Oracle® Secure Backup Reference Release 10.1 Part Number B14236-03
Purpose
Use the mkuser command to define an Oracle Secure Backup user. Each user account belongs to exactly one class, which defines the rights of the user.
See Also:
"User Commands" for related commands
Prerequisites
You must have the modify administrative domain's configuration right to run the mkuser command.
Usage Notes
When an Oracle Secure Backup user performs a backup or restore operation on a host with the default --unprivileged option, the host is accessed by means of an operating system identity.
If a Linux or UNIX host is backed up or restored, then Oracle Secure Backup uses the --unixname and --unixgroup values for the operating system identity.
If a Windows host is backed up or restored, then Oracle Secure Backup begins with the first domain triplet in the list, skipping any with a wildcard (*) for the domain name, and checks whether the domain and username allow access to the host.
Note:
Oracle Secure Backup uses the LookupAccountName system call to determine whether access is allowed. No attempt at logging on actually occurs during the check, nor is there any attempt to enumerate all the valid Windows domains.
If access is allowed, then Oracle Secure Backup uses this logon information to run the job. If not, then Oracle Secure Backup proceeds to the next domain triplet in the list. If Oracle Secure Backup does not find a triplet that allows access to the host, it performs a final check to see whether a triplet exists with a wildcard (*) as the domain name.
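The triplet selection order described above, modeled as an added example that is not Oracle code. The allows_access callable stands in for the LookupAccountName check, the sample triplets are constructed, and returning the wildcard triplet as the final candidate is an assumption, since the page does not say what happens after it is found.

```python
from typing import Callable, Optional, Sequence, Tuple

# (windows-domain, windows-account, windows-password), as given to --domain
Triplet = Tuple[str, str, str]


def select_windows_identity(
    triplets: Sequence[Triplet],
    allows_access: Callable[[str, str], bool],
) -> Optional[Triplet]:
    """Return the triplet that would be used to run the job, or None."""
    # Pass 1: explicit domains in list order; wildcard entries are skipped.
    for triplet in triplets:
        domain, account, _password = triplet
        if domain == "*":
            continue
        if allows_access(domain, account):
            return triplet
    # Final check: is there a triplet with "*" as the domain name?
    # Assumption: that triplet becomes the identity of last resort.
    for triplet in triplets:
        if triplet[0] == "*":
            return triplet
    return None


if __name__ == "__main__":
    # Constructed sample data: a wildcard listed first is still tried last.
    sample = [
        ("*", "svc_any", "constructed-pw-0"),
        ("CORP", "bkup", "constructed-pw-1"),
        ("LAB", "bkup2", "constructed-pw-2"),
    ]
    host_accepts = {("LAB", "bkup2")}
    chosen = select_windows_identity(sample, lambda d, a: (d, a) in host_accepts)
    print(chosen[0], chosen[1])
```

Listing a wildcard triplet first does not give it priority: explicit domains are always tried before it, so a broad fallback credential is used only when every named domain fails the check.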
Syntax
mkuser::=
mku•ser --class/-c userclass
[ --password/-p password | --querypassword/-q ]
[ --unixname/-U unix-user ]
[ --unixgroup/-G unix-group ]
[ --domain/-d { windows-domain | * },windows-account[,windows-password ] ]...
[ --ndmpuser/-N { yes | no } ]
[ --email/-e emailaddr ]
[ --givenname/-g givenname ]
[ --preauth/-h preauth-spec[,preauth-spec]... ]
username
Semantics
--class/-c userclass
Specifies the name of the class to which the user should belong. Table B-1, "Classes and Rights" describes the predefined classes and rights.
--password/-p password
Specifies a password for the Oracle Secure Backup user when logging in to an administrative domain. The maximum length is 16 characters. If you do not specify a password, then the password is null.
--querypassword/-q
Specifies that you should be prompted for the password, which is not echoed.
--unixname/-U unix-user
Specifies a user name for a Linux or UNIX host. The default user name is the first defined of guest, nobody, none, and user.
--unixgroup/-G unix-group
Specifies a group for a Linux or UNIX host. The default is none.
--domain/-d { windows-domain | * },windows-account[,windows-password ]
Specifies a Windows domain name, user account, and password. If you do not enter the Windows password, then obtool prompts you for it. For windows-domain, enter an asterisk (*) if the windows-account and windows-password apply to all Windows domains. The --domain option has no default value.
The Windows user account must have access to the following privileges so that obtar can run:
SeBackupPrivilege
User right: Back up files and directories
SeRestorePrivilege
User right: Restore files and directories
SeChangeNotifyPrivilege
User right: Bypass traverse checking
You must grant the preceding privileges to the user account when it is created or grant them afterward.
--ndmpuser/-N { yes | no }
Indicates whether the user is permitted to log in to an NDMP server. Specify yes if you want to enable the user to access an NDMP server and no if you do not. The default is no. This login is achieved by means of an external client program.
--email/-e emailaddr
Specifies the email address for the user. When Oracle Secure Backup wants to communicate with this user, such as to deliver a job summary or notify the user of a pending input request, it sends email to this address.
--givenname/-g givenname
Specifies the given name of the user if different from the user name, for example, "Jim W. Smith" for user name jsmith.
--preauth/-h preauth-spec[,preauth-spec]...
Grants the specified operating system user preauthorized access to the administrative domain as the Oracle Secure Backup user. By default there is no preauthorization.
A preauthorization dictates how an operating system user can be automatically logged in to Oracle Secure Backup. Access is authorized only for the specified operating system user on the specified host. For each host within an Oracle Secure Backup administrative domain, you can declare one or more one-to-one mappings between operating system and Oracle Secure Backup user identities. For example, you can create a preauthorization so that UNIX user lashdown is automatically logged in to obtool as user admin.
Refer to "preauth-spec" for a description of the preauth-spec placeholder. Duplicate preauthorizations are not permitted. Preauthorizations are considered to be duplicates if they have the same hostname, user ID, and domain.
username
Specifies a name for the Oracle Secure Backup user. User names are case-sensitive and must start with an alphanumeric character. They can contain only letters, numerals, dashes, underscores, and periods (no spaces). They may contain at most 127 characters.
The user name must be unique among all Oracle Secure Backup user names. Formally, it is unrelated to any other name used in your computing environment or the Oracle Secure Backup administrative domain.
Example
Example 2-97 creates an administrative Oracle Secure Backup user named janedoe. This user runs unprivileged backup and restore operations on Linux and UNIX hosts under the jdoe operating system account. Because no Windows domains are specified, this user is not permitted to run backup or restore operations on Windows hosts. The jdoe operating system user is preauthorized to make RMAN backups on host stadv07.
Example 2-97 Creating an Oracle Secure Backup User
ob> lsuser
admin            admin
sbt              admin
tadmin           admin
ob> mkuser janedoe --class admin --password "x45y" --givenname "jane" --unixname jdoe --unixgroup "dba" --preauth stadv07:jdoe+rman+cmdline --ndmpuser no --email jane.doe@business.com
ob> lsuser
admin            admin
janedoe          admin
sbt              admin
tadmin           admin
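A pre-flight check for proposed mkuser definitions, built from the rules in the Semantics section. It is an added example, not Oracle code or part of obtool. The function names, the ASCII reading of "letters", and the host[:os-user[:domain]]+attr shape assumed for preauth-spec (inferred from Example 2-97) are assumptions.

```python
import re

# Username rule from the page: starts with an alphanumeric character; only
# letters, numerals, dashes, underscores, periods; at most 127 characters.
# Assumption: "letters" is read as ASCII letters.
USERNAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,126}")
MAX_PASSWORD_LEN = 16  # stated maximum for --password


def preauth_key(spec):
    """Identity part of a preauth-spec: (hostname, os user, domain)."""
    # Assumed shape: host[:os-user[:domain]]+attr[+attr]...
    identity = spec.split("+", 1)[0]
    host, user, domain = (identity.split(":") + ["", ""])[:3]
    return (host, user, domain)


def lint_mkuser(username, password=None, querypassword=False,
                domains=(), preauths=()):
    """Return a list of findings for a proposed mkuser definition."""
    findings = []
    if not USERNAME_RE.fullmatch(username):
        findings.append("username: violates naming rules")
    if password is None and not querypassword:
        findings.append("password: none given, account gets a null password")
    elif password is not None:
        if len(password) > MAX_PASSWORD_LEN:
            findings.append("password: longer than 16 characters")
        findings.append(
            "password: passed inline; --querypassword prompts without echo")
    for domain, account in domains:  # (windows-domain, windows-account)
        if domain == "*":
            findings.append(
                f"domain: {account} credentials apply to all Windows domains")
    seen = set()
    for spec in preauths:
        key = preauth_key(spec)
        if key in seen:  # same hostname, user ID and domain
            findings.append(f"preauth: duplicate of {key}")
        seen.add(key)
    return findings


if __name__ == "__main__":
    # Values taken from Example 2-97.
    for finding in lint_mkuser("janedoe", password="x45y",
                               preauths=["stadv07:jdoe+rman+cmdline"]):
        print(finding)
```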