User Roles for the Recovery Appliance
The Recovery Appliance introduces roles for named user accounts and limits the operations available to each role, which improves security and makes logging attributable to individual users.
The Recovery Appliance has the following security roles, which are new or changed in software release 21.1 and provide more options for meeting audit and security requirements.
- The rasys account is the original administrator, root-level account formerly needed to perform operations on the Recovery Appliance. Named db_user accounts with defined roles and responsibilities replace the usage of rasys for day-to-day operations. The rasys account is now an internal user account. It remains the owner of the RMAN catalog, the Recovery Appliance metadata schema, and all user-facing views. It is used by Oracle Support during deployment, patching, and upgrade. The usage of rasys is restricted and available only for approved tasks and for break-glass operations.
  Note: "Break glass" is any time where the APIs do not allow access to the data needed. This might be:
  - If we need to set an underscore config parameter.
  - If we need access to a trace file that is not accessible.
  - If we need to run an internal API (dbms_ra_int.delete_backup_piece).
- The db_user is a role for new named users who can perform limited operations depending on the user type:
  - admin: this db_user type replaces the usage of rasys for configuration and day-to-day Recovery Appliance management operations. This account can manipulate the database and issue SQL*Plus commands.
  - vpc: this db_user type is for Virtual Private Catalog (VPC) user activities on the Recovery Appliance. It is required to be in the client-side wallet to allow access for backing up and restoring.
  - monitor: this db_user type is intended for OEM applications such as Enterprise Manager and for job functions that are read-only, for monitoring incidents and the status of the Recovery Appliance.
- The admin_user account is a role for new named users who manage the Recovery Appliance from an operational perspective. It permits operating system level operations on the Recovery Appliance that previously required root access. However, admin_user is not root.
- The sys account is the super user for Oracle databases and can change any schema in the database. Remote sys access is now disabled and can be selectively enabled for approved tasks and for break-glass operations.
Immutability and Role Management
The enforcement of immutability requires restricting and fully controlling access privileges. Day-to-day Recovery Appliance administration is limited to admin_user accounts and to the documented RACLI commands and DBMS_RA API commands. The root and rasys accounts are highly restricted: enabling them requires a quorum of two other admin users, and a single denial from any admin user rejects the request.
For auditing purposes, all operations are logged and attributed to identifiable users. The OS command history of admin_user accounts is recorded in the syslog. Recovery Appliance administration commands issued through the API are logged in RA_API_HISTORY.
Compliance
To meet compliance checks, all of the following must be true:
- ssh access is disabled on all nodes
- rasys access is disabled
- sys remote access is disabled
- time service is enabled
- there are three (3) or more OS admin users
- there are two (2) or more DB admin users
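The quorum rule in the Immutability and Role Management section and the user-count checks in the Compliance list fit together: a break-glass request to enable root or rasys needs two approving admin users other than the requester, so at least three admin users must exist for the quorum to be reachable at all. The following Python is an added illustration written for this page, not the appliance's own code; it models that approval policy as a small state machine with an attributed audit trail and evaluates the six compliance conditions over a constructed state dictionary whose key names (ssh_enabled_nodes, rasys_enabled, and so on) are this example's own and do not correspond to RACLI output.

```python
from dataclasses import dataclass, field
from enum import Enum

QUORUM = 2                               # approvals needed from admin users other than the requester
RESTRICTED_ACCOUNTS = {"root", "rasys"}  # accounts the page describes as highly restricted
REQUIRED_OS_ADMIN_USERS = 3              # compliance minimum for OS admin users
REQUIRED_DB_ADMIN_USERS = 2              # compliance minimum for DB admin users


class Decision(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"


@dataclass
class BreakGlassRequest:
    """One request to enable a restricted account for an approved task (hypothetical model)."""
    account: str
    requester: str
    reason: str
    admin_users: frozenset                     # named admin_user accounts at request time
    approvals: set = field(default_factory=set)
    denials: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # (event, actor) pairs; every action is attributed

    def __post_init__(self):
        if self.account not in RESTRICTED_ACCOUNTS:
            raise ValueError(f"{self.account} is not a quorum-gated account")
        self._require_admin(self.requester)
        self.audit.append(("requested", self.requester))

    def _require_admin(self, who):
        if who not in self.admin_users:
            raise PermissionError(f"{who} is not an admin user")

    def approve(self, who):
        self._require_admin(who)
        if self.decision() is Decision.REJECTED:
            self.audit.append(("ignored-after-rejection", who))
        elif who == self.requester:
            self.audit.append(("self-approval-ignored", who))  # requester never counts toward the quorum
        else:
            self.approvals.add(who)
            self.audit.append(("approved", who))
        return self.decision()

    def deny(self, who):
        # A single denial from any admin user is final, regardless of approvals so far.
        self._require_admin(who)
        self.denials.add(who)
        self.audit.append(("denied", who))
        return self.decision()

    def decision(self):
        if self.denials:
            return Decision.REJECTED
        if len(self.approvals) >= QUORUM:
            return Decision.APPROVED
        return Decision.PENDING


def quorum_feasible(admin_users, requester):
    """True only if enough admin users other than the requester exist to form a quorum."""
    return len(set(admin_users) - {requester}) >= QUORUM


def compliance_failures(state):
    """Return the names of the compliance conditions that fail for a constructed state dict."""
    checks = {
        "ssh access disabled on all nodes": not state["ssh_enabled_nodes"],
        "rasys access disabled": not state["rasys_enabled"],
        "sys remote access disabled": not state["sys_remote_enabled"],
        "time service enabled": state["time_service_enabled"],
        "three or more OS admin users": len(state["os_admin_users"]) >= REQUIRED_OS_ADMIN_USERS,
        "two or more DB admin users": len(state["db_admin_users"]) >= REQUIRED_DB_ADMIN_USERS,
    }
    return [name for name, ok in checks.items() if not ok]


if __name__ == "__main__":
    # Constructed sample: three OS admin users, one of whom asks to enable rasys.
    admins = frozenset({"alice", "bob", "carol"})
    req = BreakGlassRequest("rasys", "alice", "read a trace file the API cannot reach", admins)
    req.approve("bob")
    print(req.approve("carol"), req.audit)
```

Because the requester's own approval is recorded but never counted, an appliance with only two admin users can never complete a break-glass request; quorum_feasible makes that precondition explicit before a request is even opened, and compliance_failures reports the same shortfall as a failed "three or more OS admin users" check.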
The following sections provide details for creating those users.