Using SYSBACKUP in 12c with a media manager layer
Posted by John Hallas on September 10, 2015
I think most large sites who have multiple support teams are aware of how the phrase “Segregation of Duties” is impacting the DBA world. The basic principle, that one user should not be able to, for instance, add a user, grant it privileges, let the user run scripts and then drop the user and remove all log files is a sound one and cannot be argued with.
With the release of 12c Oracle added three new users to perform administrative tasks. Each user has a corresponding privilege with the same name as the user, which is a bit confusing.
SYSBACKUP – for RMAN backup and recovery work
SYSDG – to manage DataGuard operations
SYSKM – to manage activities involving ‘key management’ including wallets and Database Vault
I have no real experience of key management so cannot comment on that. I do fail to see which type of user would be allowed to manage a DG setup and yet not be allowed to perform other DBA work on the databases; however, it probably does mean that any requirement to log in as ‘sysdba’ is now reduced, which can only be a good thing.
The SYSBACKUP user is a really good idea and has been a long time coming.
The privileges it has, along with select on many sys views, are:
CREATE ANY DIRECTORY
CREATE ANY TABLE
CREATE ANY CLUSTER
CREATE RESTORE POINT (including GUARANTEED restore points)
DROP RESTORE POINT (including GUARANTEED restore points)
SELECT ANY DICTIONARY
SELECT ANY TRANSACTION
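As an added example (not from the original post), the following SQL*Plus session shows one way to give a named backup operator the SYSBACKUP privilege instead of SYSDBA and to check what it actually holds. The account name bkp_admin and the password placeholder are hypothetical; it assumes a non-CDB 12c database with a password file in use, run by a user who can grant administrative privileges.

```sql
-- Added example: bkp_admin and the password are placeholders, not values
-- from the post. Assumes a non-CDB 12c database using a password file.

-- 1. Baseline: which accounts hold administrative privileges today.
--    Any backup account showing SYSDBA = TRUE is a candidate for reduction.
SELECT username, sysdba, sysoper, sysbackup, sysdg, syskm
FROM   v$pwfile_users
ORDER  BY username;

-- 2. Create a named backup operator and grant only SYSBACKUP.
CREATE USER bkp_admin IDENTIFIED BY "<placeholder-password>";
GRANT SYSBACKUP TO bkp_admin;

-- 3. Confirm the grant landed in the password file and that SYSDBA was
--    not granted alongside it.
SELECT username, sysdba, sysbackup
FROM   v$pwfile_users
WHERE  username = 'BKP_ADMIN';

-- 4. Connect with the reduced privilege and list what the session can do.
--    SQL*Plus prompts for the password.
CONNECT bkp_admin AS SYSBACKUP
SHOW USER
SELECT privilege FROM session_privs ORDER BY privilege;

-- 5. The matching RMAN connection, typed at the OS shell rather than in
--    SQL*Plus (RMAN prompts for the password):
--      rman target '"bkp_admin AS SYSBACKUP"'
```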
One aspect I was keen to look at was if we could amend the connect string we use in our Media Manager Layer – Commvault from Simpana – from having to connect using a ‘user/password as sysdba’ string.
Unfortunately, at the moment there is no way of changing the connect string to use the user SYSBACKUP. Simpana will be releasing Version 11 sometime later this year which will be able to interact with the SYSBACKUP user; however, I am unclear as to whether the requirement to connect as SYSDBA will be removed or not.
I am not aware of how other MMLs such as Networker, Netbackup or Data Protector have been updated to include the 12c changes and I am keen to find out.