(Picture by Rodion Kutsaev, via Unsplash)
I like CLIs. I really like CLIs. Especially when 90% of my previous and quite long blog post can be summarized with only 3 commands 🙂
It was about creating restricted read-only access for users, using a role and a named credential, and EM CLI can greatly simplify this task. To better understand what follows, please first read the previous post explaining how to Create READ ONLY + AWR access on database targets in Oracle Enterprise Manager 12.1.0.5.
Role creation
    # -role:      grant specific role
    # -privilege: add view privilege on one target, then another, then another again
    # -privilege="CONNECT_ANY_VIEW_TARGET": add connect privilege on any affected target
    ./emcli create_role -name="OEM_ROAWR_ROLE" \
        -role="EM_USER" \
        -privilege="view_target;thing:oracle_database" \
        -privilege="view_target;pugsley:oracle_database" \
        -privilege="view_target;fester:oracle_database" \
        -privilege="CONNECT_ANY_VIEW_TARGET"
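The role above names each target by hand. As an added example (not part of the original post), this sketch builds the same create_role arguments from a list of target names and rejects names that would alter the privilege string; EMCLI, DRY_RUN and the allowed character set are assumptions made here.

```shell
#!/bin/sh
# Added example, not from the original post. EMCLI and DRY_RUN are names
# chosen here; the allowlist of name characters is an assumption.
EMCLI="${EMCLI:-./emcli}"
TARGET_TYPE="oracle_database"

# ';' and ':' are the separators in "view_target;NAME:TYPE", so a name
# containing them (or whitespace) would change what the option means.
valid_target() {
    case "$1" in
        "" | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# Print the emcli arguments, one per line: role_args ROLE TARGET...
# Every name is checked before anything is printed.
role_args() {
    role="$1"
    [ "$#" -ge 2 ] || { echo "usage: role_args ROLE TARGET..." >&2; return 1; }
    shift
    for t in "$role" "$@"; do
        valid_target "$t" || { echo "rejected name: $t" >&2; return 1; }
    done
    printf '%s\n' "create_role" "-name=$role" "-role=EM_USER"
    for t in "$@"; do
        printf '%s\n' "-privilege=view_target;$t:$TARGET_TYPE"
    done
    printf '%s\n' "-privilege=CONNECT_ANY_VIEW_TARGET"
}

# Print the arguments (default) or, with DRY_RUN=0, pass them to emcli.
create_ro_role() {
    args=$(role_args "$@") || return 1
    if [ "${DRY_RUN:-1}" != "0" ]; then
        printf '%s\n' "$args"
        return 0
    fi
    old_ifs=$IFS
    IFS='
'
    set -f                      # no globbing while splitting on newlines
    # shellcheck disable=SC2086
    "$EMCLI" $args
    rc=$?
    set +f
    IFS=$old_ifs
    return "$rc"
}
```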
Named credential creation
    # -auth_target_type: target type for this credential
    # -cred_type:        type for this credential
    # -cred_scope:       scope (can be global or instance)
    # -test:             test before creation of credential
    # -test_target_name / -test_target_type: target, and its type, to test
    # -attributes:       credential specification (password, ssh key ...)
    ./emcli create_named_credential -cred_name="OEM_ROAWR_CREDENTIAL" \
        -auth_target_type="oracle_database" \
        -cred_type="DBCreds" \
        -cred_scope="global" \
        -test \
        -test_target_name="fester" \
        -test_target_type="oracle_database" \
        -attributes="DBUserName:OEM_ROAWR_ACCESS;DBPassword:xxx"
Bonus point: you can get the list of existing named credentials using:

    ./emcli list_named_credentials

    Credential Name       Credential Owner  Authenticating target type.  Cred Type Name  Target Name  Target Username
    OEM_ROAWR_CREDENTIAL  SYSMAN            oracle_database              DBCreds                      OEM_ROAWR_ACCESS
Administrator creation
    # -roles:     grant existing role (created above)
    # -privilege: add privilege to use credential (created above)
    # -email:     provide an email
    # -expired:   force the password to expire immediately
    ./emcli create_user -name="wednesday" \
        -roles="OEM_ROAWR_ROLE" \
        -privilege="GET_CREDENTIAL;CRED_NAME=OEM_ROAWR_CREDENTIAL:CRED_OWNER=SYSMAN" \
        -email="wednesday@addams.family" \
        -expired="true" \
        -password="xxx"
The EMCLI verb reference can be found here.