appliance account with user name and password is used to securely connect to the appliance, run ODACLI commands, or log into the BUI. The root user performs all administration on an Oracle Database Appliance. With multi-user access, you have the option of providing separate access to database administrators to manage databases. The display of resources within the Browser User Interface is also filtered according to user role. Root access is restricted to the Oracle Database Appliance system administrator, for accessing system logs or debugging issues that require root access.
When you enable multi-user access, you create multiple users with different roles that restrict them from accessing resources created by other users and also restrict the set of operations they can perform using ODACLI commands or the Browser User Interface (BUI). The same user credentials that you set up can be used for logging into the BUI and running ODACLI commands. The BUI also displays resources and information based on access to the set of resources. A separate Multi-User Access Management tab is available only to the odaadmin user, to administer the users and resources in the system.
Note:
When you enable multi-user access, the Oracle Database Appliance administrator is odaadmin. This user has access to all the resources on the appliance and can run any operation using ODACLI or the BUI with the same set of credentials. When you do not enable multi-user access, the user name you use to log into the BUI is oda-admin.
Note:
The authentication token support for ODACLI session management is linked to a multi-user access user account. Since root is an operating system administrative user and not a multi-user access user, auth token based session management is not supported when a user logs in as root. Therefore, you must provide an Oracle Database Appliance account user name and password to run any ODACLI command.
Benefits of enabling multi-user access
- The multi-user access feature supports user lifecycle management such as creation, activation, update, deactivation, deletion, and credential management.
- By using multi-user access, multiple departments such as finance and human resources within the same organization can use Oracle Database Appliance as a consolidation platform for hosting their databases in a secure manner, as only the authorized users in the respective departments can access their departmental databases and perform lifecycle management operations on them.
- Organizations that have root access policy restrictions can use multi-user access and create separate users with restricted roles.
- Without multi-user access, all databases were created as the default database user chosen during provisioning. Hence, even in a sudo-based multi-user environment, the ODA administrator could not track usage of resources. Now such reporting is possible at the database level.
- The multi-user access feature supports token-based session management. A user enters the password only when they run the first odacli command. Subsequently, a token is generated and, until it expires, the user is not required to enter the password again. Each time an odacli command is run, the existing token is refreshed with a new token that has an expiry of 120 minutes or the value configured by the odaadmin user. This means that if the odacli session is not idle for the expiry duration, the user does not need to enter the password again.
- Both Basic Auth and mTLS modes of authentication are supported. ODACLI and the BUI use Basic Auth. Users such as oracle and grid can also run certain operations on the DCS agent using mTLS-based authentication. Basic Auth is a password-based authentication scheme. mTLS is a certificate-based authentication scheme where both the client (user) and the server (DCS agent) mutually present and authenticate each other's certificate before the authentication is deemed complete.
- Multi-user access provides for user account locking on multiple failed login attempts and password expiration. You can also unlock and reset the account in case the password is forgotten.
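The token-based session behaviour and the account locking described in the list above, modelled as an added example in Python. This is not Oracle code and does not talk to the DCS agent: it reproduces the sliding expiry (every odacli invocation replaces the token with a fresh one valid for another 120 minutes, so a session only needs the password again after being idle for the full expiry) and the lockout on repeated failed logins. The lockout threshold of 5, the account name, the password and the simulated clock are assumptions.

```python
"""Model of the ODACLI token-based session and account-locking behaviour
described above.

Added example, not Oracle code: it reproduces the sliding expiry (every
command replaces the token with a fresh one valid for another 120 minutes)
and the lockout after repeated failed logins. The lockout threshold of 5,
the account and password values, and the simulated clock are assumptions;
the DCS agent is not involved.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional
import secrets

TOKEN_TTL = timedelta(minutes=120)   # default expiry stated on the page
MAX_FAILED_LOGINS = 5                # assumed threshold, not from the page


@dataclass
class Account:
    name: str
    password: str                    # plaintext only for this simulation
    failed_logins: int = 0
    locked: bool = False
    token: Optional[str] = None
    token_expires: Optional[datetime] = None


class SessionModel:
    def __init__(self, accounts, ttl=TOKEN_TTL):
        self.accounts = {a.name: a for a in accounts}
        self.ttl = ttl

    def run_command(self, user, now, password=None):
        """Outcome of one odacli invocation: 'ok', 'password-required',
        'denied' or 'locked'."""
        acct = self.accounts[user]
        if acct.locked:
            return "locked"
        if acct.token and acct.token_expires > now:
            self._issue(acct, now)          # valid token: refresh it, no password
            return "ok"
        # no token, or the session was idle past the expiry: password needed
        if password is None:
            return "password-required"
        if not secrets.compare_digest(password, acct.password):
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.locked = True
                return "locked"
            return "denied"
        acct.failed_logins = 0
        self._issue(acct, now)
        return "ok"

    def _issue(self, acct, now):
        acct.token = secrets.token_urlsafe(32)
        acct.token_expires = now + self.ttl

    def unlock(self, acct_name):
        """What odaadmin does for a locked account (unlock / reset)."""
        acct = self.accounts[acct_name]
        acct.locked = False
        acct.failed_logins = 0
        acct.token = None


def walkthrough():
    """Constructed sequence of odacli invocations by one user; returns the
    outcome of each step."""
    t0 = datetime(2024, 1, 1, 9, 0)
    m = SessionModel([Account("odadb1", "correct-horse-battery")])

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    steps = [
        m.run_command("odadb1", at(0)),                            # no token yet
        m.run_command("odadb1", at(0), "correct-horse-battery"),   # token valid to 11:00
        m.run_command("odadb1", at(90)),                           # refreshed, valid to 12:30
        m.run_command("odadb1", at(180)),      # 12:00: ok only because of the sliding refresh
        m.run_command("odadb1", at(400)),      # idle since 12:00, past 14:00: expired
    ]
    for _ in range(MAX_FAILED_LOGINS):        # repeated wrong passwords lock the account
        last = m.run_command("odadb1", at(401), "wrong")
    steps.append(last)
    steps.append(m.run_command("odadb1", at(402), "correct-horse-battery"))  # still locked
    m.unlock("odadb1")                         # odaadmin unlocks the account
    steps.append(m.run_command("odadb1", at(403), "correct-horse-battery"))
    return steps
```

The fourth step is the one worth noticing: with a fixed expiry the token issued at 09:00 would have been dead by 12:00, but because the 10:30 command re-issued it the user is not prompted. A session that stays busy therefore never re-enters the password, which is why the expiry value set by odaadmin bounds only idle time.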
Note:
You can enable multi-user access only at the time of provisioning Oracle Database Appliance, and you cannot roll back multi-user access after you provision and deploy your appliance. Provision the feature on your test system first, and then deploy this feature on your production system.
About Users, Roles, Entitlements, and Operations on a Multi-User Access Enabled Oracle Database Appliance System
Understand the users, roles, entitlements, and operations when you provision your appliance with multi-user access enabled.
Note:
In a multi-user access enabled deployment, the oda-admin user is not present. The ODA admin user name is odaadmin. The first user with administrative privileges is called odaadmin. This user can log into the BUI and run ODACLI commands. This user can also create other user accounts with roles and entitlements as required.
About Roles, Entitlements, and Operations
Each user can be assigned one or more roles in a multi-user enabled Oracle Database Appliance system. Each role encompasses a set of entitlements that authorizes a user to perform only a specific set of operations using ODACLI or the BUI. Each entitlement, in turn, is a group of similar operations. For example, PROVISIONDB-MGMT is an entitlement that encompasses provisioning-related operations such as create-database, clone-database, delete-database, and register-database. Similarly, BACKUPDB-MGMT encompasses backup-related operations such as create-backup, delete-backup, irestore-database, recover-database, and so on. The ODA-DB role has access to a collection of entitlements such as PROVISIONDB-MGMT, BACKUPDB-MGMT, and PATCHDB-MGMT. A user with the ODA-DB role can perform all the database lifecycle management operations on the databases that they own. Additionally, if a user with the ODA-DB role is granted the ODA-GRID role as well, this user can also perform Oracle Grid Infrastructure-related operations.
Roles can be internal or external. Internal roles are assigned to system users and are used internally for the purpose of administration of the Oracle Database Appliance system. For example, the ODA-ADMINISTRATOR role is assigned to the Oracle Database Appliance system administrator to manage the appliance or associated entities. Another example is a DB system communicating with the bare metal system using a system user with the role of ODA-DBVMINFRA.
External roles can be granted to the new users created by odaadmin, the Oracle Database Appliance system administrator. For example, odaadmin creates a new user odadb1 with the role of ODA-DB. Now this user odadb1 is entitled to create databases and perform lifecycle management operations because of the role granted to them. A user can have one or more roles.
The topic ODACLI Command Changes with Multi-User Access on Oracle Database Appliance describes the ODACLI commands that have changes for multi-user access and the entitlements required to run the commands.
Multi-User Access User Roles
When you enable multi-user access on Oracle Database Appliance, the following user roles are available:
- ODA-ADMINISTRATOR: This is an internal role assigned to the first user (odaadmin) created during the provisioning of an Oracle Database Appliance. This role entitles odaadmin to run all ODACLI commands or perform all Browser User Interface (BUI) operations. This role cannot be assigned to the new users that odaadmin creates. The odaadmin account is an administrator role that can run any operation (command) on any resource. For example, user oda1 creates a database db1 and user oda2 creates a database db2. Each user can now perform lifecycle management operations on their respective database only. But odaadmin can patch both databases by running odacli commands. This allows both DBAs (oda1 and oda2) and an overall administrator (odaadmin) to perform functions specific to their role.
- ODA-DB: This is an external role available to odaadmin to assign to newly-created users. This role entitles the user to perform database management operations such as create, modify, restore, recover, backup, patch, clone, move, register, and delete.
- ODA-OAKDROOT: This is an internal role that is assigned to the system user oakdroot created during provisioning and is used by OAKD to run certain operations such as get-disks and release-disks on the DCS agent. OAKD communicates with DCS through mTLS certificate-based authentication. Hence, this user does not have any password associated with it. Do not use this role to connect by SSH to the appliance or log into the Browser User Interface to run ODACLI commands. None of the password management commands such as change-password apply to this user.
- ODA-GRID: This is an internal role assigned to the grid user. This role entitles the user to run Oracle Grid Infrastructure-related operations.
- ODA-DBVMINFRA: This is an internal role assigned to the DBVM user created on the bare metal system when the DB system is provisioned. This role entitles the user to synchronize metadata between the DB system and the bare metal system.
About Granting and Revoking Resource Access
Multi-user access allows exclusive or shared access to resources. Review this example about shared resource access.
Multi-user access allows exclusive or shared access to resources. It is recommended that each user creates their own database home and then creates databases in that home. This provides an efficient method of separation of duties where each user has exclusive access to their databases. However, in certain exceptional situations, such as lack of disk space, a user can request the administrator odaadmin to grant them shared access to a resource owned by another user.
For example, suppose user oda1 wants to create a database of version 19c and there is already a database home DBH2 of the same version created by another user oda2. With the consent of user oda2, user oda1 can request the odaadmin user to grant them shared access to database home DBH2. Once the shared access is granted, user oda1 can create a database db1 on the shared database home DBH2 and manage it. Note that user oda1 can connect to the database db1 only through the SYS user password and not as a password-less connection based on operating system authentication, as the database home DBH2 is still owned by user oda2. Oracle Database Appliance resources such as database homes, database storage, and databases can be shared across users in a similar fashion on an on-demand basis. However, there are restrictions on the secondary owner managing the shared resource.
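The role, entitlement and ownership rules from the previous section, together with the DBH2 shared-access example above, written out as an added Python model. This is not the DCS agent's authorization code: it only shows how the three checks compose (is the operation covered by an entitlement of one of the user's roles; does the user own the target resource or hold shared access to it; is the caller odaadmin, who bypasses ownership). Entitlement, role, user and resource names are the ones this chapter uses. The update-dbhome and delete-dbhome operation names, the empty ODA-GRID entitlement set, and the rule that a secondary owner may use but not delete a shared resource are assumptions standing in for details the page does not spell out.

```python
"""Model of role -> entitlement -> operation checks plus resource ownership
and shared access, as described in this chapter.

Added example, not Oracle's DCS agent code. Names are taken from the
chapter where it gives them; update-dbhome, delete-dbhome, the empty
ODA-GRID entitlement set and the 'shared users may use but not delete'
rule are assumptions.
"""
from dataclasses import dataclass, field

ENTITLEMENTS = {
    "PROVISIONDB-MGMT": {"create-database", "clone-database", "delete-database",
                         "register-database", "delete-dbhome"},   # delete-dbhome assumed
    "BACKUPDB-MGMT": {"create-backup", "delete-backup", "irestore-database",
                      "recover-database"},
    "PATCHDB-MGMT": {"update-dbhome"},                            # assumed operation name
}
ROLES = {
    "ODA-DB": {"PROVISIONDB-MGMT", "BACKUPDB-MGMT", "PATCHDB-MGMT"},
    "ODA-GRID": set(),            # grid entitlements are not enumerated on the page
    "ODA-ADMINISTRATOR": None,    # any operation on any resource
}


@dataclass
class Resource:
    name: str
    owner: str
    shared_with: set = field(default_factory=set)


class AccessModel:
    def __init__(self):
        self.user_roles = {}
        self.resources = {}

    def add_user(self, name, *roles):
        self.user_roles[name] = set(roles)

    def is_admin(self, user):
        return "ODA-ADMINISTRATOR" in self.user_roles.get(user, ())

    def entitled(self, user, op):
        """Role check: some role of the user carries an entitlement with op."""
        if self.is_admin(user):
            return True
        for role in self.user_roles.get(user, ()):
            for ent in ROLES.get(role) or ():
                if op in ENTITLEMENTS[ent]:
                    return True
        return False

    def authorize(self, user, op, resource=None):
        """True if user may run op (on resource, when one is given)."""
        if not self.entitled(user, op):
            return False
        if resource is None or self.is_admin(user):
            return True
        res = self.resources[resource]
        if res.owner == user:
            return True
        # secondary owner: may use the shared resource, not remove it (assumption)
        return user in res.shared_with and not op.startswith("delete-")

    def grant_shared_access(self, admin, resource, user):
        if not self.is_admin(admin):
            raise PermissionError("only odaadmin can grant shared access")
        self.resources[resource].shared_with.add(user)

    def revoke_shared_access(self, admin, resource, user):
        if not self.is_admin(admin):
            raise PermissionError("only odaadmin can revoke shared access")
        self.resources[resource].shared_with.discard(user)

    def create(self, user, op, new_name, parent=None):
        """Run a creating op; the created resource is owned by the caller."""
        if not self.authorize(user, op, parent):
            raise PermissionError(f"{user} may not {op} on {parent}")
        self.resources[new_name] = Resource(new_name, user)
        return self.resources[new_name]


def walkthrough():
    """The DBH2 example from the page, returned as a dict of outcomes."""
    m = AccessModel()
    m.add_user("odaadmin", "ODA-ADMINISTRATOR")
    m.add_user("oda1", "ODA-DB")
    m.add_user("oda2", "ODA-DB")
    m.resources["DBH2"] = Resource("DBH2", "oda2")      # home created by oda2
    out = {}
    out["before_grant"] = m.authorize("oda1", "create-database", "DBH2")
    m.grant_shared_access("odaadmin", "DBH2", "oda1")    # after oda2 consents
    out["after_grant"] = m.authorize("oda1", "create-database", "DBH2")
    db1 = m.create("oda1", "create-database", "db1", parent="DBH2")
    out["db1_owner"] = db1.owner                          # oda1 owns db1, not the home
    out["oda2_deletes_db1"] = m.authorize("oda2", "delete-database", "db1")
    out["oda1_deletes_dbh2"] = m.authorize("oda1", "delete-dbhome", "DBH2")
    out["odaadmin_deletes_db1"] = m.authorize("odaadmin", "delete-database", "db1")
    m.revoke_shared_access("odaadmin", "DBH2", "oda1")
    out["after_revoke"] = m.authorize("oda1", "create-database", "DBH2")
    return out
```

Note what the model deliberately does not grant: holding shared access to DBH2 makes oda1 the owner of db1 but never of the home, so anything that removes the home stays with oda2 and odaadmin, and revoking the grant closes the door for new databases without touching db1.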
Using Passwordless Multi-User Access on Oracle Database Appliance
Understand how you can implement passwordless multi-user access on Oracle Database Appliance, its advantages and restrictions, and the associated life cycle management changes for your appliance.
Caution:
You can enable passwordless multi-user access only at the time of provisioning Oracle Database Appliance on bare metal and DB systems, and you cannot roll back multi-user access after you provision and deploy your appliance. The Oracle Database Appliance administration model changes when you deploy the passwordless multi-user access feature. Evaluate your role separation requirements before using this feature. Deploying on a test system first can help with the evaluation and assessment of the new administration model. Existing bare metal and DB system deployments that do not have multi-user access enabled, or that have the earlier multi-user access feature which requires a password when you first run an odacli command, cannot be converted to a passwordless multi-user access deployment.
Note:
Starting with Oracle Database Appliance release 19.23, a passwordless flavor of the multi-user access feature is also available. You can provision a DB system with either flavor of multi-user access on a bare metal system that does not have multi-user access enabled. On such a bare metal system, you can still use the role separation and resource ownership capabilities that multi-user access or passwordless multi-user access provides.
- About Passwordless Multi-User Access on Oracle Database Appliance
  Before provisioning your appliance, understand how passwordless multi-user access can enhance the security of the system and provide an efficient mechanism for role separation.
- Provisioning Oracle Database Appliance with Passwordless Multi-User Access
  You can enable passwordless multi-user access only when you provision Oracle Database Appliance using CLI commands. Passwordless multi-user access feature provisioning and management is not supported through the Browser User Interface (BUI).
- Creating, Viewing, and Deleting Users on Oracle Database Appliance with Passwordless Multi-User Access
  After provisioning the appliance with passwordless multi-user access enabled, you can create users with specific entitlements.
- Changing the Password for a User Account on Oracle Database Appliance with Passwordless Multi-User Access
  Understand how to manage passwords on a multi-user access Oracle Database Appliance.
- Example JSON Files to Create a Single-Node Passwordless Multi-User Enabled Appliance
  Follow these JSON file examples to create a JSON file to deploy a single-node appliance with the command odacli create-appliance.
- Example JSON File to Create a High-Availability Passwordless Multi-User Enabled Appliance
  Follow the JSON file example to create a JSON file to deploy a high-availability appliance with the command odacli create-appliance.
- Example JSON Files to Create a Single-Node Passwordless Multi-User Enabled DB System
  Follow the JSON file example to create a JSON file to deploy a single-node DB System, with role separation, with the command odacli create-dbsystem.
- Example JSON File to Create a High-Availability Passwordless Multi-User Enabled DB System
  Follow the JSON file example to create a JSON file to deploy a two-node DB System, with role separation, with the command odacli create-dbsystem.
About Passwordless Multi-User Access on Oracle Database Appliance
Before provisioning your appliance, understand how passwordless multi-user access can enhance the security of the system and provide an efficient mechanism for role separation.
Oracle Database Appliance supports enabling passwordless multi-user access at the time of provisioning Oracle Database Appliance, on bare metal systems and DB systems. You must specify the "isMultiUserAccessPLEnabled": true option in the JSON file used for provisioning bare metal systems and DB systems. For more information, see the example JSON file with this option in this chapter.
Note:
You can enable passwordless multi-user access on Oracle Database Appliance bare metal and DB systems at the time of provisioning using ODACLI commands. You cannot use the Browser User Interface (BUI) to enable passwordless multi-user access on Oracle Database Appliance bare metal systems. However, you can use the BUI on the Oracle Database Appliance bare metal system to enable multi-user access on Oracle Database Appliance DB systems at the time of provisioning.
Benefits of enabling passwordless multi-user access
- If your corporate policies prevent direct usage of Oracle Database Appliance user account passwords, by employing tools or software that allow access to Oracle Database Appliance through your corporate credentials, then you can configure passwordless multi-user access and run commands on your appliance without the need to specify your Oracle Database Appliance account password when you first run an ODACLI command or when your authentication token expires. This does not compromise the security of the system, as all communication to the Oracle Database Appliance server is through a strong and secure system-generated password, unique for every user.
- The passwordless multi-user access feature provides role separation and supports user lifecycle management such as creation, deletion, and credential management.
- By using passwordless multi-user access, multiple departments such as finance and human resources within the same organization can use Oracle Database Appliance as a consolidation platform for hosting their databases in a secure manner, as only the authorized users in the respective departments can access their departmental databases and perform lifecycle management operations on them.
- Organizations that have root access policy restrictions can use passwordless multi-user access and create separate users with restricted roles.
- Without multi-user access, all databases were created as the default database user chosen during provisioning. Hence, even in a sudo-based multi-user environment, the ODA administrator could not track usage of resources. Now such reporting is possible at the database level.
- For passwordless multi-user access, you do not have to specify the Oracle Database Appliance account password when you first run an ODACLI command or when the authentication token expires. The Oracle Database Appliance system generates a strong and secure password for every user. This password is stored internally by the system and used when you run odacli commands.
- Both Basic Auth and mTLS modes of authentication are supported. ODACLI uses Basic Auth. Users such as oracle and grid can also run certain operations on the DCS agent using mTLS-based authentication. Basic Auth is a password-based authentication scheme. mTLS is a certificate-based authentication scheme where both the client (user) and the server (DCS agent) mutually present and authenticate each other's certificate before the authentication is deemed complete.
Note:
You can enable passwordless multi-user access only at the time of provisioning Oracle Database Appliance, and you cannot roll back passwordless multi-user access after you provision and deploy your appliance. Provision the feature on your test system first, and then deploy this feature on your production system.
Provisioning Oracle Database Appliance with Passwordless Multi-User Access
You can enable passwordless multi-user access only when you provision Oracle Database Appliance using CLI commands. Passwordless multi-user access feature provisioning and management is not supported through the Browser User Interface (BUI).
Caution:
You can enable passwordless multi-user access only at the time of provisioning Oracle Database Appliance on bare metal systems, and you cannot roll back multi-user access after you provision and deploy your appliance. The Oracle Database Appliance administration model changes when you deploy the passwordless multi-user access feature. Evaluate your role separation requirements before using this feature. Deploying on a test system first can help with the evaluation and assessment of the new administration model.
Overall Steps in Provisioning Oracle Database Appliance with Passwordless Multi-User Access Enabled
- Enable passwordless multi-user access. To provision your appliance using a JSON file, add the attribute "isMultiUserAccessPLEnabled": true in the prov_req.json file. If the attribute is set to false or does not exist in the prov_req.json file, then passwordless multi-user access is not enabled during provisioning of the appliance. Note that you can set either multi-user access or passwordless multi-user access in the JSON file, not both.
"isRoleSeparated": true,
"isMultiUserAccessPLEnabled": true,
"osUserGroup": {
"groups": [{
"groupId": 1001,
"groupName": "oinstall",
"groupRole": "oinstall"
}, ...
- Connect to the Oracle Database Appliance network and run the odacli configure-firstnet command using the Oracle ILOM console.
- Log into Oracle Database Appliance as the root user and run the odacli create-appliance -r prov.json command, with "isMultiUserAccessPLEnabled": true in the prov.json file.
- After the provisioning job is submitted, log out as root and log in as the odaadmin user using a PAM utility or passwordless SSH, then check the status of the provisioning job and ensure that it is successful.
- The system creates Oracle Database Appliance accounts for the odaadmin, oracle, and grid users. These are Oracle Database Appliance system users and their accounts are activated during creation. The user odaadmin is created with the role of ODA-ADMINISTRATOR, while the oracle and grid users are created with the roles of ODA-DB and ODA-GRID respectively.
- The system configures the multi-user access repository with a list of roles and entitlements, used for assigning to the users in the system.
- You can now log into the appliance using the PAM utility that is integrated with the appliance. The PAM utility prompts you for your corporate credentials and, on successful authentication, logs you into the appliance as an Oracle Database Appliance user as per the mapping defined by the PAM utility administrator. Alternatively, you can set up passwordless SSH to log into the appliance.
- After the bare metal system is provisioned, log in as the odaadmin user and run the odacli create-dbsystem -p prov.json command, with "isMultiUserAccessPLEnabled": true in the prov.json file.
- After the DB system is provisioned, log in as the odaadmin user through the PAM utility or passwordless SSH and create additional users, if required.
- Log into the DB system as the oracle user through the PAM utility or passwordless SSH and create databases for the oracle user.
- Log into the DB system as a custom user through the PAM utility or passwordless SSH and create databases for the custom user.
Creating, Viewing, and Deleting Users on Oracle Database Appliance with Passwordless Multi-User Access
After provisioning the appliance with passwordless multi-user access enabled, you can create users with specific entitlements.
Creating, Viewing, and Deleting Users with ODACLI Commands
- Connect to the appliance as the odaadmin user:
ssh odaadmin@<oda-box-hostname-or-IP>
- Run any ODACLI command and provide the odaadmin password when prompted.
- On successful authentication, create a user with the following command:
odacli create-user -u username -r comma-separated-role-names
For example, create a user dbuser1 with lifecycle management privileges for databases:
odacli create-user -u dbuser1 -r ODA-DB
The odaadmin user creates dbuser1 and assigns a temporary password.
- After the user is created successfully, dbuser1 can log into the appliance with the temporary password.
- The user dbuser1 is in the Inactive state. Activate the user with the following command:
odacli activate-user
You are prompted to change the password. Enter the temporary password, the new password, and confirm the new password.
- Use the new password to connect by SSH into the appliance and run ODACLI commands or connect to the Browser User Interface.
- The odaadmin user can view all the users in the system:
# odacli list-users
- The odaadmin user can view details for a user in the system:
# odacli describe-user -u user_id
- Delete a user in the system. Note that only the odaadmin user can delete a user in the system.
# odacli delete-user -u user_id
Changing the Password for a User Account on Oracle Database Appliance with Passwordless Multi-User Access
Understand how to manage passwords on a multi-user access Oracle Database Appliance.
Note:
If your appliance is configured as passwordless multi-user enabled, then all user accounts are preactivated during creation and never get locked, because the system internally generates the password for each user and provides it to the DCS agent for authentication when required for running ODACLI commands. For passwordless multi-user enabled systems, do not run any scripts for unlocking the odaadmin account or the odacli reset-password command to reset the password. Run the odacli change-password command to change the system-generated password for your Oracle Database Appliance account.
Changing the Password on a Passwordless Multi-User Access Enabled System Using ODACLI Commands
- You can change the password for an Oracle Database Appliance user whose account is active. This command resets the password of this user account to a new randomly generated password.
odacli change-password
Example JSON Files to Create a Single-Node Passwordless Multi-User Enabled Appliance
Follow these JSON file examples to create a JSON file to deploy a single-node appliance with the command odacli create-appliance.
Note:
If you do not enter your network and Oracle ILOM information correctly based on your setup, then network access is lost to both the host and Oracle ILOM. When using the example to create your JSON file, change the definitions to match your environment. The password must meet password requirements.
Note:
To configure Oracle ASR during provisioning, always specify the asrType parameter in the JSON file.
Example 5-1 JSON File to Create a Single Node Oracle Database Appliance with Role Separation and Passwordless Multi-User Access
The following is an example of a JSON file that creates a single node appliance on Oracle Database Appliance. The example uses role separation and enables passwordless multi-user access.
{
"instance" : {
"name" : "odambox",
"instanceBaseName" : "odambox-c",
"dbEdition" : "EE",
"timeZone" : "UTC",
"ntpServers" : ["xx.x.x.x"],
"dnsServers" : ["x.x.x.xx","xx.x.x.xx","xx.x.x.xx"],
"domainName" : "example.com",
"isRoleSeparated" : true,
"isMultiUserAccessPLEnabled" : true,
"osUserGroup" : {
"groups" : [ {
"groupId" : 1001,
"groupName" : "oinstall",
"groupRole" : "oinstall"
}, {
"groupId" : 1002,
"groupName" : "dbaoper",
"groupRole" : "dbaoper"
}, {
"groupId" : 1003,
"groupName" : "dba",
"groupRole" : "dba"
}, {
"groupId" : 1004,
"groupName" : "asmadmin",
"groupRole" : "asmadmin"
}, {
"groupId" : 1005,
"groupName" : "asmoper",
"groupRole" : "asmoper"
}, {
"groupId" : 1006,
"groupName" : "asmdba",
"groupRole" : "asmdba"
} ],
"users" : [ {
"userId" : 1000,
"userName" : "oracle",
"userRole" : "oracleUser"
}, {
"userId" : 1001,
"userName" : "grid",
"userRole" : "gridUser"
} ]
},
"users": [
{
"id": 1000,
"name": "ugrid",
"role": "gridUser"
},
{
"id": 1001,
"name": "uoracle",
"role": "oracleUser"
}
],
"multiUserAccess": {
"isMultiUserAccessPLEnabled": true
}
},
"sysOraHomeStorage": {
"volumeSize": "160",
"diskgroup": "DATA"
},
"nodes" : [ {
"nodeNumber" : "0",
"nodeName" : "odambox",
"network" : [ {
"nicName" : "btbond1",
"ipAddress" : "xx.x.x.xx",
"subNetMask" : "xxx.xxx.xxx.x",
"gateway" : "xx.x.x.x",
"networkType" : [ "Public" ],
"isDefaultNetwork" : true
}
],
"ilom" : {
"ilomName":"odambox-c",
"ipAddress":"xx.x.x.xx",
"subNetMask":"xxx.xxx.xx.x",
"gateway":"xx.x.x.x"
}
} ],
"grid" : {
"diskGroup" : [ {
"diskGroupName" : "DATA",
"redundancy" : "NORMAL",
"diskPercentage" :80
}, {
"diskGroupName" : "RECO",
"redundancy" : "NORMAL",
"diskPercentage" :20
} ],
"scan" : null,
"vip": null,
"language" : "en",
"enableAFD":"TRUE"
},
"database" : {
"dbName" : "myTestDb",
"databaseUniqueName":"myTestDb_sea1kj",
"dbEdition" : "EE",
"dbVersion" : "19.23.0.0",
"dbHomeId":null,
"instanceOnly" : false,
"isCdb" : true,
"pdBName" : "pdb1",
"pdbAdminuserName" : "pdbuser",
"enableTDE":true,
"adminPassword" : "password",
"dbType" : "SI",
"dbTargetNodeNumber" : null,
"dbClass" : "OLTP",
"dbShape" : "odb1",
"dbStorage" : "ACFS",
"dbCharacterSet" : {
"characterSet" : "AL32UTF8",
"nlsCharacterset" : "AL16UTF16",
"dbTerritory" : "AMERICA",
"dbLanguage" : "AMERICAN"
},
"dbConsoleEnable" : false,
"backupConfigId":null,
"rmanBkupPassword": null
},
"asr" :{
"asrType": "INTERNAL",
"userName":"john.smith@example.com",
"password":"password",
"proxyServerName":"www-proxy.example.com",
"proxyPort":"80",
"proxyUserName":"proxy-user",
"proxyPassword":"proxy-password",
"httpsPortNumber":"16163"
}
}
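A pre-flight check for a provisioning JSON file such as Example 5-1, added here as an example in Python; it is not Oracle tooling and does not replace the validation odacli itself performs. It catches, before the file is handed to odacli create-appliance, the mistakes this chapter warns about: the two flavours of multi-user access enabled at once, an "asr" section without asrType, a file that is not valid JSON, and the documentation placeholders (xx.x.x.xx addresses, the literal "password") left unreplaced, which the note above says costs you network access to the host and Oracle ILOM. The attribute name isMultiUserAccessEnabled for the non-passwordless flavour is an assumption, since this chapter names only isMultiUserAccessPLEnabled; the two sample documents in the block are constructed, cut down from Example 5-1.

```python
"""Pre-flight checks for an Oracle Database Appliance provisioning JSON file.

Added example, not Oracle's code or tooling. It parses a prov.json and
reports the mistakes this chapter warns about before the file is handed to
'odacli create-appliance': both flavours of multi-user access enabled at
once, an "asr" section without asrType, and placeholder values from the
documentation examples (xx.x.x.xx addresses, the literal "password") left
unreplaced. The attribute name isMultiUserAccessEnabled for the
non-passwordless flavour is an assumption; the chapter names only
isMultiUserAccessPLEnabled. The sample documents below are constructed.
"""
import json
import re
import sys

PLACEHOLDER_ADDR = re.compile(r"^x+(\.x+)+$")         # "xx.x.x.xx", "xxx.xxx.xxx.x"
PLACEHOLDER_SECRETS = {"password", "proxy-password"}   # literals used in the examples


def _leaves(node, path=""):
    """Yield (json-path, value) for every scalar in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _leaves(value, f"{path}[{index}]")
    else:
        yield path, node


def preflight(text):
    """Return a list of findings for the JSON text; an empty list means it passed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # odacli would reject the file anyway; say where it breaks
        return [f"not valid JSON: {exc}"]
    findings = []

    instance = doc.get("instance", {})
    if (instance.get("isMultiUserAccessEnabled") is True        # assumed attribute name
            and instance.get("isMultiUserAccessPLEnabled") is True):
        findings.append("instance: set either isMultiUserAccessEnabled or "
                        "isMultiUserAccessPLEnabled, not both")

    if "asr" in doc and "asrType" not in doc["asr"]:
        findings.append("asr: asrType must be specified to configure Oracle ASR")

    for path, value in _leaves(doc):
        if not isinstance(value, str):
            continue
        if PLACEHOLDER_ADDR.match(value):
            findings.append(f"{path}: placeholder address '{value}' not replaced")
        elif "password" in path.lower() and value in PLACEHOLDER_SECRETS:
            findings.append(f"{path}: placeholder password not replaced")
    return findings


# Constructed sample: a cut-down Example 5-1 with both flavours enabled,
# asrType missing and several placeholders left in.
SAMPLE_BAD = """{
  "instance": {
    "name": "odambox",
    "ntpServers": ["xx.x.x.x"],
    "isRoleSeparated": true,
    "isMultiUserAccessEnabled": true,
    "isMultiUserAccessPLEnabled": true
  },
  "nodes": [ { "nodeNumber": "0",
               "network": [ { "nicName": "btbond1", "ipAddress": "xx.x.x.xx",
                              "subNetMask": "255.255.255.0", "gateway": "192.0.2.1" } ] } ],
  "database": { "dbName": "myTestDb", "adminPassword": "password" },
  "asr": { "userName": "john.smith@example.com", "password": "password" }
}"""

# Constructed sample with the same shape and the problems corrected.
SAMPLE_OK = """{
  "instance": { "name": "odambox", "ntpServers": ["192.0.2.10"],
                "isRoleSeparated": true, "isMultiUserAccessPLEnabled": true },
  "nodes": [ { "nodeNumber": "0",
               "network": [ { "nicName": "btbond1", "ipAddress": "192.0.2.20",
                              "subNetMask": "255.255.255.0", "gateway": "192.0.2.1" } ] } ],
  "database": { "dbName": "myTestDb", "adminPassword": "Wq7#longRandomValue" },
  "asr": { "asrType": "INTERNAL", "userName": "john.smith@example.com",
           "password": "Another#Strong1Value" }
}"""

if __name__ == "__main__":
    # usage: python preflight.py prov.json   (exit status 1 when there are findings)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD
    problems = preflight(source)
    print("\n".join(problems) or "no findings")
    sys.exit(1 if problems else 0)
```

Run it against the file you intend to pass to odacli create-appliance; a non-zero exit is the cue to fix the file rather than provision. The placeholder check is deliberately conservative (it only matches the x-filled addresses and the literal example passwords), so a clean report still leaves the correctness of your real network values to you.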
Example 5-2 JSON File to Create a Single Node Oracle Database Appliance without Role Separation and with Passwordless Multi-User Access
The following is an example of a JSON file that creates an Oracle Database Appliance without using role separation and with passwordless multi-user access. This example creates two groups (oinstall and dba) and one user (oracle).
{
"instance" : {
"name" : "odambox",
"instanceBaseName" : "odambox-c",
"dbEdition" : "EE",
"timeZone" : "UTC",
"ntpServers" : ["xx.x.x.xx"],
"dnsServers" : ["xx.x.x.xx","xx.x.x.xx","xx.x.x.xx"],
"domainName" : "example.com",
"isRoleSeparated" : false,
"isMultiUserAccessPLEnabled" : true,
"osUserGroup" : {
"groups" : [ {
"groupId" : 1001,
"groupName" : "oinstall",
"groupRole" : "oinstall"
}, {
"groupId" : 1002,
"groupName" : "dba",
"groupRole" : "dba"
} ]
},
"multiUserAccess": {
"isMultiUserAccessPLEnabled": true
}
},
"nodes" : [ {
"nodeNumber" : "0",
"nodeName" : "odambox",
"network" : [ {
"nicName" : "btbond1",
"ipAddress" : "xx.x.x.xx",
"subNetMask" : "xxx.xxx.xxx.x",
"gateway" : "xx.x.x.x",
"networkType" : [ "Public" ],
"isDefaultNetwork" : true
}
],
"ilom" : {
"ilomName":"odambox-c",
"ipAddress":"xx.x.x.xx",
"subNetMask":"xxx.xxx.xxx.x",
"gateway":"xx.x.x.x"
}
} ],
"grid" : {
"diskGroup" : [ {
"diskGroupName" : "DATA",
"redundancy" : "NORMAL",
"diskPercentage" :80
}, {
"diskGroupName" : "RECO",
"redundancy" : "NORMAL",
"diskPercentage" :20
} ],
"scan" : null,
"vip": null,
"language" : "en",
"enableAFD":"TRUE"
},
"database" : {
"dbName" : "myTestDb",
"databaseUniqueName":"myTestDb_sea1kj",
"dbEdition" : "EE",
"dbVersion" : "19.21.0.0",
"dbHomeId":null,
"instanceOnly" : false,
"isCdb" : true,
"pdBName" : "pdb1",
"pdbAdminuserName" : "pdbuser",
"enableTDE":true,
"adminPassword" : "password",
"dbType" : "SI",
"dbTargetNodeNumber" : null,
"dbClass" : "OLTP",
"dbShape" : "odb1",
"dbStorage" : "ACFS",
"dbCharacterSet" : {
"characterSet" : "AL32UTF8",
"nlsCharacterset" : "AL16UTF16",
"dbTerritory" : "AMERICA",
"dbLanguage" : "AMERICAN"
},
"dbConsoleEnable" : false,
"backupConfigId":null,
"rmanBkupPassword": null
},
"asr" :{
"asrType": "INTERNAL",
"userName":"john.smith@example.com",
"password":"password",
"proxyServerName":"www-proxy.example.com",
"proxyPort":"80",
"proxyUserName":"proxy-user",
"proxyPassword":"proxy-password",
"httpsPortNumber":"16163"
}
}
Example JSON File to Create a High-Availability Passwordless Multi-User Enabled Appliance
Follow the JSON file example to create a JSON file to deploy a high-availability appliance with the command odacli create-appliance.
Note:
It is important to review the readme and the examples carefully before creating your JSON file. If you do not enter your network and Oracle ILOM information correctly based on your setup, then network access is lost to both the host and Oracle ILOM.
Example 5-3 JSON File to Create a High-Availability Oracle Database Appliance with Role Separation and with Passwordless Multi-User Access
The following is an example of a JSON file that creates a high-availability appliance on the Oracle Database Appliance bare metal platform. The example uses role separation and passwordless multi-user access. When using the example to create your JSON file, change the definitions to match your environment. The password must meet password requirements.
{
"instance":{
"name":"odahabox",
"instanceBaseName":"odahabox",
"dbEdition":"EE",
"timeZone":"UTC",
"ntpServers" : ["10.0.3.14"],
"dnsServers" : ["10.0.4.10","10.0.4.11","10.0.4.12"],
"domainName":"example.com",
"isRoleSeparated":true,
"isMultiUserAccessPLEnabled" : true,
"osUserGroup":{
"groups":[
{
"groupId":1001,
"groupName":"oinstall",
"groupRole":"oinstall"
},
{
"groupId":1002,
"groupName":"dbaoper",
"groupRole":"dbaoper"
},
{
"groupId":1003,
"groupName":"dba",
"groupRole":"dba"
},
{
"groupId":1004,
"groupName":"asmadmin",
"groupRole":"asmadmin"
},
{
"groupId":1005,
"groupName":"asmoper",
"groupRole":"asmoper"
},
{
"groupId":1006,
"groupName":"asmdba",
"groupRole":"asmdba"
}
],
"users":[
{
"userId":101,
"userName":"grid",
"userRole":"gridUser"
},
{
"userId":102,
"userName":"oracle",
"userRole":"oracleUser"
}
]
},
"users": [
{
"id": 1000,
"name": "ugrid",
"role": "gridUser"
},
{
"id": 1001,
"name": "uoracle",
"role": "oracleUser"
}
],
"multiUserAccess": {
"isMultiUserAccessPLEnabled": true
},
"objectStoreCredentials":null
},
"sysOraHomeStorage": {
"volumeSize": "160",
"diskgroup": "DATA"
},
"nodes":[
{
"nodeNumber":"0",
"nodeName":"odahaboxc1n2",
"network":[
{
"nicName":"btbond1",
"ipAddress":"10.31.98.133",
"subNetMask":"255.255.240.0",
"gateway":"10.31.96.1",
"networkType":[
"Public"
],
"isDefaultNetwork":true
}
],
"ilom":{
"ilomName":"odahabox2-c",
"ipAddress":"10.31.16.140",
"subNetMask":"255.255.240.0",
"gateway":"10.31.16.1"
}
},
{
"nodeNumber":"1",
"nodeName":"odahaboxc1n1",
"network":[
{
"nicName":"btbond1",
"ipAddress":"10.31.98.132",
"subNetMask":"255.255.240.0",
"gateway":"10.31.96.1",
"networkType":[
"Public"
],
"isDefaultNetwork":true
}
],
"ilom":{
"ilomName":"odahabox1-c",
"ipAddress":"10.31.16.139",
"subNetMask":"255.255.240.0",
"gateway":"10.31.16.1"
}
}
],
"grid":{
"diskGroup":[
{
"diskGroupName":"DATA",
"redundancy":"HIGH",
"diskPercentage":80
},
{
"diskGroupName":"RECO",
"redundancy":"HIGH",
"diskPercentage":20
}
],
"scan":{
"scanName":"odahaboxc1-scan",
"ipAddresses":[
"10.31.98.182",
"10.31.98.183"
]
},
"vip":[
{
"nodeNumber":"0",
"vipName":"odahaboxc1n2-vip",
"ipAddress":"10.31.98.159"
},
{
"nodeNumber":"1",
"vipName":"odahaboxc1n1-vip",
"ipAddress":"10.31.98.158"
}
],
"language":"en",
"enableAFD":"TRUE"
},
"database":{
"dbName":"myTestDb",
"databaseUniqueName":"myTestDb_sea1kj",
"dbVersion":"19.21.0.0",
"dbHomeId":null,
"instanceOnly":false,
"isCdb":true,
"pdBName":"pdb1",
"pdbAdminuserName":"pdbuser",
"enableTDE":true,
"adminPassword":"password",
"dbType":"RAC",
"dbTargetNodeNumber":null,
"dbClass":"OLTP",
"dbShape":"odb1",
"dbStorage":"ACFS",
"dbCharacterSet":{
"characterSet":"AL32UTF8",
"nlsCharacterset":"AL16UTF16",
"dbTerritory":"AMERICA",
"dbLanguage":"AMERICAN"
},
"dbConsoleEnable":false,
"backupConfigId":null
},
"asr":null
}
Example JSON Files to Create a Single-Node Passwordless Multi-User Enabled DB System
Follow the JSON file example to create a JSON file to deploy a single-node DB System, with role separation, with the command odacli create-dbsystem.
Use the example JSON file to create a file for your environment.
Note:
It is important to review the readme and the examples carefully before creating your JSON file.
Example 5-4 JSON File to Create a Single-Node Oracle KVM Database System with Role Separation and Passwordless Multi-User Access
The following is an example of a JSON file that creates a single-node Oracle KVM Database System on the Oracle Database Appliance bare metal platform. The example uses role separation and passwordless multi-user access. When using the example to create your JSON file, change the definitions to match your environment. The password must meet password requirements.
{
"system": {
"name": "test_example",
"shape": "odb2",
"customMemorySize": "24G",
"timeZone": "America/Los_Angeles",
"diskGroup": "DATA",
"cpuPoolName": "shared_dbsystem_cpupool",
"enableRoleSeparation": true,
"customRoleSeparation": {
"groups": [
{
"name": "oinstall",
"id": 1001,
"role": "oinstall"
},
{
"name": "dbaoper",
"id": 1002,
"role": "dbaoper"
},
{
"name": "dba",
"id": 1003,
"role": "dba"
},
{
"name": "asmadmin",
"id": 1004,
"role": "asmadmin"
},
{
"name": "asmoper",
"id": 1005,
"role": "asmoper"
},
{
"name": "asmdba",
"id": 1006,
"role": "asmdba"
}
],
"users": [
{
"name": "grid",
"id": 1000,
"role": "gridUser"
},
{
"name": "oracle",
"id": 1001,
"role": "oracleUser"
}
],
"users": [
{
"id": 1000,
"name": "ugrid",
"role": "gridUser"
},
{
"id": 1001,
"name": "uoracle",
"role": "oracleUser"
}
]
},
"multiUserAccess": {
"isMultiUserAccessPLEnabled": true
}
},
"database": {
"name": "db19",
"uniqueName": "db19",
"domainName": "example.com",
"version": "19.26.0.0.250121",
"edition": "EE",
"type": "SI",
"dbClass": "OLTP",
"shape": "odb2",
"role": "PRIMARY",
"targetNodeNumber": null,
"enableDbConsole": false,
"enableFlashStorage": false,
"enableFlashCache": false,
"enableUnifiedAuditing": true,
"enableEEHA": true,
"enableSEHA": false,
"redundancy": null,<<< if diskgroup redundancy is FLEX, then database redundancy must be set to one of "HIGH" or "MIRROR", otherwise, can be null
"characterSet": {
"characterSet": "AL32UTF8",
"nlsCharacterset": "AL16UTF16",
"dbTerritory": "AMERICA",
"dbLanguage": "ENGLISH"
},
"enableTDE": false,
"isCdb": true,
"pdbName": "pdb1",
"pdbAdminUser": "pdbadmin"
},
"network": {
"domainName": "test_domain",
"ntpServers": [
"xx.xxx.xx.xxx"
],
"dnsServers": [
"xx.xxx.xx.xxx"
],
"nodes": [
{
"name": "node1",
"ipAddress": "xx.xx.xx.xxx",
"netmask": "xxx.xxx.xxx.x",
"gateway": "xx.xx.xx.x",
"number": 0
}
],
"publicVNetwork": "vnet1"
},
"grid": {
"language": "en",
"enableAFD": true
}
}
Example 5-5 JSON File to Create a Single-Node Oracle KVM Database System without Role Separation and with Passwordless Multi-User Access
The following is an example of a JSON file that creates a single-node Oracle KVM Database System on Oracle Database Appliance bare metal platform, without role separation and with passwordless multi-user access. When using the example to create your JSON file, change the definitions to match your environment. The password must meet password requirements.
{
"system": {
"name": "test_example",
"shape": "odb2",
"customMemorySize": "24G",
"timeZone": "America/Los_Angeles",
"diskGroup": "DATA",
"cpuPoolName": "shared_dbsystem_cpupool",
"database": {
"name": "db19",
"uniqueName": "db19",
"domainName": "example.com",
"version": "19.26.0.0.250121",
"edition": "EE",
"type": "SI",
"dbClass": "OLTP",
"shape": "odb4",
"role": "PRIMARY",
"targetNodeNumber": null,
"enableDbConsole": false,
"enableUnifiedAuditing": true,
"redundancy": "HIGH",<<< if diskgroup redundancy is FLEX, then database redundancy must be set to one of "HIGH" or "MIRROR", otherwise, can be null
"characterSet": {
"characterSet": "AL32UTF8",
"nlsCharacterset": "AL16UTF16",
"dbTerritory": "AMERICA",
"dbLanguage": "ENGLISH"
},
"enableTDE": false,
"isCdb": true,
"pdbName": "pdb1",
"pdbAdminUser": "pdbadmin"
},
"users": [
{
"id": 1000,
"name": "ugrid",
"role": "gridUser"
},
{
"id": 1001,
"name": "uoracle",
"role": "oracleUser"
}
],
"multiUserAccess": {
"isMultiUserAccessPLEnabled": true
}
},
"network": {
"domainName": "test_domain",
"ntpServers": [],
"dnsServers": [
"xx.xxx.xx.xxx"
],
"nodes": [
{
"name": "node1",
"ipAddress": "xx.xx.xx.xxx",
"netmask": "xxx.xxx.xxx.x",
"gateway": "xx.xx.xx.x",
"number": 0
}
],
"publicVNetwork": "vnet1"
},
"grid": {
"language": "en",
"enableAFD": true
}
}
Example JSON File to Create a High-Availability Passwordless Multi-User Enabled DB System
Follow the JSON file example to create a JSON file to deploy a two-node DB System, with role separation, with the command odacli create-dbsystem.
Use the example JSON file to create a file for your environment.
Example 5-6 JSON File to Create a Two-Node Oracle KVM Database System without Role Separation and with Passwordless Multi-User Access
The following is an example of a JSON file that creates a two-node Oracle KVM Database System on the Oracle Database Appliance bare metal platform, without role separation and with passwordless multi-user access. When using the example to create your JSON file, change the definitions to match your environment. The password must meet password requirements.
{
"system": {
"name": "test_system",
"shape": "odb2",
"customMemorySize": "24G",
"timeZone": "America/Los_Angeles",
"diskGroup": "DATA",
"cpuPoolName": "shared_dbsystem_cpupool"
},
"database": {
"name": "dbtest",
"uniqueName": "dbtest",
"domainName": "test_domain",
"version": "19.26.0.0.250121",
"edition": "EE",
"type": "SI",
"dbClass": "OLTP",
"shape": "odb2",
"role": "PRIMARY",
"targetNodeNumber": "0",
"enableDbConsole": false,
"enableUnifiedAuditing": true,
"enableEEHA": true,
"redundancy": "MIRROR", <<< if diskgroup redundancy is FLEX, then database redundancy must be set to one of "HIGH" or "MIRROR", otherwise, can be null
"characterSet": {
"characterSet": "AL32UTF8",
"nlsCharacterset": "AL16UTF16",
"dbTerritory": "AMERICA",
"dbLanguage": "AMERICAN"
},
"enableTDE": false,
"isCdb": true,
"pdbName": "pdb1",
"pdbAdminUser": "pdbadmin"
},
"users": [
{
"id": 1000,
"name": "ugrid",
"role": "gridUser"
},
{
"id": 1001,
"name": "uoracle",
"role": "oracleUser"
}
],
"multiUserAccess": {
"isMultiUserAccessPLEnabled": true
},
"network": {
"domainName": "test_domain",
"ntpServers": [],
"dnsServers": [
"xx.xxx.xx.xxx"
],
"nodes": [
{
"name": "node1",
"ipAddress": "xx.xx.xxx.xx",
"netmask": "xxx.xxx.xxx.x",
"gateway": "xx.xx.xxx.x",
"number": 0,
"vipName": "node1-vip",
"vipAddress": "xx.xx.xxx.xx"
},
{
"name": "node2",
"ipAddress": "xx.xx.xxx.xx",
"netmask": "xxx.xxx.xxx.x",
"gateway": "xx.xx.xxx.x",
"number": 1,
"vipName": "node2-vip",
"vipAddress": "xx.xx.xxx.xx"
}
],
"publicVNetwork": "vnet1",
"scanName": "test-scan",
"scanIps": [
"xx.xx.xxx.xx",
"xx.xx.xxx.xx"
]
},
"grid": {
"language": "en",
"enableAFD": true
}
}
Example 5-7 JSON File to Create a Two-Node Oracle KVM Database System with Role Separation and with Passwordless Multi-User Access
The following is an example of a JSON file that creates a two-node Oracle KVM Database System on the Oracle Database Appliance bare metal platform. The example uses role separation and passwordless multi-user access. When using the example to create your JSON file, change the definitions to match your environment. The password must meet password requirements.
{
"system": {
"name": "test_system",
"shape": "odb2",
"customMemorySize": "24G",
"timeZone": "America/Los_Angeles",
"diskGroup": "DATA",
"cpuPoolName": "shared_dbsystem_cpupool",
"enableRoleSeparation": true,
"customRoleSeparation": {
"groups": [
{
"name": "oinstall",
"id": 1001,
"role": "oinstall"
},
{
"name": "dbaoper",
"id": 1002,
"role": "dbaoper"
},
{
"name": "dba",
"id": 1003,
"role": "dba"
},
{
"name": "asmadmin",
"id": 1004,
"role": "asmadmin"
},
{
"name": "asmoper",
"id": 1005,
"role": "asmoper"
},
{
"name": "asmdba",
"id": 1006,
"role": "asmdba"
}
],
"users": [
{
"name": "grid",
"id": 1000,
"role": "gridUser"
},
{
"name": "oracle",
"id": 1001,
"role": "oracleUser"
}
]
},
"users": [
{
"id": 1000,
"name": "ugrid",
"role": "gridUser"
},
{
"id": 1001,
"name": "uoracle",
"role": "oracleUser"
}
],
"multiUserAccess": {
"isMultiUserAccessPLEnabled": true
}
},
"database": {
"name": "dbtest",
"uniqueName": "dbtest",
"domainName": "test_domain",
"version": "19.26.0.0.250121",
"edition": "EE",
"type": "SI",
"dbClass": "OLTP",
"shape": "odb2",
"role": "PRIMARY",
"targetNodeNumber": "0",
"enableDbConsole": false,
"enableUnifiedAuditing": true,
"enableEEHA": true,
"redundancy": null, <<< if diskgroup redundancy is FLEX, then database redundancy must be set to one of "HIGH" or "MIRROR", otherwise, can be null
"characterSet": {
"characterSet": "AL32UTF8",
"nlsCharacterset": "AL16UTF16",
"dbTerritory": "AMERICA",
"dbLanguage": "AMERICAN"
},
"enableTDE": false,
"isCdb": true,
"pdbName": "pdb1",
"pdbAdminUser": "pdbadmin"
},
"network": {
"domainName": "test_domain",
"ntpServers": [],
"dnsServers": [
"xx.xxx.xx.xxx"
],
"nodes": [
{
"name": "node1",
"ipAddress": "xx.xx.xxx.xx",
"netmask": "xxx.xxx.xxx.x",
"gateway": "xx.xx.xxx.x",
"number": 0,
"vipName": "node1-vip",
"vipAddress": "xx.xx.xxx.xx"
},
{
"name": "node2",
"ipAddress": "xx.xx.xxx.xx",
"netmask": "xxx.xxx.xxx.x",
"gateway": "xx.xx.xxx.x",
"number": 1,
"vipName": "node2-vip",
"vipAddress": "xx.xx.xxx.xx"
}
],
"publicVNetwork": "vnet1",
"scanName": "test-scan",
"scanIps": [
"xx.xx.xxx.xx",
"xx.xx.xxx.xx"
]
},
"grid": {
"language": "en",
"enableAFD": true
}
}
Provisioning Oracle Database Appliance with Multi-User Access
You can enable multi-user access only when you provision Oracle Database Appliance, using CLI commands or the Browser User Interface.
Caution:
You can enable multi-user access only at the time of provisioning Oracle Database Appliance on bare metal systems and cannot rollback multi-user access after you provision and deploy your appliance. The Oracle Database Appliance administration model changes when you deploy the Multi-User Access feature. Evaluate your role separation requirements before using this feature. Deploying on a test system first can help with the evaluation and assessment of the new administration model.
Note:
You can specify the token expiration duration, password expiration duration, maximum failed login attempts, and other details when you provision a multi-user access enabled Oracle Database Appliance with a JSON file. You can also specify these values as a one-time activity from the Browser User Interface when you configure multi-user access and provision Oracle Database Appliance using the Browser User Interface.
Overall Steps in Provisioning Oracle Database Appliance with Multi-User Access Enabled
- Enable multi-user access.
  - If you provision your appliance using a JSON file, then add the attribute "isMultiUserAccessEnabled": true in the prov_req.json file. If the attribute is set to false or does not exist in the prov_req.json file, then multi-user access is not enabled during provisioning of the appliance.
    "isRoleSeparated": true,
    "isMultiUserAccessEnabled": true,
    "osUserGroup": {
    "groups": [{
    "groupId": 1001,
    "groupName": "oinstall",
    "groupRole": "oinstall"
    }, ...
    You can also set the multi-user access attributes by adding the following in the JSON file:
    },
    "asr": null,
    "multiUserAccess": {
    "dcsUserPasswdExpDurationInDays": 90,
    "tokenExpirationInMins": 120,
    "maxNumFailedLoginAttempts": 3
    }
    }
    The values for these attributes are as follows:
    - Token expiration duration in minutes: The minimum value you can specify is 10 minutes, the maximum value is 600 minutes, and the default is 120 minutes.
    - Password expiration duration in days: The minimum value you can specify is 30 days, the maximum value is 180 days, and the default is 90 days.
    - Maximum failed login attempts allowed: The minimum value you can specify is 2, the maximum value is 5, and the default is 3.
  - If you create the appliance using the Browser User Interface (BUI), then select the Enable Multi-User Access (N/A for DB System) checkbox in the BUI login page.
- Provide passwords for the odaadmin, oracle, and grid users. These are Oracle Database Appliance system users and their accounts are activated during creation. The user odaadmin is created with the role of ODA-ADMINISTRATOR, while the oracle and grid users are created with the roles of ODA_DB and ODA_GRID respectively.
- The system configures the multi-user access repository with a list of roles and entitlements, used for assigning to the users in the system.
- You can now log into the appliance with the newly-created user credentials and deploy databases.
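As an added example (it is not part of this documentation and is not an ODACLI tool), the following Python script runs pre-flight checks on a prov_req.json before it is handed to odacli create-appliance: it confirms that the file parses (a trailing comma before a closing bracket, or a missing comma between members, is rejected by a strict parser), that "isMultiUserAccessEnabled" is true, that any multiUserAccess attributes fall inside the ranges stated above, and that the literal placeholder passwords carried by the examples have been replaced. The attribute names, ranges and defaults are the ones documented above; the abbreviated sample document and the placeholder-password convention are constructed for this example.

```python
import json
from typing import Any

# Permitted ranges as documented: (minimum, maximum, default).
LIMITS = {
    "tokenExpirationInMins": (10, 600, 120),
    "dcsUserPasswdExpDurationInDays": (30, 180, 90),
    "maxNumFailedLoginAttempts": (2, 5, 3),
}

# Keys that the documentation examples ship with literal placeholder values
# (constructed convention for this check; adjust to your own templates).
PASSWORD_KEYS = {"adminPassword", "password", "proxyPassword", "rmanBkupPassword"}
PLACEHOLDERS = {"password", "proxy-password"}


def _leaves(node: Any, path: str = ""):
    """Yield (dotted path, value) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _leaves(value, f"{path}[{index}]")
    else:
        yield path, node


def effective_settings(doc: dict) -> dict:
    """Multi-user access settings with the documented defaults applied where the file is silent."""
    given = doc.get("multiUserAccess") or {}
    return {key: given.get(key, default) for key, (_lo, _hi, default) in LIMITS.items()}


def check_prov_req(text: str) -> list[str]:
    """Return findings for a prov_req.json text; an empty list means every check passed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as err:
        # Hand-edited files usually fail here: trailing commas or a missing comma between members.
        return [f"invalid JSON: {err.msg} at line {err.lineno} column {err.colno}"]
    if not isinstance(doc, dict):
        return ["invalid JSON: top level must be an object"]

    findings = []
    instance = doc.get("instance")
    if not isinstance(instance, dict) or instance.get("isMultiUserAccessEnabled") is not True:
        findings.append("instance.isMultiUserAccessEnabled is not true: multi-user access will not be enabled")

    given = doc.get("multiUserAccess") or {}
    for key, (lo, hi, _default) in LIMITS.items():
        if key in given:
            value = given[key]
            # bool is a subclass of int in Python, so exclude it explicitly.
            if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
                findings.append(f"multiUserAccess.{key}={value!r} is outside the permitted range {lo}-{hi}")

    for path, value in _leaves(doc):
        key = path.rsplit(".", 1)[-1]
        if key in PASSWORD_KEYS and isinstance(value, str) and value.lower() in PLACEHOLDERS:
            findings.append(f"{path}: placeholder password from the example is still present")
    return findings


# Constructed, abbreviated prov_req.json for demonstration; not a complete provisioning file.
SAMPLE_PROV_REQ = """{
  "instance": {
    "name": "odambox",
    "isRoleSeparated": true,
    "isMultiUserAccessEnabled": true,
    "osUserGroup": {
      "groups": [ { "groupId": 1001, "groupName": "oinstall", "groupRole": "oinstall" } ]
    }
  },
  "database": { "dbName": "myTestDb", "adminPassword": "password" },
  "asr": null,
  "multiUserAccess": {
    "dcsUserPasswdExpDurationInDays": 90,
    "tokenExpirationInMins": 5,
    "maxNumFailedLoginAttempts": 3
  }
}"""

if __name__ == "__main__":
    for finding in check_prov_req(SAMPLE_PROV_REQ) or ["no findings"]:
        print(finding)
```

Run against the sample, the script reports the token expiration of 5 minutes (below the 10-minute minimum) and the unchanged "password" value under database.adminPassword; a file that passes every check returns an empty list, and effective_settings shows which values the agent will apply when the attributes are omitted.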
Provisioning Oracle Database Appliance Using the Browser User Interface with Multi-User Access Enabled
- Access the Browser User Interface:
https://host-ip-address:7093/mgmt/index.html
- For the first login, since the odaadmin role is not configured, you are prompted to provide the ODA password and enable multi-user access.
- Select Enable Multi-User Access (N/A for DB System) and provide a strong password for the ODA user.
- Click Configure Multi-User Settings and then set the User Password Expiry Duration (In Days), Session Expiration for CLI (minutes), and Maximum Failed Login Attempts. Click Save to save these settings and return to the Login page on the BUI.
- Click Submit. A confirmation message is displayed on successful creation of the user.
- Click OK. You are redirected to the Login page.
- Specify the User Name and ODA Password and click Login. Note that the ODA admin user name is odaadmin if multi-user access is enabled. If multi-user access is not enabled, then the ODA admin user name is oda-admin.
- In the Create Appliance page, specify the details for creating the appliance. See the topic Creating the Appliance for detailed information about the information you need to provide.
- Select Assign same password for admin, oracle, grid users if you want to specify the same password for all users. Otherwise, specify different passwords for the system admin, oracle, and grid users.
- Click Submit to create the appliance with multi-user access enabled.
- The job is submitted and a confirmation page appears with a link to the job. Click the link to view the job progress, tasks, and status. After you close the Job confirmation page, you can click the Activity tab to monitor the job progress. Click the job number to view the tasks and status details. Click Refresh to refresh the page.
Creating, Viewing, and Deleting Users on Oracle Database Appliance with Multi-User Access
After provisioning the appliance with multi-user access enabled, you can create users with specific entitlements.
Creating, Viewing, and Deleting Users with ODACLI Commands
- Connect to the appliance as the odaadmin user.
ssh odaadmin@oda-box hostname/IP
- Run any ODACLI command and provide the odaadmin password when prompted.
- On successful authentication, create a user with the following command:
odacli create-user -u username -r comma-separated role names
For example, create a user dbuser1 with lifecycle management privileges for databases:
odacli create-user -u dbuser1 -r ODA-DB
The odaadmin user creates dbuser1 and assigns a temporary password.
- After the user is created successfully, dbuser1 can log into the appliance with the temporary password.
- The user dbuser1 is in the Inactive state. Activate the user with the following command:
odacli activate-user
You are prompted to change the password. Enter the temporary password, the new password, and confirm the new password.
- Use the new password to connect by SSH into the appliance and run ODACLI commands or connect to the Browser User Interface.
- The odaadmin user can view all the users in the system:
# odacli list-users
- The odaadmin user can view details for a user in the system:
# odacli describe-user -u user_id
- Delete a user in the system. Note that only the odaadmin user can delete a user in the system.
# odacli delete-user -u user_id
Creating, Viewing, and Deleting Users with Browser User Interface
- Log into the Browser User Interface as the odaadmin user:
https://host-ip-address:7093/mgmt/index.html
- Click the Multi-User Access tab.
- Click the Users link on the left-hand pane.
- Click Create User.
- In the Create User page, provide the User ID, specify the Role, and provide the ODA Password for this user. Note that the same user credentials work for login for BUI and ODACLI commands.
- Optionally, click Generate mTLS Certificate to enable mTLS-based authentication.
- Click Create.
- The job is submitted and a confirmation page appears with a link to the job. Click the link to view the job progress, tasks, and status. After you close the Job confirmation page, you can click the Activity tab to monitor the job progress. Click the job number to view the tasks and status details. Click Refresh to refresh the page.
- In the Multi-User Access tab, on the Users page, click on the link for the user whose details you want to view.
- To delete a user, log in as the odaadmin user. In the Actions drop-down list, select Delete. Note that only a user of type Custom can be deleted.
Activating a New User on Oracle Database Appliance with Multi-User Access
Understand how to activate a new user on multi-user access enabled Oracle Database Appliance.
Activating the New User on Multi-User Access Enabled System Using ODACLI Commands
- After a new user is created by odaadmin successfully, the new user, for example, dbuser1, can log into the appliance with the temporary password.
- Activate the user with the following command:
odacli activate-user
You are prompted to change the password. Enter the temporary password, the new password, and confirm the new password.
Activating the New User on Multi-User Access Enabled System Using Browser User Interface
- After a new user is created by odaadmin, log into the Browser User Interface as the new user:
https://host-ip-address:7093/mgmt/index.html
- Specify the User Name and the temporary password in the ODA Password field.
- Since this is a new account, the Account Status is Inactive. You are prompted to specify and confirm a new password.
- Specify and confirm the Password and click Submit.
- On successful password change, log into the Browser User Interface with the new password.
Granting and Revoking Resource Access on Oracle Database Appliance with Multi-User Access
You can grant and revoke resource access on the appliance.
Granting and Revoking Resource Access with ODACLI Commands
- Grant or revoke access to a resource in a multi-user access enabled system:
# odacli grant-resource-access -ri resource_ID -u user_name
# odacli revoke-resource-access -ri resource_ID -u user_name
- View access to a DCS resource in a multi-user access system:
# odacli describe-resource-access -ri resource_ID
- View access to all DCS resources defined in a multi-user access system:
# odacli list-resources-access -ao -rn resource_name -rt resource_type
Granting and Revoking Resource Access with Browser User Interface
- Log into the Browser User Interface as odaadmin:
https://host-ip-address:7093/mgmt/index.html
- Click the Multi-User Access tab.
- Click the Resources link on the left-hand pane.
- Click on a Resource to view more details.
- For a Resource, in the Actions drop down list, select Grant Resource Access to grant the user shared access to a resource. Select the User Name from the drop-down list and click Grant. Click Yes to confirm and submit the job.
- Select Revoke Resource Access to revoke access to a resource from a user. Select the User Name from the drop-down list and click Revoke. Click Yes to confirm and submit the job.
Viewing Roles, Operations, and Entitlements on Oracle Database Appliance with Multi-User Access
You can view roles and entitlements on the appliance.
Viewing Roles, Operations, and Entitlements with ODACLI Commands
Note:
For Oracle Database Appliance release 19.13, the multi-user access feature is available for standalone Oracle Database Appliance systems. During provisioning, a single domain and tenancy is created by default and all users are created within the default domain and tenancy.
- View all the roles defined in the system:
# odacli list-user-roles
- View details for a user role in the system:
# odacli describe-user-role -n role_name
- View all the entitlements defined in the system:
# odacli list-user-entitlements
- View details for an entitlement in the system:
# odacli describe-user-entitlement -n entitlement_name
- View all the operations defined in the system:
# odacli list-user-operations
- View details for an operation in the system:
# odacli describe-user-operation -n operation_name
- View the domains defined in the system. In this release, this is the default domain.
# odacli list-domains
- View details for a domain in the system:
# odacli describe-domain -dn domain_name
- View the tenants in a multi-user access enabled domain. In this release, this is the default tenancy.
# odacli list-tenants
- View details for a tenant in a multi-user access enabled domain:
# odacli describe-tenant -tn tenant_name
Viewing Roles, Operations, and Entitlements with Browser User Interface
- Log into the Browser User Interface as odaadmin:
https://host-ip-address:7093/mgmt/index.html
- Click the Multi-User Access tab.
- Click the Roles link on the left-hand pane. The roles defined in the system are displayed. These roles cannot be edited or updated.
- Click on a Role to view more details.
- Click the Entitlements link on the left-hand pane. The entitlements defined in the system are displayed. These entitlements cannot be edited or updated.
- Click on an Entitlement to view more details.
Managing Databases and Database Homes on Oracle Database Appliance with Multi-User Access
The custom user created on a multi-user access Oracle Database Appliance can deploy and manage databases and database homes. For example, as the user dbuser1 on an Oracle Database Appliance with multi-user access enabled, manage databases as follows:
Creating and Listing Databases and Database Homes Using ODACLI Commands
- Connect to the appliance as dbuser1.
ssh dbuser1@oda-box hostname/IP
- Create a database:
odacli create-database -n dbName -v dbVersion
- Run the odacli list-databases command to view the databases owned by dbuser1:
odacli list-databases
Another user with the ODA-DB role cannot use the resource owned by dbuser1 to create a database home, thus ensuring role separation.
- Use the -all option on the appliance when multi-user access is enabled to view all the databases in the system.
odacli list-databases -all
- Use the -all option on the appliance when multi-user access is enabled to view all the database homes in the system.
odacli list-dbhomes -all
Creating and Listing Databases and Database Homes Using Browser User Interface
- Log into the Browser User Interface as dbuser1:
https://host-ip-address:7093/mgmt/index.html
- Click the Database tab.
- Click Show All Databases. A list of all databases in the system is displayed.
- For a database, you can click the Actions dropdown list, and select from the following options:
  - View Details: View the details of the database.
  - Modify: Modify the database.
  - Move: Move the database.
  - Upgrade: Upgrade the database.
  - Delete: Delete the database.
  - Grant Access: Grant access privilege to the database to a user.
  - Revoke Access: Revoke access privilege to the database from a user.
  - View Pre-patch reports: View prechecks report for patching.
- Click the Database Home link on the left hand pane. A list of all database homes in the system is displayed.
- For a database home, you can click the Actions dropdown list, and select from the following options:
  - View Database: View the details of the database home.
  - Delete: Delete the database.
  - Grant Access: Grant access privilege to the database home to a user.
  - Revoke Access: Revoke access privilege to the database home from a user.
  - View Pre-patch reports: View prechecks report for patching.
Changing the Password for a User Account on Oracle Database Appliance with Multi-User Access
Understand how to manage passwords on multi-user access Oracle Database Appliance.
Changing the Password on Multi-User Access Enabled System Using ODACLI Commands
- You can change the password for an Oracle Database Appliance user whose account is active:
odacli change-password
Changing the Password on Multi-User Access Enabled System Using Browser User Interface
- Log into the Browser User Interface as the user whose password you want to change:
https://host-ip-address:7093/mgmt/index.html
- To change the Account password at any time: Click on the Account drop down list in the top right-hand side of the Browser User Interface and select Change Password.
- Specify the Old Password and also specify and confirm the new Password and click Submit.
Resetting the Password for a Locked User Account on Oracle Database Appliance with Multi-User Access
Understand how to reset the password on multi-user access Oracle Database Appliance.
Resetting Password for a Locked User Account on Multi-User Access Enabled System Using ODACLI Commands
Note:
If your appliance is configured as passwordless multi-user enabled, then all user accounts are preactivated during creation and never get locked, because the system internally generates the password for each user and provides it to the DCS agent for authentication when required for running ODACLI commands. For passwordless multi-user enabled systems, do not run any scripts for unlocking the odaadmin account or the odacli reset-password command to reset the password. Run the odacli change-password command to change the system generated password for your Oracle Database Appliance account.
- Unlock the odaadmin user account that is locked due to multiple failed login attempts or password expiry.
  - Log in as root.
  - Run the following:
    /opt/oracle/dcs/bin/resetCredsForOdaAdmin.sh
    A temporary password is assigned to the odaadmin user.
  - Log in as the odaadmin user with the temporary password.
  - Run the following command:
    odacli reset-password
    You are prompted to provide the temporary password and specify and confirm the new password. After the command runs successfully, the user account is unlocked.
- Unlock any non-admin user account that is locked due to multiple failed login attempts or password expiry.
  - Log in as odaadmin.
  - Run the following command:
    odacli authorize-user
    After you provide a temporary password, the account is unlocked.
  - Log in as the user whose account was locked, with the temporary password.
  - Run the following command:
    odacli reset-password
    You are prompted to provide the old password, the temporary password and specify and confirm the new password. After the command runs successfully, the user account is unlocked and reactivated.
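To make the account states and transitions described in this and the preceding sections concrete, here is an added Python model of a DCS user account's life cycle. It is illustrative only and is not the DCS agent's code: creation puts an account in the Inactive state with a temporary password, activate-user moves it to Active, a run of failed logins reaching maxNumFailedLoginAttempts locks it as LockedFailedLogin, authorize-user run by odaadmin moves it to CredentialReset with a temporary password, and reset-password returns it to Active. On a passwordless system the model preactivates accounts and never locks them, as the note above describes. The class and method names, and the sample user dbuser1 walked through the sequence, are constructed for this example.

```python
from dataclasses import dataclass

# Account statuses as shown by the ODACLI commands and the Browser User Interface.
INACTIVE, ACTIVE, LOCKED, CRED_RESET = "Inactive", "Active", "LockedFailedLogin", "CredentialReset"


@dataclass
class Account:
    name: str
    password: str            # temporary or current password; plain text only because this is a model
    status: str = INACTIVE
    failed_logins: int = 0


class UserRepository:
    """Holds accounts and enforces the documented transitions (constructed model, not DCS)."""

    def __init__(self, max_failed_logins: int = 3, passwordless: bool = False):
        # maxNumFailedLoginAttempts from the provisioning JSON: default 3, permitted range 2-5.
        if not 2 <= max_failed_logins <= 5:
            raise ValueError("maxNumFailedLoginAttempts must be between 2 and 5")
        self.max_failed = max_failed_logins
        self.passwordless = passwordless
        self.accounts: dict[str, Account] = {}

    def create_user(self, name: str, temp_password: str) -> Account:
        """odacli create-user: a new account starts Inactive with a temporary password.
        On a passwordless system the account is preactivated instead."""
        acct = Account(name, temp_password, ACTIVE if self.passwordless else INACTIVE)
        self.accounts[name] = acct
        return acct

    def activate_user(self, name: str, temp_password: str, new_password: str) -> str:
        """odacli activate-user: the user proves the temporary password and sets a new one."""
        acct = self.accounts[name]
        if acct.status != INACTIVE or temp_password != acct.password:
            raise PermissionError("activation requires an Inactive account and its temporary password")
        acct.password, acct.status = new_password, ACTIVE
        return acct.status

    def login(self, name: str, password: str) -> bool:
        """Authenticate; only Active accounts may log in, and repeated failures lock the account."""
        acct = self.accounts[name]
        if acct.status != ACTIVE:
            return False  # Inactive, locked, or awaiting reset: must follow the documented flow
        if password == acct.password:
            acct.failed_logins = 0
            return True
        acct.failed_logins += 1
        if not self.passwordless and acct.failed_logins >= self.max_failed:
            acct.status = LOCKED
        return False

    def authorize_user(self, name: str, temp_password: str) -> str:
        """odacli authorize-user (run by odaadmin): a locked account receives a temporary
        password and moves to CredentialReset; it is unusable until reset-password completes."""
        acct = self.accounts[name]
        if acct.status != LOCKED:
            raise PermissionError("only a locked account can be authorized for a password reset")
        acct.password, acct.status = temp_password, CRED_RESET
        return acct.status

    def reset_password(self, name: str, temp_password: str, new_password: str) -> str:
        """odacli reset-password: the user presents the temporary password and chooses a new one."""
        acct = self.accounts[name]
        if acct.status != CRED_RESET or temp_password != acct.password:
            raise PermissionError("reset requires CredentialReset status and the temporary password")
        acct.password, acct.status, acct.failed_logins = new_password, ACTIVE, 0
        return acct.status

    def change_password(self, name: str, old_password: str, new_password: str) -> str:
        """odacli change-password: an Active user rotates their own password."""
        acct = self.accounts[name]
        if acct.status != ACTIVE or old_password != acct.password:
            raise PermissionError("change-password needs an Active account and the current password")
        acct.password = new_password
        return acct.status


def demo() -> list[str]:
    """Walk dbuser1 through create -> activate -> lockout -> authorize -> reset; return statuses seen."""
    repo = UserRepository(max_failed_logins=3)
    seen = [repo.create_user("dbuser1", "Temp#1").status]
    seen.append(repo.activate_user("dbuser1", "Temp#1", "Str0ng!Pass"))
    for _ in range(3):                      # three wrong passwords reach the default threshold
        repo.login("dbuser1", "wrong")
    seen.append(repo.accounts["dbuser1"].status)
    seen.append(repo.authorize_user("dbuser1", "Temp#2"))
    seen.append(repo.reset_password("dbuser1", "Temp#2", "N3w!Pass"))
    return seen


if __name__ == "__main__":
    print(" -> ".join(demo()))
```

The sequence printed by demo() is Inactive, Active, LockedFailedLogin, CredentialReset, Active, which is the path the two ODACLI procedures above describe; the lockout threshold is the maxNumFailedLoginAttempts value chosen at provisioning time, and the model shows why a locked account cannot be recovered by the user alone.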
Resetting Password for a Locked User Account on Multi-User Access Enabled System Using Browser User Interface
- Unlock the non-admin user account that is locked due to multiple failed login attempts or password expiry as follows:
  - Log into the Browser User Interface as the odaadmin user:
    https://host-ip-address:7093/mgmt/index.html
  - In the Multi-User Access tab, on the Users page, click on the link for the user whose password you want to reset. Note that you can reset the password for users of type Custom only. The Account Status for the user is LockedFailedLogin.
  - In the Actions drop down list, select Authorize Password Reset.
  - In the Authorize Password Reset page, specify the Old Password, specify and confirm the Temporary ODA Password, and click Authorize.
  - Now, log into the Browser User Interface as the user whose account is being unlocked. Specify the User Name and the temporary password in the ODA Password field.
  - Since the account was locked, the Account Status is CredentialReset. You are prompted to specify and confirm a new password.
  - Specify and confirm the Password and click Submit.
  - On successful password change, log into the Browser User Interface with the new password.