Create READ ONLY + AWR access on database targets in Oracle Enterprise Manager 12.1.0.5 – EM CLI edition

(Picture by Rodion Kutsaev, via Unsplash)

I like CLIs. I really like CLIs. Especially when 90% of my previous and quite long blog post can be summarized with only 3 commands 🙂

It was about creating restricted read only access for users, using a role and a named credential. But EM CLI can greatly simplify this task. To better understand what follows, please read the previous post explaining how to Create READ ONLY + AWR access on database targets in Oracle Enterprise Manager 12.1.0.5 first.

Role creation

# -role: grant a specific role
# -privilege="view_target;<target>:oracle_database": add view privilege on one target (repeat per target)
# -privilege="CONNECT_ANY_VIEW_TARGET": add connect privilege on any affected target
./emcli create_role -name="OEM_ROAWR_ROLE" \
-role="EM_USER" \
-privilege="view_target;thing:oracle_database" \
-privilege="view_target;pugsley:oracle_database" \
-privilege="view_target;fester:oracle_database" \
-privilege="CONNECT_ANY_VIEW_TARGET"

Named credential creation

# -auth_target_type: target type for this credential
# -cred_type: type for this credential
# -cred_scope: scope (can be global or instance)
# -test: test before creation of the credential
# -test_target_name / -test_target_type: target and target type to test
# -attributes: credential specification (password, ssh key ...); xxx is a placeholder
# Note: a literal password typed on the command line ends up in the shell history.
./emcli create_named_credential -cred_name="OEM_ROAWR_CREDENTIAL" \
-auth_target_type="oracle_database" \
-cred_type="DBCreds" \
-cred_scope="global" \
-test \
-test_target_name="fester" \
-test_target_type="oracle_database" \
-attributes="DBUserName:OEM_ROAWR_ACCESS;DBPassword:xxx"

Bonus point: you can get the list of existing named credentials using:

./emcli list_named_credentials
Credential Name       Credential Owner  Authenticating target type.  Cred Type Name  Target Name  Target Username
OEM_ROAWR_CREDENTIAL  SYSMAN            oracle_database              DBCreds                      OEM_ROAWR_ACCESS
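
To check that the credential was created as intended, the listing above can be parsed by column position. This is an added example, not part of the original post or of EM CLI: the function names and the second sample row are hypothetical, and it assumes the layout shown above (columns aligned under their headers, separated by at least two spaces, with Target Name empty for this global credential).

```shell
# Assumption: columns sit under their headers, separated by 2+ spaces.
# cred_field NAME COLUMN: read the listing on stdin, print that one cell.
cred_field() {
  awk -v name="$1" -v col="$2" '
    function cell(k,   len, s) {          # text of column k on current line
      len = (k < n) ? start[k + 1] - start[k] : length($0)
      s = substr($0, start[k], len)
      gsub(/^ +| +$/, "", s)
      return s
    }
    NR == 1 {                             # header: find each column start
      for (i = 1; i <= length($0); i++)
        if (substr($0, i, 1) != " " && (i == 1 || substr($0, i - 2, 2) == "  "))
          start[++n] = i
      for (k = 1; k <= n; k++) if (cell(k) == col) want = k
      if (!want) { rc = 2; exit }         # unknown column name
      next
    }
    cell(1) == name { print cell(want); found = 1; exit }
    END { if (rc) exit rc; if (!found) exit 1 }
  '
}

# verify_ro_credential NAME DBUSER: listing on stdin. Succeeds only for a
# DBCreds credential for DBUSER with an empty Target Name column.
verify_ro_credential() {
  listing=$(cat)
  [ "$(printf '%s\n' "$listing" | cred_field "$1" 'Cred Type Name')" = DBCreds ] &&
  [ "$(printf '%s\n' "$listing" | cred_field "$1" 'Target Username')" = "$2" ] &&
  [ -z "$(printf '%s\n' "$listing" | cred_field "$1" 'Target Name')" ]
}

# Constructed sample: row 1 mirrors the page; row 2 is hypothetical.
sample_listing() {
  fmt='%-22s%-18s%-29s%-16s%-13s%s\n'
  printf "$fmt" 'Credential Name' 'Credential Owner' \
    'Authenticating target type.' 'Cred Type Name' 'Target Name' 'Target Username'
  printf "$fmt" OEM_ROAWR_CREDENTIAL SYSMAN oracle_database DBCreds '' OEM_ROAWR_ACCESS
  printf "$fmt" FESTER_ONLY_CRED SYSMAN oracle_database DBCreds fester APP_RO
}

sample_listing | verify_ro_credential OEM_ROAWR_CREDENTIAL OEM_ROAWR_ACCESS &&
  echo "OEM_ROAWR_CREDENTIAL: global DBCreds for OEM_ROAWR_ACCESS"
```

Against a live OMS, pipe `./emcli list_named_credentials` into `verify_ro_credential` instead of `sample_listing`.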

Administrator creation

# -roles: grant the existing role (created above)
# -privilege: add the privilege to use the credential (created above)
# -email: provide an email
# -expired: force the password to expire immediately
# -password: initial password (xxx is a placeholder)
./emcli create_user -name="wednesday" \
-roles="OEM_ROAWR_ROLE" \
-privilege="GET_CREDENTIAL;CRED_NAME=OEM_ROAWR_CREDENTIAL:CRED_OWNER=SYSMAN" \
-email="wednesday@addams.family" \
-expired="true" \
-password="xxx"

The EMCLI verb reference can be found here.
